@lenne.tech/nest-server 11.22.0 → 11.23.0

package/src/core/common/services/crud.service.ts

@@ -1,6 +1,8 @@
-import { NotFoundException } from '@nestjs/common';
+import { Logger, NotFoundException } from '@nestjs/common';
 import {
   AggregateOptions,
+  Collection,
+  Connection,
   Document,
   Model as MongooseModel,
   PipelineStage,
@@ -76,7 +78,11 @@ export abstract class CrudService<
     return this.process(
       async (data) => {
         const currentUserId = serviceOptions?.currentUser?.id;
-        return new this.mainDbModel({ ...data.input, createdBy: currentUserId, updatedBy: currentUserId }).save();
+        return new (this.mainDbModel as MongooseModel<Document & Model>)({
+          ...data.input,
+          createdBy: currentUserId,
+          updatedBy: currentUserId,
+        }).save();
       },
       { input, serviceOptions },
     );
@@ -314,7 +320,7 @@ export abstract class CrudService<
     filter?: FilterArgs | { filterQuery?: QueryFilter<any>; queryOptions?: QueryOptions; samples?: number },
     serviceOptions: ServiceOptions = {},
   ): Promise<{ items: Model[]; pagination: PaginationInfo; totalCount: number }> {
-    serviceOptions.raw = true;
+    serviceOptions.force = true;
     return this.findAndCount(filter, serviceOptions);
   }
 
@@ -443,11 +449,77 @@ export abstract class CrudService<
   }
 
   /**
-   * Get service model to process queries directly
+   * Get service model to process queries directly.
    * See https://mongoosejs.com/docs/api/model.html
+   *
+   * Note: Returns the full Mongoose Model (including `.collection`).
+   * Prefer using CrudService methods or Mongoose Model methods directly
+   * to ensure plugins (Tenant, Audit, RoleGuard) fire correctly.
    */
   getModel(): MongooseModel<Document & Model> {
-    return this.mainDbModel;
+    return this.mainDbModel as unknown as MongooseModel<Document & Model>;
+  }
+
+  /**
+   * Get the native MongoDB Collection, bypassing all Mongoose plugins.
+   *
+   * **WARNING:** Native driver access bypasses Tenant-Isolation, Audit-Fields,
+   * RoleGuard, and Password-Hashing plugins. Only use this when Mongoose
+   * Model methods cannot achieve the goal (e.g., bulk imports, migrations).
+   *
+   * Every call logs a `[SECURITY]` warning with the provided reason.
+   *
+   * @param reason - Mandatory justification for native access (logged for audit trail)
+   * @throws Error if reason is empty
+   *
+   * @example
+   * ```typescript
+   * const col = this.getNativeCollection('Migration: bulk-import historical data without tenant context');
+   * await col.insertMany(legacyDocs);
+   * ```
+   */
+  protected getNativeCollection(reason: string): Collection {
+    this.validateNativeAccessReason(reason, 'getNativeCollection');
+
+    const modelName = (this.mainDbModel as any)?.modelName || 'Unknown';
+    Logger.warn(`[SECURITY] Native collection access: ${reason} (Model: ${modelName})`, this.constructor.name);
+
+    return (this.mainDbModel as unknown as MongooseModel<Document & Model>).collection;
+  }
+
+  /**
+   * Get the Mongoose Connection (which provides access to the native MongoDB Db and MongoClient).
+   *
+   * **WARNING:** Via `connection.db` you get the native MongoDB Db instance,
+   * and via `connection.getClient()` the native MongoClient. Both bypass ALL
+   * Mongoose plugins (Tenant-Isolation, Audit-Fields, RoleGuard, Password-Hashing).
+   *
+   * Every call logs a `[SECURITY]` warning with the provided reason.
+   *
+   * @param reason - Mandatory justification (min 20 chars) for native access (logged for audit trail)
+   * @throws Error if reason is empty or too short
+   *
+   * @example
+   * ```typescript
+   * // Read-only cross-collection count (no Mongoose schema for target collection)
+   * const conn = this.getNativeConnection('Statistics: count chatmessages across all tenants');
+   * const count = await conn.db.collection('chatmessages').countDocuments({ ... });
+   * ```
+   */
+  protected getNativeConnection(reason: string): Connection {
+    this.validateNativeAccessReason(reason, 'getNativeConnection');
+
+    const modelName = (this.mainDbModel as any)?.modelName || 'Unknown';
+    Logger.warn(`[SECURITY] Native connection access: ${reason} (Model: ${modelName})`, this.constructor.name);
+
+    return (this.mainDbModel as unknown as MongooseModel<Document & Model>).db;
+  }
+
+  private validateNativeAccessReason(reason: string, method: string): void {
+    const trimmed = reason?.trim();
+    if (!trimmed || trimmed.length < 20) {
+      throw new Error(`${method} requires a meaningful reason (min 20 chars) — explain why native access is needed`);
+    }
   }
 
   /**

package/src/core/common/services/module.service.ts

@@ -13,6 +13,19 @@ import { ConfigService } from './config.service';
 import { ModelRegistry } from './model-registry.service';
 import { RequestContext } from './request-context.service';
 
+/**
+ * Mongoose Model with native driver access paths removed to prevent
+ * accidental bypass of Mongoose plugins (Tenant, Audit, RoleGuard, Password).
+ *
+ * Blocked:
+ * - `.collection` — native MongoDB Collection (bypasses ALL plugins)
+ * - `.db` — Mongoose Connection → `.db` (native Db) → `.getClient()` (native MongoClient)
+ *
+ * Use `getNativeCollection(reason)` or `getNativeConnection(reason)` in CrudService
+ * for legitimate native access (logged, requires justification).
+ */
+export type SafeModel<T> = Omit<Model<T>, 'collection' | 'db'>;
+
 /**
  * Module service class to be extended by concrete module services
  */
@@ -28,9 +41,15 @@ export abstract class ModuleService<T extends CoreModel = any> {
   protected mainModelConstructor: new (...args: any[]) => T;
 
   /**
-   * Main DB model of the service, will be used as default for populate and mapping
+   * Main DB model of the service, will be used as default for populate and mapping.
+   *
+   * Typed as SafeModel to prevent direct access to the native MongoDB driver
+   * via `.collection`. All Mongoose plugins (Tenant, Audit, RoleGuard, Password)
+   * only fire on Model methods — native driver access bypasses them all.
+   *
+   * For legitimate native access, use `getNativeCollection(reason)` in CrudService.
    */
-  protected mainDbModel: Model<Document & T>;
+  protected mainDbModel: SafeModel<Document & T>;
 
   /**
    * Set main properties
@@ -41,7 +60,7 @@ export abstract class ModuleService<T extends CoreModel = any> {
     mainModelConstructor?: new (...args: any[]) => T;
   }) {
     this.configService = options?.configService;
-    this.mainDbModel = options?.mainDbModel;
+    this.mainDbModel = options?.mainDbModel as SafeModel<Document & T>;
     this.mainModelConstructor = options?.mainModelConstructor;
 
     // Auto-register model class for ResponseModelInterceptor lookups
@@ -107,6 +126,10 @@ export abstract class ModuleService<T extends CoreModel = any> {
       ...options?.serviceOptions,
     };
 
+    // Detect nested process() calls
+    const currentDepth = RequestContext.getProcessDepth();
+    const isNested = currentDepth > 0;
+
     // Note raw configuration
     if (config.raw) {
       config.prepareInput = null;
@@ -146,31 +169,53 @@ export abstract class ModuleService<T extends CoreModel = any> {
       if (!opts.targetModel && config.inputType) {
         opts.targetModel = config.inputType;
       }
-      const originalInput = config.input;
-      const inputJSON = JSON.stringify(originalInput);
       const preparedInput = await this.prepareInput(config.input, config);
-      new Promise(() => {
-        if (
-          inputJSON?.replace(/"password":\s*"[^"]*"/, '') !==
-          JSON.stringify(preparedInput)?.replace(/"password":\s*"[^"]*"/, '')
-        ) {
-          console.debug(
-            'CheckSecurityInterceptor: securityCheck changed input of type',
-            originalInput.constructor.name,
-            'to type',
-            preparedInput.constructor.name,
-          );
+
+      if (this.configService?.getFastButReadOnly('debugProcessInput', false)) {
+        try {
+          const secretFields: string[] = this.configService?.getFastButReadOnly('security.secretFields', [
+            'password',
+            'verificationToken',
+            'passwordResetToken',
+            'refreshTokens',
+            'tempTokens',
+          ]);
+          const redact = (json: string) =>
+            secretFields.reduce(
+              (s, field) => s.replace(new RegExp(`"${field}":\\s*"[^"]*"`, 'g'), `"${field}":"[REDACTED]"`),
+              json || '',
+            );
+          const originalJSON = redact(JSON.stringify(config.input));
+          const preparedJSON = redact(JSON.stringify(preparedInput));
+          if (originalJSON !== preparedJSON) {
+            console.debug(
+              'process: prepareInput changed input of type',
+              config.input?.constructor?.name,
+              'to type',
+              preparedInput?.constructor?.name,
+            );
+          }
+        } catch {
+          // JSON.stringify can fail on circular references — ignore
         }
-      });
+      }
+
       config.input = preparedInput;
     }
 
-    // Get DB object
+    // Get DB object for rights checking — lean query to avoid recursive process() call.
+    // Using lean preserves ALL fields (including createdBy) which is needed for
+    // S_CREATOR and S_SELF checks. The full process() pipeline would remove
+    // restricted fields, potentially breaking these checks.
     if (config.dbObject && config.checkRights && this.checkRights) {
       if (typeof config.dbObject === 'string' || config.dbObject instanceof Types.ObjectId) {
-        const dbObject = await this.get(getStringIds(config.dbObject));
-        if (dbObject) {
-          config.dbObject = dbObject;
+        if (this.mainDbModel) {
+          const rawDoc = await this.mainDbModel.findById(getStringIds(config.dbObject)).lean().exec();
+          if (rawDoc) {
+            config.dbObject = (this.mainModelConstructor as any)?.map
+              ? (this.mainModelConstructor as any).map(rawDoc)
+              : rawDoc;
+          }
         }
       }
     }
@@ -198,21 +243,27 @@ export abstract class ModuleService<T extends CoreModel = any> {
       (config.input as Record<string, any>).updatedBy = config.currentUser.id;
     }
 
-    // Run service function
-    // When force is enabled, bypass the Mongoose role guard plugin as well
+    // Run service function with incremented depth
+    // When force is enabled, also bypass the Mongoose role guard plugin
+    const executeServiceFunc = () => RequestContext.runWithIncrementedProcessDepth(() => serviceFunc(config));
+
     let result = config.force
-      ? await RequestContext.runWithBypassRoleGuard(() => serviceFunc(config))
-      : await serviceFunc(config);
+      ? await RequestContext.runWithBypassRoleGuard(executeServiceFunc)
+      : await executeServiceFunc();
 
     // Pop and map main model
+    // Skip on nested calls UNLESS populate was explicitly requested —
+    // the outermost call handles population for the final response.
     if (config.processFieldSelection && config.fieldSelection && this.processFieldSelection) {
-      let temps = result;
-      if (!Array.isArray(result)) {
-        temps = [result];
-      }
-      for (const temp of temps) {
-        const field = config.outputPath ? _.get(temp, config.outputPath) : temp;
-        await this.processFieldSelection(field, config.fieldSelection, config.processFieldSelection);
+      if (!isNested || config.populate) {
+        let temps = result;
+        if (!Array.isArray(result)) {
+          temps = [result];
+        }
+        for (const temp of temps) {
+          const field = config.outputPath ? _.get(temp, config.outputPath) : temp;
+          await this.processFieldSelection(field, config.fieldSelection, config.processFieldSelection);
+        }
       }
     }
 
@@ -222,6 +273,14 @@ export abstract class ModuleService<T extends CoreModel = any> {
       if (!opts.targetModel && config.outputType) {
         opts.targetModel = config.outputType;
       }
+
+      // On nested calls without explicit populate: skip model mapping
+      // (the outermost call and CheckSecurityInterceptor handle final mapping).
+      // Secret removal (removeSecrets) stays active at ALL depths.
+      if (isNested && !config.populate && typeof opts === 'object') {
+        opts.targetModel = undefined;
+      }
+
       if (config.outputPath) {
         let temps = result;
         if (!Array.isArray(result)) {
@@ -236,7 +295,9 @@ export abstract class ModuleService<T extends CoreModel = any> {
     }
 
     // Check output rights
-    if (config.checkRights && (await this.checkRights(undefined, config.currentUser as any, config))) {
+    // Skip on nested calls — the outermost process() and CheckSecurityInterceptor
+    // perform the final output rights check on the complete response.
+    if (!isNested && config.checkRights && (await this.checkRights(undefined, config.currentUser as any, config))) {
       const opts: any = {
         dbObject: config.dbObject,
         processType: ProcessType.OUTPUT,
@@ -362,7 +423,7 @@ export abstract class ModuleService<T extends CoreModel = any> {
     data: any,
     fieldsSelection: FieldSelection,
     options: {
-      dbModel?: Model<Document & T>;
+      dbModel?: Model<Document & T> | SafeModel<Document & T>;
       ignoreSelections?: boolean;
       model?: new (...args: any[]) => T;
     } = {},
@@ -372,7 +433,7 @@ export abstract class ModuleService<T extends CoreModel = any> {
       model: this.mainModelConstructor,
       ...options,
     };
-    return popAndMap(data, fieldsSelection, config.model, config.dbModel, {
+    return popAndMap(data, fieldsSelection, config.model, config.dbModel as Model<Document & T>, {
       ignoreSelections: config.ignoreSelections,
     });
   }

package/src/core/common/services/request-context.service.ts

@@ -19,6 +19,13 @@ export interface IRequestContext {
   tenantRole?: string;
   /** When true, indicates admin bypass is active (admin without header sees all data) */
   isAdminBypass?: boolean;
+  /**
+   * Tracks the nesting depth of process() calls.
+   * 0 = outermost call (full pipeline), > 0 = nested call (reduced pipeline).
+   * Used to skip redundant populate, output mapping, and output rights checks
+   * on inner calls — the outermost call and CheckSecurityInterceptor handle these.
+   */
+  processDepth?: number;
 }
 
 /**
@@ -81,6 +88,46 @@ export class RequestContext {
     return this.storage.run(context, fn);
   }
 
+  /**
+   * Get the current process() nesting depth.
+   * Returns 0 if not inside a process() call.
+   */
+  static getProcessDepth(): number {
+    return this.storage.getStore()?.processDepth || 0;
+  }
+
+  /**
+   * Run a function with incremented process depth.
+   *
+   * Used internally by `ModuleService.process()` to wrap the serviceFunc call.
+   * At depth > 0, the built-in pipeline skips redundant populate, model mapping,
+   * and output rights checks — the outermost call (depth 0) and
+   * CheckSecurityInterceptor handle these for the final response.
+   *
+   * Also available for custom pipeline implementations that wrap `process()`.
+   *
+   * **Security contract:** Code running at depth > 0 must NOT return data
+   * directly to external consumers without an outer depth-0 `process()` call
+   * or manual `checkRights` — the output rights check is skipped at depth > 0.
+   *
+   * @example
+   * ```typescript
+   * // Custom pipeline that wraps a service call with depth tracking
+   * const result = await RequestContext.runWithIncrementedProcessDepth(async () => {
+   *   return this.innerService.create(input, serviceOptions);
+   * });
+   * ```
+   */
+  static runWithIncrementedProcessDepth<T>(fn: () => T): T {
+    const currentStore = this.storage.getStore();
+    const currentDepth = currentStore?.processDepth || 0;
+    const context: IRequestContext = {
+      ...currentStore,
+      processDepth: currentDepth + 1,
+    };
+    return this.storage.run(context, fn);
+  }
+
   static getTenantId(): string | undefined {
     return this.storage.getStore()?.tenantId;
   }