npm - @terreno/api - Versions diffs - 0.20.2 → 0.22.0 - Mend

@terreno/api 0.20.2 → 0.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (107) hide show

package/.ai/guidelines/core.md +71 -0
package/.ai/skills/mongoose-schema-safety/SKILL.md +143 -0
package/README.md +54 -1
package/bunfig.toml +1 -1
package/dist/__tests__/versionCheckPlugin.test.js +29 -7
package/dist/actions.openApi.test.js +13 -11
package/dist/api.js +98 -11
package/dist/api.query.test.js +31 -1
package/dist/api.test.js +211 -0
package/dist/auth.test.js +418 -43
package/dist/betterAuth.d.ts +1 -1
package/dist/consentApp.test.js +1 -0
package/dist/example.js +4 -4
package/dist/expressServer.d.ts +0 -22
package/dist/expressServer.js +1 -125
package/dist/expressServer.test.js +90 -91
package/dist/githubAuth.test.js +22 -22
package/dist/logger.d.ts +154 -0
package/dist/logger.js +445 -26
package/dist/logger.test.js +435 -0
package/dist/middleware.d.ts +7 -0
package/dist/middleware.js +58 -1
package/dist/middleware.test.js +159 -0
package/dist/models/consentForm.js +2 -1
package/dist/models/consentResponse.js +2 -1
package/dist/models/versionConfig.js +2 -1
package/dist/openApi.test.js +10 -17
package/dist/openApiBuilder.d.ts +18 -0
package/dist/openApiBuilder.js +21 -0
package/dist/openApiBuilder.test.js +34 -10
package/dist/permissions.test.js +10 -43
package/dist/populate.test.js +10 -42
package/dist/realtime/changeStreamWatcher.d.ts +4 -4
package/dist/realtime/changeStreamWatcher.js +2 -4
package/dist/realtime/queryMatcher.d.ts +1 -1
package/dist/realtime/queryMatcher.js +39 -14
package/dist/realtime/types.d.ts +3 -3
package/dist/requestContext.d.ts +61 -0
package/dist/requestContext.js +74 -0
package/dist/secretProviders.test.js +335 -0
package/dist/syncConsents.test.js +2 -2
package/dist/terrenoApp.d.ts +27 -15
package/dist/terrenoApp.js +24 -14
package/dist/terrenoApp.test.js +52 -0
package/dist/tests/bunSetup.js +66 -262
package/dist/tests/createTestData.d.ts +9 -0
package/dist/tests/createTestData.js +272 -0
package/dist/tests/models.d.ts +71 -0
package/dist/tests/models.js +134 -0
package/dist/tests/mongoTestSetup.d.ts +7 -0
package/dist/tests/mongoTestSetup.js +150 -0
package/dist/tests/testEnv.d.ts +0 -0
package/dist/tests/testEnv.js +6 -0
package/dist/tests/testHelper.d.ts +22 -0
package/dist/tests/testHelper.js +115 -0
package/dist/tests/types.d.ts +29 -0
package/dist/tests/types.js +2 -0
package/dist/tests.d.ts +10 -78
package/dist/tests.js +24 -241
package/dist/transformers.test.js +14 -50
package/package.json +18 -4
package/src/__snapshots__/openApiBuilder.test.ts.snap +1 -0
package/src/__tests__/versionCheckPlugin.test.ts +43 -15
package/src/actions.openApi.test.ts +12 -10
package/src/api.query.test.ts +24 -1
package/src/api.test.ts +169 -0
package/src/api.ts +71 -0
package/src/auth.test.ts +287 -39
package/src/betterAuth.ts +1 -1
package/src/consentApp.test.ts +1 -0
package/src/example.ts +4 -4
package/src/expressServer.test.ts +82 -85
package/src/expressServer.ts +1 -213
package/src/githubAuth.test.ts +22 -22
package/src/logger.test.ts +466 -1
package/src/logger.ts +477 -14
package/src/middleware.test.ts +74 -2
package/src/middleware.ts +57 -0
package/src/models/consentForm.ts +3 -4
package/src/models/consentResponse.ts +6 -4
package/src/models/versionConfig.ts +3 -4
package/src/openApi.test.ts +10 -17
package/src/openApiBuilder.test.ts +27 -10
package/src/openApiBuilder.ts +24 -0
package/src/permissions.test.ts +8 -23
package/src/populate.test.ts +7 -22
package/src/realtime/changeStreamWatcher.ts +15 -10
package/src/realtime/queryMatcher.ts +54 -27
package/src/realtime/types.ts +4 -4
package/src/requestContext.ts +86 -0
package/src/secretProviders.test.ts +219 -1
package/src/syncConsents.test.ts +1 -1
package/src/terrenoApp.test.ts +38 -0
package/src/terrenoApp.ts +37 -15
package/src/tests/bunSetup.ts +22 -236
package/src/tests/createTestData.ts +176 -0
package/src/tests/models.ts +164 -0
package/src/tests/mongoTestSetup.ts +69 -0
package/src/tests/testEnv.ts +4 -0
package/src/tests/testHelper.ts +57 -0
package/src/tests/types.ts +35 -0
package/src/tests.ts +40 -231
package/src/transformers.test.ts +11 -30
package/tsconfig.typedoc.json +4 -0
package/dist/tests/index.d.ts +0 -1
package/dist/tests/index.js +0 -17
package/src/tests/index.ts +0 -1

package/src/auth.test.ts CHANGED Viewed

@@ -7,10 +7,10 @@ import type TestAgent from "supertest/lib/agent";
 import {modelRouter} from "./api";
 import {addAuthRoutes, addMeRoutes, generateTokens, setupAuth} from "./auth";
-import {setupServer} from "./expressServer";
 import {Permissions} from "./permissions";
 import {getCurrentRequestContext} from "./requestContext";
-import {type Food, FoodModel, getBaseServer, setupDb, UserModel} from "./tests";
+import {TerrenoApp} from "./terrenoApp";
+import {type Food, FoodModel, getBaseServer, setupDb, setupTestData, UserModel} from "./tests";
 import {AdminOwnerTransformer} from "./transformers";
 import {timeout} from "./utils";
@@ -29,38 +29,16 @@ describe("auth tests", () => {
     stage: string;
     userId?: string;
   }>;
-  let notAdmin: any;
   let agent: TestAgent;
   beforeEach(async () => {
     // Reset to real time - don't freeze time here as passport-local-mongoose
     // lockout mechanism needs real time to progress
     setSystemTime();
-    [admin, notAdmin] = await setupDb();
+    const testData = await setupTestData();
+    admin = testData.users.admin;
     contextEvents = [];
-    await Promise.all([
-      FoodModel.create({
-        calories: 1,
-        created: new Date(),
-        name: "Spinach",
-        ownerId: notAdmin._id,
-      }),
-      FoodModel.create({
-        calories: 100,
-        created: Date.now() - 10,
-        hidden: true,
-        name: "Apple",
-        ownerId: admin._id,
-      }),
-      FoodModel.create({
-        calories: 100,
-        created: Date.now() - 10,
-        name: "Carrots",
-        ownerId: admin._id,
-      }),
-    ]);
     function addRoutes(router: express.Router): void {
       router.use(
         "/food",
@@ -151,11 +129,11 @@ describe("auth tests", () => {
         })
       );
     }
-    app = setupServer({
-      addRoutes,
+    app = new TerrenoApp({
+      configureApp: addRoutes,
       skipListen: true,
       userModel: UserModel as any,
-    });
+    }).build();
     agent = supertest.agent(app);
   });
@@ -217,7 +195,7 @@ describe("auth tests", () => {
     // Use token to see 2 foods + the one we just created
     const getRes = await agent.get("/food").expect(200);
-    expect(getRes.body.data).toHaveLength(3);
+    expect(getRes.body.data).toHaveLength(4);
     expect(getRes.body.data.find((f: any) => f.name === "Peas")).toBeDefined();
     const updateRes = await agent
@@ -396,7 +374,7 @@ describe("auth tests", () => {
     // Use token to see admin foods
     const getRes = await agent.get("/food").expect(200);
-    expect(getRes.body.data).toHaveLength(3);
+    expect(getRes.body.data).toHaveLength(4);
     const food = getRes.body.data.find((f: any) => f.name === "Apple");
     expect(food).toBeDefined();
@@ -826,12 +804,12 @@ describe("addAuthRoutes /refresh_token error paths", () => {
   beforeEach(async () => {
     setSystemTime();
-    await setupDb();
-    app = setupServer({
-      addRoutes: () => {},
+    await setupTestData();
+    app = new TerrenoApp({
+      configureApp: () => {},
       skipListen: true,
       userModel: UserModel as any,
-    });
+    }).build();
     agent = supertest.agent(app);
   });
@@ -891,12 +869,12 @@ describe("addMeRoutes edge cases", () => {
   beforeEach(async () => {
     setSystemTime();
-    await setupDb();
-    app = setupServer({
-      addRoutes: () => {},
+    await setupTestData();
+    app = new TerrenoApp({
+      configureApp: () => {},
       skipListen: true,
       userModel: UserModel as any,
-    });
+    }).build();
     agent = supertest.agent(app);
   });
@@ -926,4 +904,274 @@ describe("addMeRoutes edge cases", () => {
     // Either 404 (user not found in /me handler) or 401 (auth middleware rejects)
     expect([401, 404]).toContain(res.status);
   });
+  it("PATCH /auth/me returns 404 when user is deleted after auth", async () => {
+    const [_admin, notAdmin] = await setupDb();
+    const jwtLib = (await import("jsonwebtoken")).default;
+    const notAdminId = (notAdmin as unknown as {_id: {toString(): string}})._id;
+    const token = jwtLib.sign({id: notAdminId.toString()}, process.env.TOKEN_SECRET as string, {
+      issuer: process.env.TOKEN_ISSUER,
+    });
+    await UserModel.deleteOne({_id: notAdminId});
+    const res = await agent
+      .patch("/auth/me")
+      .set("authorization", `Bearer ${token}`)
+      .send({email: "x@x.com"});
+    expect([401, 404]).toContain(res.status);
+  });
+  it("PATCH /auth/me returns 403 on validation error", async () => {
+    const [admin] = await setupDb();
+    const jwtLib = (await import("jsonwebtoken")).default;
+    const adminId = (admin as unknown as {_id: {toString(): string}})._id;
+    const token = jwtLib.sign({id: adminId.toString()}, process.env.TOKEN_SECRET as string, {
+      issuer: process.env.TOKEN_ISSUER,
+    });
+    const res = await agent
+      .patch("/auth/me")
+      .set("authorization", `Bearer ${token}`)
+      .send({admin: "not_a_boolean_value_but_will_be_cast"});
+    expect([200, 403]).toContain(res.status);
+  });
+});
+describe("Secret prefix authorization bypass", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+  beforeEach(async () => {
+    setSystemTime();
+    await setupTestData();
+    app = new TerrenoApp({
+      configureApp: (router: express.Router) => {
+        router.use(
+          "/food",
+          modelRouter(FoodModel, {
+            allowAnonymous: true,
+            permissions: {
+              create: [],
+              delete: [],
+              list: [Permissions.IsAny],
+              read: [Permissions.IsAny],
+              update: [],
+            },
+          })
+        );
+      },
+      skipListen: true,
+      userModel: UserModel as any,
+    }).build();
+    agent = supertest.agent(app);
+  });
+  afterEach(() => {
+    setSystemTime();
+  });
+  it("passes through with Secret prefix authorization header without JWT decoding", async () => {
+    const res = await agent.get("/food").set("authorization", "Secret my-secret-token").expect(200);
+    expect(res.body.data).toBeDefined();
+  });
+});
+describe("generateTokens env integration", () => {
+  const OLD_ENV = process.env;
+  beforeEach(() => {
+    process.env = {...OLD_ENV};
+    process.env.TOKEN_SECRET = "secret";
+    process.env.REFRESH_TOKEN_SECRET = "refresh_secret";
+  });
+  afterEach(() => {
+    process.env = OLD_ENV;
+  });
+  it("includes TOKEN_ISSUER in token when set", async () => {
+    process.env.TOKEN_ISSUER = "test-issuer";
+    const result = await generateTokens({_id: "user-123"});
+    const decoded = decodeTokenPayload<{iss?: string}>(result.token as string);
+    expect(decoded.iss).toBe("test-issuer");
+  });
+  it("generates a unique sessionId when none provided", async () => {
+    const result1 = await generateTokens({_id: "user-123"});
+    const result2 = await generateTokens({_id: "user-123"});
+    expect(result1.sessionId).toBeDefined();
+    expect(result2.sessionId).toBeDefined();
+    expect(result1.sessionId).not.toBe(result2.sessionId);
+  });
+  it("uses provided sessionId from options", async () => {
+    const result = await generateTokens({_id: "user-123"}, undefined, {
+      sessionId: "custom-session-id",
+    });
+    const decoded = decodeTokenPayload<{sid?: string}>(result.token as string);
+    expect(decoded.sid).toBe("custom-session-id");
+    expect(result.sessionId).toBe("custom-session-id");
+  });
+});
+describe("refresh_token without REFRESH_TOKEN_SECRET", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+  const OLD_ENV = process.env;
+  beforeEach(async () => {
+    setSystemTime();
+    process.env = {...OLD_ENV};
+    await setupTestData();
+    app = new TerrenoApp({
+      configureApp: () => {},
+      skipListen: true,
+      userModel: UserModel as any,
+    }).build();
+    agent = supertest.agent(app);
+  });
+  afterEach(() => {
+    setSystemTime();
+    process.env = OLD_ENV;
+  });
+  it("returns 401 when REFRESH_TOKEN_SECRET is not set", async () => {
+    process.env.REFRESH_TOKEN_SECRET = "";
+    const res = await agent
+      .post("/auth/refresh_token")
+      .send({refreshToken: "some-token"})
+      .expect(401);
+    expect(res.body.message).toContain("No REFRESH_TOKEN_SECRET set");
+  });
+});
+describe("generateTokens with custom TOKEN_EXPIRES_IN", () => {
+  const OLD_ENV = process.env;
+  beforeEach(() => {
+    process.env = {...OLD_ENV};
+    process.env.TOKEN_SECRET = "secret";
+    process.env.REFRESH_TOKEN_SECRET = "refresh_secret";
+  });
+  afterEach(() => {
+    process.env = OLD_ENV;
+  });
+  it("uses TOKEN_EXPIRES_IN when set to a valid duration", async () => {
+    process.env.TOKEN_EXPIRES_IN = "1h";
+    const result = await generateTokens({_id: "user-123"});
+    expect(result.token).toBeDefined();
+    const decoded = decodeTokenPayload<{exp: number; iat: number}>(result.token as string);
+    const diffSeconds = decoded.exp - decoded.iat;
+    // 1h = 3600s
+    expect(diffSeconds).toBe(3600);
+  });
+  it("uses REFRESH_TOKEN_EXPIRES_IN when set to a valid duration", async () => {
+    process.env.REFRESH_TOKEN_EXPIRES_IN = "7d";
+    const result = await generateTokens({_id: "user-123"});
+    expect(result.refreshToken).toBeDefined();
+    const decoded = decodeTokenPayload<{exp: number; iat: number}>(result.refreshToken as string);
+    const diffSeconds = decoded.exp - decoded.iat;
+    // 7d = 604800s
+    expect(diffSeconds).toBe(604800);
+  });
+});
+describe("JWT cookie extraction and /me routes edge cases", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+  const OLD_ENV = process.env;
+  beforeEach(async () => {
+    setSystemTime();
+    process.env = {...OLD_ENV};
+    await setupTestData();
+    app = new TerrenoApp({
+      configureApp: () => {},
+      skipListen: true,
+      userModel: UserModel as any,
+    }).build();
+    agent = supertest.agent(app);
+  });
+  afterEach(() => {
+    setSystemTime();
+    process.env = OLD_ENV;
+  });
+  it("returns 401 for /me when no user is authenticated", async () => {
+    const res = await agent.get("/auth/me").expect(401);
+    expect(res.status).toBe(401);
+  });
+  it("returns 401 for PATCH /me when no user is authenticated", async () => {
+    const res = await agent.patch("/auth/me").send({name: "Updated"}).expect(401);
+    expect(res.status).toBe(401);
+  });
+  it("returns 404 for /me when user is deleted from database", async () => {
+    // Login, then delete the user, then try /me
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "notAdmin@example.com", password: "password"})
+      .expect(200);
+    const {token, userId} = loginRes.body.data;
+    // Delete the user from DB
+    await UserModel.deleteOne({_id: userId});
+    const freshAgent = supertest.agent(app);
+    const res = await freshAgent.get("/auth/me").set("authorization", `Bearer ${token}`);
+    // Without the user, the JWT verify succeeds but findById returns null
+    expect([401, 404]).toContain(res.status);
+  });
+});
+describe("login error and disabled user paths", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+  beforeEach(async () => {
+    setSystemTime();
+    await setupTestData();
+    app = new TerrenoApp({
+      configureApp: () => {},
+      skipListen: true,
+      userModel: UserModel as any,
+    }).build();
+    agent = supertest.agent(app);
+  });
+  afterEach(() => {
+    setSystemTime();
+  });
+  it("returns 401 with message for invalid credentials (no user found)", async () => {
+    const res = await agent
+      .post("/auth/login")
+      .send({email: "nonexistent@example.com", password: "wrong"})
+      .expect(401);
+    expect(res.body.message).toBeDefined();
+  });
+  it("returns 401 when disabled user tries to access protected route", async () => {
+    // Login to get token
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "notAdmin@example.com", password: "password"})
+      .expect(200);
+    const {token, userId} = loginRes.body.data;
+    // Disable the user
+    await UserModel.findByIdAndUpdate(userId, {disabled: true});
+    // Try to access /me with disabled user's token
+    const freshAgent = supertest.agent(app);
+    const res = await freshAgent
+      .get("/auth/me")
+      .set("authorization", `Bearer ${token}`)
+      .expect(401);
+    expect(res.body.title).toContain("disabled");
+  });
 });

package/src/betterAuth.ts CHANGED Viewed

@@ -63,7 +63,7 @@ export interface BetterAuthConfig {
 }
 /**
- * Auth provider selection for setupServer.
+ * Auth provider selection for TerrenoApp.
  * - "jwt": Traditional JWT/Passport authentication (default)
  * - "better-auth": Better Auth with OAuth support
  */

package/src/consentApp.test.ts CHANGED Viewed

@@ -39,6 +39,7 @@ describe("ConsentApp", () => {
     it("returns empty list when no forms exist", async () => {
       const res = await adminAgent.get("/consent-forms").expect(200);
       expect(res.body.data).toHaveLength(0);
+      expect(res.body.requestId).toBe(res.headers["x-request-id"]);
     });
     it("lists consent forms for admins", async () => {

package/src/example.ts CHANGED Viewed

@@ -4,7 +4,6 @@ import passportLocalMongoose from "passport-local-mongoose";
 import {type ModelRouterOptions, modelRouter} from "./api";
 import {addAuthRoutes, setupAuth, type UserModel as UserMongooseModel} from "./auth";
-import {setupServer} from "./expressServer";
 import {logger} from "./logger";
 import {Permissions} from "./permissions";
 import {
@@ -14,6 +13,7 @@ import {
   findOneOrNone,
   isDeletedPlugin,
 } from "./plugins";
+import {TerrenoApp} from "./terrenoApp";
 mongoose
   .connect("mongodb://localhost:27017/example")
@@ -116,12 +116,12 @@ const getBaseServer = () => {
     );
   };
-  return setupServer({
-    addRoutes,
+  return new TerrenoApp({
+    configureApp: addRoutes,
     loggingOptions: {
       level: "debug",
     },
     userModel: UserModel as unknown as UserMongooseModel,
-  });
+  }).build();
 };
 getBaseServer();