@intranefr/superbackend 1.7.9 → 1.7.10

package/index.js

@@ -1,4 +1,6 @@
-require("dotenv").config({ path: process.env.ENV_FILE || ".env" });
+if (!process.env.SUPERBACKEND_AS_MIDDLEWARE) {
+  require("dotenv").config({ path: process.env.ENV_FILE || ".env" });
+}
 const express = require("express");
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intranefr/superbackend",
-  "version": "1.7.9",
+  "version": "1.7.10",
   "description": "Node.js middleware that gives your project backend superpowers",
   "main": "index.js",
   "bin": {
@@ -44,6 +44,7 @@
     "@aws-sdk/client-s3": "^3.0.0",
     "@intranefr/superbackend": "^1.7.7",
     "axios": "^1.13.2",
+    "basic-auth": "^2.0.1",
     "bcryptjs": "^2.4.3",
     "cheerio": "^1.0.0-rc.12",
     "connect-mongo": "^5.1.0",

package/src/controllers/publicExport.controller.js

@@ -0,0 +1,146 @@
+const express = require('express');
+const router = express.Router();
+const path = require('path');
+const fs = require('fs');
+const waitingListPublicExportsService = require('../services/waitingListPublicExports.service');
+const waitingListService = require('../services/waitingListJson.service');
+const { logAudit } = require('../services/auditLogger');
+
+/**
+ * GET /share/export/:name - Public export access page
+ */
+router.get('/:name', async (req, res) => {
+  try {
+    const { name } = req.params;
+    const { format = 'csv', error } = req.query;
+
+    // Validate format
+    if (!['csv', 'json'].includes(format)) {
+      return res.status(400).send('Invalid format. Must be csv or json.');
+    }
+
+    // Find export configuration
+    const exportConfig = await waitingListPublicExportsService.getPublicExportByName(name);
+    if (!exportConfig) {
+      return res.status(404).send('Export not found');
+    }
+
+    // If no password protection, redirect to immediate download
+    if (!exportConfig.password) {
+      const downloadUrl = `/api/waiting-list/share/export?type=${encodeURIComponent(name)}&format=${format}`;
+      return res.redirect(downloadUrl);
+    }
+
+    // Show password entry page
+    const templatePath = path.join(__dirname, '..', '..', 'views', 'public-export-password.ejs');
+    fs.readFile(templatePath, 'utf8', (err, template) => {
+      if (err) {
+        console.error('Error reading template:', err);
+        return res.status(500).send('Error loading page');
+      }
+
+      try {
+        let html = template
+          .replace(/<%= exportName %>/g, exportConfig.name)
+          .replace(/<%= exportType %>/g, exportConfig.type)
+          .replace(/<%= format %>/g, format)
+          .replace(/<%= format\.toUpperCase\(\) %>/g, format.toUpperCase())
+          .replace(/<%= format === 'csv' \? 'bg-green-100 text-green-800' : 'bg-blue-100 text-blue-800' %>/g, 
+            format === 'csv' ? 'bg-green-100 text-green-800' : 'bg-blue-100 text-blue-800')
+          .replace(/<%= error %>/g, error || '');
+
+        // Handle error conditional
+        if (error) {
+          html = html.replace(/<% if \(error\) \{ %>/g, '').replace(/<% } %>/g, '');
+        } else {
+          // Remove the entire error div when no error
+          html = html.replace(/<% if \(error\) \{ %>[\s\S]*?<% } %>/g, '');
+        }
+
+        res.send(html);
+      } catch (renderErr) {
+        console.error('Error rendering template:', renderErr);
+        res.status(500).send('Error rendering page');
+      }
+    });
+
+  } catch (error) {
+    console.error('Public export page error:', error);
+    res.status(500).send('Internal server error');
+  }
+});
+
+/**
+ * POST /share/export/:name/auth - Password validation
+ */
+router.post('/:name/auth', async (req, res) => {
+  try {
+    const { name } = req.params;
+    const { password, format = 'csv' } = req.body;
+
+    // Validate required fields
+    if (!password) {
+      return res.status(400).json({ error: 'Password is required' });
+    }
+
+    if (!['csv', 'json'].includes(format)) {
+      return res.status(400).json({ error: 'Invalid format' });
+    }
+
+    // Find export configuration
+    const exportConfig = await waitingListPublicExportsService.getPublicExportByName(name);
+    if (!exportConfig) {
+      return res.status(404).json({ error: 'Export not found' });
+    }
+
+    // Validate password
+    const isValidPassword = await waitingListPublicExportsService.validateExportPassword(exportConfig, password);
+    if (!isValidPassword) {
+      // Log failed attempt
+      await logAudit({
+        action: 'public.waiting_list.export.auth_failed',
+        entityType: 'WaitingListPublicExport',
+        req,
+        details: {
+          exportName: name,
+          ip: req.ip,
+          userAgent: req.headers['user-agent'],
+          authMethod: 'web_form'
+        }
+      });
+
+      return res.status(401).json({ error: 'Invalid password' });
+    }
+
+    // Set session for authenticated access
+    req.session.exportAuth = req.session.exportAuth || {};
+    req.session.exportAuth[name] = {
+      authenticated: true,
+      timestamp: Date.now(),
+      format: format
+    };
+
+    // Log successful authentication
+    await logAudit({
+      action: 'public.waiting_list.export.auth_success',
+      entityType: 'WaitingListPublicExport',
+      req,
+      details: {
+        exportName: name,
+        ip: req.ip,
+        userAgent: req.headers['user-agent'],
+        authMethod: 'web_form'
+      }
+    });
+
+    // Return download URL
+    const downloadUrl = `/api/waiting-list/share/export?type=${encodeURIComponent(name)}&format=${format}`;
+    res.json({ downloadUrl });
+
+  } catch (error) {
+    console.error('Password validation error:', error);
+    res.status(500).json({ error: 'Authentication failed' });
+  }
+});
+
+module.exports = router;

package/src/controllers/waitingList.controller.js

@@ -1,5 +1,7 @@
 const waitingListService = require('../services/waitingListJson.service');
+const waitingListPublicExportsService = require('../services/waitingListPublicExports.service');
 const { validateEmail, sanitizeString } = require('../utils/validation');
+const basicAuth = require('basic-auth');
 
 // Subscribe to waiting list
 exports.subscribe = async (req, res) => {
@@ -272,3 +274,303 @@ exports.bulkRemove = async (req, res) => {
     return res.status(500).json({ error: 'Failed to bulk remove entries' });
   }
 };
+
+// Public export endpoint
+exports.publicExport = async (req, res) => {
+  try {
+    const { type, format = 'csv', password: queryPassword } = req.query;
+
+    // Validate required parameters
+    if (!type) {
+      return res.status(400).json({ 
+        error: 'Type parameter is required',
+        field: 'type'
+      });
+    }
+
+    // Validate format
+    if (!['csv', 'json'].includes(format)) {
+      return res.status(400).json({ 
+        error: 'Format must be either "csv" or "json"',
+        field: 'format'
+      });
+    }
+
+    // Find export configuration by type
+    const exportConfig = await waitingListPublicExportsService.getPublicExportByName(type);
+    if (!exportConfig) {
+      return res.status(404).json({ 
+        error: 'Export configuration not found',
+        field: 'type'
+      });
+    }
+
+    // Check password protection (support multiple authentication methods)
+    let providedPassword = null;
+    let authMethod = 'none';
+
+    if (exportConfig.password) {
+      // First check session authentication (web form)
+      if (req.session && req.session.exportAuth && req.session.exportAuth[type] && 
+          req.session.exportAuth[type].authenticated && 
+          req.session.exportAuth[type].format === format) {
+        // Session is valid (5 minute expiry)
+        const sessionAge = Date.now() - req.session.exportAuth[type].timestamp;
+        if (sessionAge < 5 * 60 * 1000) { // 5 minutes
+          authMethod = 'session';
+        } else {
+          // Session expired, remove it
+          delete req.session.exportAuth[type];
+        }
+      }
+
+      // If no valid session, check query parameter
+      if (authMethod === 'none' && queryPassword) {
+        providedPassword = queryPassword;
+        authMethod = 'query';
+      } else if (authMethod === 'none') {
+        // Fall back to Basic Auth
+        const auth = basicAuth(req);
+        if (auth && auth.pass) {
+          providedPassword = auth.pass;
+          authMethod = 'basic';
+        }
+      }
+
+      // Validate password if we have one
+      if (authMethod !== 'session') {
+        if (!providedPassword || !await waitingListPublicExportsService.validateExportPassword(exportConfig, providedPassword)) {
+          // For Basic Auth, send proper challenge
+          if (authMethod === 'none' || authMethod === 'basic') {
+            res.setHeader('WWW-Authenticate', 'Basic realm="Waiting List Export"');
+          }
+          return res.status(401).json({ 
+            error: 'Authentication required',
+            field: 'password',
+            authMethod: authMethod === 'query' ? 'query' : 'basic'
+          });
+        }
+      }
+    }
+
+    // Get filtered waiting list entries
+    const { entries } = await waitingListService.getWaitingListEntriesAdmin({
+      type: exportConfig.type,
+      status: 'active',
+      limit: 100000, // Large limit to get all entries
+      offset: 0
+    });
+
+    // Record access for analytics
+    await waitingListPublicExportsService.recordExportAccess(exportConfig.name, req, authMethod);
+
+    // Export in requested format
+    if (format === 'json') {
+      res.setHeader('Content-Type', 'application/json');
+      res.setHeader('Content-Disposition', `attachment; filename="waiting-list-${exportConfig.type}-${new Date().toISOString().split('T')[0]}.json"`);
+      
+      const exportData = {
+        export: {
+          name: exportConfig.name,
+          type: exportConfig.type,
+          exportedAt: new Date().toISOString(),
+          totalEntries: entries.length,
+          authMethod
+        },
+        entries: entries.map(entry => ({
+          email: entry.email,
+          type: entry.type,
+          status: entry.status,
+          referralSource: entry.referralSource,
+          createdAt: entry.createdAt,
+          updatedAt: entry.updatedAt
+        }))
+      };
+      
+      return res.json(exportData);
+    } else {
+      // CSV format
+      res.setHeader('Content-Type', 'text/csv');
+      res.setHeader('Content-Disposition', `attachment; filename="waiting-list-${exportConfig.type}-${new Date().toISOString().split('T')[0]}.csv"`);
+
+      // CSV header row
+      const csvRows = [
+        ['Email', 'Type', 'Status', 'Referral Source', 'Created At', 'Updated At']
+      ];
+
+      // Data rows
+      entries.forEach(entry => {
+        csvRows.push([
+          entry.email || '',
+          entry.type || '',
+          entry.status || '',
+          entry.referralSource || '',
+          entry.createdAt ? new Date(entry.createdAt).toISOString() : '',
+          entry.updatedAt ? new Date(entry.updatedAt).toISOString() : ''
+        ]);
+      });
+
+      // Convert to CSV string with proper escaping
+      const csvContent = csvRows.map(row => 
+        row.map(cell => {
+          const str = String(cell || '');
+          // Escape quotes and wrap in quotes if contains comma, quote, or newline
+          if (str.includes(',') || str.includes('"') || str.includes('\n')) {
+            return `"${str.replace(/"/g, '""')}"`;
+          }
+          return str;
+        }).join(',')
+      ).join('\n');
+
+      return res.send(csvContent);
+    }
+  } catch (error) {
+    console.error('Public export error:', error);
+    return res.status(500).json({ error: 'Failed to export data' });
+  }
+};
+
+// Admin: Get all public exports
+exports.getPublicExports = async (req, res) => {
+  try {
+    const result = await waitingListPublicExportsService.getPublicExports();
+    res.json(result);
+  } catch (error) {
+    console.error('Get public exports error:', error);
+    return res.status(500).json({ error: 'Failed to get public exports' });
+  }
+};
+
+// Admin: Create public export
+exports.createPublicExport = async (req, res) => {
+  try {
+    const { name, type, password, format = 'csv' } = req.body;
+
+    // Validate required fields
+    if (!name) {
+      return res.status(400).json({ 
+        error: 'Name is required',
+        field: 'name'
+      });
+    }
+
+    if (!type) {
+      return res.status(400).json({ 
+        error: 'Type is required',
+        field: 'type'
+      });
+    }
+
+    // Hash password if provided
+    let hashedPassword = null;
+    if (password) {
+      hashedPassword = await waitingListPublicExportsService.hashPassword(password);
+    }
+
+    const exportConfig = await waitingListPublicExportsService.createPublicExport({
+      name: name.trim(),
+      type: type.trim(),
+      password: hashedPassword,
+      format
+    }, req.user?.username || 'admin');
+
+    // Don't return password hash in response
+    const response = { ...exportConfig };
+    delete response.password;
+    response.hasPassword = !!password;
+
+    res.status(201).json({
+      message: 'Public export created successfully',
+      data: response
+    });
+  } catch (error) {
+    console.error('Create public export error:', error);
+    
+    if (error.code === 'VALIDATION') {
+      return res.status(400).json({ 
+        error: error.message,
+        field: 'general'
+      });
+    }
+    
+    if (error.code === 'DUPLICATE_NAME') {
+      return res.status(409).json({ 
+        error: error.message,
+        field: 'name'
+      });
+    }
+
+    return res.status(500).json({ error: 'Failed to create public export' });
+  }
+};
+
+// Admin: Update public export
+exports.updatePublicExport = async (req, res) => {
+  try {
+    const { id } = req.params;
+    const { name, type, password, format } = req.body;
+
+    const updates = {};
+    if (name !== undefined) updates.name = name.trim();
+    if (type !== undefined) updates.type = type.trim();
+    if (format !== undefined) updates.format = format;
+    if (password !== undefined) {
+      updates.password = password ? await waitingListPublicExportsService.hashPassword(password) : null;
+    }
+
+    const result = await waitingListPublicExportsService.updatePublicExport(id, updates, req.user?.username || 'admin');
+    
+    // Don't return password hash in response
+    const updatedExport = result.exports.find(e => e.id === id);
+    const response = { ...updatedExport };
+    delete response.password;
+    response.hasPassword = !!updatedExport.password;
+
+    res.json({
+      message: 'Public export updated successfully',
+      data: response
+    });
+  } catch (error) {
+    console.error('Update public export error:', error);
+    
+    if (error.code === 'VALIDATION') {
+      return res.status(400).json({ 
+        error: error.message,
+        field: 'general'
+      });
+    }
+    
+    if (error.code === 'NOT_FOUND') {
+      return res.status(404).json({ 
+        error: 'Public export not found',
+        field: 'id'
+      });
+    }
+
+    return res.status(500).json({ error: 'Failed to update public export' });
+  }
+};
+
+// Admin: Delete public export
+exports.deletePublicExport = async (req, res) => {
+  try {
+    const { id } = req.params;
+
+    await waitingListPublicExportsService.deletePublicExport(id, req.user?.username || 'admin');
+
+    res.json({
+      message: 'Public export deleted successfully'
+    });
+  } catch (error) {
+    console.error('Delete public export error:', error);
+    
+    if (error.code === 'NOT_FOUND') {
+      return res.status(404).json({ 
+        error: 'Public export not found',
+        field: 'id'
+      });
+    }
+
+    return res.status(500).json({ error: 'Failed to delete public export' });
+  }
+};

package/src/middleware.js

@@ -228,7 +228,6 @@ function createMiddleware(options = {}) {
   // Database connection
   const mongoUri =
     options.mongodbUri ||
-    options.dbConnection ||
     process.env.MONGODB_URI ||
     process.env.MONGO_URI;
 
@@ -539,15 +538,8 @@ function createMiddleware(options = {}) {
     router.use(express.urlencoded({ extended: true }));
   }
 
-  // Session middleware for admin authentication
-  const sessionMongoUrl = options.mongodbUri || process.env.MONGODB_URI || process.env.MONGO_URI;
-  const sessionStore = !isJest && sessionMongoUrl
-    ? MongoStore.create({
-      mongoUrl: sessionMongoUrl,
-      collectionName: 'admin_sessions',
-      ttl: 24 * 60 * 60 // 24 hours in seconds
-    })
-    : undefined;
+  // Session middleware - disabled for now (MongoDB at 27018 requires auth for writes)
+  const sessionStore = undefined;
 
   const sessionMiddleware = session({
     secret: process.env.SESSION_SECRET || 'superbackend-session-secret-fallback',
@@ -2290,6 +2282,9 @@ res.status(500).send("Error rendering page");
     next();
   });
 
+  // Public export pages
+  router.use("/share/export", require("./routes/publicExport.routes"));
+
   // Public pages router (catch-all, must be last before error handler)
   router.use(require("./routes/pages.routes"));
 

package/src/models/User.js

@@ -92,11 +92,6 @@ const userSchema = new mongoose.Schema({
   timestamps: true
 });
 
-// Indexes
-userSchema.index({ email: 1 });
-userSchema.index({ githubId: 1 });
-userSchema.index({ clerkUserId: 1 });
-
 // Hash password before saving
 userSchema.pre('save', async function(next) {
   if (!this.isModified('passwordHash')) return next();

package/src/routes/publicExport.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+const publicExportController = require('../controllers/publicExport.controller');
+
+// Public export access page and authentication
+router.get('/:name', publicExportController);
+router.post('/:name/auth', publicExportController);
+
+module.exports = router;

package/src/routes/waitingList.routes.js

@@ -4,6 +4,7 @@ const waitingListController = require('../controllers/waitingList.controller');
 const asyncHandler = require('../utils/asyncHandler');
 const { auditMiddleware } = require('../services/auditLogger');
 const rateLimiter = require('../services/rateLimiter.service');
+const basicAuth = require('basic-auth');
 
 // POST /api/waiting-list/subscribe - Subscribe to waiting list
 // Rate limited by IP to prevent spam/abuse (1 request per minute)
@@ -20,4 +21,11 @@ router.get('/stats',
   asyncHandler(waitingListController.getStats)
 );
 
+// GET /api/waiting-list/share/export - Public export endpoint
+// Rate limited to prevent abuse (10 requests per minute)
+router.get('/share/export', 
+  rateLimiter.limit('waitingListPublicExportLimiter'),
+  asyncHandler(waitingListController.publicExport)
+);
+
 module.exports = router;

package/src/routes/waitingListAdmin.routes.js

@@ -9,4 +9,10 @@ router.get('/types', adminSessionAuth, asyncHandler(waitingListController.getTyp
 router.get('/export-csv', adminSessionAuth, asyncHandler(waitingListController.exportCsv));
 router.post('/bulk-remove', adminSessionAuth, asyncHandler(waitingListController.bulkRemove));
 
+// Public exports management
+router.get('/public-exports', adminSessionAuth, asyncHandler(waitingListController.getPublicExports));
+router.post('/public-exports', adminSessionAuth, asyncHandler(waitingListController.createPublicExport));
+router.put('/public-exports/:id', adminSessionAuth, asyncHandler(waitingListController.updatePublicExport));
+router.delete('/public-exports/:id', adminSessionAuth, asyncHandler(waitingListController.deletePublicExport));
+
 module.exports = router;