@nocobase/client-v2 2.1.0-alpha.39 → 2.1.0-alpha.40

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nocobase/client-v2",
-  "version": "2.1.0-alpha.39",
+  "version": "2.1.0-alpha.40",
   "license": "Apache-2.0",
   "main": "lib/index.js",
   "module": "es/index.mjs",
@@ -26,11 +26,11 @@
     "@formily/antd-v5": "1.2.3",
     "@formily/react": "^2.2.27",
     "@formily/shared": "^2.2.27",
-    "@nocobase/evaluators": "2.1.0-alpha.39",
-    "@nocobase/flow-engine": "2.1.0-alpha.39",
-    "@nocobase/sdk": "2.1.0-alpha.39",
-    "@nocobase/shared": "2.1.0-alpha.39",
-    "@nocobase/utils": "2.1.0-alpha.39",
+    "@nocobase/evaluators": "2.1.0-alpha.40",
+    "@nocobase/flow-engine": "2.1.0-alpha.40",
+    "@nocobase/sdk": "2.1.0-alpha.40",
+    "@nocobase/shared": "2.1.0-alpha.40",
+    "@nocobase/utils": "2.1.0-alpha.40",
     "ahooks": "^3.7.2",
     "antd": "5.24.2",
     "antd-style": "3.7.1",
@@ -44,5 +44,5 @@
     "react-i18next": "^11.15.1",
     "react-router-dom": "^6.30.1"
   },
-  "gitHead": "d06ed6b97030866c00e7ce40c9e1bcc773ebf12c"
+  "gitHead": "e73f99dd0abefe847f2e50ff0fea1f41a82fd048"
 }

package/src/BaseApplication.tsx

@@ -368,11 +368,11 @@ export abstract class BaseApplication<
     });
   }
 
-  updateFavicon(favicon?: string) {
+  updateFavicon(favicon?: string | null) {
     let faviconLinkElement = document.querySelector('link[rel="shortcut icon"]') as HTMLLinkElement;
 
-    if (favicon) {
-      this.favicon = favicon;
+    if (arguments.length > 0) {
+      this.favicon = favicon || '';
     }
 
     const iconHref = this.favicon || '/favicon/favicon.ico';

package/src/PluginSettingsManager.ts

@@ -432,7 +432,7 @@ export class PluginSettingsManager<TApp extends BaseApplication<any> = BaseAppli
       return null;
     }
 
-    const { title, aclSnippet, key, menuKey, name, ...others } = page;
+    const { title, aclSnippet, key, menuKey, name, icon, ...others } = page;
 
     return {
       ...others,
@@ -443,6 +443,7 @@ export class PluginSettingsManager<TApp extends BaseApplication<any> = BaseAppli
       name,
       title,
       label: title,
+      icon: this.renderIcon(icon),
       path: this.getRoutePath(name),
       sort: page.sort,
       isAllow,

package/src/__tests__/PluginSettingsManager.test.ts

@@ -76,6 +76,25 @@ describe('PluginSettingsManager v2', () => {
     expect(app.router.get('admin.settings.demo.advanced')).toMatchObject({ path: 'advanced' });
   });
 
+  it('should render string icon on both menu and page tab via renderIcon', () => {
+    // Previously `renderPage` spread the raw `icon` string straight to the antd
+    // Menu item, which displayed "LockOutlinedTitle" as text. Both `renderMenuItem`
+    // and `renderPage` must coerce string icon names to React elements.
+    const app = createMockClient();
+
+    app.pluginSettingsManager.addMenuItem({ key: 'demo', title: 'Demo', icon: 'TeamOutlined' });
+    app.pluginSettingsManager.addPageTabItem({
+      menuKey: 'demo',
+      key: 'index',
+      title: 'Overview',
+      icon: 'LockOutlined',
+    });
+
+    const list = app.pluginSettingsManager.getList();
+    expect(React.isValidElement(list[0].icon)).toBe(true);
+    expect(React.isValidElement(list[0].children?.[0].icon)).toBe(true);
+  });
+
   it('should support componentLoader on page item', () => {
     const app = createMockClient();
     const componentLoader = async () => ({

package/src/__tests__/PoweredBy.test.tsx

@@ -0,0 +1,130 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+import { render, screen, waitFor } from '@testing-library/react';
+import React from 'react';
+import { createMockClient } from '../MockApplication';
+import { Plugin } from '../Plugin';
+import PoweredBy from '../components/PoweredBy';
+
+class PoweredByRoutePlugin extends Plugin {
+  async load() {
+    this.router.add('root', {
+      path: '/',
+      Component: PoweredBy,
+    });
+  }
+}
+
+class MockCustomBrandPlugin extends Plugin {}
+
+const renderPoweredBy = async (plugins: any[] = [], appInfoData: Record<string, any> = { version: '1.2.3' }) => {
+  const app = createMockClient({
+    plugins: [PoweredByRoutePlugin as any, ...plugins],
+  });
+
+  app.apiMock.onGet('app:getInfo').reply(200, {
+    data: appInfoData,
+  });
+
+  const Root = app.getRootComponent();
+  const result = render(<Root />);
+
+  await waitFor(() => {
+    expect(document.querySelector('.ant-spin-spinning')).not.toBeInTheDocument();
+  });
+
+  return result;
+};
+
+describe('PoweredBy', () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it('should render the default brand when custom-brand is not installed', async () => {
+    const { container } = await renderPoweredBy();
+
+    expect(screen.getByRole('link', { name: 'NocoBase' })).toHaveAttribute('href', 'https://www.nocobase.com');
+    expect(container).toHaveTextContent('Powered by NocoBase');
+    // The `.nb-brand` className is reserved for the custom-brand HTML branch
+    // so downstream stylesheets can selectively target customised content
+    // without leaking onto the default footer.
+    expect(container.querySelector('.nb-brand')).not.toBeInTheDocument();
+  });
+
+  it('should render custom-brand HTML and replace appVersion', async () => {
+    const { container } = await renderPoweredBy([
+      [
+        MockCustomBrandPlugin,
+        {
+          packageName: '@nocobase/plugin-custom-brand',
+          options: {
+            brand: '<span>Custom Brand</span>{{appVersion}}',
+          },
+        },
+      ],
+    ]);
+
+    await waitFor(() => {
+      expect(container.querySelector('.nb-brand')).toHaveTextContent('Custom Brandv1.2.3');
+    });
+    expect(container.querySelector('.nb-app-version')).toHaveTextContent('v1.2.3');
+    expect(screen.queryByText('Powered by')).not.toBeInTheDocument();
+  });
+
+  it('should not render undefined appVersion when app version is unavailable', async () => {
+    const { container } = await renderPoweredBy(
+      [
+        [
+          MockCustomBrandPlugin,
+          {
+            packageName: '@nocobase/plugin-custom-brand',
+            options: {
+              brand: '<span>Custom Brand</span>{{appVersion}}',
+            },
+          },
+        ],
+      ],
+      {},
+    );
+
+    expect(container.querySelector('.nb-brand')).toHaveTextContent('Custom Brand');
+    expect(container.querySelector('.nb-brand')).not.toHaveTextContent('undefined');
+    expect(container.querySelector('.nb-app-version')).not.toBeInTheDocument();
+  });
+
+  it('should escape custom-brand appVersion placeholder', async () => {
+    // Defence in depth: even if the back-end ever returns a tampered
+    // `app:getInfo` payload, the version string must be HTML-escaped
+    // before being interpolated into the custom-brand template — never
+    // produce a live `<script>` node in the DOM.
+    const { container } = await renderPoweredBy(
+      [
+        [
+          MockCustomBrandPlugin,
+          {
+            packageName: '@nocobase/plugin-custom-brand',
+            options: {
+              brand: '<span>Custom Brand</span>{{appVersion}}',
+            },
+          },
+        ],
+      ],
+      {
+        version: '<script>alert(1)</script>&"',
+      },
+    );
+
+    await waitFor(() => {
+      expect(container.querySelector('.nb-app-version')).toHaveTextContent('v<script>alert(1)</script>&"');
+    });
+    expect(container.querySelector('.nb-brand script')).not.toBeInTheDocument();
+  });
+});

package/src/__tests__/app.test.tsx

@@ -12,6 +12,7 @@ import { useFlowEngineContext } from '@nocobase/flow-engine';
 import { act, fireEvent, render, screen, waitFor } from '@testing-library/react';
 import React from 'react';
 import { Outlet } from 'react-router-dom';
+import { escapeHTML, getAppVersionHTML } from '../utils';
 
 const waitForAppReady = async () => {
   await waitFor(() => {
@@ -66,6 +67,36 @@ describe('app', () => {
       expect(favicon.getAttribute('href')).toBe('/custom-favicon.ico');
     });
 
+    it('should reset favicon to default when favicon is cleared', () => {
+      const app = new Application({ router });
+
+      app.updateFavicon('/custom-favicon.ico');
+      app.updateFavicon(null);
+
+      const favicon = document.querySelector('link[rel="shortcut icon"]') as HTMLLinkElement;
+      expect(favicon).toBeInTheDocument();
+      expect(favicon.getAttribute('href')).toBe('/favicon/favicon.ico');
+    });
+
+    it('should reset favicon to default when favicon is explicitly undefined', () => {
+      const app = new Application({ router });
+
+      app.updateFavicon('/custom-favicon.ico');
+      app.updateFavicon(undefined);
+
+      const favicon = document.querySelector('link[rel="shortcut icon"]') as HTMLLinkElement;
+      expect(favicon).toBeInTheDocument();
+      expect(favicon.getAttribute('href')).toBe('/favicon/favicon.ico');
+    });
+
+    it('should escape app version html placeholder content', () => {
+      expect(getAppVersionHTML('<script>alert(1)</script>&"')).toBe(
+        '<span class="nb-app-version">v&lt;script&gt;alert(1)&lt;/script&gt;&amp;&quot;</span>',
+      );
+      expect(getAppVersionHTML(undefined)).toBe('');
+      expect(escapeHTML("NocoBase <v2> & 'beta'")).toBe('NocoBase &lt;v2&gt; &amp; &#39;beta&#39;');
+    });
+
     it('should reject invalid component objects but keep valid exotic components', () => {
       const app = new Application({ router });
       const errorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});

package/src/__tests__/nocobase-buildin-plugin-auth.test.tsx

@@ -39,30 +39,18 @@ describe('nocobase buildin plugin auth redirect', () => {
     vi.restoreAllMocks();
   });
 
-  it('should redirect unauthenticated admin access to v2 signin with replace', async () => {
-    const replace = vi.fn();
-    Object.defineProperty(globalThis.window, 'location', {
-      configurable: true,
-      value: {
-        ...originalLocation,
-        pathname: '/v2/admin/7vu4c2sdk6h',
-        search: '',
-        hash: '',
-        replace,
-      },
-    });
-
+  it('should navigate to v2 signin when /auth:check returns no user', async () => {
+    // Aligns with v1: use react-router navigate (virtual) rather than
+    // `window.location.replace`, so a `window.location.href` queued elsewhere
+    // (e.g. 2FA's `code:302` response interceptor) can commit instead of being
+    // overridden.
     const app = createMockClient({
       publicPath: '/v2/',
       plugins: [NocoBaseBuildInPlugin as any],
       router: { type: 'memory', initialEntries: ['/v2/admin/7vu4c2sdk6h'] },
     });
     app.apiMock.onGet('app:getLang').reply(200, {
-      data: {
-        lang: 'en-US',
-        resources: { client: {} },
-        cron: {},
-      },
+      data: { lang: 'en-US', resources: { client: {} }, cron: {} },
     });
     app.apiMock.onGet('/auth:check').reply(200, { data: {} });
 
@@ -70,68 +58,63 @@ describe('nocobase buildin plugin auth redirect', () => {
     render(<Root />);
 
     await waitFor(() => {
-      expect(replace).toHaveBeenCalledWith('/v2/signin?redirect=%2Fv2%2Fadmin%2F7vu4c2sdk6h');
+      expect(app.router.router.state.location.pathname).toBe('/v2/signin');
+      expect(app.router.router.state.location.search).toBe('?redirect=%2Fv2%2Fadmin%2F7vu4c2sdk6h');
     });
   });
 
-  it('should redirect unauthenticated v2 root access to v2 signin with default admin redirect', async () => {
-    const replace = vi.fn();
-    Object.defineProperty(globalThis.window, 'location', {
-      configurable: true,
-      value: {
-        ...originalLocation,
-        pathname: '/nocobase/v2/',
-        search: '',
-        hash: '',
-        replace,
-      },
+  it('should short-circuit /auth:check when server returns code:302 instead of redirecting to signin', async () => {
+    // When the server signals an intermediate redirect (typically 2FA verify),
+    // CurrentUserProvider must NOT treat the missing `user.id` as "logged out"
+    // and race the 2FA response interceptor with its own signin redirect.
+    const app = createMockClient({
+      publicPath: '/v2/',
+      plugins: [NocoBaseBuildInPlugin as any],
+      router: { type: 'memory', initialEntries: ['/v2/admin'] },
+    });
+    app.apiMock.onGet('app:getLang').reply(200, {
+      data: { lang: 'en-US', resources: { client: {} }, cron: {} },
+    });
+    app.apiMock.onGet('/auth:check').reply(200, {
+      data: { code: 302, redirect: '/2fa?redirect=/admin' },
     });
 
+    const Root = app.getRootComponent();
+    render(<Root />);
+
+    // Give CurrentUserProvider time to process the response.
+    await new Promise((resolve) => setTimeout(resolve, 50));
+    expect(app.router.router.state.location.pathname).toBe('/v2/admin');
+    expect(app.router.router.state.location.search).toBe('');
+  });
+
+  it('should redirect unauthenticated v2 root access to v2 signin via <Navigate />', async () => {
     const app = createMockClient({
       publicPath: '/nocobase/v2/',
       plugins: [NocoBaseBuildInPlugin as any],
       router: { type: 'memory', initialEntries: ['/nocobase/v2/'] },
     });
     app.apiMock.onGet('app:getLang').reply(200, {
-      data: {
-        lang: 'en-US',
-        resources: { client: {} },
-        cron: {},
-      },
+      data: { lang: 'en-US', resources: { client: {} }, cron: {} },
     });
 
     const Root = app.getRootComponent();
     render(<Root />);
 
     await waitFor(() => {
-      expect(replace).toHaveBeenCalledWith('/nocobase/v2/signin?redirect=%2Fnocobase%2Fv2%2Fadmin');
+      expect(app.router.router.state.location.pathname).toBe('/nocobase/v2/signin');
+      expect(app.router.router.state.location.search).toBe('?redirect=%2Fnocobase%2Fv2%2Fadmin');
     });
   });
 
   it('should render v2 admin root without redirecting away', async () => {
-    const replace = vi.fn();
-    Object.defineProperty(globalThis.window, 'location', {
-      configurable: true,
-      value: {
-        ...originalLocation,
-        pathname: '/v2/admin',
-        search: '',
-        hash: '',
-        replace,
-      },
-    });
-
     const app = createMockClient({
       publicPath: '/v2/',
       plugins: [NocoBaseBuildInPlugin as any],
       router: { type: 'memory', initialEntries: ['/v2/admin'] },
     });
     app.apiMock.onGet('app:getLang').reply(200, {
-      data: {
-        lang: 'en-US',
-        resources: { client: {} },
-        cron: {},
-      },
+      data: { lang: 'en-US', resources: { client: {} }, cron: {} },
     });
     app.apiMock.onGet('/auth:check').reply(200, { data: { id: 1 } });
     app.apiMock.onGet('systemSettings:get').reply(200, { data: {} });
@@ -152,36 +135,20 @@ describe('nocobase buildin plugin auth redirect', () => {
     await waitFor(() => {
       expect(container.innerHTML).toContain('No pages yet, please configure first');
     });
-    expect(replace).not.toHaveBeenCalled();
+    expect(app.router.router.state.location.pathname).toBe('/v2/admin');
     expect(container.innerHTML).not.toContain('Legacy page');
   });
 
   it.each(['/v2/admin/legacy-page/tab/tab-1', '/v2/admin/legacy-page/view/detail'])(
     'should show 404 for authenticated direct v1-style v2 page access: %s',
     async (pathname) => {
-      const replace = vi.fn();
-      Object.defineProperty(globalThis.window, 'location', {
-        configurable: true,
-        value: {
-          ...originalLocation,
-          pathname,
-          search: '?from=direct',
-          hash: '#dialog',
-          replace,
-        },
-      });
-
       const app = createMockClient({
         publicPath: '/v2/',
         plugins: [NocoBaseBuildInPlugin as any],
         router: { type: 'memory', initialEntries: [pathname] },
       });
       app.apiMock.onGet('app:getLang').reply(200, {
-        data: {
-          lang: 'en-US',
-          resources: { client: {} },
-          cron: {},
-        },
+        data: { lang: 'en-US', resources: { client: {} }, cron: {} },
       });
       app.apiMock.onGet('/auth:check').reply(200, { data: { id: 1 } });
       app.apiMock.onGet('systemSettings:get').reply(200, { data: {} });
@@ -200,7 +167,7 @@ describe('nocobase buildin plugin auth redirect', () => {
       render(<Root />);
 
       expect(await screen.findByText('404')).toBeInTheDocument();
-      expect(replace).not.toHaveBeenCalled();
+      expect(app.router.router.state.location.pathname).toBe(pathname);
     },
   );
 });

package/src/__tests__/remotePlugins.test.ts

@@ -32,6 +32,61 @@ describe('client-v2 remotePlugins', () => {
     expect(mockDefine).toHaveBeenCalledWith('@nocobase/demo/client-v2', expect.any(Function));
   });
 
+  it('should preserve named exports from dev plugin modules', () => {
+    class DemoPlugin extends Plugin {}
+    class DemoActionModel {}
+
+    const mockDefine: any = vi.fn();
+    window.define = mockDefine;
+
+    const pluginModule = {
+      default: DemoPlugin,
+      DemoActionModel,
+    };
+    defineDevPlugins({
+      '@nocobase/demo': pluginModule,
+    });
+
+    const moduleFactory = mockDefine.mock.calls[0]?.[1];
+    expect(mockDefine).toHaveBeenCalledWith('@nocobase/demo/client-v2', expect.any(Function));
+    expect(moduleFactory()).toBe(pluginModule);
+    expect(window.__nocobase_app_dev_plugins__['@nocobase/demo/client-v2']).toBe(pluginModule);
+  });
+
+  it('should expose named exports from devDynamicImport modules to RequireJS consumers', async () => {
+    class DemoPlugin extends Plugin {}
+    class DemoActionModel {}
+
+    const requirejs: any = {
+      requirejs: vi.fn(),
+    };
+    requirejs.requirejs.config = vi.fn();
+
+    const mockDefine: any = vi.fn();
+    window.define = mockDefine;
+
+    const plugins = await getPlugins({
+      requirejs,
+      pluginData: [
+        {
+          name: '@nocobase/demo',
+          packageName: '@nocobase/demo',
+          url: 'https://demo.com/dist/client-v2/index.js',
+        },
+      ] as any,
+      devDynamicImport: vi.fn().mockResolvedValue({ default: DemoPlugin, DemoActionModel }) as any,
+    });
+
+    const moduleFactory = mockDefine.mock.calls.find((call) => call[0] === '@nocobase/demo/client-v2')?.[1];
+
+    expect(plugins).toEqual([['@nocobase/demo', DemoPlugin]]);
+    expect(moduleFactory()).toEqual({ default: DemoPlugin, DemoActionModel });
+    expect(window.__nocobase_app_dev_plugins__['@nocobase/demo/client-v2']).toEqual({
+      default: DemoPlugin,
+      DemoActionModel,
+    });
+  });
+
   it('should not define /client aliases when loading v2 plugins', async () => {
     class DemoPlugin extends Plugin {}
 

package/src/__tests__/useCurrentRoles.test.tsx

@@ -0,0 +1,100 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+import { FlowEngine, FlowEngineProvider } from '@nocobase/flow-engine';
+import { renderHook } from '@testing-library/react';
+import React from 'react';
+import { describe, expect, it } from 'vitest';
+import { ACLContext } from '../acl';
+import { useCurrentRoles } from '../nocobase-buildin-plugin';
+
+type AclContextValue = React.ContextType<typeof ACLContext>;
+
+function makeAclValue(allowAnonymous: boolean): AclContextValue {
+  return {
+    loading: false,
+    data: {
+      data: { allowAnonymous },
+      meta: {},
+    },
+    refresh: async () => undefined,
+  };
+}
+
+function makeEngineWithUser(user: { roles?: Array<{ name: string; title?: string }> } | null): FlowEngine {
+  const engine = new FlowEngine();
+  if (user != null) {
+    engine.context.defineProperty('user', { value: user });
+  }
+  return engine;
+}
+
+function makeWrapper(opts: { engine: FlowEngine; acl: AclContextValue }) {
+  const Wrapper: React.FC = ({ children }) => (
+    <FlowEngineProvider engine={opts.engine}>
+      <ACLContext.Provider value={opts.acl}>{children}</ACLContext.Provider>
+    </FlowEngineProvider>
+  );
+  return Wrapper;
+}
+
+describe('useCurrentRoles', () => {
+  it('returns roles from flowEngine.context.user, dropping the synthetic __union__ entry', () => {
+    // `__union__` is a server-side marker for the merged-roles pseudo role and
+    // must never appear in user-facing role pickers — guards against a regression
+    // that broke role assignment in API Keys / SwitchRole pages.
+    const wrapper = makeWrapper({
+      engine: makeEngineWithUser({
+        roles: [
+          { name: '__union__', title: 'Union' },
+          { name: 'root', title: 'Root' },
+          { name: 'member', title: 'Member' },
+        ],
+      }),
+      acl: makeAclValue(false),
+    });
+    const { result } = renderHook(() => useCurrentRoles(), { wrapper });
+    expect(result.current).toEqual([
+      { name: 'root', title: 'Root' },
+      { name: 'member', title: 'Member' },
+    ]);
+  });
+
+  it('appends an anonymous role when ACL allowAnonymous is true', () => {
+    const wrapper = makeWrapper({
+      engine: makeEngineWithUser({ roles: [{ name: 'root', title: 'Root' }] }),
+      acl: makeAclValue(true),
+    });
+    const { result } = renderHook(() => useCurrentRoles(), { wrapper });
+    expect(result.current).toEqual([
+      { name: 'root', title: 'Root' },
+      { name: 'anonymous', title: 'Anonymous' },
+    ]);
+  });
+
+  it('compiles {{t(...)}} templates in role.title via flowEngine.context.t', () => {
+    const engine = makeEngineWithUser({ roles: [{ name: 'admin', title: '{{t("Admin")}}' }] });
+    engine.context.defineProperty('t', { value: () => 'Compiled Title' });
+    const wrapper = makeWrapper({ engine, acl: makeAclValue(false) });
+    const { result } = renderHook(() => useCurrentRoles(), { wrapper });
+    expect(result.current).toEqual([{ name: 'admin', title: 'Compiled Title' }]);
+  });
+
+  it('returns an empty array when no user has been written to engine.context', () => {
+    const wrapper = makeWrapper({ engine: makeEngineWithUser(null), acl: makeAclValue(false) });
+    const { result } = renderHook(() => useCurrentRoles(), { wrapper });
+    expect(result.current).toEqual([]);
+  });
+
+  it('returns just anonymous when no user is set but allowAnonymous is true', () => {
+    const wrapper = makeWrapper({ engine: makeEngineWithUser(null), acl: makeAclValue(true) });
+    const { result } = renderHook(() => useCurrentRoles(), { wrapper });
+    expect(result.current).toEqual([{ name: 'anonymous', title: 'Anonymous' }]);
+  });
+});