aegisnode 0.0.3 → 0.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aegisnode",
-  "version": "0.0.3",
+  "version": "0.0.4",
   "description": "A view-first Node.js framework for modular web apps and JSON APIs with CLI scaffolding, runtime injection, auth, uploads, i18n, mail, and WebSocket support.",
   "type": "module",
   "main": "./src/index.js",

package/scripts/smoke-test.js

@@ -10,6 +10,7 @@ import { createApp } from '../src/cli/commands/createapp.js';
 import { generateArtifact } from '../src/cli/commands/generate.js';
 import { createKernel } from '../src/runtime/kernel.js';
 import { runServer } from '../src/cli/commands/runserver.js';
+import { runGenerateLoader } from '../src/cli/commands/generateloader.js';
 import { runProject } from '../src/index.js';
 import { createAuthManager, normalizeAuthConfig } from '../src/runtime/auth.js';
 import { loadProjectConfig } from '../src/runtime/config.js';
@@ -137,8 +138,10 @@ async function main() {
   await startProject({ projectName, cwd: sandboxRoot });
   const generatedProjectEnv = await fs.readFile(path.join(projectRoot, '.env'), 'utf8');
   assert.match(generatedProjectEnv, /^APP_SECRET=.{16,}$/m);
+  const generatedAppSecret = generatedProjectEnv.match(/^APP_SECRET=(.+)$/m)?.[1]?.trim();
+  assert.ok(generatedAppSecret);
   const generatedSettings = await fs.readFile(path.join(projectRoot, 'settings.js'), 'utf8');
-  assert.match(generatedSettings, /appSecret:\s*process\.env\.APP_SECRET\s*\|\|\s*''/);
+  assert.ok(generatedSettings.includes(`appSecret: process.env.APP_SECRET || ${JSON.stringify(generatedAppSecret)}`));
   await assert.rejects(
     () => runProject({
       rootDir: projectRoot,
@@ -404,6 +407,74 @@ dkcqnJD4SGWVeG+KhA==
     await fs.access(filePath);
   }
 
+  await fs.unlink(path.join(projectRoot, 'app.js'));
+  await fs.unlink(path.join(projectRoot, 'loader.cjs'));
+  const restoredStartupEntries = await runGenerateLoader({
+    projectRoot,
+    output: {
+      log() {},
+    },
+  });
+  assert.equal(restoredStartupEntries.createdApp, true);
+  assert.equal(restoredStartupEntries.createdLoader, true);
+  await fs.access(path.join(projectRoot, 'app.js'));
+  await fs.access(path.join(projectRoot, 'loader.cjs'));
+
+  await fs.writeFile(
+    path.join(envProjectRoot, 'settings.js'),
+    `export default {
+  appName: 'envdemo',
+  env: 'production',
+  logging: {
+    level: 'info',
+  },
+  security: {
+    appSecret: process.env.APP_SECRET || '',
+    ddos: {
+      maxRequests: 120,
+    },
+  },
+  environments: {
+    default: {
+      security: {
+        ddos: {
+          windowMs: 45000,
+        },
+      },
+    },
+    production: {
+      logging: { level: 'warn' },
+      security: { ddos: { maxRequests: 80 } },
+    },
+  },
+};
+`,
+    'utf8',
+  );
+  await fs.unlink(path.join(envProjectRoot, 'loader.cjs'));
+  const missingLoaderDoctorReport = await runDoctor({
+    projectRoot: envProjectRoot,
+    failOnError: false,
+    output: {
+      log() {},
+    },
+  });
+  assert.equal(missingLoaderDoctorReport.summary.errors, 1);
+  assert.ok(
+    missingLoaderDoctorReport.entries.some((entry) => (
+      entry.level === 'ERROR'
+      && /loader\.cjs is missing for production startup/.test(entry.message)
+    )),
+  );
+  const restoredProductionLoader = await runGenerateLoader({
+    projectRoot: envProjectRoot,
+    output: {
+      log() {},
+    },
+  });
+  assert.equal(restoredProductionLoader.createdLoader, true);
+  await fs.access(path.join(envProjectRoot, 'loader.cjs'));
+
   const registryPackages = new Map([
     ['alpha', '2.0.0'],
     ['@scope/bravo', '3.4.0'],
@@ -1288,7 +1359,7 @@ export default {
   );
   await fs.writeFile(
     path.join(projectRoot, 'routes.js'),
-    `export default {\n  register(route) {\n    route.get('/csrf-token', (req, res) => {\n      res.json({ token: req.csrfToken() });\n    });\n\n    route.get('/csrf-form', (req, res) => {\n      return res.render('csrf-form', { layout: false });\n    });\n\n    route.post('/submit', (req, res) => {\n      res.json({ ok: true, body: req.body || {} });\n    });\n  },\n};\n`,
+    `export default {\n  register(route) {\n    route.get('/csrf-token', (req, res) => {\n      res.json({ token: req.csrfToken() });\n    });\n\n    route.get('/csrf-form', (req, res) => {\n      return res.render('csrf-form', { layout: false });\n    });\n\n    route.post('/submit', (req, res) => {\n      res.json({ ok: true, body: req.body || {} });\n    });\n\n    route.post('/submit-upload', route.upload.none(), (req, res) => {\n      res.json({ ok: true, body: req.body || {} });\n    });\n  },\n};\n`,
     'utf8',
   );
 
@@ -1361,6 +1432,32 @@ export default {
   assert.equal(validJsonTokenJson.ok, true);
   assert.equal(validJsonTokenJson.body.name, 'json-with-token');
 
+  const missingMultipartTokenBody = new FormData();
+  missingMultipartTokenBody.set('name', 'multipart-without-token');
+  const missingMultipartTokenResponse = await fetch(`http://127.0.0.1:${csrfPort}/submit-upload`, {
+    method: 'POST',
+    headers: {
+      cookie: csrfCookie,
+    },
+    body: missingMultipartTokenBody,
+  });
+  assert.equal(missingMultipartTokenResponse.status, 403);
+
+  const validMultipartTokenBody = new FormData();
+  validMultipartTokenBody.set('_csrf', csrfTokenJson.token);
+  validMultipartTokenBody.set('name', 'multipart-with-token');
+  const validMultipartTokenResponse = await fetch(`http://127.0.0.1:${csrfPort}/submit-upload`, {
+    method: 'POST',
+    headers: {
+      cookie: csrfCookie,
+    },
+    body: validMultipartTokenBody,
+  });
+  assert.equal(validMultipartTokenResponse.status, 200);
+  const validMultipartTokenJson = await validMultipartTokenResponse.json();
+  assert.equal(validMultipartTokenJson.ok, true);
+  assert.equal(validMultipartTokenJson.body.name, 'multipart-with-token');
+
   const csrfFormResponse = await fetch(`http://127.0.0.1:${csrfPort}/csrf-form`, {
     headers: {
       cookie: csrfCookie,

package/src/cli/commands/doctor.js

@@ -70,6 +70,30 @@ async function runAppChecks(rootDir, config, collector) {
   }
 }
 
+async function runStartupEntryChecks(rootDir, config, collector) {
+  const env = String(config.env || process.env.NODE_ENV || 'development').trim().toLowerCase();
+  const appEntryPath = path.join(rootDir, 'app.js');
+  const loaderEntryPath = path.join(rootDir, 'loader.cjs');
+  const appEntryExists = await fileExists(appEntryPath);
+  const loaderEntryExists = await fileExists(loaderEntryPath);
+
+  if (appEntryExists) {
+    collector.ok('app.js exists.');
+  } else if (env === 'production') {
+    collector.error('app.js is missing for production startup. Run "aegisnode generateloader" to restore startup entry files.');
+  } else {
+    collector.warn('app.js is missing. Run "aegisnode generateloader" to restore startup entry files.');
+  }
+
+  if (loaderEntryExists) {
+    collector.ok('loader.cjs exists.');
+  } else if (env === 'production') {
+    collector.error('loader.cjs is missing for production startup. Run "aegisnode generateloader" to restore it.');
+  } else {
+    collector.warn('loader.cjs is missing. Generate it with "aegisnode generateloader" before non-development startup.');
+  }
+}
+
 function runSecurityChecks(config, collector) {
   const env = String(config.env || process.env.NODE_ENV || 'development');
   const security = config.security || {};
@@ -179,6 +203,7 @@ export async function runDoctor({
   collector.ok(`Environment: ${config.env || 'development'}`);
 
   await runAppChecks(resolvedRoot, config, collector);
+  await runStartupEntryChecks(resolvedRoot, config, collector);
   runSecurityChecks(config, collector);
   runAuthChecks(config, collector);
   runApiChecks(config, collector);

package/src/cli/commands/generateloader.js

@@ -0,0 +1,37 @@
+import path from 'path';
+import { exists, writeFile } from '../utils/fs.js';
+import { resolveProjectRoot } from '../utils/project.js';
+import { renderProjectAppJs, renderProjectLoaderCjs } from '../utils/scaffolds.js';
+
+async function ensureStartupFile(rootDir, fileName, content, output) {
+  const target = path.join(rootDir, fileName);
+  if (await exists(target)) {
+    output.log(`${fileName} already exists.`);
+    return false;
+  }
+
+  await writeFile(target, content);
+  output.log(`Generated ${fileName}.`);
+  return true;
+}
+
+export async function runGenerateLoader({
+  projectRoot,
+  output = console,
+} = {}) {
+  const resolvedRoot = await resolveProjectRoot(projectRoot || process.cwd());
+  const createdApp = await ensureStartupFile(resolvedRoot, 'app.js', renderProjectAppJs(), output);
+  const createdLoader = await ensureStartupFile(resolvedRoot, 'loader.cjs', renderProjectLoaderCjs(), output);
+
+  if (!createdApp && !createdLoader) {
+    output.log(`Startup entry files already exist in ${resolvedRoot}`);
+  } else {
+    output.log(`Startup entry files are ready in ${resolvedRoot}`);
+  }
+
+  return {
+    rootDir: resolvedRoot,
+    createdApp,
+    createdLoader,
+  };
+}

package/src/cli/commands/startproject.js

@@ -53,7 +53,7 @@ async function createBaseProjectFiles(projectRoot, projectName) {
   await writeFile(path.join(projectRoot, '.env'), renderProjectEnv(appSecret));
   await writeFile(path.join(projectRoot, '.env.example'), renderEnvExample());
 
-  await writeFile(path.join(projectRoot, 'settings.js'), renderProjectSettings(projectName, apps));
+  await writeFile(path.join(projectRoot, 'settings.js'), renderProjectSettings(projectName, apps, appSecret));
   await writeFile(path.join(projectRoot, 'routes.js'), renderProjectRoutes());
 }
 

package/src/cli/index.js

@@ -4,6 +4,7 @@ import { runServer } from './commands/runserver.js';
 import { generateArtifact } from './commands/generate.js';
 import { runDoctor } from './commands/doctor.js';
 import { runUpdateDependencies } from './commands/updatedeps.js';
+import { runGenerateLoader } from './commands/generateloader.js';
 
 function printHelp() {
   console.log(`AegisNode CLI
@@ -13,6 +14,7 @@ Usage:
   aegisnode createapp <app-name> [--project <path>] [--mount </path>]
   aegisnode generate <type> <name> --app <app-name> [--project <path>]
   aegisnode runserver [--project <path>] [--port <number>]
+  aegisnode generateloader [--project <path>]
   aegisnode doctor [--project <path>]
   aegisnode updatedeps [--project <path>]
 
@@ -24,6 +26,7 @@ Examples:
   aegisnode createapp users
   aegisnode generate view user --app users
   aegisnode generate validator user --app users
+  aegisnode generateloader --project blog
   aegisnode updatedeps --project blog
 `);
 }
@@ -126,6 +129,14 @@ export async function runCli(argv) {
       return;
     }
 
+    case 'generateloader':
+    case 'loader': {
+      await runGenerateLoader({
+        projectRoot: flags.project ? String(flags.project) : process.cwd(),
+      });
+      return;
+    }
+
     case 'updatedeps': {
       await runUpdateDependencies({
         projectRoot: flags.project ? String(flags.project) : process.cwd(),

package/src/cli/utils/scaffolds.js

@@ -53,7 +53,7 @@ export function renderProjectLoaderCjs() {
 `;
 }
 
-export function renderProjectSettings(projectName, apps) {
+export function renderProjectSettings(projectName, apps, appSecret = '') {
   return `export default {
   appName: '${projectName}',
   env: process.env.NODE_ENV || 'development',
@@ -61,8 +61,9 @@ export function renderProjectSettings(projectName, apps) {
   port: process.env.PORT ? Number(process.env.PORT) : 3000,
   trustProxy: false,
   security: {
-    // Loaded from .env by default. Replace or rotate APP_SECRET in production.
-    appSecret: process.env.APP_SECRET || '',
+    // Loaded from .env by default. Scaffold also embeds the generated secret as a fallback.
+    // Replace or rotate APP_SECRET in production.
+    appSecret: process.env.APP_SECRET || ${JSON.stringify(appSecret)},
   },
   logging: {
     level: process.env.LOG_LEVEL || 'info',

package/src/runtime/kernel.js

@@ -3148,6 +3148,16 @@ function attachCsrfProtection(expressApp, config, logger, auth = null) {
     }
 
     const provided = extractCsrfToken(req, csrfConfig);
+    if (!provided && isMultipartRequestContentType(req.headers?.['content-type'])) {
+      req.aegis = req.aegis || {};
+      req.aegis.csrf = {
+        deferredMultipart: true,
+        fieldName: csrfConfig.fieldName,
+        token,
+      };
+      return next();
+    }
+
     if (!provided || !constantTimeEqual(provided, token)) {
       return res.status(403).json({ error: 'CSRF token missing or invalid' });
     }

package/src/runtime/upload.js

@@ -120,6 +120,47 @@ function createUploadError(code, message, statusCode) {
   return error;
 }
 
+function constantTimeEqual(left, right) {
+  if (typeof left !== 'string' || typeof right !== 'string') {
+    return false;
+  }
+
+  const a = Buffer.from(left);
+  const b = Buffer.from(right);
+  if (a.length !== b.length) {
+    return false;
+  }
+
+  try {
+    return crypto.timingSafeEqual(a, b);
+  } catch {
+    return false;
+  }
+}
+
+function validateDeferredMultipartCsrf(req) {
+  const csrfState = req?.aegis?.csrf;
+  if (!csrfState || csrfState.deferredMultipart !== true) {
+    return null;
+  }
+
+  const expected = typeof csrfState.token === 'string' ? csrfState.token : '';
+  const fieldName = typeof csrfState.fieldName === 'string' && csrfState.fieldName.length > 0
+    ? csrfState.fieldName
+    : '_csrf';
+  const provided = req?.body && typeof req.body === 'object'
+    ? req.body[fieldName]
+    : '';
+
+  delete req.aegis.csrf;
+
+  if (!expected || typeof provided !== 'string' || !constantTimeEqual(provided, expected)) {
+    return createUploadError('AEGIS_CSRF_INVALID', 'CSRF token missing or invalid', 403);
+  }
+
+  return null;
+}
+
 function resolveUploadError(error) {
   if (!error) {
     return null;
@@ -207,6 +248,13 @@ function wrapUploadMiddleware(middleware) {
   return (req, res, next) => {
     middleware(req, res, (error) => {
       if (!error) {
+        const csrfError = validateDeferredMultipartCsrf(req);
+        if (csrfError) {
+          res.status(csrfError.statusCode || 403).json({
+            error: csrfError.message || 'CSRF token missing or invalid',
+          });
+          return;
+        }
         next();
         return;
       }