@intranefr/superbackend 1.6.6 → 1.6.7

package/src/services/auditLogger.js

@@ -1,22 +1,24 @@
-const AuditEvent = require('../models/AuditEvent');
+const AuditEvent = require("../models/AuditEvent");
 
 const SENSITIVE_KEYS = [
-  'password',
-  'token',
-  'secret',
-  'authorization',
-  'cookie',
-  'apikey',
-  'api_key',
-  'accesstoken',
-  'refreshtoken',
-  'passwordhash',
+  "password",
+  "token",
+  "secret",
+  "authorization",
+  "cookie",
+  "apikey",
+  "api_key",
+  "accesstoken",
+  "refreshtoken",
+  "passwordhash",
 ];
 
+const FALLBACK_AUDIT_ACTION = "system.unknown_action";
+
 async function getConfig() {
   return {
-    auditTrackingEnabled: process.env.AUDIT_TRACKING_ENABLED !== 'false',
-    auditLogFailedAttempts: process.env.AUDIT_LOG_FAILED_ATTEMPTS !== 'false',
+    auditTrackingEnabled: process.env.AUDIT_TRACKING_ENABLED !== "false",
+    auditLogFailedAttempts: process.env.AUDIT_LOG_FAILED_ATTEMPTS !== "false",
     auditRetentionDays: parseInt(process.env.AUDIT_RETENTION_DAYS, 10) || 90,
   };
 }
@@ -25,20 +27,20 @@ function scrubValue(key, value) {
   const lowerKey = String(key).toLowerCase();
   for (const sensitive of SENSITIVE_KEYS) {
     if (lowerKey.includes(sensitive)) {
-      return '[REDACTED]';
+      return "[REDACTED]";
     }
   }
   return value;
 }
 
 function scrubObject(obj, depth = 0) {
-  if (depth > 5 || !obj || typeof obj !== 'object') return obj;
+  if (depth > 5 || !obj || typeof obj !== "object") return obj;
   if (Array.isArray(obj)) {
     return obj.slice(0, 10).map((item) => scrubObject(item, depth + 1));
   }
   const result = {};
   for (const [key, value] of Object.entries(obj)) {
-    if (typeof value === 'object' && value !== null) {
+    if (typeof value === "object" && value !== null) {
       result[key] = scrubObject(value, depth + 1);
     } else {
       result[key] = scrubValue(key, value);
@@ -50,9 +52,12 @@ function scrubObject(obj, depth = 0) {
 function extractContext(req) {
   if (!req) return {};
   return {
-    ip: req.ip || req.headers?.['x-forwarded-for']?.split(',')[0]?.trim() || req.connection?.remoteAddress,
-    userAgent: req.headers?.['user-agent']?.slice(0, 500),
-    requestId: req.headers?.['x-request-id'] || req.requestId,
+    ip:
+      req.ip ||
+      req.headers?.["x-forwarded-for"]?.split(",")[0]?.trim() ||
+      req.connection?.remoteAddress,
+    userAgent: req.headers?.["user-agent"]?.slice(0, 500),
+    requestId: req.headers?.["x-request-id"] || req.requestId,
     path: req.path || req.url,
     method: req.method,
   };
@@ -60,28 +65,47 @@ function extractContext(req) {
 
 function extractActor(req) {
   if (!req) {
-    return { actorType: 'system', actorId: null };
+    return { actorType: "system", actorId: null };
   }
 
   if (req.user) {
     return {
-      actorType: 'user',
+      actorType: "user",
       actorId: String(req.user._id || req.user.id),
     };
   }
 
-  const authHeader = req.headers?.authorization || '';
-  if (authHeader.startsWith('Basic ')) {
+  const authHeader = req.headers?.authorization || "";
+  if (authHeader.startsWith("Basic ")) {
     try {
-      const credentials = Buffer.from(authHeader.substring(6), 'base64').toString('utf-8');
-      const [username] = credentials.split(':');
-      return { actorType: 'admin', actorId: username || null };
+      const credentials = Buffer.from(
+        authHeader.substring(6),
+        "base64",
+      ).toString("utf-8");
+      const [username] = credentials.split(":");
+      return { actorType: "admin", actorId: username || null };
     } catch (e) {
-      return { actorType: 'admin', actorId: null };
+      return { actorType: "admin", actorId: null };
     }
   }
 
-  return { actorType: 'system', actorId: null };
+  return { actorType: "system", actorId: null };
+}
+
+function normalizeAction(action) {
+  if (typeof action === "string" && action.trim().length > 0) {
+    return {
+      value: action,
+      normalized: false,
+      original: null,
+    };
+  }
+
+  return {
+    value: FALLBACK_AUDIT_ACTION,
+    normalized: true,
+    original: action,
+  };
 }
 
 async function logAudit(event) {
@@ -91,28 +115,39 @@ async function logAudit(event) {
       return null;
     }
 
-    if (event.outcome === 'failure' && !config.auditLogFailedAttempts) {
+    if (event.outcome === "failure" && !config.auditLogFailedAttempts) {
       return null;
     }
 
     const actor = event.actor || extractActor(event.req);
     const context = event.context || extractContext(event.req);
+    const normalizedAction = normalizeAction(event.action);
+    const actionNormalizationMeta = normalizedAction.normalized
+      ? {
+          actionNormalized: true,
+          normalizedFromAction:
+            normalizedAction.original === undefined
+              ? null
+              : String(normalizedAction.original),
+        }
+      : {};
 
     const auditEvent = await AuditEvent.create({
-      actorType: actor.actorType || 'system',
+      actorType: actor.actorType || "system",
       actorId: actor.actorId || null,
-      action: event.action,
-      entityType: event.entityType || event.targetType || 'unknown',
+      action: normalizedAction.value,
+      entityType: event.entityType || event.targetType || "unknown",
       entityId: event.entityId || event.targetId || null,
       before: event.before || null,
       after: event.after || null,
       meta: scrubObject({
         ...(event.meta || {}),
-        outcome: event.outcome || 'success',
+        ...actionNormalizationMeta,
+        outcome: event.outcome || "success",
         context,
         details: scrubObject(event.details || {}),
       }),
-      outcome: event.outcome || 'success',
+      outcome: event.outcome || "success",
       context,
       targetType: event.targetType || event.entityType,
       targetId: event.targetId || event.entityId,
@@ -121,7 +156,7 @@ async function logAudit(event) {
     return auditEvent;
   } catch (err) {
     try {
-      console.log('[AuditLogger] Failed to log audit:', err.message);
+      console.log("[AuditLogger] Failed to log audit:", err.message);
     } catch (e) {
       // ignore
     }
@@ -139,13 +174,15 @@ function auditMiddleware(action, options = {}) {
   return (req, res, next) => {
     const originalEnd = res.end;
     res.end = function (...args) {
-      const outcome = res.statusCode >= 400 ? 'failure' : 'success';
+      const outcome = res.statusCode >= 400 ? "failure" : "success";
       logAuditSync({
         req,
         action,
         outcome,
         entityType: options.entityType || options.targetType,
-        entityId: options.getEntityId ? options.getEntityId(req) : (req.params?.id || req.params?.key),
+        entityId: options.getEntityId
+          ? options.getEntityId(req)
+          : req.params?.id || req.params?.key,
         details: options.getDetails ? options.getDetails(req, res) : undefined,
       });
       return originalEnd.apply(this, args);
@@ -161,5 +198,6 @@ module.exports = {
   getConfig,
   extractActor,
   extractContext,
+  normalizeAction,
   scrubObject,
 };

package/src/services/email.service.js

@@ -12,12 +12,22 @@ const CACHE_TTL = 60000; // 1 minute
 
 // Helper to get setting with cache
 const getSetting = async (key, defaultValue) => {
+  // Try to initialize Resend if not already initialized
+  if (!resendClient && key === "RESEND_API_KEY") {
+    // We'll let the lazy init handle it below to avoid recursion
+  }
+
   const cached = settingsCache.get(key);
   if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
     return cached.value;
   }
 
   try {
+    // If we're not connected yet, avoid buffering and return default
+    if (mongoose.connection.readyState !== 1) {
+      return defaultValue;
+    }
+
     const setting = await GlobalSetting.findOne({ key }).lean();
     const value = setting ? setting.value : defaultValue;
     settingsCache.set(key, { value, timestamp: Date.now() });
@@ -40,6 +50,9 @@ const replaceTemplateVars = (template, variables) => {
 
 // Initialize Resend client if API key is available
 const initResend = async () => {
+  // Only init if we have a connection
+  if (mongoose.connection.readyState !== 1) return;
+
   // Try to get API key from settings first, then fall back to env
   const apiKey = await getSetting("RESEND_API_KEY", process.env.RESEND_API_KEY);
 
@@ -57,9 +70,6 @@ const initResend = async () => {
   }
 };
 
-// Initialize on module load
-initResend().catch((err) => console.error("Error initializing Resend:", err));
-
 const sendEmail = async ({
   to,
   subject,
@@ -70,6 +80,11 @@ const sendEmail = async ({
   type = "other",
   metadata,
 }) => {
+  // Lazy initialize Resend if needed
+  if (!resendClient) {
+    await initResend();
+  }
+
   const defaultFrom =
     from ||
     (await getSetting(

package/src/services/superDemosAuthoringSessions.service.js

@@ -0,0 +1,132 @@
+const crypto = require('crypto');
+
+const DEFAULT_TTL_MS = 10 * 60 * 1000;
+
+function base64UrlEncode(buf) {
+  return buf
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+function newId(prefix) {
+  const raw = crypto.randomBytes(16);
+  return `${prefix}_${base64UrlEncode(raw)}`.toLowerCase();
+}
+
+function newToken() {
+  const raw = crypto.randomBytes(32);
+  return `sdt_${base64UrlEncode(raw)}`;
+}
+
+const sessions = new Map(); // sessionId -> session
+
+function nowMs() {
+  return Date.now();
+}
+
+function cleanupExpired() {
+  const t = nowMs();
+  for (const [id, s] of sessions.entries()) {
+    if (s.expiresAtMs <= t) {
+      sessions.delete(id);
+      try {
+        if (s.adminWs && s.adminWs.close) s.adminWs.close();
+      } catch {}
+      try {
+        if (s.sdkWs && s.sdkWs.close) s.sdkWs.close();
+      } catch {}
+    }
+  }
+}
+
+function createSession({ projectId = null, demoId = null, ttlMs = DEFAULT_TTL_MS } = {}) {
+  cleanupExpired();
+
+  const sessionId = newId('sd_sess');
+  const token = newToken();
+
+  const createdAtMs = nowMs();
+  const expiresAtMs = createdAtMs + (Number(ttlMs) > 0 ? Number(ttlMs) : DEFAULT_TTL_MS);
+
+  const session = {
+    sessionId,
+    token,
+    projectId: projectId ? String(projectId) : null,
+    demoId: demoId ? String(demoId) : null,
+    createdAtMs,
+    expiresAtMs,
+    adminWs: null,
+    sdkWs: null,
+  };
+
+  sessions.set(sessionId, session);
+  return { sessionId, token, expiresAtMs };
+}
+
+function getSession(sessionId) {
+  cleanupExpired();
+  const id = String(sessionId || '').trim();
+  if (!id) return null;
+  const s = sessions.get(id);
+  if (!s) return null;
+  if (s.expiresAtMs <= nowMs()) {
+    sessions.delete(id);
+    return null;
+  }
+  return s;
+}
+
+function validateToken(sessionId, token) {
+  const s = getSession(sessionId);
+  if (!s) return false;
+  return String(s.token) === String(token || '');
+}
+
+function attachClient(sessionId, role, ws) {
+  const s = getSession(sessionId);
+  if (!s) return null;
+  if (role === 'admin') s.adminWs = ws;
+  if (role === 'sdk') s.sdkWs = ws;
+  return s;
+}
+
+function detachClient(sessionId, role, ws) {
+  const s = getSession(sessionId);
+  if (!s) return null;
+  if (role === 'admin' && s.adminWs === ws) s.adminWs = null;
+  if (role === 'sdk' && s.sdkWs === ws) s.sdkWs = null;
+  return s;
+}
+
+function destroySession(sessionId) {
+  const id = String(sessionId || '').trim();
+  if (!id) return false;
+  const s = sessions.get(id);
+  sessions.delete(id);
+  if (s) {
+    try {
+      if (s.adminWs && s.adminWs.close) s.adminWs.close();
+    } catch {}
+    try {
+      if (s.sdkWs && s.sdkWs.close) s.sdkWs.close();
+    } catch {}
+  }
+  return Boolean(s);
+}
+
+function _resetForTests() {
+  sessions.clear();
+}
+
+module.exports = {
+  DEFAULT_TTL_MS,
+  createSession,
+  getSession,
+  validateToken,
+  attachClient,
+  detachClient,
+  destroySession,
+  _resetForTests,
+};

package/src/services/superDemosWs.service.js

@@ -0,0 +1,164 @@
+const { WebSocketServer } = require('ws');
+const url = require('url');
+
+const SuperDemoProject = require('../models/SuperDemoProject');
+const sessions = require('./superDemosAuthoringSessions.service');
+
+function toStr(v) {
+  return v === undefined || v === null ? '' : String(v);
+}
+
+function normalizeOrigin(o) {
+  const s = toStr(o).trim();
+  return s.replace(/\/$/, '');
+}
+
+function safeSend(ws, payload) {
+  try {
+    ws.send(JSON.stringify(payload));
+  } catch {}
+}
+
+function parseAndValidateQuery(parsed) {
+  const q = parsed && parsed.query ? parsed.query : {};
+  const sessionId = toStr(q.sessionId).trim();
+  const role = toStr(q.role).trim().toLowerCase();
+  const token = toStr(q.token).trim();
+
+  if (!sessionId || !token) return { ok: false, error: 'Missing sessionId/token' };
+  if (role !== 'admin' && role !== 'sdk') return { ok: false, error: 'Invalid role' };
+  if (!sessions.validateToken(sessionId, token)) return { ok: false, error: 'Invalid session' };
+
+  return { ok: true, sessionId, role, token };
+}
+
+async function isOriginAllowedForSession(req, session) {
+  // If no projectId, skip allowlist enforcement.
+  if (!session || !session.projectId) return true;
+
+  const origin = normalizeOrigin(req.headers?.origin);
+  // If origin header is missing (some WS clients), allow.
+  if (!origin) return true;
+
+  let project;
+  try {
+    project = await SuperDemoProject.findOne({ projectId: session.projectId, isActive: true }).lean();
+  } catch {
+    // If DB lookup fails, fail open for now (v1).
+    return true;
+  }
+  if (!project) return true;
+
+  const allowed = Array.isArray(project.allowedOrigins) ? project.allowedOrigins : [];
+  if (allowed.length === 0) return true;
+
+  const allowedNorm = allowed.map(normalizeOrigin).filter(Boolean);
+  return allowedNorm.includes(origin);
+}
+
+function attachSuperDemosWebsocketServer(server) {
+  const wsPath = '/api/superdemos/ws';
+  const wss = new WebSocketServer({ noServer: true });
+
+  server.on('upgrade', async (req, socket, head) => {
+    const parsed = url.parse(req.url, true);
+    if (!parsed || parsed.pathname !== wsPath) return;
+
+    const validated = parseAndValidateQuery(parsed);
+    if (!validated.ok) {
+      try {
+        socket.destroy();
+      } catch {}
+      return;
+    }
+
+    const session = sessions.getSession(validated.sessionId);
+    if (!session) {
+      try {
+        socket.destroy();
+      } catch {}
+      return;
+    }
+
+    if (validated.role === 'sdk') {
+      const okOrigin = await isOriginAllowedForSession(req, session);
+      if (!okOrigin) {
+        try {
+          socket.destroy();
+        } catch {}
+        return;
+      }
+    }
+
+    wss.handleUpgrade(req, socket, head, (ws) => {
+      wss.emit('connection', ws, req, parsed);
+    });
+  });
+
+  wss.on('connection', (ws, _req, parsed) => {
+    const validated = parseAndValidateQuery(parsed);
+    if (!validated.ok) {
+      safeSend(ws, { type: 'error', error: validated.error });
+      ws.close();
+      return;
+    }
+
+    const { sessionId, role } = validated;
+    const session = sessions.attachClient(sessionId, role, ws);
+    if (!session) {
+      safeSend(ws, { type: 'error', error: 'Session expired' });
+      ws.close();
+      return;
+    }
+
+    ws._sbSuperDemos = { sessionId, role };
+
+    safeSend(ws, { type: 'hello', sessionId, role, expiresAtMs: session.expiresAtMs });
+
+    const peer = role === 'admin' ? session.sdkWs : session.adminWs;
+    if (peer && peer.readyState === peer.OPEN) {
+      safeSend(ws, { type: 'peer_status', peerRole: role === 'admin' ? 'sdk' : 'admin', status: 'connected' });
+    } else {
+      safeSend(ws, { type: 'peer_status', peerRole: role === 'admin' ? 'sdk' : 'admin', status: 'disconnected' });
+    }
+
+    // Notify other side.
+    if (peer && peer.readyState === peer.OPEN) {
+      safeSend(peer, { type: 'peer_status', peerRole: role, status: 'connected' });
+    }
+
+    ws.on('message', (raw) => {
+      const s = sessions.getSession(sessionId);
+      if (!s) return;
+
+      const other = role === 'admin' ? s.sdkWs : s.adminWs;
+      if (!other || other.readyState !== other.OPEN) return;
+
+      // Relay as-is if it is valid JSON.
+      try {
+        const msg = JSON.parse(toStr(raw));
+        safeSend(other, msg);
+      } catch {
+        // ignore invalid frames
+      }
+    });
+
+    function cleanup() {
+      const s = sessions.detachClient(sessionId, role, ws);
+      if (!s) return;
+      const other = role === 'admin' ? s.sdkWs : s.adminWs;
+      if (other && other.readyState === other.OPEN) {
+        safeSend(other, { type: 'peer_status', peerRole: role, status: 'disconnected' });
+      }
+    }
+
+    ws.on('close', cleanup);
+    ws.on('error', cleanup);
+  });
+
+  return { wss, wsPath };
+}
+
+module.exports = {
+  attachSuperDemosWebsocketServer,
+};

package/src/services/terminalsWs.service.js

@@ -29,7 +29,7 @@ function attachTerminalWebsocketServer(server, options = {}) {
     const parsed = url.parse(req.url, true);
     if (!parsed || parsed.pathname !== wsPath) return;
 
-    console.log(`[Terminals] WebSocket upgrade request for ${parsed.pathname}`);
+    //console.log(`[Terminals] WebSocket upgrade request for ${parsed.pathname}`);
     wss.handleUpgrade(req, socket, head, (ws) => {
       wss.emit('connection', ws, req, parsed);
     });
@@ -62,6 +62,7 @@ function attachTerminalWebsocketServer(server, options = {}) {
 
     s.pty.onData(onData);
 
+    // Enhanced message handler with ping/pong support
     ws.on('message', (raw) => {
       touch(sessionId);
       let msg;
@@ -79,19 +80,50 @@ function attachTerminalWebsocketServer(server, options = {}) {
       if (msg.type === 'resize') {
         resizeSession(sessionId, msg.cols, msg.rows);
       }
+
+      // Handle ping messages with pong response
+      if (msg.type === 'ping') {
+        try {
+          ws.send(JSON.stringify({ type: 'pong' }));
+          console.log(`[Terminals] Pong sent for session ${sessionId}`);
+        } catch (error) {
+          console.error(`[Terminals] Failed to send pong for session ${sessionId}:`, error);
+        }
+      }
     });
 
-    ws.on('close', () => {
+    ws.on('close', (code, reason) => {
+      console.log(`[Terminals] WebSocket closed for session ${sessionId}, code: ${code}, reason: ${reason}`);
       try {
         s.pty.offData(onData);
       } catch {}
     });
 
-    ws.on('error', () => {
+    ws.on('error', (error) => {
+      console.error(`[Terminals] WebSocket error for session ${sessionId}:`, error);
       try {
         s.pty.offData(onData);
       } catch {}
     });
+
+    // Set up connection timeout detection
+    const pingInterval = setInterval(() => {
+      if (ws.readyState === WebSocket.OPEN) {
+        try {
+          ws.send(JSON.stringify({ type: 'ping' }));
+        } catch (error) {
+          console.error(`[Terminals] Failed to send server ping for session ${sessionId}:`, error);
+          clearInterval(pingInterval);
+          ws.close();
+        }
+      } else {
+        clearInterval(pingInterval);
+      }
+    }, 45000); // Server ping every 45 seconds
+
+    ws.on('close', () => {
+      clearInterval(pingInterval);
+    });
   });
 
   return { wss, wsPath };

package/src/utils/rbac/rightsRegistry.js

@@ -61,6 +61,8 @@ const DEFAULT_RIGHTS = [
   'admin_panel__file-manager:write',
   'admin_panel__ui-components:read',
   'admin_panel__ui-components:write',
+  'admin_panel__superdemos:read',
+  'admin_panel__superdemos:write',
   'admin_panel__headless:read',
   'admin_panel__headless:write',
   'admin_panel__pages:read',