@terreno/api 0.13.2 → 0.14.0

package/src/auth.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {afterEach, beforeEach, describe, expect, it, setSystemTime} from "bun:test";
 import type express from "express";
 import type jwt from "jsonwebtoken";
@@ -8,13 +9,26 @@ import {modelRouter} from "./api";
 import {addAuthRoutes, addMeRoutes, generateTokens, setupAuth} from "./auth";
 import {setupServer} from "./expressServer";
 import {Permissions} from "./permissions";
+import {getCurrentRequestContext} from "./requestContext";
 import {type Food, FoodModel, getBaseServer, setupDb, UserModel} from "./tests";
 import {AdminOwnerTransformer} from "./transformers";
 import {timeout} from "./utils";
 
+const decodeTokenPayload = <T extends Record<string, unknown>>(token: string): T => {
+  const encodedPayload = token.split(".")[1];
+  return JSON.parse(Buffer.from(encodedPayload, "base64url").toString("utf8")) as T;
+};
+
 describe("auth tests", () => {
   let app: express.Application;
   let admin: any;
+  let contextEvents: Array<{
+    currentSessionId?: string;
+    requestId?: string;
+    sessionId?: string;
+    stage: string;
+    userId?: string;
+  }>;
   let notAdmin: any;
   let agent: TestAgent;
 
@@ -23,6 +37,7 @@ describe("auth tests", () => {
     // lockout mechanism needs real time to progress
     setSystemTime();
     [admin, notAdmin] = await setupDb();
+    contextEvents = [];
 
     await Promise.all([
       FoodModel.create({
@@ -76,6 +91,65 @@ describe("auth tests", () => {
           }),
         })
       );
+      router.use(
+        "/context-food",
+        modelRouter(FoodModel, {
+          permissions: {
+            create: [Permissions.IsAuthenticated],
+            delete: [],
+            list: [],
+            read: [],
+            update: [],
+          },
+          postCreate: async (_value, req) => {
+            contextEvents.push({
+              currentSessionId: getCurrentRequestContext()?.sessionId,
+              requestId: req.requestId,
+              sessionId: req.sessionId,
+              stage: "postCreate",
+              userId: req.user?.id,
+            });
+          },
+          preCreate: (body, req) => {
+            contextEvents.push({
+              currentSessionId: getCurrentRequestContext()?.sessionId,
+              requestId: req.requestId,
+              sessionId: req.sessionId,
+              stage: "preCreate",
+              userId: req.user?.id,
+            });
+
+            return {
+              ...(body as Partial<Food>),
+              categories: [],
+              eatenBy: [req.user?._id],
+              expiration: "2026-01-01",
+              lastEatenWith: {},
+              likesIds: [],
+              ownerId: req.user?._id,
+              source: {name: "context-test"},
+              tags: [],
+            } as unknown as Food;
+          },
+          responseHandler: async (value, method, req) => {
+            contextEvents.push({
+              currentSessionId: getCurrentRequestContext()?.sessionId,
+              requestId: req.requestId,
+              sessionId: req.sessionId,
+              stage: `responseHandler:${method}`,
+              userId: req.user?.id,
+            });
+
+            return {
+              id: String((value as {_id: unknown})._id),
+              requestId: req.requestId ?? null,
+              sessionContext: getCurrentRequestContext()?.sessionId ?? null,
+              sessionId: req.sessionId ?? null,
+              userId: req.user?.id ?? null,
+            };
+          },
+        })
+      );
     }
     app = setupServer({
       addRoutes,
@@ -201,6 +275,92 @@ describe("auth tests", () => {
     expect(res.body.data.token).toBeDefined();
   });
 
+  it("passes request and session context through modelRouter hooks", async () => {
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "admin@example.com", password: "securePassword"})
+      .expect(200);
+    const loginTokenPayload = decodeTokenPayload<{sid?: string}>(loginRes.body.data.token);
+
+    const createRes = await agent
+      .post("/context-food")
+      .set("authorization", `Bearer ${loginRes.body.data.token}`)
+      .set("X-Request-ID", "model-router-request-1")
+      .send({calories: 10, name: "Context Apple"})
+      .expect(201);
+
+    expect(loginTokenPayload.sid).toBeDefined();
+    const sessionId = loginTokenPayload.sid;
+    if (!sessionId) {
+      throw new Error("Expected login token to include a session id");
+    }
+    expect(createRes.headers["x-request-id"]).toBe("model-router-request-1");
+    expect(createRes.headers["x-session-id"]).toBe(sessionId);
+    expect(createRes.body.data.requestId).toBe("model-router-request-1");
+    expect(createRes.body.data.sessionId).toBe(sessionId);
+    expect(createRes.body.data.sessionContext).toBe(sessionId);
+    expect(createRes.body.data.userId).toBe(String(admin._id));
+    expect(contextEvents).toEqual([
+      {
+        currentSessionId: sessionId,
+        requestId: "model-router-request-1",
+        sessionId,
+        stage: "preCreate",
+        userId: String(admin._id),
+      },
+      {
+        currentSessionId: sessionId,
+        requestId: "model-router-request-1",
+        sessionId,
+        stage: "postCreate",
+        userId: String(admin._id),
+      },
+      {
+        currentSessionId: sessionId,
+        requestId: "model-router-request-1",
+        sessionId,
+        stage: "responseHandler:create",
+        userId: String(admin._id),
+      },
+    ]);
+  });
+
+  it("preserves JWT session id across refresh and request context", async () => {
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "admin@example.com", password: "securePassword"})
+      .expect(200);
+    const loginTokenPayload = decodeTokenPayload<{sid?: string}>(loginRes.body.data.token);
+    const loginRefreshPayload = decodeTokenPayload<{sid?: string}>(loginRes.body.data.refreshToken);
+
+    expect(loginTokenPayload.sid).toBeDefined();
+    const loginSessionId = loginTokenPayload.sid;
+    if (!loginSessionId) {
+      throw new Error("Expected login token to include a session id");
+    }
+    expect(loginRefreshPayload.sid).toBe(loginSessionId);
+    expect(loginRes.headers["x-session-id"]).toBe(loginSessionId);
+
+    const refreshRes = await agent
+      .post("/auth/refresh_token")
+      .send({refreshToken: loginRes.body.data.refreshToken})
+      .expect(200);
+    const refreshedTokenPayload = decodeTokenPayload<{sid?: string}>(refreshRes.body.data.token);
+    const refreshedRefreshPayload = decodeTokenPayload<{sid?: string}>(
+      refreshRes.body.data.refreshToken
+    );
+
+    expect(refreshedTokenPayload.sid).toBe(loginSessionId);
+    expect(refreshedRefreshPayload.sid).toBe(loginSessionId);
+    expect(refreshRes.headers["x-session-id"]).toBe(loginSessionId);
+
+    const foodRes = await agent
+      .get("/food")
+      .set("authorization", `Bearer ${refreshRes.body.data.token}`)
+      .expect(200);
+    expect(foodRes.headers["x-session-id"]).toBe(loginSessionId);
+  });
+
   it("completes token login e2e", async () => {
     const res = await agent
       .post("/auth/login")

package/src/auth.ts

@@ -1,3 +1,4 @@
+import {randomUUID} from "node:crypto";
 import express from "express";
 import jwt, {type JwtPayload} from "jsonwebtoken";
 import type {Model, ObjectId} from "mongoose";
@@ -11,9 +12,15 @@ import {
 } from "passport-jwt";
 import {Strategy as LocalStrategy} from "passport-local";
 
-import {APIError, apiErrorMiddleware} from "./errors";
+import {APIError, apiErrorMiddleware, errorMessage} from "./errors";
 import type {AuthOptions} from "./expressServer";
 import {logger} from "./logger";
+import {
+  getSessionIdFromJwtPayload,
+  type JwtSessionPayload,
+  setRequestContext,
+  updateRequestContextFromRequest,
+} from "./requestContext";
 
 export interface User {
   _id: ObjectId | string;
@@ -31,14 +38,22 @@ export interface User {
 export interface UserModel extends Model<User> {
   createAnonymousUser?: (id?: string) => Promise<User>;
   // Allows additional setup during signup. This will be passed the rest of req.body from the signup
-  postCreate?: (body: any) => Promise<void>;
+  postCreate?: (body: Record<string, unknown>) => Promise<void>;
 
+  // biome-ignore lint/suspicious/noExplicitAny: passport-local-mongoose return types are untyped
   createStrategy(): any;
+  // biome-ignore lint/suspicious/noExplicitAny: passport-local-mongoose return types are untyped
   serializeUser(): any;
+  // biome-ignore lint/suspicious/noExplicitAny: passport-local-mongoose return types are untyped
   deserializeUser(): any;
+  // biome-ignore lint/suspicious/noExplicitAny: passport-local-mongoose return types are untyped
   findByUsername(username: string, findOpts: any): any;
 }
 
+export interface GenerateTokensOptions {
+  sessionId?: string;
+}
+
 export function authenticateMiddleware(anonymous = false) {
   const strategies = ["jwt"];
   if (anonymous) {
@@ -49,7 +64,7 @@ export function authenticateMiddleware(anonymous = false) {
     failWithError: true,
     session: false,
   });
-  return (req: any, res: any, next: any) => {
+  return (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (req.user) {
       return next();
     }
@@ -61,27 +76,29 @@ export async function signupUser(
   userModel: UserModel,
   email: string,
   password: string,
-  body?: any
+  body?: Record<string, unknown>
 ) {
   // Strip email and password from the body. They can cause mongoose to throw an error if strict is
   // set.
-  const {email: _email, password: _password, ...bodyRest} = body;
+  const {email: _email, password: _password, ...bodyRest} = body ?? {};
 
   try {
+    // biome-ignore lint/suspicious/noExplicitAny: passport-local-mongoose's register() is untyped
     const user = await (userModel as any).register({email, ...bodyRest}, password);
 
     if (user.postCreate) {
       try {
         await user.postCreate(bodyRest);
-      } catch (error: any) {
+      } catch (error: unknown) {
         logger.error(`Error in user.postCreate: ${error}`);
         throw error;
       }
     }
     await user.save();
     return user;
-  } catch (error: any) {
-    throw new APIError({title: error.message});
+  } catch (error: unknown) {
+    const message = errorMessage(error);
+    throw new APIError({title: message});
   }
 }
 
@@ -102,16 +119,22 @@ export async function signupUser(
  * authentication providers) to reuse and customize the same token generation logic.
  * This ensures consistent and secure token issuance across different authentication flows.
  */
-export const generateTokens = async (user: any, authOptions?: AuthOptions) => {
+export const generateTokens = async (
+  user: unknown,
+  authOptions?: AuthOptions,
+  options: GenerateTokensOptions = {}
+) => {
   const tokenSecretOrKey = process.env.TOKEN_SECRET;
   if (!tokenSecretOrKey) {
     throw new Error("TOKEN_SECRET must be set in env.");
   }
-  if (!user?._id) {
+  const tokenUser = user as {_id?: ObjectId | string} | null | undefined;
+  if (!tokenUser?._id) {
     logger.warn("No user found for token generation");
     return {refreshToken: null, token: null};
   }
-  let payload: Record<string, any> = {id: user._id.toString()};
+  const sessionId = options.sessionId ?? randomUUID();
+  let payload: Record<string, unknown> = {id: String(tokenUser._id), sid: sessionId};
   if (authOptions?.generateJWTPayload) {
     payload = {...authOptions.generateJWTPayload(user), ...payload};
   }
@@ -137,7 +160,7 @@ export const generateTokens = async (user: any, authOptions?: AuthOptions) => {
 
   const token = jwt.sign(payload, tokenSecretOrKey, tokenOptions);
   const refreshTokenSecretOrKey = process.env.REFRESH_TOKEN_SECRET;
-  let refreshToken;
+  let refreshToken: string | undefined;
   if (refreshTokenSecretOrKey) {
     const refreshTokenOptions: jwt.SignOptions = {
       expiresIn: "30d",
@@ -159,7 +182,7 @@ export const generateTokens = async (user: any, authOptions?: AuthOptions) => {
   } else {
     logger.info("REFRESH_TOKEN_SECRET not set so refresh tokens will not be issued");
   }
-  return {refreshToken, token};
+  return {refreshToken, sessionId, token};
 };
 
 // TODO allow customization
@@ -215,7 +238,7 @@ export function setupAuth(app: express.Application, userModel: UserModel) {
     passport.use(
       "jwt",
       new JwtStrategy(jwtOpts, async (jwtPayload: JwtPayload, done) => {
-        let user;
+        let user: User | null = null;
         if (!jwtPayload) {
           return done(null, false);
         }
@@ -241,7 +264,11 @@ export function setupAuth(app: express.Application, userModel: UserModel) {
 
   // Adds req.user to the request. This may wind up duplicating requests with passport,
   // but passport doesn't give us req.user early enough.
-  async function decodeJWTMiddleware(req, res, next) {
+  async function decodeJWTMiddleware(
+    req: express.Request,
+    res: express.Response,
+    next: express.NextFunction
+  ) {
     if (!process.env.TOKEN_SECRET) {
       return next();
     }
@@ -260,21 +287,34 @@ export function setupAuth(app: express.Application, userModel: UserModel) {
       return next();
     }
 
-    let decoded;
+    let decoded: jwt.JwtPayload | undefined;
 
     try {
       decoded = jwt.verify(token, process.env.TOKEN_SECRET, {
         issuer: process.env.TOKEN_ISSUER,
       }) as jwt.JwtPayload;
-    } catch (error: any) {
+    } catch (error: unknown) {
       const userText = req.user?._id ? ` for user ${req.user._id} ` : "";
-      const details = `[jwt] Error decoding token${userText}: ${error}, expired at ${error?.expiredAt}, current time: ${Date.now()}`;
+      const expiredAt =
+        error && typeof error === "object" && "expiredAt" in error
+          ? (error as {expiredAt?: unknown}).expiredAt
+          : undefined;
+      const message = errorMessage(error);
+      const details = `[jwt] Error decoding token${userText}: ${error}, expired at ${expiredAt}, current time: ${Date.now()}`;
       logger.debug(details);
-      return res.status(401).json({details, message: error?.message});
+      return res.status(401).json({details, message});
     }
-    if (decoded.id) {
+    if (decoded?.id) {
+      const sessionId = getSessionIdFromJwtPayload(decoded as JwtSessionPayload);
+      req.authTokenPayload = decoded as JwtSessionPayload;
+      if (sessionId) {
+        req.sessionId = sessionId;
+        setRequestContext({sessionId});
+      }
       try {
-        req.user = await userModel.findById(decoded.id);
+        const user = await userModel.findById(decoded.id);
+        req.user = user as unknown as express.Request["user"];
+        updateRequestContextFromRequest(req, res);
         if (req.user?.disabled) {
           logger.warn(`[jwt] User ${req.user.id} is disabled`);
           return res.status(401).json({status: 401, title: "User is disabled"});
@@ -286,6 +326,7 @@ export function setupAuth(app: express.Application, userModel: UserModel) {
     return next();
   }
   app.use(decodeJWTMiddleware);
+  // biome-ignore lint/suspicious/noExplicitAny: express 5 type for urlencoded doesn't match RequestHandler
   app.use(express.urlencoded({extended: false}) as any);
 }
 
@@ -296,23 +337,35 @@ export function addAuthRoutes(
 ): void {
   const router = express.Router();
   router.post("/login", async (req, res, next) => {
-    passport.authenticate("local", {session: false}, async (err: any, user: any, info: any) => {
-      if (err) {
-        logger.error(`Error logging in: ${err}`);
-        return next(err);
-      }
-      if (!user) {
-        logger.warn(`Invalid login: ${info}`);
-        return res.status(401).json({message: info?.message});
-      }
-      if (process.env.NODE_ENV !== "test") {
-        logger.info(`User logged in: ${user._id}, type: ${(user as any).type || "N/A"}`);
+    passport.authenticate(
+      "local",
+      {session: false},
+      async (
+        err: Error | null,
+        user: (User & {type?: string}) | false | null,
+        info: {message?: string} | undefined
+      ) => {
+        if (err) {
+          logger.error(`Error logging in: ${err}`);
+          return next(err);
+        }
+        if (!user) {
+          logger.warn(`Invalid login: ${info}`);
+          return res.status(401).json({message: info?.message});
+        }
+        if (process.env.NODE_ENV !== "test") {
+          logger.info(`User logged in: ${user._id}, type: ${user.type || "N/A"}`);
+        }
+        const tokens = await generateTokens(user, authOptions);
+        if (tokens.sessionId) {
+          setRequestContext({sessionId: tokens.sessionId, userId: String(user._id)});
+          res.setHeader("X-Session-ID", tokens.sessionId);
+        }
+        return res.json({
+          data: {refreshToken: tokens.refreshToken, token: tokens.token, userId: user?._id},
+        });
       }
-      const tokens = await generateTokens(user, authOptions);
-      return res.json({
-        data: {refreshToken: tokens.refreshToken, token: tokens.token, userId: user?._id},
-      });
-    })(req, res, next);
+    )(req, res, next);
   });
 
   router.post("/refresh_token", async (req, res) => {
@@ -329,16 +382,25 @@ export function addAuthRoutes(
       return res.status(401).json({message: "No REFRESH_TOKEN_SECRET set, cannot refresh token"});
     }
     const refreshTokenSecretOrKey = process.env.REFRESH_TOKEN_SECRET;
-    let decoded;
+    let decoded: JwtPayload;
     try {
       decoded = jwt.verify(req.body.refreshToken, refreshTokenSecretOrKey) as JwtPayload;
-    } catch (error: any) {
+    } catch (error: unknown) {
       logger.error(`Error refreshing token for user ${req.user?.id}: ${error}`);
-      return res.status(401).json({message: error?.message});
+      const message = errorMessage(error);
+      return res.status(401).json({message});
     }
     if (decoded?.id) {
       const user = await userModel.findById(decoded.id);
-      const tokens = await generateTokens(user, authOptions);
+      const sessionId = getSessionIdFromJwtPayload(decoded as JwtSessionPayload);
+      const tokens = await generateTokens(user, authOptions, {sessionId});
+      if (tokens.sessionId) {
+        setRequestContext({
+          sessionId: tokens.sessionId,
+          userId: user?._id ? String(user._id) : undefined,
+        });
+        res.setHeader("X-Session-ID", tokens.sessionId);
+      }
       logger.debug(`Refreshed token for ${user?.id}`);
       return res.json({data: {refreshToken: tokens.refreshToken, token: tokens.token}});
     }
@@ -351,10 +413,17 @@ export function addAuthRoutes(
     router.post(
       "/signup",
       passport.authenticate("signup", {failWithError: true, session: false}),
-      async (req: any, res: any) => {
+      async (req: express.Request, res: express.Response) => {
         const tokens = await generateTokens(req.user, authOptions);
+        if (tokens.sessionId) {
+          setRequestContext({
+            sessionId: tokens.sessionId,
+            userId: req.user?._id ? String(req.user._id) : undefined,
+          });
+          res.setHeader("X-Session-ID", tokens.sessionId);
+        }
         return res.json({
-          data: {refreshToken: tokens.refreshToken, token: tokens.token, userId: req.user._id},
+          data: {refreshToken: tokens.refreshToken, token: tokens.token, userId: req.user?._id},
         });
       }
     );
@@ -379,8 +448,8 @@ export function addMeRoutes(
       logger.debug("Not user data found for /me");
       return res.sendStatus(404);
     }
-    const dataObject = data.toObject();
-    (dataObject as any).id = data._id;
+    const dataObject = data.toObject() as unknown as Record<string, unknown>;
+    dataObject.id = data._id;
     return res.json({data: dataObject});
   });
 
@@ -396,17 +465,18 @@ export function addMeRoutes(
     // try {
     //   body = transform(req.body, "update", req.user);
     // } catch (e) {
-    //   return res.status(403).send({message: (e as any).message});
+    //   return res.status(403).send({message: (e as Error).message});
     // }
     try {
       Object.assign(doc, req.body);
       await doc.save();
 
-      const dataObject = doc.toObject();
-      (dataObject as any).id = doc._id;
+      const dataObject = doc.toObject() as unknown as Record<string, unknown>;
+      dataObject.id = doc._id;
       return res.json({data: dataObject});
-    } catch (error) {
-      return res.status(403).send({message: (error as any).message});
+    } catch (error: unknown) {
+      const message = errorMessage(error);
+      return res.status(403).send({message});
     }
   });
 

package/src/betterAuthApp.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {afterAll, afterEach, describe, expect, it} from "bun:test";
 import express from "express";
 import {MongoMemoryServer} from "mongodb-memory-server";

package/src/betterAuthSetup.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {afterAll, afterEach, describe, expect, it, mock} from "bun:test";
 import express from "express";
 import {MongoMemoryServer} from "mongodb-memory-server";