npm - @lenne.tech/nest-server - Versions diffs - 11.17.0 → 11.18.0 - Mend

@lenne.tech/nest-server 11.17.0 → 11.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/src/core/common/services/module.service.ts CHANGED Viewed

@@ -5,10 +5,13 @@ import { ProcessType } from '../enums/process-type.enum';
 import { getStringIds, popAndMap } from '../helpers/db.helper';
 import { check } from '../helpers/input.helper';
 import { prepareInput, prepareOutput } from '../helpers/service.helper';
+import { getTranslatablePropertyKeys, updateLanguage } from '../decorators/translatable.decorator';
 import { ServiceOptions } from '../interfaces/service-options.interface';
 import { CoreModel } from '../models/core-model.model';
 import { FieldSelection } from '../types/field-selection.type';
 import { ConfigService } from './config.service';
+import { ModelRegistry } from './model-registry.service';
+import { RequestContext } from './request-context.service';
 /**
  * Module service class to be extended by concrete module services
@@ -40,6 +43,11 @@ export abstract class ModuleService<T extends CoreModel = any> {
     this.configService = options?.configService;
     this.mainDbModel = options?.mainDbModel;
     this.mainModelConstructor = options?.mainModelConstructor;
+    // Auto-register model class for ResponseModelInterceptor lookups
+    if (options?.mainModelConstructor && options?.mainDbModel?.modelName) {
+      ModelRegistry.register(options.mainDbModel.modelName, options.mainModelConstructor);
+    }
   }
   /**
@@ -191,7 +199,10 @@ export abstract class ModuleService<T extends CoreModel = any> {
     }
     // Run service function
-    let result = await serviceFunc(config);
+    // When force is enabled, bypass the Mongoose role guard plugin as well
+    let result = config.force
+      ? await RequestContext.runWithBypassRoleGuard(() => serviceFunc(config))
+      : await serviceFunc(config);
     // Pop and map main model
     if (config.processFieldSelection && config.fieldSelection && this.processFieldSelection) {
@@ -242,6 +253,85 @@ export abstract class ModuleService<T extends CoreModel = any> {
     return result;
   }
+  /**
+   * Simplified result processing for direct Mongoose queries.
+   * Handles population and output preparation without the full process() pipeline.
+   *
+   * Security (password hashing, role guard, createdBy/updatedBy, type mapping,
+   * field filtering, secret removal, translations) is handled automatically
+   * by the safety net (Mongoose plugins + interceptors).
+   *
+   * Use this when bypassing CrudService methods but still wanting
+   * population and custom prepareOutput() transformations.
+   *
+   * Note: This method does NOT perform authorization checks (checkRights).
+   * The caller is responsible for verifying permissions before calling this method.
+   *
+   * @example
+   * ```typescript
+   * // Direct Mongoose query with result processing
+   * const doc = await this.mainDbModel.findById(id).exec();
+   * return this.processResult(doc, serviceOptions);
+   *
+   * // Aggregate with result processing
+   * const results = await this.mainDbModel.aggregate(pipeline).exec();
+   * return this.processResult(results, serviceOptions);
+   * ```
+   */
+  async processResult(result: any, serviceOptions: ServiceOptions = {}): Promise<any> {
+    if (!result) {
+      return result;
+    }
+    // Population (if GraphQL field selection is available)
+    if (serviceOptions.fieldSelection && this.processFieldSelection) {
+      const populateOpts = serviceOptions.processFieldSelection || {};
+      const items = Array.isArray(result) ? result : [result];
+      for (const item of items) {
+        await this.processFieldSelection(item, serviceOptions.fieldSelection, populateOpts);
+      }
+    }
+    // Custom prepareOutput (type mapping, ObjectId conversion, custom overrides)
+    if (this.prepareOutput) {
+      result = await this.prepareOutput(result, serviceOptions);
+    }
+    return result;
+  }
+  /**
+   * Apply translation-aware input processing.
+   * Auto-detects @Translatable fields on the model and routes non-base-language
+   * values into _translations.
+   *
+   * @param input - The input data to transform
+   * @param oldDoc - The existing document from DB (needed for value comparison)
+   * @param language - Language code (defaults to RequestContext.getLanguage())
+   * @returns The transformed input with translations stored in _translations
+   *
+   * @example
+   * ```typescript
+   * // In a custom update method:
+   * const oldDoc = await this.mainDbModel.findById(id).lean();
+   * input = this.applyTranslationInput(input, oldDoc, serviceOptions.language);
+   * return this.mainDbModel.findByIdAndUpdate(id, input, { returnDocument: 'after' }).exec();
+   * ```
+   */
+  protected applyTranslationInput(input: any, oldDoc: any, language?: string): any {
+    language = language || RequestContext.getLanguage();
+    if (!language) {
+      return input;
+    }
+    const translatableFields = getTranslatablePropertyKeys(this.mainModelConstructor);
+    if (translatableFields.length === 0) {
+      return input;
+    }
+    return updateLanguage(language, input, oldDoc, translatableFields);
+  }
   /**
    * Prepare input before save
    */

package/src/core/common/services/request-context.service.ts ADDED Viewed

@@ -0,0 +1,69 @@
+import { AsyncLocalStorage } from 'async_hooks';
+export interface IRequestContext {
+  currentUser?: {
+    id: string;
+    hasRole?: (roles: string[]) => boolean;
+    roles?: string[];
+  };
+  language?: string;
+  /** When true, mongooseRoleGuardPlugin allows role changes regardless of user permissions */
+  bypassRoleGuard?: boolean;
+}
+/**
+ * Request-scoped context using AsyncLocalStorage.
+ * Provides access to the current user in Mongoose hooks and other
+ * places where NestJS request scope is not available.
+ */
+export class RequestContext {
+  private static storage = new AsyncLocalStorage<IRequestContext>();
+  static run<T>(context: IRequestContext, fn: () => T): T {
+    return this.storage.run(context, fn);
+  }
+  static get(): IRequestContext | undefined {
+    return this.storage.getStore();
+  }
+  static getCurrentUser(): IRequestContext['currentUser'] | undefined {
+    return this.storage.getStore()?.currentUser;
+  }
+  static getLanguage(): string | undefined {
+    return this.storage.getStore()?.language;
+  }
+  /**
+   * Check if the role guard bypass is active for the current context.
+   */
+  static isBypassRoleGuard(): boolean {
+    return this.storage.getStore()?.bypassRoleGuard === true;
+  }
+  /**
+   * Run a function with the role guard bypass enabled.
+   * The current context (user, language) is preserved; only bypassRoleGuard is added.
+   *
+   * Use this when authorized code needs to set roles on users, e.g.:
+   * - signUp with default roles
+   * - Admin panel where a non-admin role (e.g. HR_MANAGER) creates users with roles
+   * - System setup creating initial admin
+   *
+   * @example
+   * ```typescript
+   * await RequestContext.runWithBypassRoleGuard(async () => {
+   *   await this.mainDbModel.findByIdAndUpdate(userId, { roles: ['EMPLOYEE'] });
+   * });
+   * ```
+   */
+  static runWithBypassRoleGuard<T>(fn: () => T): T {
+    const currentStore = this.storage.getStore();
+    const context: IRequestContext = {
+      ...currentStore,
+      bypassRoleGuard: true,
+    };
+    return this.storage.run(context, fn);
+  }
+}

package/src/core/modules/auth/guards/auth.guard.ts CHANGED Viewed

@@ -40,8 +40,8 @@ const createPassportContext =
         try {
           request.authInfo = info;
           return resolve(callback(err, user, info));
-        } catch (err) {
-          reject(err);
+        } catch (callbackError) {
+          reject(callbackError);
         }
       })(request, response, (err: any) => (err ? reject(err) : resolve(undefined))),
     );

package/src/core/modules/better-auth/core-better-auth.resolver.ts CHANGED Viewed

@@ -342,9 +342,9 @@ export class CoreBetterAuthResolver {
         // 1. accessToken (JWT plugin enriched response)
         // 2. token (top-level, some BetterAuth versions)
         // 3. session.token (session-based fallback)
-        const responseAny = response as any;
+        const tokenResponse = response as any;
         const rawToken =
-          responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+          tokenResponse.accessToken || tokenResponse.token || (hasSession(response) ? response.session.token : undefined);
         const token = await this.resolveJwtToken(rawToken);
         return {

package/src/core.module.ts CHANGED Viewed

@@ -3,17 +3,23 @@ import { DynamicModule, Global, MiddlewareConsumer, Module, NestModule, Unauthor
 import { APP_INTERCEPTOR, APP_PIPE } from '@nestjs/core';
 import { GraphQLModule } from '@nestjs/graphql';
 import { MongooseModule } from '@nestjs/mongoose';
-import { Context } from 'apollo-server-core';
+import type { Context } from 'graphql-ws';
 import graphqlUploadExpress = require('graphql-upload/graphqlUploadExpress.js');
 import mongoose from 'mongoose';
 import { merge } from './core/common/helpers/config.helper';
 import { CheckResponseInterceptor } from './core/common/interceptors/check-response.interceptor';
 import { CheckSecurityInterceptor } from './core/common/interceptors/check-security.interceptor';
+import { ResponseModelInterceptor } from './core/common/interceptors/response-model.interceptor';
+import { TranslateResponseInterceptor } from './core/common/interceptors/translate-response.interceptor';
 import { IServerOptions } from './core/common/interfaces/server-options.interface';
+import { RequestContextMiddleware } from './core/common/middleware/request-context.middleware';
 import { MapAndValidatePipe } from './core/common/pipes/map-and-validate.pipe';
 import { ComplexityPlugin } from './core/common/plugins/complexity.plugin';
 import { mongooseIdPlugin } from './core/common/plugins/mongoose-id.plugin';
+import { mongooseAuditFieldsPlugin } from './core/common/plugins/mongoose-audit-fields.plugin';
+import { mongoosePasswordPlugin } from './core/common/plugins/mongoose-password.plugin';
+import { mongooseRoleGuardPlugin } from './core/common/plugins/mongoose-role-guard.plugin';
 import { ConfigService } from './core/common/services/config.service';
 import { EmailService } from './core/common/services/email.service';
 import { MailjetService } from './core/common/services/mailjet.service';
@@ -49,6 +55,8 @@ export class CoreModule implements NestModule {
    * Integrate middleware, e.g. GraphQL upload handing for express
    */
   configure(consumer: MiddlewareConsumer) {
+    // RequestContext middleware must run for all routes to provide AsyncLocalStorage context
+    consumer.apply(RequestContextMiddleware).forRoutes('*');
     if (CoreModule.graphQlEnabled) {
       consumer.apply(graphqlUploadExpress()).forRoutes('graphql');
     }
@@ -186,6 +194,29 @@ export class CoreModule implements NestModule {
       options,
     );
+    // Wrap connectionFactory to add security plugins (password hashing, role guard)
+    const originalConnectionFactory = config.mongoose?.options?.connectionFactory;
+    config.mongoose.options = config.mongoose.options || {};
+    config.mongoose.options.connectionFactory = (connection, name) => {
+      // Run original factory first (includes mongooseIdPlugin from defaults)
+      if (originalConnectionFactory) {
+        connection = originalConnectionFactory(connection, name);
+      }
+      // Add password hashing plugin (enabled by default, opt-out via config)
+      if (config.security?.mongoosePasswordPlugin !== false) {
+        connection.plugin(mongoosePasswordPlugin);
+      }
+      // Add role guard plugin (enabled by default, opt-out via config)
+      if (config.security?.mongooseRoleGuardPlugin !== false) {
+        connection.plugin(mongooseRoleGuardPlugin);
+      }
+      // Add audit fields plugin (enabled by default, opt-out via config)
+      if (config.security?.mongooseAuditFieldsPlugin !== false) {
+        connection.plugin(mongooseAuditFieldsPlugin);
+      }
+      return connection;
+    };
     // Check secrets
     const jwtConfig = config.jwt;
     if (jwtConfig?.secret && jwtConfig.secret && jwtConfig.refresh && jwtConfig.refresh.secret === jwtConfig.secret) {
@@ -235,6 +266,26 @@ export class CoreModule implements NestModule {
       });
     }
+    // TranslateResponseInterceptor: Applies _translations based on Accept-Language header
+    // Registered after security interceptors → runs before them on response
+    // Translation happens before security checks strip restricted fields
+    if (config.security?.translateResponseInterceptor !== false) {
+      providers.push({
+        provide: APP_INTERCEPTOR,
+        useClass: TranslateResponseInterceptor,
+      });
+    }
+    // ResponseModelInterceptor: Auto-converts plain objects to model instances
+    // Registered last → runs first on response (NestJS reverse order for interceptors)
+    // This ensures plain objects get securityCheck() and @Restricted metadata before other interceptors check them
+    if (config.security?.responseModelInterceptor !== false) {
+      providers.push({
+        provide: APP_INTERCEPTOR,
+        useClass: ResponseModelInterceptor,
+      });
+    }
     if (config.mongoose?.modelDocumentation) {
       providers.push(ModelDocService);
     }
@@ -375,7 +426,7 @@ export class CoreModule implements NestModule {
             subscriptions: {
               'graphql-ws': {
                 context: ({ extra }) => extra,
-                onConnect: async (context: Context<any>) => {
+                onConnect: async (context: Context<any, any>) => {
                   const { connectionParams, extra } = context;
                   const enableAuth = graphQlOpts?.enableSubscriptionAuth ?? true;
@@ -470,7 +521,7 @@ export class CoreModule implements NestModule {
             subscriptions: {
               'graphql-ws': {
                 context: ({ extra }) => extra,
-                onConnect: async (context: Context<any>) => {
+                onConnect: async (context: Context<any, any>) => {
                   const { connectionParams, extra } = context;
                   const enableAuth = graphQlOpts?.enableSubscriptionAuth ?? true;
@@ -582,7 +633,7 @@ export class CoreModule implements NestModule {
             subscriptions: {
               'graphql-ws': {
                 context: ({ extra }) => extra,
-                onConnect: async (context: Context<any>) => {
+                onConnect: async (context: Context<any, any>) => {
                   const { connectionParams, extra } = context;
                   if (enableSubscriptionAuth) {
                     // get authToken from authorization header

package/src/index.ts CHANGED Viewed

@@ -16,6 +16,7 @@ export * from './core/common/decorators/graphql-service-options.decorator';
 export * from './core/common/decorators/graphql-user.decorator';
 export * from './core/common/decorators/rest-service-options.decorator';
 export * from './core/common/decorators/rest-user.decorator';
+export * from './core/common/decorators/response-model.decorator';
 export * from './core/common/decorators/restricted.decorator';
 export * from './core/common/decorators/roles.decorator';
 export * from './core/common/decorators/translatable.decorator';
@@ -34,6 +35,7 @@ export * from './core/common/helpers/decorator.helper';
 export * from './core/common/helpers/file.helper';
 export * from './core/common/helpers/filter.helper';
 export * from './core/common/helpers/graphql.helper';
+export * from './core/common/helpers/interceptor.helper';
 export * from './core/common/helpers/gridfs.helper';
 export * from './core/common/helpers/input.helper';
 export * from './core/common/helpers/logging.helper';
@@ -49,6 +51,8 @@ export * from './core/common/inputs/single-filter.input';
 export * from './core/common/inputs/sort.input';
 export * from './core/common/interceptors/check-response.interceptor';
 export * from './core/common/interceptors/check-security.interceptor';
+export * from './core/common/interceptors/response-model.interceptor';
+export * from './core/common/interceptors/translate-response.interceptor';
 export * from './core/common/interfaces/core-persistence-model.interface';
 export * from './core/common/interfaces/cron-job-config-with-time-zone.interface';
 export * from './core/common/interfaces/cron-job-config-with-utc-offset.interface';
@@ -59,6 +63,7 @@ export * from './core/common/interfaces/prepare-output-options.interface';
 export * from './core/common/interfaces/resolve-selector.interface';
 export * from './core/common/interfaces/server-options.interface';
 export * from './core/common/interfaces/service-options.interface';
+export * from './core/common/middleware/request-context.middleware';
 export * from './core/common/middlewares/to-lower-case.middleware';
 export * from './core/common/models/core-model.model';
 export * from './core/common/models/core-persistence.model';
@@ -67,6 +72,9 @@ export * from './core/common/pipes/check-input.pipe';
 export * from './core/common/pipes/map-and-validate.pipe';
 export * from './core/common/plugins/complexity.plugin';
 export * from './core/common/plugins/mongoose-id.plugin';
+export * from './core/common/plugins/mongoose-audit-fields.plugin';
+export * from './core/common/plugins/mongoose-password.plugin';
+export * from './core/common/plugins/mongoose-role-guard.plugin';
 export * from './core/common/scalars/any.scalar';
 export * from './core/common/scalars/date-timestamp.scalar';
 export * from './core/common/scalars/date.scalar';
@@ -78,7 +86,9 @@ export * from './core/common/services/crud.service';
 export * from './core/common/services/email.service';
 export * from './core/common/services/mailjet.service';
 export * from './core/common/services/model-doc.service';
+export * from './core/common/services/model-registry.service';
 export * from './core/common/services/module.service';
+export * from './core/common/services/request-context.service';
 export * from './core/common/services/template.service';
 export * from './core/common/types/array-element.type';
 export * from './core/common/types/core-model-constructor.type';