db-model-router 1.0.6 → 1.0.8

package/dbmr.schema.json

@@ -9,28 +9,6 @@
     "loki": false
   },
   "tables": {
-    "users": {
-      "columns": {
-        "user_id": "auto_increment",
-        "name": "required|string",
-        "email": "required|string",
-        "password_hash": "required|string",
-        "phone": "string",
-        "avatar_url": "string",
-        "role": "required|string",
-        "is_deleted": "boolean",
-        "created_at": "datetime",
-        "updated_at": "datetime"
-      },
-      "pk": "user_id",
-      "unique": ["email"],
-      "softDelete": "is_deleted",
-      "timestamps": {
-        "created_at": "created_at",
-        "modified_at": "updated_at"
-      },
-      "parent": null
-    },
     "addresses": {
       "columns": {
         "address_id": "auto_increment",
@@ -44,13 +22,13 @@
         "country": "required|string",
         "is_default": "boolean",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "address_id",
       "unique": ["address_id"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": null
     },
@@ -65,13 +43,13 @@
         "sort_order": "integer",
         "is_active": "boolean",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "category_id",
       "unique": ["slug"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": null
     },
@@ -97,14 +75,14 @@
         "is_deleted": "boolean",
         "meta": "object",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "product_id",
       "unique": ["sku", "slug"],
       "softDelete": "is_deleted",
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": null
     },
@@ -136,13 +114,13 @@
         "attributes": "object",
         "is_active": "boolean",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "variant_id",
       "unique": ["sku"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": "products"
     },
@@ -157,13 +135,13 @@
         "is_verified": "boolean",
         "is_approved": "boolean",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "review_id",
       "unique": ["review_id"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": "products"
     },
@@ -174,13 +152,13 @@
         "session_id": "string",
         "currency": "required|string",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "cart_id",
       "unique": ["cart_id"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": null
     },
@@ -193,13 +171,13 @@
         "quantity": "required|integer",
         "unit_price": "required|numeric",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "cart_item_id",
       "unique": ["cart_item_id"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": "carts"
     },
@@ -219,13 +197,13 @@
         "billing_address_id": "integer",
         "notes": "string",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "order_id",
       "unique": ["order_number"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": null
     },
@@ -261,13 +239,13 @@
         "status": "required|string",
         "paid_at": "datetime",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "payment_id",
       "unique": ["payment_id"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": "orders"
     },
@@ -281,13 +259,13 @@
         "shipped_at": "datetime",
         "delivered_at": "datetime",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "shipment_id",
       "unique": ["shipment_id"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": "orders"
     },
@@ -305,13 +283,13 @@
         "expires_at": "datetime",
         "is_active": "boolean",
         "created_at": "datetime",
-        "updated_at": "datetime"
+        "modified_at": "datetime"
       },
       "pk": "coupon_id",
       "unique": ["code"],
       "timestamps": {
         "created_at": "created_at",
-        "modified_at": "updated_at"
+        "modified_at": "modified_at"
       },
       "parent": null
     },

package/demo/.dockerignore

@@ -0,0 +1,7 @@
+node_modules
+npm-debug.log
+.env
+.env.example
+.git
+.gitignore
+data

package/demo/.env.example

@@ -0,0 +1,15 @@
+# Server
+PORT=3000
+API_BASE_PATH=/api
+
+# Database
+DB_TYPE=sqlite3
+DB_NAME=./data/data.db
+
+# Session
+SESSION_SECRET=your_session_secret
+
+# Logging
+APP_NAME=your_app_name
+LOG_LEVEL=info
+LOKI_HOST=http://your-loki-host:3100

package/demo/Dockerfile

@@ -0,0 +1,20 @@
+FROM node:alpine
+
+WORKDIR /app
+
+# Install dependencies
+COPY package*.json ./
+RUN npm ci --omit=dev
+
+# Copy application files
+COPY app.js ./
+COPY commons/ ./commons/
+COPY middleware/ ./middleware/
+COPY route/ ./route/
+COPY migrations/ ./migrations/
+
+# Expose port
+EXPOSE 3000
+
+# Start the application
+CMD ["node", "app.js"]

package/demo/app.js

@@ -0,0 +1,39 @@
+import express from "express";
+import "./commons/db.js";
+import configureSession from "./commons/session.js";
+import applySecurity from "./commons/security.js";
+import logger from "./middleware/logger.js";
+import routes from "./routes/index.js";
+import { fileURLToPath } from 'node:url';
+import path from "path";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const app = express();
+const PORT = process.env.PORT || 3000;
+
+// Middleware
+app.use(express.json());
+app.use(express.urlencoded({ extended: true }));
+
+// Security (helmet, rate limiting, custom headers)
+applySecurity(app);
+
+// Session
+app.use(configureSession());
+
+// Logger
+app.use(logger);
+
+// Routes
+app.use(process.env.API_BASE_PATH || "/api", routes);
+
+// Error handler
+app.use((err, req, res, next) => {
+  console.error(err.stack);
+  res.status(500).json({ type: "danger", message: "Internal Server Error" });
+});
+
+app.listen(PORT, () => {
+  console.log(`Server running on port ${PORT}`);
+});
+
+export default app;

package/demo/commons/add_migration.js

@@ -0,0 +1,43 @@
+#!/usr/bin/env node
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+/**
+ * Create a new timestamped migration file.
+ * @param {string} migrationsDir - absolute path to migrations folder
+ * @param {string} [name] - migration name (default: "migration")
+ * @returns {string} the created filename
+ */
+export default function addMigration(migrationsDir, name) {
+  const migrationName = name || "migration";
+  const now = new Date();
+  const y = String(now.getFullYear()).padStart(4, "0");
+  const mo = String(now.getMonth() + 1).padStart(2, "0");
+  const d = String(now.getDate()).padStart(2, "0");
+  const h = String(now.getHours()).padStart(2, "0");
+  const mi = String(now.getMinutes()).padStart(2, "0");
+  const s = String(now.getSeconds()).padStart(2, "0");
+  const ts = `${y}${mo}${d}${h}${mi}${s}`;
+
+  const filename = `${ts}_${migrationName}.sql`;
+  const filePath = path.join(migrationsDir, filename);
+
+  if (!fs.existsSync(migrationsDir)) {
+    fs.mkdirSync(migrationsDir, { recursive: true });
+  }
+
+  fs.writeFileSync(filePath, "-- Write your migration SQL here\n");
+  console.log(`Created migration: ${filename}`);
+  return filename;
+}
+
+// Run as standalone script
+const isMain = process.argv[1] && fs.realpathSync(process.argv[1]) === fs.realpathSync(fileURLToPath(import.meta.url));
+if (isMain) {
+  const migrationsDir = path.join(__dirname, "../migrations");
+  const name = process.argv[2] || "migration";
+  addMigration(migrationsDir, name);
+}

package/demo/commons/db.js

@@ -0,0 +1,17 @@
+import "dotenv/config";
+import dbModelRouter from "db-model-router";
+
+// Initialize database adapter
+dbModelRouter.init("sqlite3");
+
+// Connect to database
+dbModelRouter.db.connect({
+  database: process.env.DB_NAME || "./data/data.db",
+});
+
+// Make db available globally across the application
+const db = dbModelRouter.db;
+global.db = db;
+
+export { db };
+export default db;

package/demo/commons/migrate.js

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+import fs from "fs";
+import path from "path";
+import crypto from "crypto";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+/**
+ * Run all pending SQL migrations from the migrations directory.
+ * @param {object} db - db-model-router db instance
+ * @param {string} migrationsDir - absolute path to migrations folder
+ */
+export default async function runMigrations(db, migrationsDir) {
+  const files = fs.readdirSync(migrationsDir)
+    .filter(f => f.endsWith(".sql"))
+    .sort();
+
+  let executed;
+  try {
+    const result = await db.query("SELECT filename FROM _migrations");
+    executed = new Set((result || []).map(r => r.filename));
+  } catch (e) {
+    executed = new Set();
+  }
+
+  let ran = 0;
+  for (const file of files) {
+    if (executed.has(file)) {
+      console.log(`  Skipping (already executed): ${file}`);
+      continue;
+    }
+    const filePath = path.join(migrationsDir, file);
+    const content = fs.readFileSync(filePath, "utf8");
+    const checksum = crypto.createHash("md5").update(content).digest("hex");
+
+    console.log(`  Running migration: ${file}`);
+    await db.query(content);
+    await db.query(
+      "INSERT INTO _migrations (filename, checksum) VALUES (?, ?)",
+      [file, checksum]
+    );
+    console.log(`  Completed: ${file}`);
+    ran++;
+  }
+
+  if (ran === 0) {
+    console.log("No pending migrations.");
+  } else {
+    console.log(`\n${ran} migration(s) complete.`);
+  }
+}
+
+// Run as standalone script
+const isMain = process.argv[1] && fs.realpathSync(process.argv[1]) === fs.realpathSync(fileURLToPath(import.meta.url));
+if (isMain) {
+  await import("dotenv/config");
+  const pkg = await import("db-model-router");
+  const mod = pkg.default || pkg;
+  mod.init("sqlite3");
+  mod.db.connect({
+    database: process.env.DB_NAME || "./data/data.db",
+});
+  const migrationsDir = path.join(__dirname, "../migrations");
+  runMigrations(mod.db, migrationsDir)
+    .then(() => process.exit(0))
+    .catch(err => { console.error("Migration failed:", err); process.exit(1); });
+}

package/demo/commons/modules.js

@@ -0,0 +1,18 @@
+/**
+ * Registry of all SaaS module names.
+ * This is the single source of truth for valid module identifiers
+ * used by the permission system.
+ *
+ * @type {string[]}
+ */
+export const modules = ["users", "tenants", "roles", "permissions", "webhooks"];
+
+/**
+ * Check whether a given name is a registered module.
+ *
+ * @param {string} name - The module name to validate
+ * @returns {boolean} True if the name exists in the modules registry
+ */
+export function isValidModule(name) {
+  return modules.includes(name);
+}

package/demo/commons/password.js

@@ -0,0 +1,36 @@
+import crypto from "crypto";
+
+/**
+ * Hash a password using scrypt with a random salt.
+ * Returns a string in the format "salt:derivedKey" (both hex-encoded).
+ *
+ * @param {string} password - The plaintext password to hash
+ * @returns {Promise<string>} The hashed password string
+ */
+export function hashPassword(password) {
+  const salt = crypto.randomBytes(16).toString("hex");
+  return new Promise((resolve, reject) => {
+    crypto.scrypt(password, salt, 64, (err, derivedKey) => {
+      if (err) reject(err);
+      resolve(salt + ":" + derivedKey.toString("hex"));
+    });
+  });
+}
+
+/**
+ * Verify a password against a previously hashed value.
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @param {string} password - The plaintext password to verify
+ * @param {string} hash - The stored hash in "salt:derivedKey" format
+ * @returns {Promise<boolean>} True if the password matches, false otherwise
+ */
+export function verifyPassword(password, hash) {
+  const [salt, key] = hash.split(":");
+  return new Promise((resolve, reject) => {
+    crypto.scrypt(password, salt, 64, (err, derivedKey) => {
+      if (err) reject(err);
+      resolve(crypto.timingSafeEqual(Buffer.from(key, "hex"), derivedKey));
+    });
+  });
+}

package/demo/commons/security.js

@@ -0,0 +1,30 @@
+import helmet from "helmet";
+import rateLimit from "express-rate-limit";
+
+/**
+ * Apply security middleware to the Express app.
+ * Includes: Helmet, rate limiting, custom security headers.
+ * @param {import("express").Application} app
+ */
+export default function applySecurity(app) {
+  // Helmet — sets various HTTP headers for security
+  app.use(helmet());
+
+  // Rate limiting
+  app.use(rateLimit({
+    windowMs: 15 * 60 * 1000,
+    max: 100,
+    standardHeaders: true,
+    legacyHeaders: false,
+  }));
+
+  // Custom security headers (override or extend as needed)
+  app.use((req, res, next) => {
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    res.setHeader("X-XSS-Protection", "1; mode=block");
+    res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+    res.removeHeader("X-Powered-By");
+    next();
+  });
+}

package/demo/commons/session.js

@@ -0,0 +1,13 @@
+import session from "express-session";
+
+/**
+ * Configure and return session middleware.
+ * Session store: memory
+ */
+export default function configureSession() {
+  return session({
+    secret: process.env.SESSION_SECRET || "change-me",
+    resave: false,
+    saveUninitialized: false,
+  });
+}

package/demo/commons/webhook.js

@@ -0,0 +1,81 @@
+import crypto from "crypto";
+
+/**
+ * Retry delay schedule in seconds.
+ * Attempt 0: immediate, 1: 1 min, 2: 5 min, 3: 1 hour, 4: 1 day.
+ *
+ * @type {number[]}
+ */
+export const RETRY_DELAYS = [0, 60, 300, 3600, 86400];
+
+/**
+ * Sign a webhook payload using HMAC-SHA256.
+ *
+ * @param {object} payload - The payload object to sign
+ * @param {string} secret - The tenant's webhook secret
+ * @returns {string} Hex-encoded HMAC-SHA256 signature
+ */
+export function signPayload(payload, secret) {
+  const body = JSON.stringify(payload);
+  return crypto.createHmac("sha256", secret).update(body).digest("hex");
+}
+
+/**
+ * Look up the configured webhook for a tenant.
+ * TODO: Replace this stub with actual database lookup.
+ */
+export async function lookupWebhook(tenantId) {
+  return null;
+}
+
+/**
+ * Log a webhook delivery event.
+ * TODO: Replace this stub with actual database insert into webhook_logs.
+ */
+export async function logWebhookEvent(webhookId, tenantId, eventType, payload, status, responseBody, responseStatusCode) {
+  // Stub: replace with actual DB insert
+}
+
+/**
+ * Delay execution for the specified number of milliseconds.
+ */
+export function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+/**
+ * Send a webhook notification to the configured endpoint for a tenant.
+ * Retries delivery up to 5 times with exponential backoff.
+ */
+export async function sendWebhook(tenantId, event, context) {
+  const webhook = await lookupWebhook(tenantId);
+  if (!webhook) return;
+
+  const payload = { context, event, timestamp: new Date().toISOString() };
+  payload.signature = signPayload(payload, webhook.secret);
+
+  for (let attempt = 0; attempt < RETRY_DELAYS.length; attempt++) {
+    if (attempt > 0) {
+      await delay(RETRY_DELAYS[attempt] * 1000);
+      console.log(`Webhook retry attempt ${attempt}, delay: ${RETRY_DELAYS[attempt]}s`);
+    }
+    try {
+      const response = await fetch(webhook.url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", "X-Webhook-Key": webhook.key },
+        body: JSON.stringify(payload),
+      });
+      await logWebhookEvent(
+        webhook.id, tenantId, event.type, payload,
+        response.ok ? "success" : "failed",
+        await response.text(), response.status
+      );
+      if (response.ok) return;
+    } catch (err) {
+      await logWebhookEvent(
+        webhook.id, tenantId, event.type, payload,
+        "error", err.message, null
+      );
+    }
+  }
+}