npm - @lenne.tech/nest-server - Versions diffs - 11.8.0 → 11.10.0 - Mend

@lenne.tech/nest-server 11.8.0 → 11.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (173) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.8.0",
+  "version": "11.10.0",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -21,7 +21,7 @@
     "build:pack": "npm pack && echo 'use file:/ROOT_PATH_TO_TGZ_FILE to integrate the package'",
     "build:dev": "npm run build && yalc push --private",
     "docs": "npm run docs:ci && open http://127.0.0.1:8080/ && open ./public/index.html && compodoc -p tsconfig.json -s ",
-    "docs:bootstrap": "node extras/update-spectaql-version.mjs && npx -y spectaql ./spectaql.yml",
+    "docs:bootstrap": "node extras/update-spectaql-version.mjs && node scripts/run-spectaql.mjs",
     "docs:ci": "ts-node ./scripts/init-server.ts && npm run docs:bootstrap && compodoc -p tsconfig.json",
     "format": "prettier --write 'src/**/*.ts'",
     "format:staged": "pretty-quick --staged",
@@ -62,6 +62,7 @@
     "vitest:watch": "NODE_ENV=local vitest --config vitest-e2e.config.ts",
     "vitest:unit": "vitest run --config vitest.config.ts",
     "test:unit:watch": "vitest --config vitest.config.ts",
+    "test:types": "tsc --noEmit --skipLibCheck -p tests/types/tsconfig.json",
     "watch": "npm-watch",
     "link:eslint": "yalc add @lenne.tech/eslint-config-ts && yalc link @lenne.tech/eslint-config-ts && npm install",
     "unlink:eslint": "yalc remove @lenne.tech/eslint-config-ts && npm install"
@@ -79,7 +80,7 @@
   "dependencies": {
     "@apollo/server": "5.2.0",
     "@as-integrations/express5": "1.1.2",
-    "@better-auth/passkey": "1.4.8-beta.4",
+    "@better-auth/passkey": "^1.4.16",
     "@getbrevo/brevo": "3.0.1",
     "@nestjs/apollo": "13.2.3",
     "@nestjs/common": "11.1.9",
@@ -97,7 +98,7 @@
     "@tus/server": "2.3.0",
     "apollo-server-core": "3.13.0",
     "bcrypt": "6.0.0",
-    "better-auth": "1.4.8-beta.4",
+    "better-auth": "^1.4.16",
     "class-transformer": "0.5.1",
     "class-validator": "0.14.3",
     "compression": "1.8.1",
@@ -146,6 +147,7 @@
     "@typescript-eslint/parser": "8.50.0",
     "@vitest/coverage-v8": "4.0.16",
     "@vitest/ui": "4.0.16",
+    "otpauth": "9.4.1",
     "ansi-colors": "4.1.3",
     "eslint": "9.39.2",
     "eslint-config-prettier": "10.1.8",

package/src/config.env.ts CHANGED Viewed

@@ -69,6 +69,12 @@ const config: { [env: string]: IServerOptions } = {
         appName: 'Nest Server Development',
         enabled: false,
       },
+      // CORS trustedOrigins configuration:
+      // - Not set + Passkey disabled: All origins allowed (default)
+      // - Not set + Passkey enabled: Server startup FAILS (trustedOrigins required)
+      // - Set explicitly: Only configured origins allowed
+      // Uncomment and configure when enabling Passkey:
+      // trustedOrigins: ['http://localhost:3000', 'http://localhost:3001'],
     },
     compression: true,
     cookies: false,
@@ -223,6 +229,10 @@ const config: { [env: string]: IServerOptions } = {
           enabled: false,
         },
       },
+      // REQUIRED when Passkey is enabled!
+      // Passkey uses credentials: 'include' which requires explicit CORS origins.
+      // Server startup will fail if Passkey is enabled without trustedOrigins.
+      trustedOrigins: ['http://localhost:3000', 'http://localhost:3001'],
       twoFactor: {
         appName: 'Nest Server Local',
         enabled: true,
@@ -262,6 +272,10 @@ const config: { [env: string]: IServerOptions } = {
       verificationLink: 'http://localhost:4200/user/verification',
     },
     env: 'local',
+    // Disable auto-registration to allow Server ErrorCodeModule with SRV_* codes
+    errorCode: {
+      autoRegister: false,
+    },
     execAfterInit: 'npm run docs:bootstrap',
     filter: {
       maxLimit: null,
@@ -395,10 +409,15 @@ const config: { [env: string]: IServerOptions } = {
           enabled: !!process.env.SOCIAL_GOOGLE_CLIENT_ID,
         },
       },
+      // REQUIRED for Passkey in production!
+      // Passkey uses credentials: 'include' which requires explicit origins (no wildcard '*')
+      // Configure all frontend URLs that need Passkey authentication:
+      trustedOrigins: process.env.TRUSTED_ORIGINS?.split(',') || [],
       twoFactor: {
         appName: process.env.TWO_FACTOR_APP_NAME || 'Nest Server',
         enabled: process.env.TWO_FACTOR_ENABLED === 'true',
       },
+      // Example: TRUSTED_ORIGINS=https://app.example.com,https://admin.example.com
     },
     compression: true,
     cookies: false,

package/src/core/common/helpers/logging.helper.ts ADDED Viewed

@@ -0,0 +1,134 @@
+/**
+ * Logging helper functions for safe logging of sensitive data.
+ *
+ * These functions help mask sensitive information in logs to comply with
+ * security best practices and GDPR requirements.
+ *
+ * @example
+ * ```typescript
+ * import { maskToken, maskEmail, maskSensitive } from './logging.helper';
+ *
+ * // Instead of: logger.debug(`Token: ${token}`)
+ * logger.debug(`Token: ${maskToken(token)}`);
+ *
+ * // Instead of: logger.debug(`User: ${user.email}`)
+ * logger.debug(`User: ${maskEmail(user.email)}`);
+ * ```
+ */
+/**
+ * Checks if the current environment is production.
+ * Use this to conditionally skip verbose debug logging in production.
+ *
+ * @returns true if NODE_ENV is 'production'
+ */
+export function isProduction(): boolean {
+  return process.env.NODE_ENV === 'production';
+}
+/**
+ * Masks a cookie header for safe logging.
+ * Removes all cookie values, keeping only cookie names.
+ *
+ * @param cookieHeader - The cookie header string
+ * @returns Masked cookie header showing only cookie names
+ *
+ * @example
+ * maskCookieHeader('session=abc123; token=xyz789') // 'session=***; token=***'
+ */
+export function maskCookieHeader(cookieHeader: null | string | undefined): string {
+  if (!cookieHeader) {
+    return 'none';
+  }
+  // Replace cookie values with ***
+  return cookieHeader.replace(/=([^;]*)/g, '=***');
+}
+/**
+ * Masks an email address for safe logging.
+ * Shows only the first 2 characters of the local part and the domain.
+ *
+ * @param email - The email to mask
+ * @returns Masked email or 'none' if not provided
+ *
+ * @example
+ * maskEmail('john.doe@example.com') // 'jo***@example.com'
+ * maskEmail(null) // 'none'
+ */
+export function maskEmail(email: null | string | undefined): string {
+  if (!email) {
+    return 'none';
+  }
+  const atIndex = email.indexOf('@');
+  if (atIndex <= 0) {
+    return '***';
+  }
+  const localPart = email.substring(0, atIndex);
+  const domain = email.substring(atIndex);
+  const visibleChars = Math.min(2, localPart.length);
+  return `${localPart.substring(0, visibleChars)}***${domain}`;
+}
+/**
+ * Masks an ObjectId or ID string for safe logging.
+ *
+ * @param id - The ID to mask
+ * @returns Masked ID or 'none' if not provided
+ *
+ * @example
+ * maskId('507f1f77bcf86cd799439011') // '507f***9011'
+ */
+export function maskId(id: null | string | undefined): string {
+  return maskSensitive(id, 4, 4);
+}
+/**
+ * Masks sensitive string data for safe logging.
+ * Generic function for any sensitive string.
+ *
+ * @param value - The value to mask
+ * @param visibleStart - Number of characters to show at start (default: 4)
+ * @param visibleEnd - Number of characters to show at end (default: 0)
+ * @returns Masked value or 'none' if not provided
+ *
+ * @example
+ * maskSensitive('secretpassword123') // 'secr***'
+ * maskSensitive('secretpassword123', 2, 2) // 'se***23'
+ */
+export function maskSensitive(
+  value: null | string | undefined,
+  visibleStart: number = 4,
+  visibleEnd: number = 0,
+): string {
+  if (!value) {
+    return 'none';
+  }
+  const minLength = visibleStart + visibleEnd + 3; // At least 3 chars for '***'
+  if (value.length <= minLength) {
+    return '***';
+  }
+  const start = value.substring(0, visibleStart);
+  const end = visibleEnd > 0 ? value.substring(value.length - visibleEnd) : '';
+  return `${start}***${end}`;
+}
+/**
+ * Masks a token for safe logging.
+ * Shows only the first 4 and last 4 characters.
+ *
+ * @param token - The token to mask
+ * @returns Masked token or 'none' if not provided
+ *
+ * @example
+ * maskToken('abc123xyz789') // 'abc1...9'
+ * maskToken(null) // 'none'
+ */
+export function maskToken(token: null | string | undefined): string {
+  if (!token) {
+    return 'none';
+  }
+  if (token.length <= 8) {
+    return '***';
+  }
+  return `${token.substring(0, 4)}...${token.substring(token.length - 4)}`;
+}