@rebasepro/server-core 0.1.0 → 0.2.1

package/src/storage/routes.ts

@@ -94,25 +94,7 @@ export function createStorageRoutes(config: StorageRoutesConfig): Hono<HonoEnv>
         const key = typeof body["key"] === "string" ? body["key"] : "";
         const bucket = typeof body["bucket"] === "string" ? body["bucket"] : undefined;
 
-        // Backward compatibility support for older clients sending path and fileName
-        const legacyPath = typeof body["path"] === "string" ? body["path"] : "";
-        const legacyFileName = typeof body["fileName"] === "string" ? body["fileName"] : undefined;
-
-        let finalKey = key;
-        if (!finalKey) {
-            if (legacyPath || legacyFileName) {
-                const parts = [];
-                if (legacyPath) parts.push(legacyPath);
-                if (legacyFileName) {
-                    parts.push(legacyFileName);
-                } else {
-                    parts.push(uploadedFile.name || "unnamed");
-                }
-                finalKey = parts.join("/");
-            } else {
-                finalKey = uploadedFile.name || "unnamed";
-            }
-        }
+        const finalKey = key || uploadedFile.name || "unnamed";
 
         // Extract custom metadata from request body
         const metadata: Record<string, unknown> = {};

package/src/utils/logging.ts

@@ -21,8 +21,8 @@ debug: 3 };
  */
 export function resetConsole() {
     // Store original methods if not already stored
-    if (!(global as unknown as Record<string, unknown>).__originalConsole) {
-        (global as unknown as Record<string, unknown>).__originalConsole = {
+    if (!(global as Record<string, unknown>).__originalConsole) {
+        (global as Record<string, unknown>).__originalConsole = {
             log: console.log,
             warn: console.warn,
             error: console.error,
@@ -30,7 +30,7 @@ export function resetConsole() {
         };
     }
 
-    const original = (global as unknown as Record<string, unknown>).__originalConsole as Console;
+    const original = (global as Record<string, unknown>).__originalConsole as Console;
     console.log = original.log;
     console.warn = original.warn;
     console.error = original.error;

package/test/admin-routes.test.ts

@@ -63,6 +63,7 @@ displayName: data.displayName,
 passwordHash: data.passwordHash }))
         ),
         listUsers: jest.fn().mockResolvedValue([]),
+        listUsersPaginated: jest.fn().mockResolvedValue({ users: [], total: 0, limit: 25, offset: 0 }),
         getUserRoles: jest.fn().mockResolvedValue([mockRole("editor")]),
         getUserRoleIds: jest.fn().mockResolvedValue(["editor"]),
         assignDefaultRole: jest.fn().mockResolvedValue(undefined),
@@ -226,12 +227,17 @@ accessExpiresIn: "1h" });
         describe("GET /admin/users", () => {
             it("returns list of users with roles", async () => {
                 const app = createApp();
-                mockAuthRepo.listUsers.mockResolvedValueOnce([
-                    mockUser({ id: "u1",
+                mockAuthRepo.listUsersPaginated.mockResolvedValueOnce({
+                    users: [
+                        mockUser({ id: "u1",
 email: "a@test.com" }),
-                    mockUser({ id: "u2",
+                        mockUser({ id: "u2",
 email: "b@test.com" })
-                ]);
+                    ],
+                    total: 2,
+                    limit: 25,
+                    offset: 0
+                });
                 mockAuthRepo.getUserRoleIds
                     .mockResolvedValueOnce(["admin"])
                     .mockResolvedValueOnce(["editor"]);

package/test/auth-routes.test.ts

@@ -916,7 +916,7 @@ withEmail: false });
             const body = await res.json() as any;
             expect(body.needsSetup).toBe(false);
             expect(body.registrationEnabled).toBe(false);
-            expect(body.googleEnabled).toBe(false);
+            expect(body.enabledProviders).toEqual([]);
         });
 
         it("reports Google enabled when configured", async () => {
@@ -925,7 +925,7 @@ withEmail: false });
 
             const res = await app.request("/auth/config");
             const body = await res.json() as any;
-            expect(body.googleEnabled).toBe(true);
+            expect(body.enabledProviders).toContain("google");
         });
     });
 

package/test/backend-hooks-admin.test.ts

@@ -159,11 +159,16 @@ describe("BackendHooks — Admin Routes", () => {
                 }
             };
             const app = createApp(hooks);
-            mockAuthRepo.listUsers.mockResolvedValueOnce([
-                mockUser({ id: "u1", email: "alice@test.com" }),
-                mockUser({ id: "u2", email: "bot@system.internal" }),
-                mockUser({ id: "u3", email: "bob@test.com" })
-            ]);
+            mockAuthRepo.listUsersPaginated.mockResolvedValueOnce({
+                users: [
+                    mockUser({ id: "u1", email: "alice@test.com" }),
+                    mockUser({ id: "u2", email: "bot@system.internal" }),
+                    mockUser({ id: "u3", email: "bob@test.com" })
+                ],
+                total: 3,
+                limit: 25,
+                offset: 0
+            });
             mockAuthRepo.getUserRoleIds
                 .mockResolvedValueOnce(["editor"])
                 .mockResolvedValueOnce(["editor"])
@@ -186,9 +191,14 @@ describe("BackendHooks — Admin Routes", () => {
                 }
             };
             const app = createApp(hooks);
-            mockAuthRepo.listUsers.mockResolvedValueOnce([
-                mockUser({ id: "u1", email: "alice@secret.com" })
-            ]);
+            mockAuthRepo.listUsersPaginated.mockResolvedValueOnce({
+                users: [
+                    mockUser({ id: "u1", email: "alice@secret.com" })
+                ],
+                total: 1,
+                limit: 25,
+                offset: 0
+            });
             mockAuthRepo.getUserRoleIds.mockResolvedValueOnce(["editor"]);
 
             const res = await app.request("/admin/users", { headers: { ...adminAuth() } });
@@ -219,7 +229,12 @@ describe("BackendHooks — Admin Routes", () => {
             const afterReadSpy = jest.fn((user, ctx) => user);
             const hooks: BackendHooks = { users: { afterRead: afterReadSpy } };
             const app = createApp(hooks);
-            mockAuthRepo.listUsers.mockResolvedValueOnce([mockUser({ id: "u1" })]);
+            mockAuthRepo.listUsersPaginated.mockResolvedValueOnce({
+                users: [mockUser({ id: "u1" })],
+                total: 1,
+                limit: 25,
+                offset: 0
+            });
             mockAuthRepo.getUserRoleIds.mockResolvedValueOnce(["editor"]);
 
             await app.request("/admin/users", { headers: { ...adminAuth("admin-42") } });
@@ -379,9 +394,14 @@ describe("BackendHooks — Admin Routes", () => {
     describe("no hooks configured", () => {
         it("returns data unchanged when no hooks are provided", async () => {
             const app = createApp(); // no hooks
-            mockAuthRepo.listUsers.mockResolvedValueOnce([
-                mockUser({ id: "u1", email: "alice@test.com" })
-            ]);
+            mockAuthRepo.listUsersPaginated.mockResolvedValueOnce({
+                users: [
+                    mockUser({ id: "u1", email: "alice@test.com" })
+                ],
+                total: 1,
+                limit: 25,
+                offset: 0
+            });
             mockAuthRepo.getUserRoleIds.mockResolvedValueOnce(["editor"]);
 
             const res = await app.request("/admin/users", { headers: { ...adminAuth() } });

package/test/custom-auth-adapter.test.ts

@@ -0,0 +1,177 @@
+import { createCustomAuthAdapter } from "../src/auth/custom-auth-adapter";
+import type { AuthenticatedUser, CustomAuthAdapterOptions } from "@rebasepro/types";
+
+const TEST_USER: AuthenticatedUser = {
+    uid: "user-123",
+    email: "test@example.com",
+    displayName: "Test User",
+    roles: ["editor"],
+    isAdmin: false,
+    rawToken: "tok_abc",
+};
+
+const ADMIN_USER: AuthenticatedUser = {
+    uid: "admin-1",
+    email: "admin@example.com",
+    roles: ["admin"],
+    isAdmin: true,
+};
+
+describe("createCustomAuthAdapter", () => {
+    it("sets the adapter id to 'custom'", () => {
+        const adapter = createCustomAuthAdapter({
+            verifyRequest: async () => null,
+        });
+        expect(adapter.id).toBe("custom");
+    });
+
+    it("delegates verifyRequest to the provided function", async () => {
+        const verifyRequest = jest.fn(async () => TEST_USER);
+        const adapter = createCustomAuthAdapter({ verifyRequest });
+        const req = new Request("http://localhost/api", {
+            headers: { Authorization: "Bearer test-token" },
+        });
+        const result = await adapter.verifyRequest(req);
+        expect(verifyRequest).toHaveBeenCalledWith(req);
+        expect(result).toBe(TEST_USER);
+    });
+
+    it("returns null from verifyRequest when the user function returns null", async () => {
+        const adapter = createCustomAuthAdapter({
+            verifyRequest: async () => null,
+        });
+        const result = await adapter.verifyRequest(new Request("http://localhost/"));
+        expect(result).toBeNull();
+    });
+
+    // ── verifyToken (fallback via synthetic Request) ──────────────────
+
+    it("synthesizes a Request when verifyToken is not provided", async () => {
+        const verifyRequest = jest.fn(async (request: Request) => {
+            const auth = request.headers.get("authorization");
+            if (auth === "Bearer my-token") return TEST_USER;
+            return null;
+        });
+        const adapter = createCustomAuthAdapter({ verifyRequest });
+
+        expect(adapter.verifyToken).toBeDefined();
+
+        const result = await adapter.verifyToken!("my-token");
+        expect(result).toBe(TEST_USER);
+
+        // Verify the synthetic request was created correctly
+        expect(verifyRequest).toHaveBeenCalledTimes(1);
+        const calledRequest = verifyRequest.mock.calls[0][0] as Request;
+        expect(calledRequest.headers.get("authorization")).toBe("Bearer my-token");
+        expect(calledRequest.url).toContain("_ws_auth");
+    });
+
+    it("returns null from fallback verifyToken for invalid token", async () => {
+        const adapter = createCustomAuthAdapter({
+            verifyRequest: async () => null,
+        });
+        const result = await adapter.verifyToken!("bad-token");
+        expect(result).toBeNull();
+    });
+
+    // ── verifyToken (direct passthrough) ──────────────────────────────
+
+    it("uses the user-provided verifyToken when given", async () => {
+        const customVerifyToken = jest.fn(async (token: string) => {
+            if (token === "direct-token") return ADMIN_USER;
+            return null;
+        });
+        const verifyRequest = jest.fn(async () => null);
+        const adapter = createCustomAuthAdapter({
+            verifyRequest,
+            verifyToken: customVerifyToken,
+        });
+
+        const result = await adapter.verifyToken!("direct-token");
+        expect(result).toBe(ADMIN_USER);
+
+        // verifyRequest should NOT be called — verifyToken takes precedence
+        expect(verifyRequest).not.toHaveBeenCalled();
+    });
+
+    it("returns null from user-provided verifyToken for unknown token", async () => {
+        const adapter = createCustomAuthAdapter({
+            verifyRequest: async () => null,
+            verifyToken: async () => null,
+        });
+        const result = await adapter.verifyToken!("unknown");
+        expect(result).toBeNull();
+    });
+
+    // ── Capabilities ──────────────────────────────────────────────────
+
+    it("returns default capabilities when none are overridden", async () => {
+        const adapter = createCustomAuthAdapter({
+            verifyRequest: async () => null,
+        });
+        const caps = await adapter.getCapabilities!();
+        expect(caps).toEqual({
+            hasBuiltInAuthRoutes: false,
+            emailPasswordLogin: false,
+            registration: false,
+            passwordReset: false,
+            sessionManagement: false,
+            profileUpdate: false,
+            emailVerification: false,
+            enabledProviders: [],
+        });
+    });
+
+    it("merges user-provided capabilities with defaults", async () => {
+        const adapter = createCustomAuthAdapter({
+            verifyRequest: async () => null,
+            capabilities: { emailPasswordLogin: true, registration: true },
+        });
+        const caps = await adapter.getCapabilities!();
+        expect(caps.emailPasswordLogin).toBe(true);
+        expect(caps.registration).toBe(true);
+        expect(caps.hasBuiltInAuthRoutes).toBe(false);
+    });
+
+    // ── Optional fields ───────────────────────────────────────────────
+
+    it("passes through serviceKey", () => {
+        const adapter = createCustomAuthAdapter({
+            verifyRequest: async () => null,
+            serviceKey: "sk_live_123",
+        });
+        expect(adapter.serviceKey).toBe("sk_live_123");
+    });
+
+    it("passes through userManagement and roleManagement when provided", () => {
+        const userMgmt = {
+            getUser: jest.fn(),
+            listUsers: jest.fn(),
+            createUser: jest.fn(),
+            updateUser: jest.fn(),
+            deleteUser: jest.fn(),
+        };
+        const roleMgmt = {
+            listRoles: jest.fn(),
+            getUserRoles: jest.fn(),
+            setUserRoles: jest.fn(),
+        };
+
+        const adapter = createCustomAuthAdapter({
+            verifyRequest: async () => null,
+            userManagement: userMgmt as unknown as CustomAuthAdapterOptions["userManagement"],
+            roleManagement: roleMgmt as unknown as CustomAuthAdapterOptions["roleManagement"],
+        });
+
+        expect(adapter.userManagement).toBe(userMgmt);
+        expect(adapter.roleManagement).toBe(roleMgmt);
+    });
+
+    it("omits userManagement and roleManagement when not provided", () => {
+        const adapter = createCustomAuthAdapter({
+            verifyRequest: async () => null,
+        });
+        expect(adapter.userManagement).toBeUndefined();
+        expect(adapter.roleManagement).toBeUndefined();
+    });
+});

package/test/env.test.ts

@@ -0,0 +1,138 @@
+import { z } from "zod";
+import { loadEnv } from "../src/env";
+
+describe("env configuration and localhost validation", () => {
+    let originalEnv: NodeJS.ProcessEnv;
+
+    beforeEach(() => {
+        // Save a backup of the original process.env
+        originalEnv = { ...process.env };
+        // Clear env vars that might interfere with tests
+        delete process.env.NODE_ENV;
+        delete process.env.DATABASE_URL;
+        delete process.env.ADMIN_CONNECTION_STRING;
+        delete process.env.JWT_SECRET;
+        delete process.env.FRONTEND_URL;
+        delete process.env.CORS_ORIGINS;
+        delete process.env.ALLOW_LOCALHOST_IN_PRODUCTION;
+    });
+
+    afterEach(() => {
+        // Restore process.env after each test
+        process.env = originalEnv;
+    });
+
+    it("should allow localhost URLs in development mode", () => {
+        process.env.NODE_ENV = "development";
+        process.env.DATABASE_URL = "postgresql://localhost:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+
+        expect(() => loadEnv()).not.toThrow();
+        const env = loadEnv();
+        expect(env.DATABASE_URL).toBe("postgresql://localhost:5432/rebase");
+    });
+
+    it("should fail validation in production if DATABASE_URL contains localhost", () => {
+        process.env.NODE_ENV = "production";
+        process.env.DATABASE_URL = "postgresql://localhost:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+        process.env.FRONTEND_URL = "https://my-app.com";
+
+        expect(() => loadEnv()).toThrowError(/postgresql:\/\/localhost:5432\/rebase/);
+    });
+
+    it("should fail validation in production if DATABASE_URL contains 127.0.0.1", () => {
+        process.env.NODE_ENV = "production";
+        process.env.DATABASE_URL = "postgresql://127.0.0.1:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+        process.env.FRONTEND_URL = "https://my-app.com";
+
+        expect(() => loadEnv()).toThrowError(/postgresql:\/\/127\.0\.0\.1:5432\/rebase/);
+    });
+
+    it("should fail validation in production if DATABASE_URL contains an IPv6 loopback [::1]", () => {
+        process.env.NODE_ENV = "production";
+        process.env.DATABASE_URL = "postgresql://[::1]:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+        process.env.FRONTEND_URL = "https://my-app.com";
+
+        expect(() => loadEnv()).toThrowError(/postgresql:\/\/\[::1\]:5432\/rebase/);
+    });
+
+    it("should fail validation in production if DATABASE_URL contains a loopback in the 127.x.x.x range", () => {
+        process.env.NODE_ENV = "production";
+        process.env.DATABASE_URL = "postgresql://127.0.0.2:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+        process.env.FRONTEND_URL = "https://my-app.com";
+
+        expect(() => loadEnv()).toThrowError(/postgresql:\/\/127\.0\.0\.2:5432\/rebase/);
+    });
+
+    it("should succeed validation in production with a non-localhost DATABASE_URL", () => {
+        process.env.NODE_ENV = "production";
+        process.env.DATABASE_URL = "postgresql://db.my-app.com:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+        process.env.FRONTEND_URL = "https://my-app.com";
+
+        expect(() => loadEnv()).not.toThrow();
+        const env = loadEnv();
+        expect(env.DATABASE_URL).toBe("postgresql://db.my-app.com:5432/rebase");
+    });
+
+    it("should allow localhost URLs in production if ALLOW_LOCALHOST_IN_PRODUCTION is set to true", () => {
+        process.env.NODE_ENV = "production";
+        process.env.DATABASE_URL = "postgresql://localhost:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+        process.env.FRONTEND_URL = "https://my-app.com";
+        process.env.ALLOW_LOCALHOST_IN_PRODUCTION = "true";
+
+        expect(() => loadEnv()).not.toThrow();
+        const env = loadEnv();
+        expect(env.DATABASE_URL).toBe("postgresql://localhost:5432/rebase");
+    });
+
+    it("should not block localhost URLs in CORS_ORIGINS in production mode", () => {
+        process.env.NODE_ENV = "production";
+        process.env.DATABASE_URL = "postgresql://db.my-app.com:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+        process.env.FRONTEND_URL = "https://my-app.com";
+        process.env.CORS_ORIGINS = "http://localhost:3000,https://my-app.com";
+
+        expect(() => loadEnv()).not.toThrow();
+        const env = loadEnv();
+        expect(env.CORS_ORIGINS).toBe("http://localhost:3000,https://my-app.com");
+    });
+
+    it("should validate and block localhost in extended variables", () => {
+        process.env.NODE_ENV = "production";
+        process.env.DATABASE_URL = "postgresql://db.my-app.com:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+        process.env.FRONTEND_URL = "https://my-app.com";
+        // Extended URL points to localhost
+        process.env.EXTERNAL_SERVICE_URL = "https://localhost:8080/api";
+
+        const extension = {
+            extend: z.object({
+                EXTERNAL_SERVICE_URL: z.string().url(),
+            }),
+        };
+
+        expect(() => loadEnv(extension)).toThrowError(/https:\/\/localhost:8080\/api/);
+    });
+
+    it("should validate and block plain host string matching localhost", () => {
+        process.env.NODE_ENV = "production";
+        process.env.DATABASE_URL = "postgresql://db.my-app.com:5432/rebase";
+        process.env.JWT_SECRET = "12345678901234567890123456789012";
+        process.env.FRONTEND_URL = "https://my-app.com";
+        process.env.DB_HOST = "localhost";
+
+        const extension = {
+            extend: z.object({
+                DB_HOST: z.string(),
+            }),
+        };
+
+        expect(() => loadEnv(extension)).toThrowError(/localhost/);
+    });
+});

package/test/query-parser.test.ts

@@ -156,36 +156,7 @@ describe("parseQueryOptions — PostgREST filters", () => {
     });
 });
 
-// ─────────────────────────────────────────────────────────────
-// parseQueryOptions — Legacy JSON where
-// ─────────────────────────────────────────────────────────────
-describe("parseQueryOptions — legacy JSON where", () => {
-    it("parses JSON where string", () => {
-        const result = parseQueryOptions({
-            where: JSON.stringify({ status: ["==", "published"] })
-        });
-        expect(result.where?.status).toEqual(["==", "published"]);
-    });
-
-    it("accepts object where directly", () => {
-        const result = parseQueryOptions({
-            where: { status: ["==", "draft"] }
-        });
-        expect(result.where?.status).toEqual(["==", "draft"]);
-    });
-
-    it("throws for malformed JSON where", () => {
-        expect(() => parseQueryOptions({ where: "not valid json{" })).toThrow("Invalid 'where' filter");
-    });
 
-    it("throws for array where", () => {
-        expect(() => parseQueryOptions({ where: JSON.stringify([1, 2]) })).toThrow("Filter must be a JSON object");
-    });
-
-    it("throws for null where", () => {
-        expect(() => parseQueryOptions({ where: JSON.stringify(null) })).toThrow("Filter must be a JSON object");
-    });
-});
 
 // ─────────────────────────────────────────────────────────────
 // parseQueryOptions — Sorting

package/tsconfig.json

@@ -35,6 +35,9 @@
       ],
       "@rebasepro/common": [
         "../common/src"
+      ],
+      "hono": [
+        "node_modules/hono"
       ]
     }
   },

package/app/frontend/node_modules/esbuild/LICENSE.md

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2020 Evan Wallace
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

package/app/frontend/node_modules/esbuild/README.md

@@ -1,3 +0,0 @@
-# esbuild
-
-This is a JavaScript bundler and minifier. See https://github.com/evanw/esbuild and the [JavaScript API documentation](https://esbuild.github.io/api/) for details.