create-fluxstack 1.18.0 → 1.18.1

package/app/server/live/rooms/ChatRoom.ts

@@ -2,7 +2,7 @@
 
 import { LiveRoom } from '@fluxstack/live'
 import type { RoomJoinContext, RoomLeaveContext } from '@fluxstack/live'
-import { createHash, timingSafeEqual } from 'crypto'
+import { createHash, randomBytes, timingSafeEqual } from 'crypto'
 
 export interface ChatMessage {
   id: string
@@ -33,15 +33,20 @@ export class ChatRoom extends LiveRoom<ChatState, ChatMeta, ChatEvents> {
   static defaultMeta: ChatMeta = { password: null, createdBy: null }
   static $options = { maxMembers: 100 }
 
-  /** Hash a password using SHA-256. */
+  /** Hash a password using SHA-256 with a random salt. Returns "salt:hash". */
   private static hashPassword(password: string): string {
-    return createHash('sha256').update(password).digest('hex')
+    const salt = randomBytes(16).toString('hex')
+    const hash = createHash('sha256').update(salt + password).digest('hex')
+    return salt + ':' + hash
   }
 
-  /** Constant-time comparison of two hex strings. */
-  private static safeCompare(a: string, b: string): boolean {
-    const bufA = Buffer.from(a, 'hex')
-    const bufB = Buffer.from(b, 'hex')
+  /** Verify a password against a stored "salt:hash" string using constant-time comparison. */
+  private static verifyPassword(password: string, stored: string): boolean {
+    const [salt, hash] = stored.split(':')
+    if (!salt || !hash) return false
+    const computed = createHash('sha256').update(salt + password).digest('hex')
+    const bufA = Buffer.from(computed, 'hex')
+    const bufB = Buffer.from(hash, 'hex')
     if (bufA.length !== bufB.length) return false
     return timingSafeEqual(bufA, bufB)
   }
@@ -56,7 +61,7 @@ export class ChatRoom extends LiveRoom<ChatState, ChatMeta, ChatEvents> {
     // Validate password if room is protected
     if (this.meta.password) {
       const provided = ctx.payload?.password
-      if (!provided || !ChatRoom.safeCompare(ChatRoom.hashPassword(provided), this.meta.password)) {
+      if (!provided || !ChatRoom.verifyPassword(provided, this.meta.password)) {
         return false // Rejected — wrong or missing password
       }
     }

package/app/server/routes/index.ts

@@ -3,6 +3,7 @@ import { usersRoutes } from "./users.routes"
 import { roomRoutes } from "./room.routes"
 import { authRoutes } from "./auth.routes"
 import { pluginClientHooks } from "@core/server/plugin-client-hooks"
+import { FLUXSTACK_VERSION } from "@core/utils/version"
 
 export const apiRoutes = new Elysia({ prefix: "/api" })
   .get("/", () => ({ message: "🔥 Hot Reload funcionando! FluxStack API v1.4.0 ⚡" }), {
@@ -15,24 +16,33 @@ export const apiRoutes = new Elysia({ prefix: "/api" })
       description: 'Returns a welcome message from the FluxStack API'
     }
   })
-  .get("/health", () => ({
-    status: "🚀 Hot Reload ativo!",
-    timestamp: new Date().toISOString(),
-    uptime: `${Math.floor(process.uptime())}s`,
-    version: "1.4.0",
-    environment: "development"
-  }), {
+  .get("/health", () => {
+    const checks = {
+      status: 'ok' as 'ok' | 'degraded' | 'error',
+      timestamp: new Date().toISOString(),
+      uptime: process.uptime(),
+      memory: {
+        used: Math.round(process.memoryUsage().heapUsed / 1024 / 1024),
+        total: Math.round(process.memoryUsage().heapTotal / 1024 / 1024),
+      },
+      version: FLUXSTACK_VERSION,
+    }
+    return checks
+  }, {
     response: t.Object({
       status: t.String(),
       timestamp: t.String(),
-      uptime: t.String(),
+      uptime: t.Number(),
+      memory: t.Object({
+        used: t.Number(),
+        total: t.Number(),
+      }),
       version: t.String(),
-      environment: t.String()
     }),
     detail: {
       tags: ['Health'],
       summary: 'Health Check',
-      description: 'Returns the current health status of the API server'
+      description: 'Returns the current health status of the API including uptime, memory usage, and version'
     }
   })
   // Plugin client hooks endpoint

package/core/framework/server.ts

@@ -157,6 +157,7 @@ export class FluxStackFramework {
     })
 
     this.setupCors()
+    this.setupSecurityHeaders()
     this.setupHeadHandler()
     this.setupElysiaHeadBugFilter()
     this.setupHooks()
@@ -233,6 +234,17 @@ export class FluxStackFramework {
       })
   }
 
+  private setupSecurityHeaders() {
+    // Security headers middleware — protects against common web vulnerabilities
+    this.app.onBeforeHandle(({ set }) => {
+      set.headers['X-Content-Type-Options'] = 'nosniff'
+      set.headers['X-Frame-Options'] = 'DENY'
+      set.headers['X-XSS-Protection'] = '0' // Deprecated, CSP is better
+      set.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
+      // CSP is intentionally not set here — apps should configure it per their needs
+    })
+  }
+
   private setupHeadHandler() {
     // Global HEAD handler to prevent Elysia's automatic HEAD conversion bug
     this.app.head("*", ({ request, set }) => {

package/core/utils/version.ts

@@ -3,4 +3,4 @@
  * Single source of truth for version number
  * Auto-synced with package.json
  */
-export const FLUXSTACK_VERSION = '1.18.0'
+export const FLUXSTACK_VERSION = '1.18.1'

package/package.json

@@ -1,107 +1,107 @@
-{
-  "name": "create-fluxstack",
-  "version": "1.18.0",
-  "description": "⚡ Revolutionary full-stack TypeScript framework with Declarative Config System, Elysia + React + Bun",
-  "keywords": [
-    "framework",
-    "full-stack",
-    "typescript",
-    "elysia",
-    "react",
-    "bun",
-    "vite"
-  ],
-  "author": "FluxStack Team",
-  "license": "MIT",
-  "homepage": "https://github.com/MarcosBrendonDePaula/FluxStack",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/MarcosBrendonDePaula/FluxStack.git"
-  },
-  "module": "app/server/index.ts",
-  "type": "module",
-  "bin": {
-    "create-fluxstack": "create-fluxstack.ts"
-  },
-  "scripts": {
-    "dev": "bun run core/cli/index.ts dev",
-    "dev:frontend": "bun run core/cli/index.ts dev --frontend-only",
-    "dev:backend": "bun run core/cli/index.ts dev --backend-only",
-    "build": "cross-env NODE_ENV=production bun run core/cli/index.ts build",
-    "build:frontend": "cross-env NODE_ENV=production bun run core/cli/index.ts build --frontend-only",
-    "build:backend": "cross-env NODE_ENV=production bun run core/cli/index.ts build --backend-only",
-    "build:exe": "cross-env NODE_ENV=production && bun run core/cli/index.ts build && bun run core/cli/index.ts build:exe",
-    "start": "NODE_ENV=production bun dist/index.js",
-    "create": "bun run core/cli/index.ts create",
-    "cli": "bun run core/cli/index.ts",
-    "make:component": "bun run core/cli/index.ts make:component",
-    "sync-version": "bun run core/utils/sync-version.ts",
-    "test": "vitest",
-    "test:ui": "vitest --ui",
-    "test:coverage": "vitest run --coverage",
-    "typecheck:api": "tsc --noEmit -p tsconfig.api-strict.json",
-    "test:e2e": "playwright test",
-    "test:e2e:ui": "playwright test --ui",
-    "test:e2e:headed": "playwright test --headed"
-  },
-  "devDependencies": {
-    "@eslint/js": "^9.30.1",
-    "@noble/curves": "1.2.0",
-    "@noble/hashes": "1.3.2",
-    "@playwright/test": "^1.58.2",
-    "@tailwindcss/vite": "^4.1.13",
-    "@testing-library/jest-dom": "^6.6.4",
-    "@testing-library/react": "^16.3.0",
-    "@testing-library/user-event": "^14.6.1",
-    "@types/bun": "latest",
-    "@types/node": "^24.5.2",
-    "@types/react": "^19.1.8",
-    "@types/react-dom": "^19.1.6",
-    "@vitest/coverage-v8": "^3.2.4",
-    "@vitest/ui": "^3.2.4",
-    "baseline-browser-mapping": "^2.10.7",
-    "cross-env": "^10.1.0",
-    "eslint": "^9.30.1",
-    "eslint-plugin-react-hooks": "^5.2.0",
-    "eslint-plugin-react-refresh": "^0.4.20",
-    "globals": "^16.3.0",
-    "jsdom": "^26.1.0",
-    "rollup": "4.20.0",
-    "tailwindcss": "^4.1.13",
-    "typescript": "^5.8.3",
-    "typescript-eslint": "^8.35.1",
-    "vite-plugin-checker": "^0.12.0",
-    "vite-tsconfig-paths": "^6.0.5",
-    "vitest": "^3.2.4"
-  },
-  "dependencies": {
-    "@elysiajs/eden": "^1.3.2",
-    "@elysiajs/swagger": "^1.3.1",
-    "@fluxstack/config": "^1.0.0",
-    "@fluxstack/live": "^0.5.1",
-    "@fluxstack/live-client": "^0.5.1",
-    "@fluxstack/live-elysia": "^0.5.1",
-    "@fluxstack/live-react": "^0.5.1",
-    "@fluxstack/plugin-crypto-auth": "^1.0.0",
-    "@fluxstack/plugin-csrf-protection": "^1.1.0",
-    "@vitejs/plugin-react": "^4.6.0",
-    "chalk": "^5.3.0",
-    "commander": "^12.1.0",
-    "elysia": "^1.4.6",
-    "lightningcss": "^1.30.1",
-    "ora": "^8.1.0",
-    "react": "^19.1.0",
-    "react-dom": "^19.1.0",
-    "react-icons": "^5.5.0",
-    "react-router": "^7.9.3",
-    "uuid": "^13.0.0",
-    "vite": "^7.1.7",
-    "winston": "^3.18.3",
-    "winston-daily-rotate-file": "^5.0.0",
-    "zustand": "^5.0.8"
-  },
-  "engines": {
-    "bun": ">=1.2.0"
-  },
-  "preferredPackageManager": "bun"
-}
+{
+  "name": "create-fluxstack",
+  "version": "1.18.1",
+  "description": "⚡ Revolutionary full-stack TypeScript framework with Declarative Config System, Elysia + React + Bun",
+  "keywords": [
+    "framework",
+    "full-stack",
+    "typescript",
+    "elysia",
+    "react",
+    "bun",
+    "vite"
+  ],
+  "author": "FluxStack Team",
+  "license": "MIT",
+  "homepage": "https://github.com/MarcosBrendonDePaula/FluxStack",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/MarcosBrendonDePaula/FluxStack.git"
+  },
+  "module": "app/server/index.ts",
+  "type": "module",
+  "bin": {
+    "create-fluxstack": "create-fluxstack.ts"
+  },
+  "scripts": {
+    "dev": "bun run core/cli/index.ts dev",
+    "dev:frontend": "bun run core/cli/index.ts dev --frontend-only",
+    "dev:backend": "bun run core/cli/index.ts dev --backend-only",
+    "build": "cross-env NODE_ENV=production bun run core/cli/index.ts build",
+    "build:frontend": "cross-env NODE_ENV=production bun run core/cli/index.ts build --frontend-only",
+    "build:backend": "cross-env NODE_ENV=production bun run core/cli/index.ts build --backend-only",
+    "build:exe": "cross-env NODE_ENV=production && bun run core/cli/index.ts build && bun run core/cli/index.ts build:exe",
+    "start": "NODE_ENV=production bun dist/index.js",
+    "create": "bun run core/cli/index.ts create",
+    "cli": "bun run core/cli/index.ts",
+    "make:component": "bun run core/cli/index.ts make:component",
+    "sync-version": "bun run core/utils/sync-version.ts",
+    "test": "vitest",
+    "test:ui": "vitest --ui",
+    "test:coverage": "vitest run --coverage",
+    "typecheck:api": "tsc --noEmit -p tsconfig.api-strict.json",
+    "test:e2e": "playwright test",
+    "test:e2e:ui": "playwright test --ui",
+    "test:e2e:headed": "playwright test --headed"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.30.1",
+    "@noble/curves": "1.2.0",
+    "@noble/hashes": "1.3.2",
+    "@playwright/test": "^1.58.2",
+    "@tailwindcss/vite": "^4.1.13",
+    "@testing-library/jest-dom": "^6.6.4",
+    "@testing-library/react": "^16.3.0",
+    "@testing-library/user-event": "^14.6.1",
+    "@types/bun": "latest",
+    "@types/node": "^24.5.2",
+    "@types/react": "^19.1.8",
+    "@types/react-dom": "^19.1.6",
+    "@vitest/coverage-v8": "^3.2.4",
+    "@vitest/ui": "^3.2.4",
+    "baseline-browser-mapping": "^2.10.7",
+    "cross-env": "^10.1.0",
+    "eslint": "^9.30.1",
+    "eslint-plugin-react-hooks": "^5.2.0",
+    "eslint-plugin-react-refresh": "^0.4.20",
+    "globals": "^16.3.0",
+    "jsdom": "^26.1.0",
+    "rollup": "4.20.0",
+    "tailwindcss": "^4.1.13",
+    "typescript": "^5.8.3",
+    "typescript-eslint": "^8.35.1",
+    "vite-plugin-checker": "^0.12.0",
+    "vite-tsconfig-paths": "^6.0.5",
+    "vitest": "^3.2.4"
+  },
+  "dependencies": {
+    "@elysiajs/eden": "^1.3.2",
+    "@elysiajs/swagger": "^1.3.1",
+    "@fluxstack/config": "^1.0.0",
+    "@fluxstack/live": "^0.6.0",
+    "@fluxstack/live-client": "^0.6.0",
+    "@fluxstack/live-elysia": "^0.6.0",
+    "@fluxstack/live-react": "^0.6.0",
+    "@fluxstack/plugin-crypto-auth": "^1.0.0",
+    "@fluxstack/plugin-csrf-protection": "^1.1.0",
+    "@vitejs/plugin-react": "^4.6.0",
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "elysia": "^1.4.6",
+    "lightningcss": "^1.30.1",
+    "ora": "^8.1.0",
+    "react": "^19.1.0",
+    "react-dom": "^19.1.0",
+    "react-icons": "^5.5.0",
+    "react-router": "^7.9.3",
+    "uuid": "^13.0.0",
+    "vite": "^7.1.7",
+    "winston": "^3.18.3",
+    "winston-daily-rotate-file": "^5.0.0",
+    "zustand": "^5.0.8"
+  },
+  "engines": {
+    "bun": ">=1.2.0"
+  },
+  "preferredPackageManager": "bun"
+}