odac 1.3.0 → 1.4.0

package/src/View/Form.js

@@ -3,6 +3,18 @@ const nodeCrypto = require('crypto')
 class Form {
   static FORM_TYPES = ['register', 'login', 'magic-login', 'form']
 
+  static escapeHtml(value) {
+    if (value === null || value === undefined) return ''
+    const map = {
+      '&': '&',
+      '<': '&lt;',
+      '>': '&gt;',
+      '"': '&quot;',
+      "'": '&#39;'
+    }
+    return String(value).replace(/[&<>"']/g, ch => map[ch])
+  }
+
   static parse(content, Odac) {
     for (const type of this.FORM_TYPES) {
       content = this.parseFormType(content, Odac, type)
@@ -14,8 +26,14 @@ class Form {
     const regex = new RegExp(`<odac:${type}[\\s\\S]*?<\\/odac:${type}>`, 'g')
     return content.replace(regex, match => {
       const formConfig = this.extractConfig(match, null, type)
-      const configStr = JSON.stringify(formConfig)
-      const matchStr = JSON.stringify(match)
+      let configStr = JSON.stringify(formConfig)
+      let matchStr = JSON.stringify(match)
+
+      // Unquote dynamic variables to make them live JS expressions in the compiled view
+      // We avoid {{ }} here because View engine would turn them into ${ } which is invalid in naked JS
+      configStr = configStr.replace(/"\{\{([\s\S]*?)\}\}"/g, '(await $1)')
+      matchStr = matchStr.replace(/\{\{([\s\S]*?)\}\}/g, '" + (await Odac.Var(await $1).html()) + "')
+
       return `<script:odac>html += await Odac.View.Form.runtime(Odac, '${type}', ${configStr}, ${matchStr});</script:odac>`
     })
   }
@@ -91,7 +109,7 @@ class Form {
     if (redirectMatch) config.redirect = redirectMatch[1]
     if (autologinMatch) config.autologin = autologinMatch[1] !== 'false'
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -145,22 +163,25 @@ class Form {
       id: null,
       unique: false,
       skip: false,
+      value: null,
       validations: []
     }
 
-    const typeMatch = fieldTag.match(/type=["']([^"']+)["']/)
-    const placeholderMatch = fieldTag.match(/placeholder=["']([^"']+)["']/)
-    const labelMatch = fieldTag.match(/label=["']([^"']+)["']/)
-    const classMatch = fieldTag.match(/class=["']([^"']+)["']/)
-    const idMatch = fieldTag.match(/id=["']([^"']+)["']/)
+    const typeMatch = fieldTag.match(/type=(["'])(.*?)\1/)
+    const placeholderMatch = fieldTag.match(/placeholder=(["'])(.*?)\1/)
+    const labelMatch = fieldTag.match(/label=(["'])(.*?)\1/)
+    const classMatch = fieldTag.match(/class=(["'])(.*?)\1/)
+    const idMatch = fieldTag.match(/id=(["'])(.*?)\1/)
+    const valueMatch = fieldTag.match(/value=(["'])(.*?)\1/)
     const uniqueMatch = fieldTag.match(/unique=["']([^"']+)["']/) || fieldTag.match(/\sunique[\s/>]/)
     const skipMatch = fieldTag.match(/skip=["']([^"']+)["']/) || fieldTag.match(/\sskip[\s/>]/)
 
-    if (typeMatch) field.type = typeMatch[1]
-    if (placeholderMatch) field.placeholder = placeholderMatch[1]
-    if (labelMatch) field.label = labelMatch[1]
-    if (classMatch) field.class = classMatch[1]
-    if (idMatch) field.id = idMatch[1]
+    if (typeMatch) field.type = typeMatch[2]
+    if (placeholderMatch) field.placeholder = placeholderMatch[2]
+    if (labelMatch) field.label = labelMatch[2]
+    if (classMatch) field.class = classMatch[2]
+    if (idMatch) field.id = idMatch[2]
+    if (valueMatch) field.value = valueMatch[2]
     if (uniqueMatch) field.unique = uniqueMatch[1] !== 'false'
     if (skipMatch) field.skip = skipMatch[1] !== 'false'
 
@@ -181,7 +202,7 @@ class Form {
 
     // Capture generic attributes
     const extraAttrs = {}
-    const knownAttrs = ['name', 'type', 'placeholder', 'label', 'class', 'id', 'unique', 'skip']
+    const knownAttrs = ['name', 'type', 'placeholder', 'label', 'class', 'id', 'unique', 'skip', 'value']
     const attrRegex = /(\w+)(?:=(["'])((?:(?!\2).)*)\2|=([^\s>]+))?/g
     let attrMatch
     // Clean tag to just attributes part for safer regex matching if needed,
@@ -203,11 +224,11 @@ class Form {
   }
 
   static parseSet(html) {
-    const nameMatch = html.match(/name=["']([^"']+)["']/)
+    const nameMatch = html.match(/name=(["'])(.*?)\1/)
     if (!nameMatch) return null
 
     const set = {
-      name: nameMatch[1],
+      name: nameMatch[2],
       value: null,
       compute: null,
       callback: null,
@@ -215,14 +236,14 @@ class Form {
     }
 
     const valueMatch = html.match(/value=(["'])(.*?)\1/)
-    const computeMatch = html.match(/compute=["']([^"']+)["']/)
-    const callbackMatch = html.match(/callback=["']([^"']+)["']/)
-    const ifEmptyMatch = html.match(/if-empty=["']([^"']+)["']/) || html.match(/\sif-empty[\s/>]/)
+    const computeMatch = html.match(/compute=(["'])(.*?)\1/)
+    const callbackMatch = html.match(/callback=(["'])(.*?)\1/)
+    const ifEmptyMatch = html.match(/if-empty=(["'])(.*?)\1/) || html.match(/\sif-empty[\s/>]/)
 
     if (valueMatch) set.value = valueMatch[2]
-    if (computeMatch) set.compute = computeMatch[1]
-    if (callbackMatch) set.callback = callbackMatch[1]
-    if (ifEmptyMatch) set.ifEmpty = ifEmptyMatch[1] !== 'false'
+    if (computeMatch) set.compute = computeMatch[2]
+    if (callbackMatch) set.callback = callbackMatch[2]
+    if (ifEmptyMatch) set.ifEmpty = ifEmptyMatch[2] !== 'false'
 
     return set
   }
@@ -253,6 +274,9 @@ class Form {
     innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
       const field = this.parseInput(fieldMatch)
       if (!field) return fieldMatch
+      // Sync with resolved config value if available
+      const configField = config.fields.find(f => f.name === field.name)
+      if (configField) field.value = configField.value
       return this.generateFieldHtml(field)
     })
 
@@ -279,31 +303,38 @@ class Form {
 
   static generateFieldHtml(field) {
     let html = ''
+    const escapedName = this.escapeHtml(field.name)
+    const escapedType = this.escapeHtml(field.type)
+    const escapedPlaceholder = this.escapeHtml(field.placeholder)
 
     if (field.label && field.type !== 'checkbox') {
-      const fieldId = field.id || `odac-${field.name}`
-      html += `<label for="${fieldId}">${field.label}</label>\n`
+      const fieldId = this.escapeHtml(field.id || `odac-${field.name}`)
+      html += `<label for="${fieldId}">${this.escapeHtml(field.label)}</label>\n`
     }
 
-    const classAttr = field.class ? ` class="${field.class}"` : ''
-    const idAttr = field.id ? ` id="${field.id}"` : ` id="odac-${field.name}"`
+    const classAttr = field.class ? ` class="${this.escapeHtml(field.class)}"` : ''
+    const idAttr = field.id ? ` id="${this.escapeHtml(field.id)}"` : ` id="${this.escapeHtml(`odac-${field.name}`)}"`
+    const valueAttr = field.value !== null ? ` value="${this.escapeHtml(field.value)}"` : ''
 
     if (field.type === 'checkbox') {
       const attrs = this.buildHtml5Attributes(field)
+      const checkedAttr = field.value === '1' || field.value === true || field.value === 'true' ? ' checked' : ''
       if (field.label) {
         html += `<label>\n`
-        html += `  <input type="checkbox"${idAttr} name="${field.name}" value="1"${classAttr}${attrs}>\n`
-        html += `  ${field.label}\n`
+        html += `  <input type="checkbox"${idAttr} name="${escapedName}" value="1"${classAttr}${checkedAttr}${attrs}>\n`
+        html += `  ${this.escapeHtml(field.label)}\n`
         html += `</label>\n`
       } else {
-        html += `<input type="checkbox"${idAttr} name="${field.name}" value="1"${classAttr}${attrs}>\n`
+        html += `<input type="checkbox"${idAttr} name="${escapedName}" value="1"${classAttr}${checkedAttr}${attrs}>\n`
       }
     } else if (field.type === 'textarea') {
       const attrs = this.buildHtml5Attributes(field)
-      html += `<textarea${idAttr} name="${field.name}" placeholder="${field.placeholder}"${classAttr}${attrs}></textarea>\n`
+      html += `<textarea${idAttr} name="${escapedName}" placeholder="${escapedPlaceholder}"${classAttr}${attrs}>${this.escapeHtml(
+        field.value || ''
+      )}</textarea>\n`
     } else {
       const attrs = this.buildHtml5Attributes(field)
-      html += `<input type="${field.type}"${idAttr} name="${field.name}" placeholder="${field.placeholder}"${classAttr}${attrs}>\n`
+      html += `<input type="${escapedType}"${idAttr} name="${escapedName}"${valueAttr} placeholder="${escapedPlaceholder}"${classAttr}${attrs}>\n`
     }
 
     return html
@@ -319,7 +350,7 @@ class Form {
         if (val === '') {
           attrs += ` ${key}`
         } else {
-          attrs += ` ${key}="${val.replace(/"/g, '&quot;')}"`
+          attrs += ` ${key}="${this.escapeHtml(val)}"`
         }
       }
     }
@@ -406,11 +437,11 @@ class Form {
     if (html5Rules.max) attrs += ` max="${html5Rules.max}"`
     if (html5Rules.pattern) attrs += ` pattern="${html5Rules.pattern}"`
 
-    if (errorMessages.required) attrs += ` data-error-required="${errorMessages.required.replace(/"/g, '&quot;')}"`
-    if (errorMessages.minlength) attrs += ` data-error-minlength="${errorMessages.minlength.replace(/"/g, '&quot;')}"`
-    if (errorMessages.maxlength) attrs += ` data-error-maxlength="${errorMessages.maxlength.replace(/"/g, '&quot;')}"`
-    if (errorMessages.pattern) attrs += ` data-error-pattern="${errorMessages.pattern.replace(/"/g, '&quot;')}"`
-    if (errorMessages.email) attrs += ` data-error-email="${errorMessages.email.replace(/"/g, '&quot;')}"`
+    if (errorMessages.required) attrs += ` data-error-required="${this.escapeHtml(errorMessages.required)}"`
+    if (errorMessages.minlength) attrs += ` data-error-minlength="${this.escapeHtml(errorMessages.minlength)}"`
+    if (errorMessages.maxlength) attrs += ` data-error-maxlength="${this.escapeHtml(errorMessages.maxlength)}"`
+    if (errorMessages.pattern) attrs += ` data-error-pattern="${this.escapeHtml(errorMessages.pattern)}"`
+    if (errorMessages.email) attrs += ` data-error-email="${this.escapeHtml(errorMessages.email)}"`
 
     attrs = this.appendExtraAttributes(attrs, field)
 
@@ -434,7 +465,7 @@ class Form {
 
     if (redirectMatch) config.redirect = redirectMatch[1]
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -489,6 +520,9 @@ class Form {
     innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
       const field = this.parseInput(fieldMatch)
       if (!field) return fieldMatch
+      // Sync with resolved config value if available
+      const configField = config.fields.find(f => f.name === field.name)
+      if (configField) field.value = configField.value
       return this.generateFieldHtml(field)
     })
 
@@ -551,8 +585,10 @@ class Form {
     if (tableMatch) config.table = tableMatch
     if (redirectMatch) config.redirect = redirectMatch
     if (successMatch) config.successMessage = successMatch
+    const clearMatch = extractAttr('clear')
+    if (clearMatch !== null) config.clear = clearMatch === 'true' || clearMatch === ''
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -618,29 +654,30 @@ class Form {
     innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
       const field = this.parseInput(fieldMatch)
       if (!field) return fieldMatch
+      // Sync with resolved config value if available
+      const configField = config.fields.find(f => f.name === field.name)
+      if (configField) field.value = configField.value
       return this.generateFieldHtml(field)
     })
 
-    const escapeHtml = str =>
-      String(str).replace(/[&<>"']/g, m => ({'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'})[m])
-
     const submitMatch = innerContent.match(/<odac:submit[\s\S]*?(?:<\/odac:submit>|\/?>)/)
     if (submitMatch) {
-      let submitAttrs = `type="submit" data-submit-text="${escapeHtml(submitText)}" data-loading-text="${escapeHtml(submitLoading)}"`
-      if (config.submitClass) submitAttrs += ` class="${escapeHtml(config.submitClass)}"`
-      if (config.submitStyle) submitAttrs += ` style="${escapeHtml(config.submitStyle)}"`
-      if (config.submitId) submitAttrs += ` id="${escapeHtml(config.submitId)}"`
-      const submitButton = `<button ${submitAttrs}>${escapeHtml(submitText)}</button>`
+      let submitAttrs = `type="submit" data-submit-text="${this.escapeHtml(submitText)}" data-loading-text="${this.escapeHtml(submitLoading)}"`
+      if (config.submitClass) submitAttrs += ` class="${this.escapeHtml(config.submitClass)}"`
+      if (config.submitStyle) submitAttrs += ` style="${this.escapeHtml(config.submitStyle)}"`
+      if (config.submitId) submitAttrs += ` id="${this.escapeHtml(config.submitId)}"`
+      const submitButton = `<button ${submitAttrs}>${this.escapeHtml(submitText)}</button>`
       innerContent = innerContent.replace(submitMatch[0], submitButton)
     }
 
     innerContent = innerContent.replace(/<odac:set[^>]*\/?>/g, '')
 
-    let formAttrs = `class="odac-custom-form${config.class ? ' ' + escapeHtml(config.class) : ''}" data-odac-form="${escapeHtml(formToken)}" method="${escapeHtml(method)}" action="${escapeHtml(formAction)}" novalidate`
-    if (config.id) formAttrs += ` id="${escapeHtml(config.id)}"`
+    let formAttrs = `class="odac-custom-form${config.class ? ' ' + this.escapeHtml(config.class) : ''}" data-odac-form="${this.escapeHtml(formToken)}" method="${this.escapeHtml(method)}" action="${this.escapeHtml(formAction)}" novalidate`
+    if (config.id) formAttrs += ` id="${this.escapeHtml(config.id)}"`
+    if (config.clear !== undefined) formAttrs += ` clear="${config.clear}"`
 
     let html = `<form ${formAttrs}>\n`
-    html += `  <input type="hidden" name="_odac_form_token" value="${escapeHtml(formToken)}">\n`
+    html += `  <input type="hidden" name="_odac_form_token" value="${this.escapeHtml(formToken)}">\n`
     html += innerContent
     html += `\n  <span class="odac-form-success" style="display:none;"></span>\n`
     html += `</form>`
@@ -693,7 +730,7 @@ class Form {
       })
     }
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -751,6 +788,9 @@ class Form {
       innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
         const field = this.parseInput(fieldMatch)
         if (!field) return fieldMatch
+        // Sync with resolved config value if available
+        const configField = config.fields.find(f => f.name === field.name)
+        if (configField) field.value = configField.value
         return this.generateFieldHtml(field)
       })
     }

package/src/View.js

@@ -58,6 +58,7 @@ class View {
       function: '{ let _arr = $constructor; for(let $key in _arr){ let $value = _arr[$key];',
       end: '}}',
       arguments: {
+        in: null,
         var: null,
         get: null,
         key: 'key',
@@ -83,6 +84,7 @@ class View {
     },
     list: {
       arguments: {
+        in: null,
         var: null,
         get: null,
         key: 'key',
@@ -453,12 +455,15 @@ class View {
           let fun = func.function
 
           if (key === 'for' || key === 'list') {
-            if (!vars.var && !vars.get) {
-              console.error(`"var" or "get" is required for "${match}"\n  in "${file}"`)
+            if (!vars.var && !vars.get && !vars.in) {
+              console.error(`"var", "get" or "in" is required for "${match}"\n  in "${file}"`)
               continue
             }
             let constructor
-            if (vars.var) {
+            if (vars.in) {
+              constructor = `await ${vars.in}`
+              delete vars.in
+            } else if (vars.var) {
               constructor = `await ${vars.var}`
               delete vars.var
             } else if (vars.get) {

package/test/Auth.test.js

@@ -0,0 +1,249 @@
+const Auth = require('../src/Auth.js')
+
+describe('Auth - Refresh Token Rotation', () => {
+  let reqMock
+  let authInstance
+
+  /**
+   * Why: Builds a chainable DB mock that resolves query results via .then() (thenable).
+   * This simulates Knex's chainable query builder pattern.
+   *
+   * @param {Array} rows - The rows the query should resolve to.
+   * @returns {object} Mock object with insert, update, delete, first, where tracking.
+   */
+  const createDbMock = rows => {
+    const tracker = {
+      deleteCalls: [],
+      firstCalls: 0,
+      insertCalls: [],
+      updateCalls: []
+    }
+
+    const chainable = () => ({
+      delete: jest.fn((...args) => {
+        tracker.deleteCalls.push(args)
+        return Promise.resolve(true)
+      }),
+      first: jest.fn(() => {
+        tracker.firstCalls++
+        return Promise.resolve(rows[0] ? {id: rows[0].user, name: 'TestUser'} : null)
+      }),
+      update: jest.fn(payload => {
+        tracker.updateCalls.push(payload)
+        return Promise.resolve(true)
+      }),
+      then: cb => cb(rows),
+      where: jest.fn(() => chainable())
+    })
+
+    return {
+      chainable,
+      insert: jest.fn(payload => {
+        tracker.insertCalls.push(payload)
+        return Promise.resolve(true)
+      }),
+      tracker,
+      where: jest.fn(() => chainable())
+    }
+  }
+
+  beforeEach(() => {
+    // Cookie storage to separate get/set behavior
+    const cookieStore = {
+      odac_x: 'old_x',
+      odac_y: 'old_y'
+    }
+
+    reqMock = {
+      cookie: jest.fn((name, value, options) => {
+        // Setter mode: 2+ arguments
+        if (value !== undefined) {
+          cookieStore[name] = value
+          return
+        }
+        // Getter mode: 1 argument
+        return cookieStore[name] || null
+      }),
+      header: jest.fn(() => 'TestBrowser'),
+      ip: '127.0.0.1'
+    }
+
+    authInstance = new Auth(reqMock)
+
+    global.Odac = {
+      Config: {
+        auth: {
+          key: 'id',
+          rotationAge: 15 * 60 * 1000,
+          table: 'users',
+          token: 'user_tokens'
+        }
+      },
+      DB: {
+        fn: {now: () => new Date()},
+        nanoid: () => 'nano_' + Date.now()
+      },
+      Var: jest.fn(() => ({
+        hash: jest.fn(() => 'hashed_value'),
+        hashCheck: jest.fn(() => true)
+      }))
+    }
+  })
+
+  afterEach(() => {
+    delete global.Odac
+  })
+
+  it('should rotate token when tokenAge exceeds rotationAge and set Epoch Date marker', async () => {
+    const createdAt = Date.now() - 20 * 60 * 1000 // 20 mins ago -> exceeds 15 min rotationAge
+
+    const mockRecord = {
+      active: new Date(),
+      browser: 'TestBrowser',
+      date: new Date(createdAt),
+      id: 'token_1',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+
+    // Verify new token was inserted
+    expect(dbMock.insert).toHaveBeenCalledTimes(1)
+    const inserted = dbMock.tracker.insertCalls[0]
+    expect(inserted.user).toBe('user_10')
+    expect(inserted.token_x).toBeDefined()
+    expect(inserted.token_y).toBe('hashed_value')
+
+    // Verify old token was marked with Epoch Date
+    expect(dbMock.tracker.updateCalls.length).toBe(1)
+    const updatePayload = dbMock.tracker.updateCalls[0]
+    expect(updatePayload.date.getTime()).toBe(0) // Epoch
+
+    // Verify new cookies were issued (setter calls)
+    const setCalls = reqMock.cookie.mock.calls.filter(c => c.length >= 2)
+    const xSet = setCalls.find(c => c[0] === 'odac_x' && c[2]?.httpOnly === true)
+    const ySet = setCalls.find(c => c[0] === 'odac_y' && c[2]?.httpOnly === true)
+    expect(xSet).toBeDefined()
+    expect(ySet).toBeDefined()
+    // New cookie values must differ from old ones
+    expect(xSet[1]).not.toBe('old_x')
+    expect(ySet[1]).not.toBe('old_y')
+  })
+
+  it('should NOT rotate a token already marked as rotated (Epoch Date marker)', async () => {
+    const mockRecord = {
+      active: new Date(), // Still within maxAge
+      browser: 'TestBrowser',
+      date: new Date(0), // Epoch marker = already rotated
+      id: 'token_2',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+    // No rotation should occur
+    expect(dbMock.insert).not.toHaveBeenCalled()
+    expect(dbMock.tracker.updateCalls.length).toBe(0)
+  })
+
+  it('should NOT rotate when tokenAge is within rotationAge threshold', async () => {
+    const recentDate = Date.now() - 5 * 60 * 1000 // 5 mins ago -> within 15 min rotationAge
+
+    const mockRecord = {
+      active: new Date(),
+      browser: 'TestBrowser',
+      date: new Date(recentDate),
+      id: 'token_3',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+    expect(dbMock.insert).not.toHaveBeenCalled()
+    expect(dbMock.tracker.updateCalls.length).toBe(0)
+  })
+
+  it('should delete token and return false when inactiveAge exceeds maxAge', async () => {
+    const staleActive = Date.now() - 31 * 24 * 60 * 60 * 1000 // 31 days ago -> exceeds 30 day maxAge
+
+    const mockRecord = {
+      active: new Date(staleActive),
+      browser: 'TestBrowser',
+      date: new Date(),
+      id: 'token_4',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(false)
+    // Token should be deleted
+    expect(dbMock.tracker.deleteCalls.length).toBe(1)
+    // No rotation should occur
+    expect(dbMock.insert).not.toHaveBeenCalled()
+  })
+
+  it('should update active timestamp when inactiveAge exceeds updateAge but tokenAge is within rotationAge', async () => {
+    const staleActive = Date.now() - 25 * 60 * 60 * 1000 // 25 hours ago -> exceeds 24h updateAge
+    const recentDate = Date.now() - 5 * 60 * 1000 // 5 mins ago -> within rotationAge
+
+    const mockRecord = {
+      active: new Date(staleActive),
+      browser: 'TestBrowser',
+      date: new Date(recentDate),
+      id: 'token_5',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+    // Should NOT rotate (tokenAge within threshold)
+    expect(dbMock.insert).not.toHaveBeenCalled()
+    // Should update active timestamp (fallback path)
+    expect(dbMock.tracker.updateCalls.length).toBe(1)
+    const updatePayload = dbMock.tracker.updateCalls[0]
+    expect(updatePayload.active).toBeInstanceOf(Date)
+    // Should NOT have Epoch marker
+    expect(updatePayload.date).toBeUndefined()
+  })
+})

package/test/Client.test.js

@@ -151,6 +151,35 @@ describe('Client (odac.js)', () => {
     })
   })
 
+  describe('get()', () => {
+    test('should automatically parse JSON if Content-Type is application/json', () => {
+      const mockCallback = jest.fn()
+      const mockData = {success: true}
+
+      mockXhr.open.mockClear()
+      mockXhr.send.mockClear()
+
+      // Mock token() to avoid side effects and XHR calls
+      jest.spyOn(window.Odac, 'token').mockReturnValue('mock-token')
+
+      // Setup response for the get request
+      mockXhr.responseText = JSON.stringify(mockData)
+      mockXhr.status = 200
+      mockXhr.statusText = 'OK'
+      mockXhr.getResponseHeader.mockImplementation(header => {
+        if (header === 'Content-Type') return 'application/json'
+        return null
+      })
+
+      window.Odac.get('/api/test', mockCallback)
+
+      // Trigger the completion of the get request
+      if (mockXhr.onload) mockXhr.onload()
+
+      expect(mockCallback).toHaveBeenCalledWith(mockData, expect.anything(), expect.anything())
+    })
+  })
+
   describe('OdacWebSocket', () => {
     test('should connect to WebSocket and handle events', () => {
       const ws = window.Odac.ws('/test-ws', {token: false})

package/test/View/Form.test.js

@@ -0,0 +1,37 @@
+const Form = require('../../src/View/Form')
+
+describe('Form HTML escaping', () => {
+  test('should escape textarea content to prevent tag breakout XSS', () => {
+    const html = Form.generateFieldHtml({
+      name: 'bio',
+      type: 'textarea',
+      placeholder: 'About me',
+      label: null,
+      class: '',
+      id: null,
+      value: '</textarea><script>alert(1)</script>',
+      validations: [],
+      extraAttributes: {}
+    })
+
+    expect(html).toContain('&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;')
+    expect(html).not.toContain('</textarea><script>alert(1)</script>')
+  })
+
+  test('should escape full HTML entities in input value attributes', () => {
+    const html = Form.generateFieldHtml({
+      name: 'displayName',
+      type: 'text',
+      placeholder: 'Name',
+      label: null,
+      class: '',
+      id: null,
+      value: 'a&b"c<d>e\'f',
+      validations: [],
+      extraAttributes: {}
+    })
+
+    expect(html).toContain('value="a&amp;b&quot;c&lt;d&gt;e&#39;f"')
+    expect(html).not.toContain('value="a&b"c<d>e\'f"')
+  })
+})