@restforgejs/platform 4.1.1 → 4.3.1

package/generators/tests/unit/lib/processor-validation-generator.test.js

@@ -1,300 +0,0 @@
-const test = require('node:test');
-const assert = require('node:assert');
-
-const {
-  generateRouterValidationCode,
-  escapeSingleQuoted
-} = require('../../../lib/generators/processor-validation-generator');
-
-/**
- * Bangun stub router scope dan eksekusi blok validasi yang di-generate.
- * Generated code dibungkus di inner function sehingga early return pada
- * blok validasi (res.status(400).json(...)) tidak menghentikan flow
- * pembacaan state dari resObj.
- */
-function runValidationBlock(validationCode, input) {
-  const resObj = {
-    __done: false,
-    __payload: null,
-    __status: 0,
-    status(code) {
-      this.__status = code;
-      return this;
-    },
-    json(body) {
-      this.__done = true;
-      this.__payload = body;
-      return this;
-    }
-  };
-  const inner = new Function('input', 'res', validationCode);
-  inner(input, resObj);
-  return {
-    done: resObj.__done,
-    payload: resObj.__payload,
-    status: resObj.__status
-  };
-}
-
-test('escapeSingleQuoted: escape backslash dan single quote', () => {
-  assert.strictEqual(escapeSingleQuoted("O'Brien"), "O\\'Brien");
-  assert.strictEqual(escapeSingleQuoted('path\\to'), 'path\\\\to');
-  assert.strictEqual(escapeSingleQuoted(''), '');
-  assert.strictEqual(escapeSingleQuoted(42), '');
-});
-
-test('proc tanpa request: emit komentar no-op saja', () => {
-  const code = generateRouterValidationCode({ name: 'proc1' });
-  assert.match(code, /Tidak ada validation rules di payload/);
-  assert.doesNotMatch(code, /__validationErrors/);
-});
-
-test('proc dengan request.validate:false: emit komentar opt-out', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      validate: false,
-      body: { x: { type: 'string', required: true } }
-    }
-  });
-  assert.match(code, /di-opt-out/);
-  assert.doesNotMatch(code, /__validationErrors/);
-});
-
-test('proc dengan request tanpa field yang validable: emit komentar', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: { body: { note: {} } }
-  });
-  assert.match(code, /Tidak ada field yang perlu divalidasi/);
-});
-
-test('required field string: menolak absent dan tipe salah', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: {
-        order_id: { type: 'string', required: true }
-      }
-    }
-  });
-  // Kode harus valid dan berisi __validationErrors.
-  assert.match(code, /const __validationErrors = \[\];/);
-
-  // Kasus absen: error "wajib diisi".
-  const r1 = runValidationBlock(code, {});
-  assert.strictEqual(r1.status, 400);
-  assert.strictEqual(r1.payload.errors.length, 1);
-  assert.match(r1.payload.errors[0].message, /wajib diisi/);
-
-  // Kasus tipe salah: error "harus berupa string".
-  const r2 = runValidationBlock(code, { order_id: 123 });
-  assert.strictEqual(r2.status, 400);
-  assert.match(r2.payload.errors[0].message, /harus berupa string/);
-
-  // Kasus valid.
-  const r3 = runValidationBlock(code, { order_id: 'abc' });
-  assert.strictEqual(r3.done, false);
-});
-
-test('required field uuid: validate format', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: {
-        order_id: { type: 'uuid', required: true }
-      }
-    }
-  });
-
-  const invalid = runValidationBlock(code, { order_id: 'not-a-uuid' });
-  assert.strictEqual(invalid.status, 400);
-  assert.match(invalid.payload.errors[0].message, /UUID yang valid/);
-
-  const valid = runValidationBlock(code, {
-    order_id: '550e8400-e29b-41d4-a716-446655440000'
-  });
-  assert.strictEqual(valid.done, false);
-});
-
-test('required field number: menolak non-numeric', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: { quantity: { type: 'number', required: true } }
-    }
-  });
-  const invalid = runValidationBlock(code, { quantity: 'abc' });
-  assert.strictEqual(invalid.status, 400);
-  assert.match(invalid.payload.errors[0].message, /harus berupa angka/);
-
-  const valid = runValidationBlock(code, { quantity: 42 });
-  assert.strictEqual(valid.done, false);
-});
-
-test('required field integer: menolak desimal', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: { qty: { type: 'integer', required: true } }
-    }
-  });
-  const invalid = runValidationBlock(code, { qty: 1.5 });
-  assert.strictEqual(invalid.status, 400);
-});
-
-test('required field boolean: terima true/false/string', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: { is_active: { type: 'boolean', required: true } }
-    }
-  });
-  assert.strictEqual(runValidationBlock(code, { is_active: true }).done, false);
-  assert.strictEqual(runValidationBlock(code, { is_active: false }).done, false);
-  assert.strictEqual(runValidationBlock(code, { is_active: 'true' }).done, false);
-  assert.strictEqual(runValidationBlock(code, { is_active: 'maybe' }).status, 400);
-});
-
-test('required field array: tolak non-array', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: { items: { type: 'array', required: true } }
-    }
-  });
-  const invalid = runValidationBlock(code, { items: 'not-array' });
-  assert.strictEqual(invalid.status, 400);
-  const valid = runValidationBlock(code, { items: [1, 2] });
-  assert.strictEqual(valid.done, false);
-});
-
-test('required field object: tolak array dan primitive', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: { payload: { type: 'object', required: true } }
-    }
-  });
-  assert.strictEqual(runValidationBlock(code, { payload: [] }).status, 400);
-  assert.strictEqual(runValidationBlock(code, { payload: 'x' }).status, 400);
-  assert.strictEqual(runValidationBlock(code, { payload: { a: 1 } }).done, false);
-});
-
-test('enum whitelist: tolak nilai di luar daftar', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: {
-        status: { type: 'string', required: true, enum: ['draft', 'approved', 'rejected'] }
-      }
-    }
-  });
-  const invalid = runValidationBlock(code, { status: 'hacked' });
-  assert.strictEqual(invalid.status, 400);
-  assert.match(invalid.payload.errors[0].message, /tidak termasuk nilai yang diizinkan/);
-
-  const valid = runValidationBlock(code, { status: 'approved' });
-  assert.strictEqual(valid.done, false);
-});
-
-test('minLength/maxLength untuk string', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: {
-        note: { type: 'string', required: true, minLength: 3, maxLength: 10 }
-      }
-    }
-  });
-  assert.strictEqual(runValidationBlock(code, { note: 'ab' }).status, 400);
-  assert.strictEqual(runValidationBlock(code, { note: 'hello world!' }).status, 400);
-  assert.strictEqual(runValidationBlock(code, { note: 'hello' }).done, false);
-});
-
-test('format email: validate regex email', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: {
-        email: { type: 'string', required: true, format: 'email' }
-      }
-    }
-  });
-  assert.strictEqual(runValidationBlock(code, { email: 'not-email' }).status, 400);
-  assert.strictEqual(runValidationBlock(code, { email: 'a@b.co' }).done, false);
-});
-
-test('header mapTo: generate validasi pada nama mapTo, bukan nama header', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      headers: {
-        'X-App-Code': { type: 'string', required: true, mapTo: 'app_code' }
-      }
-    }
-  });
-
-  assert.doesNotMatch(code, /input\['X-App-Code'\]/);
-  assert.match(code, /input\['app_code'\]/);
-  assert.match(code, /Header X-App-Code/);
-
-  const missing = runValidationBlock(code, {});
-  assert.strictEqual(missing.status, 400);
-  const ok = runValidationBlock(code, { app_code: 'sales' });
-  assert.strictEqual(ok.done, false);
-});
-
-test('non-required field: skip jika absen, tapi validate jika value ada', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: {
-        tag: { type: 'string', minLength: 2 }
-      }
-    }
-  });
-
-  // absent -> tidak ada error.
-  assert.strictEqual(runValidationBlock(code, {}).done, false);
-  // present tapi tidak lolos minLength.
-  assert.strictEqual(runValidationBlock(code, { tag: 'x' }).status, 400);
-  // present dan lolos.
-  assert.strictEqual(runValidationBlock(code, { tag: 'ok' }).done, false);
-});
-
-test('kode yang di-generate tidak expose field name user sebagai kode eksekusi', () => {
-  // Nama field dengan single quote dan backslash di-escape.
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: {
-        "foo'; return 42; //": { type: 'string', required: true }
-      }
-    }
-  });
-  // Kode masih bisa di-compile.
-  const fn = new Function('input', 'res', `${code}\nreturn true;`);
-  const res = { status: () => ({ json: () => {} }) };
-  assert.doesNotThrow(() => fn({}, res));
-});
-
-test('multiple field dari body dan headers: semua error terkumpul (fail fast per field)', () => {
-  const code = generateRouterValidationCode({
-    name: 'proc1',
-    request: {
-      body: {
-        order_id: { type: 'uuid', required: true },
-        qty: { type: 'integer', required: true }
-      },
-      headers: {
-        'X-App-Code': { type: 'string', required: true, mapTo: 'app_code' }
-      }
-    }
-  });
-  const result = runValidationBlock(code, {});
-  assert.strictEqual(result.status, 400);
-  assert.strictEqual(result.payload.errors.length, 3);
-  const fields = result.payload.errors.map(e => e.field).sort();
-  assert.deepStrictEqual(fields, ['app_code', 'order_id', 'qty']);
-});

package/generators/tests/unit/lib/sensitive-field-masker.test.js

@@ -1,170 +0,0 @@
-const test = require('node:test');
-const assert = require('node:assert');
-
-const masker = require('../../../lib/utils/sensitive-field-masker');
-
-test('maskSensitive: mask field dengan nama password', () => {
-  const input = { username: 'ibrahim', password: 'secret123' };
-  const out = masker.maskSensitive(input);
-  assert.strictEqual(out.password, '***MASKED***');
-  assert.strictEqual(out.username, 'ibrahim');
-});
-
-test('maskSensitive: mask berbagai nama field sensitif yang umum', () => {
-  const input = {
-    token: 'abc',
-    apiKey: 'xyz',
-    api_key: 'xyz',
-    credit_card: '4111-1111',
-    cardNumber: '4111-1111',
-    cvv: '123',
-    ssn: '000-00-0000',
-    pin: '1234',
-    privateKey: 'RSA',
-    refresh_token: 'r',
-    accessToken: 'a',
-    otp: '999999',
-    mfa: 'Y',
-    authorization: 'Bearer x',
-    auth: 'Bearer x'
-  };
-  const out = masker.maskSensitive(input);
-  for (const key of Object.keys(input)) {
-    assert.strictEqual(out[key], '***MASKED***', `Field ${key} seharusnya ter-mask`);
-  }
-});
-
-test('maskSensitive: case insensitive (PASSWORD, Password, password)', () => {
-  const out = masker.maskSensitive({
-    PASSWORD: 'x',
-    Password: 'y',
-    password: 'z'
-  });
-  assert.strictEqual(out.PASSWORD, '***MASKED***');
-  assert.strictEqual(out.Password, '***MASKED***');
-  assert.strictEqual(out.password, '***MASKED***');
-});
-
-test('maskSensitive: rekursif pada nested object', () => {
-  const out = masker.maskSensitive({
-    user: { name: 'a', password: 'b', nested: { token: 't' } },
-    items: [{ secret: 'x' }, { ok: 'v' }]
-  });
-  assert.strictEqual(out.user.password, '***MASKED***');
-  assert.strictEqual(out.user.name, 'a');
-  assert.strictEqual(out.user.nested.token, '***MASKED***');
-  assert.strictEqual(out.items[0].secret, '***MASKED***');
-  assert.strictEqual(out.items[1].ok, 'v');
-});
-
-test('maskSensitive: return nilai primitive apa adanya', () => {
-  assert.strictEqual(masker.maskSensitive(null), null);
-  assert.strictEqual(masker.maskSensitive(undefined), undefined);
-  assert.strictEqual(masker.maskSensitive(42), 42);
-  assert.strictEqual(masker.maskSensitive('plain string'), 'plain string');
-});
-
-test('maskSensitive: tidak melakukan mutasi pada object asli', () => {
-  const original = { password: 'orig', name: 'ibrahim' };
-  const out = masker.maskSensitive(original);
-  assert.strictEqual(original.password, 'orig');
-  assert.notStrictEqual(out, original);
-});
-
-test('maskSensitive: field name yang mengandung substring sensitif tidak di-mask', () => {
-  const out = masker.maskSensitive({
-    password_hint: 'nama hewan peliharaan',
-    my_token_description: 'deskripsi',
-    secretly_happy: 'v'
-  });
-  assert.strictEqual(out.password_hint, 'nama hewan peliharaan');
-  assert.strictEqual(out.my_token_description, 'deskripsi');
-  assert.strictEqual(out.secretly_happy, 'v');
-});
-
-test('isFieldSensitive: flag explicit sensitive:true mengalahkan pattern', () => {
-  assert.strictEqual(masker.isFieldSensitive('nickname', { sensitive: true }), true);
-  assert.strictEqual(masker.isFieldSensitive('password', {}), true);
-  assert.strictEqual(masker.isFieldSensitive('email', {}), false);
-  assert.strictEqual(masker.isFieldSensitive('email', null), false);
-});
-
-test('sanitizeExtraKeywords: filter karakter tidak aman dan duplikat', () => {
-  const out = masker.sanitizeExtraKeywords([
-    'ktp_number',
-    'npwp',
-    '123bad',          // tidak boleh: mulai angka
-    'has space',       // tidak boleh: mengandung spasi
-    'regex.*inject',   // tidak boleh: meta character
-    'alpha|beta',      // tidak boleh: pipe injection
-    'NPWP',            // duplikat lowercase dari npwp
-    42,                // tidak boleh: bukan string
-    null
-  ]);
-  assert.deepStrictEqual(out, ['ktp_number', 'npwp']);
-});
-
-test('buildMaskerHelperCode: output adalah kode JS valid dan fungsional', () => {
-  const code = masker.buildMaskerHelperCode({ extraKeywords: ['ktp_number'] });
-  // Compile dan jalankan kode untuk verify fungsional.
-  const runner = new Function(`${code}\nreturn __maskSensitive(arguments[0]);`);
-  const result = runner({
-    password: 'x',
-    ktp_number: '3201234',
-    name: 'ibrahim',
-    nested: { token: 't' }
-  });
-  assert.strictEqual(result.password, '***MASKED***');
-  assert.strictEqual(result.ktp_number, '***MASKED***');
-  assert.strictEqual(result.name, 'ibrahim');
-  assert.strictEqual(result.nested.token, '***MASKED***');
-});
-
-test('buildMaskerHelperCode: reject regex injection via extra keyword', () => {
-  // Keyword berbahaya di-filter sebelum di-embed ke regex.
-  const code = masker.buildMaskerHelperCode({ extraKeywords: ['.*', '|password|'] });
-  const runner = new Function(`${code}\nreturn __maskSensitive(arguments[0]);`);
-  const result = runner({ normal_field: 'ok', password: 'x' });
-  // normal_field tidak boleh ter-mask (tidak ada regex '.*' yang aktif).
-  assert.strictEqual(result.normal_field, 'ok');
-  // Default pattern tetap bekerja untuk password.
-  assert.strictEqual(result.password, '***MASKED***');
-});
-
-test('buildMaskerHelperCode: output dengan extraKeywords kosong tidak mengandung pipe trailing', () => {
-  const code = masker.buildMaskerHelperCode();
-  assert.ok(!/mfa\|\)/.test(code), 'Regex tidak boleh memiliki pipe tanpa alternative');
-  assert.ok(/mfa\)/.test(code), 'Regex harus diakhiri dengan mfa');
-});
-
-test('collectExplicitSensitiveKeywords: collect unique field dari semua processor', () => {
-  const processors = [
-    {
-      request: {
-        body: {
-          ktp_number: { type: 'string', sensitive: true },
-          normal: { type: 'string' }
-        },
-        headers: {
-          'X-Token-ID': { type: 'string', mapTo: 'token_id', sensitive: true }
-        }
-      }
-    },
-    {
-      request: {
-        body: {
-          ktp_number: { type: 'string', sensitive: true },
-          npwp: { type: 'string', sensitive: true }
-        }
-      }
-    }
-  ];
-  const out = masker.collectExplicitSensitiveKeywords(processors);
-  assert.deepStrictEqual(out.sort(), ['ktp_number', 'npwp', 'token_id']);
-});
-
-test('collectExplicitSensitiveKeywords: handle payload kosong atau tanpa request', () => {
-  assert.deepStrictEqual(masker.collectExplicitSensitiveKeywords([]), []);
-  assert.deepStrictEqual(masker.collectExplicitSensitiveKeywords(null), []);
-  assert.deepStrictEqual(masker.collectExplicitSensitiveKeywords([{ name: 'x' }]), []);
-});

package/generators/tests/unit/lib/sql-table-extractor.test.js

@@ -1,119 +0,0 @@
-'use strict';
-
-const test = require('node:test');
-const assert = require('node:assert');
-
-const {
-  extractTables,
-  extractTablesUnion,
-  _stripCommentsAndStrings
-} = require('../../../lib/utils/sql-table-extractor');
-
-function setEquals(a, b) {
-  if (a.size !== b.size) return false;
-  for (const v of a) if (!b.has(v)) return false;
-  return true;
-}
-
-test('extractTables: empty string returns empty set', () => {
-  const result = extractTables('');
-  assert.strictEqual(result.size, 0);
-});
-
-test('extractTables: simple FROM clause captures table name', () => {
-  const result = extractTables('SELECT * FROM users');
-  assert.ok(setEquals(result, new Set(['users'])));
-});
-
-test('extractTables: FROM + JOIN captured, names lowercased', () => {
-  const result = extractTables('SELECT * FROM Users JOIN Orders ON Users.id = Orders.user_id');
-  assert.ok(setEquals(result, new Set(['users', 'orders'])));
-});
-
-test('extractTables: schema prefix stripped (public.users -> users)', () => {
-  const result = extractTables('SELECT * FROM public.users');
-  assert.ok(setEquals(result, new Set(['users'])));
-});
-
-test('extractTables: multi-line SQL with INNER/LEFT JOIN — semua tertangkap', () => {
-  const sql = `
-    SELECT a.*, b.name, c.total
-    FROM stock_inbound a
-    INNER JOIN supplier b ON b.id = a.supplier_id
-    LEFT JOIN product c ON c.id = a.product_id
-    WHERE a.year = :year
-  `;
-  const result = extractTables(sql);
-  assert.ok(setEquals(result, new Set(['stock_inbound', 'supplier', 'product'])));
-});
-
-test('extractTables: WITH CTE — cte name tertangkap (caller filter via metadata)', () => {
-  const sql = 'WITH cte AS (SELECT 1 AS x) SELECT * FROM cte';
-  const result = extractTables(sql);
-  assert.ok(result.has('cte'));
-});
-
-test('extractTables: single-line comment "-- FROM tablefake" tidak match', () => {
-  const sql = 'SELECT * FROM users -- FROM tablefake\nWHERE id = 1';
-  const result = extractTables(sql);
-  assert.ok(setEquals(result, new Set(['users'])));
-  assert.ok(!result.has('tablefake'));
-});
-
-test('extractTables: literal string "FROM tablefake" tidak match', () => {
-  const sql = "SELECT 'FROM tablefake' AS label FROM users";
-  const result = extractTables(sql);
-  assert.ok(setEquals(result, new Set(['users'])));
-  assert.ok(!result.has('tablefake'));
-});
-
-test('extractTables: multi-line comment /* FROM x */ tidak match', () => {
-  const sql = 'SELECT * /* FROM tablefake */ FROM users';
-  const result = extractTables(sql);
-  assert.ok(setEquals(result, new Set(['users'])));
-  assert.ok(!result.has('tablefake'));
-});
-
-test('extractTables: function-as-table FROM unnest(...) — unnest tertangkap (caller filter)', () => {
-  const sql = 'SELECT v FROM unnest(ARRAY[1,2,3]) AS v';
-  const result = extractTables(sql);
-  assert.ok(result.has('unnest'));
-});
-
-test('extractTablesUnion: union dari beberapa SQL string', () => {
-  const result = extractTablesUnion([
-    'SELECT * FROM a',
-    'SELECT * FROM b JOIN a ON a.id = b.a_id'
-  ]);
-  assert.ok(setEquals(result, new Set(['a', 'b'])));
-});
-
-test('extractTables: real-world SQL dengan FROM + multiple JOIN', () => {
-  const sql = `
-    SELECT
-      si.id,
-      s.name AS supplier_name,
-      p.name AS product_name
-    FROM stock_inbound si
-    JOIN supplier s ON s.id = si.supplier_id
-    JOIN product p ON p.id = si.product_id
-    WHERE si.year = :year
-  `;
-  const result = extractTables(sql);
-  assert.ok(setEquals(result, new Set(['stock_inbound', 'supplier', 'product'])));
-});
-
-test('_stripCommentsAndStrings: line comment, block comment, dan literal string semua di-strip', () => {
-  const sql = "SELECT 'FROM x' /* FROM y */ FROM users -- FROM z";
-  const cleaned = _stripCommentsAndStrings(sql);
-  assert.ok(!/FROM x/.test(cleaned));
-  assert.ok(!/FROM y/.test(cleaned));
-  assert.ok(!/FROM z/.test(cleaned));
-  assert.ok(/FROM users/.test(cleaned));
-});
-
-test('extractTables: non-string input (null/undefined/number) returns empty set', () => {
-  assert.strictEqual(extractTables(null).size, 0);
-  assert.strictEqual(extractTables(undefined).size, 0);
-  assert.strictEqual(extractTables(42).size, 0);
-});