@mojaloop/database-lib 11.2.0 → 11.3.0

package/CHANGELOG.md

@@ -2,6 +2,15 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [11.3.0](https://github.com/mojaloop/database-lib/compare/v11.2.1...v11.3.0) (2025-07-14)
+
+
+### Features
+
+* fix vul and update deps ([#172](https://github.com/mojaloop/database-lib/issues/172)) ([a0d969f](https://github.com/mojaloop/database-lib/commit/a0d969f94b77709a2b9712b94cf52e62961a8796))
+
+### [11.2.1](https://github.com/mojaloop/database-lib/compare/v11.2.0...v11.2.1) (2025-07-08)
+
 ## [11.2.0](https://github.com/mojaloop/database-lib/compare/v11.1.4...v11.2.0) (2025-05-14)
 
 

package/docker-compose.yaml

@@ -0,0 +1,65 @@
+services:
+  cert-gen:
+    image: alpine
+    volumes:
+      - ./certs:/certs
+    command: >
+      sh -c "
+      if [ ! -f /certs/ca.pem ]; then
+        echo 'SSL certificates not found. Generating certificates...' &&
+        apk add --no-cache openssl &&
+        openssl genrsa -out /certs/ca-key.pem 2048 &&
+        openssl req -new -x509 -nodes -days 365 -key /certs/ca-key.pem -out /certs/ca.pem -subj '/C=US/ST=CA/L=San Francisco/O=Mojaloop/OU=Database/CN=MySQL_CA' &&
+        openssl genrsa -out /certs/server-key.pem 2048 &&
+        openssl req -new -key /certs/server-key.pem -out /certs/server.csr -subj '/C=US/ST=CA/L=San Francisco/O=Mojaloop/OU=Database/CN=mysql' &&
+        echo '[v3_req]' > /tmp/cert.conf &&
+        echo 'basicConstraints = CA:FALSE' >> /tmp/cert.conf &&
+        echo 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' >> /tmp/cert.conf &&
+        echo 'subjectAltName = @alt_names' >> /tmp/cert.conf &&
+        echo '[alt_names]' >> /tmp/cert.conf &&
+        echo 'DNS.1 = mysql' >> /tmp/cert.conf &&
+        echo 'DNS.2 = localhost' >> /tmp/cert.conf &&
+        echo 'IP.1 = 127.0.0.1' >> /tmp/cert.conf &&
+        openssl x509 -req -days 365 -in /certs/server.csr -CA /certs/ca.pem -CAkey /certs/ca-key.pem -CAcreateserial -out /certs/server-cert.pem -extensions v3_req -extfile /tmp/cert.conf &&
+        rm -f /certs/*.csr /certs/*.srl /tmp/cert.conf &&
+        chmod 644 /certs/ca.pem /certs/server-cert.pem &&
+        chmod 644 /certs/ca-key.pem /certs/server-key.pem &&
+        echo 'SSL certificates generated successfully!' &&
+        echo 'Generated certificate files with permissions:' &&
+        ls -la /certs/ &&
+        echo 'Certificate files should be readable by any user for CI compatibility.'
+      else
+        echo 'SSL certificates found. Ready to start MySQL.'
+      fi
+      "
+    restart: "no"
+
+  mysql:
+    image: mysql:8.0
+    depends_on:
+      cert-gen:
+        condition: service_completed_successfully
+    environment:
+      MYSQL_ROOT_PASSWORD: example_root_password
+      MYSQL_DATABASE: example_db
+      MYSQL_USER: example_user
+      MYSQL_PASSWORD: example_password
+    command:
+      - --ssl-ca=/etc/mysql/certs/ca.pem
+      - --ssl-cert=/etc/mysql/certs/server-cert.pem
+      - --ssl-key=/etc/mysql/certs/server-key.pem
+      - --bind-address=0.0.0.0
+      - --require_secure_transport=ON
+    ports:
+      - "3306:3306"
+    volumes:
+      - mysql_data:/var/lib/mysql
+      - ./certs:/etc/mysql/certs:ro
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+
+volumes:
+  mysql_data:

package/jest.config.js

@@ -0,0 +1,7 @@
+module.exports = {
+  testEnvironment: 'node',
+  testMatch: ['**/test/integration/**/*.test.js'],
+  testTimeout: 30000,
+  collectCoverage: false,
+  verbose: true
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/database-lib",
-  "version": "11.2.0",
+  "version": "11.3.0",
   "description": "Shared database code for central services",
   "main": "src/index.js",
   "license": "Apache-2.0",
@@ -32,10 +32,11 @@
     "test:unit": "npx tape 'test/unit/**/*.test.js'",
     "test:unit:spec": "npm run test:unit | tap-spec",
     "test:xunit": "npm run test:unit | tap-xunit > ./test/results/xunit.xml",
+    "test:int": "npx jest test/integration/database.test.js --testTimeout=30000",
     "test:coverage": "npx nyc --reporter=lcov --reporter=text-summary tapes -- 'test/unit/**/**.test.js'",
     "test:coverage-check": "npm run test:coverage && nyc check-coverage",
     "test:functional": "echo 'No functional tests defined'",
-    "test:integration": "echo 'No integration tests defined'",
+    "test:integration": "./test/scripts/test-integration.sh",
     "audit:fix": "npm audit fix",
     "audit:check": "npx audit-ci --config ./audit-ci.jsonc",
     "dep:check": "npx ncu -e 2",
@@ -47,7 +48,8 @@
     "async-exit-hook": "^2.0.1",
     "knex": "3.1.0",
     "lodash": "4.17.21",
-    "mysql": "2.18.1"
+    "mysql": "^2.18.1",
+    "mysql2": "^3.14.2"
   },
   "overrides": {
     "tar": "6.2.1",
@@ -68,16 +70,18 @@
     },
     "cross-spawn": "7.0.6",
     "trim": "0.0.3",
+    "undici": "6.21.2",
     "yargs-parser": "21.1.1"
   },
   "devDependencies": {
-    "@mojaloop/sdk-standard-components": "19.14.0",
+    "@mojaloop/sdk-standard-components": "19.16.0",
     "audit-ci": "^7.1.0",
+    "jest": "^30.0.4",
     "npm-check-updates": "18.0.1",
     "nyc": "17.1.0",
     "pre-commit": "1.2.2",
     "proxyquire": "2.1.3",
-    "sinon": "20.0.0",
+    "sinon": "21.0.0",
     "standard": "17.1.2",
     "standard-version": "9.5.0",
     "tap-spec": "^5.0.0",

package/src/database.js

@@ -35,6 +35,9 @@ class Database {
       mysql: (knex) => {
         return knex('information_schema.tables').where('TABLE_SCHEMA', this._schema).select('TABLE_NAME').then(rows => rows.map(r => r.TABLE_NAME))
       },
+      mysql2: (knex) => {
+        return knex('information_schema.tables').where('TABLE_SCHEMA', this._schema).select('TABLE_NAME').then(rows => rows.map(r => r.TABLE_NAME))
+      },
       pg: (knex) => {
         return knex('pg_catalog.pg_tables').where({ schemaname: 'public' }).select('tablename').then(rows => rows.map(r => r.tablename))
       }

package/test/integration/database.test.js

@@ -0,0 +1,151 @@
+/* global describe, beforeEach, afterEach, test, expect */
+const Database = require('../../src/database')
+const fs = require('fs')
+const path = require('path')
+
+describe('Database Integration Tests with SSL', () => {
+  let db
+
+  beforeEach(() => {
+    db = new Database()
+  })
+
+  afterEach(async () => {
+    if (db && db._knex) {
+      await db.disconnect()
+    }
+  })
+
+  test('should connect to MySQL with SSL using mysql2 client and perform database operations', async () => {
+    // Read the CA certificate for SSL verification
+    const caCertPath = path.join(__dirname, '../../certs/ca.pem')
+    expect(fs.existsSync(caCertPath)).toBe(true)
+
+    const caCert = fs.readFileSync(caCertPath)
+
+    await db.connect({
+      client: 'mysql2',
+      connection: {
+        host: 'localhost',
+        port: 3306,
+        user: 'example_user',
+        password: 'example_password',
+        database: 'example_db',
+        multipleStatements: true,
+        namedPlaceholders: true,
+        ssl: {
+          minVersion: 'TLSv1.3',
+          rejectUnauthorized: true, // Enable certificate validation
+          ca: caCert // Provide CA certificate for validating self-signed cert
+        }
+      }
+    })
+
+    // Verify connection is established
+    expect(db._knex).toBeDefined()
+
+    // Clean up any existing tables
+    await db._knex.schema.dropTableIfExists('accounts')
+    await db._knex.schema.dropTableIfExists('users')
+
+    // Create test tables
+    await db._knex.schema.createTable('users', (table) => {
+      table.increments('id').primary()
+      table.string('name')
+      table.string('email')
+    })
+
+    await db._knex.schema.createTable('accounts', (table) => {
+      table.increments('id').primary()
+      table.integer('user_id').unsigned().references('id').inTable('users')
+      table.decimal('balance', 14, 2)
+    })
+
+    // Test data insertion with named placeholders
+    await db._knex.raw(
+      'INSERT INTO users (name, email) VALUES (:name, :email)',
+      { name: 'Charlie', email: 'charlie@example.com' }
+    )
+
+    // Test multiple statements
+    const multiRes = await db._knex.raw('SELECT * FROM users; SELECT * FROM accounts;')
+    const [users, accounts] = multiRes[0]
+
+    expect(users).toHaveLength(1)
+    expect(users[0]).toMatchObject({
+      id: 1,
+      name: 'Charlie',
+      email: 'charlie@example.com'
+    })
+    expect(accounts).toHaveLength(0)
+
+    // Test streaming functionality
+    const streamResults = []
+    const stream = db._knex('users').select('*').stream()
+    for await (const row of stream) {
+      streamResults.push(row)
+    }
+
+    expect(streamResults).toHaveLength(1)
+    expect(streamResults[0]).toMatchObject({
+      id: 1,
+      name: 'Charlie',
+      email: 'charlie@example.com'
+    })
+
+    // Test server connection and time query
+    const result = await db._knex.raw('SELECT NOW() as currentTime;')
+    expect(result[0][0].currentTime).toBeDefined()
+    expect(result[0][0].currentTime).toBeInstanceOf(Date)
+
+    // Clean up test tables
+    await db._knex.schema.dropTableIfExists('accounts')
+    await db._knex.schema.dropTableIfExists('users')
+  })
+
+  test('should handle mysql client authentication incompatibility with MySQL 8.0', async () => {
+    // Read the CA certificate for SSL verification
+    const caCertPath = path.join(__dirname, '../../certs/ca.pem')
+    expect(fs.existsSync(caCertPath)).toBe(true)
+
+    const caCert = fs.readFileSync(caCertPath)
+
+    // The legacy mysql client doesn't support MySQL 8.0's default caching_sha2_password
+    await expect(db.connect({
+      client: 'mysql',
+      connection: {
+        host: 'localhost',
+        port: 3306,
+        user: 'example_user',
+        password: 'example_password',
+        database: 'example_db',
+        multipleStatements: true,
+        ssl: {
+          minVersion: 'TLSv1.3',
+          rejectUnauthorized: true,
+          ca: caCert
+        }
+      }
+    })).rejects.toThrow('Client does not support authentication protocol requested by server')
+  })
+
+  test('should fail when CA certificate is missing (mysql2)', async () => {
+    const invalidCaCert = Buffer.from('invalid-certificate')
+
+    await expect(db.connect({
+      client: 'mysql2',
+      connection: {
+        host: 'localhost',
+        port: 3306,
+        user: 'example_user',
+        password: 'example_password',
+        database: 'example_db',
+        ssl: {
+          minVersion: 'TLSv1.3',
+          rejectUnauthorized: true,
+          ca: invalidCaCert
+        }
+      }
+    })).rejects.toThrow()
+  })
+})

package/test/scripts/test-integration.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Start docker compose in detached mode
+docker compose up -d
+
+# Wait for MySQL to be ready
+echo "Waiting for MySQL to be ready..."
+RETRIES=30
+until docker compose exec -T mysql mysqladmin ping -h"127.0.0.1" --silent; do
+  RETRIES=$((RETRIES-1))
+  if [ $RETRIES -le 0 ]; then
+    echo "MySQL did not become ready in time."
+    echo "Checking MySQL logs:"
+    docker compose logs mysql
+    echo "Checking certificate files:"
+    docker compose exec -T mysql ls -la /etc/mysql/certs/ || echo "Could not access certs directory"
+    exit 1
+  fi
+  sleep 2
+done
+
+echo "MySQL is ready. Running integration tests..."
+
+# Verify SSL is enabled
+echo "Verifying SSL configuration..."
+docker compose exec -T mysql mysql -u example_user -pexample_password -e "SHOW VARIABLES LIKE 'have_ssl';" example_db
+
+npm run test:int
+
+EXIT_CODE=$?
+
+# Tear down docker compose
+docker compose down -v
+
+exit $EXIT_CODE

package/test/unit/database.test.js

@@ -420,5 +420,56 @@ Test('database', databaseTest => {
     connectTest.end()
   })
 
+  databaseTest.test('listTableQueries should', listTableQueriesTest => {
+    listTableQueriesTest.test('list tables for mysql2 client', async test => {
+      // Arrange
+      const mysql2TableNames = [{ TABLE_NAME: 'products' }, { TABLE_NAME: 'orders' }]
+      // Patch knexConnStub to simulate mysql2
+      knexConnStub.client = { config: { client: 'mysql2' } }
+      // Patch the stub to return mysql2TableNames for mysql2
+      knexConnStub.withArgs('information_schema.tables').returns({
+        where: sandbox.stub().withArgs('TABLE_SCHEMA', 'databaseSchema').returns({
+          select: sandbox.stub().withArgs('TABLE_NAME').returns(Promise.resolve(mysql2TableNames))
+        })
+      })
+
+      // Patch knexStub to return the patched knexConnStub
+      knexStub.returns(knexConnStub)
+
+      // Act
+      await dbInstance.connect({ ...connectionConfig, client: 'mysql2' })
+
+      // Assert
+      test.ok(knexStub.calledOnce)
+      test.equal(knexStub.firstCall.args[0].client, 'mysql2')
+      test.equal(dbInstance._tables.length, mysql2TableNames.length)
+      mysql2TableNames.forEach(tbl => {
+        test.ok(dbInstance[tbl.TABLE_NAME])
+      })
+      test.end()
+    })
+
+    listTableQueriesTest.test('throw error for unsupported db type', async test => {
+      // Arrange
+      const unsupportedClient = 'sqlite3'
+      knexConnStub.client = { config: { client: unsupportedClient } }
+      knexStub.returns(knexConnStub)
+
+      // Remove sqlite3 from _listTableQueries if present
+      dbInstance._listTableQueries[unsupportedClient] = undefined
+
+      // Act & Assert
+      try {
+        await dbInstance.connect({ ...connectionConfig, client: unsupportedClient })
+        test.fail('Should have thrown error')
+      } catch (err) {
+        test.equal(err.message, `Listing tables is not supported for database type ${unsupportedClient}`)
+      }
+      test.end()
+    })
+
+    listTableQueriesTest.end()
+  })
+
   databaseTest.end()
 })