@lenne.tech/nest-server 11.25.2 → 11.25.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/FRAMEWORK-API.md +1 -1
  2. package/migration-guides/11.25.0-to-11.25.3.md +203 -0
  3. package/package.json +5 -3
package/FRAMEWORK-API.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # @lenne.tech/nest-server — Framework API Reference
2
2
 
3
- > Auto-generated from source code on 2026-04-20 (v11.25.2)
3
+ > Auto-generated from source code on 2026-04-23 (v11.25.3)
4
4
  > File: `FRAMEWORK-API.md` — compact, machine-readable API surface for Claude Code
5
5
 
6
6
  ## CoreModule.forRoot()
package/migration-guides/11.25.0-to-11.25.3.md ADDED
@@ -0,0 +1,203 @@
1
+ # Migration Guide: 11.25.0 → 11.25.3
2
+
3
+ ## Overview
4
+
5
+ | Category | Details |
6
+ |----------|---------|
7
+ | **Breaking Changes** | None |
8
+ | **New Features** | `cookies` option on `TestHelper.graphQl()` for cookie-based auth in GraphQL tests (11.25.1) |
9
+ | **Bugfixes** | Removed incorrect `@deprecated` tag from the 3-parameter `CoreModule.forRoot()` signature (11.25.2); hardened `scripts/check-server-start.sh` cleanup to avoid hanging CI runs (11.25.3) |
10
+ | **Security** | Added `uuid@<14.0.0` override (GHSA-w5hq-g745-h8pq, transitive via `@compodoc/compodoc`) — framework-internal, no consumer action needed (11.25.3) |
11
+ | **Migration Effort** | None required — update package only. New feature is opt-in. |
12
+
13
+ ---
14
+
15
+ ## Quick Migration
16
+
17
+ ```bash
18
+ # Update package
19
+ pnpm install @lenne.tech/nest-server@11.25.3
20
+
21
+ # Verify build
22
+ pnpm run build
23
+
24
+ # Run tests
25
+ pnpm test
26
+ ```
27
+
28
+ No code changes required. All changes are backward compatible.
29
+
30
+ ---
31
+
32
+ ## What's New in 11.25.1
33
+
34
+ ### `cookies` Option on `TestHelper.graphQl()`
35
+
36
+ Since v11.25.0 cookies are enabled by default. Before v11.25.1, `TestHelper.graphQl()` could only authenticate via JWT (`token` option) — mirroring production cookie flows in GraphQL tests required manual `Cookie` header construction. v11.25.1 adds a first-class `cookies` option to `TestGraphQLOptions`, identical in behavior to the existing `cookies` option on `TestRestOptions`.
37
+
38
+ **Three usage modes:**
39
+
40
+ ```typescript
41
+ // 1. Plain session token string (recommended)
42
+ // -> Auto-detected and converted via buildBetterAuthCookies() to all
43
+ // relevant cookie names (iam.session_token, token)
44
+ await testHelper.graphQl({
45
+ name: 'me',
46
+ type: TestGraphQLType.QUERY,
47
+ fields: ['id', 'email'],
48
+ cookies: sessionToken, // e.g. raw token from DB `session` collection
49
+ });
50
+
51
+ // 2. Pre-formatted cookie string (contains = or ;)
52
+ // -> Used as-is as a Cookie header
53
+ await testHelper.graphQl({
54
+ name: 'me',
55
+ type: TestGraphQLType.QUERY,
56
+ fields: ['id'],
57
+ cookies: 'iam.session_token=abc.signature; other=value',
58
+ });
59
+
60
+ // 3. Record<string, string>
61
+ // -> Joined into a Cookie header
62
+ await testHelper.graphQl({
63
+ name: 'me',
64
+ type: TestGraphQLType.QUERY,
65
+ fields: ['id'],
66
+ cookies: { 'iam.session_token': 'abc.signature' },
67
+ });
68
+ ```
69
+
70
+ **Combined with `token`:**
71
+
72
+ Both headers are sent. The server's middleware token priority remains: `Authorization: Bearer` header first, then JWT cookie, then session cookie.
73
+
74
+ ```typescript
75
+ await testHelper.graphQl({
76
+ name: 'me',
77
+ type: TestGraphQLType.QUERY,
78
+ fields: ['id'],
79
+ token: jwtToken, // -> Authorization header
80
+ cookies: sessionToken, // -> Cookie header (ignored when JWT is valid)
81
+ });
82
+ ```
83
+
84
+ **Reference test:** [`tests/stories/graphql-cookie-auth.story.test.ts`](../tests/stories/graphql-cookie-auth.story.test.ts) covers all three modes plus combined JWT + cookie usage.
85
+
86
+ ### When to Use
87
+
88
+ - **JWT-only tests:** Continue using `token` alone — no change needed.
89
+ - **Cookie-based tests:** Use `cookies` with the plain session-token string (simplest form).
90
+ - **Hybrid flows:** Pass both `token` and `cookies` to exercise fallback behavior.
91
+
92
+ This matches the production default since v11.25.0 (cookies enabled by default, JWT via `Authorization: Bearer` works independently).
93
+
94
+ ---
95
+
96
+ ## What's Fixed in 11.25.2
97
+
98
+ ### `@deprecated` Tag Removed from 3-Parameter `CoreModule.forRoot()`
99
+
100
+ The 3-parameter signature used by projects running Legacy Auth alongside BetterAuth was incorrectly marked `@deprecated` in `src/core.module.ts`, which caused IDE/TypeScript deprecation warnings for valid usage.
101
+
102
+ ```typescript
103
+ // This is valid and supported — no longer emits a deprecation warning
104
+ CoreModule.forRoot(CoreAuthService, AuthModule.forRoot(envConfig.jwt), envConfig);
105
+ ```
106
+
107
+ **No action needed.** If your editor was showing a strike-through on this call in 11.25.0 / 11.25.1, it will disappear after upgrading. The signature remains fully supported for projects migrating from Legacy Auth to BetterAuth. See [module-deprecation.md](../.claude/rules/module-deprecation.md) for the long-term roadmap.
108
+
109
+ ---
110
+
111
+ ## What's Fixed in 11.25.3
112
+
113
+ ### `scripts/check-server-start.sh` Cleanup Hardened
114
+
115
+ The CI helper script `scripts/check-server-start.sh` (used by `pnpm run check`) previously streamed server logs via a background `tail -f` and `wait`ed on both PIDs on `EXIT`. On macOS/bash this pattern hung intermittently because `tail -f` does not always honor `SIGTERM` while blocked on the kqueue watch, leaving `pnpm run check` stuck.
116
+
117
+ **Changes:**
118
+ - `tail -f` removed; the relevant log excerpt is printed at the end instead.
119
+ - Server process is killed with `SIGTERM` → ~2 s grace window → `SIGKILL` without `wait`ing on the child.
120
+ - `disown` suppresses the `Terminated: 15` noise in bash job output.
121
+
122
+ **No consumer impact.** The script is CI-only and not shipped to downstream projects. If your project has copied an older version of this script, you can optionally sync it — but nothing breaks if you leave it as-is.
123
+
124
+ ### `uuid@<14.0.0` Security Override (Framework-Internal)
125
+
126
+ A new `pnpm.overrides` entry was added in this repo's `package.json` to patch a missing buffer bounds check in `uuid` v3/v5/v6 (GHSA-w5hq-g745-h8pq), pulled in transitively via `@compodoc/compodoc → @compodoc/live-server → http-auth`.
127
+
128
+ **No consumer action needed.** The override lives in the framework's own `package.json`; it is not inherited by downstream projects through `@lenne.tech/nest-server`. If your own project depends on `@compodoc/compodoc` (or any other package that transitively pulls vulnerable `uuid` versions), follow the same pattern from [`.claude/rules/package-management.md`](../.claude/rules/package-management.md) in your own `pnpm.overrides`:
129
+
130
+ ```json
131
+ {
132
+ "pnpm": {
133
+ "overrides": {
134
+ "uuid@<14.0.0": "14.0.0"
135
+ }
136
+ }
137
+ }
138
+ ```
139
+
140
+ ---
141
+
142
+ ## Compatibility Notes
143
+
144
+ ### TestHelper Cookies (REST + GraphQL symmetry)
145
+
146
+ Before 11.25.1, only `testHelper.rest()` and `testHelper.download()`/`downloadBuffer()` supported `cookies`. From 11.25.1 on, `testHelper.graphQl()` exposes the same option with identical semantics, so test suites can switch an endpoint between REST and GraphQL without rewriting the auth setup.
147
+
148
+ ### No Changes to Production Runtime
149
+
150
+ 11.25.1–11.25.3 are strictly test-helper, documentation and CI improvements. No runtime behavior, security semantics, or configuration defaults change compared to v11.25.0.
151
+
152
+ ---
153
+
154
+ ## Troubleshooting
155
+
156
+ ### `testHelper.graphQl({ cookies: sessionToken })` returns 401
157
+
158
+ **Cause:** The session token may be stale (parallel test run invalidated it) or not yet written to the DB.
159
+
160
+ **Fix:** Re-fetch the session token before each GraphQL call (same pattern used for REST):
161
+
162
+ ```typescript
163
+ const token = await getSessionTokenFromDb(user.email);
164
+ await testHelper.graphQl({ ..., cookies: token });
165
+ ```
166
+
167
+ See [`tests/stories/graphql-cookie-auth.story.test.ts`](../tests/stories/graphql-cookie-auth.story.test.ts) for the reference setup (Mongo client, fresh-token helper, parallel-safe email generator).
168
+
169
+ ### IDE still shows strike-through on `CoreModule.forRoot(CoreAuthService, AuthModule.forRoot(...), envConfig)`
170
+
171
+ **Cause:** TypeScript declaration cache / stale `node_modules/@lenne.tech/nest-server/dist/core.module.d.ts`.
172
+
173
+ **Fix:** Reinstall the package and restart the TS server:
174
+
175
+ ```bash
176
+ pnpm install @lenne.tech/nest-server@11.25.3
177
+ # VS Code: Command Palette → "TypeScript: Restart TS Server"
178
+ ```
179
+
180
+ ---
181
+
182
+ ## Module Documentation
183
+
184
+ ### Test Helper
185
+ - **Interface:** [src/test/test.helper.ts](../src/test/test.helper.ts) — `TestGraphQLOptions.cookies`
186
+ - **README:** [src/test/README.md](../src/test/README.md) — TestHelper usage (REST, GraphQL, cookies)
187
+ - **Reference Story:** [tests/stories/graphql-cookie-auth.story.test.ts](../tests/stories/graphql-cookie-auth.story.test.ts)
188
+
189
+ ### Core Module
190
+ - **Source:** [src/core.module.ts](../src/core.module.ts) — `CoreModule.forRoot()` overloads
191
+ - **Deprecation Roadmap:** [.claude/rules/module-deprecation.md](../.claude/rules/module-deprecation.md)
192
+
193
+ ### Infrastructure
194
+ - **Check Script:** [scripts/check-server-start.sh](../scripts/check-server-start.sh)
195
+ - **Package Overrides:** [.claude/rules/package-management.md](../.claude/rules/package-management.md)
196
+
197
+ ---
198
+
199
+ ## References
200
+
201
+ - [Migration Guide 11.24.x → 11.25.0](./11.24.x-to-11.25.0.md) (cookies default change, CORS unification)
202
+ - [Configurable Features Pattern](../.claude/rules/configurable-features.md)
203
+ - [nest-server-starter](https://github.com/lenneTech/nest-server-starter) (reference implementation)
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@lenne.tech/nest-server",
3
- "version": "11.25.2",
3
+ "version": "11.25.3",
4
4
  "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
5
5
  "keywords": [
6
6
  "node",
@@ -199,7 +199,8 @@
199
199
  "kysely@>=0.26.0 <0.28.16": "Security: SQL injection - transitive via better-auth",
200
200
  "lodash@>=4.0.0 <4.18.0": "Security: CVE in lodash@4.17.x - transitive via @nestjs/graphql. 4.18.1 is the latest patched version",
201
201
  "defu@<=6.1.6": "Security: prototype pollution via __proto__ key - transitive via better-auth",
202
- "follow-redirects@<=1.15.11": "Security: Custom Authentication Headers leak on cross-domain redirect (GHSA-r4q5-vmmm-2653) - transitive via axios>@getbrevo/brevo and axios>node-mailjet"
202
+ "follow-redirects@<=1.15.11": "Security: Custom Authentication Headers leak on cross-domain redirect (GHSA-r4q5-vmmm-2653) - transitive via axios>@getbrevo/brevo and axios>node-mailjet",
203
+ "uuid@<14.0.0": "Security: Missing buffer bounds check in v3/v5/v6 (GHSA-w5hq-g745-h8pq) - transitive via @compodoc/compodoc and @compodoc/compodoc>@compodoc/live-server>http-auth"
203
204
  },
204
205
  "overrides": {
205
206
  "axios@<1.15.0": "1.15.0",
@@ -219,7 +220,8 @@
219
220
  "kysely@>=0.26.0 <0.28.16": "0.28.16",
220
221
  "lodash@>=4.0.0 <4.18.0": "4.18.1",
221
222
  "defu@<=6.1.6": "6.1.7",
222
- "follow-redirects@<=1.15.11": "1.16.0"
223
+ "follow-redirects@<=1.15.11": "1.16.0",
224
+ "uuid@<14.0.0": "14.0.0"
223
225
  },
224
226
  "onlyBuiltDependencies": [
225
227
  "bcrypt",