@terreno/api 0.18.0 → 0.20.0

package/src/api.test.ts

@@ -2010,9 +2010,13 @@ describe("@terreno/api", () => {
     });
 
     it("returns 409 when precise conflict timestamp is older than doc.updated", async () => {
+      const ifUnmodifiedSince = DateTime.fromISO("2025-06-15T12:00:01.000Z").toHTTP();
+      if (ifUnmodifiedSince === null) {
+        throw new Error("expected HTTP If-Unmodified-Since value");
+      }
       await agent
         .patch(`/food/${spinach._id}`)
-        .set("If-Unmodified-Since", DateTime.fromISO("2025-06-15T12:00:01.000Z").toHTTP()!)
+        .set("If-Unmodified-Since", ifUnmodifiedSince)
         .set("X-Unmodified-Since-ISO", "2025-06-15T11:59:59.500Z")
         .send({name: "Precise Stale"})
         .expect(409);
@@ -2024,9 +2028,13 @@ describe("@terreno/api", () => {
         {$unset: {updated: ""}}
       );
 
+      const ifUnmodifiedSince = DateTime.fromISO("2025-06-15T11:59:59.999Z").toHTTP();
+      if (ifUnmodifiedSince === null) {
+        throw new Error("expected HTTP If-Unmodified-Since value");
+      }
       const res = await agent
         .patch(`/food/${spinach._id}`)
-        .set("If-Unmodified-Since", DateTime.fromISO("2025-06-15T11:59:59.999Z").toHTTP()!)
+        .set("If-Unmodified-Since", ifUnmodifiedSince)
         .send({name: "Created Fallback"})
         .expect(409);
 

package/src/auth.ts

@@ -54,7 +54,7 @@ export interface GenerateTokensOptions {
   sessionId?: string;
 }
 
-export function authenticateMiddleware(anonymous = false) {
+export const authenticateMiddleware = (anonymous = false) => {
   const strategies = ["jwt"];
   if (anonymous) {
     strategies.push("anonymous");
@@ -70,14 +70,14 @@ export function authenticateMiddleware(anonymous = false) {
     }
     return passportAuth(req, res, next);
   };
-}
+};
 
-export async function signupUser(
+export const signupUser = async (
   userModel: UserModel,
   email: string,
   password: string,
   body?: Record<string, unknown>
-) {
+) => {
   // Strip email and password from the body. They can cause mongoose to throw an error if strict is
   // set.
   const {email: _email, password: _password, ...bodyRest} = body ?? {};
@@ -100,7 +100,7 @@ export async function signupUser(
     const message = errorMessage(error);
     throw new APIError({title: message});
   }
-}
+};
 
 /**
  * Generates both an access token (JWT) and a refresh token for a given user.
@@ -126,7 +126,7 @@ export const generateTokens = async (
 ) => {
   const tokenSecretOrKey = process.env.TOKEN_SECRET;
   if (!tokenSecretOrKey) {
-    throw new Error("TOKEN_SECRET must be set in env.");
+    throw new APIError({status: 500, title: "TOKEN_SECRET must be set in env."});
   }
   const tokenUser = user as {_id?: ObjectId | string} | null | undefined;
   if (!tokenUser?._id) {
@@ -186,7 +186,7 @@ export const generateTokens = async (
 };
 
 // TODO allow customization
-export function setupAuth(app: express.Application, userModel: UserModel) {
+export const setupAuth = (app: express.Application, userModel: UserModel): void => {
   passport.use(new AnonymousStrategy());
   passport.use(userModel.createStrategy());
   passport.use(
@@ -208,7 +208,7 @@ export function setupAuth(app: express.Application, userModel: UserModel) {
   );
 
   if (!userModel.createStrategy) {
-    throw new Error("setupAuth userModel must have .createStrategy()");
+    throw new APIError({status: 500, title: "setupAuth userModel must have .createStrategy()"});
   }
 
   const customTokenExtractor: JwtFromRequestFunction = (req) => {
@@ -228,7 +228,7 @@ export function setupAuth(app: express.Application, userModel: UserModel) {
 
     const secretOrKey = process.env.TOKEN_SECRET;
     if (!secretOrKey) {
-      throw new Error("TOKEN_SECRET must be set in env.");
+      throw new APIError({status: 500, title: "TOKEN_SECRET must be set in env."});
     }
     const jwtOpts: StrategyOptions = {
       issuer: process.env.TOKEN_ISSUER,
@@ -264,11 +264,11 @@ export function setupAuth(app: express.Application, userModel: UserModel) {
 
   // Adds req.user to the request. This may wind up duplicating requests with passport,
   // but passport doesn't give us req.user early enough.
-  async function decodeJWTMiddleware(
+  const decodeJWTMiddleware = async (
     req: express.Request,
     res: express.Response,
     next: express.NextFunction
-  ) {
+  ) => {
     if (!process.env.TOKEN_SECRET) {
       return next();
     }
@@ -324,17 +324,17 @@ export function setupAuth(app: express.Application, userModel: UserModel) {
       }
     }
     return next();
-  }
+  };
   app.use(decodeJWTMiddleware);
   // biome-ignore lint/suspicious/noExplicitAny: express 5 type for urlencoded doesn't match RequestHandler
   app.use(express.urlencoded({extended: false}) as any);
-}
+};
 
-export function addAuthRoutes(
+export const addAuthRoutes = (
   app: express.Application,
   userModel: UserModel,
   authOptions?: AuthOptions
-): void {
+): void => {
   const router = express.Router();
   router.post("/login", async (req, res, next) => {
     passport.authenticate(
@@ -430,13 +430,13 @@ export function addAuthRoutes(
   }
   app.set("etag", false);
   app.use("/auth", router);
-}
+};
 
-export function addMeRoutes(
+export const addMeRoutes = (
   app: express.Application,
   userModel: UserModel,
   _authOptions?: AuthOptions
-): void {
+): void => {
   const router = express.Router();
   router.get("/me", authenticateMiddleware(), async (req, res) => {
     if (!req.user?.id) {
@@ -483,4 +483,4 @@ export function addMeRoutes(
   app.set("etag", false);
   app.use("/auth", router);
   app.use(apiErrorMiddleware);
-}
+};

package/src/configuration.test.ts

@@ -93,16 +93,15 @@ const ScalarConfig = (mongoose.models.ScalarConfig ||
 
 const buildApp = (
   configModel: mongoose.Model<any>,
-  options?: {basePath?: string; fieldOverrides?: Record<string, {widget?: string}>}
+  options?: Partial<Omit<ConstructorParameters<typeof ConfigurationApp>[0], "model">>
 ): express.Application => {
   const app = getBaseServer();
   setupAuth(app, UserModel as any);
   addAuthRoutes(app, UserModel as any);
 
   const configApp = new ConfigurationApp({
-    basePath: options?.basePath,
-    fieldOverrides: options?.fieldOverrides,
     model: configModel,
+    ...options,
   });
   configApp.register(app);
 
@@ -168,6 +167,31 @@ describe("configurationPlugin", () => {
       expect(updated.general.appName).toBe("Changed");
       expect(updated.general.maintenanceMode).toBe(true);
     });
+
+    it("preserves sibling subdoc fields on a partial nested patch", async () => {
+      await TestConfig.updateConfig({general: {appName: "Initial", maintenanceMode: true}});
+      // Patch only one field within the nested subdoc.
+      const updated = await TestConfig.updateConfig({general: {appName: "Renamed"}});
+      expect(updated.general.appName).toBe("Renamed");
+      // Sibling must be preserved (not clobbered back to the default).
+      expect(updated.general.maintenanceMode).toBe(true);
+    });
+
+    it("tolerates legacy/out-of-schema fields already persisted", async () => {
+      // Insert a document containing a field that is not in the (strict: throw) schema.
+      await TestConfig.getConfig();
+      await mongoose.connection.db
+        ?.collection("testconfigs")
+        .updateOne({}, {$set: {legacyField: "stale"}});
+
+      // A full doc.save() would throw under strict: "throw"; $set must not.
+      const updated = await TestConfig.updateConfig({general: {appName: "Survives"}});
+      expect(updated.general.appName).toBe("Survives");
+
+      // The legacy field is left untouched on the document.
+      const raw = await mongoose.connection.db?.collection("testconfigs").findOne({});
+      expect(raw?.legacyField).toBe("stale");
+    });
   });
 
   describe("singleton enforcement", () => {
@@ -327,12 +351,18 @@ describe("ConfigurationApp routes", () => {
       expect(res.body.data.general.appName).toBe("New Name");
     });
 
-    it("redacts secrets in the response", async () => {
+    it("never persists secret field values supplied in the body", async () => {
       const res = await adminAgent
         .patch("/configuration")
-        .send({integrations: {apiKey: "new-secret"}})
+        .send({integrations: {apiKey: "new-secret", webhookUrl: "https://changed.example.com"}})
         .expect(200);
-      expect(res.body.data.integrations.apiKey).toBe("********");
+      // Secret stays empty (stripped); non-secret sibling is updated.
+      expect(res.body.data.integrations.apiKey).toBe("");
+      expect(res.body.data.integrations.webhookUrl).toBe("https://changed.example.com");
+
+      // Confirm the raw stored document holds no secret value.
+      const stored = await (TestConfig as any).getConfig();
+      expect(stored.integrations.apiKey).toBe("");
     });
 
     it("returns 403 for non-admin", async () => {
@@ -344,11 +374,29 @@ describe("ConfigurationApp routes", () => {
   });
 
   describe("POST /configuration/list-secrets", () => {
-    it("returns discovered secret fields", async () => {
+    it("returns discovered secret fields with resolvable status", async () => {
       const res = await adminAgent.post("/configuration/list-secrets").expect(200);
       expect(res.body.secretFields).toHaveLength(1);
       expect(res.body.secretFields[0].path).toBe("integrations.apiKey");
       expect(res.body.secretFields[0].secretName).toBe("external-api-key");
+      // No provider configured -> not resolvable, and no value is ever returned.
+      expect(res.body.secretFields[0].resolvable).toBe(false);
+      expect(res.body.secretFields[0].isConfigured).toBe(false);
+      expect(JSON.stringify(res.body)).not.toContain("super-secret");
+    });
+
+    it("does not mutate the stored config document's secret fields", async () => {
+      await (TestConfig as any).getConfig();
+      await adminAgent.post("/configuration/list-secrets").expect(200);
+      const stored = await (TestConfig as any).getConfig();
+      // list-secrets must never write resolved values into the document.
+      expect(stored.integrations.apiKey).toBe("");
+    });
+
+    it("is also exposed as validate-secrets", async () => {
+      const res = await adminAgent.post("/configuration/validate-secrets").expect(200);
+      expect(res.body.secretFields).toHaveLength(1);
+      expect(res.body.secretFields[0].path).toBe("integrations.apiKey");
     });
 
     it("returns 403 for non-admin", async () => {
@@ -397,3 +445,119 @@ describe("ConfigurationApp with field overrides", () => {
     expect(intSection.fields.webhookUrl.widget).toBe("url");
   });
 });
+
+describe("ConfigurationApp with custom permissions", () => {
+  let app: express.Application;
+  let adminAgent: TestAgent;
+  let notAdminAgent: TestAgent;
+
+  // Terreno-style permission: any authenticated user (not just admins).
+  const isAuthenticated = (_method: any, user?: any): boolean => Boolean(user?.id);
+
+  beforeEach(async () => {
+    await setupDb();
+    await mongoose.connection.db?.collection("testconfigs").deleteMany({});
+    app = buildApp(TestConfig, {
+      permissions: {
+        read: [isAuthenticated],
+        // update intentionally left default (admin-only)
+      },
+    });
+    adminAgent = await authAsUser(app, "admin");
+    notAdminAgent = await authAsUser(app, "notAdmin");
+  });
+
+  it("allows non-admin reads when a custom read permission is supplied", async () => {
+    const res = await notAdminAgent.get("/configuration").expect(200);
+    expect(res.body.data.general.appName).toBe("Test App");
+  });
+
+  it("still rejects unauthenticated reads", async () => {
+    await supertest(app).get("/configuration").expect(401);
+  });
+
+  it("keeps update admin-only by default", async () => {
+    await notAdminAgent
+      .patch("/configuration")
+      .send({general: {appName: "Nope"}})
+      .expect(403);
+    await adminAgent
+      .patch("/configuration")
+      .send({general: {appName: "Yes"}})
+      .expect(200);
+  });
+});
+
+describe("ConfigurationApp with update hooks", () => {
+  let app: express.Application;
+  let adminAgent: TestAgent;
+  let preUpdateCalls: Array<Record<string, unknown>>;
+  let postUpdateCalls: Array<{config: Record<string, unknown>; prev: Record<string, unknown>}>;
+
+  beforeEach(async () => {
+    await setupDb();
+    await mongoose.connection.db?.collection("testconfigs").deleteMany({});
+    preUpdateCalls = [];
+    postUpdateCalls = [];
+    app = buildApp(TestConfig, {
+      postUpdate: async (config, prevValue) => {
+        postUpdateCalls.push({config, prev: prevValue});
+      },
+      preUpdate: async (body) => {
+        preUpdateCalls.push(body);
+        // Normalize: force maintenanceMode on.
+        const general = (body.general as Record<string, unknown>) ?? {};
+        return {...body, general: {...general, maintenanceMode: true}};
+      },
+    });
+    adminAgent = await authAsUser(app, "admin");
+  });
+
+  it("runs preUpdate to transform the body before applying", async () => {
+    const res = await adminAgent
+      .patch("/configuration")
+      .send({general: {appName: "Hooked"}})
+      .expect(200);
+    expect(res.body.data.general.appName).toBe("Hooked");
+    expect(res.body.data.general.maintenanceMode).toBe(true);
+    expect(preUpdateCalls).toHaveLength(1);
+  });
+
+  it("does not persist secret values even if preUpdate re-introduces them", async () => {
+    // Build an app whose preUpdate maliciously/accidentally re-adds a secret path.
+    const leakyApp = buildApp(TestConfig, {
+      preUpdate: (body) => ({
+        ...body,
+        integrations: {...(body.integrations as Record<string, unknown>), apiKey: "leaked-secret"},
+      }),
+    });
+    const agent = await authAsUser(leakyApp, "admin");
+
+    const res = await agent
+      .patch("/configuration")
+      .send({general: {appName: "Safe"}})
+      .expect(200);
+    expect(res.body.data.general.appName).toBe("Safe");
+    expect(res.body.data.integrations.apiKey).toBe("");
+
+    const stored = await (TestConfig as any).getConfig();
+    expect(stored.integrations.apiKey).toBe("");
+  });
+
+  it("runs postUpdate with redacted config and previous value", async () => {
+    // Seed a secret so we can confirm it is redacted in hook payloads.
+    await (TestConfig as any).updateConfig({integrations: {apiKey: "should-not-leak"}});
+    await adminAgent
+      .patch("/configuration")
+      .send({general: {appName: "Audited"}})
+      .expect(200);
+
+    expect(postUpdateCalls).toHaveLength(1);
+    const {config, prev} = postUpdateCalls[0];
+    expect((config.general as any).appName).toBe("Audited");
+    // Secret values must be redacted in both payloads.
+    expect((config.integrations as any).apiKey).toBe("********");
+    expect((prev.integrations as any).apiKey).toBe("********");
+    expect(JSON.stringify(postUpdateCalls)).not.toContain("should-not-leak");
+  });
+});