mastercontroller 1.3.9 → 1.3.12

package/MasterAction.js

@@ -3,16 +3,13 @@
 
 var fileserver = require('fs');
 var toolClass =  require('./MasterTools');
-var tempClass =  require('./MasterTemplate');
-// Templating helpers
-var temp = new tempClass();
 var tools = new toolClass();
+// View templating removed - handled by view engine (e.g., MasterView)
 
 // Node utils
 var path = require('path');
 
-// Vanilla Web Components SSR runtime (LinkeDOM) - executes connectedCallback() and upgrades
-const compileWebComponentsHTML = require('./ssr/runtime-ssr.cjs');
+// SSR runtime removed - handled by view engine
 
 // Enhanced error handling
 const { handleTemplateError, sendErrorResponse } = require('./error/MasterBackendErrorHandler');
@@ -35,22 +32,7 @@ class MasterAction{
 		return MasterAction.__masterCache;
 	}
 
-	getView(location, data){
-		var actionUrl =  MasterAction._master.root + location;
-		const fileResult = safeReadFile(fileserver, actionUrl);
-
-		if (!fileResult.success) {
-			const error = handleTemplateError(fileResult.error.originalError, actionUrl, data);
-			throw error;
-		}
-
-		try {
-			return temp.htmlBuilder(fileResult.content, data);
-		} catch (error) {
-			const mcError = handleTemplateError(error, actionUrl, data);
-			throw mcError;
-		}
-	}
+	// getView() removed - handled by view engine (register via master.useView())
 
 
 	returnJson(data){
@@ -76,52 +58,7 @@ class MasterAction{
 		}
 	}
 
-	// location starts from the view folder. Ex: partialViews/fileName.html
-	returnPartialView(location, data){
-		// SECURITY: Validate path to prevent traversal attacks
-		if (!location || location.includes('..') || location.includes('~') || path.isAbsolute(location)) {
-			logger.warn({
-				code: 'MC_SECURITY_PATH_TRAVERSAL',
-				message: 'Path traversal attempt blocked in returnPartialView',
-				path: location
-			});
-			this.returnError(400, 'Invalid path');
-			return '';
-		}
-
-		const actionUrl = path.resolve(MasterAction._master.root, location);
-
-		// SECURITY: Ensure resolved path is within app root
-		if (!actionUrl.startsWith(MasterAction._master.root)) {
-			logger.warn({
-				code: 'MC_SECURITY_PATH_TRAVERSAL',
-				message: 'Path traversal blocked in returnPartialView',
-				requestedPath: location,
-				resolvedPath: actionUrl
-			});
-			this.returnError(403, 'Forbidden');
-			return '';
-		}
-
-		try {
-			const getAction = fileserver.readFileSync(actionUrl, 'utf8');
-			if (MasterAction._master.overwrite.isTemplate){
-				return MasterAction._master.overwrite.templateRender( data, "returnPartialView");
-			}
-			else{
-				return temp.htmlBuilder(getAction, data);
-			}
-		} catch (error) {
-			logger.error({
-				code: 'MC_ERR_PARTIAL_VIEW',
-				message: 'Failed to read partial view',
-				path: location,
-				error: error.message
-			});
-			this.returnError(404, 'View not found');
-			return '';
-		}
-	}
+	// returnPartialView() removed - handled by view engine (register via master.useView())
 
 	redirectBack(fallback){
 		if(fallback === undefined){
@@ -202,154 +139,13 @@ class MasterAction{
 		MasterAction._master.router._call(requestObj);
 	}
 	
-	// this will allow static pages without master view
-	returnViewWithoutMaster(location, data){
-		var masterView = null;
-		this.params = this.params === undefined ? {} : this.params;
-		this.params = tools.combineObjects(data, this.params);
-		var func = MasterAction._master.viewList;
-        this.params = tools.combineObjects(this.params, func);
-    // Prefer page.js module if present (no legacy .html file)
-    try {
-      const controller = this.__currentRoute.toController;
-      const action = this.__currentRoute.toAction;
-      const pageModuleAbs = path.join(MasterAction._master.root, 'app/views', controller, action, 'page.js');
-      if (fileserver.existsSync(pageModuleAbs)) {
-        if (this._renderPageModule(controller, action, data)) { return; }
-      }
-    } catch (_) {}
+	// returnViewWithoutMaster() removed - handled by view engine (register via master.useView())
 
-		var actionUrl = (location === undefined) ? this.__currentRoute.root + "/app/views/" +  this.__currentRoute.toController + "/" +  this.__currentRoute.toAction + ".html" : MasterAction._master.root + location;
-		var actionView = fileserver.readFileSync(actionUrl, 'utf8');
-		if (MasterAction._master.overwrite.isTemplate){
-			masterView = MasterAction._master.overwrite.templateRender(data, "returnViewWithoutMaster");
-		}
-		else{
-			masterView = temp.htmlBuilder(actionView, data);
-		}
-		if (!this.__requestObject.response._headerSent) {
-			const send = (htmlOut) => {
-				try {
-					this.__requestObject.response.writeHead(200, {'Content-Type': 'text/html'});
-					this.__requestObject.response.end(htmlOut);
-				} catch (e) {
-					// Fallback in case of double send
-				}
-			};
-			try {
-				Promise.resolve(compileWebComponentsHTML(masterView))
-					.then(send)
-					.catch(() => send(masterView));
-			} catch (_) {
-				send(masterView);
-			}
-		}
-	}
+	// returnViewWithoutEngine() removed - handled by view engine (register via master.useView())
 
-	returnViewWithoutEngine(location){
-		// SECURITY: Validate path to prevent traversal attacks
-		if (!location || location.includes('..') || location.includes('~') || path.isAbsolute(location)) {
-			logger.warn({
-				code: 'MC_SECURITY_PATH_TRAVERSAL',
-				message: 'Path traversal attempt blocked in returnViewWithoutEngine',
-				path: location
-			});
-			this.returnError(400, 'Invalid path');
-			return;
-		}
-
-		const actionUrl = path.resolve(MasterAction._master.root, location);
-
-		// SECURITY: Ensure resolved path is within app root
-		if (!actionUrl.startsWith(MasterAction._master.root)) {
-			logger.warn({
-				code: 'MC_SECURITY_PATH_TRAVERSAL',
-				message: 'Path traversal blocked in returnViewWithoutEngine',
-				requestedPath: location,
-				resolvedPath: actionUrl
-			});
-			this.returnError(403, 'Forbidden');
-			return;
-		}
-
-		try {
-			const masterView = fileserver.readFileSync(actionUrl, 'utf8');
-			if (!this.__requestObject.response._headerSent) {
-				this.__requestObject.response.writeHead(200, {'Content-Type': 'text/html'});
-				this.__requestObject.response.end(masterView);
-			}
-		} catch (error) {
-			logger.error({
-				code: 'MC_ERR_VIEW_READ',
-				message: 'Failed to read view file',
-				path: location,
-				error: error.message
-			});
-			this.returnError(404, 'View not found');
-		}
-	}
-
-	returnReact(data, location){
-
-			var masterView = null;
-			data = data === undefined ? {} : data;
-			this.params = this.params === undefined ? {} : this.params;
-			this.params = tools.combineObjects(data, this.params);
-			var func = MasterAction._master.viewList;
-			this.params = tools.combineObjects(this.params, func);
-			var html = MasterAction._master.reactView.compile(this.__currentRoute.toController, this.__currentRoute.toAction, this.__currentRoute.root);
-
-	}
-
-	returnView(data, location){
-
-		var masterView = null;
-		data = data === undefined ? {} : data;
-		this.params = this.params === undefined ? {} : this.params;
-        this.params = tools.combineObjects(data, this.params);
-        var func = MasterAction._master.viewList;
-        this.params = tools.combineObjects(this.params, func);
-    // Prefer page.js module if present (no legacy .html file)
-    try {
-      const controller = this.__currentRoute.toController;
-      const action = this.__currentRoute.toAction;
-      const pageModuleAbs = path.join(MasterAction._master.root, 'app/views', controller, action, 'page.js');
-      if (fileserver.existsSync(pageModuleAbs)) {
-        if (this._renderPageModule(controller, action, data)) { return; }
-      }
-    } catch (_) {}
+	// returnReact() removed - handled by view engine (register via master.useView())
 
-		var viewUrl = (location === undefined || location === "" || location === null) ? this.__currentRoute.root + "/app/views/" + this.__currentRoute.toController + "/" +  this.__currentRoute.toAction + ".html" : MasterAction._master.root + location;
-		var viewFile = fileserver.readFileSync(viewUrl,'utf8');
-		var masterFile = fileserver.readFileSync(this.__currentRoute.root + "/app/views/layouts/master.html", 'utf8');
-		if (MasterAction._master.overwrite.isTemplate){
-			masterView = MasterAction._master.overwrite.templateRender(this.params, "returnView");
-		}
-		else{
-			var childView = temp.htmlBuilder(viewFile, this.params);
-			this.params.yield = childView;
-			masterView = temp.htmlBuilder(masterFile, this.params);
-		}
-		
-		if (!this.__response._headerSent) {
-			const send = (htmlOut) => {
-				try {
-					this.__response.writeHead(200, {'Content-Type': 'text/html'});
-					this.__response.end(htmlOut);
-				} catch (e) {
-					// Fallback in case of double send
-				}
-			};
-			try {
-				Promise.resolve(compileWebComponentsHTML(masterView))
-					.then(send)
-					.catch(() => send(masterView));
-			} catch (_) {
-				send(masterView);
-			}
-		}
-		
-	}
+	// returnView() removed - handled by view engine (register via master.useView())
 
 	close(response, code, content, end){
 		response.writeHead(code, content.type);
@@ -381,58 +177,9 @@ class MasterAction{
 		return false;
 	}
 
-  // Render using a page.js Web Component module when present
-  _renderPageModule(controller, action, data) {
-    try {
-      const pageModuleAbs = path.join(MasterAction._master.root, 'app/views', controller, action, 'page.js');
-      const layoutModuleAbs = path.join(MasterAction._master.root, 'app/views', 'layouts', 'master.js');
-      const stylesPath = '/app/assets/stylesheets/output.css';
-      const pageTag = `home-${action}-page`;
-
-      const htmlDoc =
-`<!DOCTYPE html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8"/>
-    <meta name="viewport" content="width=device-width, initial-scale=1"/>
-    <title>${controller}/${action}</title>
-    <link rel="stylesheet" href="${stylesPath}"/>
-  </head>
-  <body class="geist-variable antialiased">
-    <root-layout>
-      <${pageTag}></${pageTag}>
-    </root-layout>
-    <script type="module" src="/app/views/layouts/master.js"></script>
-    <script type="module" src="/app/views/${controller}/${action}/page.js"></script>
-  </body>
-</html>`;
-
-      const send = (htmlOut) => {
-        try {
-          const res = this.__response || (this.__requestObject && this.__requestObject.response);
-          if (res && !res._headerSent) {
-            res.writeHead(200, { 'Content-Type': 'text/html' });
-            res.end(htmlOut);
-          }
-        } catch (_) {}
-      };
-
-      Promise
-        .resolve(require('./ssr/runtime-ssr.cjs')(htmlDoc, [layoutModuleAbs, pageModuleAbs]))
-        .then(send)
-        .catch(() => send(htmlDoc));
-    } catch (e) {
-      // Fallback to legacy view if something goes wrong
-      console.warn('[SSR] _renderPageModule failed:', e && e.message);
-      return false;
-    }
-    return true;
-  }
+  // _renderPageModule() removed - handled by view engine (register via master.useView())
 
-  // Delegate to standard Enhance-based SSR only
-  returnWebComponent(data) {
-    this.returnView(data);
-  }
+  // returnWebComponent() removed - handled by view engine (register via master.useView())
 
   // ==================== Security Methods ====================
 

package/MasterControl.js

@@ -10,6 +10,7 @@ var fs = require('fs');
 var url = require('url');
 var path = require('path');
 var globSearch = require("glob");
+var crypto = require('crypto'); // CRITICAL FIX: For ETag generation
 
 // Enhanced error handling - setup global handlers
 const { setupGlobalErrorHandlers } = require('./error/MasterErrorMiddleware');
@@ -67,6 +68,7 @@ class MasterControl {
     _hstsMaxAge = 31536000 // 1 year default
     _hstsIncludeSubDomains = true
     _hstsPreload = false
+    _viewEngine = null // Pluggable view engine (MasterView, EJS, Pug, etc.)
 
     #loadTransientListClasses(name, params){
         Object.defineProperty(this.requestList, name, {
@@ -124,35 +126,127 @@ class MasterControl {
         }
     }
 
+    /**
+     * Initialize prototype pollution protection
+     * SECURITY: Prevents malicious modification of Object/Array prototypes
+     */
+    _initPrototypePollutionProtection() {
+        // Only freeze in production to allow for easier debugging in development
+        const isProduction = process.env.NODE_ENV === 'production';
+
+        if (isProduction) {
+            // Freeze prototypes to prevent prototype pollution attacks
+            try {
+                Object.freeze(Object.prototype);
+                Object.freeze(Array.prototype);
+                Object.freeze(Function.prototype);
+
+                logger.info({
+                    code: 'MC_SECURITY_PROTOTYPE_FROZEN',
+                    message: 'Prototypes frozen in production mode for security'
+                });
+            } catch (err) {
+                logger.warn({
+                    code: 'MC_SECURITY_FREEZE_FAILED',
+                    message: 'Failed to freeze prototypes',
+                    error: err.message
+                });
+            }
+        }
+
+        // Add prototype pollution detection utility
+        this._detectPrototypePollution = (obj) => {
+            if (!obj || typeof obj !== 'object') {
+                return false;
+            }
+
+            const dangerousKeys = ['__proto__', 'constructor', 'prototype'];
+
+            for (const key of dangerousKeys) {
+                if (key in obj) {
+                    logger.error({
+                        code: 'MC_SECURITY_PROTOTYPE_POLLUTION',
+                        message: `Prototype pollution detected: ${key} in object`,
+                        severity: 'CRITICAL'
+                    });
+                    return true;
+                }
+            }
+
+            return false;
+        };
+
+        console.log('[MasterControl] Prototype pollution protection initialized');
+    }
+
     // extends class methods to be used inside of the view class using the THIS keyword
     extendView( name, element){
         element = new element();
-        var $that = this;
-        var propertyNames = Object.getOwnPropertyNames( element.__proto__);
+        const propertyNames = Object.getOwnPropertyNames(element.__proto__);
         this.viewList[name] = {};
-        for(var i in propertyNames){
-            if(propertyNames[i] !== "constructor"){
-                if (propertyNames.hasOwnProperty(i)) {
-                    $that.viewList[name][propertyNames[i]] = element[propertyNames[i]];
-                }
+
+        // Fixed: Use for...of instead of for...in for array iteration
+        // Filter out 'constructor' and iterate efficiently
+        for (const propName of propertyNames) {
+            if (propName !== "constructor") {
+                this.viewList[name][propName] = element[propName];
             }
-        };
+        }
     }
 
     // extends class methods to be used inside of the controller class using the THIS keyword
     extendController(element){
         element = new element();
-        var $that = this;
-        var propertyNames = Object.getOwnPropertyNames( element.__proto__);
-        for(var i in propertyNames){
-            if(propertyNames[i] !== "constructor"){
-                if (propertyNames.hasOwnProperty(i)) {
-                    $that.controllerList[propertyNames[i]] = element[propertyNames[i]];
-                }
+        const propertyNames = Object.getOwnPropertyNames(element.__proto__);
+
+        // Fixed: Use for...of instead of for...in for array iteration
+        // Filter out 'constructor' and iterate efficiently
+        for (const propName of propertyNames) {
+            if (propName !== "constructor") {
+                this.controllerList[propName] = element[propName];
             }
-        };
+        }
     }
-    
+
+    /**
+     * Register a view engine (MasterView, React, EJS, Pug, etc.)
+     * This allows for pluggable view rendering
+     *
+     * @param {Object|Function} ViewEngine - View engine class or instance
+     * @param {Object} options - Configuration options for the view engine
+     * @returns {MasterControl} - Returns this for chaining
+     *
+     * @example
+     * // Use MasterView (official view engine)
+     * const MasterView = require('masterview');
+     * master.useView(MasterView, { ssr: true });
+     *
+     * @example
+     * // Use EJS adapter
+     * const EJSAdapter = require('./adapters/ejs');
+     * master.useView(EJSAdapter);
+     */
+    useView(ViewEngine, options = {}) {
+        if (typeof ViewEngine === 'function') {
+            this._viewEngine = new ViewEngine(options);
+        } else {
+            this._viewEngine = ViewEngine;
+        }
+
+        // Let the view engine register itself
+        if (this._viewEngine && this._viewEngine.register) {
+            this._viewEngine.register(this);
+        }
+
+        logger.info({
+            code: 'MC_INFO_VIEW_ENGINE_REGISTERED',
+            message: 'View engine registered',
+            engine: ViewEngine.name || 'Custom'
+        });
+
+        return this;
+    }
+
     /*
     Services are created each time they are requested. 
     It gets a new instance of the injected object, on each request of this object. 
@@ -299,6 +393,9 @@ class MasterControl {
         try {
             var $that = this;
 
+            // SECURITY: Initialize prototype pollution protection
+            this._initPrototypePollutionProtection();
+
             // AUTO-LOAD internal framework modules
             // These are required for the framework to function and are loaded transparently
             const internalModules = {
@@ -313,10 +410,11 @@ class MasterControl {
                 'MasterCors': './MasterCors',
                 'SessionSecurity': './security/SessionSecurity',
                 'MasterSocket': './MasterSocket',
-                'MasterHtml': './MasterHtml',
-                'MasterTemplate': './MasterTemplate',
-                'MasterTools': './MasterTools',
-                'TemplateOverwrite': './TemplateOverwrite'
+                'MasterTools': './MasterTools'
+                // View modules removed - use master.useView(MasterView) instead
+                // 'MasterHtml': './MasterHtml',
+                // 'MasterTemplate': './MasterTemplate',
+                // 'TemplateOverwrite': './TemplateOverwrite'
             };
 
             // Explicit module registration (prevents circular dependency issues)
@@ -331,8 +429,8 @@ class MasterControl {
                 'cors': { path: './MasterCors', exportName: 'MasterCors' },
                 'socket': { path: './MasterSocket', exportName: 'MasterSocket' },
                 'tempdata': { path: './MasterTemp', exportName: 'MasterTemp' },
-                'overwrite': { path: './TemplateOverwrite', exportName: 'TemplateOverwrite' },
                 'session': { path: './security/SessionSecurity', exportName: 'MasterSessionSecurity' }
+                // 'overwrite' removed - will be provided by view engine (master.useView())
             };
 
             for (const [name, config] of Object.entries(moduleRegistry)) {
@@ -354,13 +452,12 @@ class MasterControl {
             // Legacy code uses master.sessions (plural), new API uses master.session (singular)
             $that.sessions = $that.session;
 
-            // Load view and controller extensions (these extend prototypes, not master instance)
+            // Load controller extensions (these extend prototypes, not master instance)
             try {
                 require('./MasterAction');
                 require('./MasterActionFilters');
-                require('./MasterHtml');
-                require('./MasterTemplate');
                 require('./MasterTools');
+                // View extensions (MasterHtml, MasterTemplate) removed - use master.useView() instead
             } catch (e) {
                 console.error('[MasterControl] Failed to load extensions:', e.message);
             }
@@ -683,26 +780,107 @@ class MasterControl {
                         }
                     }
 
-                    // Read and serve the file
-                    fs.readFile(finalPath, function(err, data) {
-                        if (err) {
+                    // CRITICAL FIX: Stream large files instead of reading into memory
+                    // Files >1MB are streamed to prevent memory exhaustion and improve performance
+                    const STREAM_THRESHOLD = 1 * 1024 * 1024; // 1MB
+                    const fileSize = stats.isDirectory() ? fs.statSync(finalPath).size : stats.size;
+                    const ext = path.extname(finalPath);
+                    const mimeType = $that.router.findMimeType(ext);
+
+                    // CRITICAL FIX: Generate ETag for caching (based on file stats)
+                    // ETag format: "size-mtime" (weak ETag for better performance)
+                    const fileStats = stats.isDirectory() ? fs.statSync(finalPath) : stats;
+                    const etag = `W/"${fileStats.size}-${fileStats.mtime.getTime()}"`;
+
+                    // CRITICAL FIX: Check If-None-Match header for 304 Not Modified
+                    const clientETag = ctx.request.headers['if-none-match'];
+                    if (clientETag === etag) {
+                        // File hasn't changed, return 304 Not Modified
+                        logger.debug({
+                            code: 'MC_STATIC_304',
+                            message: 'Returning 304 Not Modified',
+                            path: finalPath,
+                            etag: etag
+                        });
+                        ctx.response.statusCode = 304;
+                        ctx.response.setHeader('ETag', etag);
+                        ctx.response.end();
+                        return;
+                    }
+
+                    // Set common headers for both streaming and buffered responses
+                    ctx.response.setHeader('Content-Type', mimeType || 'application/octet-stream');
+                    ctx.response.setHeader('X-Content-Type-Options', 'nosniff');
+                    ctx.response.setHeader('Content-Length', fileSize);
+
+                    // CRITICAL FIX: Add caching headers
+                    ctx.response.setHeader('ETag', etag);
+                    ctx.response.setHeader('Last-Modified', fileStats.mtime.toUTCString());
+
+                    // Cache-Control based on file type
+                    const cacheableExtensions = ['.js', '.css', '.jpg', '.jpeg', '.png', '.gif', '.svg', '.woff', '.woff2', '.ttf', '.eot', '.ico'];
+                    const isCacheable = cacheableExtensions.includes(ext.toLowerCase());
+
+                    if (isCacheable) {
+                        // PERFORMANCE: Cache static assets for 1 year (immutable pattern)
+                        // Use versioned URLs (e.g., app.v123.js) for cache-busting
+                        ctx.response.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+                    } else {
+                        // SECURITY: Dynamic content should revalidate
+                        ctx.response.setHeader('Cache-Control', 'public, max-age=0, must-revalidate');
+                    }
+
+                    if (fileSize > STREAM_THRESHOLD) {
+                        // PERFORMANCE: Stream large files (>1MB) to avoid memory issues
+                        logger.debug({
+                            code: 'MC_STATIC_STREAMING',
+                            message: 'Streaming large static file',
+                            path: finalPath,
+                            size: fileSize
+                        });
+
+                        const readStream = fs.createReadStream(finalPath);
+
+                        readStream.on('error', (err) => {
                             logger.error({
-                                code: 'MC_ERR_FILE_READ',
-                                message: 'Error reading static file',
+                                code: 'MC_ERR_STREAM_READ',
+                                message: 'Error streaming static file',
                                 path: finalPath,
                                 error: err.message
                             });
-                            ctx.response.statusCode = 500;
-                            ctx.response.setHeader('Content-Type', 'text/plain');
-                            ctx.response.end('Internal Server Error');
-                        } else {
-                            const ext = path.extname(finalPath);
-                            const mimeType = $that.router.findMimeType(ext);
-                            ctx.response.setHeader('Content-Type', mimeType || 'application/octet-stream');
-                            ctx.response.setHeader('X-Content-Type-Options', 'nosniff');
-                            ctx.response.end(data);
-                        }
-                    });
+
+                            // Only send error if headers not sent
+                            if (!ctx.response.headersSent) {
+                                ctx.response.statusCode = 500;
+                                ctx.response.setHeader('Content-Type', 'text/plain');
+                                ctx.response.end('Internal Server Error');
+                            } else {
+                                // Connection already started, just close it
+                                ctx.response.end();
+                            }
+                        });
+
+                        // Pipe the file stream to the response
+                        readStream.pipe(ctx.response);
+
+                    } else {
+                        // PERFORMANCE: Small files (<1MB) can be buffered for better caching
+                        fs.readFile(finalPath, function(err, data) {
+                            if (err) {
+                                logger.error({
+                                    code: 'MC_ERR_FILE_READ',
+                                    message: 'Error reading static file',
+                                    path: finalPath,
+                                    error: err.message
+                                });
+                                ctx.response.statusCode = 500;
+                                ctx.response.setHeader('Content-Type', 'text/plain');
+                                ctx.response.end('Internal Server Error');
+                            } else {
+                                ctx.response.end(data);
+                            }
+                        });
+                    }
                 });
 
                 return; // Terminal - don't call next()
@@ -734,9 +912,14 @@ class MasterControl {
         });
 
         // 4. Load Scoped Services (per request - always needed)
+        // Cache keys for performance (computed once, not on every request)
+        const scopedKeys = Object.keys($that._scopedList);
+
         $that.pipeline.use(async (ctx, next) => {
-            for (var key in $that._scopedList) {
-                var className = $that._scopedList[key];
+            // Fixed: Use cached keys with direct array iteration (faster & safer)
+            for (let i = 0; i < scopedKeys.length; i++) {
+                const key = scopedKeys[i];
+                const className = $that._scopedList[key];
                 $that.requestList[key] = new className();
             }
             await next();