@tstdl/base 0.93.84 → 0.93.86

package/authentication/client/authentication.service.d.ts

@@ -84,10 +84,10 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
      */
     get definedTenantId(): string;
     /**
-     * Get current subject or throw if not available
+     * Get current subjectId or throw if not available
      * @throws Will throw if subject is not available
      */
-    get definedSubject(): string;
+    get definedSubjectId(): string;
     /** Whether a valid token is available (not undefined and not expired) */
     get hasValidToken(): boolean;
     constructor();

package/authentication/client/authentication.service.js

@@ -140,10 +140,10 @@ let AuthenticationClientService = class AuthenticationClientService {
         return this.definedToken.tenant;
     }
     /**
-     * Get current subject or throw if not available
+     * Get current subjectId or throw if not available
      * @throws Will throw if subject is not available
      */
-    get definedSubject() {
+    get definedSubjectId() {
         return this.definedToken.subject;
     }
     /** Whether a valid token is available (not undefined and not expired) */

package/authentication/models/authentication-credentials.model.d.ts

@@ -1,13 +1,10 @@
 import { TenantEntity, type Uuid } from '../../orm/index.js';
 export declare class AuthenticationCredentials extends TenantEntity {
-    subject: Uuid;
+    subjectId: Uuid;
+    /** The version of the hash algorithm used. */
     hashVersion: number;
-    /**
-     * The salt used to hash the secret.
-     */
+    /** The salt used to hash the secret. */
     salt: Uint8Array<ArrayBuffer>;
-    /**
-     * The hashed secret.
-     */
+    /** The hashed secret. */
     hash: Uint8Array<ArrayBuffer>;
 }

package/authentication/models/authentication-credentials.model.js

@@ -11,22 +11,19 @@ import { Table, TenantEntity, TenantReference, Unique, UuidProperty } from '../.
 import { Integer, Uint8ArrayProperty } from '../../schema/index.js';
 import { Subject } from './subject.model.js';
 let AuthenticationCredentials = class AuthenticationCredentials extends TenantEntity {
-    subject;
+    subjectId;
+    /** The version of the hash algorithm used. */
     hashVersion;
-    /**
-     * The salt used to hash the secret.
-     */
+    /** The salt used to hash the secret. */
     salt;
-    /**
-     * The hashed secret.
-     */
+    /** The hashed secret. */
     hash;
 };
 __decorate([
     TenantReference(() => Subject),
     UuidProperty(),
     __metadata("design:type", String)
-], AuthenticationCredentials.prototype, "subject", void 0);
+], AuthenticationCredentials.prototype, "subjectId", void 0);
 __decorate([
     Integer(),
     __metadata("design:type", Number)
@@ -41,6 +38,6 @@ __decorate([
 ], AuthenticationCredentials.prototype, "hash", void 0);
 AuthenticationCredentials = __decorate([
     Table('credentials', { schema: 'authentication' }),
-    Unique(['tenantId', 'subject'])
+    Unique(['tenantId', 'subjectId'])
 ], AuthenticationCredentials);
 export { AuthenticationCredentials };

package/authentication/models/authentication-session.model.d.ts

@@ -1,16 +1,13 @@
 import type { Timestamp, Uuid } from '../../orm/index.js';
 import { TenantEntity } from '../../orm/index.js';
 export declare class AuthenticationSession extends TenantEntity {
-    subject: Uuid;
+    subjectId: Uuid;
     begin: Timestamp;
     end: Timestamp;
+    /** The version of the hash algorithm used. */
     refreshTokenHashVersion: number;
-    /**
-     * The salt used to hash the refresh token.
-     */
+    /** The salt used to hash the refresh token. */
     refreshTokenSalt: Uint8Array<ArrayBuffer>;
-    /**
-     * The hashed refresh token.
-     */
+    /** The hashed refresh token. */
     refreshTokenHash: Uint8Array<ArrayBuffer>;
 }

package/authentication/models/authentication-session.model.js

@@ -11,24 +11,21 @@ import { Table, TenantEntity, TenantReference, TimestampProperty, UuidProperty }
 import { Integer, Uint8ArrayProperty } from '../../schema/index.js';
 import { Subject } from './subject.model.js';
 let AuthenticationSession = class AuthenticationSession extends TenantEntity {
-    subject;
+    subjectId;
     begin;
     end;
+    /** The version of the hash algorithm used. */
     refreshTokenHashVersion;
-    /**
-     * The salt used to hash the refresh token.
-     */
+    /** The salt used to hash the refresh token. */
     refreshTokenSalt;
-    /**
-     * The hashed refresh token.
-     */
+    /** The hashed refresh token. */
     refreshTokenHash;
 };
 __decorate([
     TenantReference(() => Subject),
     UuidProperty(),
     __metadata("design:type", String)
-], AuthenticationSession.prototype, "subject", void 0);
+], AuthenticationSession.prototype, "subjectId", void 0);
 __decorate([
     TimestampProperty(),
     __metadata("design:type", Number)

package/authentication/models/token.model.d.ts

@@ -2,9 +2,7 @@ import type { Record } from '../../types/index.js';
 import type { JwtToken, JwtTokenHeader } from '../../utils/jwt.js';
 import type { TokenPayloadBase } from './token-payload-base.model.js';
 export type TokenHeader = {
-    /**
-     * Token version.
-     */
+    /** Token version. */
     v: number;
 };
 /**
@@ -18,42 +16,26 @@ export type Token<AdditionalTokenPayload extends Record = Record<never>> = JwtTo
  */
 export type TokenPayload<T extends Record = Record<never>> = T & TokenPayloadBase;
 export type RefreshToken = JwtToken<{
-    /**
-     * Expiration timestamp in seconds.
-     */
+    /** Expiration timestamp in seconds. */
     exp: number;
-    /**
-     * The tenant id.
-     */
+    /** The tenant id. */
     tenant: string;
-    /**
-     * The subject of the token.
-     */
+    /** The subject of the token. */
     subject: string;
-    /**
-     * The subject of the impersonator, if any.
-     */
+    /** The subject of the impersonator, if any. */
     impersonator?: string;
-    /**
-     * The id of the session.
-     */
+    /** The id of the session. */
     session: string;
-    /**
-     * The secret to use for refreshing the token.
-     */
+    /** The secret to use for refreshing the token. */
     secret: string;
 }>;
 export type SecretResetToken = JwtToken<{
-    /**
-     * Expiration timestamp in seconds.
-     */
+    /** Issued at timestamp in seconds. */
+    iat: number;
+    /** Expiration timestamp in seconds. */
     exp: number;
-    /**
-     * The tenant id.
-     */
+    /** The tenant id. */
     tenant: string;
-    /**
-     * The subject for which to reset the secret.
-     */
+    /** The subject for which to reset the secret. */
     subject: string;
 }>;

package/authentication/server/authentication.audit.d.ts

@@ -15,6 +15,7 @@ export type AuthenticationAuditEvents = {
     };
     'refresh-failure': {
         reason: string;
+        sessionId: string | null;
     };
     'impersonate-success': {
         impersonatedSubjectId: string;

package/authentication/server/authentication.service.js

@@ -25,7 +25,7 @@ import { currentTimestamp, timestampToTimestampSeconds } from '../../utils/date-
 import { timingSafeBinaryEquals } from '../../utils/equals.js';
 import { createJwtTokenString } from '../../utils/jwt.js';
 import { getRandomBytes, getRandomString } from '../../utils/random.js';
-import { assertDefinedPass, isBinaryData, isString, isUndefined } from '../../utils/type-guards.js';
+import { isBinaryData, isDefined, isString, isUndefined } from '../../utils/type-guards.js';
 import { millisecondsPerDay, millisecondsPerMinute } from '../../utils/units.js';
 import { AuthenticationCredentials, AuthenticationSession, Subject, User } from '../models/index.js';
 import { AuthenticationAncillaryService, GetTokenPayloadContextAction } from './authentication-ancillary.service.js';
@@ -63,6 +63,13 @@ export class AuthenticationServiceOptions {
      */
     secretResetTokenTimeToLive;
 }
+const HASH_ITERATIONS = 250000;
+const HASH_LENGTH_BITS = 512;
+const HASH_LENGTH_BYTES = HASH_LENGTH_BITS / 8;
+const JWT_ID_LENGTH = 24;
+const REFRESH_TOKEN_SECRET_LENGTH = 64;
+const SALT_LENGTH = 32;
+const SIGNING_SECRETS_DERIVATION_ITERATIONS = 500000;
 const SIGNING_SECRETS_LENGTH = 64;
 /**
  * Handles authentication on server side.
@@ -136,18 +143,18 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         if (options?.skipValidation != true) {
             await this.#authenticationSecretRequirementsValidator.validateSecretRequirements(secret);
         }
-        const salt = getRandomBytes(32);
+        const salt = getRandomBytes(SALT_LENGTH);
         const hash = await this.getHash(secret, salt);
         await this.#credentialsRepository.transaction(async (tx) => {
-            await this.#credentialsRepository.withTransaction(tx).upsert('subject', {
+            await this.#credentialsRepository.withTransaction(tx).upsert(['tenantId', 'subjectId'], {
                 tenantId: subject.tenantId,
-                subject: subject.id,
+                subjectId: subject.id,
                 hashVersion: 1,
                 salt,
                 hash,
             });
             if (options?.skipSessionInvalidation != true) {
-                await this.#sessionRepository.withTransaction(tx).updateManyByQuery({ tenantId: subject.tenantId, subject: subject.id }, { end: currentTimestamp() });
+                await this.#sessionRepository.withTransaction(tx).updateManyByQuery({ tenantId: subject.tenantId, subjectId: subject.id }, { end: currentTimestamp() });
             }
         });
     }
@@ -159,15 +166,18 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      */
     async authenticate(subject, secret) {
         const actualSubject = await this.tryResolveSubject(subject);
-        // Always try to load credentials, even if the subject is not resolved, to reduce information leakage.
-        // If the subject is not resolved, we will create a new credentials entry with an empty salt and hash.
-        // This way, we do not leak if the subject exists or not via timing attacks.
-        const credentials = await this.#credentialsRepository.tryLoadByQuery({ tenantId: actualSubject?.tenantId ?? NIL_UUID, subject: actualSubject?.id ?? NIL_UUID })
-            ?? { subject: actualSubject, salt: new Uint8Array(), hash: new Uint8Array() };
+        // we use a random uuid instead of null here to reduce timing attack surface by DB optimiziations
+        const queryTenantId = actualSubject?.tenantId ?? crypto.randomUUID();
+        const querySubjectId = actualSubject?.id ?? crypto.randomUUID();
+        const loadedCredentials = await this.#credentialsRepository.tryLoadByQuery({
+            tenantId: queryTenantId,
+            subjectId: querySubjectId,
+        });
+        const credentials = loadedCredentials ?? { salt: new Uint8Array(SALT_LENGTH), hash: new Uint8Array(HASH_LENGTH_BYTES) };
         const hash = await this.getHash(secret, credentials.salt);
         const valid = timingSafeBinaryEquals(hash, credentials.hash);
-        if (valid) {
-            return { success: true, subject: assertDefinedPass(actualSubject, 'Subject should be defined if authentication is valid but it is not.') };
+        if (valid && isDefined(actualSubject) && isDefined(loadedCredentials)) {
+            return { success: true, subject: actualSubject };
         }
         return { success: false };
     }
@@ -184,7 +194,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         return await this.#sessionRepository.transaction(async (tx) => {
             const session = await this.#sessionRepository.withTransaction(tx).insert({
                 tenantId: subject.tenantId,
-                subject: subject.id,
+                subjectId: subject.id,
                 begin: now,
                 end,
                 refreshTokenHashVersion: 0,
@@ -255,9 +265,9 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         await this.#sessionRepository.update(sessionId, { end: now });
         await authAuditor.info('logout', {
             tenantId: session.tenantId,
-            actor: session.subject,
+            actor: session.subjectId,
             actorType: ActorType.User,
-            targetId: session.subject,
+            targetId: session.subjectId,
             targetType: 'User',
             details: { sessionId },
         });
@@ -282,12 +292,18 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
                 throw new InvalidTokenError('Session is expired.');
             }
             if (!timingSafeBinaryEquals(hash, session.refreshTokenHash)) {
+                await this.endSession(sessionId, auditor);
+                await authAuditor.warn('refresh-failure', {
+                    targetId: session.tenantId,
+                    targetType: 'User',
+                    details: { sessionId, reason: 'Token reuse detected. Session revoked.' },
+                });
                 throw new InvalidTokenError('Invalid refresh token.');
             }
             const now = currentTimestamp();
             const impersonator = (options.omitImpersonator == true) ? undefined : validatedRefreshToken.payload.impersonator;
             const newEnd = now + this.refreshTokenTimeToLive;
-            const subject = await this.#subjectRepository.loadByQuery({ tenantId: session.tenantId, id: session.subject });
+            const subject = await this.#subjectRepository.loadByQuery({ tenantId: session.tenantId, id: session.subjectId });
             const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
             const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
             const newRefreshToken = await this.createRefreshToken(subject, sessionId, newEnd, { impersonator });
@@ -299,9 +315,9 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             });
             await authAuditor.info('refresh-success', {
                 tenantId: session.tenantId,
-                actor: session.subject,
+                actor: session.subjectId,
                 actorType: ActorType.User,
-                targetId: session.subject,
+                targetId: session.subjectId,
                 targetType: 'User',
                 details: { sessionId },
             });
@@ -311,7 +327,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             await authAuditor.warn('refresh-failure', {
                 targetId: NIL_UUID,
                 targetType: 'User',
-                details: { reason: error.message },
+                details: { sessionId: null, reason: error.message },
             });
             throw error;
         }
@@ -458,6 +474,21 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         const authAuditor = auditor.fork(AuthenticationService_1.name);
         try {
             const token = await this.validateSecretResetToken(tokenString);
+            const credentials = await this.#credentialsRepository.tryLoadByQuery({
+                tenantId: token.payload.tenant,
+                subjectId: token.payload.subject,
+            });
+            if (isDefined(credentials)) {
+                const lastUpdateSeconds = timestampToTimestampSeconds(credentials.metadata.revisionTimestamp);
+                if (token.payload.iat < lastUpdateSeconds) {
+                    await authAuditor.info('reset-secret-failure', {
+                        targetId: token.payload.subject,
+                        targetType: 'User',
+                        details: { reason: 'Token is invalid (credentials have already been changed).' },
+                    });
+                    throw new InvalidTokenError();
+                }
+            }
             const subject = await this.#subjectRepository.loadByQuery({ tenantId: token.payload.tenant, id: token.payload.subject });
             await this.setCredentials(subject, newSecret);
             await authAuditor.info('reset-secret-success', {
@@ -580,7 +611,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             typ: 'JWT',
         };
         const payload = {
-            jti: jwtId ?? getRandomString(24, Alphabet.LowerUpperCaseNumbers),
+            jti: jwtId ?? getRandomString(JWT_ID_LENGTH, Alphabet.LowerUpperCaseNumbers),
             iat: issuedAt ?? timestampToTimestampSeconds(timestamp),
             exp: expiration ?? timestampToTimestampSeconds(timestamp + this.tokenTimeToLive),
             refreshTokenExp: timestampToTimestampSeconds(refreshTokenExpiration),
@@ -607,8 +638,8 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      * @returns The created refresh token.
      */
     async createRefreshToken(subject, sessionId, expirationTimestamp, options) {
-        const secret = getRandomString(64, Alphabet.LowerUpperCaseNumbers);
-        const salt = getRandomBytes(32);
+        const secret = getRandomString(REFRESH_TOKEN_SECRET_LENGTH, Alphabet.LowerUpperCaseNumbers);
+        const salt = getRandomBytes(SALT_LENGTH);
         const hash = await this.getHash(secret, salt);
         const jsonToken = {
             header: {
@@ -647,12 +678,14 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
         return subjects[0];
     }
     async createSecretResetToken(subject, expirationTimestamp) {
+        const iat = timestampToTimestampSeconds(currentTimestamp());
         const jsonToken = {
             header: {
                 alg: 'HS256',
                 typ: 'JWT',
             },
             payload: {
+                iat,
                 exp: timestampToTimestampSeconds(expirationTimestamp),
                 subject: subject.id,
                 tenant: subject.tenantId,
@@ -663,9 +696,9 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     }
     async deriveSigningSecrets(secret) {
         const key = await importPbkdf2Key(secret);
-        const saltBase64 = await this.#keyValueStore.getOrSet('derivationSalt', encodeBase64(getRandomBytes(32)));
+        const saltBase64 = await this.#keyValueStore.getOrSet('derivationSalt', encodeBase64(getRandomBytes(SALT_LENGTH)));
         const salt = decodeBase64(saltBase64);
-        const algorithm = { name: 'PBKDF2', hash: 'SHA-512', iterations: 500000, salt };
+        const algorithm = { name: 'PBKDF2', hash: 'SHA-512', iterations: SIGNING_SECRETS_DERIVATION_ITERATIONS, salt };
         const [derivedTokenSigningSecret, derivedRefreshTokenSigningSecret, derivedSecretResetTokenSigningSecret] = await deriveBytesMultiple(algorithm, key, 3, SIGNING_SECRETS_LENGTH);
         this.derivedTokenSigningSecret = derivedTokenSigningSecret;
         this.derivedRefreshTokenSigningSecret = derivedRefreshTokenSigningSecret;
@@ -673,7 +706,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     }
     async getHash(secret, salt) {
         const key = await importPbkdf2Key(secret);
-        const hash = await globalThis.crypto.subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-512', iterations: 250000, salt }, key, 512);
+        const hash = await globalThis.crypto.subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-512', iterations: HASH_ITERATIONS, salt }, key, HASH_LENGTH_BITS);
         return new Uint8Array(hash);
     }
 };

package/authentication/server/drizzle/{0000_majestic_proudstar.sql → 0000_normal_paper_doll.sql}

@@ -3,7 +3,7 @@ CREATE TYPE "authentication"."user_status" AS ENUM('active', 'suspended', 'pendi
 CREATE TABLE "authentication"."credentials" (
 	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
 	"tenant_id" uuid NOT NULL,
-	"subject" uuid NOT NULL,
+	"subject_id" uuid NOT NULL,
 	"hash_version" integer NOT NULL,
 	"salt" "bytea" NOT NULL,
 	"hash" "bytea" NOT NULL,
@@ -13,13 +13,13 @@ CREATE TABLE "authentication"."credentials" (
 	"delete_timestamp" timestamp with time zone,
 	"attributes" jsonb DEFAULT '{}'::jsonb NOT NULL,
 	CONSTRAINT "credentials_tenant_id_id_pk" PRIMARY KEY("tenant_id","id"),
-	CONSTRAINT "credentials_tenant_id_subject_unique" UNIQUE("tenant_id","subject")
+	CONSTRAINT "credentials_tenant_id_subject_id_unique" UNIQUE("tenant_id","subject_id")
 );
 --> statement-breakpoint
 CREATE TABLE "authentication"."session" (
 	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
 	"tenant_id" uuid NOT NULL,
-	"subject" uuid NOT NULL,
+	"subject_id" uuid NOT NULL,
 	"begin" timestamp with time zone NOT NULL,
 	"end" timestamp with time zone NOT NULL,
 	"refresh_token_hash_version" integer NOT NULL,
@@ -96,8 +96,8 @@ CREATE TABLE "authentication"."user" (
 	CONSTRAINT "user_tenant_id_email_unique" UNIQUE("tenant_id","email")
 );
 --> statement-breakpoint
-ALTER TABLE "authentication"."credentials" ADD CONSTRAINT "credentials_id_subject_fkey" FOREIGN KEY ("tenant_id","subject") REFERENCES "authentication"."subject"("tenant_id","id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "authentication"."session" ADD CONSTRAINT "session_id_subject_fkey" FOREIGN KEY ("tenant_id","subject") REFERENCES "authentication"."subject"("tenant_id","id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "authentication"."credentials" ADD CONSTRAINT "credentials_id_subject_fkey" FOREIGN KEY ("tenant_id","subject_id") REFERENCES "authentication"."subject"("tenant_id","id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "authentication"."session" ADD CONSTRAINT "session_id_subject_fkey" FOREIGN KEY ("tenant_id","subject_id") REFERENCES "authentication"."subject"("tenant_id","id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "authentication"."service_account" ADD CONSTRAINT "service_account_id_subject_fkey" FOREIGN KEY ("tenant_id","parent") REFERENCES "authentication"."subject"("tenant_id","id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "authentication"."subject" ADD CONSTRAINT "subject_id_system_account_fkey" FOREIGN KEY ("tenant_id","system_account_id") REFERENCES "authentication"."system_account"("tenant_id","id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "authentication"."subject" ADD CONSTRAINT "subject_id_user_fkey" FOREIGN KEY ("tenant_id","user_id") REFERENCES "authentication"."user"("tenant_id","id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint

package/authentication/server/drizzle/meta/0000_snapshot.json

@@ -1,5 +1,5 @@
 {
-  "id": "9385eff0-25d7-4ef6-be4b-8019af0a1424",
+  "id": "685f89da-0f2a-4523-9cbc-c9daea5f70c2",
   "prevId": "00000000-0000-0000-0000-000000000000",
   "version": "7",
   "dialect": "postgresql",
@@ -21,8 +21,8 @@
           "primaryKey": false,
           "notNull": true
         },
-        "subject": {
-          "name": "subject",
+        "subject_id": {
+          "name": "subject_id",
           "type": "uuid",
           "primaryKey": false,
           "notNull": true
@@ -86,7 +86,7 @@
           "schemaTo": "authentication",
           "columnsFrom": [
             "tenant_id",
-            "subject"
+            "subject_id"
           ],
           "columnsTo": [
             "tenant_id",
@@ -106,12 +106,12 @@
         }
       },
       "uniqueConstraints": {
-        "credentials_tenant_id_subject_unique": {
-          "name": "credentials_tenant_id_subject_unique",
+        "credentials_tenant_id_subject_id_unique": {
+          "name": "credentials_tenant_id_subject_id_unique",
           "nullsNotDistinct": false,
           "columns": [
             "tenant_id",
-            "subject"
+            "subject_id"
           ]
         }
       },
@@ -136,8 +136,8 @@
           "primaryKey": false,
           "notNull": true
         },
-        "subject": {
-          "name": "subject",
+        "subject_id": {
+          "name": "subject_id",
           "type": "uuid",
           "primaryKey": false,
           "notNull": true
@@ -213,7 +213,7 @@
           "schemaTo": "authentication",
           "columnsFrom": [
             "tenant_id",
-            "subject"
+            "subject_id"
           ],
           "columnsTo": [
             "tenant_id",

package/authentication/server/drizzle/meta/_journal.json

@@ -5,8 +5,8 @@
     {
       "idx": 0,
       "version": "7",
-      "when": 1767838186408,
-      "tag": "0000_majestic_proudstar",
+      "when": 1767839299143,
+      "tag": "0000_normal_paper_doll",
       "breakpoints": true
     }
   ]

package/examples/document-management/main.js

@@ -28,6 +28,7 @@ import { configurePostgresQueue, migratePostgresQueueSchema } from '../../queue/
 import { configureDefaultSignalsImplementation } from '../../signals/implementation/configure.js';
 import { boolean, positiveInteger, string } from '../../utils/config-parser.js';
 import { TstdlCategoryParents, TstdlDocumentCategoryLabels, TstdlDocumentPropertyConfiguration, TstdlDocumentTypeCategories, TstdlDocumentTypeLabels, TstdlDocumentTypeProperties } from './categories-and-types.js';
+import { configurePostgresCircuitBreaker, migratePostgresCircuitBreaker } from '../../circuit-breaker/postgres/module.js';
 const config = {
     database: {
         host: string('DATABASE_HOST', '127.0.0.1'),
@@ -87,6 +88,7 @@ async function bootstrap() {
     const injector = inject(Injector);
     configureNodeHttpServer();
     configurePostgresQueue();
+    configurePostgresCircuitBreaker();
     configureLocalMessageBus();
     configureDefaultSignalsImplementation();
     configureGenkit({
@@ -134,8 +136,9 @@ async function bootstrap() {
         apiKey: config.ai.apiKey,
         keyFile: config.ai.keyFile,
     });
-    await runInInjectionContext(injector, async () => await migrateDocumentManagementSchema());
-    await runInInjectionContext(injector, async () => await migratePostgresQueueSchema());
+    await runInInjectionContext(injector, migrateDocumentManagementSchema);
+    await runInInjectionContext(injector, migratePostgresCircuitBreaker);
+    await runInInjectionContext(injector, migratePostgresQueueSchema);
 }
 async function main() {
     const tenantId = '00000000-0000-0000-0000-000000000000';

package/orm/sqls.d.ts

@@ -91,7 +91,7 @@ export declare function exclusiveNotNull(...columns: Column[]): SQL;
  *   that defines the default condition to apply when a `Column` is provided in `conditionMapping`.
  *   By default, it generates an `IS NOT NULL` check.
  */
-export declare function enumerationCaseWhen<T extends EnumerationObject>(enumeration: T, discriminator: Column, conditionMapping: Record<EnumerationValue<T>, Column | boolean | SQL>, defaultColumnCondition?: (column: Column) => SQL<unknown>): SQL;
+export declare function enumerationCaseWhen<T extends EnumerationObject>(enumeration: T, discriminator: Column, conditionMapping: Record<EnumerationValue<T>, Column | [Column, ...Column[]] | boolean | SQL>, defaultColumnCondition?: (column: [Column, ...Column[]]) => SQL<unknown> | undefined): SQL;
 export declare function array<T>(values: SQL<T>[]): SQL<T[]>;
 export declare function array<T = unknown>(values: SQLChunk[]): SQL<T[]>;
 export declare function autoAlias<T>(column: AnyColumn<{

package/orm/sqls.js

@@ -68,7 +68,7 @@ export function exclusiveNotNull(...columns) {
  *   that defines the default condition to apply when a `Column` is provided in `conditionMapping`.
  *   By default, it generates an `IS NOT NULL` check.
  */
-export function enumerationCaseWhen(enumeration, discriminator, conditionMapping, defaultColumnCondition = (column) => sqlIsNotNull(column)) {
+export function enumerationCaseWhen(enumeration, discriminator, conditionMapping, defaultColumnCondition = (column) => isArray(column) ? and(...column.map((col) => sqlIsNotNull(col))) : sqlIsNotNull(column)) {
     const whens = [];
     for (const [key, value] of objectEntries(conditionMapping)) {
         const condition = match(value)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tstdl/base",
-  "version": "0.93.84",
+  "version": "0.93.86",
   "author": "Patrick Hein",
   "publishConfig": {
     "access": "public"
@@ -145,7 +145,7 @@
   "peerDependencies": {
     "@genkit-ai/google-genai": "^1.27",
     "@google-cloud/storage": "^7.18",
-    "@google/genai": "^1.34",
+    "@google/genai": "^1.35",
     "@toon-format/toon": "^2.1.0",
     "@tstdl/angular": "^0.93",
     "@zxcvbn-ts/core": "^3.0",
@@ -174,7 +174,7 @@
     }
   },
   "devDependencies": {
-    "@stylistic/eslint-plugin": "5.6",
+    "@stylistic/eslint-plugin": "5.7",
     "@types/koa__router": "12.0",
     "@types/luxon": "3.7",
     "@types/mjml": "4.7",