@memberjunction/server 5.12.0 → 5.14.0

package/src/index.ts

@@ -99,13 +99,14 @@ export * from './resolvers/EntityRecordNameResolver.js';
 export * from './resolvers/MergeRecordsResolver.js';
 export * from './resolvers/ReportResolver.js';
 export * from './resolvers/QueryResolver.js';
+export * from './resolvers/TestQuerySQLResolver.js';
 export * from './resolvers/SqlLoggingConfigResolver.js';
 export * from './resolvers/SyncRolesUsersResolver.js';
 export * from './resolvers/SyncDataResolver.js';
 export * from './resolvers/GetDataResolver.js';
 export * from './resolvers/GetDataContextDataResolver.js';
 export * from './resolvers/TransactionGroupResolver.js';
-export * from './resolvers/CreateQueryResolver.js';
+export * from './resolvers/QuerySystemUserResolver.js';
 export * from './resolvers/TelemetryResolver.js';
 export * from './resolvers/APIKeyResolver.js';
 export * from './resolvers/MCPResolver.js';
@@ -126,32 +127,16 @@ export * from './resolvers/CurrentUserContextResolver.js';
 export { GetReadOnlyDataSource, GetReadWriteDataSource, GetReadWriteProvider, GetReadOnlyProvider } from './util.js';
 
 export * from './generated/generated.js';
-export * from './hooks.js';
 export * from './multiTenancy/index.js';
+export * from './middleware/index.js';
 
-import type { ServerExtensibilityOptions, HookWithOptions } from './hooks.js';
-import { HookRegistry } from '@memberjunction/core';
-import type { HookRegistrationOptions } from '@memberjunction/core';
+import { RegisterDataHook } from '@memberjunction/core';
+import type { RequestHandler, ErrorRequestHandler } from 'express';
 import type { ApolloServerPlugin } from '@apollo/server';
-import { createTenantMiddleware, createTenantPreRunViewHook, createTenantPreSaveHook } from './multiTenancy/index.js';
+import type { GraphQLSchema } from 'graphql';
+import { BaseServerMiddleware } from './middleware/BaseServerMiddleware.js';
 
-/**
- * Register a hook that may be a plain function or a `{ hook, Priority, Namespace }` object.
- * Dynamic packages (e.g., BCSaaS) return hooks in object form to declare registration metadata.
- */
-function registerHookEntry<T>(hookName: string, entry: T | HookWithOptions<T>): void {
-  if (typeof entry === 'function') {
-    HookRegistry.Register(hookName, entry);
-  } else if (entry && typeof entry === 'object' && 'hook' in entry) {
-    const { hook, Priority, Namespace } = entry as HookWithOptions<T>;
-    const options: HookRegistrationOptions = {};
-    if (Priority != null) options.Priority = Priority;
-    if (Namespace != null) options.Namespace = Namespace;
-    HookRegistry.Register(hookName, hook, options);
-  }
-}
-
-export type MJServerOptions = ServerExtensibilityOptions & {
+export type MJServerOptions = {
   onBeforeServe?: () => void | Promise<void>;
   restApiOptions?: Partial<RESTApiOptions>; // Options for REST API configuration
 };
@@ -417,6 +402,91 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
     Object.values(module).filter((value) => typeof value === 'function')
   ) as BuildSchemaOptions['resolvers'];
 
+  // ─── Discover all server middleware via ClassFactory ─────────────────────
+  const allRegistrations = MJGlobal.Instance.ClassFactory.GetAllRegistrations(BaseServerMiddleware);
+
+  // Deduplicate by key (same key -> highest priority wins).
+  // This is the replacement mechanism: if BCSaaS registers with the same
+  // key as MJ's built-in tenant filter, ClassFactory's priority system
+  // ensures only the higher-priority one is used.
+  const uniqueKeys = new Set(
+      allRegistrations.map(r => r.Key?.trim().toLowerCase()).filter((k): k is string => k != null)
+  );
+
+  const winnerRegistrations: typeof allRegistrations = [];
+  for (const key of uniqueKeys) {
+      const winner = MJGlobal.Instance.ClassFactory.GetRegistration(BaseServerMiddleware, key);
+      if (winner) winnerRegistrations.push(winner);
+  }
+
+  // Instantiate and filter by Enabled
+  const middlewares: BaseServerMiddleware[] = [];
+  for (const reg of winnerRegistrations) {
+      const MwClass = reg.SubClass as new () => BaseServerMiddleware;
+      const mw = new MwClass();
+      if (mw.Enabled) {
+          middlewares.push(mw);
+      }
+  }
+
+  // Initialize all middleware
+  for (const mw of middlewares) {
+      await mw.Initialize();
+      console.log(`  [Middleware] ${mw.Label}`);
+  }
+
+  // Collect middleware contributions for each pipeline stage
+  const mwPreAuth: RequestHandler[] = [];
+  const mwPostAuth: RequestHandler[] = [];
+  const mwPostRoute: (RequestHandler | ErrorRequestHandler)[] = [];
+  const mwApolloPlugins: ApolloServerPlugin[] = [];
+  const mwSchemaTransformers: ((schema: GraphQLSchema) => GraphQLSchema)[] = [];
+  const mwResolverPaths: string[] = [];
+
+  for (const mw of middlewares) {
+      mwPreAuth.push(...mw.GetPreAuthMiddleware());
+      mwPostAuth.push(...mw.GetPostAuthMiddleware());
+      mwPostRoute.push(...mw.GetPostRouteMiddleware());
+      mwApolloPlugins.push(...mw.GetApolloPlugins());
+      mwSchemaTransformers.push(...mw.GetSchemaTransformers());
+      mwResolverPaths.push(...mw.GetResolverPaths());
+
+      // Express app configuration escape hatch
+      if (mw.ConfigureExpressApp) {
+          await mw.ConfigureExpressApp(app);
+      }
+
+      // Extract hook methods and register in the global hook store
+      // (ProviderBase/BaseEntity will read these via GetDataHooks())
+      RegisterDataHook('PreRunView', mw.PreRunView.bind(mw));
+      RegisterDataHook('PostRunView', mw.PostRunView.bind(mw));
+      RegisterDataHook('PreSave', mw.PreSave.bind(mw));
+  }
+
+  // ─── Resolve middleware-contributed resolver paths and merge into resolvers ───
+  let allResolvers = resolvers;
+  if (mwResolverPaths.length > 0) {
+      const mwGlobs = mwResolverPaths.flatMap((p) => (isWindows ? p.replace(/\\/g, '/') : p));
+      const mwResolverFiles = fg.globSync(mwGlobs);
+      if (mwResolverFiles.length > 0) {
+          const mwModules = await Promise.all(
+              mwResolverFiles.map((modulePath) => {
+                  try {
+                      return import(isWindows ? `file://${modulePath}` : modulePath);
+                  } catch (e) {
+                      console.error(`Error loading middleware resolver at '${modulePath}'`, e);
+                      throw e;
+                  }
+              })
+          );
+          const mwResolvers = mwModules.flatMap((module) =>
+              Object.values(module).filter((value) => typeof value === 'function')
+          );
+          allResolvers = [...resolvers, ...mwResolvers] as BuildSchemaOptions['resolvers'];
+          console.log(`  [Middleware Resolvers] Loaded ${mwResolverFiles.length} resolver file(s) from middleware`);
+      }
+  }
+
   // Create an explicit PubSub instance so we can reference it outside of resolvers
   // graphql-subscriptions v3 renamed asyncIterator→asyncIterableIterator, but
   // type-graphql still calls asyncIterator. Shim for compatibility.
@@ -451,7 +521,7 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
   let schema = mergeSchemas({
     schemas: [
       buildSchemaSync({
-        resolvers,
+        resolvers: allResolvers,
         validate: false,
         scalarsMap: [{ type: Date, scalar: GraphQLTimestamp }],
         emitSchemaFile: websiteRunFromPackage !== 1,
@@ -463,11 +533,9 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
   schema = requireSystemUserDirective.transformer(schema);
   schema = publicDirective.transformer(schema);
 
-  // Apply user-provided schema transformers (after built-in directive transformers)
-  if (options?.SchemaTransformers) {
-    for (const transformer of options.SchemaTransformers) {
-      schema = transformer(schema);
-    }
+  // Apply middleware-contributed schema transformers (after built-in directive transformers)
+  for (const transformer of mwSchemaTransformers) {
+    schema = transformer(schema);
   }
 
   const httpServer = createServer(app);
@@ -502,7 +570,7 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
   const apolloServer = buildApolloServer(
     { schema },
     { httpServer, serverCleanup },
-    options?.ApolloPlugins
+    mwApolloPlugins.length > 0 ? mwApolloPlugins : undefined
   );
   await apolloServer.start();
   
@@ -534,16 +602,9 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
     res.status(200).json({ status: 'ok' });
   });
 
-  // Apply user-provided Express middleware (after compression, before routes)
-  if (options?.ExpressMiddlewareBefore) {
-    for (const mw of options.ExpressMiddlewareBefore) {
-      app.use(mw);
-    }
-  }
-
-  // Escape hatch for advanced Express app configuration
-  if (options?.ConfigureExpressApp) {
-    await Promise.resolve(options.ConfigureExpressApp(app));
+  // Apply middleware-contributed pre-auth handlers (after compression, before routes)
+  for (const mw of mwPreAuth) {
+    app.use(mw);
   }
 
   // ─── OAuth callback routes (unauthenticated, registered BEFORE auth) ─────
@@ -575,20 +636,12 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
   // ─── Unified auth middleware (replaces both REST authMiddleware and contextFunction auth) ─────
   app.use(createUnifiedAuthMiddleware(dataSources));
 
-  // ─── Built-in post-auth middleware (multi-tenancy) ─────
-  // Config-driven multi-tenancy middleware runs after auth so it can read req.userPayload.
-  if (configInfo.multiTenancy?.enabled) {
-    const tenantMiddleware = createTenantMiddleware(configInfo.multiTenancy);
-    app.use(tenantMiddleware);
-  }
-
-  // ─── Post-auth middleware from plugins ─────
+  // ─── Post-auth middleware from BaseServerMiddleware plugins ─────
   // Middleware here has access to the authenticated user via req.userPayload.
-  // Use this for tenant context resolution, org membership loading, etc.
-  if (options?.ExpressMiddlewarePostAuth) {
-    for (const mw of options.ExpressMiddlewarePostAuth) {
-      app.use(mw);
-    }
+  // Contributions come from @RegisterClass(BaseServerMiddleware, key) classes
+  // (e.g., MJTenantFilterMiddleware for multi-tenancy, BCSaaSMiddleware for org context).
+  for (const mw of mwPostAuth) {
+    app.use(mw);
   }
 
   // ─── OAuth authenticated routes (auth already handled by unified middleware) ─────
@@ -645,10 +698,8 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
   );
 
   // ─── Post-route middleware (error handlers, catch-alls) ─────
-  if (options?.ExpressMiddlewareAfter) {
-    for (const mw of options.ExpressMiddlewareAfter) {
-      app.use(mw);
-    }
+  for (const mw of mwPostRoute) {
+    app.use(mw);
   }
 
   // Initialize and start scheduled jobs service if enabled
@@ -664,45 +715,9 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
     }
   }
 
-  // Register provider-level hooks with the global HookRegistry.
-  // Each entry can be a plain function or a { hook, Priority, Namespace } object.
-  if (options?.PreRunViewHooks) {
-    for (const entry of options.PreRunViewHooks) {
-      registerHookEntry('PreRunView', entry);
-    }
-  }
-  if (options?.PostRunViewHooks) {
-    for (const entry of options.PostRunViewHooks) {
-      registerHookEntry('PostRunView', entry);
-    }
-  }
-  if (options?.PreSaveHooks) {
-    for (const entry of options.PreSaveHooks) {
-      registerHookEntry('PreSave', entry);
-    }
-  }
-
-  // Auto-register multi-tenancy hooks when enabled in config
-  // (The tenant Express middleware was already registered above in the post-auth slot)
-  if (configInfo.multiTenancy?.enabled) {
-    console.log('[MultiTenancy] Enabled — registering tenant isolation hooks');
-    const tenantConfig = configInfo.multiTenancy;
-
-    // Register tenant PreRunView hook (injects WHERE clauses)
-    // Priority 50 + namespace allows middle layers to replace with their own implementation
-    HookRegistry.Register('PreRunView', createTenantPreRunViewHook(tenantConfig), {
-      Priority: 50,
-      Namespace: 'mj:tenantFilter',
-    });
-
-    // Register tenant PreSave hook (validates tenant column on writes)
-    HookRegistry.Register('PreSave', createTenantPreSaveHook(tenantConfig), {
-      Priority: 50,
-      Namespace: 'mj:tenantSave',
-    });
-
-    console.log(`[MultiTenancy] Context source: ${tenantConfig.contextSource}, scoping: ${tenantConfig.scopingStrategy}, write protection: ${tenantConfig.writeProtection}`);
-  }
+  // Data hooks are now registered via BaseServerMiddleware classes above
+  // (e.g., MJTenantFilterMiddleware registers PreRunView and PreSave hooks).
+  // No config-bag hook registration needed.
 
   if (options?.onBeforeServe) {
     await Promise.resolve(options.onBeforeServe());

package/src/middleware/BaseServerMiddleware.ts

@@ -0,0 +1,141 @@
+/**
+ * Base class for server middleware that intercepts the MJServer request pipeline.
+ *
+ * Subclasses register via @RegisterClass(BaseServerMiddleware, key) and are
+ * discovered by serve() via ClassFactory.GetAllRegistrations().
+ *
+ * Key-based deduplication: If two middleware classes register with the same key,
+ * ClassFactory returns the highest-priority one -- the other is replaced.
+ * This is how BCSaaS replaces MJ's built-in tenant filtering.
+ *
+ * For adding new routes/endpoints (webhooks, bot endpoints), see
+ * ServerExtensionsCore and BaseServerExtension (PR #2037).
+ * BaseServerMiddleware is for intercepting the existing pipeline, not adding to it.
+ */
+
+import type { RequestHandler, ErrorRequestHandler, Application } from 'express';
+import type { ApolloServerPlugin } from '@apollo/server';
+import type { GraphQLSchema } from 'graphql';
+import type { RunViewParams, UserInfo, BaseEntity, RunViewResult } from '@memberjunction/core';
+
+export abstract class BaseServerMiddleware {
+    // --- Identity ---
+
+    /**
+     * Human-readable label for logging (e.g., 'mj:tenantFilter', 'bcsaas').
+     */
+    abstract get Label(): string;
+
+    /**
+     * Whether this middleware is active. Override to check config, env vars, etc.
+     * Disabled middleware classes are never instantiated or activated by serve().
+     * Default: true.
+     */
+    get Enabled(): boolean { return true; }
+
+    // --- Lifecycle ---
+
+    /**
+     * Optional async initialization (read config, warm caches, etc.).
+     * Called by serve() after instantiation, before middleware/hooks are extracted.
+     */
+    async Initialize(): Promise<void> { /* no-op by default */ }
+
+    // --- Express Middleware ---
+    // Each method corresponds to a named slot in the request pipeline.
+    // Override to contribute middleware at that stage.
+    // Default implementations return empty arrays (no-op).
+
+    /**
+     * Express middleware applied BEFORE authentication.
+     * Runs after compression but before OAuth/REST/GraphQL routes.
+     * Use for: rate limiting, request logging, custom headers.
+     */
+    GetPreAuthMiddleware(): RequestHandler[] { return []; }
+
+    /**
+     * Express middleware that runs AFTER authentication has resolved UserInfo.
+     * The authenticated user payload is available at req.userPayload.
+     * Use for: tenant context resolution, org membership loading.
+     */
+    GetPostAuthMiddleware(): RequestHandler[] { return []; }
+
+    /**
+     * Express middleware/error handlers applied AFTER all routes.
+     * Use for: catch-all error handlers, response logging.
+     */
+    GetPostRouteMiddleware(): (RequestHandler | ErrorRequestHandler)[] { return []; }
+
+    // --- Express App Configuration ---
+
+    /**
+     * Optional escape hatch for advanced Express app configuration.
+     * Called once during server setup with the Express app instance.
+     * Use for: trust proxy settings, custom CORS, body parser config.
+     * Return undefined to skip (default).
+     */
+    ConfigureExpressApp?(app: Application): void | Promise<void>;
+
+    // --- Apollo / GraphQL Extensions ---
+
+    /**
+     * Additional Apollo Server plugins merged with built-in plugins.
+     * Use for: query tracing, caching, custom error formatting.
+     */
+    GetApolloPlugins(): ApolloServerPlugin[] { return []; }
+
+    /**
+     * Schema transformers applied after built-in directive transformers.
+     * Use for: custom directives, schema stitching, field-level auth.
+     */
+    GetSchemaTransformers(): ((schema: GraphQLSchema) => GraphQLSchema)[] { return []; }
+
+    // --- Resolver Discovery ---
+
+    /**
+     * Additional TypeGraphQL resolver glob paths to include in the Apollo schema.
+     * serve() collects these from all active middleware and adds them to the
+     * resolvers array passed to buildSchema().
+     *
+     * Return absolute glob paths (use `path.join(__dirname, ...)` or equivalent).
+     *
+     * Use for: Open App resolvers, domain-specific GraphQL queries/mutations
+     * that live outside MJServer's built-in resolver set.
+     *
+     * @example
+     * ```typescript
+     * GetResolverPaths(): string[] {
+     *     return [path.join(__dirname, 'resolvers', '*Resolver.{js,ts}')];
+     * }
+     * ```
+     */
+    GetResolverPaths(): string[] { return []; }
+
+    // --- Data Hooks ---
+    // Override any of these to intercept data operations.
+    // Default implementations are pass-through (no-op).
+
+    /**
+     * Hook that runs before a RunView operation. Can modify the RunViewParams
+     * (e.g., injecting tenant filters) before execution.
+     */
+    PreRunView(params: RunViewParams, contextUser: UserInfo | undefined): RunViewParams | Promise<RunViewParams> {
+        return params;
+    }
+
+    /**
+     * Hook that runs after a RunView operation completes. Can modify the result
+     * (e.g., filtering or augmenting data) before it is returned to the caller.
+     */
+    PostRunView(params: RunViewParams, results: RunViewResult, contextUser: UserInfo | undefined): RunViewResult | Promise<RunViewResult> {
+        return results;
+    }
+
+    /**
+     * Hook that runs before a Save operation on a BaseEntity.
+     * Return true to allow, false to reject silently, or a string to reject with that error message.
+     */
+    PreSave(entity: BaseEntity, contextUser: UserInfo | undefined): boolean | string | Promise<boolean | string> {
+        return true;
+    }
+}

package/src/middleware/MJTenantFilterMiddleware.ts

@@ -0,0 +1,39 @@
+/**
+ * MJ's built-in multi-tenancy middleware.
+ *
+ * Registers with key 'mj:tenantFilter' so that downstream layers (e.g., BCSaaS)
+ * can replace it by registering with the same key at higher ClassFactory priority.
+ *
+ * Conditionally enabled via configInfo.multiTenancy?.enabled.
+ */
+
+import { RegisterClass } from '@memberjunction/global';
+import { BaseServerMiddleware } from './BaseServerMiddleware.js';
+import { configInfo } from '../config.js';
+import { createTenantMiddleware, createTenantPreRunViewHook, createTenantPreSaveHook } from '../multiTenancy/index.js';
+import type { RequestHandler } from 'express';
+import type { RunViewParams, UserInfo, BaseEntity } from '@memberjunction/core';
+
+@RegisterClass(BaseServerMiddleware, 'mj:tenantFilter')
+export class MJTenantFilterMiddleware extends BaseServerMiddleware {
+    get Label(): string { return 'mj:tenantFilter'; }
+
+    /**
+     * Only active when multiTenancy is enabled in config.
+     */
+    get Enabled(): boolean {
+        return configInfo.multiTenancy?.enabled ?? false;
+    }
+
+    GetPostAuthMiddleware(): RequestHandler[] {
+        return [createTenantMiddleware(configInfo.multiTenancy!)];
+    }
+
+    PreRunView(params: RunViewParams, contextUser: UserInfo | undefined): RunViewParams | Promise<RunViewParams> {
+        return createTenantPreRunViewHook(configInfo.multiTenancy!)(params, contextUser);
+    }
+
+    PreSave(entity: BaseEntity, contextUser: UserInfo | undefined): boolean | string | Promise<boolean | string> {
+        return createTenantPreSaveHook(configInfo.multiTenancy!)(entity, contextUser);
+    }
+}

package/src/middleware/index.ts

@@ -0,0 +1,2 @@
+export * from './BaseServerMiddleware.js';
+export * from './MJTenantFilterMiddleware.js';

package/src/resolvers/GetDataResolver.ts

@@ -1,6 +1,7 @@
 import { Arg, Ctx, Field, InputType, ObjectType, Query } from 'type-graphql';
 import { AppContext } from '../types.js';
-import { LogError, LogStatus, Metadata, QueryCompositionEngine } from '@memberjunction/core';
+import { LogError, LogStatus, Metadata } from '@memberjunction/core';
+import { QueryCompositionEngine } from '@memberjunction/generic-database-provider';
 import { RequireSystemUser } from '../directives/RequireSystemUser.js';
 import { v4 as uuidv4 } from 'uuid';
 import { GetReadOnlyDataSource, GetReadOnlyProvider } from '../util.js';