@morojs/moro 1.5.15 → 1.5.17

package/src/core/http/http-server.ts

@@ -285,64 +285,6 @@ export class MoroHttpServer {
       // Execute handler
       await route.handler(httpReq, httpRes);
     } catch (error) {
-      // Handle JWT-specific errors gracefully
-      if (
-        error instanceof Error &&
-        (error.name === 'TokenExpiredError' ||
-          error.name === 'JsonWebTokenError' ||
-          error.name === 'NotBeforeError')
-      ) {
-        this.logger.debug('JWT authentication error', 'RequestHandler', {
-          errorType: error.name,
-          errorMessage: error.message,
-          requestPath: req.url,
-          requestMethod: req.method,
-          requestId: httpReq.requestId,
-        });
-
-        if (!httpRes.headersSent) {
-          if (typeof httpRes.status === 'function' && typeof httpRes.json === 'function') {
-            if (error.name === 'TokenExpiredError') {
-              httpRes.status(401).json({
-                success: false,
-                error: 'Token expired',
-                message: 'Your session has expired. Please sign in again.',
-                requestId: httpReq.requestId,
-                expiredAt: (error as any).expiredAt,
-              });
-            } else if (error.name === 'JsonWebTokenError') {
-              httpRes.status(401).json({
-                success: false,
-                error: 'Invalid token',
-                message: 'The provided authentication token is invalid.',
-                requestId: httpReq.requestId,
-              });
-            } else if (error.name === 'NotBeforeError') {
-              httpRes.status(401).json({
-                success: false,
-                error: 'Token not ready',
-                message: 'The authentication token is not yet valid.',
-                requestId: httpReq.requestId,
-                availableAt: (error as any).date,
-              });
-            }
-          } else {
-            // Fallback for non-enhanced response objects
-            httpRes.statusCode = 401;
-            httpRes.setHeader('Content-Type', 'application/json');
-            httpRes.end(
-              JSON.stringify({
-                success: false,
-                error: 'Authentication failed',
-                message: 'JWT authentication error occurred.',
-                requestId: httpReq.requestId,
-              })
-            );
-          }
-        }
-        return;
-      }
-
       // Debug: Log the actual error and where it came from
       this.logger.debug('Request error details', 'RequestHandler', {
         errorType: typeof error,
@@ -1074,101 +1016,11 @@ export class MoroHttpServer {
                 if (!nextCalled) next();
               })
               .catch(error => {
-                // Handle JWT errors in async middleware
-                if (
-                  error instanceof Error &&
-                  (error.name === 'TokenExpiredError' ||
-                    error.name === 'JsonWebTokenError' ||
-                    error.name === 'NotBeforeError')
-                ) {
-                  if (!res.headersSent) {
-                    if (typeof res.status === 'function' && typeof res.json === 'function') {
-                      if (error.name === 'TokenExpiredError') {
-                        res.status(401).json({
-                          success: false,
-                          error: 'Token expired',
-                          message: 'Your session has expired. Please sign in again.',
-                          expiredAt: (error as any).expiredAt,
-                        });
-                      } else if (error.name === 'JsonWebTokenError') {
-                        res.status(401).json({
-                          success: false,
-                          error: 'Invalid token',
-                          message: 'The provided authentication token is invalid.',
-                        });
-                      } else if (error.name === 'NotBeforeError') {
-                        res.status(401).json({
-                          success: false,
-                          error: 'Token not ready',
-                          message: 'The authentication token is not yet valid.',
-                          availableAt: (error as any).date,
-                        });
-                      }
-                    } else {
-                      res.statusCode = 401;
-                      res.setHeader('Content-Type', 'application/json');
-                      res.end(
-                        JSON.stringify({
-                          success: false,
-                          error: 'Authentication failed',
-                          message: 'JWT authentication error occurred.',
-                        })
-                      );
-                    }
-                  }
-                  resolve(); // Continue middleware chain
-                } else {
-                  reject(error);
-                }
+                reject(error);
               });
           }
         } catch (error) {
-          // Handle JWT errors in sync middleware
-          if (
-            error instanceof Error &&
-            (error.name === 'TokenExpiredError' ||
-              error.name === 'JsonWebTokenError' ||
-              error.name === 'NotBeforeError')
-          ) {
-            if (!res.headersSent) {
-              if (typeof res.status === 'function' && typeof res.json === 'function') {
-                if (error.name === 'TokenExpiredError') {
-                  res.status(401).json({
-                    success: false,
-                    error: 'Token expired',
-                    message: 'Your session has expired. Please sign in again.',
-                    expiredAt: (error as any).expiredAt,
-                  });
-                } else if (error.name === 'JsonWebTokenError') {
-                  res.status(401).json({
-                    success: false,
-                    error: 'Invalid token',
-                    message: 'The provided authentication token is invalid.',
-                  });
-                } else if (error.name === 'NotBeforeError') {
-                  res.status(401).json({
-                    success: false,
-                    error: 'Token not ready',
-                    message: 'The authentication token is not yet valid.',
-                    availableAt: (error as any).date,
-                  });
-                }
-              } else {
-                res.statusCode = 401;
-                res.setHeader('Content-Type', 'application/json');
-                res.end(
-                  JSON.stringify({
-                    success: false,
-                    error: 'Authentication failed',
-                    message: 'JWT authentication error occurred.',
-                  })
-                );
-              }
-            }
-            resolve(); // Continue middleware chain
-          } else {
-            reject(error);
-          }
+          reject(error);
         }
       });
     }

package/src/core/middleware/built-in/auth.ts

@@ -12,6 +12,7 @@ import {
   CredentialsProvider,
   EmailProvider,
 } from '../../../types/auth';
+import { safeVerifyJWT, createAuthErrorResponse } from './jwt-helpers';
 
 const logger = createFrameworkLogger('AuthMiddleware');
 
@@ -186,27 +187,59 @@ export const auth = (options: AuthOptions): MiddlewareInterface => ({
             session = await authInstance.getSession({ req: { ...req, token } });
           }
         } catch (error: any) {
-          // Handle specific JWT errors gracefully
+          // Handle specific JWT errors gracefully and return proper HTTP responses
           if (error.name === 'TokenExpiredError') {
             logger.debug('JWT token expired', 'TokenValidation', {
               message: error.message,
               expiredAt: error.expiredAt,
             });
+
+            // If this is a protected route request, return a proper 401 response
+            if (req.headers.accept?.includes('application/json')) {
+              return res.status(401).json(
+                createAuthErrorResponse({
+                  type: 'expired',
+                  message: error.message,
+                  expiredAt: error.expiredAt,
+                })
+              );
+            }
           } else if (error.name === 'JsonWebTokenError') {
             logger.debug('Invalid JWT token format', 'TokenValidation', {
               message: error.message,
             });
+
+            // If this is a protected route request, return a proper 401 response
+            if (req.headers.accept?.includes('application/json')) {
+              return res.status(401).json(
+                createAuthErrorResponse({
+                  type: 'invalid',
+                  message: error.message,
+                })
+              );
+            }
           } else if (error.name === 'NotBeforeError') {
             logger.debug('JWT token not active yet', 'TokenValidation', {
               message: error.message,
               date: error.date,
             });
+
+            // If this is a protected route request, return a proper 401 response
+            if (req.headers.accept?.includes('application/json')) {
+              return res.status(401).json(
+                createAuthErrorResponse({
+                  type: 'malformed',
+                  message: error.message,
+                  date: error.date,
+                })
+              );
+            }
           } else {
             logger.debug('JWT token validation failed', 'TokenValidation', {
               error: error.message || error,
             });
           }
-          // Continue with unauthenticated state - don't throw
+          // Continue with unauthenticated state for non-API requests
         }
       }
 
@@ -298,44 +331,34 @@ async function initializeAuthJS(config: AuthOptions): Promise<any> {
     },
 
     verifyJWT: async (token: string) => {
-      // Require jsonwebtoken for JWT verification
-      let jwt: any;
-      try {
-        jwt = require('jsonwebtoken');
-      } catch (error) {
-        throw new Error(
-          'JWT verification requires the "jsonwebtoken" package. ' +
-            'Please install it with: npm install jsonwebtoken @types/jsonwebtoken'
-        );
-      }
+      const secret = process.env.JWT_SECRET || config.jwt?.secret || config.secret || '';
+
+      // Use the safe JWT verification function
+      const result = safeVerifyJWT(token, secret);
+
+      if (!result.success) {
+        // Create a custom error that includes the structured error information
+        const customError = new Error(result.error?.message || 'JWT verification failed');
+
+        // Add the error type information for upstream handling
+        (customError as any).jwtErrorType = result.error?.type;
+        (customError as any).jwtErrorDetails = result.error;
+
+        // Map the safe error types back to standard JWT error names for compatibility
+        if (result.error?.type === 'expired') {
+          customError.name = 'TokenExpiredError';
+          (customError as any).expiredAt = result.error.expiredAt;
+        } else if (result.error?.type === 'invalid') {
+          customError.name = 'JsonWebTokenError';
+        } else if (result.error?.type === 'malformed') {
+          customError.name = 'NotBeforeError';
+          (customError as any).date = result.error.date;
+        }
 
-      const secret = process.env.JWT_SECRET || config.jwt?.secret || config.secret;
-      if (!secret) {
-        throw new Error(
-          'JWT verification requires a secret. ' +
-            'Please set JWT_SECRET environment variable, or provide jwt.secret or secret in auth config.'
-        );
+        throw customError;
       }
 
-      try {
-        const decoded = jwt.verify(token, secret);
-        return decoded;
-      } catch (error: any) {
-        // Handle specific JWT errors gracefully
-        if (error.name === 'TokenExpiredError') {
-          // Token expired - handled gracefully by auth middleware
-          throw error;
-        } else if (error.name === 'JsonWebTokenError') {
-          // Invalid token format
-          throw error;
-        } else if (error.name === 'NotBeforeError') {
-          // Token not active yet
-          throw error;
-        } else {
-          // Other JWT errors
-          throw new Error(`JWT verification failed: ${error.message}`);
-        }
-      }
+      return result.payload;
     },
 
     signIn: async (provider?: string, options?: any) => {

package/src/core/middleware/built-in/jwt-helpers.ts

@@ -178,7 +178,7 @@ export function createAuthErrorResponse(error: JWTVerificationResult['error']) {
 }
 
 /**
- * Example usage for custom middleware:
+ * Example usage for custom middleware with elegant error handling:
  *
  * ```typescript
  * import { safeVerifyJWT, extractJWTFromHeader, createAuthErrorResponse } from '@morojs/moro';
@@ -197,6 +197,7 @@ export function createAuthErrorResponse(error: JWTVerificationResult['error']) {
  *   const result = safeVerifyJWT(token, process.env.JWT_SECRET!);
  *
  *   if (!result.success) {
+ *     // This provides elegant, user-friendly error messages instead of stack traces
  *     const errorResponse = createAuthErrorResponse(result.error);
  *     return res.status(401).json(errorResponse);
  *   }
@@ -212,4 +213,28 @@ export function createAuthErrorResponse(error: JWTVerificationResult['error']) {
  *   next();
  * };
  * ```
+ *
+ * Benefits of using safeVerifyJWT vs raw jsonwebtoken.verify():
+ *
+ * ❌ Raw approach (shows ugly error messages to users):
+ * ```typescript
+ * try {
+ *   const decoded = jwt.verify(token, secret);
+ *   req.user = decoded;
+ * } catch (error) {
+ *   // This exposes technical details and stack traces to users:
+ *   // "Invalid token: TokenExpiredError: jwt expired at /node_modules/jsonwebtoken/verify.js:190:21..."
+ *   throw error; // BAD - exposes internal details
+ * }
+ * ```
+ *
+ * ✅ Safe approach (shows clean, user-friendly messages):
+ * ```typescript
+ * const result = safeVerifyJWT(token, secret);
+ * if (!result.success) {
+ *   // This returns clean messages like:
+ *   // { "error": "Token expired", "message": "Your session has expired. Please sign in again." }
+ *   return res.status(401).json(createAuthErrorResponse(result.error));
+ * }
+ * ```
  */

package/src/core/modules/auto-discovery.ts

@@ -1,11 +1,10 @@
 // Auto-discovery system for Moro modules
 import { readdirSync, statSync } from 'fs';
-import { join, extname, relative } from 'path';
+import { join, extname, relative, isAbsolute } from 'path';
 import { ModuleConfig } from '../../types/module';
 import { DiscoveryOptions } from '../../types/discovery';
 import { ModuleDefaultsConfig } from '../../types/config';
 import { createFrameworkLogger } from '../logger';
-import { minimatch } from 'minimatch';
 
 export class ModuleDiscovery {
   private baseDir: string;
@@ -219,19 +218,32 @@ export class ModuleDiscovery {
     const fullPath = join(this.baseDir, searchPath);
 
     try {
-      if (!statSync(fullPath).isDirectory()) {
+      const stat = statSync(fullPath);
+
+      if (!stat.isDirectory()) {
         return modules;
       }
+    } catch (error) {
+      return modules;
+    }
 
-      const files = this.findMatchingFiles(fullPath, config);
+    try {
+      const files = await this.findMatchingFilesWithGlob(
+        fullPath,
+        config.patterns,
+        config.ignorePatterns,
+        config.maxDepth
+      );
 
       for (const filePath of files) {
         try {
-          const module = await this.loadModule(filePath);
+          // Convert relative path to absolute path for import
+          const absolutePath = join(this.baseDir, filePath);
+          const module = await this.loadModule(absolutePath);
           if (module && this.validateAdvancedModule(module, config)) {
             modules.push(module);
             this.discoveryLogger.info(
-              `Auto-discovered module: ${module.name}@${module.version} from ${relative(this.baseDir, filePath)}`
+              `Auto-discovered module: ${module.name}@${module.version} from ${filePath}`
             );
           }
         } catch (error) {
@@ -302,14 +314,154 @@ export class ModuleDiscovery {
     return files;
   }
 
+  // Use native Node.js glob to find matching files
+  private async findMatchingFilesWithGlob(
+    searchPath: string,
+    patterns: string[],
+    ignorePatterns: string[],
+    maxDepth: number = 5
+  ): Promise<string[]> {
+    // Force fallback in CI environments or if Node.js version is uncertain
+    const isCI = process.env.CI === 'true' || process.env.GITHUB_ACTIONS === 'true';
+
+    if (isCI) {
+      return this.findMatchingFilesFallback(searchPath, patterns, ignorePatterns, maxDepth);
+    }
+
+    const allFiles: string[] = [];
+
+    try {
+      // Try to use native fs.glob if available (Node.js 20+)
+      const { glob } = await import('fs/promises');
+
+      // Check if glob is actually a function and test it
+      if (typeof glob !== 'function') {
+        return this.findMatchingFilesFallback(searchPath, patterns, ignorePatterns, maxDepth);
+      }
+
+      // Test glob with a simple pattern first
+      try {
+        const testIterator = glob(join(searchPath, '*'));
+        let testCount = 0;
+        for await (const _ of testIterator) {
+          testCount++;
+          if (testCount > 0) break; // Just test that it works
+        }
+      } catch (testError) {
+        return this.findMatchingFilesFallback(searchPath, patterns, ignorePatterns, maxDepth);
+      }
+
+      for (const pattern of patterns) {
+        const fullPattern = join(searchPath, pattern);
+        try {
+          // fs.glob returns an AsyncIterator, need to collect results
+          const globIterator = glob(fullPattern);
+          const files: string[] = [];
+
+          for await (const file of globIterator) {
+            const filePath = typeof file === 'string' ? file : (file as any).name || String(file);
+            const relativePath = relative(this.baseDir, filePath);
+
+            // Check if file should be ignored and within max depth
+            if (
+              !this.shouldIgnore(relativePath, ignorePatterns) &&
+              this.isWithinMaxDepth(relativePath, searchPath, maxDepth)
+            ) {
+              files.push(relativePath);
+            }
+          }
+
+          allFiles.push(...files);
+        } catch (error) {
+          // If any glob call fails, fall back to manual discovery
+          this.discoveryLogger.warn(`Glob pattern failed: ${pattern}`, String(error));
+          return this.findMatchingFilesFallback(searchPath, patterns, ignorePatterns, maxDepth);
+        }
+      }
+    } catch (error) {
+      // fs.glob not available, fall back to manual file discovery
+      this.discoveryLogger.debug('Native fs.glob not available, using fallback');
+      return this.findMatchingFilesFallback(searchPath, patterns, ignorePatterns, maxDepth);
+    }
+
+    return [...new Set(allFiles)]; // Remove duplicates
+  }
+
+  // Fallback for Node.js versions without fs.glob
+  private async findMatchingFilesFallback(
+    searchPath: string,
+    patterns: string[],
+    ignorePatterns: string[],
+    maxDepth: number = 5
+  ): Promise<string[]> {
+    const config = {
+      patterns,
+      ignorePatterns,
+      maxDepth,
+      recursive: true,
+    } as ModuleDefaultsConfig['autoDiscovery'];
+
+    // Handle both absolute and relative paths
+    const fullSearchPath = isAbsolute(searchPath) ? searchPath : join(this.baseDir, searchPath);
+
+    // Check if search path exists
+    try {
+      const { access } = await import('fs/promises');
+      await access(fullSearchPath);
+    } catch (e) {
+      return [];
+    }
+
+    // Get files and convert to relative paths
+    const files = this.findMatchingFiles(fullSearchPath, config);
+    const relativeFiles = files.map(file => relative(this.baseDir, file));
+
+    return relativeFiles;
+  }
+
+  // Simple pattern matching for fallback (basic glob support)
+  private matchesSimplePattern(path: string, pattern: string): boolean {
+    try {
+      // Normalize path separators
+      const normalizedPath = path.replace(/\\/g, '/');
+      const normalizedPattern = pattern.replace(/\\/g, '/');
+
+      // Convert simple glob patterns to regex
+      const regexPattern = normalizedPattern
+        .replace(/\*\*/g, '___DOUBLESTAR___') // Temporarily replace ** BEFORE escaping
+        .replace(/[.+^${}()|[\]\\]/g, '\\$&') // Escape regex chars
+        .replace(/\\\*/g, '[^/]*') // * matches anything except /
+        .replace(/___DOUBLESTAR___/g, '.*') // ** matches anything including /
+        .replace(/\\\?/g, '[^/]') // ? matches single character except /
+        .replace(/\\\{([^}]+)\\\}/g, '($1)') // {ts,js} -> (ts|js)
+        .replace(/,/g, '|'); // Convert comma to OR
+
+      const regex = new RegExp(`^${regexPattern}$`, 'i');
+      const result = regex.test(normalizedPath);
+
+      return result;
+    } catch (error) {
+      this.discoveryLogger.warn(`Pattern matching error for "${pattern}": ${String(error)}`);
+      return false;
+    }
+  }
+
   // Check if path should be ignored
   private shouldIgnore(path: string, ignorePatterns: string[]): boolean {
-    return ignorePatterns.some(pattern => minimatch(path, pattern));
+    return ignorePatterns.some(pattern => this.matchesSimplePattern(path, pattern));
   }
 
   // Check if path matches any of the patterns
   private matchesPatterns(path: string, patterns: string[]): boolean {
-    return patterns.some(pattern => minimatch(path, pattern));
+    return patterns.some(pattern => this.matchesSimplePattern(path, pattern));
+  }
+
+  // Check if file is within max depth (for glob results)
+  private isWithinMaxDepth(relativePath: string, searchPath: string, maxDepth: number): boolean {
+    // Count directory separators to determine depth
+    const pathFromSearch = relative(searchPath, join(this.baseDir, relativePath));
+    const depth = pathFromSearch.split('/').length - 1; // -1 because file itself doesn't count as depth
+    return depth <= maxDepth;
   }
 
   // Remove duplicate modules