@lenne.tech/nest-server 11.13.2 → 11.13.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.13.2",
+  "version": "11.13.3",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -54,10 +54,10 @@
     "prepack": "npm run prestart:prod",
     "prepublishOnly": "npm run lint && npm run test:ci",
     "preversion": "npm run lint",
-    "vitest": "NODE_ENV=local vitest run --config vitest-e2e.config.ts",
+    "vitest": "NODE_ENV=e2e vitest run --config vitest-e2e.config.ts",
     "vitest:ci": "NODE_ENV=ci vitest run --config vitest-e2e.config.ts",
-    "vitest:cov": "NODE_ENV=local vitest run --coverage --config vitest-e2e.config.ts",
-    "vitest:watch": "NODE_ENV=local vitest --config vitest-e2e.config.ts",
+    "vitest:cov": "NODE_ENV=e2e vitest run --coverage --config vitest-e2e.config.ts",
+    "vitest:watch": "NODE_ENV=e2e vitest --config vitest-e2e.config.ts",
     "vitest:unit": "vitest run --config vitest.config.ts",
     "test:unit:watch": "vitest --config vitest.config.ts",
     "test:types": "tsc --noEmit --skipLibCheck -p tests/types/tsconfig.json",

package/src/config.env.ts

@@ -11,6 +11,145 @@ import { IServerOptions } from './core/common/interfaces/server-options.interfac
  */
 dotenv.config();
 const config: { [env: string]: IServerOptions } = {
+  // ===========================================================================
+  // CI environment
+  // ===========================================================================
+  ci: {
+    auth: {
+      legacyEndpoints: { enabled: true },
+    },
+    automaticObjectIdFiltering: true,
+    betterAuth: {
+      // Email verification disabled for test environment (no real mailbox available)
+      emailVerification: false,
+      // JWT enabled by default (zero-config)
+      jwt: { enabled: true, expiresIn: '15m' },
+      // Passkey auto-activated when URLs can be resolved (env: 'local' → localhost defaults)
+      passkey: { enabled: true, origin: 'http://localhost:3001', rpId: 'localhost', rpName: 'Nest Server Local' },
+      rateLimit: { enabled: true, max: 100, windowSeconds: 60 },
+      secret: 'BETTER_AUTH_SECRET_LOCAL_32_CHARS_M',
+      // Social providers disabled in local environment (no credentials)
+      socialProviders: {
+        apple: { clientId: '', clientSecret: '', enabled: false },
+        github: { clientId: '', clientSecret: '', enabled: false },
+        google: { clientId: '', clientSecret: '', enabled: false },
+      },
+      // Trusted origins for Passkey (localhost defaults)
+      trustedOrigins: ['http://localhost:3000', 'http://localhost:3001'],
+      // 2FA enabled for local testing
+      twoFactor: { appName: 'Nest Server Local', enabled: true },
+    },
+    compression: true,
+    cookies: false,
+    cronJobs: {
+      sayHello: {
+        cronTime: CronExpression.EVERY_10_SECONDS,
+        disabled: false,
+        runOnInit: false,
+        runParallel: 1,
+        throwException: false,
+        timeZone: 'Europe/Berlin',
+      },
+    },
+    email: {
+      defaultSender: {
+        email: 'oren.satterfield@ethereal.email',
+        name: 'Nest Server Local',
+      },
+      mailjet: {
+        api_key_private: 'MAILJET_API_KEY_PRIVATE',
+        api_key_public: 'MAILJET_API_KEY_PUBLIC',
+      },
+      passwordResetLink: 'http://localhost:4200/user/password-reset',
+      smtp: {
+        auth: {
+          pass: 'K4DvD8U31VKseT7vQC',
+          user: 'oren.satterfield@ethereal.email',
+        },
+        host: 'mailhog.lenne.tech',
+        port: 1025,
+        secure: false,
+      },
+      verificationLink: 'http://localhost:4200/user/verification',
+    },
+    env: 'ci',
+    // Disable auto-registration to allow Server ErrorCodeModule with SRV_* codes
+    errorCode: {
+      autoRegister: false,
+    },
+    execAfterInit: 'npm run docs:bootstrap',
+    filter: {
+      maxLimit: null,
+    },
+    graphQl: {
+      driver: {
+        introspection: true,
+      },
+      maxComplexity: 1000,
+    },
+    healthCheck: {
+      configs: {
+        database: {
+          enabled: true,
+        },
+      },
+      enabled: true,
+    },
+    hostname: '127.0.0.1',
+    ignoreSelectionsForPopulate: true,
+    jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      refresh: {
+        renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        secret: 'SECRET_OR_PRIVATE_KEY_LOCAL_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
+      sameTokenIdPeriod: 2000,
+      secret: 'SECRET_OR_PRIVATE_KEY_LOCAL',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+    },
+    loadLocalConfig: true,
+    logExceptions: true,
+    mongoose: {
+      collation: {
+        locale: 'de',
+      },
+      modelDocumentation: true,
+      uri: 'mongodb://127.0.0.1/nest-server-ci',
+    },
+    port: 3000,
+    security: {
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
+      checkSecurityInterceptor: true,
+      mapAndValidatePipe: true,
+    },
+    sha256: true,
+    staticAssets: {
+      options: { prefix: '' },
+      path: join(__dirname, '..', 'public'),
+    },
+    templates: {
+      engine: 'ejs',
+      path: join(__dirname, 'templates'),
+    },
+  },
+
   // ===========================================================================
   // Development environment
   // ===========================================================================
@@ -117,9 +256,9 @@ const config: { [env: string]: IServerOptions } = {
   },
 
   // ===========================================================================
-  // Local environment (env: 'local' → auto URLs + Passkey)
+  // E2E environment
   // ===========================================================================
-  local: {
+  e2e: {
     auth: {
       legacyEndpoints: { enabled: true },
     },
@@ -177,6 +316,124 @@ const config: { [env: string]: IServerOptions } = {
       },
       verificationLink: 'http://localhost:4200/user/verification',
     },
+    env: 'e2e',
+    // Disable auto-registration to allow Server ErrorCodeModule with SRV_* codes
+    errorCode: {
+      autoRegister: false,
+    },
+    execAfterInit: 'npm run docs:bootstrap',
+    filter: {
+      maxLimit: null,
+    },
+    graphQl: {
+      driver: {
+        introspection: true,
+      },
+      maxComplexity: 1000,
+    },
+    healthCheck: {
+      configs: {
+        database: {
+          enabled: true,
+        },
+      },
+      enabled: true,
+    },
+    hostname: '127.0.0.1',
+    ignoreSelectionsForPopulate: true,
+    jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      refresh: {
+        renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        secret: 'SECRET_OR_PRIVATE_KEY_LOCAL_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
+      sameTokenIdPeriod: 2000,
+      secret: 'SECRET_OR_PRIVATE_KEY_LOCAL',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+    },
+    loadLocalConfig: true,
+    logExceptions: true,
+    mongoose: {
+      collation: {
+        locale: 'de',
+      },
+      modelDocumentation: true,
+      uri: 'mongodb://127.0.0.1/nest-server-e2e',
+    },
+    port: 3000,
+    security: {
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
+      checkSecurityInterceptor: true,
+      mapAndValidatePipe: true,
+    },
+    sha256: true,
+    staticAssets: {
+      options: { prefix: '' },
+      path: join(__dirname, '..', 'public'),
+    },
+    templates: {
+      engine: 'ejs',
+      path: join(__dirname, 'templates'),
+    },
+  },
+
+  // ===========================================================================
+  // Local environment (env: 'local' → auto URLs + Passkey)
+  // ===========================================================================
+  local: {
+    auth: {
+      legacyEndpoints: { enabled: true },
+    },
+    automaticObjectIdFiltering: true,
+    compression: true,
+    cronJobs: {
+      sayHello: {
+        cronTime: CronExpression.EVERY_10_SECONDS,
+        disabled: false,
+        runOnInit: false,
+        runParallel: 1,
+        throwException: false,
+        timeZone: 'Europe/Berlin',
+      },
+    },
+    email: {
+      defaultSender: {
+        email: 'oren.satterfield@ethereal.email',
+        name: 'Nest Server Local',
+      },
+      mailjet: {
+        api_key_private: 'MAILJET_API_KEY_PRIVATE',
+        api_key_public: 'MAILJET_API_KEY_PUBLIC',
+      },
+      passwordResetLink: 'http://localhost:4200/user/password-reset',
+      smtp: {
+        auth: {
+          pass: 'K4DvD8U31VKseT7vQC',
+          user: 'oren.satterfield@ethereal.email',
+        },
+        host: 'mailhog.lenne.tech',
+        port: 1025,
+        secure: false,
+      },
+      verificationLink: 'http://localhost:4200/user/verification',
+    },
     env: 'local',
     // Disable auto-registration to allow Server ErrorCodeModule with SRV_* codes
     errorCode: {

package/src/core/common/interfaces/server-options.interface.ts

@@ -524,6 +524,13 @@ export interface IBetterAuthRateLimit {
    */
   max?: number;
 
+  /**
+   * Maximum number of entries in the in-memory rate limit store.
+   * When exceeded, the oldest entries are evicted to prevent unbounded memory growth.
+   * @default 10000
+   */
+  maxEntries?: number;
+
   /**
    * Custom message when rate limit is exceeded
    * default: 'Too many requests, please try again later.'

package/src/core/modules/better-auth/better-auth.config.ts

@@ -14,6 +14,21 @@ import { IBetterAuth } from '../../common/interfaces/server-options.interface';
  */
 export type BetterAuthInstance = ReturnType<typeof betterAuth>;
 
+// ---------------------------------------------------------------------------
+// Performance-optimized password hashing using Node.js native crypto.scrypt
+//
+// Better-Auth's default uses @noble/hashes scrypt which runs on the main
+// event loop. Under concurrent load this blocks all requests while hashing.
+// Node.js crypto.scrypt() offloads the work to the libuv thread pool,
+// allowing the event loop to remain responsive.
+//
+// Parameters match Better-Auth's defaults exactly:
+//   N=16384, r=16, p=1, dkLen=64, 16-byte salt
+// ---------------------------------------------------------------------------
+
+const SCRYPT_PARAMS = { maxmem: 128 * 16384 * 16 * 2, N: 16384, p: 1, r: 16 };
+const SCRYPT_KEY_LENGTH = 64;
+
 /**
  * Generates a cryptographically secure random secret.
  * Used as fallback when no BETTER_AUTH_SECRET is configured.
@@ -27,6 +42,38 @@ function generateSecureSecret(): string {
   return crypto.randomBytes(32).toString('base64');
 }
 
+/**
+ * Hash a password using Node.js native crypto.scrypt (libuv thread pool).
+ * Output format matches Better-Auth: "salt:hash" (both hex encoded).
+ */
+async function nativeScryptHash(password: string): Promise<string> {
+  const salt = crypto.randomBytes(16).toString('hex');
+  const normalized = password.normalize('NFKC');
+  const key = await new Promise<Buffer>((resolve, reject) => {
+    crypto.scrypt(normalized, salt, SCRYPT_KEY_LENGTH, SCRYPT_PARAMS, (err, derivedKey) => {
+      if (err) reject(err);
+      else resolve(derivedKey);
+    });
+  });
+  return `${salt}:${key.toString('hex')}`;
+}
+
+/**
+ * Verify a password against a Better-Auth scrypt hash using Node.js native crypto.scrypt.
+ */
+async function nativeScryptVerify(data: { hash: string; password: string }): Promise<boolean> {
+  const [salt, storedKey] = data.hash.split(':');
+  if (!salt || !storedKey) return false;
+  const normalized = data.password.normalize('NFKC');
+  const key = await new Promise<Buffer>((resolve, reject) => {
+    crypto.scrypt(normalized, salt, SCRYPT_KEY_LENGTH, SCRYPT_PARAMS, (err, derivedKey) => {
+      if (err) reject(err);
+      else resolve(derivedKey);
+    });
+  });
+  return crypto.timingSafeEqual(key, Buffer.from(storedKey, 'hex'));
+}
+
 /**
  * Cached auto-generated secret for the current server instance.
  * Generated once at a module load to ensure consistency within a single run.
@@ -268,6 +315,10 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
     // Can be disabled by setting config.emailAndPassword.enabled = false
     emailAndPassword: {
       enabled: config.emailAndPassword?.enabled !== false,
+      password: {
+        hash: nativeScryptHash,
+        verify: nativeScryptVerify,
+      },
     },
     plugins,
     secret: validation.resolvedSecret || config.secret,

package/src/core/modules/better-auth/core-better-auth-email-verification.service.ts

@@ -409,11 +409,27 @@ export class CoreBetterAuthEmailVerificationService {
     return elapsed < cooldown;
   }
 
+  /**
+   * Maximum entries in the lastSendTimes map to prevent unbounded growth.
+   * At 10,000 entries with email strings as keys, this uses ~1-2 MB max.
+   */
+  private static readonly MAX_SEND_TIMES_ENTRIES = 10000;
+
   /**
    * Track that a verification email was sent to this address
    */
   protected trackSend(email: string): void {
     const key = email.toLowerCase();
+
+    // Evict oldest entry if map is at capacity (before adding new one)
+    if (!this.lastSendTimes.has(key) && this.lastSendTimes.size >= CoreBetterAuthEmailVerificationService.MAX_SEND_TIMES_ENTRIES) {
+      // Map preserves insertion order - first key is the oldest
+      const oldestKey = this.lastSendTimes.keys().next().value;
+      if (oldestKey) {
+        this.lastSendTimes.delete(oldestKey);
+      }
+    }
+
     this.lastSendTimes.set(key, Date.now());
 
     // Schedule cleanup to prevent memory leak

package/src/core/modules/better-auth/core-better-auth-rate-limiter.service.ts

@@ -46,6 +46,7 @@ interface RateLimitEntry {
 const DEFAULT_CONFIG: Required<IBetterAuthRateLimit> = {
   enabled: false,
   max: 10,
+  maxEntries: 10000,
   message: 'Too many requests, please try again later.',
   skipEndpoints: ['/session', '/callback'],
   strictEndpoints: ['/sign-in', '/sign-up', '/forgot-password', '/reset-password'],
@@ -143,6 +144,11 @@ export class CoreBetterAuthRateLimiter {
     let entry = this.store.get(key);
 
     if (!entry || now >= entry.resetTime) {
+      // Evict oldest entries if store exceeds maxEntries
+      if (!entry && this.store.size >= this.config.maxEntries) {
+        this.evictOldest();
+      }
+
       // Create new entry or reset expired one
       entry = {
         count: 1,
@@ -234,6 +240,40 @@ export class CoreBetterAuthRateLimiter {
     }
   }
 
+  /**
+   * Evict the oldest entries when the store exceeds maxEntries.
+   * First removes all expired entries, then removes entries closest to expiry
+   * until the store is at 90% capacity.
+   */
+  private evictOldest(): void {
+    const now = Date.now();
+    let evicted = 0;
+
+    // First pass: remove all expired entries
+    for (const [key, entry] of this.store.entries()) {
+      if (now >= entry.resetTime) {
+        this.store.delete(key);
+        evicted++;
+      }
+    }
+
+    // If still over limit, remove entries with earliest resetTime (oldest)
+    if (this.store.size >= this.config.maxEntries) {
+      const targetSize = Math.floor(this.config.maxEntries * 0.9);
+      const entries = [...this.store.entries()].sort((a, b) => a[1].resetTime - b[1].resetTime);
+
+      for (const [key] of entries) {
+        if (this.store.size <= targetSize) break;
+        this.store.delete(key);
+        evicted++;
+      }
+    }
+
+    if (evicted > 0) {
+      this.logger.warn(`Evicted ${evicted} rate limit entries (store was at capacity: ${this.config.maxEntries})`);
+    }
+  }
+
   /**
    * Determine if an endpoint should skip rate limiting
    */

package/src/core/modules/better-auth/core-better-auth-user.mapper.ts

@@ -370,27 +370,38 @@ export class CoreBetterAuthUserMapper {
         return false;
       }
 
+      // Better-Auth stores account.userId as ObjectId that references users._id
+      const userMongoId = legacyUser._id as ObjectId;
+
+      // FAST PATH: Check if credential account already exists BEFORE expensive bcrypt
+      // For already-migrated users this avoids ~130ms of bcrypt.compare() per sign-in
+      const existingAccount = await accountsCollection.findOne({
+        providerId: 'credential',
+        userId: userMongoId,
+      });
+
+      if (existingAccount) {
+        return true;
+      }
+
+      // No password provided - cannot verify, cannot migrate
+      if (!plainPassword) {
+        return false;
+      }
+
       // IMPORTANT: Verify the provided password matches the legacy hash
       // This prevents migration with a wrong password
       // Legacy Auth uses two formats for backwards compatibility:
       // 1. bcrypt(password) - direct hash
       // 2. bcrypt(sha256(password)) - sha256 then bcrypt
-      if (plainPassword) {
-        const directMatch = await bcrypt.compare(plainPassword, legacyUser.password);
-        const sha256Match = await bcrypt.compare(sha256(plainPassword), legacyUser.password);
-        if (!directMatch && !sha256Match) {
-          // Security: Wrong password provided for migration - reject
-          this.logger.warn(`Migration password verification failed for ${maskEmail(userEmail)}`);
-          return false;
-        }
-      } else {
-        // No password provided - cannot verify, cannot migrate
+      const directMatch = await bcrypt.compare(plainPassword, legacyUser.password);
+      const sha256Match = !directMatch ? await bcrypt.compare(sha256(plainPassword), legacyUser.password) : false;
+      if (!directMatch && !sha256Match) {
+        // Security: Wrong password provided for migration - reject
+        this.logger.warn(`Migration password verification failed for ${maskEmail(userEmail)}`);
         return false;
       }
 
-      // Better-Auth stores account.userId as ObjectId that references users._id
-      // The id field is a secondary string identifier used in API responses
-      const userMongoId = legacyUser._id as ObjectId;
       const userIdHex = userMongoId.toHexString();
 
       // Update user with Better-Auth fields if not already present
@@ -413,17 +424,6 @@ export class CoreBetterAuthUserMapper {
         );
       }
 
-      // Check if credential account already exists
-      // Better-Auth stores userId as ObjectId referencing users._id
-      const existingAccount = await accountsCollection.findOne({
-        providerId: 'credential',
-        userId: userMongoId,
-      });
-
-      if (existingAccount) {
-        return true;
-      }
-
       // Create the credential account with Better-Auth compatible scrypt hash
       const passwordHash = await this.hashPasswordForBetterAuth(plainPassword);