@lenne.tech/nest-server 11.6.2 → 11.7.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.6.2",
+  "version": "11.7.1",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -77,13 +77,14 @@
     "node": ">= 20"
   },
   "dependencies": {
-    "@apollo/server": "4.12.2",
-    "@better-auth/passkey": "1.4.7",
+    "@apollo/server": "5.2.0",
+    "@as-integrations/express5": "1.1.2",
+    "@better-auth/passkey": "1.4.8-beta.4",
     "@getbrevo/brevo": "3.0.1",
-    "@nestjs/apollo": "13.1.0",
+    "@nestjs/apollo": "13.2.3",
     "@nestjs/common": "11.1.9",
     "@nestjs/core": "11.1.9",
-    "@nestjs/graphql": "13.2.0",
+    "@nestjs/graphql": "13.2.3",
     "@nestjs/jwt": "11.0.2",
     "@nestjs/mongoose": "11.0.4",
     "@nestjs/passport": "11.0.5",
@@ -92,16 +93,16 @@
     "@nestjs/swagger": "11.2.3",
     "@nestjs/terminus": "11.0.0",
     "@nestjs/websockets": "11.1.9",
-    "@thallesp/nestjs-better-auth": "2.2.0",
     "apollo-server-core": "3.13.0",
     "bcrypt": "6.0.0",
-    "better-auth": "1.4.7",
+    "better-auth": "1.4.8-beta.4",
     "class-transformer": "0.5.1",
     "class-validator": "0.14.3",
     "compression": "1.8.1",
     "cookie-parser": "1.4.7",
     "dotenv": "17.2.3",
     "ejs": "3.1.10",
+    "express": "5.1.0",
     "graphql": "16.12.0",
     "graphql-query-complexity": "1.1.0",
     "graphql-subscriptions": "3.0.0",
@@ -110,7 +111,7 @@
     "json-to-graphql-query": "2.3.0",
     "lodash": "4.17.21",
     "mongodb": "7.0.0",
-    "mongoose": "8.19.3",
+    "mongoose": "9.0.2",
     "multer": "2.0.2",
     "node-mailjet": "6.0.11",
     "nodemailer": "7.0.11",
@@ -119,7 +120,6 @@
     "reflect-metadata": "0.2.2",
     "rfdc": "1.4.1",
     "rxjs": "7.8.2",
-    "ts-jest": "29.4.6",
     "yuml-diagram": "1.2.0"
   },
   "devDependencies": {
@@ -129,23 +129,23 @@
     "@nestjs/schematics": "11.0.9",
     "@nestjs/testing": "11.1.9",
     "@swc/cli": "0.7.9",
-    "@swc/core": "1.15.3",
+    "@swc/core": "1.15.7",
     "@types/compression": "1.8.1",
     "@types/cookie-parser": "1.4.10",
     "@types/ejs": "3.1.5",
     "@types/express": "4.17.21",
     "@types/lodash": "4.17.21",
     "@types/multer": "2.0.0",
-    "@types/node": "25.0.1",
+    "@types/node": "25.0.3",
     "@types/nodemailer": "7.0.4",
     "@types/passport": "1.0.17",
     "@types/supertest": "6.0.3",
-    "@typescript-eslint/eslint-plugin": "8.49.0",
-    "@typescript-eslint/parser": "8.49.0",
-    "@vitest/coverage-v8": "4.0.15",
-    "@vitest/ui": "4.0.15",
+    "@typescript-eslint/eslint-plugin": "8.50.0",
+    "@typescript-eslint/parser": "8.50.0",
+    "@vitest/coverage-v8": "4.0.16",
+    "@vitest/ui": "4.0.16",
     "ansi-colors": "4.1.3",
-    "eslint": "9.39.1",
+    "eslint": "9.39.2",
     "eslint-config-prettier": "10.1.8",
     "eslint-plugin-unused-imports": "4.3.0",
     "find-file-up": "2.0.1",
@@ -162,28 +162,19 @@
     "pretty-quick": "4.2.2",
     "rimraf": "6.1.2",
     "supertest": "7.1.4",
+    "ts-jest": "29.4.6",
     "ts-loader": "9.5.4",
     "ts-morph": "27.0.2",
     "ts-node": "10.9.2",
     "tsconfig-paths": "4.2.0",
     "typescript": "5.9.3",
     "unplugin-swc": "1.5.9",
-    "vite": "7.2.7",
+    "vite": "7.3.0",
     "vite-plugin-node": "7.0.0",
-    "vite-tsconfig-paths": "5.1.4",
-    "vitest": "4.0.15",
+    "vite-tsconfig-paths": "6.0.3",
+    "vitest": "4.0.16",
     "yalc": "1.0.0-pre.53"
   },
-  "overrides": {
-    "@lykmapipo/common": {
-      "flat": "5.0.2",
-      "mime": "2.6.0"
-    },
-    "better-auth": {
-      "mongodb": "7.0.0"
-    },
-    "ts-morph": "27.0.2"
-  },
   "jest": {
     "collectCoverage": true,
     "coverageDirectory": "../coverage",

package/src/config.env.ts

@@ -14,6 +14,16 @@ const config: { [env: string]: IServerOptions } = {
   // Development environment
   // ===========================================================================
   development: {
+    // Legacy Auth endpoint controls (for migration to BetterAuth)
+    // Set to false after all users have migrated to BetterAuth (IAM)
+    // See: .claude/rules/module-deprecation.md
+    auth: {
+      legacyEndpoints: {
+        enabled: true, // Set to false to disable legacy auth endpoints (returns HTTP 410)
+        // graphql: true, // Optionally disable only GraphQL endpoints
+        // rest: true,    // Optionally disable only REST endpoints
+      },
+    },
     automaticObjectIdFiltering: true,
     betterAuth: {
       basePath: '/iam',
@@ -23,9 +33,6 @@ const config: { [env: string]: IServerOptions } = {
         enabled: true,
         expiresIn: '15m',
       },
-      legacyPassword: {
-        enabled: true,
-      },
       passkey: {
         enabled: false,
         origin: 'http://localhost:3000',
@@ -165,27 +172,34 @@ const config: { [env: string]: IServerOptions } = {
   // Local environment
   // ===========================================================================
   local: {
+    // Legacy Auth endpoint controls (for migration to BetterAuth)
+    // Set to false after all users have migrated to BetterAuth (IAM)
+    // See: .claude/rules/module-deprecation.md
+    auth: {
+      legacyEndpoints: {
+        enabled: true, // Set to false to disable legacy auth endpoints (returns HTTP 410)
+        // graphql: true, // Optionally disable only GraphQL endpoints
+        // rest: true,    // Optionally disable only REST endpoints
+      },
+    },
     automaticObjectIdFiltering: true,
     betterAuth: {
       basePath: '/iam',
       baseUrl: 'http://localhost:3000',
-      // enabled: true by default - set false to explicitly disable
+      enabled: true, // Enable for Scenario 2 (Legacy + IAM) testing
       jwt: {
         enabled: true,
         expiresIn: '15m',
       },
-      legacyPassword: {
-        enabled: true,
-      },
       passkey: {
-        enabled: false,
+        enabled: true,
         origin: 'http://localhost:3000',
         rpId: 'localhost',
         rpName: 'Nest Server Local',
       },
       rateLimit: {
         enabled: true,
-        max: 20,
+        max: 100, // Higher limit for local testing
         message: 'Too many requests, please try again later.',
         skipEndpoints: ['/session', '/callback'],
         strictEndpoints: ['/sign-in', '/sign-up', '/forgot-password', '/reset-password'],
@@ -211,7 +225,7 @@ const config: { [env: string]: IServerOptions } = {
       },
       twoFactor: {
         appName: 'Nest Server Local',
-        enabled: false,
+        enabled: true,
       },
     },
     compression: true,
@@ -327,6 +341,16 @@ const config: { [env: string]: IServerOptions } = {
   // Production environment
   // ===========================================================================
   production: {
+    // Legacy Auth endpoint controls (for migration to BetterAuth)
+    // Set to false after all users have migrated to BetterAuth (IAM)
+    // See: .claude/rules/module-deprecation.md
+    auth: {
+      legacyEndpoints: {
+        enabled: process.env.LEGACY_AUTH_ENABLED !== 'false', // Disable via env var
+        // graphql: true, // Optionally disable only GraphQL endpoints
+        // rest: true,    // Optionally disable only REST endpoints
+      },
+    },
     automaticObjectIdFiltering: true,
     betterAuth: {
       basePath: '/iam',
@@ -336,9 +360,6 @@ const config: { [env: string]: IServerOptions } = {
         enabled: true,
         expiresIn: '15m',
       },
-      legacyPassword: {
-        enabled: true,
-      },
       passkey: {
         enabled: false,
         origin: process.env.BETTER_AUTH_URL || 'https://example.com',

package/src/core/common/helpers/filter.helper.ts

@@ -1,4 +1,4 @@
-import { FilterQuery, QueryOptions } from 'mongoose';
+import { QueryFilter, QueryOptions } from 'mongoose';
 
 import { FilterArgs } from '../args/filter.args';
 import { ComparisonOperatorEnum } from '../enums/comparison-operator.enum';
@@ -19,14 +19,14 @@ export class Filter {
    * Convert filter arguments to a query array
    * @param filterArgs
    */
-  public static convertFilterArgsToQuery<T = any>(filterArgs: Partial<FilterArgs>): [FilterQuery<T>, QueryOptions] {
-    return convertFilterArgsToQuery(filterArgs);
+  public static convertFilterArgsToQuery<T = Record<string, any>>(filterArgs: Partial<FilterArgs>): [T, QueryOptions] {
+    return convertFilterArgsToQuery<T>(filterArgs);
   }
 
   /**
    * Generate filter query
    */
-  public static generateFilterQuery<T = any>(filter?: Partial<FilterInput>): any | FilterQuery<T> {
+  public static generateFilterQuery<T = any>(filter?: Partial<FilterInput>): any | QueryFilter<T> {
     return generateFilterQuery(filter);
   }
 
@@ -41,31 +41,29 @@ export class Filter {
 /**
  * Convert filter arguments to a query array
  */
-export function convertFilterArgsToQuery<T = any>(filterArgs: Partial<FilterArgs>): [FilterQuery<T>, QueryOptions] {
-  return [generateFilterQuery(filterArgs?.filter), generateFindOptions(filterArgs)];
+export function convertFilterArgsToQuery<T = Record<string, any>>(filterArgs: Partial<FilterArgs>): [T, QueryOptions] {
+  return [generateFilterQuery(filterArgs?.filter) as T, generateFindOptions(filterArgs)];
 }
 
 /**
  * Merge FilterArgs and FilterQueries
  */
-export function filterMerge<T = unknown>(
+export function filterMerge<T = Record<string, any>>(
   filterArgs: Partial<FilterArgs>,
-  filterQuery: Partial<FilterQuery<T>>,
+  filterQuery: Partial<T>,
   options?: {
     operator?: '$and' | '$nor' | '$or';
     queryOptions?: Partial<QueryOptions>;
     samples?: number;
   },
-): { filterQuery: FilterQuery<T>; queryOptions?: QueryOptions; samples?: number } {
+): { filterQuery: T; queryOptions?: QueryOptions; samples?: number } {
   const config = {
     operator: '$and',
     ...options,
   };
   const converted = convertFilterArgsToQuery(filterArgs);
   return {
-    filterQuery: (converted[0]
-      ? { [config.operator]: [converted[0], filterQuery || {}] }
-      : filterQuery) as FilterQuery<T>,
+    filterQuery: (converted[0] ? { [config.operator]: [converted[0], filterQuery || {}] } : filterQuery) as T,
     queryOptions: converted[1] || config.queryOptions ? { ...converted[1], ...config.queryOptions } : undefined,
     samples: config.samples,
   };
@@ -76,18 +74,18 @@ export function filterMerge<T = unknown>(
  */
 export function findFilter(options?: {
   conditions?: Record<string, any>[];
-  filterOptions?: FilterQuery<any>;
+  filterOptions?: QueryFilter<any>;
   id?: any;
   ids?: any[];
   type?: '$and' | '$nor' | '$or';
-}): FilterQuery<any> {
+}): QueryFilter<any> {
   const config = {
     type: '$and',
     ...options,
   };
 
   // Init filter Option
-  let filterOptions: FilterQuery<any> = config?.filterOptions;
+  let filterOptions: QueryFilter<any> = config?.filterOptions;
 
   // Check where condition
   if (!filterOptions) {
@@ -120,7 +118,7 @@ export function findFilter(options?: {
   }
 
   // Filter falsy values
-  filterOptions[config.type] = filterOptions[config.type].filter(value => value);
+  filterOptions[config.type] = filterOptions[config.type].filter((value) => value);
 
   // Optimizations
   if (!filterOptions[config.type].length) {
@@ -143,7 +141,7 @@ export function findFilter(options?: {
 export function generateFilterQuery<T = any>(
   filter?: Partial<FilterInput>,
   options?: { automaticObjectIdFiltering?: boolean },
-): any | FilterQuery<T> {
+): any | QueryFilter<T> {
   // Check filter
   if (!filter) {
     return undefined;

package/src/core/common/helpers/gridfs.helper.ts

@@ -166,7 +166,7 @@ export class GridFSHelper {
    */
   static async findFiles(bucket: GridFSBucket, filter: any = {}, options: any = {}): Promise<GridFSFileInfo[]> {
     const files = await bucket.find(filter, options).toArray();
-    return files.map(file => GridFSHelper.normalizeFileInfo(file));
+    return files.map((file) => GridFSHelper.normalizeFileInfo(file));
   }
 
   /**
@@ -200,12 +200,12 @@ export class GridFSHelper {
     filename: string,
     options?: { contentType?: string },
   ): mongo.GridFSBucketWriteStream {
-    // Store contentType in metadata to avoid deprecation warning
+    // Store contentType in metadata (mongodb 7.x no longer has contentType option)
     if (options?.contentType) {
       const metadata = { contentType: options.contentType };
       return bucket.openUploadStream(filename, { metadata });
     }
-    return bucket.openUploadStream(filename, options);
+    return bucket.openUploadStream(filename);
   }
 
   /**
@@ -217,11 +217,11 @@ export class GridFSHelper {
     filename: string,
     options?: { contentType?: string },
   ): mongo.GridFSBucketWriteStream {
-    // Store contentType in metadata to avoid deprecation warning
+    // Store contentType in metadata (mongodb 7.x no longer has contentType option)
     if (options?.contentType) {
       const metadata = { contentType: options.contentType };
       return bucket.openUploadStreamWithId(id, filename, { metadata });
     }
-    return bucket.openUploadStreamWithId(id, filename, options);
+    return bucket.openUploadStreamWithId(id, filename);
   }
 }

package/src/core/common/interfaces/server-options.interface.ts

@@ -22,6 +22,170 @@ import { MailjetOptions } from './mailjet-options.interface';
  */
 export type BetterAuthFieldType = 'boolean' | 'date' | 'json' | 'number' | 'number[]' | 'string' | 'string[]';
 
+/**
+ * Interface for Auth configuration
+ *
+ * This configuration controls the authentication system behavior.
+ * In v11.x, Legacy Auth (CoreAuthService) is the default.
+ * In a future version, BetterAuth (IAM) will become the default.
+ *
+ * @since 11.7.1
+ *
+ * ## Migration Roadmap
+ *
+ * ### v11.x (Current)
+ * - Legacy Auth is the default and required for GraphQL Subscriptions
+ * - BetterAuth can be used alongside Legacy Auth
+ * - Use `legacyEndpoints.enabled: false` after all users migrated to IAM
+ *
+ * ### Future Version (Planned)
+ * - BetterAuth becomes the default
+ * - Legacy Auth becomes optional (must be explicitly enabled)
+ * - CoreModule.forRoot signature simplifies to `CoreModule.forRoot(options)`
+ *
+ * @see https://github.com/lenneTech/nest-server/blob/develop/.claude/rules/module-deprecation.md
+ */
+export interface IAuth {
+  /**
+   * Configuration for legacy auth endpoints
+   *
+   * Legacy endpoints include:
+   * - GraphQL: signIn, signUp, signOut, refreshToken mutations
+   * - REST: /api/auth/* endpoints
+   *
+   * These can be disabled once all users have migrated to BetterAuth (IAM).
+   *
+   * @example
+   * ```typescript
+   * auth: {
+   *   legacyEndpoints: {
+   *     enabled: false // Disable all legacy endpoints after migration
+   *   }
+   * }
+   * ```
+   */
+  legacyEndpoints?: IAuthLegacyEndpoints;
+
+  /**
+   * Prevent user enumeration via unified error messages
+   *
+   * When enabled, authentication errors return a generic "Invalid credentials"
+   * message instead of specific messages like "Unknown email" or "Wrong password".
+   *
+   * This prevents attackers from determining whether an email address exists
+   * in the system, but reduces UX clarity for legitimate users.
+   *
+   * @since 11.7.x
+   * @default false (backward compatible - specific error messages)
+   *
+   * @example
+   * ```typescript
+   * auth: {
+   *   preventUserEnumeration: true // Returns "Invalid credentials" for all auth errors
+   * }
+   * ```
+   */
+  preventUserEnumeration?: boolean;
+
+  /**
+   * Rate limiting configuration for Legacy Auth endpoints
+   *
+   * Protects against brute-force attacks on signIn, signUp, and other
+   * authentication endpoints.
+   *
+   * Follows the same pattern as `betterAuth.rateLimit`.
+   *
+   * @since 11.7.x
+   * @default { enabled: false }
+   *
+   * @example
+   * ```typescript
+   * auth: {
+   *   rateLimit: {
+   *     enabled: true,
+   *     max: 10,
+   *     windowSeconds: 60,
+   *     message: 'Too many login attempts, please try again later.',
+   *   }
+   * }
+   * ```
+   */
+  rateLimit?: IAuthRateLimit;
+}
+
+/**
+ * Interface for Legacy Auth endpoints configuration
+ *
+ * These endpoints are part of the Legacy Auth system (CoreAuthService).
+ * In a future version, BetterAuth (IAM) will become the default and these endpoints
+ * can be disabled once all users have migrated.
+ *
+ * @since 11.7.1
+ * @see https://github.com/lenneTech/nest-server/blob/develop/.claude/rules/module-deprecation.md
+ */
+export interface IAuthLegacyEndpoints {
+  /**
+   * Whether legacy auth endpoints are enabled.
+   *
+   * Set to false to disable all legacy auth endpoints (GraphQL and REST).
+   * Use this after all users have migrated to BetterAuth (IAM).
+   *
+   * Check migration status via the `betterAuthMigrationStatus` query.
+   *
+   * @default true
+   */
+  enabled?: boolean;
+
+  /**
+   * Whether legacy GraphQL auth endpoints are enabled.
+   * Affects: signIn, signUp, signOut, refreshToken mutations
+   *
+   * @default true (inherits from `enabled`)
+   */
+  graphql?: boolean;
+
+  /**
+   * Whether legacy REST auth endpoints are enabled.
+   * Affects: /api/auth/sign-in, /api/auth/sign-up, etc.
+   *
+   * @default true (inherits from `enabled`)
+   */
+  rest?: boolean;
+}
+
+/**
+ * Interface for Legacy Auth rate limiting configuration
+ *
+ * Same structure as IBetterAuthRateLimit for consistency.
+ *
+ * @since 11.7.x
+ */
+export interface IAuthRateLimit {
+  /**
+   * Whether rate limiting is enabled
+   * @default false
+   */
+  enabled?: boolean;
+
+  /**
+   * Maximum number of requests within the time window
+   * @default 10
+   */
+  max?: number;
+
+  /**
+   * Custom message when rate limit is exceeded
+   * @default 'Too many requests, please try again later.'
+   */
+  message?: string;
+
+  /**
+   * Time window in seconds
+   * @default 60
+   */
+  windowSeconds?: number;
+}
+
 /**
  * Interface for better-auth configuration
  */
@@ -41,6 +205,40 @@ export interface IBetterAuth {
    */
   additionalUserFields?: Record<string, IBetterAuthUserField>;
 
+  /**
+   * Whether BetterAuthModule should be auto-registered in CoreModule.
+   *
+   * When false (default), projects integrate BetterAuth via an extended module
+   * in their project (e.g., `src/server/modules/better-auth/better-auth.module.ts`).
+   * This follows the same pattern as Legacy Auth and allows for custom resolvers,
+   * controllers, and project-specific authentication logic.
+   *
+   * Set to true only for simple projects that don't need customization.
+   *
+   * @default false
+   *
+   * @example
+   * ```typescript
+   * // Recommended: Extend BetterAuthModule in your project
+   * // src/server/modules/better-auth/better-auth.module.ts
+   * import { BetterAuthModule as CoreBetterAuthModule } from '@lenne.tech/nest-server';
+   *
+   * @Module({})
+   * export class BetterAuthModule {
+   *   static forRoot(options) {
+   *     return {
+   *       imports: [CoreBetterAuthModule.forRoot(options)],
+   *       // Add custom providers, controllers, etc.
+   *     };
+   *   }
+   * }
+   *
+   * // Then import in ServerModule
+   * import { BetterAuthModule } from './modules/better-auth/better-auth.module';
+   * ```
+   */
+  autoRegister?: boolean;
+
   /**
    * Base path for better-auth endpoints
    * default: '/iam'
@@ -53,6 +251,19 @@ export interface IBetterAuth {
    */
   baseUrl?: string;
 
+  /**
+   * Email/password authentication configuration.
+   * Enabled by default.
+   * Set `enabled: false` to explicitly disable email/password auth.
+   */
+  emailAndPassword?: {
+    /**
+     * Whether email/password authentication is enabled.
+     * @default true
+     */
+    enabled?: boolean;
+  };
+
   /**
    * Whether better-auth is enabled.
    * BetterAuth is enabled by default (zero-config philosophy).
@@ -80,20 +291,6 @@ export interface IBetterAuth {
     expiresIn?: string;
   };
 
-  /**
-   * Legacy password handling configuration.
-   * Used during migration from old auth system.
-   * Enabled by default when this config block is present.
-   * Set `enabled: false` to explicitly disable.
-   */
-  legacyPassword?: {
-    /**
-     * Whether legacy password handling is enabled.
-     * @default true (when legacyPassword config block is present)
-     */
-    enabled?: boolean;
-  };
-
   /**
    * Advanced Better-Auth options passthrough.
    * These options are passed directly to Better-Auth, allowing full customization.
@@ -380,6 +577,17 @@ export interface IJwt {
  * Options for the server
  */
 export interface IServerOptions {
+  /**
+   * Authentication system configuration
+   *
+   * Controls Legacy Auth endpoints and behavior.
+   * In a future version, this will also control BetterAuth as the default system.
+   *
+   * @since 11.7.1
+   * @see IAuth
+   */
+  auth?: IAuth;
+
   /**
    * Automatically detect ObjectIds in string values in FilterQueries
    * and expand them as OR query with string and ObjectId.