alepha 0.14.4 → 0.15.1

package/src/core/providers/SchemaValidator.spec.ts

@@ -0,0 +1,236 @@
+import { Alepha, t } from "alepha";
+import { describe, test } from "vitest";
+import { SchemaValidator } from "./SchemaValidator.ts";
+
+describe("SchemaValidator", () => {
+  describe("Basic validation", () => {
+    test("should validate simple objects", async ({ expect }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        name: t.text(),
+        age: t.integer(),
+      });
+
+      const data = {
+        name: "Alice",
+        age: 30,
+      };
+
+      const result = validator.validate(schema, data);
+      expect(result).toEqual(data);
+    });
+
+    test("should trim strings when schema has trim option", async ({
+      expect,
+    }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        name: t.text({ trim: true }),
+      });
+
+      const data = {
+        name: "  Alice  ",
+      };
+
+      const result = validator.validate(schema, data);
+      expect(result.name).toBe("Alice");
+    });
+
+    test("should convert null to undefined for non-nullable fields", async ({
+      expect,
+    }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        name: t.text(),
+        bio: t.optional(t.text()),
+      });
+
+      const data = {
+        name: "Alice",
+        bio: null,
+      };
+
+      const result = validator.validate(schema, data);
+      expect(result.name).toBe("Alice");
+      expect(result.bio).toBeUndefined();
+    });
+  });
+
+  describe("Security - Prototype Pollution Protection", () => {
+    test("should filter out __proto__ key from input data", async ({
+      expect,
+    }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        name: t.text(),
+      });
+
+      // Input data with __proto__ key via JSON.parse (bypasses literal protection)
+      const data = JSON.parse('{"name":"Alice","__proto__":{"isAdmin":true}}');
+
+      const result = validator.validate(schema, data);
+
+      // __proto__ should not be an own property in the result
+      expect(result.name).toBe("Alice");
+      // Using hasOwnProperty because 'in' operator has special behavior for __proto__
+      expect(Object.hasOwn(result, "__proto__")).toBe(false);
+    });
+
+    test("should filter out constructor key from input data", async ({
+      expect,
+    }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        name: t.text(),
+      });
+
+      const data = {
+        name: "Alice",
+        constructor: { prototype: { isAdmin: true } },
+      };
+
+      const result = validator.validate(schema, data);
+
+      expect(result.name).toBe("Alice");
+      expect(Object.hasOwn(result, "constructor")).toBe(false);
+    });
+
+    test("should filter out prototype key from input data", async ({
+      expect,
+    }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        name: t.text(),
+      });
+
+      const data = {
+        name: "Alice",
+        prototype: { isAdmin: true },
+      };
+
+      const result = validator.validate(schema, data);
+
+      expect(result.name).toBe("Alice");
+      expect(Object.hasOwn(result, "prototype")).toBe(false);
+    });
+
+    test("should filter unsafe keys from nested objects", async ({
+      expect,
+    }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        user: t.object({
+          name: t.text(),
+        }),
+      });
+
+      const data = {
+        user: {
+          name: "Alice",
+          __proto__: { isAdmin: true },
+        },
+      };
+
+      const result = validator.validate(schema, data);
+
+      expect(result.user.name).toBe("Alice");
+      expect(Object.hasOwn(result.user, "__proto__")).toBe(false);
+    });
+
+    test("should not pollute Object.prototype", async ({ expect }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        name: t.text(),
+      });
+
+      // Attempt to pollute Object.prototype via __proto__
+      const maliciousData = JSON.parse(
+        '{"name":"Alice","__proto__":{"polluted":"yes"}}',
+      );
+
+      validator.validate(schema, maliciousData);
+
+      // Object.prototype should not be polluted
+      expect(({} as any).polluted).toBeUndefined();
+    });
+
+    test("should create objects without prototype chain", async ({
+      expect,
+    }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        name: t.text(),
+      });
+
+      const data = {
+        name: "Alice",
+      };
+
+      const result = validator.validate(schema, data);
+
+      // The result should not have Object.prototype methods directly accessible
+      // via hasOwnProperty (it should use Object.create(null))
+      expect(result.name).toBe("Alice");
+    });
+  });
+
+  describe("beforeParse", () => {
+    test("should handle arrays correctly", async ({ expect }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        tags: t.array(t.text({ trim: true })),
+      });
+
+      const data = {
+        tags: ["  tag1  ", "  tag2  "],
+      };
+
+      const result = validator.validate(schema, data);
+      expect(result.tags).toEqual(["tag1", "tag2"]);
+    });
+
+    test("should delete undefined values when option is enabled", async ({
+      expect,
+    }) => {
+      const alepha = Alepha.create();
+      const validator = alepha.inject(SchemaValidator);
+
+      const schema = t.object({
+        name: t.text(),
+        bio: t.optional(t.text()),
+      });
+
+      const data = {
+        name: "Alice",
+        bio: undefined,
+      };
+
+      const result = validator.validate(schema, data, {
+        deleteUndefined: true,
+      });
+
+      expect(result.name).toBe("Alice");
+      expect("bio" in result).toBe(false);
+    });
+  });
+});

package/src/core/providers/StateManager.spec.ts

@@ -209,12 +209,16 @@ describe("StateManager", () => {
     });
 
     it("should set values in ALS when context exists", async () => {
-      const store: any = { context: "test-context" };
-      alepha.context.run(() => {
-        stateManager.set("name", "ALS Value");
-      }, store);
+      // Note: AlsProvider spreads the store object, so we check values inside the callback
+      const result = alepha.context.run(
+        () => {
+          stateManager.set("name", "ALS Value");
+          return stateManager.get("name");
+        },
+        { context: "test-context" },
+      );
 
-      expect(store.name).toBe("ALS Value");
+      expect(result).toBe("ALS Value");
     });
 
     it("should set values in local store when no ALS context", () => {
@@ -267,14 +271,16 @@ describe("StateManager", () => {
       stateManager.set("name", "Local Value");
 
       // In ALS context, ALS values should take priority
-      const store: any = { context: "test-context" };
-      const result = alepha.context.run(() => {
-        stateManager.set("name", "ALS Priority");
-        return stateManager.get("name");
-      }, store);
+      // Note: AlsProvider spreads the store object, so we check values inside the callback
+      const result = alepha.context.run(
+        () => {
+          stateManager.set("name", "ALS Priority");
+          return stateManager.get("name");
+        },
+        { context: "test-context" },
+      );
 
       expect(result).toBe("ALS Priority");
-      expect(store.name).toBe("ALS Priority");
     });
 
     it("should not skip event emission when values are the same", async () => {
@@ -291,12 +297,17 @@ describe("StateManager", () => {
     });
 
     it("should delete values from ALS when context exists", async () => {
-      const store = { name: "To Delete", context: "test-context" };
-      alepha.context.run(() => {
-        stateManager.del("name");
-      }, store);
+      // Note: AlsProvider spreads the store object, so we check values inside the callback
+      const result = alepha.context.run(
+        () => {
+          stateManager.set("name", "To Delete");
+          stateManager.del("name");
+          return stateManager.get("name");
+        },
+        { context: "test-context" },
+      );
 
-      expect(store.name).toBeUndefined();
+      expect(result).toBeUndefined();
     });
 
     it("should clear only local store, not ALS", async () => {

package/src/email/providers/LocalEmailProvider.spec.ts

@@ -1,42 +1,27 @@
-import * as fs from "node:fs/promises";
-import * as path from "node:path";
+import { Alepha } from "alepha";
+import { FileSystemProvider, MemoryFileSystemProvider } from "alepha/file";
 import { beforeEach, describe, expect, test, vi } from "vitest";
 import { EmailError } from "../errors/EmailError.ts";
-import { LocalEmailProvider } from "../providers/LocalEmailProvider.ts";
+import {
+  LocalEmailProvider,
+  localEmailOptions,
+} from "../providers/LocalEmailProvider.ts";
 
-// Mock fs and path modules
-vi.mock("node:fs/promises");
-vi.mock("node:path");
+// ---------------------------------------------------------------------------------------------------------------------
 
-// Mock logger
-vi.mock("alepha/logger", () => ({
-  $logger: () => ({
-    debug: vi.fn(),
-    info: vi.fn(),
-    error: vi.fn(),
-  }),
-}));
-
-const mockedFs = vi.mocked(fs);
-const mockedPath = vi.mocked(path);
+const DEFAULT_DIRECTORY = localEmailOptions.options.default.directory;
 
 describe("LocalEmailProvider", () => {
-  let provider: LocalEmailProvider;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    // Setup default path.join mock
-    mockedPath.join.mockImplementation((...args) => args.join("/"));
-  });
-
   describe("send", () => {
-    beforeEach(() => {
-      provider = new LocalEmailProvider({ directory: "test-emails" });
-    });
-
     test("should successfully send email to local file", async () => {
-      mockedFs.mkdir.mockResolvedValue(undefined);
-      mockedFs.writeFile.mockResolvedValue();
+      const alepha = Alepha.create().with({
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      });
+
+      const provider = alepha.inject(LocalEmailProvider);
+      const memoryFs = alepha.inject(MemoryFileSystemProvider);
+      await alepha.start();
 
       const to = "test@example.com";
       const subject = "Test Subject";
@@ -48,19 +33,20 @@ describe("LocalEmailProvider", () => {
         body,
       });
 
-      expect(mockedFs.mkdir).toHaveBeenCalledWith("test-emails", {
-        recursive: true,
-      });
-      expect(mockedFs.writeFile).toHaveBeenCalledWith(
-        expect.stringContaining("test@example.com"),
-        expect.stringContaining(subject),
-        "utf8",
-      );
+      expect(memoryFs.writeFileCalls).toHaveLength(1);
+      expect(memoryFs.writeFileCalls[0].path).toContain("test@example.com");
+      expect(memoryFs.writeFileCalls[0].data).toContain(subject);
     });
 
     test("should create proper filename with sanitized email and timestamp", async () => {
-      mockedFs.mkdir.mockResolvedValue(undefined);
-      mockedFs.writeFile.mockResolvedValue();
+      const alepha = Alepha.create().with({
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      });
+
+      const provider = alepha.inject(LocalEmailProvider);
+      const memoryFs = alepha.inject(MemoryFileSystemProvider);
+      await alepha.start();
 
       const to = "user+test@example.com";
       const subject = "Test Subject";
@@ -76,17 +62,24 @@ describe("LocalEmailProvider", () => {
         body,
       });
 
-      expect(mockedPath.join).toHaveBeenCalledWith(
-        "test-emails",
+      expect(memoryFs.joinCalls).toHaveLength(1);
+      expect(memoryFs.joinCalls[0]).toEqual([
+        DEFAULT_DIRECTORY,
         "user_test@example.com+2023-01-01T12-00-00-000Z.html",
-      );
+      ]);
 
       vi.useRealTimers();
     });
 
     test("should sanitize special characters in email address", async () => {
-      mockedFs.mkdir.mockResolvedValue(undefined);
-      mockedFs.writeFile.mockResolvedValue();
+      const alepha = Alepha.create().with({
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      });
+
+      const provider = alepha.inject(LocalEmailProvider);
+      const memoryFs = alepha.inject(MemoryFileSystemProvider);
+      await alepha.start();
 
       const to = "user<script>@example.com";
       const subject = "Test Subject";
@@ -98,15 +91,21 @@ describe("LocalEmailProvider", () => {
         body,
       });
 
-      expect(mockedPath.join).toHaveBeenCalledWith(
-        "test-emails",
-        expect.stringMatching(/user_script_@example\.com\+.+\.html/),
+      expect(memoryFs.joinCalls).toHaveLength(1);
+      expect(memoryFs.joinCalls[0][1]).toMatch(
+        /user_script_@example\.com\+.+\.html/,
       );
     });
 
     test("should create proper HTML content", async () => {
-      mockedFs.mkdir.mockResolvedValue(undefined);
-      mockedFs.writeFile.mockResolvedValue();
+      const alepha = Alepha.create().with({
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      });
+
+      const provider = alepha.inject(LocalEmailProvider);
+      const memoryFs = alepha.inject(MemoryFileSystemProvider);
+      await alepha.start();
 
       const to = "test@example.com";
       const subject = "Test <Subject>";
@@ -118,8 +117,7 @@ describe("LocalEmailProvider", () => {
         body,
       });
 
-      const writeCall = mockedFs.writeFile.mock.calls[0];
-      const htmlContent = writeCall[1] as string;
+      const htmlContent = memoryFs.writeFileCalls[0].data;
 
       expect(htmlContent).toContain("<!DOCTYPE html>");
       expect(htmlContent).toContain("Test &lt;Subject&gt;"); // escaped subject
@@ -130,36 +128,17 @@ describe("LocalEmailProvider", () => {
       expect(htmlContent).toContain("Sent:");
     });
 
-    test("should throw EmailError when mkdir fails", async () => {
-      const mkdirError = new Error("Permission denied");
-      mockedFs.mkdir.mockRejectedValue(mkdirError);
-
-      const to = "test@example.com";
-      const subject = "Test Subject";
-      const body = "<p>Test body</p>";
+    test("should throw EmailError when writeFile fails", async () => {
+      const alepha = Alepha.create().with({
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      });
 
-      await expect(
-        provider.send({
-          to,
-          subject,
-          body,
-        }),
-      ).rejects.toThrow(EmailError);
-      await expect(
-        provider.send({
-          to,
-          subject,
-          body,
-        }),
-      ).rejects.toThrow(
-        "Failed to save email to local file: Permission denied",
-      );
-    });
+      const provider = alepha.inject(LocalEmailProvider);
+      const memoryFs = alepha.inject(MemoryFileSystemProvider);
+      await alepha.start();
 
-    test("should throw EmailError when writeFile fails", async () => {
-      mockedFs.mkdir.mockResolvedValue(undefined);
-      const writeError = new Error("Disk full");
-      mockedFs.writeFile.mockRejectedValue(writeError);
+      memoryFs.writeFileError = new Error("Disk full");
 
       const to = "test@example.com";
       const subject = "Test Subject";
@@ -172,6 +151,7 @@ describe("LocalEmailProvider", () => {
           body,
         }),
       ).rejects.toThrow(EmailError);
+
       await expect(
         provider.send({
           to,
@@ -182,8 +162,16 @@ describe("LocalEmailProvider", () => {
     });
 
     test("should handle non-Error exceptions", async () => {
-      mockedFs.mkdir.mockResolvedValue(undefined);
-      mockedFs.writeFile.mockRejectedValue("String error");
+      const alepha = Alepha.create().with({
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      });
+
+      const provider = alepha.inject(LocalEmailProvider);
+      const memoryFs = alepha.inject(MemoryFileSystemProvider);
+      await alepha.start();
+
+      memoryFs.writeFileError = "String error" as unknown as Error;
 
       const to = "test@example.com";
       const subject = "Test Subject";
@@ -196,6 +184,7 @@ describe("LocalEmailProvider", () => {
           body,
         }),
       ).rejects.toThrow(EmailError);
+
       await expect(
         provider.send({
           to,
@@ -204,11 +193,39 @@ describe("LocalEmailProvider", () => {
         }),
       ).rejects.toThrow("Failed to save email to local file: String error");
     });
+
+    test("should handle multiple recipients", async () => {
+      const alepha = Alepha.create().with({
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      });
+
+      const provider = alepha.inject(LocalEmailProvider);
+      const memoryFs = alepha.inject(MemoryFileSystemProvider);
+      await alepha.start();
+
+      await provider.send({
+        to: ["user1@example.com", "user2@example.com"],
+        subject: "Broadcast",
+        body: "<p>Hello all</p>",
+      });
+
+      expect(memoryFs.writeFileCalls).toHaveLength(2);
+      expect(memoryFs.writeFileCalls[0].path).toContain("user1@example.com");
+      expect(memoryFs.writeFileCalls[1].path).toContain("user2@example.com");
+    });
   });
 
   describe("createEmailHtml", () => {
-    beforeEach(() => {
-      provider = new LocalEmailProvider();
+    let provider: LocalEmailProvider;
+
+    beforeEach(async () => {
+      const alepha = Alepha.create().with({
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      });
+      provider = alepha.inject(LocalEmailProvider);
+      await alepha.start();
     });
 
     test("should create proper HTML structure", () => {
@@ -290,8 +307,15 @@ describe("LocalEmailProvider", () => {
   });
 
   describe("escapeHtml", () => {
-    beforeEach(() => {
-      provider = new LocalEmailProvider();
+    let provider: LocalEmailProvider;
+
+    beforeEach(async () => {
+      const alepha = Alepha.create().with({
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      });
+      provider = alepha.inject(LocalEmailProvider);
+      await alepha.start();
     });
 
     test("should escape ampersands", () => {