npm - @lenne.tech/nest-server - Versions diffs - 10.0.7 → 10.0.8 - Mend

@lenne.tech/nest-server 10.0.7 → 10.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/dist/config.env.js +1 -0
package/dist/config.env.js.map +1 -1
package/dist/core/common/interfaces/cron-job-config.interface.d.ts +1 -0
package/dist/core/common/services/core-cron-jobs.service.js +4 -3
package/dist/core/common/services/core-cron-jobs.service.js.map +1 -1
package/dist/core/common/types/wrapper.type.d.ts +1 -0
package/dist/core/common/types/wrapper.type.js +3 -0
package/dist/core/common/types/wrapper.type.js.map +1 -0
package/dist/core.module.js +4 -0
package/dist/core.module.js.map +1 -1
package/dist/index.d.ts +1 -0
package/dist/index.js +1 -0
package/dist/index.js.map +1 -1
package/dist/tsconfig.build.tsbuildinfo +1 -1
package/package.json +12 -12
package/src/config.env.ts +25 -0
package/src/core/common/interfaces/cron-job-config.interface.ts +9 -3
package/src/core/common/interfaces/server-options.interface.ts +7 -0
package/src/core/common/services/core-cron-jobs.service.ts +7 -4
package/src/core/common/types/wrapper.type.ts +10 -0
package/src/core.module.ts +6 -0
package/src/index.ts +1 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "10.0.7",
+  "version": "10.0.8",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -75,13 +75,13 @@
     "@nestjs/terminus": "10.0.1",
     "apollo-server-core": "3.11.1",
     "apollo-server-express": "3.11.1",
-    "bcrypt": "5.1.0",
+    "bcrypt": "5.1.1",
     "class-transformer": "0.5.1",
     "class-validator": "0.14.0",
     "compression": "1.7.4",
     "cookie-parser": "1.4.6",
     "ejs": "3.1.9",
-    "graphql": "16.7.1",
+    "graphql": "16.8.0",
     "graphql-query-complexity": "0.12.0",
     "graphql-subscriptions": "2.0.0",
     "graphql-upload": "15.0.2",
@@ -89,7 +89,7 @@
     "json-to-graphql-query": "2.2.5",
     "light-my-request": "5.10.0",
     "lodash": "4.17.21",
-    "mongodb": "4.16.0",
+    "mongodb": "4.17.0",
     "mongoose": "6.11.5",
     "mongoose-gridfs": "1.3.0",
     "multer": "1.4.5-lts.1",
@@ -109,12 +109,12 @@
     "@babel/plugin-proposal-private-methods": "7.18.6",
     "@compodoc/compodoc": "1.1.21",
     "@lenne.tech/eslint-config-ts": "0.0.9",
-    "@nestjs/cli": "10.1.11",
+    "@nestjs/cli": "10.1.12",
     "@nestjs/schematics": "10.0.2",
     "@nestjs/testing": "10.1.3",
     "@swc/cli": "0.1.62",
-    "@swc/core": "1.3.76",
-    "@swc/jest": "0.2.28",
+    "@swc/core": "1.3.78",
+    "@swc/jest": "0.2.29",
     "@types/compression": "1.7.2",
     "@types/cookie-parser": "1.4.3",
     "@types/cron": "2.0.1",
@@ -123,14 +123,14 @@
     "@types/jest": "29.5.3",
     "@types/lodash": "4.14.197",
     "@types/multer": "1.4.7",
-    "@types/node": "20.4.9",
+    "@types/node": "20.5.1",
     "@types/nodemailer": "6.4.9",
     "@types/passport": "1.0.12",
     "@types/supertest": "2.0.12",
-    "@typescript-eslint/eslint-plugin": "6.3.0",
-    "@typescript-eslint/parser": "6.3.0",
+    "@typescript-eslint/eslint-plugin": "6.4.0",
+    "@typescript-eslint/parser": "6.4.0",
     "coffeescript": "2.7.0",
-    "eslint": "8.46.0",
+    "eslint": "8.47.0",
     "eslint-config-prettier": "9.0.0",
     "eslint-plugin-unused-imports": "3.0.0",
     "find-file-up": "2.0.1",
@@ -143,7 +143,7 @@
     "jest": "29.6.2",
     "npm-watch": "0.11.0",
     "pm2": "5.3.0",
-    "prettier": "3.0.1",
+    "prettier": "3.0.2",
     "pretty-quick": "3.1.3",
     "supertest": "6.3.3",
     "ts-jest": "29.1.1",

package/src/config.env.ts CHANGED Viewed

@@ -18,6 +18,7 @@ const config: { [env: string]: IServerOptions } = {
       sayHello: {
         cronTime: CronExpression.EVERY_10_SECONDS,
         runOnInit: false,
+        disabled: false,
         runParallel: 1,
         timeZone: 'Europe/Berlin',
         throwException: false,
@@ -65,12 +66,20 @@ const config: { [env: string]: IServerOptions } = {
     },
     ignoreSelectionsForPopulate: true,
     jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      // tslint:disable-next-line:max-line-length
       secret: 'SECRET_OR_PRIVATE_KEY_LOCAL',
       signInOptions: {
         expiresIn: '15m',
       },
       refresh: {
         renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        // tslint:disable-next-line:max-line-length
         secret: 'SECRET_OR_PRIVATE_KEY_LOCAL_REFRESH',
         signInOptions: {
           expiresIn: '7d',
@@ -147,12 +156,20 @@ const config: { [env: string]: IServerOptions } = {
     },
     ignoreSelectionsForPopulate: true,
     jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      // tslint:disable-next-line:max-line-length
       secret: 'SECRET_OR_PRIVATE_KEY_DEV',
       signInOptions: {
         expiresIn: '15m',
       },
       refresh: {
         renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        // tslint:disable-next-line:max-line-length
         secret: 'SECRET_OR_PRIVATE_KEY_DEV_REFRESH',
         signInOptions: {
           expiresIn: '7d',
@@ -229,12 +246,20 @@ const config: { [env: string]: IServerOptions } = {
     },
     ignoreSelectionsForPopulate: true,
     jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      // tslint:disable-next-line:max-line-length
       secret: 'SECRET_OR_PRIVATE_KEY_PROD',
       signInOptions: {
         expiresIn: '15m',
       },
       refresh: {
         renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        // tslint:disable-next-line:max-line-length
         secret: 'SECRET_OR_PRIVATE_KEY_PROD_REFRESH',
         signInOptions: {
           expiresIn: '7d',

package/src/core/common/interfaces/cron-job-config.interface.ts CHANGED Viewed

@@ -18,13 +18,19 @@ export interface CronJobConfig {
    */
   cronTime: CronExpression | string | Date | Falsy;
+  /**
+   * Whether the cron job is disabled or not.
+   * This option is set to `false` by default
+   */
+  disabled?: boolean;
   /**
    * A function that will fire when the job is complete, when it is stopped.
    */
   onComplete?: CronCommand | null;
   /**
-   * This will immediately fire your `onTickfunction` as soon as the requisit initialization has happened.
+   * This will immediately fire the `onTick` function as soon as the requisite initialization has happened.
    * This option is set to `true` by default.
    */
   runOnInit?: boolean;
@@ -58,8 +64,8 @@ export interface CronJobConfig {
   unrefTimeout?: boolean;
   /**
-   * This allows you to specify the offset of your timezone rather than using the `timeZoneparam.
-   * Probably don't use both ``timeZone` andutcOffset`` together or weird things may happen.
+   * This allows you to specify the offset of the timezone rather than using the `timeZone` parameter.
+   * Probably don't use both `timeZone` and `utcOffset` together or weird things may happen.
    */
   utcOffset?: string | number;
 }

package/src/core/common/interfaces/server-options.interface.ts CHANGED Viewed

@@ -30,6 +30,8 @@ export interface IJwt {
   /**
    * Secret to encrypt the JWT
+   * Each secret should be unique and not reused in other environments,
+   * also the JWT secret should be different from the Refresh secret!
    */
   secret?: string;
@@ -288,10 +290,15 @@ export interface IServerOptions {
   /**
    * Configuration of JavaScript Web Token (JWT) module
+   *
+   * Hint: The secrets of the different environments should be different, otherwise a JWT can be used in different
+   * environments, which can lead to security vulnerabilities.
    */
   jwt?: {
     /**
      * Configuration for refresh Token (JWT)
+     * Hint: The secret of the JWT and the Refresh Token should be different, otherwise a new RefreshToken can also be
+     * requested with the JWT, which can lead to a security vulnerability.
      */
     refresh?: {
       /**

package/src/core/common/services/core-cron-jobs.service.ts CHANGED Viewed

@@ -62,15 +62,18 @@ export abstract class CoreCronJobs implements OnApplicationBootstrap {
     // Init cron jobs
     for (const [name, CronExpressionOrConfig] of Object.entries(this.cronJobs)) {
       // Check config
-      if (!CronExpressionOrConfig) {
+      if (
+        !CronExpressionOrConfig
+        || (typeof CronExpressionOrConfig === 'object' && (CronExpressionOrConfig as CronJobConfig).disabled)
+      ) {
         continue;
       }
       // Prepare config
-      let conf: CronExpression | string | Date | Falsy | CronJobConfig = CronExpressionOrConfig;
-      if (typeof conf === 'string' || conf instanceof Date) {
+      let conf: CronJobConfig = (CronExpressionOrConfig as CronJobConfig);
+      if (typeof CronExpressionOrConfig === 'string' || CronExpressionOrConfig instanceof Date) {
         conf = {
-          cronTime: conf,
+          cronTime: CronExpressionOrConfig as string | Date,
         };
       }

package/src/core/common/types/wrapper.type.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Wrapper type used to circumvent ESM modules circular dependency issue
+ * caused by reflection metadata saving the type of the property.
+ *
+ * It is needed if swc is used and ReferenceError occurs:
+ * @Inject(forwardRef(() => CustomService)) private readonly customService: WrapperType<CustomService>,
+ *
+ * See https://docs.nestjs.com/recipes/swc#common-pitfalls
+ */
+export type WrapperType<T> = T; // WrapperType === Relation

package/src/core.module.ts CHANGED Viewed

@@ -128,6 +128,12 @@ export class CoreModule implements NestModule {
       options,
     );
+    // Check secrets
+    const jwtConfig = config.jwt;
+    if (jwtConfig?.secret && jwtConfig.secret && jwtConfig.refresh && jwtConfig.refresh.secret === jwtConfig.secret) {
+      console.warn('JWT secret and refresh secret are equal, this can lead to security vulnerabilities!');
+    }
     // Set providers
     const providers: any[] = [
       // The ConfigService provides access to the current configuration of the module

package/src/index.ts CHANGED Viewed

@@ -80,6 +80,7 @@ export * from './core/common/types/remove-methods.type';
 export * from './core/common/types/require-only-one.type';
 export * from './core/common/types/required-at-least-one.type';
 export * from './core/common/types/string-or-object-id.type';
+export * from './core/common/types/wrapper.type';
 // =====================================================================================================================
 // Core - Modules - Auth