aiplang 2.5.0 → 2.6.0

package/bin/aiplang.js

@@ -5,7 +5,7 @@ const fs   = require('fs')
 const path = require('path')
 const http = require('http')
 
-const VERSION     = '2.5.0'
+const VERSION     = '2.6.0'
 const RUNTIME_DIR = path.join(__dirname, '..', 'runtime')
 const cmd         = process.argv[2]
 const args        = process.argv.slice(3)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aiplang",
-  "version": "2.5.0",
+  "version": "2.6.0",
   "description": "AI-first full-stack language. Frontend + Backend + DB + Auth in one file. Competes with Laravel.",
   "keywords": [
     "aiplang",

package/runtime/aiplang-hydrate.js

@@ -77,7 +77,27 @@ function applyAction(data, target, action) {
     const pm = action.match(/^@([a-zA-Z_]+)\.push\(\$result\)$/)
     if (pm) { set(pm[1], [...(get(pm[1]) || []), data]); return }
     const fm = action.match(/^@([a-zA-Z_]+)\.filter\((.+)\)$/)
-    if (fm) { try { set(fm[1], (get(fm[1])||[]).filter(new Function('item', `return (${fm[2]})(item)`))) } catch {} return }
+    if (fm) {
+      // Safe filter: @list.filter(item.status=active) style — no eval/new Function
+      try {
+        const expr = fm[2].trim()
+        const filtered = (get(fm[1]) || []).filter(item => {
+          // Support simple: field=value or field!=value
+          const eq = expr.match(/^([a-zA-Z_.]+)\s*(!?=)\s*(.+)$/)
+          if (eq) {
+            const [, field, op, val] = eq
+            const parts = field.split('.')
+            let v = item
+            for (const p of parts) v = v?.[p]
+            const strV = String(v ?? '')
+            return op === '!=' ? strV !== val.trim() : strV === val.trim()
+          }
+          return true
+        })
+        set(fm[1], filtered)
+      } catch {}
+      return
+    }
     const am = action.match(/^@([a-zA-Z_]+)\s*=\s*\$result$/)
     if (am) { set(am[1], data); return }
   }

package/server/server.js

@@ -53,6 +53,14 @@ const ic    = n => ({bolt:'⚡',rocket:'🚀',shield:'🛡',chart:'📊',star:'
 
 // ── JWT ───────────────────────────────────────────────────────────
 let JWT_SECRET = process.env.JWT_SECRET || 'aiplang-secret-dev'
+// Warn loudly if using dev secret in what looks like production
+if (!process.env.JWT_SECRET) {
+  if (process.env.NODE_ENV === 'production') {
+    console.error('[aiplang] FATAL: JWT_SECRET not set in production. Set JWT_SECRET env var.')
+    process.exit(1)
+  }
+  console.warn('[aiplang] WARNING: JWT_SECRET not set. Using insecure dev default. Set JWT_SECRET in .env')
+}
 let JWT_EXPIRE = '7d'
 const generateJWT = (user) => jwt.sign({ id: user.id, email: user.email, role: user.role || 'user' }, JWT_SECRET, { expiresIn: JWT_EXPIRE })
 const verifyJWT   = (token) => { try { return jwt.verify(token, JWT_SECRET) } catch { return null } }
@@ -103,7 +111,7 @@ async function sendMail(opts) {
     return { messageId: 'mock-' + uuid() }
   }
   return MAIL_TRANSPORTER.sendMail({
-    from: MAIL_CONFIG?.from || 'noreply@aiplang.app',
+    from: MAIL_CONFIG?.from || process.env.MAIL_FROM || 'noreply@localhost',
     ...opts
   })
 }
@@ -638,7 +646,7 @@ function resolveVar(expr, ctx) {
 }
 function evalMath(expr,ctx){try{const r=expr.replace(/\$[\w.]+/g,m=>resolveVar(m,ctx)||0);return Function('"use strict";return('+r+')')()}catch{return 0}}
 function sanitize(o){if(!o)return o;const s={...o};delete s.password;return s}
-function resolveEnv(v){if(!v)return v;if(v.startsWith('$'))return process.env[v.slice(1)]||v;return v}
+function resolveEnv(v){if(!v)return v;if(v.startsWith('$'))return process.env[v.slice(1)]||null;return v}
 
 // ═══════════════════════════════════════════════════════════════════
 // AUTO ADMIN PANEL
@@ -744,9 +752,13 @@ td{padding:.875rem 1.25rem;border-bottom:1px solid rgba(255,255,255,.04);color:#
 </div>
 <script>
 const prefix = '${prefix}'
-const token = localStorage.getItem('admin_token') || ''
+// Token from cookie (set by login) or fallback to localStorage for compat
+function getAdminToken() {
+  const cookie = document.cookie.split(';').map(c=>c.trim()).find(c=>c.startsWith('aiplang_admin='))
+  return cookie ? cookie.split('=')[1] : (localStorage.getItem('admin_token') || '')
+}
 async function api(method, path, body) {
-  const r = await fetch(prefix + '/api' + path, {method, headers:{'Content-Type':'application/json','Authorization':'Bearer '+token},body:body?JSON.stringify(body):undefined})
+  const r = await fetch(prefix + '/api' + path, {method, headers:{'Content-Type':'application/json','Authorization':'Bearer '+getAdminToken()},body:body?JSON.stringify(body):undefined})
   return r.json()
 }
 async function loadModel(name, page=1) {
@@ -784,7 +796,11 @@ function renderAdminLogin(prefix) {
 async function login(){
   const r=await fetch('/api/auth/login',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({email:document.getElementById('email').value,password:document.getElementById('pass').value})})
   const d=await r.json()
-  if(d.token){localStorage.setItem('admin_token',d.token);location.href='${prefix}'}
+  if(d.token){
+    localStorage.setItem('admin_token',d.token);
+    document.cookie='aiplang_admin='+d.token+';path=/;SameSite=Strict;max-age=86400';
+    location.href='${prefix}'
+  }
   else document.getElementById('err').textContent=d.error||'Invalid credentials'
 }
 document.addEventListener('keydown',e=>{if(e.key==='Enter')login()})
@@ -804,8 +820,14 @@ class AiplangServer {
 
     // Multipart — don't pre-parse, let S3 upload handler do it
     const isMultipart = (req.headers['content-type'] || '').includes('multipart/form-data')
-    if (req.method !== 'GET' && req.method !== 'DELETE' && !isMultipart) req.body = await parseBody(req)
-    else if (!isMultipart) req.body = {}
+    const hasJsonCT = (req.headers['content-type'] || '').includes('application/json')
+    if (req.method !== 'GET' && req.method !== 'DELETE' && !isMultipart) {
+      req.body = await parseBody(req)
+      if (req.body.__tooBig) {
+        res.writeHead(413, { 'Content-Type': 'application/json' })
+        res.end(JSON.stringify({ error: 'Request body too large' })); return
+      }
+    } else if (!isMultipart) req.body = {}
 
     const parsed = url.parse(req.url, true)
     req.query = parsed.query; req.path = parsed.pathname
@@ -825,6 +847,11 @@ class AiplangServer {
     // CORS — use plugin config if set, otherwise allow all
     const origins = this._corsOrigins || ['*']
     const origin = req.headers['origin'] || ''
+    // Warn once if using wildcard CORS in production
+    if (origins.includes('*') && process.env.NODE_ENV === 'production' && !this._corsWarned) {
+      this._corsWarned = true
+      console.warn('[aiplang] WARNING: CORS is set to * (allow all origins). Use ~use cors origins=https://yourdomain.com in production')
+    }
     const allowOrigin = origins.includes('*') ? '*' : (origins.includes(origin) ? origin : origins[0])
     res.setHeader('Access-Control-Allow-Origin', allowOrigin)
     res.setHeader('Access-Control-Allow-Methods','GET,POST,PUT,PATCH,DELETE,OPTIONS')
@@ -865,8 +892,25 @@ function matchRoute(pattern, reqPath) {
   return params
 }
 function extractToken(req) { const a=req.headers.authorization; return a?.startsWith('Bearer ')?a.slice(7):null }
+const MAX_BODY_BYTES = parseInt(process.env.MAX_BODY_BYTES || '1048576') // 1MB default
 async function parseBody(req) {
-  return new Promise(r=>{let d='';req.on('data',c=>d+=c);req.on('end',()=>{try{r(JSON.parse(d))}catch{r({})}});req.on('error',()=>r({}))})
+  return new Promise((resolve) => {
+    const chunks = []
+    let size = 0, done = false
+    req.on('data', chunk => {
+      if (done) return
+      size += chunk.length
+      if (size > MAX_BODY_BYTES) { done = true; resolve({ __tooBig: true }); return }
+      chunks.push(chunk)
+    })
+    req.on('end', () => {
+      if (done) return
+      done = true
+      try { resolve(JSON.parse(Buffer.concat(chunks).toString())) }
+      catch { resolve({}) }
+    })
+    req.on('error', () => { if (!done) { done = true; resolve({}) } })
+  })
 }
 
 // ═══════════════════════════════════════════════════════════════════
@@ -954,7 +998,7 @@ function setupS3(config) {
     endpoint: config.endpoint ? resolveEnv(config.endpoint) : null,
   }
 
-  const isMock = !S3_CONFIG.key || S3_CONFIG.key.startsWith('$') || S3_CONFIG.key.includes('mock')
+  const isMock = !S3_CONFIG.key || S3_CONFIG.key === null || S3_CONFIG.key.startsWith('$') || S3_CONFIG.key.includes('mock')
   if (isMock) {
     console.log('[aiplang] S3: mock mode (set AWS_ACCESS_KEY_ID for real storage)')
     S3_CLIENT = null
@@ -1289,6 +1333,19 @@ async function startServer(aipFile, port = 3000) {
   const app = parseApp(src)
   const srv = new AiplangServer()
 
+  // Validate required env vars up front
+  const missingEnvs = []
+  for (const envDef of app.env) {
+    if (envDef.required && !process.env[envDef.name]) {
+      missingEnvs.push(envDef.name)
+    }
+  }
+  if (missingEnvs.length) {
+    console.error(`[aiplang] FATAL: Missing required env vars: ${missingEnvs.join(', ')}`)
+    console.error('[aiplang] Set them in .env or export them before starting')
+    process.exit(1)
+  }
+
   // Auth setup
   if (app.auth) {
     JWT_SECRET = resolveEnv(app.auth.secret) || JWT_SECRET
@@ -1372,7 +1429,7 @@ async function startServer(aipFile, port = 3000) {
 
   // Health
   srv.addRoute('GET', '/health', (req, res) => res.json(200, {
-    status:'ok', version:'2.1.3',
+    status:'ok', version:'2.6.0',
     models: app.models.map(m=>m.name),
     routes: app.apis.length, pages: app.pages.length,
     admin: app.admin?.prefix || null,
@@ -1415,7 +1472,7 @@ function setupStripe(config) {
   STRIPE_CONFIG = config
   const key = resolveEnv(config.key) || ''
   // Use mock if key is placeholder, test/mock value, or SDK unavailable
-  const isMock = !key || key.startsWith('$') || key === 'sk_test_mock' || key.includes('mock')
+  const isMock = !key || key === null || key.startsWith('$') || key === 'sk_test_mock' || key.includes('mock')
   if (isMock) {
     console.log('[aiplang] Stripe: mock mode (set STRIPE_SECRET_KEY for real payments)')
     STRIPE = null // will use mockStripe()