aegisnode 0.0.2 → 0.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aegisnode",
-  "version": "0.0.2",
+  "version": "0.0.4",
   "description": "A view-first Node.js framework for modular web apps and JSON APIs with CLI scaffolding, runtime injection, auth, uploads, i18n, mail, and WebSocket support.",
   "type": "module",
   "main": "./src/index.js",
@@ -16,7 +16,6 @@
     "test": "node ./scripts/smoke-test.js"
   },
   "files": [
-    "assets",
     "bin",
     "src",
     "scripts",
@@ -38,7 +37,11 @@
     "uploads",
     "websocket"
   ],
-  "author": "",
+  "author": "jason90 <sidiki90@gmail.com>",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/jason09/aegisnode.git"
+  },
   "license": "MIT",
   "dependencies": {
     "ejs": "^3.1.10",

package/scripts/smoke-test.js

@@ -10,6 +10,7 @@ import { createApp } from '../src/cli/commands/createapp.js';
 import { generateArtifact } from '../src/cli/commands/generate.js';
 import { createKernel } from '../src/runtime/kernel.js';
 import { runServer } from '../src/cli/commands/runserver.js';
+import { runGenerateLoader } from '../src/cli/commands/generateloader.js';
 import { runProject } from '../src/index.js';
 import { createAuthManager, normalizeAuthConfig } from '../src/runtime/auth.js';
 import { loadProjectConfig } from '../src/runtime/config.js';
@@ -137,8 +138,10 @@ async function main() {
   await startProject({ projectName, cwd: sandboxRoot });
   const generatedProjectEnv = await fs.readFile(path.join(projectRoot, '.env'), 'utf8');
   assert.match(generatedProjectEnv, /^APP_SECRET=.{16,}$/m);
+  const generatedAppSecret = generatedProjectEnv.match(/^APP_SECRET=(.+)$/m)?.[1]?.trim();
+  assert.ok(generatedAppSecret);
   const generatedSettings = await fs.readFile(path.join(projectRoot, 'settings.js'), 'utf8');
-  assert.match(generatedSettings, /appSecret:\s*process\.env\.APP_SECRET\s*\|\|\s*''/);
+  assert.ok(generatedSettings.includes(`appSecret: process.env.APP_SECRET || ${JSON.stringify(generatedAppSecret)}`));
   await assert.rejects(
     () => runProject({
       rootDir: projectRoot,
@@ -404,6 +407,74 @@ dkcqnJD4SGWVeG+KhA==
     await fs.access(filePath);
   }
 
+  await fs.unlink(path.join(projectRoot, 'app.js'));
+  await fs.unlink(path.join(projectRoot, 'loader.cjs'));
+  const restoredStartupEntries = await runGenerateLoader({
+    projectRoot,
+    output: {
+      log() {},
+    },
+  });
+  assert.equal(restoredStartupEntries.createdApp, true);
+  assert.equal(restoredStartupEntries.createdLoader, true);
+  await fs.access(path.join(projectRoot, 'app.js'));
+  await fs.access(path.join(projectRoot, 'loader.cjs'));
+
+  await fs.writeFile(
+    path.join(envProjectRoot, 'settings.js'),
+    `export default {
+  appName: 'envdemo',
+  env: 'production',
+  logging: {
+    level: 'info',
+  },
+  security: {
+    appSecret: process.env.APP_SECRET || '',
+    ddos: {
+      maxRequests: 120,
+    },
+  },
+  environments: {
+    default: {
+      security: {
+        ddos: {
+          windowMs: 45000,
+        },
+      },
+    },
+    production: {
+      logging: { level: 'warn' },
+      security: { ddos: { maxRequests: 80 } },
+    },
+  },
+};
+`,
+    'utf8',
+  );
+  await fs.unlink(path.join(envProjectRoot, 'loader.cjs'));
+  const missingLoaderDoctorReport = await runDoctor({
+    projectRoot: envProjectRoot,
+    failOnError: false,
+    output: {
+      log() {},
+    },
+  });
+  assert.equal(missingLoaderDoctorReport.summary.errors, 1);
+  assert.ok(
+    missingLoaderDoctorReport.entries.some((entry) => (
+      entry.level === 'ERROR'
+      && /loader\.cjs is missing for production startup/.test(entry.message)
+    )),
+  );
+  const restoredProductionLoader = await runGenerateLoader({
+    projectRoot: envProjectRoot,
+    output: {
+      log() {},
+    },
+  });
+  assert.equal(restoredProductionLoader.createdLoader, true);
+  await fs.access(path.join(envProjectRoot, 'loader.cjs'));
+
   const registryPackages = new Map([
     ['alpha', '2.0.0'],
     ['@scope/bravo', '3.4.0'],
@@ -1288,7 +1359,7 @@ export default {
   );
   await fs.writeFile(
     path.join(projectRoot, 'routes.js'),
-    `export default {\n  register(route) {\n    route.get('/csrf-token', (req, res) => {\n      res.json({ token: req.csrfToken() });\n    });\n\n    route.get('/csrf-form', (req, res) => {\n      return res.render('csrf-form', { layout: false });\n    });\n\n    route.post('/submit', (req, res) => {\n      res.json({ ok: true, body: req.body || {} });\n    });\n  },\n};\n`,
+    `export default {\n  register(route) {\n    route.get('/csrf-token', (req, res) => {\n      res.json({ token: req.csrfToken() });\n    });\n\n    route.get('/csrf-form', (req, res) => {\n      return res.render('csrf-form', { layout: false });\n    });\n\n    route.post('/submit', (req, res) => {\n      res.json({ ok: true, body: req.body || {} });\n    });\n\n    route.post('/submit-upload', route.upload.none(), (req, res) => {\n      res.json({ ok: true, body: req.body || {} });\n    });\n  },\n};\n`,
     'utf8',
   );
 
@@ -1361,6 +1432,32 @@ export default {
   assert.equal(validJsonTokenJson.ok, true);
   assert.equal(validJsonTokenJson.body.name, 'json-with-token');
 
+  const missingMultipartTokenBody = new FormData();
+  missingMultipartTokenBody.set('name', 'multipart-without-token');
+  const missingMultipartTokenResponse = await fetch(`http://127.0.0.1:${csrfPort}/submit-upload`, {
+    method: 'POST',
+    headers: {
+      cookie: csrfCookie,
+    },
+    body: missingMultipartTokenBody,
+  });
+  assert.equal(missingMultipartTokenResponse.status, 403);
+
+  const validMultipartTokenBody = new FormData();
+  validMultipartTokenBody.set('_csrf', csrfTokenJson.token);
+  validMultipartTokenBody.set('name', 'multipart-with-token');
+  const validMultipartTokenResponse = await fetch(`http://127.0.0.1:${csrfPort}/submit-upload`, {
+    method: 'POST',
+    headers: {
+      cookie: csrfCookie,
+    },
+    body: validMultipartTokenBody,
+  });
+  assert.equal(validMultipartTokenResponse.status, 200);
+  const validMultipartTokenJson = await validMultipartTokenResponse.json();
+  assert.equal(validMultipartTokenJson.ok, true);
+  assert.equal(validMultipartTokenJson.body.name, 'multipart-with-token');
+
   const csrfFormResponse = await fetch(`http://127.0.0.1:${csrfPort}/csrf-form`, {
     headers: {
       cookie: csrfCookie,

package/src/cli/commands/doctor.js

@@ -70,6 +70,30 @@ async function runAppChecks(rootDir, config, collector) {
   }
 }
 
+async function runStartupEntryChecks(rootDir, config, collector) {
+  const env = String(config.env || process.env.NODE_ENV || 'development').trim().toLowerCase();
+  const appEntryPath = path.join(rootDir, 'app.js');
+  const loaderEntryPath = path.join(rootDir, 'loader.cjs');
+  const appEntryExists = await fileExists(appEntryPath);
+  const loaderEntryExists = await fileExists(loaderEntryPath);
+
+  if (appEntryExists) {
+    collector.ok('app.js exists.');
+  } else if (env === 'production') {
+    collector.error('app.js is missing for production startup. Run "aegisnode generateloader" to restore startup entry files.');
+  } else {
+    collector.warn('app.js is missing. Run "aegisnode generateloader" to restore startup entry files.');
+  }
+
+  if (loaderEntryExists) {
+    collector.ok('loader.cjs exists.');
+  } else if (env === 'production') {
+    collector.error('loader.cjs is missing for production startup. Run "aegisnode generateloader" to restore it.');
+  } else {
+    collector.warn('loader.cjs is missing. Generate it with "aegisnode generateloader" before non-development startup.');
+  }
+}
+
 function runSecurityChecks(config, collector) {
   const env = String(config.env || process.env.NODE_ENV || 'development');
   const security = config.security || {};
@@ -179,6 +203,7 @@ export async function runDoctor({
   collector.ok(`Environment: ${config.env || 'development'}`);
 
   await runAppChecks(resolvedRoot, config, collector);
+  await runStartupEntryChecks(resolvedRoot, config, collector);
   runSecurityChecks(config, collector);
   runAuthChecks(config, collector);
   runApiChecks(config, collector);

package/src/cli/commands/generateloader.js

@@ -0,0 +1,37 @@
+import path from 'path';
+import { exists, writeFile } from '../utils/fs.js';
+import { resolveProjectRoot } from '../utils/project.js';
+import { renderProjectAppJs, renderProjectLoaderCjs } from '../utils/scaffolds.js';
+
+async function ensureStartupFile(rootDir, fileName, content, output) {
+  const target = path.join(rootDir, fileName);
+  if (await exists(target)) {
+    output.log(`${fileName} already exists.`);
+    return false;
+  }
+
+  await writeFile(target, content);
+  output.log(`Generated ${fileName}.`);
+  return true;
+}
+
+export async function runGenerateLoader({
+  projectRoot,
+  output = console,
+} = {}) {
+  const resolvedRoot = await resolveProjectRoot(projectRoot || process.cwd());
+  const createdApp = await ensureStartupFile(resolvedRoot, 'app.js', renderProjectAppJs(), output);
+  const createdLoader = await ensureStartupFile(resolvedRoot, 'loader.cjs', renderProjectLoaderCjs(), output);
+
+  if (!createdApp && !createdLoader) {
+    output.log(`Startup entry files already exist in ${resolvedRoot}`);
+  } else {
+    output.log(`Startup entry files are ready in ${resolvedRoot}`);
+  }
+
+  return {
+    rootDir: resolvedRoot,
+    createdApp,
+    createdLoader,
+  };
+}

package/src/cli/commands/startproject.js

@@ -53,7 +53,7 @@ async function createBaseProjectFiles(projectRoot, projectName) {
   await writeFile(path.join(projectRoot, '.env'), renderProjectEnv(appSecret));
   await writeFile(path.join(projectRoot, '.env.example'), renderEnvExample());
 
-  await writeFile(path.join(projectRoot, 'settings.js'), renderProjectSettings(projectName, apps));
+  await writeFile(path.join(projectRoot, 'settings.js'), renderProjectSettings(projectName, apps, appSecret));
   await writeFile(path.join(projectRoot, 'routes.js'), renderProjectRoutes());
 }
 

package/src/cli/index.js

@@ -4,6 +4,7 @@ import { runServer } from './commands/runserver.js';
 import { generateArtifact } from './commands/generate.js';
 import { runDoctor } from './commands/doctor.js';
 import { runUpdateDependencies } from './commands/updatedeps.js';
+import { runGenerateLoader } from './commands/generateloader.js';
 
 function printHelp() {
   console.log(`AegisNode CLI
@@ -13,6 +14,7 @@ Usage:
   aegisnode createapp <app-name> [--project <path>] [--mount </path>]
   aegisnode generate <type> <name> --app <app-name> [--project <path>]
   aegisnode runserver [--project <path>] [--port <number>]
+  aegisnode generateloader [--project <path>]
   aegisnode doctor [--project <path>]
   aegisnode updatedeps [--project <path>]
 
@@ -24,6 +26,7 @@ Examples:
   aegisnode createapp users
   aegisnode generate view user --app users
   aegisnode generate validator user --app users
+  aegisnode generateloader --project blog
   aegisnode updatedeps --project blog
 `);
 }
@@ -126,6 +129,14 @@ export async function runCli(argv) {
       return;
     }
 
+    case 'generateloader':
+    case 'loader': {
+      await runGenerateLoader({
+        projectRoot: flags.project ? String(flags.project) : process.cwd(),
+      });
+      return;
+    }
+
     case 'updatedeps': {
       await runUpdateDependencies({
         projectRoot: flags.project ? String(flags.project) : process.cwd(),

package/src/cli/utils/scaffolds.js

@@ -53,7 +53,7 @@ export function renderProjectLoaderCjs() {
 `;
 }
 
-export function renderProjectSettings(projectName, apps) {
+export function renderProjectSettings(projectName, apps, appSecret = '') {
   return `export default {
   appName: '${projectName}',
   env: process.env.NODE_ENV || 'development',
@@ -61,8 +61,9 @@ export function renderProjectSettings(projectName, apps) {
   port: process.env.PORT ? Number(process.env.PORT) : 3000,
   trustProxy: false,
   security: {
-    // Loaded from .env by default. Replace or rotate APP_SECRET in production.
-    appSecret: process.env.APP_SECRET || '',
+    // Loaded from .env by default. Scaffold also embeds the generated secret as a fallback.
+    // Replace or rotate APP_SECRET in production.
+    appSecret: process.env.APP_SECRET || ${JSON.stringify(appSecret)},
   },
   logging: {
     level: process.env.LOG_LEVEL || 'info',

package/src/runtime/kernel.js

@@ -3148,6 +3148,16 @@ function attachCsrfProtection(expressApp, config, logger, auth = null) {
     }
 
     const provided = extractCsrfToken(req, csrfConfig);
+    if (!provided && isMultipartRequestContentType(req.headers?.['content-type'])) {
+      req.aegis = req.aegis || {};
+      req.aegis.csrf = {
+        deferredMultipart: true,
+        fieldName: csrfConfig.fieldName,
+        token,
+      };
+      return next();
+    }
+
     if (!provided || !constantTimeEqual(provided, token)) {
       return res.status(403).json({ error: 'CSRF token missing or invalid' });
     }

package/src/runtime/upload.js

@@ -120,6 +120,47 @@ function createUploadError(code, message, statusCode) {
   return error;
 }
 
+function constantTimeEqual(left, right) {
+  if (typeof left !== 'string' || typeof right !== 'string') {
+    return false;
+  }
+
+  const a = Buffer.from(left);
+  const b = Buffer.from(right);
+  if (a.length !== b.length) {
+    return false;
+  }
+
+  try {
+    return crypto.timingSafeEqual(a, b);
+  } catch {
+    return false;
+  }
+}
+
+function validateDeferredMultipartCsrf(req) {
+  const csrfState = req?.aegis?.csrf;
+  if (!csrfState || csrfState.deferredMultipart !== true) {
+    return null;
+  }
+
+  const expected = typeof csrfState.token === 'string' ? csrfState.token : '';
+  const fieldName = typeof csrfState.fieldName === 'string' && csrfState.fieldName.length > 0
+    ? csrfState.fieldName
+    : '_csrf';
+  const provided = req?.body && typeof req.body === 'object'
+    ? req.body[fieldName]
+    : '';
+
+  delete req.aegis.csrf;
+
+  if (!expected || typeof provided !== 'string' || !constantTimeEqual(provided, expected)) {
+    return createUploadError('AEGIS_CSRF_INVALID', 'CSRF token missing or invalid', 403);
+  }
+
+  return null;
+}
+
 function resolveUploadError(error) {
   if (!error) {
     return null;
@@ -207,6 +248,13 @@ function wrapUploadMiddleware(middleware) {
   return (req, res, next) => {
     middleware(req, res, (error) => {
       if (!error) {
+        const csrfError = validateDeferredMultipartCsrf(req);
+        if (csrfError) {
+          res.status(csrfError.statusCode || 403).json({
+            error: csrfError.message || 'CSRF token missing or invalid',
+          });
+          return;
+        }
         next();
         return;
       }

package/assets/aegisnode-banner.svg

@@ -1,66 +0,0 @@
-<svg width="1600" height="520" viewBox="0 0 1600 520" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <defs>
-    <linearGradient id="banner-bg" x1="0" y1="0" x2="1600" y2="520" gradientUnits="userSpaceOnUse">
-      <stop stop-color="#0E1737"/>
-      <stop offset="0.5" stop-color="#103C70"/>
-      <stop offset="1" stop-color="#14A49F"/>
-    </linearGradient>
-    <linearGradient id="glow" x1="224" y1="80" x2="496" y2="352" gradientUnits="userSpaceOnUse">
-      <stop stop-color="#FFFFFF" stop-opacity="0.9"/>
-      <stop offset="1" stop-color="#D5EAFF" stop-opacity="0.75"/>
-    </linearGradient>
-    <linearGradient id="line" x1="184" y1="315" x2="392" y2="162" gradientUnits="userSpaceOnUse">
-      <stop stop-color="#0E4E8A"/>
-      <stop offset="1" stop-color="#1AA7A1"/>
-    </linearGradient>
-    <filter id="soft" x="0" y="0" width="1600" height="520" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
-      <feGaussianBlur stdDeviation="0"/>
-    </filter>
-  </defs>
-
-  <rect width="1600" height="520" rx="40" fill="url(#banner-bg)"/>
-
-  <g opacity="0.22" stroke="#A5D7FF" stroke-width="1.4">
-    <path d="M0 90H1600"/>
-    <path d="M0 150H1600"/>
-    <path d="M0 210H1600"/>
-    <path d="M0 270H1600"/>
-    <path d="M0 330H1600"/>
-    <path d="M0 390H1600"/>
-    <path d="M0 450H1600"/>
-  </g>
-
-  <circle cx="1280" cy="160" r="170" fill="#7EC8FF" fill-opacity="0.12"/>
-  <circle cx="1430" cy="390" r="210" fill="#44E0D0" fill-opacity="0.1"/>
-
-  <g filter="url(#soft)">
-    <path d="M288 78L431 135V257C431 341 370 411 288 460C206 411 145 341 145 257V135L288 78Z" fill="url(#glow)"/>
-    <path d="M288 100L409 149V251C409 324 358 386 288 425C218 386 167 324 167 251V149L288 100Z" fill="#E9F4FF"/>
-
-    <g stroke="url(#line)" stroke-width="18" stroke-linecap="round" stroke-linejoin="round">
-      <path d="M200 349L288 190L376 349"/>
-      <path d="M239 285H337"/>
-      <path d="M201 349H376"/>
-    </g>
-
-    <g fill="#0B2A50">
-      <circle cx="200" cy="349" r="16"/>
-      <circle cx="288" cy="190" r="16"/>
-      <circle cx="376" cy="349" r="16"/>
-    </g>
-  </g>
-
-  <g fill="#EAF5FF">
-    <text x="520" y="226" font-family="Segoe UI, Trebuchet MS, Arial, sans-serif" font-size="118" font-weight="700" letter-spacing="0.6">AegisNode</text>
-    <text x="525" y="296" font-family="Segoe UI, Trebuchet MS, Arial, sans-serif" font-size="38" font-weight="500" fill="#CDE8FF">
-      View-first Node.js framework starter
-    </text>
-  </g>
-
-  <g>
-    <rect x="523" y="333" width="510" height="58" rx="14" fill="#0E2D57" fill-opacity="0.78"/>
-    <text x="552" y="372" font-family="Segoe UI, Trebuchet MS, Arial, sans-serif" font-size="28" font-weight="600" fill="#8FE6DA">
-      CLI | DI | Events | SQL/NoSQL | WebSocket
-    </text>
-  </g>
-</svg>

package/assets/aegisnode-icon.svg

@@ -1,43 +0,0 @@
-<svg width="512" height="512" viewBox="0 0 512 512" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <defs>
-    <linearGradient id="bg" x1="44" y1="36" x2="474" y2="496" gradientUnits="userSpaceOnUse">
-      <stop stop-color="#0F1B3D"/>
-      <stop offset="0.55" stop-color="#0F4C81"/>
-      <stop offset="1" stop-color="#14A4A0"/>
-    </linearGradient>
-    <linearGradient id="shield" x1="256" y1="98" x2="256" y2="394" gradientUnits="userSpaceOnUse">
-      <stop stop-color="#F8FAFF" stop-opacity="0.98"/>
-      <stop offset="1" stop-color="#D5E9FF" stop-opacity="0.94"/>
-    </linearGradient>
-    <linearGradient id="accent" x1="175" y1="309" x2="340" y2="189" gradientUnits="userSpaceOnUse">
-      <stop stop-color="#0E4E8A"/>
-      <stop offset="1" stop-color="#1AA7A1"/>
-    </linearGradient>
-  </defs>
-
-  <rect x="20" y="20" width="472" height="472" rx="116" fill="url(#bg)"/>
-
-  <g opacity="0.2" stroke="#9FD4FF" stroke-width="1.2">
-    <path d="M80 138H432"/>
-    <path d="M80 188H432"/>
-    <path d="M80 238H432"/>
-    <path d="M80 288H432"/>
-    <path d="M80 338H432"/>
-    <path d="M80 388H432"/>
-  </g>
-
-  <path d="M256 94L366 138V232C366 296 319 350 256 388C193 350 146 296 146 232V138L256 94Z" fill="url(#shield)"/>
-  <path d="M256 111L351 149V228C351 285 311 334 256 366C201 334 161 285 161 228V149L256 111Z" fill="#E9F4FF"/>
-
-  <g stroke="url(#accent)" stroke-width="14" stroke-linecap="round" stroke-linejoin="round">
-    <path d="M189 304L256 182L323 304"/>
-    <path d="M218 254H294"/>
-    <path d="M190 304H323"/>
-  </g>
-
-  <g fill="#0C2F58">
-    <circle cx="189" cy="304" r="13"/>
-    <circle cx="256" cy="182" r="13"/>
-    <circle cx="323" cy="304" r="13"/>
-  </g>
-</svg>