kuzzle 2.18.0 → 2.18.1

package/lib/api/controllers/authController.js

@@ -35,6 +35,7 @@ const { NativeController } = require('./baseController');
 const formatProcessing = require('../../core/auth/formatProcessing');
 const { User } = require('../../model/security/user');
 const ApiKey = require('../../model/storage/apiKey');
+const SecurityController = require('./securityController');
 
 /**
  * @class AuthController
@@ -471,7 +472,7 @@ class AuthController extends NativeController {
         userId,
       });
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on user "${userId}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on user "${userId}."`);
 
     return formatProcessing.serializeUser(user);
   }

package/lib/api/controllers/documentController.js

@@ -228,8 +228,12 @@ class DocumentController extends NativeController {
       mimeType = 'text/csv';
     }
 
-    request.response.setHeader('Content-Type', mimeType);
-    request.response.setHeader('Content-Disposition', `attachment; filename="${index}-${collection}.${format}"`);
+    request.response.configure({
+      headers: {
+        'Content-Disposition': `attachment; filename="${index}-${collection}.${format}"`,
+        'Content-Type': mimeType,
+      }
+    });
 
     return dumpCollectionDocuments(
       index,

package/lib/api/controllers/securityController.js

@@ -38,6 +38,11 @@ const { generateRandomName } = require('../../util/name-generator');
  * @class SecurityController
  */
 class SecurityController extends NativeController {
+
+  static userOrSdk (userId) {
+    return userId === null ? 'EmbeddedSDK' : `User "${userId}"`;
+  }
+
   constructor () {
     super([
       'checkRights',
@@ -150,7 +155,7 @@ class SecurityController extends NativeController {
       refresh,
     });
 
-    global.kuzzle.log.info(`[SECURITY] User "${creatorId}" applied action "${request.input.action}" on user "${userId}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(creatorId)} applied action "${request.input.action}" on user "${userId}."`);
     return apiKey.serialize({ includeToken: true });
   }
 
@@ -372,7 +377,7 @@ class SecurityController extends NativeController {
       userId,
     });
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on role "${role._id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on role "${role._id}."`);
     return formatProcessing.serializeRole(role);
   }
 
@@ -393,7 +398,7 @@ class SecurityController extends NativeController {
       userId,
     });
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on role "${role._id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on role "${role._id}."`);
     return formatProcessing.serializeRole(role);
   }
 
@@ -410,7 +415,7 @@ class SecurityController extends NativeController {
       refresh: request.getRefresh('wait_for')
     });
 
-    global.kuzzle.log.info(`[SECURITY] User "${request.getKuid()}" applied action "${request.input.action} on role "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(request.getKuid())} applied action "${request.input.action} on role "${id}."`);
 
     // @todo This avoids a breaking change... but we should really return
     // an acknowledgment.
@@ -473,7 +478,7 @@ class SecurityController extends NativeController {
         userId,
       });
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on profile "${profile._id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on profile "${profile._id}."`);
 
     return formatProcessing.serializeProfile(profile);
   }
@@ -502,7 +507,7 @@ class SecurityController extends NativeController {
         userId,
       });
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on profile "${profile._id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on profile "${profile._id}."`);
 
     return formatProcessing.serializeProfile(profile);
   }
@@ -523,7 +528,7 @@ class SecurityController extends NativeController {
 
     await this.ask('core:security:profile:delete', id, options);
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on profile "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on profile "${id}."`);
 
     // @todo - replace by an acknowledgement
     return { _id: id };
@@ -603,7 +608,8 @@ class SecurityController extends NativeController {
       ids = request.getBodyArray('ids');
     }
     else {
-      ids = request.getString('ids').split(',');
+      // @deprecated Should be replaced with request.getArray('ids')
+      ids = request.getArrayLegacy('ids');
     }
 
     const users = await this.ask('core:security:user:mGet', ids);
@@ -758,7 +764,7 @@ class SecurityController extends NativeController {
 
     await this.ask('core:security:user:delete', id, options);
 
-    global.kuzzle.log.info(`[SECURITY] User "${request.getKuid()}" applied action "${request.input.action}" on user "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(request.getKuid())} applied action "${request.input.action}" on user "${id}."`);
 
     return { _id: id };
   }
@@ -865,7 +871,7 @@ class SecurityController extends NativeController {
       content,
       { refresh: request.getRefresh('wait_for'), userId });
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on user "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on user "${id}."`);
 
     return formatProcessing.serializeUser(user);
   }
@@ -888,7 +894,7 @@ class SecurityController extends NativeController {
       userId,
     });
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on profile "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on profile "${id}."`);
     return formatProcessing.serializeProfile(updated);
   }
 
@@ -910,7 +916,7 @@ class SecurityController extends NativeController {
       userId,
     });
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on role "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on role "${id}."`);
 
     return formatProcessing.serializeRole(updated);
   }
@@ -951,7 +957,7 @@ class SecurityController extends NativeController {
       }
     }
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}".`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}".`);
 
     return user;
   }
@@ -1040,7 +1046,7 @@ class SecurityController extends NativeController {
 
     const createMethod = this.getStrategyMethod(strategy, 'create');
 
-    global.kuzzle.log.info(`[SECURITY] User "${request.getKuid()}" applied action "${request.input.action}" on user "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(request.getKuid())} applied action "${request.input.action}" on user "${id}."`);
     return createMethod(request, body, id, strategy);
   }
 
@@ -1064,7 +1070,7 @@ class SecurityController extends NativeController {
 
     const updateMethod = this.getStrategyMethod(strategy, 'update');
 
-    global.kuzzle.log.info(`[SECURITY] User "${request.getKuid()}" applied action "${request.input.action}" on user "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(request.getKuid())} applied action "${request.input.action}" on user "${id}."`);
 
     return updateMethod(request, body, id, strategy);
   }
@@ -1117,7 +1123,7 @@ class SecurityController extends NativeController {
 
     await deleteMethod(request, id, strategy);
 
-    global.kuzzle.log.info(`[SECURITY] User "${request.getKuid()}" applied action "${request.input.action}" on user "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(request.getKuid())} applied action "${request.input.action}" on user "${id}."`);
 
     return { acknowledged: true };
   }
@@ -1228,10 +1234,10 @@ class SecurityController extends NativeController {
     }
 
     if (successes.length > 1000) {
-      global.kuzzle.log.info(`[SECURITY] User "${request.getKuid()}" deleted the following ${type}s: ${successes.slice(0, 1000).join(', ')}... (${successes.length - 1000} more users deleted)."`);
+      global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(request.getKuid())} deleted the following ${type}s: ${successes.slice(0, 1000).join(', ')}... (${successes.length - 1000} more users deleted)."`);
     }
     else {
-      global.kuzzle.log.info(`[SECURITY] User "${request.getKuid()}" deleted the following ${type}s: ${successes.join(', ')}."`);
+      global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(request.getKuid())} deleted the following ${type}s: ${successes.join(', ')}."`);
     }
 
     return successes;
@@ -1253,7 +1259,7 @@ class SecurityController extends NativeController {
         userId,
       });
 
-    global.kuzzle.log.info(`[SECURITY] User "${userId}" applied action "${request.input.action}" on user "${id}."`);
+    global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}" on user "${id}."`);
 
     return formatProcessing.serializeUser(updated);
   }
@@ -1347,7 +1353,7 @@ class SecurityController extends NativeController {
     }
 
     if (creationFailure === null) {
-      global.kuzzle.log.info(`[SECURITY] User "${request.getKuid()}" applied action "${request.input.action}" on user "${id}."`);
+      global.kuzzle.log.info(`[SECURITY] ${SecurityController.userOrSdk(request.getKuid())} applied action "${request.input.action}" on user "${id}."`);
       return createdUser;
     }
 

package/lib/api/controllers/serverController.js

@@ -188,7 +188,8 @@ class ServerController extends NativeController {
 
     let services;
     if (typeof request.input.args.services === 'string') {
-      services = request.input.args.services.split(',');
+      // @deprecated Should be replaced with request.getArray('services')
+      services = request.getArrayLegacy('services');
     }
     if (! services || services.includes('internalCache')) {
       try {

package/lib/api/documentExtractor.js

@@ -56,7 +56,8 @@ const extractors = ([
             ids = request.input.args.ids;
           }
           else if (typeof request.input.args.ids === 'string') {
-            ids = request.input.args.ids.split(',');
+            // @deprecated Should be replaced with request.getArray('ids')
+            ids = request.getArrayLegacy('ids');
           }
           else {
             throw assertionError.get(

package/lib/api/request/kuzzleRequest.d.ts

@@ -258,6 +258,9 @@ export declare class KuzzleRequest {
     /**
      * Gets a parameter from a request arguments and checks that it is an array
      *
+     * If the request argument is a JSON String instead of an array, it will be parsed
+     * and returned if it is a valid JSON array, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -266,9 +269,29 @@ export declare class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an array
      */
     getArray(name: string, def?: [] | undefined): any[];
+    /**
+     * @deprecated do not use, Use getArray instead
+     *
+     * Gets a parameter from a request arguments and checks that it is an array
+     *
+     * If the request argument is a String instead of an array, it will be JSON parsed
+     * and returned if it is a valid JSON array, otherwise it will return the string splitted on `,`.
+     *
+     *
+     * @param name parameter name
+     * @param def default value to return if the parameter is not set
+     *
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If the fetched parameter is not an array or a string
+     */
+    getArrayLegacy(name: string, def?: [] | undefined): any[];
     /**
      * Gets a parameter from a request arguments and checks that it is an object
      *
+     * If the request argument is a JSON String instead of an object, it will be parsed
+     * and returned if it is a valid JSON object, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -374,6 +397,7 @@ export declare class KuzzleRequest {
      * @param obj container object
      * @param name parameter name
      * @param errorName name to use in error messages
+     * @param querystring if true, the object is expected to be found in a querystring
      */
     private _getBoolean;
     /**
@@ -419,6 +443,7 @@ export declare class KuzzleRequest {
      * @param name parameter name
      * @param errorName name to use in error messages
      * @param def default value
+     * @param querystring if true, the object is expected to be found in a querystring
      */
     private _getObject;
 }

package/lib/api/request/kuzzleRequest.js

@@ -228,7 +228,9 @@ class KuzzleRequest {
         }
         this.status = options.status || 200;
         if (options.headers) {
-            this.response.setHeaders(options.headers);
+            this.response.configure({
+                headers: options.headers
+            });
         }
         if (options.raw !== undefined) {
             this.response.raw = options.raw;
@@ -465,7 +467,7 @@ class KuzzleRequest {
      * @param name parameter name
      */
     getBoolean(name) {
-        return this._getBoolean(this.input.args, name, name);
+        return this._getBoolean(this.input.args, name, name, true);
     }
     /**
      * Gets a parameter from a request arguments and checks that it is a number
@@ -509,6 +511,9 @@ class KuzzleRequest {
     /**
      * Gets a parameter from a request arguments and checks that it is an array
      *
+     * If the request argument is a JSON String instead of an array, it will be parsed
+     * and returned if it is a valid JSON array, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -517,11 +522,56 @@ class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an array
      */
     getArray(name, def = undefined) {
-        return this._getArray(this.input.args, name, name, def);
+        return this._getArray(this.input.args, name, name, def, true);
+    }
+    /**
+     * @deprecated do not use, Use getArray instead
+     *
+     * Gets a parameter from a request arguments and checks that it is an array
+     *
+     * If the request argument is a String instead of an array, it will be JSON parsed
+     * and returned if it is a valid JSON array, otherwise it will return the string splitted on `,`.
+     *
+     *
+     * @param name parameter name
+     * @param def default value to return if the parameter is not set
+     *
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If the fetched parameter is not an array or a string
+     */
+    getArrayLegacy(name, def = undefined) {
+        const value = (0, lodash_1.get)(this.input.args, name, def);
+        if (value === undefined) {
+            throw assertionError.get('missing_argument', name);
+        }
+        if (Array.isArray(value)) {
+            return value;
+        }
+        if (typeof value !== 'string') {
+            throw assertionError.get('invalid_type', name, 'array');
+        }
+        // If we are using the HTTP protocol and we have a string instead of an Array
+        // we try to parse it as JSON
+        if (this.context.connection.protocol === 'http') {
+            try {
+                const parsedValue = JSON.parse(value);
+                if (Array.isArray(parsedValue)) {
+                    return parsedValue;
+                }
+            }
+            catch (e) {
+                // Do nothing, let the code continue
+            }
+        }
+        return value.split(',');
     }
     /**
      * Gets a parameter from a request arguments and checks that it is an object
      *
+     * If the request argument is a JSON String instead of an object, it will be parsed
+     * and returned if it is a valid JSON object, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -530,7 +580,7 @@ class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an object
      */
     getObject(name, def = undefined) {
-        return this._getObject(this.input.args, name, name, def);
+        return this._getObject(this.input.args, name, name, def, true);
     }
     /**
      * Gets a parameter from a request arguments and check with moment.js if the date is an ISO8601 format date
@@ -677,13 +727,7 @@ class KuzzleRequest {
             || this.context.connection.misc.verb !== 'GET') {
             return this.getBody({});
         }
-        const searchBody = this.getString('searchBody', '{}');
-        try {
-            return JSON.parse(searchBody);
-        }
-        catch (err) {
-            throw assertionError.get('invalid_argument', err.message);
-        }
+        return this.getObject('searchBody', {});
     }
     /**
      * Returns the search params.
@@ -736,16 +780,17 @@ class KuzzleRequest {
      * @param obj container object
      * @param name parameter name
      * @param errorName name to use in error messages
+     * @param querystring if true, the object is expected to be found in a querystring
      */
-    _getBoolean(obj, name, errorName) {
+    _getBoolean(obj, name, errorName, querystring = false) {
         let value = (0, lodash_1.get)(obj, name);
         // In HTTP, booleans are flags: if it's in the querystring, it's set,
         // whatever its value.
         // If a user needs to unset the option, they need to remove it from the
         // querystring.
-        if (this.context.connection.protocol === 'http') {
+        if (this.context.connection.protocol === 'http' && querystring) {
             value = value !== undefined;
-            obj[name] = value;
+            (0, lodash_1.set)(obj, name, value);
         }
         else if (value === undefined || value === null) {
             value = false;
@@ -822,12 +867,30 @@ class KuzzleRequest {
      * @param errorName name to use in error messages
      * @param def default value
      */
-    _getArray(obj, name, errorName, def = undefined) {
+    _getArray(obj, name, errorName, def = undefined, querystring = false) {
         const value = (0, lodash_1.get)(obj, name, def);
         if (value === undefined) {
             throw assertionError.get('missing_argument', errorName);
         }
         if (!Array.isArray(value)) {
+            // If we are using the HTTP protocol and we have a string instead of an Array
+            // we try to parse it as JSON
+            if (this.context.connection.protocol === 'http'
+                && querystring
+                && typeof value === 'string') {
+                try {
+                    const parsedValue = JSON.parse(value);
+                    if (Array.isArray(parsedValue)) {
+                        // Replace the value with the parsed value
+                        // This way subsequent calls to this function will return the parsed value directly
+                        (0, lodash_1.set)(obj, name, parsedValue);
+                        return parsedValue;
+                    }
+                }
+                catch (e) {
+                    // Do nothing, let the error be thrown below
+                }
+            }
             throw assertionError.get('invalid_type', errorName, 'array');
         }
         return value;
@@ -839,13 +902,32 @@ class KuzzleRequest {
      * @param name parameter name
      * @param errorName name to use in error messages
      * @param def default value
+     * @param querystring if true, the object is expected to be found in a querystring
      */
-    _getObject(obj, name, errorName, def = undefined) {
+    _getObject(obj, name, errorName, def = undefined, querystring = false) {
         const value = (0, lodash_1.get)(obj, name, def);
         if (value === undefined) {
             throw assertionError.get('missing_argument', errorName);
         }
         if (!(0, safeObject_1.isPlainObject)(value)) {
+            // If we are using the HTTP protocol and we have a string instead of an Array
+            // we try to parse it as JSON
+            if (this.context.connection.protocol === 'http'
+                && querystring
+                && typeof value === 'string') {
+                try {
+                    const parsedValue = JSON.parse(value);
+                    if ((0, safeObject_1.isPlainObject)(parsedValue)) {
+                        // Replace the value with the parsed value
+                        // This way subsequent calls to this function will return the parsed value directly
+                        (0, lodash_1.set)(obj, name, parsedValue);
+                        return parsedValue;
+                    }
+                }
+                catch (e) {
+                    // Do nothing, let the error be thrown below
+                }
+            }
             throw assertionError.get('invalid_type', errorName, 'object');
         }
         return value;

package/lib/api/request/requestResponse.js

@@ -49,6 +49,11 @@ const assert = __importStar(require("../../util/assertType"));
 // \u200b is a zero width space, used to masquerade console.log output
 const _request = 'request\u200b';
 const _headers = 'headers\u200b';
+const _userHeaders = 'userHeaders\u200b'; // List of headers to be sent in the response
+// List of headers that should not be present in the body of the response
+const restrictedHeaders = [
+    'set-cookie',
+];
 class Headers {
     constructor() {
         this.namesMap = new Map();
@@ -150,6 +155,7 @@ class RequestResponse {
         this.raw = false;
         this[_request] = request;
         this[_headers] = new Headers();
+        this[_userHeaders] = new Set();
         Object.seal(this);
     }
     /**
@@ -254,6 +260,9 @@ class RequestResponse {
     configure(options = {}) {
         if (options.headers) {
             this.setHeaders(options.headers);
+            for (const key of Object.keys(options.headers)) {
+                this[_userHeaders].add(key.toLowerCase());
+            }
         }
         if (options.status) {
             this.status = options.status;
@@ -316,6 +325,21 @@ class RequestResponse {
                 status: this.status,
             };
         }
+        const filteredHeaders = {};
+        for (const name of this[_userHeaders]) {
+            filteredHeaders[name] = this.getHeader(name);
+        }
+        /**
+         * Remove headers that are not allowed to be sent to the client in the response's body
+         * For example "set-cookie" headers should only be visible by the browser,
+         * otherwise they may leak information about the server's cookies, since the browser will
+         * not be able to restrict them to the domain of the request.
+        */
+        for (const header of restrictedHeaders) {
+            if (filteredHeaders[header] !== undefined) {
+                filteredHeaders[header] = undefined;
+            }
+        }
         return {
             content: {
                 action: this.action,
@@ -323,6 +347,7 @@ class RequestResponse {
                 controller: this.controller,
                 deprecations: this.deprecations,
                 error: this.error,
+                headers: filteredHeaders,
                 index: this.index,
                 node: this.node,
                 requestId: this.requestId,

package/lib/core/backend/backendController.d.ts

@@ -86,5 +86,11 @@ export declare class BackendController extends ApplicationManager {
      * @param controller Controller class
      */
     use(controller: Controller): void;
-    private _add;
+    /**
+     * Adds the controller definition to the list of application controllers.
+     *
+     * This method also check if the definition is valid to throw with a stacktrace
+     * beginning on the user code adding the controller.
+     */
+    private add;
 }

package/lib/core/backend/backendController.js

@@ -42,11 +42,15 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.BackendController = void 0;
 const inflector_1 = require("../../util/inflector");
 const kerror = __importStar(require("../../kerror"));
 const index_1 = require("./index");
+const plugin_1 = __importDefault(require("../plugin/plugin"));
 const assertionError = kerror.wrap('plugin', 'assert');
 const runtimeError = kerror.wrap('plugin', 'runtime');
 class BackendController extends index_1.ApplicationManager {
@@ -74,7 +78,8 @@ class BackendController extends index_1.ApplicationManager {
         if (this._application.started) {
             throw runtimeError.get('already_started', 'controller');
         }
-        this._add(name, definition);
+        plugin_1.default.checkControllerDefinition(name, definition);
+        this.add(name, definition);
     }
     /**
      * Uses a new controller class.
@@ -147,6 +152,7 @@ class BackendController extends index_1.ApplicationManager {
             controller.name = inflector_1.Inflector.kebabCase(controller.constructor.name)
                 .replace('-controller', '');
         }
+        plugin_1.default.checkControllerDefinition(controller.name, controller.definition);
         for (const [action, definition] of Object.entries(controller.definition.actions)) {
             if (typeof definition.handler !== 'function') {
                 throw assertionError.get('invalid_controller_definition', controller.name, `Handler for action "${action}" is not a function.`);
@@ -158,9 +164,15 @@ class BackendController extends index_1.ApplicationManager {
                 definition.handler = definition.handler.bind(controller);
             }
         }
-        this._add(controller.name, controller.definition);
+        this.add(controller.name, controller.definition);
     }
-    _add(name, definition) {
+    /**
+     * Adds the controller definition to the list of application controllers.
+     *
+     * This method also check if the definition is valid to throw with a stacktrace
+     * beginning on the user code adding the controller.
+     */
+    add(name, definition) {
         if (this._application._controllers[name]) {
             throw assertionError.get('invalid_controller_definition', name, 'A controller with this name already exists');
         }

package/lib/core/network/protocols/httpwsProtocol.js

@@ -256,10 +256,15 @@ class HttpWsProtocol extends Protocol {
   }
 
   wsOnUpgradeHandler (res, req, context) {
+    const headers = {};
+    // Extract headers from uWS request
+    req.forEach((header, value) => {
+      headers[header] = value;
+    });
+
     res.upgrade(
       {
-        cookie: req.getHeader('cookie'),
-        origin: req.getHeader('origin'),
+        headers,
       },
       req.getHeader('sec-websocket-key'),
       req.getHeader('sec-websocket-protocol'),
@@ -273,10 +278,7 @@ class HttpWsProtocol extends Protocol {
     const connection = new ClientConnection(
       this.name,
       [ip],
-      {
-        cookie: socket.cookie,
-        origin: socket.origin
-      }
+      socket.headers
     );
 
     this.entryPoint.newConnection(connection);

package/lib/core/plugin/plugin.js

@@ -300,6 +300,13 @@ class Plugin {
         'Controller definition must be an object');
     }
 
+    if (! isPlainObject(definition.actions)) {
+      throw assertionError.get(
+        'invalid_controller_definition',
+        name,
+        'Controller definition "actions" property must be an object');
+    }
+
     for (const [action, actionDefinition] of Object.entries(definition.actions)) {
       const actionProperties = Object.keys(actionDefinition);
 

package/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "kuzzle",
-  "version": "2.18.0",
+  "version": "2.18.1",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "kuzzle",
   "author": "The Kuzzle Team <support@kuzzle.io>",
-  "version": "2.18.0",
+  "version": "2.18.1",
   "description": "Kuzzle is an open-source solution that handles all the data management through a secured API, with a large choice of protocols.",
   "bin": {
     "kuzzle": "bin/start-kuzzle-server"