npm - @restforgejs/platform - Versions diffs - 4.1.1 → 4.3.1 - Mend

@restforgejs/platform 4.1.1 → 4.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (340) hide show

package/generators/cli/endpoint/create.js CHANGED Viewed

@@ -33,6 +33,7 @@ const MetadataManager = require('../../lib/utils/metadata-manager');
 const DemoGenerator = require('../../src/utils/demo-generator');
 const projectRegistry = require('../../lib/utils/project-registry');
 const cliOutput = require('../../lib/utils/cli-output');
+const endpointSchemaValidator = require('../../lib/payload/endpoint-schema-validator');
 function hasAuditRequired(payload) {
     if (!payload || !payload.fieldPolicy) return false;
@@ -89,7 +90,19 @@ module.exports = {
             type: 'string',
             required: false,
             default: null,
-            description: 'Tipe database (postgres|mysql|oracle|sqlite). Default: auto-detect dari config'
+            description: 'Tipe database (postgres|mysql|oracle). Default: postgres'
+        },
+        config: {
+            type: 'string',
+            required: false,
+            default: null,
+            description: 'File config database (.env) untuk validasi schema payload-vs-database. Wajib kecuali `--skip-schema-check` aktif atau default config sudah di-set via `config set-default`. Fallback ke `.restforge/defaults.json` bila tidak disediakan eksplisit'
+        },
+        'skip-schema-check': {
+            type: 'boolean',
+            required: false,
+            default: false,
+            description: 'Lewati validasi schema database (escape hatch untuk DB offline atau maintenance). Shape RDF tetap divalidasi'
         },
         force: {
             type: 'boolean',
@@ -123,8 +136,9 @@ module.exports = {
         }
     },
     examples: [
-        'npx restforge endpoint create --project=my-app --name=users --payload=users.json',
-        'npx restforge endpoint create --project=my-app --name=orders --payload=orders.json --force'
+        'npx restforge endpoint create --project=my-app --name=users --payload=users.json --config=db.env',
+        'npx restforge endpoint create --project=my-app --name=orders --payload=orders.json --config=db.env --force=true',
+        'npx restforge endpoint create --project=my-app --name=visitors --payload=visitors.json --skip-schema-check'
     ],
     async handler(args) {
         const startTime = Date.now();
@@ -142,6 +156,10 @@ module.exports = {
             const skipSqlValidation = !!args['skip-sql-validation'];
             const noAuditMigration = !!args['no-audit-migration'];
             const verbose = !!args.verbose;
+            const skipSchemaCheck = !!args['skip-schema-check'];
+            const configArg = typeof args.config === 'string' && args.config.trim().length > 0
+                ? args.config.trim()
+                : null;
             if (!verbose) {
                 cliOutput.mute();
@@ -178,6 +196,26 @@ module.exports = {
                 warnings: cliOutput.drainWarnings()
             };
+            // Schema validation pre-codegen: cross-check payload terhadap struktur
+            // tabel database aktual. Wajib unless --skip-schema-check di-set.
+            // Drift -> throw (exitCode=1). Connection fail -> throw (exitCode=3).
+            // Validasi dilakukan SEBELUM conflict-checker + archive supaya gagal
+            // tanpa rotate file existing.
+            if (muted) cliOutput.unmute();
+            const schemaResult = await endpointSchemaValidator.validateEndpointSchema({
+                payload,
+                payloadFileName: path.basename(payloadFile),
+                configArg,
+                skipSchemaCheck,
+                workingDir: cwd
+            });
+            if (!verbose) {
+                cliOutput.mute();
+                muted = true;
+            }
+            summary.schemaValidation = schemaResult;
+            summary.config.config = configArg || null;
             const registry = projectRegistry.loadProjectRegistry();
             if (registry.projects[project]) {
                 const existing = registry.projects[project];
@@ -271,8 +309,9 @@ module.exports = {
             summary.duration = ((Date.now() - startTime) / 1000).toFixed(2);
             cliOutput.printCreateSummary(summary);
         } catch (error) {
+            // cli-entry.js men-print `Error: <message>` ke stderr saat handler
+            // re-throw (lihat handler dispatch). Jangan double-print di sini.
             if (muted) cliOutput.unmute();
-            console.error(`Error: ${error.message}`);
             throw error;
         }
     }

package/generators/cli/key/generate.js CHANGED Viewed

@@ -17,6 +17,7 @@ const fs = require('node:fs');
 const path = require('node:path');
 const { generateApiKey, validateApiKey } = require('../../lib/utils/key-generator');
 const { updateEnvKey, hasEnvKey, getEnvValue, backupEnvFile } = require('../../lib/utils/env-manager');
+const { validatePathWithinBase } = require('../../lib/utils/path-validator');
 module.exports = {
     resource: 'key',
@@ -43,7 +44,7 @@ module.exports = {
     ],
     async handler(args) {
         const workingDir = process.cwd();
-        const outputFile = path.resolve(workingDir, args.output);
+        const outputFile = validatePathWithinBase(args.output, workingDir);
         const outputRelative = path.relative(workingDir, outputFile);
         console.log('');

package/generators/cli/key/revoke.js CHANGED Viewed

@@ -17,6 +17,7 @@ const path = require('node:path');
 const readline = require('node:readline');
 const { findEnvFiles, getEnvValue, removeEnvKey, backupEnvFile } = require('../../lib/utils/env-manager');
 const { maskApiKey } = require('../../lib/utils/key-generator');
+const { validatePathWithinBase } = require('../../lib/utils/path-validator');
 function createReadlineInterface() {
     return readline.createInterface({
@@ -155,7 +156,7 @@ module.exports = {
         let selectedFile = null;
         if (args.file) {
-            const filePath = path.resolve(baseDir, args.file);
+            const filePath = validatePathWithinBase(args.file, baseDir);
             const relativePath = path.relative(baseDir, filePath);
             const key = getEnvValue(filePath, 'KEY');

package/generators/cli/payload/diff.js CHANGED Viewed

@@ -20,8 +20,9 @@ module.exports = {
     flags: {
         config: {
             type: 'string',
-            required: true,
-            description: 'File config database (.env)'
+            required: false,
+            default: null,
+            description: 'File config database (.env). Fallback ke `.restforge/defaults.json` bila tidak disediakan eksplisit (set via `config set-default`)'
         },
         table: {
             type: 'string',

package/generators/cli/payload/generate.js CHANGED Viewed

@@ -22,8 +22,9 @@ module.exports = {
     flags: {
         config: {
             type: 'string',
-            required: true,
-            description: 'File config database (.env)'
+            required: false,
+            default: null,
+            description: 'File config database (.env). Fallback ke `.restforge/defaults.json` bila tidak disediakan eksplisit (set via `config set-default`)'
         },
         table: {
             type: 'string',

package/generators/cli/payload/sync.js CHANGED Viewed

@@ -21,8 +21,9 @@ module.exports = {
     flags: {
         config: {
             type: 'string',
-            required: true,
-            description: 'File config database (.env)'
+            required: false,
+            default: null,
+            description: 'File config database (.env). Fallback ke `.restforge/defaults.json` bila tidak disediakan eksplisit (set via `config set-default`)'
         },
         table: {
             type: 'string',

package/generators/cli/payload/validate.js CHANGED Viewed

@@ -20,8 +20,9 @@ module.exports = {
     flags: {
         config: {
             type: 'string',
-            required: true,
-            description: 'File config database (.env)'
+            required: false,
+            default: null,
+            description: 'File config database (.env). Fallback ke `.restforge/defaults.json` bila tidak disediakan eksplisit (set via `config set-default`)'
         },
         table: {
             type: 'string',

package/generators/cli/processor/create.js CHANGED Viewed

@@ -26,6 +26,7 @@ const ConflictChecker = require('../../lib/utils/conflict-checker');
 const MetadataManager = require('../../lib/utils/metadata-manager');
 const SensitiveFieldMasker = require('../../lib/utils/sensitive-field-masker');
 const ProcessorValidationGenerator = require('../../lib/generators/processor-validation-generator');
+const { validateSafeName } = require('../../lib/utils/path-validator');
 const isBun = typeof Bun !== 'undefined';
@@ -272,11 +273,19 @@ async function execute(config) {
       next();
     });
-    // Middleware untuk validasi API key jika diperlukan
+    // Middleware untuk validasi API key jika diperlukan (constant-time comparison)
     if (config.key) {
+      const crypto = require('crypto');
+      const expectedKey = Buffer.from(config.key);
       app.use((req, res, next) => {
         const apiKey = req.headers['x-api-key'];
-        if (!apiKey || apiKey !== config.key) {
+        if (!apiKey) {
+          return res.status(401).json({ error: 'Unauthorized: Invalid API Key' });
+        }
+        const providedKey = Buffer.from(apiKey);
+        if (expectedKey.length !== providedKey.length ||
+            !crypto.timingSafeEqual(expectedKey, providedKey)) {
           return res.status(401).json({ error: 'Unauthorized: Invalid API Key' });
         }
         next();
@@ -870,7 +879,7 @@ module.exports = {
             type: 'string',
             required: false,
             default: null,
-            description: 'Tipe database (postgres|mysql|oracle|sqlite). Default: auto-detect dari config'
+            description: 'Tipe database (postgres|mysql|oracle). Default: postgres'
         },
         force: {
             type: 'boolean',
@@ -891,6 +900,8 @@ module.exports = {
     ],
     async handler(args) {
         try {
+            validateSafeName(args.project, 'project');
+            validateSafeName(args.name, 'processor');
             const project = ArgumentValidator.validateProjectName(args.project);
             const endpoint = ArgumentValidator.validateEndpointName(args.name);
             const payloadFile = ArgumentValidator.validatePayloadName(args.payload);

package/generators/cli/project/delete.js CHANGED Viewed

@@ -16,6 +16,7 @@
 const fs = require('node:fs');
 const path = require('node:path');
 const readline = require('node:readline');
+const { validateSafeName } = require('../../lib/utils/path-validator');
 const isBun = typeof Bun !== 'undefined';
@@ -228,7 +229,7 @@ module.exports = {
         'npx restforge project delete --project=my-app --yes'
     ],
     async handler(args) {
-        const moduleName = args.project;
+        const moduleName = validateSafeName(args.project, 'project');
         const autoConfirm = args.yes === true;
         const workingDir = getWorkingDirectory();

package/generators/cli/query/validate.js CHANGED Viewed

@@ -33,8 +33,9 @@ module.exports = {
     flags: {
         config: {
             type: 'string',
-            required: true,
-            description: 'File config database (.env)'
+            required: false,
+            default: null,
+            description: 'File config database (.env). Fallback ke `.restforge/defaults.json` bila tidak disediakan eksplisit (set via `config set-default`)'
         },
         sql: {
             type: 'string',