@underpostnet/underpost 2.97.1 → 2.97.5

package/README.md

@@ -18,7 +18,7 @@
 
 <!-- badges -->
 
-[![Node.js CI](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/docker-image.yml) [![Test](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml) [![Downloads](https://img.shields.io/npm/dm/underpost.svg)](https://www.npmjs.com/package/underpost) [![Socket Badge](https://socket.dev/api/badge/npm/package/underpost/2.97.1)](https://socket.dev/npm/package/underpost/overview/2.97.1) [![Coverage Status](https://coveralls.io/repos/github/underpostnet/engine/badge.svg?branch=master)](https://coveralls.io/github/underpostnet/engine?branch=master) [![Version](https://img.shields.io/npm/v/underpost.svg)](https://www.npmjs.org/package/underpost) [![License](https://img.shields.io/npm/l/underpost.svg)](https://www.npmjs.com/package/underpost)
+[![Node.js CI](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/docker-image.yml) [![Test](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml) [![Downloads](https://img.shields.io/npm/dm/underpost.svg)](https://www.npmjs.com/package/underpost) [![Socket Badge](https://socket.dev/api/badge/npm/package/underpost/2.97.5)](https://socket.dev/npm/package/underpost/overview/2.97.5) [![Coverage Status](https://coveralls.io/repos/github/underpostnet/engine/badge.svg?branch=master)](https://coveralls.io/github/underpostnet/engine?branch=master) [![Version](https://img.shields.io/npm/v/underpost.svg)](https://www.npmjs.org/package/underpost) [![License](https://img.shields.io/npm/l/underpost.svg)](https://www.npmjs.com/package/underpost)
 
 <!-- end-badges -->
 
@@ -66,7 +66,7 @@ Run dev client server
 npm run dev
 ```
 <!-- -->
-## underpost ci/cd cli v2.97.1
+## underpost ci/cd cli v2.97.5
 
 ### Usage: `underpost [options] [command]`
   ```

package/cli.md

@@ -1,4 +1,4 @@
-## underpost ci/cd cli v2.97.1
+## underpost ci/cd cli v2.97.5
 
 ### Usage: `underpost [options] [command]`
   ```
@@ -589,6 +589,8 @@ Options:
   --paths <paths>                            Comma-separated list of paths to filter database operations.
   --ns <ns-name>                             Kubernetes namespace context for database operations (defaults to "default").
   --macro-rollback-export <n-commits-reset>  Exports a macro rollback script that reverts the last n commits (Git integration required).
+  --clean-fs-collection                      Cleans orphaned File documents from collections that are not referenced by any models.
+  --clean-fs-dry-run                         Dry run mode - shows what would be deleted without actually deleting (use with --clean-fs-collection).
   --dev                                      Sets the development cli context
   --kubeadm                                  Enables the kubeadm context for database operations.
   --kind                                     Enables the kind context for database operations.

package/conf.js

@@ -39,6 +39,7 @@ const DefaultConf = /**/ {
           'LogOut',
           'Router',
           'Account',
+          'PublicProfile',
           'Auth',
           'FullScreen',
           'RichText',
@@ -91,6 +92,7 @@ const DefaultConf = /**/ {
         { path: '/account', client: 'Default', ssr: 'Default' },
         { path: '/docs', client: 'Default', ssr: 'Default' },
         { path: '/recover', client: 'Default', ssr: 'Default' },
+        { path: '/u', client: 'Default', ssr: 'Default' },
         { path: '/default-management', client: 'Default', ssr: 'Default' },
         { client: 'Default', ssr: 'Default', path: '/404', title: '404 Not Found' },
         { client: 'Default', ssr: 'Default', path: '/500', title: '500 Server Error' },

package/manifests/deployment/dd-default-development/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-blue
-          image: localhost/rockylinux9-underpost:v2.97.1
+          image: localhost/rockylinux9-underpost:v2.97.5
           #          resources:
           #            requests:
           #              memory: "124Ki"
@@ -100,7 +100,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-green
-          image: localhost/rockylinux9-underpost:v2.97.1
+          image: localhost/rockylinux9-underpost:v2.97.5
           #          resources:
           #            requests:
           #              memory: "124Ki"

package/manifests/deployment/dd-test-development/deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-blue
-          image: localhost/rockylinux9-underpost:v2.97.1
+          image: localhost/rockylinux9-underpost:v2.97.5
 
           command:
             - /bin/sh
@@ -103,7 +103,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-green
-          image: localhost/rockylinux9-underpost:v2.97.1
+          image: localhost/rockylinux9-underpost:v2.97.5
 
           command:
             - /bin/sh

package/package.json

@@ -2,7 +2,7 @@
     "type": "module",
     "main": "src/index.js",
     "name": "@underpostnet/underpost",
-    "version": "2.97.1",
+    "version": "2.97.5",
     "description": "pwa api rest template",
     "scripts": {
         "start": "env-cmd -f .env.production node --max-old-space-size=8192 src/server",

package/src/api/core/core.service.js

@@ -8,11 +8,6 @@ const CoreService = {
   post: async (req, res, options) => {
     /** @type {import('./core.model.js').CoreModel} */
     const Core = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.Core;
-    if (req.path.startsWith('/sh')) {
-      if (req.body.stdout) return shellExec(req.body.sh, { stdout: true });
-      shellExec(req.body.sh, { async: true });
-      return 'Command "' + req.body.sh + '" running';
-    }
     return await new Core(req.body).save();
   },
   get: async (req, res, options) => {

package/src/api/default/default.service.js

@@ -1,5 +1,6 @@
 import { DataBaseProvider } from '../../db/DataBaseProvider.js';
 import { loggerFactory } from '../../server/logger.js';
+import { DataQuery } from '../../server/data-query.js';
 
 const logger = loggerFactory(import.meta);
 
@@ -13,12 +14,13 @@ const DefaultService = {
     /** @type {import('./default.model.js').DefaultModel} */
     const Default = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.Default;
     if (req.params.id) return await Default.findById(req.params.id);
-    const { query, page = 1, limit = 10, sort = { updatedAt: -1 } } = req.query;
-    const queryPayload = query ? JSON.parse(query) : {};
-    const skip = (page - 1) * limit;
+
+    // Parse query parameters using DataQuery helper
+    const { query, sort, skip, limit, page } = DataQuery.parse(req.query);
+
     const [data, total] = await Promise.all([
-      Default.find(queryPayload).sort(sort).limit(limit).skip(skip),
-      Default.countDocuments(queryPayload),
+      Default.find(query).sort(sort).limit(limit).skip(skip),
+      Default.countDocuments(query),
     ]);
 
     const totalPages = Math.ceil(total / limit);

package/src/api/document/document.model.js

@@ -60,7 +60,7 @@ const DocumentDto = {
       return {
         path: 'userId',
         model: 'User',
-        select: '_id email username profileImageId',
+        select: '_id email username profileImageId role briefDescription',
         populate: {
           path: 'profileImageId',
           model: 'File',

package/src/api/document/document.router.js

@@ -16,6 +16,11 @@ const DocumentRouter = (options) => {
   router.put(`/:id`, authMiddleware, async (req, res) => await DocumentController.put(req, res, options));
   router.put(`/`, authMiddleware, async (req, res) => await DocumentController.put(req, res, options));
   router.patch(`/:id/copy-share-link`, async (req, res) => await DocumentController.patch(req, res, options));
+  router.patch(
+    `/:id/toggle-public`,
+    authMiddleware,
+    async (req, res) => await DocumentController.patch(req, res, options),
+  );
   router.delete(`/:id`, authMiddleware, async (req, res) => await DocumentController.delete(req, res, options));
   router.delete(`/`, authMiddleware, async (req, res) => await DocumentController.delete(req, res, options));
   return router;

package/src/api/document/document.service.js

@@ -4,6 +4,7 @@ import { DocumentDto } from './document.model.js';
 import { uniqueArray } from '../../client/components/core/CommonJs.js';
 import { getBearerToken, verifyJWT } from '../../server/auth.js';
 import { isValidObjectId } from 'mongoose';
+import { FileCleanup } from '../file/file.service.js';
 
 const logger = loggerFactory(import.meta);
 
@@ -32,8 +33,6 @@ const DocumentService = {
     const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
 
     // High-query endpoint for typeahead search
-    // ============================================
-    // OPTIMIZATION GOAL: MAXIMIZE search results with MINIMUM match requirements
     //
     // Security Model:
     // - Unauthenticated users: CAN see public documents (isPublic=true) from publishers (admin/moderator)
@@ -111,6 +110,7 @@ const DocumentService = {
           .sort({ createdAt: -1 })
           .limit(limit)
           .select('_id title tags createdAt userId isPublic')
+          .populate(DocumentDto.populate.user())
           .lean();
 
         const sanitizedData = data.map((doc) => {
@@ -118,9 +118,23 @@ const DocumentService = {
             ...doc,
             tags: DocumentDto.filterPublicTag(doc.tags),
           };
+          // For unauthenticated users, only include user data if document is public AND creator is publisher
           if (!user || user.role === 'guest') {
-            const { userId, ...rest } = filteredDoc;
-            return rest;
+            const isPublisher = doc.userId && (doc.userId.role === 'admin' || doc.userId.role === 'moderator');
+            if (!doc.isPublic || !isPublisher) {
+              const { userId, ...rest } = filteredDoc;
+              return rest;
+            }
+            // Remove role field from userId before sending to client
+            if (filteredDoc.userId && filteredDoc.userId.role) {
+              const { role, ...userWithoutRole } = filteredDoc.userId;
+              filteredDoc.userId = userWithoutRole;
+            }
+          }
+          // Remove role field from userId before sending to client (authenticated users)
+          if (filteredDoc.userId && filteredDoc.userId.role) {
+            const { role, ...userWithoutRole } = filteredDoc.userId;
+            filteredDoc.userId = userWithoutRole;
           }
           return filteredDoc;
         });
@@ -233,18 +247,27 @@ const DocumentService = {
         .sort({ createdAt: -1 })
         .limit(limit)
         .select('_id title tags createdAt userId isPublic')
+        .populate(DocumentDto.populate.user())
         .lean();
 
-      // Sanitize response - remove userId for public users and filter 'public' from tags
+      // Sanitize response - include userId for public documents from publishers, filter 'public' from tags
       const sanitizedData = data.map((doc) => {
         const filteredDoc = {
           ...doc,
           tags: DocumentDto.filterPublicTag(doc.tags),
         };
+        // For unauthenticated users, only include user data if document is public AND creator is publisher
         if (!user || user.role === 'guest') {
-          // Remove userId from response for unauthenticated users
-          const { userId, ...rest } = filteredDoc;
-          return rest;
+          const isPublisher = doc.userId && (doc.userId.role === 'admin' || doc.userId.role === 'moderator');
+          if (!doc.isPublic || !isPublisher) {
+            const { userId, ...rest } = filteredDoc;
+            return rest;
+          }
+        }
+        // Remove role field from userId before sending to client (all users)
+        if (filteredDoc.userId && filteredDoc.userId.role) {
+          const { role, ...userWithoutRole } = filteredDoc.userId;
+          filteredDoc.userId = userWithoutRole;
         }
         return filteredDoc;
       });
@@ -330,16 +353,22 @@ const DocumentService = {
       } else {
         // Unauthenticated user: only public documents from publishers
         // If 'public' tag requested, it's redundant but handled by isPublic: true
-        queryPayload = {
-          userId: { $in: publisherUsers.map((p) => p._id) },
-          isPublic: true,
-          ...(requestedTags.length > 0 ? { tags: { $all: requestedTags } } : {}),
-        };
+        // When cid is provided, we relax the publisher filter and check in post-processing
+        const cidList = req.query.cid ? req.query.cid.split(',').filter((cid) => isValidObjectId(cid)) : null;
 
-        // Add cid filter if present
-        if (req.query.cid) {
-          queryPayload._id = {
-            $in: req.query.cid.split(',').filter((cid) => isValidObjectId(cid)),
+        if (cidList && cidList.length > 0) {
+          // For cid queries, just filter by public and tags, check publisher in post-processing
+          queryPayload = {
+            _id: { $in: cidList },
+            isPublic: true,
+            ...(requestedTags.length > 0 ? { tags: { $all: requestedTags } } : {}),
+          };
+        } else {
+          // For non-cid queries, filter by publisher at query level
+          queryPayload = {
+            userId: { $in: publisherUsers.map((p) => p._id) },
+            isPublic: true,
+            ...(requestedTags.length > 0 ? { tags: { $all: requestedTags } } : {}),
           };
         }
       }
@@ -358,29 +387,43 @@ const DocumentService = {
       // sort in descending (-1) order by length
       const sort = { createdAt: -1 };
 
+      // Populate user data for authenticated users OR for public documents from publishers
+      // This allows unauthenticated users to see creator profiles on public content
+      const shouldPopulateUser = user && user.role !== 'guest';
+      // Check if query contains public documents (either in $or array or flat query)
+      const hasPublicDocuments =
+        queryPayload.isPublic === true ||
+        queryPayload.$or?.some(
+          (condition) => condition.isPublic === true || (condition.userId && condition.isPublic === true),
+        );
+
       const data = await Document.find(queryPayload)
         .sort(sort)
         .limit(limit)
         .skip(skip)
         .populate(DocumentDto.populate.file())
         .populate(DocumentDto.populate.mdFile())
-        .populate(user && user.role !== 'guest' ? DocumentDto.populate.user() : null);
+        .populate(shouldPopulateUser || hasPublicDocuments ? DocumentDto.populate.user() : null);
 
       const lastDoc = await Document.findOne(queryPayload, '_id').sort({ createdAt: 1 });
       const lastId = lastDoc ? lastDoc._id : null;
 
-      // Add totalCopyShareLinkCount to each document and filter 'public' from tags
-      const dataWithCounts = data.map((doc) => {
-        const docObj = doc.toObject ? doc.toObject() : doc;
-        return {
-          ...docObj,
-          tags: DocumentDto.filterPublicTag(docObj.tags),
-          totalCopyShareLinkCount: DocumentDto.getTotalCopyShareLinkCount(doc),
-        };
-      });
-
       return {
-        data: dataWithCounts,
+        data: data.map((doc) => {
+          const docObj = doc.toObject ? doc.toObject() : doc;
+          let userInfo = docObj.userId;
+          const isPublisher = userInfo && (userInfo.role === 'admin' || userInfo.role === 'moderator');
+          const isOwnDoc = user && user._id.toString() === docObj.userId._id.toString();
+          if ((!docObj.isPublic || !isPublisher) && !isOwnDoc) userInfo = undefined;
+          return {
+            ...docObj,
+            role: undefined,
+            email: undefined,
+            userId: userInfo,
+            tags: DocumentDto.filterPublicTag(docObj.tags),
+            totalCopyShareLinkCount: DocumentDto.getTotalCopyShareLinkCount(doc),
+          };
+        }),
         lastId,
       };
     }
@@ -398,8 +441,17 @@ const DocumentService = {
         // Add totalCopyShareLinkCount to each document and filter 'public' from tags
         return data.map((doc) => {
           const docObj = doc.toObject ? doc.toObject() : doc;
+
+          // Remove role field from userId before sending to client
+          let userInfo = docObj.userId;
+          if (userInfo && userInfo.role) {
+            const { role, ...userWithoutRole } = userInfo;
+            userInfo = userWithoutRole;
+          }
+
           return {
             ...docObj,
+            userId: userInfo,
             tags: DocumentDto.filterPublicTag(docObj.tags),
             totalCopyShareLinkCount: DocumentDto.getTotalCopyShareLinkCount(doc),
           };
@@ -420,15 +472,12 @@ const DocumentService = {
 
         if (document.userId.toString() !== req.auth.user._id) throw new Error('invalid user');
 
-        if (document.mdFileId) {
-          const file = await File.findOne({ _id: document.mdFileId });
-          if (file) await File.findByIdAndDelete(document.mdFileId);
-        }
-
-        if (document.fileId) {
-          const file = await File.findOne({ _id: document.fileId });
-          if (file) await File.findByIdAndDelete(document.fileId);
-        }
+        // Clean up all associated files
+        await FileCleanup.deleteDocumentFiles({
+          doc: document,
+          fileFields: ['fileId', 'mdFileId'],
+          File,
+        });
 
         return await Document.findByIdAndDelete(req.params.id);
       }
@@ -445,15 +494,13 @@ const DocumentService = {
         const document = await Document.findOne({ _id: req.params.id });
         if (!document) throw new Error(`Document not found`);
 
-        if (document.mdFileId) {
-          const file = await File.findOne({ _id: document.mdFileId });
-          if (file) await File.findByIdAndDelete(document.mdFileId);
-        }
-
-        if (document.fileId) {
-          const file = await File.findOne({ _id: document.fileId });
-          if (file) await File.findByIdAndDelete(document.fileId);
-        }
+        // Clean up old files if they are being replaced
+        await FileCleanup.cleanupReplacedFiles({
+          oldDoc: document,
+          newData: req.body,
+          fileFields: ['fileId', 'mdFileId'],
+          File,
+        });
 
         // Extract 'public' from tags and set isPublic field on update
         const { isPublic, tags } = DocumentDto.extractPublicFromTags(req.body.tags);
@@ -468,6 +515,17 @@ const DocumentService = {
     /** @type {import('./document.model.js').DocumentModel} */
     const Document = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.Document;
 
+    if (req.path.includes('/toggle-public')) {
+      const document = await Document.findById(req.params.id);
+      if (!document) throw new Error('Document not found');
+
+      // Toggle the isPublic field
+      document.isPublic = !document.isPublic;
+      await document.save();
+
+      return { _id: document._id, isPublic: document.isPublic };
+    }
+
     if (req.path.includes('/copy-share-link')) {
       const document = await Document.findById(req.params.id);
       if (!document) throw new Error('Document not found');

package/src/api/file/file.model.js

@@ -1,10 +1,23 @@
+/**
+ * File model and schema definitions for MongoDB/Mongoose.
+ * Provides the File schema, model, and Data Transfer Object (DTO) for file operations.
+ *
+ * @module src/api/file/file.model.js
+ * @namespace FileModelServer
+ */
+
 import { Schema, model } from 'mongoose';
 
+/**
+ * Mongoose schema definition for File documents.
+ * @type {Schema}
+ * @memberof FileModelServer
+ */
 const FileSchema = new Schema({
-  name: { type: String },
-  data: { type: Buffer },
+  name: { type: String, required: true },
+  data: { type: Buffer, required: true },
   size: { type: Number },
-  encoding: { type: String },
+  encoding: { type: String, default: 'utf-8' },
   tempFilePath: { type: String },
   truncated: { type: Boolean },
   mimetype: { type: String },
@@ -12,8 +25,103 @@ const FileSchema = new Schema({
   cid: { type: String },
 });
 
+/**
+ * Mongoose model for File documents.
+ * @type {import('mongoose').Model}
+ * @memberof FileModelServer
+ */
 const FileModel = model('File', FileSchema);
 
+/**
+ * Provider schema alias for File schema.
+ * Used for database provider compatibility.
+ * @type {Schema}
+ * @memberof FileModelServer
+ */
 const ProviderSchema = FileSchema;
 
-export { FileSchema, FileModel, ProviderSchema };
+/**
+ * File Data Transfer Object (DTO) for the model layer.
+ * Provides core transformation methods for file documents including metadata extraction,
+ * full document conversion, and filename normalization utilities.
+ * @namespace FileModelServer.FileModelDto
+ * @memberof FileModelServer
+ */
+const FileModelDto = {
+  /**
+   * Returns file metadata only (no buffer data).
+   * Used for list responses and API integration.
+   * @function toMetadata
+   * @memberof FileModelServer.FileModelDto
+   * @param {Object} file - File document from database.
+   * @returns {Object|null} File metadata object, or null if file is falsy.
+   */
+  toMetadata: (file) => {
+    if (!file) return null;
+    return {
+      _id: file._id,
+      name: file.name || '',
+      mimetype: file.mimetype || 'application/octet-stream',
+      size: file.size || 0,
+      md5: file.md5 || '',
+      cid: file.cid || '',
+      createdAt: file.createdAt,
+      updatedAt: file.updatedAt,
+    };
+  },
+
+  /**
+   * Returns file with complete data.
+   * Used only when explicitly requested (e.g., file/blob endpoint).
+   * @function toFull
+   * @memberof FileModelServer.FileModelDto
+   * @param {Object} file - File document from database.
+   * @returns {Object|null} Complete file object with buffer data, or null if file is falsy.
+   */
+  toFull: (file) => {
+    if (!file) return null;
+    return {
+      _id: file._id,
+      name: file.name || '',
+      mimetype: file.mimetype || 'application/octet-stream',
+      size: file.size || 0,
+      md5: file.md5 || '',
+      cid: file.cid || '',
+      data: file.data,
+      encoding: file.encoding || 'utf-8',
+      createdAt: file.createdAt,
+      updatedAt: file.updatedAt,
+    };
+  },
+
+  /**
+   * Transforms array of files to metadata only.
+   * @function toMetadataArray
+   * @memberof FileModelServer.FileModelDto
+   * @param {Array} files - Array of file documents.
+   * @returns {Array} Array of file metadata objects.
+   */
+  toMetadataArray: (files) => {
+    if (!Array.isArray(files)) return [];
+    return files.map((file) => FileModelDto.toMetadata(file));
+  },
+
+  /**
+   * Ensures UTF-8 encoding for filenames.
+   * Fixes issues with special characters (e.g., ñ, é, ü).
+   * @function normalizeFilename
+   * @memberof FileModelServer.FileModelDto
+   * @param {string} filename - Raw filename from upload.
+   * @returns {string} UTF-8 encoded filename.
+   */
+  normalizeFilename: (filename) => {
+    if (!filename) return '';
+    // Ensure string and normalize to UTF-8
+    let normalized = String(filename);
+    // Replace any incorrectly encoded sequences
+    normalized = Buffer.from(normalized, 'utf8').toString('utf8');
+    return normalized;
+  },
+};
+
+export { FileSchema, FileModel, ProviderSchema, FileModelDto };

package/src/api/file/file.ref.json

@@ -0,0 +1,42 @@
+[
+  {
+    "api": "company",
+    "model": {
+      "logo": true
+    }
+  },
+  {
+    "api": "cyberia-biome",
+    "model": {
+      "fileId": true,
+      "topLevelColorFileId": true
+    }
+  },
+  {
+    "api": "cyberia-tile",
+    "model": {
+      "fileId": true
+    }
+  },
+  {
+    "api": "cyberia-world",
+    "model": {
+      "adjacentFace": {
+        "fileId": true
+      }
+    }
+  },
+  {
+    "api": "document",
+    "model": {
+      "fileId": true,
+      "mdFileId": true
+    }
+  },
+  {
+    "api": "user",
+    "model": {
+      "profileImageId": true
+    }
+  }
+]