@solidstarters/solid-core 1.2.153 → 1.2.154

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solidstarters/solid-core",
-  "version": "1.2.153",
+  "version": "1.2.154",
   "description": "This module is a NestJS module containing all the required core providers required by a Solid application",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -39,6 +39,7 @@
     "@elasticemail/elasticemail-client": "^4.0.23",
     "@hapi/joi": "^17.1.1",
     "@nestjs/schedule": "^6.0.0",
+    "@nestjs/throttler": "^6.4.0",
     "amqplib": "^0.10.4",
     "axios": "^1.7.0",
     "bcrypt": "^5.1.1",
@@ -50,6 +51,7 @@
     "exceljs": "^4.4.0",
     "fast-csv": "^5.0.2",
     "handlebars": "^4.7.8",
+    "helmet": "^8.1.0",
     "ioredis": "^5.4.1",
     "locale-codes": "^1.3.1",
     "lodash": "^4.17.21",

package/src/config/iam.config.ts

@@ -9,10 +9,13 @@ export const iamConfig = registerAs('iam', () => {
         activateUserOnRegistration: (process.env.IAM_ACTIVATE_USER_ON_REGISTRATION ?? 'true') === 'true',
         autoLoginUserOnRegistration: (process.env.IAM_AUTO_LOGIN_USER_ON_REGISTRATION ?? 'false') === 'true',
         otpExpiry: parseInt(process.env.IAM_OTP_EXPIRY ?? '10'),
+        forgotPasswordVerificationTokenExpiry: parseInt(process.env.IAM_FORGOT_PASSWORD_VERIFICATION_TOKEN_EXPIRY ?? '10'),
         defaultRole: process.env.IAM_DEFAULT_ROLE ?? 'Public',
         dummyOtp: process.env.IAM_OTP_DUMMY,
         forgotPasswordSendVerificationTokenOn: process.env.IAM_FORGOT_PASSWORD_SEND_VERIFICATION_TOKEN_ON ?? 'email',
         forceChangePasswordOnFirstLogin:true,
+        PASSWORD_REGEX: process.env.PASSWORD_REGEX || '^$|^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[^\\da-zA-Z]).*$',
+        PASSWORD_COMPLEXITY_DESC : process.env.PASSWORD_COMPLEXITY_DESC || 'Password must contain at least one uppercase, one lowercase, one number, and one special character.',
         googleOauth: {
             clientID: process.env.IAM_GOOGLE_OAUTH_CLIENT_ID,
             clientSecret: process.env.IAM_GOOGLE_OAUTH_CLIENT_SECRET,

package/src/constants/error-messages.ts

@@ -21,7 +21,7 @@ export const ERROR_MESSAGES = {
     USER_ID_MISMATCH: "User ID's do not match.",
     USERNAME_MISMATCH: "User username's do not match.",
     INCORRECT_CURRENT_PASSWORD: 'Incorrect current password specified.',
-    PASSWORD_REUSED: 'This password was previously used, please use a different password.',
+    PASSWORD_REUSED: 'Try a different password',
     INVALID_VERIFICATION_TOKEN: 'Invalid verification token',
     ACCESS_DENIED: 'Access denied',
     INVALID_USER_PROFILE: 'Invalid user profile',

package/src/controllers/ai-interaction.controller.ts

@@ -5,6 +5,8 @@ import { AiInteractionService } from '../services/ai-interaction.service';
 import { CreateAiInteractionDto } from '../dtos/create-ai-interaction.dto';
 import { UpdateAiInteractionDto } from '../dtos/update-ai-interaction.dto';
 import { InvokeAiPromptDto } from '../dtos/invoke-ai-prompt.dto';
+import { ActiveUser } from 'src/decorators/active-user.decorator';
+import { ActiveUserData } from 'src/interfaces/active-user-data.interface';
 
 enum ShowSoftDeleted {
   INCLUSIVE = "inclusive",
@@ -92,8 +94,8 @@ export class AiInteractionController {
 
   @ApiBearerAuth("jwt")
   @Post('/trigger-mcp-client-job')
-  async triggerMcpClientJob(@Body() dto: InvokeAiPromptDto) {
-    return this.service.triggerMcpClientJob(dto.prompt);
+  async triggerMcpClientJob(@Body() dto: InvokeAiPromptDto, @ActiveUser() activeUser: ActiveUserData) {
+    return this.service.triggerMcpClientJob(dto.prompt, activeUser.sub);
   }
 
   @ApiBearerAuth("jwt")

package/src/controllers/authentication.controller.ts

@@ -1,29 +1,31 @@
 import { Body, Controller, Get, HttpCode, HttpStatus, Logger, Post, Res, UseGuards } from '@nestjs/common';
-import { AuthenticationService } from '../services/authentication.service';
-import { SignInDto } from '../dtos/sign-in.dto';
-import { SignUpDto } from '../dtos/sign-up.dto';
-import { Response } from 'express';
-import { RefreshTokenDto } from '../dtos/refresh-token.dto';
 import { ApiBearerAuth, ApiTags } from '@nestjs/swagger';
-import { LocalAuthGuard } from '../passport-strategies/local.strategy';
+import { SkipThrottle, ThrottlerGuard } from '@nestjs/throttler';
+import { Response } from 'express';
+import { ActiveUser } from "../decorators/active-user.decorator";
 import { Public } from '../decorators/public.decorator';
-import { InitiateForgotPasswordDto } from '../dtos/initiate-forgot-password.dto';
-import { ConfirmForgotPasswordDto } from '../dtos/confirm-forgot-password.dto';
 import { ChangePasswordDto } from "../dtos/change-password.dto";
-import { ActiveUser } from "../decorators/active-user.decorator";
+import { ConfirmForgotPasswordDto } from '../dtos/confirm-forgot-password.dto';
+import { InitiateForgotPasswordDto } from '../dtos/initiate-forgot-password.dto';
+import { RefreshTokenDto } from '../dtos/refresh-token.dto';
+import { SignInDto } from '../dtos/sign-in.dto';
+import { SignUpDto } from '../dtos/sign-up.dto';
 import { ActiveUserData } from "../interfaces/active-user-data.interface";
-import { RegisterPrivateDto } from '../dtos/register-private.dto';
+import { AuthenticationService } from '../services/authentication.service';
 
 
 // @Auth(AuthType.None)
 @Controller('iam')
 @ApiTags("Iam")
+@UseGuards(ThrottlerGuard)
+@SkipThrottle({login: true, short: true, burst: true, sustained: true}) // disable all sets by default for this controller
 export class AuthenticationController {
     private readonly logger = new Logger(AuthenticationController.name);
 
     constructor(private readonly authService: AuthenticationService) { }
 
     @Public()
+    @SkipThrottle({ login: false }) //Enable the login throttle only 
     @Post('register')
     signUp(@Body() signUpDto: SignUpDto) {
         return this.authService.signUp(signUpDto);
@@ -37,6 +39,7 @@ export class AuthenticationController {
 
     @Public()
     // @UseGuards(LocalAuthGuard)
+    @SkipThrottle({ login: false }) //Enable the login throttle only
     @HttpCode(HttpStatus.OK) // by default @Post does 201, we wanted 200 - hence using @HttpCode(HttpStatus.OK)
     @Post('authenticate')
     async signIn(
@@ -59,6 +62,7 @@ export class AuthenticationController {
     }
 
     @Public()
+    @SkipThrottle({ login: false }) //Enable the login throttle only
     @HttpCode(HttpStatus.OK) // changed since the default is 201
     @Post('refresh-tokens')
     refreshTokens(@Body() refreshTokenDto: RefreshTokenDto) {
@@ -66,12 +70,14 @@ export class AuthenticationController {
     }
 
     @Public()
+    @SkipThrottle({ login: false }) //Enable the login throttle only
     @Post('initiate/forgot-password')
     initiateForgotPassword(@Body() initiateForgotPasswordDto: InitiateForgotPasswordDto) {
         return this.authService.initiateForgotPassword(initiateForgotPasswordDto);
     }
 
     @Public()
+    @SkipThrottle({ login: false }) //Enable the login throttle only
     @Post('confirm/forgot-password')
     confirmForgotPassword(@Body() confirmForgotPasswordDto: ConfirmForgotPasswordDto) {
         return this.authService.confirmForgotPassword(confirmForgotPasswordDto);

package/src/controllers/email-template.controller.ts

@@ -1,4 +1,4 @@
-import { Body, Controller, Delete, Get, Header, Param, Patch, Post, Put, Query, UploadedFiles, UseInterceptors } from '@nestjs/common';
+import { Body, Controller, Delete, Get, Header, Param, Patch, Post, Put, Query, UploadedFiles, UseGuards, UseInterceptors } from '@nestjs/common';
 import { ApiBearerAuth, ApiQuery, ApiTags } from '@nestjs/swagger';
 import { PaginationQueryDto } from 'src/dtos/pagination-query.dto';
 import { Roles } from 'src/decorators/roles.decorator';
@@ -13,10 +13,13 @@ import { Public } from 'src/decorators/public.decorator';
 // import { Mailgen } from 'mailgen';
 import Mailgen = require('mailgen');
 import { AnyFilesInterceptor } from '@nestjs/platform-express';
+import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
 
 
 @Controller('email-template')
 @ApiTags("Common")
+@UseGuards(ThrottlerGuard)
+@SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only 
 export class EmailTemplateController {
   constructor(private readonly service: EmailTemplateService) { }
 

package/src/controllers/google-authentication.controller.ts

@@ -10,11 +10,15 @@ import { UserService } from '../services/user.service';
 import { Public } from '../decorators/public.decorator';
 import { iamConfig } from '../config/iam.config';
 import { isGoogleOAuthConfigured } from 'src/helpers/google-oauth.helper';
+import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
+
 
 
 @Auth(AuthType.None)
 @Controller('iam/google')
 @ApiTags("Iam")
+@UseGuards(ThrottlerGuard)
+@SkipThrottle({ login: false, short: false, burst: true, sustained: true }) //Enable the login throttle only 
 export class GoogleAuthenticationController {
     constructor(
         @Inject(iamConfig.KEY) private iamConfiguration: ConfigType<typeof iamConfig>,

package/src/controllers/media.controller.ts

@@ -1,10 +1,11 @@
-import { Controller, Post, Body, Param, UploadedFiles, UseInterceptors, Put, Get, Query, Delete, Patch } from '@nestjs/common';
+import { Controller, Post, Body, Param, UploadedFiles, UseInterceptors, Put, Get, Query, Delete, Patch, UseGuards } from '@nestjs/common';
 import { AnyFilesInterceptor } from "@nestjs/platform-express";
 import { ApiBearerAuth, ApiQuery, ApiTags } from '@nestjs/swagger';
 import { Public } from 'src/decorators/public.decorator';
 import { MediaService } from 'src/services/media.service';
 import { CreateMediaDto } from 'src/dtos/create-media.dto';
 import { UpdateMediaDto } from 'src/dtos/update-media.dto';
+import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
 
 enum ShowSoftDeleted {
   INCLUSIVE = "inclusive",
@@ -13,6 +14,8 @@ enum ShowSoftDeleted {
 
 @ApiTags('Solid Core')
 @Controller('media')
+@UseGuards(ThrottlerGuard)
+@SkipThrottle({ short: true, login: true, burst: true, sustained: true }) //Skip all
 export class MediaController {
   constructor(private readonly service: MediaService) {}
 
@@ -46,6 +49,7 @@ export class MediaController {
   }
 
   @Public()
+  @SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only
   @ApiBearerAuth("jwt")
   @Post('/upload')
   @UseInterceptors(AnyFilesInterceptor())

package/src/controllers/model-metadata.controller.ts

@@ -1,13 +1,16 @@
-import { Body, Controller, Delete, Get, Logger, Param, ParseIntPipe, Post, Put, Query } from '@nestjs/common';
+import { Body, Controller, Delete, Get, Logger, Param, ParseIntPipe, Post, Put, Query, UseGuards } from '@nestjs/common';
 import { ApiBearerAuth, ApiQuery, ApiTags } from '@nestjs/swagger';
 import { Public } from 'src/decorators/public.decorator';
 import { BasicFilterDto } from '../dtos/basic-filters.dto';
 import { CreateModelMetadataDto } from '../dtos/create-model-metadata.dto';
 import { UpdateModelMetaDataDto } from '../dtos/update-model-metadata.dto';
 import { ModelMetadataService } from '../services/model-metadata.service';
+import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
 
 @Controller('model-metadata')
 @ApiTags("App Builder")
+@UseGuards(ThrottlerGuard)
+@SkipThrottle({ short: true, login: true, burst: true, sustained: true }) //Skip all
 export class ModelMetadataController {
     private logger = new Logger('ModelMetadataController');
 
@@ -32,6 +35,7 @@ export class ModelMetadataController {
     }
 
     @Public()
+    @SkipThrottle({ burst: false, short: true, login: true, sustained: true }) //Enable burst only
     @Get('public')
     async findManyPublic() {
         const basicFilterDto: BasicFilterDto = {
@@ -40,7 +44,7 @@ export class ModelMetadataController {
             offset: 0,
             filters: [],
             groupBy: [],
-            populate: [],
+            populate: [],   
             populateMedia: [],
             sort: []
         }
@@ -61,6 +65,7 @@ export class ModelMetadataController {
     }
 
     @Public()
+    @SkipThrottle({ short: false, burst: true, login: true, sustained: true }) //Enable short only
     @Post('/update-user-key')
     updateUserKey(@Body() data: any) {
         return this.modelMetadataService.updateUserKey(data);

package/src/controllers/otp-authentication.controller.ts

@@ -1,4 +1,4 @@
-import { Body, Controller, HttpCode, HttpStatus, Post, Res } from '@nestjs/common';
+import { Body, Controller, HttpCode, HttpStatus, Post, Res, UseGuards } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { Response } from 'express';
 import { Auth } from '../decorators/auth.decorator';
@@ -8,11 +8,14 @@ import { OTPSignInDto } from '../dtos/otp-sign-in.dto';
 import { OTPSignUpDto } from '../dtos/otp-sign-up.dto';
 import { AuthType } from '../enums/auth-type.enum';
 import { AuthenticationService } from '../services/authentication.service';
+import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
 
 
 @Auth(AuthType.None)
 @Controller('iam/otp')
 @ApiTags("Iam")
+@UseGuards(ThrottlerGuard)
+@SkipThrottle({ login: false, short: true, burst: true, sustained: true }) //Enable the login throttle only
 export class OTPAuthenticationController {
     constructor(private readonly authService: AuthenticationService) { }
 

package/src/controllers/service.controller.ts

@@ -1,12 +1,15 @@
-import { Body, Controller, Get, Logger, Post } from '@nestjs/common';
+import { Body, Controller, Get, Logger, Post, UseGuards } from '@nestjs/common';
 import { DiscoveryService, MetadataScanner, Reflector } from '@nestjs/core';
 import { Public } from 'src/decorators/public.decorator';
 import { SolidRegistry } from '../helpers/solid-registry';
 import { ApiTags } from '@nestjs/swagger';
+import { ThrottlerGuard, SkipThrottle } from '@nestjs/throttler';
 
 
 @Controller('')
 @ApiTags("Common")
+@UseGuards(ThrottlerGuard)
+@SkipThrottle({ short: true, login: true, burst: true, sustained: true }) //Skip all
 export class ServiceController {
     private readonly logger = new Logger(ServiceController.name);
 
@@ -21,6 +24,7 @@ export class ServiceController {
     }
 
     @Public()
+    @SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only
     @Post('seed')
     async seedData(@Body() seedData: any) {
         const seeder = this.solidRegistry

package/src/controllers/sms-template.controller.ts

@@ -1,16 +1,17 @@
-import { Body, Controller, Delete, Get, Param, Patch, Post, Put, Query, UploadedFiles, UseInterceptors } from '@nestjs/common';
-import { ApiBearerAuth, ApiQuery, ApiTags } from '@nestjs/swagger';
-import { PaginationQueryDto } from 'src/dtos/pagination-query.dto';
-import { Roles } from 'src/decorators/roles.decorator';
-import { SmsTemplateService } from '../services/sms-template.service';
+import { Body, Controller, Delete, Get, Param, Post, Put, Query, UploadedFiles, UseGuards, UseInterceptors } from '@nestjs/common';
+import { AnyFilesInterceptor } from '@nestjs/platform-express';
+import { ApiQuery, ApiTags } from '@nestjs/swagger';
+import { SkipThrottle, ThrottlerGuard } from '@nestjs/throttler';
+import { Public } from 'src/decorators/public.decorator';
 import { CreateSmsTemplateDto } from '../dtos/create-sms-template.dto';
 import { UpdateSmsTemplateDto } from '../dtos/update-sms-template.dto';
-import { Public } from 'src/decorators/public.decorator';
-import { AnyFilesInterceptor } from '@nestjs/platform-express';
+import { SmsTemplateService } from '../services/sms-template.service';
 
 
 @Controller('sms-template')
 @ApiTags("Common")
+@UseGuards(ThrottlerGuard)
+@SkipThrottle({ short: false, login: true, burst: true, sustained: true }) //Enable the short throttle only
 export class SmsTemplateController {
   constructor(private readonly service: SmsTemplateService) { }
 

package/src/decorators/solid-password.decorator.ts

@@ -0,0 +1,51 @@
+// solid-password.decorator.ts
+import {
+    registerDecorator,
+    ValidationArguments,
+    ValidationOptions,
+    ValidatorConstraint,
+    ValidatorConstraintInterface,
+} from 'class-validator';
+import { Injectable } from '@nestjs/common';
+import { iamConfig } from '../config/iam.config';
+
+interface SolidPasswordOptions extends ValidationOptions {
+    regex?: RegExp | string;
+    message ?: string;
+}
+
+@ValidatorConstraint({ async: false })
+@Injectable()
+export class SolidPasswordConstraint implements ValidatorConstraintInterface {
+    validate(value: string, args: ValidationArguments) {
+        if (!value) return false;
+
+        const opts = args.constraints[0] as SolidPasswordOptions;
+
+        // priority: decorator-provided regex → iamConfig().PASSWORD_REGEX
+        const regex = opts?.regex || iamConfig().PASSWORD_REGEX;
+
+        return new RegExp(regex).test(value);
+    }
+
+    defaultMessage(args?: ValidationArguments): string {
+        const opts = args?.constraints?.[0] as SolidPasswordOptions;
+
+        // Just use the string from decorator if passed, otherwise use iamConfig
+        return opts?.message || iamConfig().PASSWORD_COMPLEXITY_DESC;
+    }
+}
+
+export function SolidPasswordRegex(
+    options?: SolidPasswordOptions,
+): PropertyDecorator {
+    return (object: Object, propertyName: string) => {
+        registerDecorator({
+            target: object.constructor,
+            propertyName,
+            options,
+            constraints: [options],
+            validator: SolidPasswordConstraint,
+        });
+    };
+}

package/src/dtos/change-password.dto.ts

@@ -1,4 +1,5 @@
 import { IsNotEmpty } from "class-validator";
+import { SolidPasswordRegex } from "src/decorators/solid-password.decorator";
 
 export class ChangePasswordDto {
     @IsNotEmpty()
@@ -11,5 +12,6 @@ export class ChangePasswordDto {
     currentPassword: string;
 
     @IsNotEmpty()
+    @SolidPasswordRegex({ regex: /^$|^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\da-zA-Z]).*$/})
     newPassword: string;
 }

package/src/dtos/confirm-forgot-password.dto.ts

@@ -1,4 +1,5 @@
 import { IsNotEmpty, IsOptional } from "class-validator";
+import { SolidPasswordRegex } from "src/decorators/solid-password.decorator";
 
 export class ConfirmForgotPasswordDto {
     @IsNotEmpty()
@@ -13,5 +14,6 @@ export class ConfirmForgotPasswordDto {
     verificationToken: string;
 
     @IsNotEmpty()
+    @SolidPasswordRegex({ regex: /^$|^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\da-zA-Z]).*$/})
     password: string;
 }

package/src/helpers/cors.helper.ts

@@ -0,0 +1,34 @@
+import { CorsOptions } from 'cors';
+import { ConfigService } from '@nestjs/config';
+
+/** Build CorsOptions from env; supports wildcards like https://*.example.com */
+export function buildDefaultCorsOptions(configService: ConfigService): CorsOptions {
+  const rawOrigins = configService.get<string>('CORS_ORIGINS') ?? '';
+  const allowed = rawOrigins.split(',').map(s => s.trim()).filter(Boolean);
+
+  const escapeRx = (s: string) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const patternToRegex = (pattern: string): RegExp => {
+    const hasScheme = /^https?:\/\//i.test(pattern);
+    const schemePart = hasScheme ? '' : 'https?:\\/\\/';
+    if (pattern === '*' || pattern === '.*') return /^.*$/i;
+    const escaped = escapeRx(pattern)
+      .replace(/^https?:\/\//i, '')      // strip scheme if present
+      .replace(/\*/g, '[^.]+');          // * => one subdomain segment
+    return new RegExp(`^${schemePart}${escaped}(?::\\d+)?$`, 'i');
+  };
+
+  const matchers = allowed.map(patternToRegex);
+  const isAllowed = (origin: string) =>
+    matchers.length > 0 && matchers.some(rx => rx.test(origin));
+
+  return {
+    origin: (origin, cb) => {
+      if (!origin) return cb(null, true);           // allow no-origin (CLI/mobile/internal)
+      if (isAllowed(origin)) return cb(null, true);
+      return cb(new Error(`Origin ${origin} not allowed by CORS`), false);
+    },
+    methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+    allowedHeaders: ['Content-Type', 'Authorization'],
+    credentials: true,
+  };
+}

package/src/helpers/security.helper.ts

@@ -0,0 +1,53 @@
+import { Environment } from "src/decorators/disallow-in-production.decorator";
+import { HelmetOptions } from "helmet"; 
+
+export function buildDefaultSecurityHeaderOptions(): Readonly<HelmetOptions> {
+    return {
+    referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+    crossOriginEmbedderPolicy: false,
+    crossOriginResourcePolicy: { policy: 'same-site' },
+    frameguard: { action: 'sameorigin' }, // or { action: 'deny' }
+    // HSTS: send only in prod over HTTPS
+    hsts:
+      process.env.NODE_ENV === Environment.Production
+        ? { maxAge: 31536000, includeSubDomains: true, preload: true } // 1 year
+        : false,
+  }
+}
+
+type Source = 'self' | 'none' | string; // string = an origin like 'https://cdn.example.com'
+type DirectiveConfig = 'self' | 'none' | Source[];
+
+export type PermissionsPolicyConfig = Record<string, DirectiveConfig>;
+
+export const DEFAULT_PERMISSIONS_POLICY: PermissionsPolicyConfig = {
+  camera: 'none',
+  microphone: 'none',
+  geolocation: 'none',
+  fullscreen: 'self',             // allow same-origin fullscreen
+  payment: 'none',
+  accelerometer: 'none',
+  autoplay: 'none',
+  'clipboard-read': 'none',
+  'clipboard-write': 'none',
+  gyroscope: 'none',
+  magnetometer: 'none',
+  usb: 'none',
+};
+
+export function buildPermissionsPolicyHeader(
+  overrides: Partial<PermissionsPolicyConfig> = {}
+): string {
+  const merged: PermissionsPolicyConfig = { ...DEFAULT_PERMISSIONS_POLICY, ...overrides };
+  return Object.entries(merged)
+    .map(([feature, value]) => `${feature}=${serializeValue(value)}`)
+    .join(', ');
+}
+
+function serializeValue(v: DirectiveConfig): string {
+  if (v === 'none') return '()';
+  if (v === 'self') return '(self)';
+  // array of sources: allow 'self' and/or explicit origins
+  const parts = v.map(src => (src === 'self' ? 'self' : src)).join(' ');
+  return `(${parts})`;
+}

package/src/index.ts

@@ -134,6 +134,7 @@ export * from './entities/dashboard-question-sql-dataset-config.entity'
 export * from './entities/ai-interaction.entity'
 
 export * from './enums/auth-type.enum'
+export * from './decorators/disallow-in-production.decorator'
 
 export * from './filters/http-exception.filter'
 
@@ -167,6 +168,8 @@ export * from './helpers/field-crud-managers/SelectionStaticFieldCrudManager' //
 export * from './helpers/field-crud-managers/ShortTextFieldCrudManager' //rename
 export * from './helpers/field-crud-managers/UUIDFieldCrudManager' //rename
 export * from './helpers/environment.helper'
+export * from './helpers/cors.helper'
+export * from './helpers/security.helper'
 
 export * from './services/crud.service'
 export * from './interceptors/logging.interceptor'

package/src/repository/chatter-message-details.repository.ts

@@ -0,0 +1,109 @@
+import { Injectable } from '@nestjs/common';
+import {
+  DataSource,
+  QueryRunner,
+  SelectQueryBuilder,
+} from 'typeorm';
+import { camelize, classify } from '@angular-devkit/core/src/utils/strings';
+
+import { ChatterMessageDetails } from 'src/entities/chatter-message-details.entity';
+import { ActiveUserData } from 'src/interfaces/active-user-data.interface';
+import { RequestContextService } from 'src/services/request-context.service';
+import { SecurityRuleRepository } from './security-rule.repository';
+import { SolidBaseRepository } from './solid-base.repository';
+import {get} from "lodash"
+
+
+@Injectable()
+export class ChatterMessageDetailsRepository extends SolidBaseRepository<ChatterMessageDetails> {
+  constructor(
+    readonly dataSource: DataSource,
+    readonly requestContextService: RequestContextService,
+    readonly securityRuleRepository: SecurityRuleRepository,
+  ) {
+    super(ChatterMessageDetails, dataSource, requestContextService, securityRuleRepository);
+  }
+    private readonly CO_MODEL_NAME_PATH = 'filters.chatterMessage.coModelName.$eq';
+
+  /**
+   * Build a security-aware QB:
+   *  - join the real relation to ChatterMessage (alias: "message")
+   *  - left join the polymorphic co-model table using message.co_model_* fields
+   *  - (optionally) apply security rules on the co-model alias
+   */
+  override createQueryBuilder(
+    alias = 'detail',
+    queryRunner?: QueryRunner,
+  ): SelectQueryBuilder<ChatterMessageDetails> {
+    const activeUser = this.requestContextService.getActiveUser();
+    let qb = super.createQueryBuilder(alias, queryRunner);
+
+    // Join the real relation so we can access co_model_* fields
+    qb = qb.leftJoin(`${alias}.chatterMessage`, 'chatterMessage');
+
+    // Example: join the "client" co-model (pass whatever co-model name you need)
+    const [coModelName, coModelAlias] = this.getCoModelNameAndAlias();
+
+    qb = this.leftJoinCoModel(qb, coModelName, 'chatterMessage');
+
+    if (!activeUser) return qb;
+
+    // If your security rules should apply to the co-model rows, pass the co-model alias.
+    // Here we use the co-model name "client" both as model key and alias base for consistency.
+    return this.securityRuleRepository.applySecurityRules(
+      qb,
+      coModelName,                           // modelSingularName (or whatever your rules expect)
+      activeUser as ActiveUserData,
+      coModelAlias,      // the alias we used inside leftJoinCoModel
+    );
+  }
+
+  /**
+   * Left-join the polymorphic co-model table, matching:
+   *   <coModelAlias>.id = <messageAlias>.co_model_entity_id
+   *   AND <messageAlias>.co_model_name = :model
+   *
+   * @param qb            QB built on ChatterMessageDetails
+   * @param coModelName   e.g. "client" | "invoice" | ...
+   * @param messageAlias  alias used for joined ChatterMessage (default: "message")
+   *
+   * Notes:
+   * - We resolve the entity metadata from the classified name (e.g., "Client"),
+   *   then use metadata.tablePath to get schema-qualified table.
+   * - We build a stable alias from metadata.name (camelized).
+   */
+  leftJoinCoModel<T>(
+    qb: SelectQueryBuilder<T>,
+    coModelName: string,
+    messageAlias: string = 'message',
+  ): SelectQueryBuilder<T> {
+    // Resolve entity metadata from your naming convention
+    const entityName = classify(coModelName);                 // "client" -> "Client"
+    const meta = this.dataSource.getMetadata(entityName);     // throws if not registered
+    // const table = meta.tablePath;                             // schema-qualified
+    const coAlias = camelize(meta.name);                      // stable alias, e.g., "client"
+
+    // LEFT JOIN "<schema>"."<table>" "<coAlias>"
+    //   ON "<coAlias>"."id" = "message"."co_model_entity_id"
+    //  AND "message"."co_model_name" = :model
+    qb.leftJoin(
+      entityName,
+      coAlias,
+      `"${coAlias}"."id" = "${messageAlias}"."co_model_entity_id" AND "${messageAlias}"."co_model_name" = :model`,
+      { model: coModelName },
+    );
+
+    return qb;
+  }
+
+  // This uses the requestContextService.getRequestFilter method and extracts the coModelName and creates the alias and returns the name and alias tuple
+  private getCoModelNameAndAlias() {
+    const requestFilter = this.requestContextService.getRequestFilter();
+    if (!requestFilter) return [undefined, undefined];
+
+    const coModelName = get(requestFilter, this.CO_MODEL_NAME_PATH);
+    const alias = camelize(coModelName);
+    return [coModelName, alias];
+  }
+
+}