@lenne.tech/nest-server 11.16.1 → 11.18.0

package/src/core.module.ts

@@ -3,17 +3,23 @@ import { DynamicModule, Global, MiddlewareConsumer, Module, NestModule, Unauthor
 import { APP_INTERCEPTOR, APP_PIPE } from '@nestjs/core';
 import { GraphQLModule } from '@nestjs/graphql';
 import { MongooseModule } from '@nestjs/mongoose';
-import { Context } from 'apollo-server-core';
+import type { Context } from 'graphql-ws';
 import graphqlUploadExpress = require('graphql-upload/graphqlUploadExpress.js');
 import mongoose from 'mongoose';
 
 import { merge } from './core/common/helpers/config.helper';
 import { CheckResponseInterceptor } from './core/common/interceptors/check-response.interceptor';
 import { CheckSecurityInterceptor } from './core/common/interceptors/check-security.interceptor';
+import { ResponseModelInterceptor } from './core/common/interceptors/response-model.interceptor';
+import { TranslateResponseInterceptor } from './core/common/interceptors/translate-response.interceptor';
 import { IServerOptions } from './core/common/interfaces/server-options.interface';
+import { RequestContextMiddleware } from './core/common/middleware/request-context.middleware';
 import { MapAndValidatePipe } from './core/common/pipes/map-and-validate.pipe';
 import { ComplexityPlugin } from './core/common/plugins/complexity.plugin';
 import { mongooseIdPlugin } from './core/common/plugins/mongoose-id.plugin';
+import { mongooseAuditFieldsPlugin } from './core/common/plugins/mongoose-audit-fields.plugin';
+import { mongoosePasswordPlugin } from './core/common/plugins/mongoose-password.plugin';
+import { mongooseRoleGuardPlugin } from './core/common/plugins/mongoose-role-guard.plugin';
 import { ConfigService } from './core/common/services/config.service';
 import { EmailService } from './core/common/services/email.service';
 import { MailjetService } from './core/common/services/mailjet.service';
@@ -24,6 +30,7 @@ import { CoreBetterAuthModule } from './core/modules/better-auth/core-better-aut
 import { CoreBetterAuthService } from './core/modules/better-auth/core-better-auth.service';
 import { ErrorCodeModule } from './core/modules/error-code/error-code.module';
 import { CoreHealthCheckModule } from './core/modules/health-check/core-health-check.module';
+import { CorePermissionsModule } from './core/modules/permissions/core-permissions.module';
 import { CoreSystemSetupModule } from './core/modules/system-setup/core-system-setup.module';
 
 /**
@@ -48,6 +55,8 @@ export class CoreModule implements NestModule {
    * Integrate middleware, e.g. GraphQL upload handing for express
    */
   configure(consumer: MiddlewareConsumer) {
+    // RequestContext middleware must run for all routes to provide AsyncLocalStorage context
+    consumer.apply(RequestContextMiddleware).forRoutes('*');
     if (CoreModule.graphQlEnabled) {
       consumer.apply(graphqlUploadExpress()).forRoutes('graphql');
     }
@@ -185,6 +194,29 @@ export class CoreModule implements NestModule {
       options,
     );
 
+    // Wrap connectionFactory to add security plugins (password hashing, role guard)
+    const originalConnectionFactory = config.mongoose?.options?.connectionFactory;
+    config.mongoose.options = config.mongoose.options || {};
+    config.mongoose.options.connectionFactory = (connection, name) => {
+      // Run original factory first (includes mongooseIdPlugin from defaults)
+      if (originalConnectionFactory) {
+        connection = originalConnectionFactory(connection, name);
+      }
+      // Add password hashing plugin (enabled by default, opt-out via config)
+      if (config.security?.mongoosePasswordPlugin !== false) {
+        connection.plugin(mongoosePasswordPlugin);
+      }
+      // Add role guard plugin (enabled by default, opt-out via config)
+      if (config.security?.mongooseRoleGuardPlugin !== false) {
+        connection.plugin(mongooseRoleGuardPlugin);
+      }
+      // Add audit fields plugin (enabled by default, opt-out via config)
+      if (config.security?.mongooseAuditFieldsPlugin !== false) {
+        connection.plugin(mongooseAuditFieldsPlugin);
+      }
+      return connection;
+    };
+
     // Check secrets
     const jwtConfig = config.jwt;
     if (jwtConfig?.secret && jwtConfig.secret && jwtConfig.refresh && jwtConfig.refresh.secret === jwtConfig.secret) {
@@ -234,6 +266,26 @@ export class CoreModule implements NestModule {
       });
     }
 
+    // TranslateResponseInterceptor: Applies _translations based on Accept-Language header
+    // Registered after security interceptors → runs before them on response
+    // Translation happens before security checks strip restricted fields
+    if (config.security?.translateResponseInterceptor !== false) {
+      providers.push({
+        provide: APP_INTERCEPTOR,
+        useClass: TranslateResponseInterceptor,
+      });
+    }
+
+    // ResponseModelInterceptor: Auto-converts plain objects to model instances
+    // Registered last → runs first on response (NestJS reverse order for interceptors)
+    // This ensures plain objects get securityCheck() and @Restricted metadata before other interceptors check them
+    if (config.security?.responseModelInterceptor !== false) {
+      providers.push({
+        provide: APP_INTERCEPTOR,
+        useClass: ResponseModelInterceptor,
+      });
+    }
+
     if (config.mongoose?.modelDocumentation) {
       providers.push(ModelDocService);
     }
@@ -271,6 +323,12 @@ export class CoreModule implements NestModule {
       imports.push(CoreHealthCheckModule);
     }
 
+    // Permissions report (development tool)
+    const permissionsConfig = config.permissions;
+    if (permissionsConfig === true || (typeof permissionsConfig === 'object' && permissionsConfig.enabled !== false)) {
+      imports.push(CorePermissionsModule.forRoot(permissionsConfig));
+    }
+
     // Add CoreBetterAuthModule based on mode
     // IAM-only mode: BetterAuth is enabled by default (it's the only auth option)
     // Legacy mode: Only register if autoRegister is explicitly true
@@ -368,7 +426,7 @@ export class CoreModule implements NestModule {
             subscriptions: {
               'graphql-ws': {
                 context: ({ extra }) => extra,
-                onConnect: async (context: Context<any>) => {
+                onConnect: async (context: Context<any, any>) => {
                   const { connectionParams, extra } = context;
                   const enableAuth = graphQlOpts?.enableSubscriptionAuth ?? true;
 
@@ -463,7 +521,7 @@ export class CoreModule implements NestModule {
             subscriptions: {
               'graphql-ws': {
                 context: ({ extra }) => extra,
-                onConnect: async (context: Context<any>) => {
+                onConnect: async (context: Context<any, any>) => {
                   const { connectionParams, extra } = context;
                   const enableAuth = graphQlOpts?.enableSubscriptionAuth ?? true;
 
@@ -575,7 +633,7 @@ export class CoreModule implements NestModule {
             subscriptions: {
               'graphql-ws': {
                 context: ({ extra }) => extra,
-                onConnect: async (context: Context<any>) => {
+                onConnect: async (context: Context<any, any>) => {
                   const { connectionParams, extra } = context;
                   if (enableSubscriptionAuth) {
                     // get authToken from authorization header

package/src/index.ts

@@ -16,6 +16,7 @@ export * from './core/common/decorators/graphql-service-options.decorator';
 export * from './core/common/decorators/graphql-user.decorator';
 export * from './core/common/decorators/rest-service-options.decorator';
 export * from './core/common/decorators/rest-user.decorator';
+export * from './core/common/decorators/response-model.decorator';
 export * from './core/common/decorators/restricted.decorator';
 export * from './core/common/decorators/roles.decorator';
 export * from './core/common/decorators/translatable.decorator';
@@ -34,6 +35,7 @@ export * from './core/common/helpers/decorator.helper';
 export * from './core/common/helpers/file.helper';
 export * from './core/common/helpers/filter.helper';
 export * from './core/common/helpers/graphql.helper';
+export * from './core/common/helpers/interceptor.helper';
 export * from './core/common/helpers/gridfs.helper';
 export * from './core/common/helpers/input.helper';
 export * from './core/common/helpers/logging.helper';
@@ -49,6 +51,8 @@ export * from './core/common/inputs/single-filter.input';
 export * from './core/common/inputs/sort.input';
 export * from './core/common/interceptors/check-response.interceptor';
 export * from './core/common/interceptors/check-security.interceptor';
+export * from './core/common/interceptors/response-model.interceptor';
+export * from './core/common/interceptors/translate-response.interceptor';
 export * from './core/common/interfaces/core-persistence-model.interface';
 export * from './core/common/interfaces/cron-job-config-with-time-zone.interface';
 export * from './core/common/interfaces/cron-job-config-with-utc-offset.interface';
@@ -59,6 +63,7 @@ export * from './core/common/interfaces/prepare-output-options.interface';
 export * from './core/common/interfaces/resolve-selector.interface';
 export * from './core/common/interfaces/server-options.interface';
 export * from './core/common/interfaces/service-options.interface';
+export * from './core/common/middleware/request-context.middleware';
 export * from './core/common/middlewares/to-lower-case.middleware';
 export * from './core/common/models/core-model.model';
 export * from './core/common/models/core-persistence.model';
@@ -67,6 +72,9 @@ export * from './core/common/pipes/check-input.pipe';
 export * from './core/common/pipes/map-and-validate.pipe';
 export * from './core/common/plugins/complexity.plugin';
 export * from './core/common/plugins/mongoose-id.plugin';
+export * from './core/common/plugins/mongoose-audit-fields.plugin';
+export * from './core/common/plugins/mongoose-password.plugin';
+export * from './core/common/plugins/mongoose-role-guard.plugin';
 export * from './core/common/scalars/any.scalar';
 export * from './core/common/scalars/date-timestamp.scalar';
 export * from './core/common/scalars/date.scalar';
@@ -78,7 +86,9 @@ export * from './core/common/services/crud.service';
 export * from './core/common/services/email.service';
 export * from './core/common/services/mailjet.service';
 export * from './core/common/services/model-doc.service';
+export * from './core/common/services/model-registry.service';
 export * from './core/common/services/module.service';
+export * from './core/common/services/request-context.service';
 export * from './core/common/services/template.service';
 export * from './core/common/types/array-element.type';
 export * from './core/common/types/core-model-constructor.type';
@@ -167,6 +177,16 @@ export * from './core/modules/health-check/core-health-check.service';
 
 export * from './core/modules/migrate';
 
+// =====================================================================================================================
+// Core - Modules - Permissions
+// =====================================================================================================================
+
+export * from './core/modules/permissions/core-permissions.controller';
+export * from './core/modules/permissions/core-permissions.module';
+export * from './core/modules/permissions/core-permissions.service';
+export * from './core/modules/permissions/interfaces/permissions.interface';
+export * from './core/modules/permissions/permissions-scanner';
+
 // =====================================================================================================================
 // Core - Modules - SystemSetup
 // =====================================================================================================================