@solidstarters/solid-core 1.2.166 → 1.2.168

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solidstarters/solid-core",
-  "version": "1.2.166",
+  "version": "1.2.168",
   "description": "This module is a NestJS module containing all the required core providers required by a Solid application",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/config/iam.config.ts

@@ -22,6 +22,7 @@ export const iamConfig = registerAs('iam', () => {
             callbackURL: process.env.IAM_GOOGLE_OAUTH_CALLBACK_URL,
             redirectURL: process.env.IAM_GOOGLE_OAUTH_REDIRECT_URL,
         },
+        iamAutoGeneratedPassword:process.env.IAM_AUTOGENERATED_PASSWORD || true
     };
 })
 

package/src/dtos/post-chatter-message.dto.ts

@@ -16,4 +16,4 @@ export class PostChatterMessageDto {
     @IsString()
     @IsOptional()
     messageSubType?: string;
-} 
+}

package/src/entities/chatter-message.entity.ts

@@ -1,14 +1,14 @@
 import { CommonEntity } from 'src/entities/common.entity'
-import {Entity, Column, Index, JoinColumn, ManyToOne} from 'typeorm';
+import { Entity, Column, Index, JoinColumn, ManyToOne } from 'typeorm';
 import { User } from 'src/entities/user.entity'
 
 @Entity("ss_chatter_message")
 export class ChatterMessage extends CommonEntity {
     @Index()
     @Column({ type: "varchar" })
-    messageType: string;
+    messageType: string; // audit | custom 
     @Column({ type: "varchar" })
-    messageSubType: string;
+    messageSubType: string; // update | insert | delete | post_message
     @Column({ type: "text" })
     messageBody: string;
     @Index()

package/src/helpers/security.helper.ts

@@ -1,38 +1,74 @@
+import { HelmetOptions } from "helmet";
 import { Environment } from "src/decorators/disallow-in-production.decorator";
-import { HelmetOptions } from "helmet"; 
 
+/**
+ * Default security headers for SolidX apps.
+ * - HSTS only in prod over HTTPS
+ * - CSP with frame-ancestors 'none' (prevents clickjacking)
+ * - X-Frame-Options: DENY (legacy fallback)
+ * - No X-XSS-Protection (deprecated)
+ */
 export function buildDefaultSecurityHeaderOptions(): Readonly<HelmetOptions> {
-    return {
-    referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+  const isProd = process.env.ENV === Environment.Production;
+
+  return {
+    // Modern CSP. Add more directives as your app needs (script-src, connect-src, etc.)
+    contentSecurityPolicy: {
+      useDefaults: true,
+      directives: {
+        // sensible secure defaults
+        // "default-src": ["'self'"],
+        // "base-uri": ["'self'"],
+        // "object-src": ["'none'"],
+        // "form-action": ["'self'"],
+
+        // clickjacking defense (modern)
+        "frame-ancestors": ["'none'"],
+
+        // add/adjust as needed for your app:
+        // "script-src": ["'self'"],              // add hashes/nonces/CSPRO if needed
+        // "style-src": ["'self'", "'unsafe-inline'"],
+        // "img-src": ["'self'", "data:"],
+        // "connect-src": ["'self'", "https://api.example.com"],
+        // "frame-src": ["'none'"],               // iframes you intentionally allow
+      },
+    },
+
+    
+    // Legacy clickjacking defense (kept for older UAs)
+    frameguard: { action: "deny" },
+
+    // Referrer/cross-origin policies
+    referrerPolicy: { policy: "strict-origin-when-cross-origin" },
     crossOriginEmbedderPolicy: false,
-    crossOriginResourcePolicy: { policy: 'same-site' },
-    frameguard: { action: 'sameorigin' }, // or { action: 'deny' }
-    // HSTS: send only in prod over HTTPS
-    hsts:
-      process.env.NODE_ENV === Environment.Production
-        ? { maxAge: 31536000, includeSubDomains: true, preload: true } // 1 year
-        : false,
-  }
+    crossOriginResourcePolicy: { policy: "same-site" },
+
+    // HSTS only when you’re on HTTPS in production
+    hsts: isProd
+      ? { maxAge: 31536000, includeSubDomains: true, preload: true }
+      : false,
+  };
 }
 
-type Source = 'self' | 'none' | string; // string = an origin like 'https://cdn.example.com'
-type DirectiveConfig = 'self' | 'none' | Source[];
+/* ---------------- Permissions-Policy (formerly Feature-Policy) ---------------- */
 
+type Source = "self" | "none" | string;
+type DirectiveConfig = "self" | "none" | Source[];
 export type PermissionsPolicyConfig = Record<string, DirectiveConfig>;
 
 export const DEFAULT_PERMISSIONS_POLICY: PermissionsPolicyConfig = {
-  camera: 'none',
-  microphone: 'none',
-  geolocation: 'none',
-  fullscreen: 'self',             // allow same-origin fullscreen
-  payment: 'none',
-  accelerometer: 'none',
-  autoplay: 'none',
-  'clipboard-read': 'none',
-  'clipboard-write': 'none',
-  gyroscope: 'none',
-  magnetometer: 'none',
-  usb: 'none',
+  camera: "none",
+  microphone: "none",
+  geolocation: "none",
+  fullscreen: "self",
+  payment: "none",
+  accelerometer: "none",
+  autoplay: "none",
+  "clipboard-read": "none",
+  "clipboard-write": "none",
+  gyroscope: "none",
+  magnetometer: "none",
+  usb: "none",
 };
 
 export function buildPermissionsPolicyHeader(
@@ -41,13 +77,42 @@ export function buildPermissionsPolicyHeader(
   const merged: PermissionsPolicyConfig = { ...DEFAULT_PERMISSIONS_POLICY, ...overrides };
   return Object.entries(merged)
     .map(([feature, value]) => `${feature}=${serializeValue(value)}`)
-    .join(', ');
+    .join(", ");
 }
 
 function serializeValue(v: DirectiveConfig): string {
-  if (v === 'none') return '()';
-  if (v === 'self') return '(self)';
-  // array of sources: allow 'self' and/or explicit origins
-  const parts = v.map(src => (src === 'self' ? 'self' : src)).join(' ');
+  if (v === "none") return "()";
+  if (v === "self") return "(self)";
+  const parts = v.map((src) => (src === "self" ? "self" : src)).join(" ");
   return `(${parts})`;
 }
+
+/* ---------------- Cache-Control helpers ---------------- */
+
+/**
+ * Default: no-store for HTML/API responses unless you have a reason to cache.
+ * Attach as a global middleware or on selected routes.
+ */
+export const DEFAULT_CACHE_CONTROL =
+  "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0";
+
+export function setDefaultCacheControl() {
+  return function cacheControlMiddleware(
+    _req: import("express").Request,
+    _res: import("express").Response,
+    next: import("express").NextFunction
+  ) {
+    _res.setHeader("Cache-Control", DEFAULT_CACHE_CONTROL);
+    next();
+  };
+}
+
+/* ---------------- Example Express wiring ---------------- */
+// import express from "express";
+// const app = express();
+// app.use(helmet(buildDefaultSecurityHeaderOptions()));
+// app.use((req, res, next) => {
+//   res.setHeader("Permissions-Policy", buildPermissionsPolicyHeader());
+//   next();
+// });
+// app.use(setDefaultCacheControl());

package/src/services/authentication.service.ts

@@ -196,7 +196,7 @@ export class AuthenticationService {
 
     private async populateForSignup<T extends User>(user: T, signUpDto: SignUpDto, isUserActive: boolean = true, onForcePasswordChange?: boolean) {
         // const user = new User();
-
+        let autoGeneratedPwdPermission = await this.settingService.getConfigValue('iamAutoGeneratedPassword');
         if (signUpDto.roles && signUpDto.roles.length > 0) {
             for (let i = 0; i < signUpDto.roles.length; i++) {
                 const roleName = signUpDto.roles[i];
@@ -217,7 +217,7 @@ export class AuthenticationService {
         if (signUpDto.password) {
             pwd = await this.hashingService.hash(signUpDto.password);
         }
-        else {
+        if(autoGeneratedPwdPermission?.toString().toLowerCase() === 'true'){
             // TODO: If password is not specified then auto-generate a random password, trigger this password over an email to the user.
             // TODO: Also track if the user has to force reset / change their password, and then activate the user. 
             autoGeneratedPwd = this.generatePassword();