@qwickapps/server 1.9.0 → 1.10.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qwickapps/server",
-  "version": "1.9.0",
+  "version": "1.10.0",
   "description": "Plugin-based application server framework for building websites, APIs, admin dashboards, and full-stack products",
   "type": "module",
   "main": "dist/src/index.js",
@@ -139,7 +139,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/qwickapps/server.git"
+    "url": "git+https://github.com/qwickapps/server.git"
   },
   "homepage": "https://github.com/qwickapps/server#readme",
   "publishConfig": {

package/src/core/control-panel.ts

@@ -37,6 +37,7 @@ import {
 } from './plugin-registry.js';
 import { bearerTokenAuth } from '../plugins/api-keys/index.js';
 import { createCorePlugin } from '../plugins/core/index.js';
+import { sanitizeUrl } from '../utils/url.js';
 
 // Get the package root directory for serving UI assets
 const _filename = fileURLToPath(import.meta.url);
@@ -506,7 +507,7 @@ function generateLandingPageHtml(options: {
   const linksHtml = links
     .map(
       (link) =>
-        `<a href="${link.url}" class="link">${link.label}</a>`
+        `<a href="${sanitizeUrl(link.url)}" class="link">${link.label}</a>`
     )
     .join('');
 

package/src/core/gateway.ts

@@ -34,6 +34,7 @@ import express from 'express';
 import { existsSync, readFileSync } from 'fs';
 import { resolve, join, dirname } from 'path';
 import { fileURLToPath } from 'url';
+import { sanitizeUrl } from '../utils/url.js';
 
 // Get QwickApps Server version from package.json
 const _filename = fileURLToPath(import.meta.url);
@@ -287,7 +288,7 @@ function generateLandingPageHtml(
   const linksHtml = links
     .map(
       (link) =>
-        `<a href="${link.url}" class="link">${link.label}</a>`
+        `<a href="${sanitizeUrl(link.url)}" class="link">${link.label}</a>`
     )
     .join('');
 
@@ -846,7 +847,7 @@ function generateMaintenancePageHtml(
   }
 
   const contactHtml = config.contactUrl
-    ? `<a href="${config.contactUrl}" class="btn btn-secondary">
+    ? `<a href="${sanitizeUrl(config.contactUrl)}" class="btn btn-secondary">
         <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" width="18" height="18">
           <path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z"/>
           <polyline points="22,6 12,13 2,6"/>
@@ -1362,35 +1363,33 @@ export function createGateway(config: GatewayConfig): GatewayInstance {
         },
       });
 
-      const apps = config.apps || [];
-      for (const appConfig of apps) {
-        // IMPORTANT: Insert QwickApps Server and Control Panel proxies BEFORE root path proxy
-        // This ensures /qapi/* and /cpanel requests don't get caught by frontend catch-all routing
-        if (appConfig.path === '/') {
-          // 1. Register QwickApps Server API proxy at /qapi/* BEFORE the root proxy
-          //    These are framework APIs: SuperTokens auth, health checks, postgres, cache, etc.
-          //    Payload CMS uses natural Next.js /api/* path
-          app.use((req, res, next) => {
-            if (req.path.startsWith('/qapi/')) {
-              return qwickAppsApiProxy(req, res, next);
-            }
-            next();
-          });
-          logger.debug(`Setting up proxy: /qapi/* -> http://localhost:${cpPort} (QwickApps Server APIs)`);
-          mountedApps.push({ path: '/qapi', type: 'proxy', target: `http://localhost:${cpPort}` });
-
-          // 2. Register Control Panel UI proxy BEFORE the root proxy
-          app.use(cpPath, cpUiProxy);
-          mountedApps.push({ path: cpPath, type: 'proxy', target: `http://localhost:${cpPort}` });
-
-          // 3. Setup WebSocket upgrade handling for control panel UI
-          server!.on('upgrade', (req: IncomingMessage, socket: Duplex, head: Buffer) => {
-            if (req.url?.startsWith(cpPath)) {
-              cpUiProxy.upgrade?.(req, socket as Socket, head);
-            }
-          });
+      // Always register QwickApps Server API proxy (/qapi/*) and Control Panel proxy (/cpanel)
+      // regardless of whether any apps are mounted. This ensures createControlPanel() callers
+      // (which pass no apps) still get /cpanel and /api routes proxied from the gateway port.
+      // 1. Register QwickApps Server API proxy at /qapi/*
+      app.use((req, res, next) => {
+        if (req.path.startsWith('/qapi/')) {
+          return qwickAppsApiProxy(req, res, next);
         }
+        next();
+      });
+      logger.debug(`Setting up proxy: /qapi/* -> http://localhost:${cpPort} (QwickApps Server APIs)`);
+      mountedApps.push({ path: '/qapi', type: 'proxy', target: `http://localhost:${cpPort}` });
+
+      // 2. Register Control Panel UI proxy
+      app.use(cpPath, cpUiProxy);
+      mountedApps.push({ path: cpPath, type: 'proxy', target: `http://localhost:${cpPort}` });
 
+      // 3. Setup WebSocket upgrade handling for control panel UI
+      server!.on('upgrade', (req: IncomingMessage, socket: Duplex, head: Buffer) => {
+        if (req.url?.startsWith(cpPath)) {
+          cpUiProxy.upgrade?.(req, socket as Socket, head);
+        }
+      });
+
+      const apps = config.apps || [];
+      for (const appConfig of apps) {
+        // For apps with a root path, skip re-registering qapi/cpanel proxies (already done above)
         // Now register the app itself
         if (appConfig.source.type === 'proxy') {
           setupProxyApp(appConfig, server);

package/src/plugins/auth/adapters/supertokens-adapter.ts

@@ -72,6 +72,51 @@ export function supertokensAdapter(config: SupertokensAdapterConfig): AuthAdapte
               recipeList.push(EmailPassword.default.init());
             }
 
+            // Add Passwordless (magic link) recipe if enabled
+            if (config.enablePasswordless) {
+              const Passwordless = await import('supertokens-node/recipe/passwordless');
+
+              // eslint-disable-next-line @typescript-eslint/no-explicit-any
+              const passwordlessConfig: any = {
+                contactMethod: 'EMAIL',
+                flowType: 'MAGIC_LINK',
+              };
+
+              // Override email delivery with Resend if API key is provided
+              if (config.resendApiKey) {
+                const resendApiKey = config.resendApiKey;
+                const fromEmail = config.resendFromEmail || 'noreply@faabzi.com';
+                const appName = config.appName;
+
+                passwordlessConfig.emailDelivery = {
+                  service: {
+                    sendEmail: async ({ email, urlWithLinkCode }: { email: string; urlWithLinkCode?: string }) => {
+                      try {
+                        await fetch('https://api.resend.com/emails', {
+                          method: 'POST',
+                          headers: {
+                            Authorization: `Bearer ${resendApiKey}`,
+                            'Content-Type': 'application/json',
+                          },
+                          body: JSON.stringify({
+                            from: fromEmail,
+                            to: email,
+                            subject: `Sign in to ${appName}`,
+                            html: `<p>Click the link below to sign in to ${appName}.</p><p>This link expires in 15 minutes.</p><p><a href="${urlWithLinkCode}" style="display:inline-block;padding:12px 24px;background-color:#1a1a1a;color:#fff;text-decoration:none;border-radius:6px;font-weight:600;">Sign in</a></p><p>Or copy this URL: ${urlWithLinkCode}</p><p>If you did not request this, you can safely ignore this email.</p>`,
+                          }),
+                        });
+                      } catch (err) {
+                        console.error('[SupertokensAdapter] Failed to send magic link email via Resend:', err);
+                        throw err;
+                      }
+                    },
+                  },
+                };
+              }
+
+              recipeList.push(Passwordless.default.init(passwordlessConfig));
+            }
+
             // Add ThirdParty recipe if any social providers configured
             if (config.socialProviders) {
               // Build provider configurations using Supertokens ProviderInput type

package/src/plugins/auth/env-config.ts

@@ -149,6 +149,9 @@ function parseSupertokensEnv(): EnvParseResult<SupertokensAdapterConfig> {
     apiBasePath: getEnv('SUPERTOKENS_API_BASE_PATH') ?? '/auth',
     websiteBasePath: getEnv('SUPERTOKENS_WEBSITE_BASE_PATH') ?? '/auth',
     enableEmailPassword: getEnvBool('SUPERTOKENS_ENABLE_EMAIL_PASSWORD', true),
+    enablePasswordless: getEnvBool('SUPERTOKENS_ENABLE_PASSWORDLESS', false),
+    resendApiKey: getEnv('RESEND_API_KEY'),
+    resendFromEmail: getEnv('RESEND_FROM_EMAIL'),
   };
 
   // Parse social providers

package/src/plugins/auth/types.ts

@@ -155,6 +155,15 @@ export interface SupertokensAdapterConfig {
   /** Enable email/password auth (default: true) */
   enableEmailPassword?: boolean;
 
+  /** Enable passwordless (magic link) auth (default: false) */
+  enablePasswordless?: boolean;
+
+  /** Resend API key for magic link email delivery (optional — uses SuperTokens core delivery if not set) */
+  resendApiKey?: string;
+
+  /** From email address for magic link emails */
+  resendFromEmail?: string;
+
   /** Social login providers */
   socialProviders?: {
     google?: { clientId: string; clientSecret: string };

package/src/plugins/maintenance-plugin.ts

@@ -819,7 +819,7 @@ export function createMaintenancePlugin(config: MaintenancePluginConfig = {}): P
                 // Execute Payload migration command
                 const { spawn } = await import('child_process');
 
-                migrationProcess = spawn('npx', ['payload', 'migrate', '--force-accept-warning'], {
+                migrationProcess = spawn('pnpm', ['exec', 'payload', 'migrate', '--force-accept-warning'], {
                   cwd: process.cwd(),
                   env: {
                     ...process.env,

package/src/plugins/postgres-plugin.test.ts

@@ -36,6 +36,8 @@ import {
   createPostgresPlugin,
   getPostgres,
   hasPostgres,
+  parseConnectionUrl,
+  isManagedDatabase,
   type PostgresPluginConfig,
 } from './postgres-plugin.js';
 import type { PluginRegistry } from '../core/plugin-registry.js';
@@ -221,6 +223,82 @@ describe('PostgreSQL Plugin', () => {
     });
   });
 
+  describe('parseConnectionUrl', () => {
+    it('should parse a standard URL with explicit port', () => {
+      const result = parseConnectionUrl('postgresql://myuser:mypass@localhost:5432/mydb');
+      expect(result).toEqual({ user: 'myuser', password: 'mypass', host: 'localhost', port: 5432, database: 'mydb' });
+    });
+
+    it('should default port to 5432 when omitted (Neon URL)', () => {
+      const result = parseConnectionUrl('postgresql://user:pass@ep-xxx.us-east-2.aws.neon.tech/neondb?sslmode=require');
+      expect(result.host).toBe('ep-xxx.us-east-2.aws.neon.tech');
+      expect(result.port).toBe(5432);
+      expect(result.database).toBe('neondb');
+      expect(result.user).toBe('user');
+    });
+
+    it('should parse a Supabase URL without port', () => {
+      const result = parseConnectionUrl('postgresql://user:pass@db.abc123.supabase.co/postgres');
+      expect(result.host).toBe('db.abc123.supabase.co');
+      expect(result.port).toBe(5432);
+      expect(result.database).toBe('postgres');
+    });
+
+    it('should normalise postgres:// scheme to postgresql://', () => {
+      const result = parseConnectionUrl('postgres://user:pass@localhost:5432/testdb');
+      expect(result.host).toBe('localhost');
+      expect(result.database).toBe('testdb');
+    });
+
+    it('should strip query-string params from the database name', () => {
+      const result = parseConnectionUrl('postgresql://user:pass@host.neon.tech/mydb?sslmode=require&connect_timeout=10');
+      expect(result.database).toBe('mydb');
+    });
+
+    it('should decode percent-encoded characters in password', () => {
+      const result = parseConnectionUrl('postgresql://user:pass%40word@ep-xxx.neon.tech/mydb?sslmode=require');
+      expect(result.user).toBe('user');
+      expect(result.password).toBe('pass@word');
+      expect(result.host).toBe('ep-xxx.neon.tech');
+      expect(result.database).toBe('mydb');
+    });
+
+    it('should handle empty password without throwing', () => {
+      const result = parseConnectionUrl('postgresql://user:@localhost:5432/mydb');
+      expect(result.user).toBe('user');
+      expect(result.password).toBe('');
+      expect(result.host).toBe('localhost');
+      expect(result.port).toBe(5432);
+      expect(result.database).toBe('mydb');
+    });
+
+    it('should throw on an invalid URL', () => {
+      expect(() => parseConnectionUrl('not-a-url')).toThrow('Invalid PostgreSQL connection URL format');
+    });
+  });
+
+  describe('isManagedDatabase', () => {
+    it('should return true for *.neon.tech hosts', () => {
+      expect(isManagedDatabase('ep-xxx.us-east-2.aws.neon.tech')).toBe(true);
+    });
+
+    it('should return true for *.supabase.co hosts', () => {
+      expect(isManagedDatabase('db.abc123.supabase.co')).toBe(true);
+    });
+
+    it('should return false for localhost', () => {
+      expect(isManagedDatabase('localhost')).toBe(false);
+    });
+
+    it('should return false for RDS hosts', () => {
+      expect(isManagedDatabase('mydb.cluster-xyz.us-east-1.rds.amazonaws.com')).toBe(false);
+    });
+
+    it('should return false for a domain that merely contains but does not end with neon.tech', () => {
+      expect(isManagedDatabase('neon.tech.example.com')).toBe(false);
+    });
+  });
+
   describe('onStop', () => {
     it('should close pool and unregister instance', async () => {
       const plugin = createPostgresPlugin(mockConfig, 'test');

package/src/plugins/postgres-plugin.ts

@@ -161,26 +161,43 @@ export interface PostgresInstance {
 const instances = new Map<string, PostgresInstance>();
 
 /**
- * Parse database connection URL to extract components
+ * Parse database connection URL to extract components.
+ * Supports both `postgresql://` and `postgres://` schemes,
+ * optional port (defaults to 5432), and query-string parameters.
  */
-function parseConnectionUrl(url: string): {
+export function parseConnectionUrl(url: string): {
   user: string;
   password: string;
   host: string;
   port: number;
   database: string;
 } {
-  const match = url.match(/postgresql:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/(.+)/);
-  if (!match) {
+  // Normalise postgres:// → postgresql:// so the URL constructor accepts it
+  const normalised = url.replace(/^postgres:\/\//, 'postgresql://');
+  let parsed: URL;
+  try {
+    parsed = new URL(normalised);
+  } catch {
     throw new Error('Invalid PostgreSQL connection URL format');
   }
-  return {
-    user: match[1],
-    password: match[2],
-    host: match[3],
-    port: parseInt(match[4], 10),
-    database: match[5],
-  };
+  const user = decodeURIComponent(parsed.username);
+  const password = decodeURIComponent(parsed.password);
+  const host = parsed.hostname;
+  const port = parsed.port ? parseInt(parsed.port, 10) : 5432;
+  // pathname starts with '/' — strip it to get the database name
+  const database = decodeURIComponent(parsed.pathname.slice(1));
+  if (!user || !host || !database) {
+    throw new Error('Invalid PostgreSQL connection URL format');
+  }
+  return { user, password, host, port, database };
+}
+
+/**
+ * Returns true when the host belongs to a known managed-database provider
+ * (Neon, Supabase) where destructive operations like DROP DATABASE are unsafe.
+ */
+export function isManagedDatabase(host: string): boolean {
+  return host.endsWith('.neon.tech') || host.endsWith('.supabase.co');
 }
 
 /**
@@ -567,6 +584,8 @@ export function createPostgresPlugin(
               }
             }
 
+            const managed = connParams ? isManagedDatabase(connParams.host) : false;
+
             try {
               await targetInstance.query('SELECT 1');
               res.json({
@@ -576,6 +595,7 @@ export function createPostgresPlugin(
                 user: connParams?.user,
                 host: connParams?.host,
                 port: connParams?.port,
+                managed,
                 autoInitializeEnabled: config.autoInitialize !== false,
                 adminCredentialsProvided: !!(config.adminUser && config.adminPassword),
               });
@@ -587,6 +607,7 @@ export function createPostgresPlugin(
                 user: connParams?.user,
                 host: connParams?.host,
                 port: connParams?.port,
+                managed,
                 errorMessage: err instanceof Error ? err.message : String(err),
                 autoInitializeEnabled: config.autoInitialize !== false,
                 adminCredentialsProvided: !!(config.adminUser && config.adminPassword),
@@ -676,6 +697,13 @@ export function createPostgresPlugin(
             }
 
             const connParams = parseConnectionUrl(config.url);
+
+            if (isManagedDatabase(connParams.host)) {
+              return res.status(403).json({
+                message: 'Delete and recreate is not supported for managed databases (Neon, Supabase). Manage your database through the provider dashboard.',
+              });
+            }
+
             const effectiveAdminUser = adminUser || config.adminUser;
             const effectiveAdminPassword = adminPassword || config.adminPassword;
 

package/src/plugins/rate-limit/env-config.ts

@@ -12,7 +12,7 @@
  * - RATE_LIMIT_CLEANUP_ENABLED: Enable cleanup job (default: true)
  * - RATE_LIMIT_CLEANUP_INTERVAL_MS: Cleanup interval in ms (default: 300000 = 5 minutes)
  * - RATE_LIMIT_API_ENABLED: Enable status API endpoints (default: true)
- * - RATE_LIMIT_API_PREFIX: API route prefix (default: /rate-limit)
+ * - RATE_LIMIT_API_PREFIX: API route prefix (default: empty, framework adds /rate-limit automatically)
  * - RATE_LIMIT_DEBUG: Enable debug logging (default: false)
  *
  * PostgreSQL Store (via postgres-plugin):
@@ -181,7 +181,7 @@ export function createRateLimitPluginFromEnv(options?: RateLimitEnvPluginOptions
   const cleanupEnabled = getEnvBool('RATE_LIMIT_CLEANUP_ENABLED', true);
   const cleanupIntervalMs = getEnvInt('RATE_LIMIT_CLEANUP_INTERVAL_MS', 300000);
   const apiEnabled = getEnvBool('RATE_LIMIT_API_ENABLED', true);
-  const apiPrefix = getEnv('RATE_LIMIT_API_PREFIX') || '/rate-limit';
+  const apiPrefix = getEnv('RATE_LIMIT_API_PREFIX') || '';
   const debug = options?.debug ?? getEnvBool('RATE_LIMIT_DEBUG', false);
 
   // PostgreSQL store config
@@ -252,10 +252,10 @@ export function getRateLimitConfigStatus(): RateLimitConfigStatus {
  * Register config API routes
  */
 function registerConfigRoutes(registry: PluginRegistry): void {
-  // GET /rate-limit/config/status - Get current rate limit status
+  // GET /config/status - Get current rate limit status
   registry.addRoute({
     method: 'get',
-    path: '/rate-limit/config/status',
+    path: '/config/status',
     pluginId: 'rate-limit',
     handler: (_req: Request, res: Response) => {
       res.json(getRateLimitConfigStatus());

package/src/utils/index.ts

@@ -0,0 +1 @@
+export { sanitizeUrl } from './url.js';

package/src/utils/url.test.ts

@@ -0,0 +1,43 @@
+import { sanitizeUrl } from './url.js';
+
+describe('sanitizeUrl', () => {
+  it('allows https URLs', () => {
+    expect(sanitizeUrl('https://example.com')).toBe('https://example.com');
+  });
+
+  it('allows http URLs', () => {
+    expect(sanitizeUrl('http://example.com/path')).toBe('http://example.com/path');
+  });
+
+  it('allows relative URLs starting with /', () => {
+    expect(sanitizeUrl('/relative/path')).toBe('/relative/path');
+  });
+
+  it('blocks javascript: protocol', () => {
+    expect(sanitizeUrl('javascript:alert(document.cookie)')).toBe('#');
+  });
+
+  it('blocks javascript: with uppercase', () => {
+    expect(sanitizeUrl('JavaScript:alert(1)')).toBe('#');
+  });
+
+  it('blocks data: protocol', () => {
+    expect(sanitizeUrl('data:text/html,<h1>test</h1>')).toBe('#');
+  });
+
+  it('blocks vbscript: protocol', () => {
+    expect(sanitizeUrl('vbscript:msgbox(1)')).toBe('#');
+  });
+
+  it('returns fallback for empty string', () => {
+    expect(sanitizeUrl('')).toBe('#');
+  });
+
+  it('returns custom fallback when provided', () => {
+    expect(sanitizeUrl('javascript:alert(1)', '/safe')).toBe('/safe');
+  });
+
+  it('returns fallback for malformed URLs', () => {
+    expect(sanitizeUrl('not a url at all')).toBe('#');
+  });
+});

package/src/utils/url.ts

@@ -0,0 +1,21 @@
+/**
+ * Sanitizes a URL to prevent javascript: and other dangerous protocol injections
+ * when interpolating user-supplied URLs into HTML href attributes.
+ *
+ * Allows: http:, https:, and relative URLs (starting with /).
+ * Returns fallback for any other protocol (e.g., javascript:, data:, vbscript:).
+ */
+export function sanitizeUrl(url: string, fallback = '#'): string {
+  if (!url) return fallback;
+  // Allow relative URLs
+  if (url.startsWith('/')) return url;
+  try {
+    const parsed = new URL(url);
+    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
+      return url;
+    }
+    return fallback;
+  } catch {
+    return fallback;
+  }
+}

package/ui/src/dashboard/widgets/DatabaseOperationsWidget.tsx

@@ -33,6 +33,7 @@ interface DatabaseStatus {
   user?: string;
   host?: string;
   port?: number;
+  managed?: boolean;
   errorMessage?: string;
   autoInitializeEnabled: boolean;
   adminCredentialsProvided: boolean;
@@ -360,6 +361,12 @@ export const DatabaseOperationsWidget: React.FC<DatabaseOperationsWidgetProps> =
             </Typography>
           </Box>
 
+          {status.managed && (
+            <Alert severity="info" sx={{ mt: 2 }}>
+              Managed database (Neon / Supabase). Delete and recreate is disabled — manage your database through the provider dashboard.
+            </Alert>
+          )}
+
           {!status.connected && !operating && (
             <Box sx={{ display: 'flex', gap: 1, mt: 2 }}>
               <Button
@@ -370,14 +377,16 @@ export const DatabaseOperationsWidget: React.FC<DatabaseOperationsWidgetProps> =
               >
                 Initialize Database
               </Button>
-              <Button
-                variant="contained"
-                color="error"
-                onClick={() => startOperation('recreate')}
-                size="small"
-              >
-                Recreate Database
-              </Button>
+              {!status.managed && (
+                <Button
+                  variant="contained"
+                  color="error"
+                  onClick={() => startOperation('recreate')}
+                  size="small"
+                >
+                  Recreate Database
+                </Button>
+              )}
             </Box>
           )}
         </CardContent>