odac 1.1.0 → 1.2.0

package/src/Storage.js

@@ -22,6 +22,10 @@ class OdacStorage {
       this.db = open({
         path: dbPath,
         compression: true
+        // CLUSTER SAFETY NOTE:
+        // LMDB uses memory-mapped files with OS-level locking logic.
+        // Multiple workers can safely read/write to this DB simultaneously.
+        // Data committed by Worker A is immediately visible to Worker B.
       })
       this.ready = true
     } catch (error) {

package/src/Token.js

@@ -1,6 +1,9 @@
 const nodeCrypto = require('crypto')
 
 class Token {
+  // CLUSTER SAFETY NOTE:
+  // This is a request-scoped local cache (debounce) for performance.
+  // Valid tokens represent state persisted in Session (LMDB), shared across all workers.
   confirmed = []
 
   constructor(Request) {
@@ -22,10 +25,9 @@ class Token {
 
   // - GENERATE TOKEN
   generate() {
-    let token = nodeCrypto
-      .createHash('md5')
-      .update(this.Request.id + Date.now().toString() + Math.random().toString())
-      .digest('hex')
+    // Enterprise Standard: Use CSPRNG (Cryptographically Secure Pseudo-Random Number Generator)
+    // Replaced weak MD5(Math.random) with randomBytes(32)
+    let token = nodeCrypto.randomBytes(32).toString('hex')
     let tokens = this.Request.session('_token') || []
     tokens.push(token)
     if (tokens.length > 50) tokens = tokens.slice(-50)

package/src/Validator.js

@@ -278,7 +278,7 @@ class Validator {
                       error = true
                     } else {
                       const userData = Odac.Auth.user(vars[1])
-                      if (Odac.Var(userData).is('bcrypt')) {
+                      if (Odac.Var(userData).is('hash')) {
                         error = !Odac.Var(userData).hashCheck(value)
                       } else {
                         error = value !== userData

package/src/Var.js

@@ -1,6 +1,5 @@
 const fs = require('fs')
 const nodeCrypto = require('crypto')
-const bcrypt = require('bcrypt')
 
 class Var {
   #value = null
@@ -79,17 +78,34 @@ class Var {
     return encrypted.toString('base64')
   }
 
-  hash(salt = 10) {
-    return bcrypt.hashSync(this.#value, bcrypt.genSaltSync(salt))
+  hash() {
+    const salt = nodeCrypto.randomBytes(16).toString('hex')
+    const derivedKey = nodeCrypto.scryptSync(this.#value, salt, 64)
+    return `$scrypt$${salt}$${derivedKey.toString('hex')}`
   }
 
   hashCheck(check) {
-    return bcrypt.compareSync(check, this.#value)
+    if (!this.#value.startsWith('$scrypt$')) return false
+    const parts = this.#value.split('$')
+    if (parts.length < 4) return false
+
+    const salt = parts[2]
+    const originalHash = Buffer.from(parts[3], 'hex')
+
+    const derivedKey = nodeCrypto.scryptSync(check, salt, 64)
+    return nodeCrypto.timingSafeEqual(originalHash, derivedKey)
   }
 
   html() {
     if (this.#value === null || this.#value === undefined) return ''
-    return String(this.#value).replace(/</g, '&lt;').replace(/>/g, '&gt;')
+    const map = {
+      '&': '&amp;',
+      '<': '&lt;',
+      '>': '&gt;',
+      '"': '&quot;',
+      "'": '&#39;'
+    }
+    return String(this.#value).replace(/[&<>"']/g, m => map[m])
   }
 
   is(...args) {
@@ -102,7 +118,7 @@ class Var {
     if (args.includes('alphaspace')) result = (result || any) && ((any && result) || /^[A-Za-z\s]+$/.test(this.#value))
     if (args.includes('alphanumeric')) result = (result || any) && ((any && result) || /^[A-Za-z0-9]+$/.test(this.#value))
     if (args.includes('alphanumericspace')) result = (result || any) && ((any && result) || /^[A-Za-z0-9\s]+$/.test(this.#value))
-    if (args.includes('bcrypt')) result = (result || any) && ((any && result) || /^\$2[ayb]\$.{56}$/.test(this.#value))
+    if (args.includes('hash')) result = (result || any) && ((any && result) || /^\$scrypt\$[a-f0-9]+\$[a-f0-9]+$/.test(this.#value))
     if (args.includes('date')) result = (result || any) && ((any && result) || !isNaN(Date.parse(this.#value)))
     if (args.includes('domain')) result = (result || any) && ((any && result) || /^([a-z0-9-]+\.){1,2}[a-z]{2,6}$/i.test(this.#value))
     if (args.includes('email'))

package/src/View/EarlyHints.js

@@ -1,4 +1,4 @@
-const fs = require('fs')
+const fs = require('fs').promises
 const path = require('path')
 
 class EarlyHints {
@@ -15,61 +15,71 @@ class EarlyHints {
     }
   }
 
-  init() {
+  async init() {
     if (this.#initialized) return
     this.#initialized = true
 
     if (!this.#config.enabled) return
 
-    this.#buildManifest()
+    await this.#buildManifest()
   }
 
-  #buildManifest() {
+  async #buildManifest() {
     const viewDir = path.join(process.cwd(), 'view')
     const skeletonDir = path.join(process.cwd(), 'skeleton')
 
     try {
-      if (fs.existsSync(viewDir)) {
-        const files = this.#getAllViewFiles(viewDir)
-        for (const file of files) {
-          const html = fs.readFileSync(file, 'utf8')
-          const resources = this.#extractResources(html)
-
-          const relativePath = path.relative(viewDir, file)
-          const viewName = 'view/' + relativePath.replace(/\.html$/, '').replace(/\\/g, '/')
-
-          if (resources.length > 0) {
-            this.#manifest[viewName] = resources
-          }
-        }
+      try {
+        await fs.access(viewDir)
+        const files = await this.#getAllViewFiles(viewDir)
+        await Promise.all(
+          files.map(async file => {
+            const html = await fs.readFile(file, 'utf8')
+            const resources = this.#extractResources(html)
+
+            const relativePath = path.relative(viewDir, file)
+            const viewName = 'view/' + relativePath.replace(/\.html$/, '').replace(/\\/g, '/')
+
+            if (resources.length > 0) {
+              this.#manifest[viewName] = resources
+            }
+          })
+        )
+      } catch {
+        // viewDir might not exist
       }
 
-      if (fs.existsSync(skeletonDir)) {
-        const files = this.#getAllViewFiles(skeletonDir)
-        for (const file of files) {
-          const html = fs.readFileSync(file, 'utf8')
-          const resources = this.#extractResources(html)
-
-          const relativePath = path.relative(skeletonDir, file)
-          const viewName = 'skeleton/' + relativePath.replace(/\.html$/, '').replace(/\\/g, '/')
-
-          if (resources.length > 0) {
-            this.#manifest[viewName] = resources
-          }
-        }
+      try {
+        await fs.access(skeletonDir)
+        const files = await this.#getAllViewFiles(skeletonDir)
+        await Promise.all(
+          files.map(async file => {
+            const html = await fs.readFile(file, 'utf8')
+            const resources = this.#extractResources(html)
+
+            const relativePath = path.relative(skeletonDir, file)
+            const viewName = 'skeleton/' + relativePath.replace(/\.html$/, '').replace(/\\/g, '/')
+
+            if (resources.length > 0) {
+              this.#manifest[viewName] = resources
+            }
+          })
+        )
+      } catch {
+        // skeletonDir might not exist
       }
     } catch {
       // Silently fail, manifest building is optional
     }
   }
 
-  #getAllViewFiles(dir, files = []) {
-    const entries = fs.readdirSync(dir, {withFileTypes: true})
+  async #getAllViewFiles(dir, files = []) {
+    const entries = await fs.readdir(dir, {withFileTypes: true})
 
     for (const entry of entries) {
       const fullPath = path.join(dir, entry.name)
       if (entry.isDirectory()) {
-        this.#getAllViewFiles(fullPath, files)
+        await this.#getAllViewFiles(fullPath, files)
       } else if (entry.isFile() && entry.name.endsWith('.html')) {
         files.push(fullPath)
       }

package/src/View/Form.js

@@ -12,20 +12,26 @@ class Form {
 
   static parseFormType(content, Odac, type) {
     const regex = new RegExp(`<odac:${type}[\\s\\S]*?<\\/odac:${type}>`, 'g')
-    const matches = content.match(regex)
-    if (!matches) return content
+    return content.replace(regex, match => {
+      const formConfig = this.extractConfig(match, null, type)
+      const configStr = JSON.stringify(formConfig)
+      const matchStr = JSON.stringify(match)
+      return `<script:odac>html += await Odac.View.Form.runtime(Odac, '${type}', ${configStr}, ${matchStr});</script:odac>`
+    })
+  }
 
-    for (const match of matches) {
-      const formToken = nodeCrypto.randomBytes(32).toString('hex')
-      const formConfig = this.extractConfig(match, formToken, type)
+  /**
+   * Generates the form at runtime to ensure a fresh token is created and stored
+   * in the current session for every request. This prevents "session expired"
+   * errors caused by caching the form token in the compiled view.
+   */
+  static async runtime(Odac, type, config, originalHtml) {
+    const token = nodeCrypto.randomBytes(32).toString('hex')
+    config.token = token
 
-      this.storeConfig(formToken, formConfig, Odac, type)
+    this.storeConfig(token, config, Odac, type)
 
-      const generatedForm = this.generateForm(match, formConfig, formToken, type)
-      content = content.replace(match, generatedForm)
-    }
-
-    return content
+    return this.generateForm(originalHtml, config, token, type)
   }
 
   static extractConfig(html, formToken, type) {

package/src/View.js

@@ -1,5 +1,6 @@
 const nodeCrypto = require('crypto')
 const fs = require('fs')
+const fsPromises = fs.promises
 const Form = require('./View/Form')
 const EarlyHints = require('./View/EarlyHints')
 
@@ -8,7 +9,6 @@ const TITLE_REGEX = /<title[^>]*>([^<]*)<\/title>/i
 const CACHE_DIR = './storage/.cache'
 
 class View {
-  #cache = {}
   #earlyHints = null
   #functions = {
     '{!!': {
@@ -116,6 +116,8 @@ class View {
     } else {
       this.#earlyHints = global.Odac.View.EarlyHints
     }
+    global.Odac.View.Form = Form
+    this.Form = Form
   }
 
   all(name) {
@@ -205,8 +207,8 @@ class View {
 
     // Normal page rendering
     let result = ''
-    if (this.#part.skeleton && fs.existsSync(`./skeleton/${this.#part.skeleton}.html`)) {
-      result = fs.readFileSync(`./skeleton/${this.#part.skeleton}.html`, 'utf8')
+    if (this.#part.skeleton && (await this.#exists(`./skeleton/${this.#part.skeleton}.html`))) {
+      result = await this.#readSkeleton(`./skeleton/${this.#part.skeleton}.html`)
 
       // Add data-odac-navigate to content wrapper for auto-navigation
       result = this.#addNavigateAttribute(result)
@@ -363,10 +365,42 @@ class View {
   }
 
   async #render(file) {
-    let mtime = fs.statSync(file).mtimeMs
-    let content = fs.readFileSync(file, 'utf8')
+    if (!global.Odac.View) global.Odac.View = {}
+    if (!global.Odac.View.cache) global.Odac.View.cache = {}
+
+    // Performance: In Production, skip stat check if cached
+    if (!this.#odac.Config?.debug && global.Odac.View.cache[file]) {
+      try {
+        return await require(`${__dir}/${CACHE_DIR}/${global.Odac.View.cache[file].cache}`)(
+          this.#odac,
+          key => this.#odac.Request.get(key),
+          (...args) => this.#odac.Lang.get(...args)
+        )
+      } catch {
+        // Fallback if cache file missing
+      }
+    }
+
+    let mtime = 0
+    let content = null
+
+    try {
+      const handle = await fsPromises.open(file, 'r')
+      try {
+        const stats = await handle.stat()
+        mtime = stats.mtimeMs
+
+        if (global.Odac.View.cache[file]?.mtime !== mtime) {
+          content = await handle.readFile('utf8')
+        }
+      } finally {
+        await handle.close()
+      }
+    } catch {
+      return ''
+    }
 
-    if (this.#cache[file]?.mtime !== mtime) {
+    if (content !== null) {
       content = Form.parse(content, this.#odac)
 
       const jsBlocks = []
@@ -550,6 +584,28 @@ class View {
       this.#odac.Request.setEarlyHints(hints)
     }
   }
+
+  async #exists(path) {
+    try {
+      await fsPromises.access(path)
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  async #readSkeleton(path) {
+    if (!global.Odac.View.skeletons) global.Odac.View.skeletons = {}
+
+    // In production (debug=false), cache logic
+    if (!this.#odac.Config?.debug && global.Odac.View.skeletons[path]) {
+      return global.Odac.View.skeletons[path]
+    }
+
+    const content = await fsPromises.readFile(path, 'utf8')
+    global.Odac.View.skeletons[path] = content
+    return content
+  }
 }
 
 module.exports = View

package/template/package.json

@@ -3,7 +3,9 @@
   "version": "1.0.0",
   "description": "Website for {{domain_original}}",
   "scripts": {
-    "dev": "odac dev"
+    "dev": "odac dev",
+    "build": "odac build",
+    "start": "odac start"
   },
   "dependencies": {
     "odac": "*"

package/template/view/content/home.html

@@ -60,9 +60,9 @@
 
       <div class="structure-item">
         <div class="structure-icon">⚙️</div>
-        <h3 class="structure-title">config.json</h3>
+        <h3 class="structure-title">odac.json</h3>
         <p class="structure-description">Configuration file for database, routes, and other settings.</p>
-        <code class="structure-path">config.json</code>
+        <code class="structure-path">odac.json</code>
       </div>
     </div>
   </div>
@@ -156,7 +156,7 @@
         <div class="feature-icon">🗄️</div>
         <div class="feature-content">
           <h3>Database Ready</h3>
-          <p>MySQL and SQLite support built-in. Configure in <code>config.json</code></p>
+          <p>MySQL and SQLite support built-in. Configure in <code>odac.json</code></p>
         </div>
       </div>
 

package/template/view/head/main.html

@@ -1,5 +1,5 @@
 <meta charset="UTF-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-<title>Odac</title>
+<title>ODAC</title>
 <meta name="description" content="A next-generation server and framework toolkit for modern web development" />
-<link rel="stylesheet" href="/assets/css/style.css" />
+<link rel="stylesheet" href="/assets/css/app.css" />

package/test/Client.test.js

@@ -0,0 +1,168 @@
+describe('Client (odac.js)', () => {
+  let mockXhr
+
+  beforeEach(() => {
+    jest.resetModules()
+
+    mockXhr = {
+      open: jest.fn(),
+      setRequestHeader: jest.fn(),
+      send: jest.fn(),
+      getResponseHeader: jest.fn(),
+      status: 200,
+      responseText: '{}',
+      response: '{}',
+      onload: null,
+      onerror: null
+    }
+
+    const mockDocument = {
+      getElementById: jest.fn(),
+      querySelectorAll: jest.fn(() => []),
+      querySelector: jest.fn(),
+      addEventListener: jest.fn(),
+      removeEventListener: jest.fn(),
+      dispatchEvent: jest.fn(),
+      documentElement: {dataset: {}},
+      cookie: '',
+      readyState: 'complete',
+      createElement: jest.fn(() => ({
+        setAttribute: jest.fn(),
+        style: {},
+        appendChild: jest.fn(),
+        parentNode: {insertBefore: jest.fn()}
+      }))
+    }
+
+    const mockWindow = {
+      location: {
+        protocol: 'http:',
+        host: 'localhost',
+        href: 'http://localhost/'
+      },
+      history: {
+        pushState: jest.fn()
+      },
+      scrollTo: jest.fn(),
+      addEventListener: jest.fn(),
+      XMLHttpRequest: jest.fn(() => mockXhr),
+      localStorage: {
+        getItem: jest.fn(),
+        setItem: jest.fn(),
+        removeItem: jest.fn()
+      },
+      CustomEvent: jest.fn((name, detail) => ({name, detail})),
+      setTimeout: jest.fn(),
+      clearTimeout: jest.fn(),
+      requestAnimationFrame: jest.fn(cb => cb(Date.now())),
+      WebSocket: jest.fn(() => ({
+        send: jest.fn(),
+        close: jest.fn(),
+        readyState: 1 // OPEN
+      })),
+      FormData: jest.fn()
+    }
+
+    mockWindow.window = mockWindow
+    mockWindow.document = mockDocument
+    mockWindow.WebSocket.OPEN = 1
+    mockWindow.WebSocket.CLOSED = 3
+
+    global.window = mockWindow
+    global.document = mockDocument
+    global.location = mockWindow.location
+    global.XMLHttpRequest = mockWindow.XMLHttpRequest
+    global.localStorage = mockWindow.localStorage
+    global.CustomEvent = mockWindow.CustomEvent
+    global.WebSocket = mockWindow.WebSocket
+    global.setTimeout = mockWindow.setTimeout
+    global.clearTimeout = mockWindow.clearTimeout
+    global.requestAnimationFrame = mockWindow.requestAnimationFrame
+    global.FormData = mockWindow.FormData
+
+    delete require.cache[require.resolve('../client/odac.js')]
+    require('../client/odac.js')
+  })
+
+  afterEach(() => {
+    delete global.window
+    delete global.document
+    delete global.location
+    delete global.XMLHttpRequest
+    delete global.localStorage
+    delete global.CustomEvent
+    delete global.WebSocket
+    delete global.setTimeout
+    delete global.clearTimeout
+    delete global.requestAnimationFrame
+    delete global.FormData
+    delete global.Odac
+  })
+
+  test('Odac should be initialized on window', () => {
+    expect(window.Odac).toBeDefined()
+  })
+
+  describe('data()', () => {
+    test('should retrieve data from odac-data script tag', () => {
+      const mockData = {user: 'emre'}
+      document.getElementById.mockReturnValue({
+        textContent: JSON.stringify(mockData)
+      })
+
+      const result = window.Odac.data()
+      expect(result).toEqual(mockData)
+      expect(document.getElementById).toHaveBeenCalledWith('odac-data')
+    })
+
+    test('should return specific key from data', () => {
+      const mockData = {user: 'emre', role: 'admin'}
+      document.getElementById.mockReturnValue({
+        textContent: JSON.stringify(mockData)
+      })
+
+      expect(window.Odac.data('user')).toBe('emre')
+      expect(window.Odac.data('role')).toBe('admin')
+    })
+  })
+
+  describe('storage()', () => {
+    test('should get item from localStorage', () => {
+      localStorage.getItem.mockReturnValue('val')
+      expect(window.Odac.storage('key')).toBe('val')
+      expect(localStorage.getItem).toHaveBeenCalledWith('key')
+    })
+
+    test('should set item in localStorage', () => {
+      window.Odac.storage('key', 'val')
+      expect(localStorage.setItem).toHaveBeenCalledWith('key', 'val')
+    })
+  })
+
+  describe('token()', () => {
+    test('should fetch token via sync XHR if hash is empty', () => {
+      mockXhr.response = JSON.stringify({token: 'new-token'})
+      document.cookie = 'odac_client=abc'
+
+      const token = window.Odac.token()
+
+      expect(window.XMLHttpRequest).toHaveBeenCalled()
+      expect(token).toBe('new-token')
+    })
+  })
+
+  describe('OdacWebSocket', () => {
+    test('should connect to WebSocket and handle events', () => {
+      const ws = window.Odac.ws('/test-ws', {token: false})
+      expect(window.WebSocket).toHaveBeenCalled()
+
+      const openHandler = jest.fn()
+      ws.on('open', openHandler)
+
+      const socketInstance = WebSocket.mock.results[0].value
+      socketInstance.onopen()
+
+      expect(openHandler).toHaveBeenCalled()
+    })
+  })
+})

package/test/Config.test.js

@@ -0,0 +1,112 @@
+const fs = require('fs')
+const os = require('os')
+
+const Config = require('../src/Config')
+
+jest.mock('fs')
+jest.mock('os')
+
+describe('Config', () => {
+  beforeEach(() => {
+    jest.clearAllMocks()
+    // Reset global.__dir which is used in Config.js
+    global.__dir = '/mock/project'
+
+    // Reset Config properties to defaults before each test
+    Config.system = undefined
+    Config.encrypt.key = 'odac'
+  })
+
+  describe('init', () => {
+    it('should load system config from home directory', () => {
+      os.homedir.mockReturnValue('/home/user')
+      fs.readFileSync.mockImplementation(path => {
+        if (path === '/home/user/.odac/config.json') {
+          return JSON.stringify({deviceId: '123'})
+        }
+        return '{}'
+      })
+      fs.existsSync.mockReturnValue(false)
+
+      Config.init()
+
+      expect(Config.system).toEqual({deviceId: '123'})
+      expect(fs.readFileSync).toHaveBeenCalledWith('/home/user/.odac/config.json')
+    })
+
+    it('should load project config and merge it', () => {
+      os.homedir.mockReturnValue('/home/user')
+      fs.existsSync.mockImplementation(path => {
+        if (path === '/mock/project/odac.json') return true
+        return false
+      })
+      fs.readFileSync.mockImplementation(path => {
+        if (path === '/mock/project/odac.json') {
+          return JSON.stringify({encrypt: {key: 'secret'}})
+        }
+        return '{}'
+      })
+
+      Config.init()
+
+      // The key gets hashed in init(), so it won't be 'secret' anymore
+      expect(Config.encrypt.key).not.toBe('secret')
+      expect(Config.encrypt.key).toBeInstanceOf(Buffer)
+    })
+
+    it('should interpolate variables in config', () => {
+      process.env.TEST_VAR = 'env_value'
+      os.homedir.mockReturnValue('/home/user')
+      fs.existsSync.mockReturnValue(true)
+      fs.readFileSync.mockReturnValue(
+        JSON.stringify({
+          custom: 'value-${TEST_VAR}'
+        })
+      )
+
+      Config.init()
+
+      expect(Config.custom).toBe('value-env_value')
+    })
+  })
+
+  describe('_interpolate', () => {
+    it('should replace ${VAR} with environment variables', () => {
+      process.env.FOO = 'bar'
+      const result = Config._interpolate('hello-${FOO}')
+      expect(result).toBe('hello-bar')
+    })
+
+    it('should replace ${odac} with client path', () => {
+      // __dirname in Config.js is /.../src, so it replaces /src with /client
+      const result = Config._interpolate('path-${odac}')
+      expect(result).toMatch(/\/client$/)
+    })
+
+    it('should handle nested objects and arrays', () => {
+      process.env.VAR = 'x'
+      const obj = {
+        a: ['${VAR}'],
+        b: {c: '${VAR}'}
+      }
+      const result = Config._interpolate(obj)
+      expect(result).toEqual({
+        a: ['x'],
+        b: {c: 'x'}
+      })
+    })
+  })
+
+  describe('_deepMerge', () => {
+    it('should merge objects deeply', () => {
+      const target = {a: {b: 1}, c: 2}
+      const source = {a: {d: 3}, e: 4}
+      Config._deepMerge(target, source)
+      expect(target).toEqual({
+        a: {b: 1, d: 3},
+        c: 2,
+        e: 4
+      })
+    })
+  })
+})