@morojs/moro 1.5.7 → 1.5.9

package/dist/types/http.d.ts

@@ -19,8 +19,17 @@ export interface CookieOptions {
     sameSite?: 'strict' | 'lax' | 'none';
     domain?: string;
     path?: string;
+    critical?: boolean;
+    throwOnLateSet?: boolean;
 }
-export interface HttpResponse extends ServerResponse {
+export interface ResponseState {
+    headersSent: boolean;
+    statusCode: number;
+    headers: Record<string, any>;
+    finished: boolean;
+    writable: boolean;
+}
+export interface MoroResponseMethods {
     json(data: any): void;
     status(code: number): HttpResponse;
     send(data: string | Buffer): void;
@@ -29,7 +38,13 @@ export interface HttpResponse extends ServerResponse {
     redirect(url: string, status?: number): void;
     sendFile(filePath: string): Promise<void>;
     render?(template: string, data?: any): Promise<void>;
+    hasHeader(name: string): boolean;
+    setBulkHeaders(headers: Record<string, string | number>): HttpResponse;
+    appendHeader(name: string, value: string | string[]): HttpResponse;
+    canSetHeaders(): boolean;
+    getResponseState(): ResponseState;
 }
+export type HttpResponse = ServerResponse & MoroResponseMethods;
 export type HttpHandler = (req: HttpRequest, res: HttpResponse) => Promise<void> | void;
 export type Middleware = (req: HttpRequest, res: HttpResponse, next: () => void) => Promise<void> | void;
 export type MiddlewareFunction = (req: HttpRequest, res: HttpResponse, next: () => void) => void | Promise<void>;

package/dist/types/module.d.ts

@@ -12,6 +12,11 @@ export interface ModuleRoute {
         window: number;
     };
     middleware?: string[];
+    auth?: {
+        roles?: string[];
+        permissions?: string[];
+        optional?: boolean;
+    };
 }
 export interface ModuleSocket {
     event: string;
@@ -65,6 +70,12 @@ export interface InternalRouteDefinition {
     validation?: any;
     cache?: CacheConfig;
     rateLimit?: RateLimitConfig;
+    auth?: {
+        roles?: string[];
+        permissions?: string[];
+        optional?: boolean;
+    };
+    [key: string]: any;
 }
 export interface WebSocketDefinition {
     event: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@morojs/moro",
-  "version": "1.5.7",
+  "version": "1.5.9",
   "description": "High-performance Node.js framework with intelligent routing, automatic middleware ordering, enterprise authentication (Auth.js), type-safe Zod validation, and functional architecture",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/core/database/adapters/mongodb.ts

@@ -11,6 +11,16 @@ interface MongoDBConfig {
   database?: string;
   authSource?: string;
   ssl?: boolean;
+  tls?: {
+    ca?: string;
+    cert?: string;
+    key?: string;
+    passphrase?: string;
+    insecure?: boolean;
+    allowInvalidCertificates?: boolean;
+    allowInvalidHostnames?: boolean;
+    checkServerIdentity?: boolean;
+  };
   replicaSet?: string;
   maxPoolSize?: number;
   minPoolSize?: number;
@@ -32,11 +42,29 @@ export class MongoDBAdapter implements DatabaseAdapter {
 
       const url = config.url || this.buildConnectionString(config);
 
-      this.client = new MongoClient(url, {
+      const clientOptions: any = {
         maxPoolSize: config.maxPoolSize || 10,
         minPoolSize: config.minPoolSize || 0,
         ssl: config.ssl || false,
-      });
+      };
+
+      // Add TLS options if provided
+      if (config.tls) {
+        clientOptions.tls = true;
+        if (config.tls.ca) clientOptions.tlsCAFile = config.tls.ca;
+        if (config.tls.cert) clientOptions.tlsCertificateFile = config.tls.cert;
+        if (config.tls.key) clientOptions.tlsCertificateKeyFile = config.tls.key;
+        if (config.tls.passphrase)
+          clientOptions.tlsCertificateKeyFilePassword = config.tls.passphrase;
+        if (config.tls.insecure) clientOptions.tlsInsecure = config.tls.insecure;
+        if (config.tls.allowInvalidCertificates)
+          clientOptions.tlsAllowInvalidCertificates = config.tls.allowInvalidCertificates;
+        if (config.tls.allowInvalidHostnames)
+          clientOptions.tlsAllowInvalidHostnames = config.tls.allowInvalidHostnames;
+        if (config.tls.checkServerIdentity === false) clientOptions.checkServerIdentity = false;
+      }
+
+      this.client = new MongoClient(url, clientOptions);
 
       this.db = this.client.db(config.database || 'moro_app');
 

package/src/core/database/adapters/mysql.ts

@@ -9,6 +9,19 @@ interface MySQLConfig {
   password?: string;
   database?: string;
   connectionLimit?: number;
+  ssl?:
+    | {
+        rejectUnauthorized?: boolean;
+        ca?: string;
+        cert?: string;
+        key?: string;
+        passphrase?: string;
+        servername?: string;
+        checkServerIdentity?: boolean;
+        ciphers?: string;
+        secureProtocol?: string;
+      }
+    | boolean;
 }
 
 export class MySQLAdapter implements DatabaseAdapter {
@@ -27,6 +40,7 @@ export class MySQLAdapter implements DatabaseAdapter {
         waitForConnections: true,
         connectionLimit: config.connectionLimit || 10,
         queueLimit: 0,
+        ssl: typeof config.ssl === 'object' ? { ...config.ssl } : config.ssl || false,
       });
     } catch (error) {
       throw new Error(

package/src/core/database/adapters/postgresql.ts

@@ -9,7 +9,17 @@ interface PostgreSQLConfig {
   password?: string;
   database?: string;
   connectionLimit?: number;
-  ssl?: boolean;
+  ssl?:
+    | {
+        rejectUnauthorized?: boolean;
+        ca?: string;
+        cert?: string;
+        key?: string;
+        passphrase?: string;
+        servername?: string;
+        checkServerIdentity?: boolean;
+      }
+    | boolean;
 }
 
 export class PostgreSQLAdapter implements DatabaseAdapter {
@@ -26,7 +36,7 @@ export class PostgreSQLAdapter implements DatabaseAdapter {
         password: config.password || '',
         database: config.database || 'moro_app',
         max: config.connectionLimit || 10,
-        ssl: config.ssl || false,
+        ssl: typeof config.ssl === 'object' ? { ...config.ssl } : config.ssl || false,
       });
 
       this.pool.on('error', (err: Error) => {

package/src/core/database/adapters/redis.ts

@@ -11,6 +11,15 @@ interface RedisConfig {
   maxRetriesPerRequest?: number;
   retryDelayOnFailover?: number;
   lazyConnect?: boolean;
+  tls?: {
+    rejectUnauthorized?: boolean;
+    ca?: string;
+    cert?: string;
+    key?: string;
+    passphrase?: string;
+    servername?: string;
+    checkServerIdentity?: boolean;
+  };
   cluster?: {
     enableReadyCheck?: boolean;
     redisOptions?: any;
@@ -30,13 +39,20 @@ export class RedisAdapter implements DatabaseAdapter {
 
       if (config.cluster) {
         // Redis Cluster
-        this.client = new Redis.Cluster(config.cluster.nodes, {
+        const clusterOptions: any = {
           enableReadyCheck: config.cluster.enableReadyCheck || false,
           redisOptions: config.cluster.redisOptions || {},
-        });
+        };
+
+        // Add TLS options to cluster configuration
+        if (config.tls) {
+          clusterOptions.redisOptions.tls = { ...config.tls };
+        }
+
+        this.client = new Redis.Cluster(config.cluster.nodes, clusterOptions);
       } else {
         // Single Redis instance
-        this.client = new Redis({
+        const redisOptions: any = {
           host: config.host || 'localhost',
           port: config.port || 6379,
           password: config.password,
@@ -44,7 +60,14 @@ export class RedisAdapter implements DatabaseAdapter {
           maxRetriesPerRequest: config.maxRetriesPerRequest || 3,
           retryDelayOnFailover: config.retryDelayOnFailover || 100,
           lazyConnect: config.lazyConnect || true,
-        });
+        };
+
+        // Add TLS options if provided
+        if (config.tls) {
+          redisOptions.tls = { ...config.tls };
+        }
+
+        this.client = new Redis(redisOptions);
       }
 
       this.client.on('error', (err: Error) => {

package/src/core/framework.ts

@@ -444,6 +444,76 @@ export class Moro extends EventEmitter {
           throw new Error(`Handler ${route.handler} is not a function`);
         }
 
+        // Check authentication if auth configuration is provided
+        if ((route as any).auth) {
+          const auth = (req as any).auth;
+          const authConfig = (route as any).auth;
+
+          if (!auth) {
+            res.status(401);
+            res.json({
+              success: false,
+              error: 'Authentication required',
+              message: 'You must be logged in to access this resource',
+            });
+            return;
+          }
+
+          // Check authentication requirement (default is required unless optional: true)
+          if (!authConfig.optional && !auth.isAuthenticated) {
+            res.status(401);
+            res.json({
+              success: false,
+              error: 'Authentication required',
+              message: 'You must be logged in to access this resource',
+            });
+            return;
+          }
+
+          // Skip further checks if not authenticated but optional
+          if (!auth.isAuthenticated && authConfig.optional) {
+            // Continue to handler
+          } else if (auth.isAuthenticated) {
+            const user = auth.user;
+
+            // Check roles if specified
+            if (authConfig.roles && authConfig.roles.length > 0) {
+              const userRoles = user?.roles || [];
+              const hasRole = authConfig.roles.some((role: string) => userRoles.includes(role));
+
+              if (!hasRole) {
+                res.status(403);
+                res.json({
+                  success: false,
+                  error: 'Insufficient permissions',
+                  message: `Required roles: ${authConfig.roles.join(', ')}`,
+                  userRoles,
+                });
+                return;
+              }
+            }
+
+            // Check permissions if specified
+            if (authConfig.permissions && authConfig.permissions.length > 0) {
+              const userPermissions = user?.permissions || [];
+              const hasPermission = authConfig.permissions.every((permission: string) =>
+                userPermissions.includes(permission)
+              );
+
+              if (!hasPermission) {
+                res.status(403);
+                res.json({
+                  success: false,
+                  error: 'Insufficient permissions',
+                  message: `Required permissions: ${authConfig.permissions.join(', ')}`,
+                  userPermissions,
+                });
+                return;
+              }
+            }
+          }
+        }
+
         // Validate request if validation schema is provided
         if (route.validation) {
           try {

package/src/core/http/http-server.ts

@@ -631,6 +631,26 @@ export class MoroHttpServer {
     };
 
     httpRes.cookie = (name: string, value: string, options: any = {}) => {
+      if (httpRes.headersSent) {
+        const isCritical =
+          options.critical ||
+          name.includes('session') ||
+          name.includes('auth') ||
+          name.includes('csrf');
+        const message = `Cookie '${name}' could not be set - headers already sent`;
+
+        if (isCritical || options.throwOnLateSet) {
+          throw new Error(`${message}. This may cause authentication or security issues.`);
+        } else {
+          this.logger.warn(message, 'CookieWarning', {
+            cookieName: name,
+            critical: isCritical,
+            stackTrace: new Error().stack,
+          });
+        }
+        return httpRes;
+      }
+
       const cookieValue = encodeURIComponent(value);
       let cookieString = `${name}=${cookieValue}`;
 
@@ -694,6 +714,62 @@ export class MoroHttpServer {
       }
     };
 
+    // Header management utilities
+    httpRes.hasHeader = (name: string): boolean => {
+      return httpRes.getHeader(name) !== undefined;
+    };
+
+    // Note: removeHeader is inherited from ServerResponse, we don't override it
+
+    httpRes.setBulkHeaders = (headers: Record<string, string | number>) => {
+      if (httpRes.headersSent) {
+        this.logger.warn('Cannot set headers - headers already sent', 'HeaderWarning', {
+          attemptedHeaders: Object.keys(headers),
+        });
+        return httpRes;
+      }
+
+      Object.entries(headers).forEach(([key, value]) => {
+        httpRes.setHeader(key, value);
+      });
+      return httpRes;
+    };
+
+    httpRes.appendHeader = (name: string, value: string | string[]) => {
+      if (httpRes.headersSent) {
+        this.logger.warn(
+          `Cannot append to header '${name}' - headers already sent`,
+          'HeaderWarning'
+        );
+        return httpRes;
+      }
+
+      const existing = httpRes.getHeader(name);
+      if (existing) {
+        const values = Array.isArray(existing) ? existing : [existing.toString()];
+        const newValues = Array.isArray(value) ? value : [value];
+        httpRes.setHeader(name, [...values, ...newValues]);
+      } else {
+        httpRes.setHeader(name, value);
+      }
+      return httpRes;
+    };
+
+    // Response state utilities
+    httpRes.canSetHeaders = (): boolean => {
+      return !httpRes.headersSent;
+    };
+
+    httpRes.getResponseState = () => {
+      return {
+        headersSent: httpRes.headersSent,
+        statusCode: httpRes.statusCode,
+        headers: httpRes.getHeaders ? httpRes.getHeaders() : {},
+        finished: httpRes.finished || false,
+        writable: httpRes.writable,
+      };
+    };
+
     return httpRes;
   }
 
@@ -1075,23 +1151,25 @@ export const middleware = {
         }
 
         if (acceptEncoding.includes('gzip')) {
-          res.setHeader('Content-Encoding', 'gzip');
           zlib.gzip(buffer, { level }, (err: any, compressed: Buffer) => {
             if (err) {
               return isJson ? originalJson.call(res, data) : originalSend.call(res, data);
             }
-            res.setHeader('Content-Length', compressed.length);
-            res.writeHead(res.statusCode || 200, res.getHeaders());
+            if (!res.headersSent) {
+              res.setHeader('Content-Encoding', 'gzip');
+              res.setHeader('Content-Length', compressed.length);
+            }
             res.end(compressed);
           });
         } else if (acceptEncoding.includes('deflate')) {
-          res.setHeader('Content-Encoding', 'deflate');
           zlib.deflate(buffer, { level }, (err: any, compressed: Buffer) => {
             if (err) {
               return isJson ? originalJson.call(res, data) : originalSend.call(res, data);
             }
-            res.setHeader('Content-Length', compressed.length);
-            res.writeHead(res.statusCode || 200, res.getHeaders());
+            if (!res.headersSent) {
+              res.setHeader('Content-Encoding', 'deflate');
+              res.setHeader('Content-Length', compressed.length);
+            }
             res.end(compressed);
           });
         } else {
@@ -1519,13 +1597,15 @@ export const middleware = {
       // Only handle SSE requests
       if (req.headers.accept?.includes('text/event-stream')) {
         // Set SSE headers
-        res.writeHead(200, {
-          'Content-Type': 'text/event-stream',
-          'Cache-Control': 'no-cache',
-          Connection: 'keep-alive',
-          'Access-Control-Allow-Origin': options.cors ? '*' : undefined,
-          'Access-Control-Allow-Headers': options.cors ? 'Cache-Control' : undefined,
-        });
+        if (!res.headersSent) {
+          res.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            Connection: 'keep-alive',
+            'Access-Control-Allow-Origin': options.cors ? '*' : undefined,
+            'Access-Control-Allow-Headers': options.cors ? 'Cache-Control' : undefined,
+          });
+        }
 
         // Add SSE methods to response
         (res as any).sendEvent = (data: any, event?: string, id?: string) => {
@@ -1626,7 +1706,8 @@ export const middleware = {
             const chunkSize = end - start + 1;
 
             if (start >= fileSize || end >= fileSize) {
-              res.status(416).setHeader('Content-Range', `bytes */${fileSize}`);
+              res.status(416);
+              res.setHeader('Content-Range', `bytes */${fileSize}`);
               res.json({ success: false, error: 'Range not satisfiable' });
               return;
             }

package/src/core/middleware/built-in/cache.ts

@@ -188,7 +188,9 @@ export const cache = (options: CacheOptions = {}): MiddlewareInterface => ({
           parts.push(`stale-while-revalidate=${directives.staleWhileRevalidate}`);
         }
 
-        res.setHeader('Cache-Control', parts.join(', '));
+        if (!res.headersSent) {
+          res.setHeader('Cache-Control', parts.join(', '));
+        }
         return res;
       };
 

package/src/core/middleware/built-in/sse.ts

@@ -35,13 +35,15 @@ export const sse = (
       logger.debug('Setting up SSE connection', 'SSESetup');
 
       // Set SSE headers
-      res.writeHead(200, {
-        'Content-Type': 'text/event-stream',
-        'Cache-Control': 'no-cache',
-        Connection: 'keep-alive',
-        'Access-Control-Allow-Origin': options.cors ? '*' : undefined,
-        'Access-Control-Allow-Headers': options.cors ? 'Cache-Control' : undefined,
-      });
+      if (!res.headersSent) {
+        res.writeHead(200, {
+          'Content-Type': 'text/event-stream',
+          'Cache-Control': 'no-cache',
+          Connection: 'keep-alive',
+          'Access-Control-Allow-Origin': options.cors ? '*' : undefined,
+          'Access-Control-Allow-Headers': options.cors ? 'Cache-Control' : undefined,
+        });
+      }
 
       // Add SSE methods to response
       res.sendEvent = (data: any, event?: string, id?: string) => {

package/src/core/modules/modules.ts

@@ -24,6 +24,21 @@ export function defineModule(definition: ModuleDefinition): ModuleConfig {
       cache: route.cache,
       rateLimit: route.rateLimit,
       middleware: route.middleware,
+      // Copy all additional properties for extensibility
+      ...Object.fromEntries(
+        Object.entries(route).filter(
+          ([key]) =>
+            ![
+              'method',
+              'path',
+              'handler',
+              'validation',
+              'cache',
+              'rateLimit',
+              'middleware',
+            ].includes(key)
+        )
+      ),
     }));
 
     // Store the actual route handler functions

package/src/core/runtime/node-adapter.ts

@@ -138,24 +138,30 @@ export class NodeRuntimeAdapter extends BaseRuntimeAdapter {
 
     if (!enhanced.cookie) {
       enhanced.cookie = function (name: string, value: string, options?: any) {
-        const cookieString = `${name}=${value}`;
-        this.setHeader('Set-Cookie', cookieString);
+        if (!this.headersSent) {
+          const cookieString = `${name}=${value}`;
+          this.setHeader('Set-Cookie', cookieString);
+        }
         return this;
       };
     }
 
     if (!enhanced.clearCookie) {
       enhanced.clearCookie = function (name: string, options?: any) {
-        this.setHeader('Set-Cookie', `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT`);
+        if (!this.headersSent) {
+          this.setHeader('Set-Cookie', `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT`);
+        }
         return this;
       };
     }
 
     if (!enhanced.redirect) {
       enhanced.redirect = function (url: string, status?: number) {
-        this.statusCode = status || 302;
-        this.setHeader('Location', url);
-        this.end();
+        if (!this.headersSent) {
+          this.statusCode = status || 302;
+          this.setHeader('Location', url);
+          this.end();
+        }
       };
     }
 

package/src/types/http.ts

@@ -22,9 +22,20 @@ export interface CookieOptions {
   sameSite?: 'strict' | 'lax' | 'none';
   domain?: string;
   path?: string;
+  // Security options
+  critical?: boolean; // Mark as critical for security (throws on late set)
+  throwOnLateSet?: boolean; // Force throw if headers already sent
 }
 
-export interface HttpResponse extends ServerResponse {
+export interface ResponseState {
+  headersSent: boolean;
+  statusCode: number;
+  headers: Record<string, any>;
+  finished: boolean;
+  writable: boolean;
+}
+
+export interface MoroResponseMethods {
   json(data: any): void;
   status(code: number): HttpResponse;
   send(data: string | Buffer): void;
@@ -33,8 +44,19 @@ export interface HttpResponse extends ServerResponse {
   redirect(url: string, status?: number): void;
   sendFile(filePath: string): Promise<void>;
   render?(template: string, data?: any): Promise<void>;
+
+  // Header management utilities
+  hasHeader(name: string): boolean;
+  setBulkHeaders(headers: Record<string, string | number>): HttpResponse;
+  appendHeader(name: string, value: string | string[]): HttpResponse;
+
+  // Response state utilities
+  canSetHeaders(): boolean;
+  getResponseState(): ResponseState;
 }
 
+export type HttpResponse = ServerResponse & MoroResponseMethods;
+
 export type HttpHandler = (req: HttpRequest, res: HttpResponse) => Promise<void> | void;
 export type Middleware = (
   req: HttpRequest,

package/src/types/module.ts

@@ -7,6 +7,11 @@ export interface ModuleRoute {
   cache?: { ttl: number; key?: string };
   rateLimit?: { requests: number; window: number };
   middleware?: string[];
+  auth?: {
+    roles?: string[];
+    permissions?: string[];
+    optional?: boolean;
+  };
 }
 
 export interface ModuleSocket {
@@ -57,6 +62,13 @@ export interface InternalRouteDefinition {
   validation?: any;
   cache?: CacheConfig;
   rateLimit?: RateLimitConfig;
+  auth?: {
+    roles?: string[];
+    permissions?: string[];
+    optional?: boolean;
+  };
+  // Allow additional properties for extensibility
+  [key: string]: any;
 }
 
 export interface WebSocketDefinition {