odac 1.3.0 → 1.4.1

package/src/View.js

@@ -58,6 +58,7 @@ class View {
       function: '{ let _arr = $constructor; for(let $key in _arr){ let $value = _arr[$key];',
       end: '}}',
       arguments: {
+        in: null,
         var: null,
         get: null,
         key: 'key',
@@ -83,6 +84,7 @@ class View {
     },
     list: {
       arguments: {
+        in: null,
         var: null,
         get: null,
         key: 'key',
@@ -453,12 +455,15 @@ class View {
           let fun = func.function
 
           if (key === 'for' || key === 'list') {
-            if (!vars.var && !vars.get) {
-              console.error(`"var" or "get" is required for "${match}"\n  in "${file}"`)
+            if (!vars.var && !vars.get && !vars.in) {
+              console.error(`"var", "get" or "in" is required for "${match}"\n  in "${file}"`)
               continue
             }
             let constructor
-            if (vars.var) {
+            if (vars.in) {
+              constructor = `await ${vars.in}`
+              delete vars.in
+            } else if (vars.var) {
               constructor = `await ${vars.var}`
               delete vars.var
             } else if (vars.get) {

package/template/schema/users.js

@@ -0,0 +1,23 @@
+// Schema definition for 'users' — example schema file
+// This is the single source of truth for the 'users' table.
+// AI agents read this file to understand the final database state.
+'use strict'
+
+module.exports = {
+  columns: {
+    id: {type: 'increments'},
+    name: {type: 'string', length: 255, nullable: false},
+    email: {type: 'string', length: 255, nullable: false},
+    password: {type: 'string', length: 255, nullable: false},
+    role: {type: 'enum', values: ['admin', 'user'], default: 'user'},
+    is_active: {type: 'boolean', default: true},
+    timestamps: {type: 'timestamps'}
+  },
+
+  indexes: [{columns: ['email'], unique: true}, {columns: ['role', 'is_active']}],
+
+  // Seed data — idempotent, runs on every migrate.
+  // seedKey determines the uniqueness check for upsert.
+  seed: [{name: 'Admin', email: 'admin@example.com', password: 'changeme', role: 'admin'}],
+  seedKey: 'email'
+}

package/test/Auth.test.js

@@ -0,0 +1,310 @@
+const Auth = require('../src/Auth.js')
+
+describe('Auth - Refresh Token Rotation', () => {
+  let reqMock
+  let authInstance
+
+  /**
+   * Why: Builds a chainable DB mock that resolves query results via .then() (thenable).
+   * This simulates Knex's chainable query builder pattern.
+   *
+   * @param {Array} rows - The rows the query should resolve to.
+   * @returns {object} Mock object with insert, update, delete, first, where tracking.
+   */
+  const createDbMock = rows => {
+    const tracker = {
+      deleteCalls: [],
+      firstCalls: 0,
+      insertCalls: [],
+      updateCalls: []
+    }
+
+    const chainable = () => ({
+      delete: jest.fn((...args) => {
+        tracker.deleteCalls.push(args)
+        return Promise.resolve(true)
+      }),
+      first: jest.fn(() => {
+        tracker.firstCalls++
+        return Promise.resolve(rows[0] ? {id: rows[0].user, name: 'TestUser'} : null)
+      }),
+      update: jest.fn(payload => {
+        tracker.updateCalls.push(payload)
+        return Promise.resolve(true)
+      }),
+      then: cb => cb(rows),
+      where: jest.fn(() => chainable())
+    })
+
+    return {
+      chainable,
+      insert: jest.fn(payload => {
+        tracker.insertCalls.push(payload)
+        return Promise.resolve(true)
+      }),
+      tracker,
+      where: jest.fn(() => chainable())
+    }
+  }
+
+  beforeEach(() => {
+    // Cookie storage to separate get/set behavior
+    const cookieStore = {
+      odac_x: 'old_x',
+      odac_y: 'old_y'
+    }
+
+    reqMock = {
+      cookie: jest.fn((name, value, options) => {
+        // Setter mode: 2+ arguments
+        if (value !== undefined) {
+          cookieStore[name] = value
+          return
+        }
+        // Getter mode: 1 argument
+        return cookieStore[name] || null
+      }),
+      header: jest.fn(() => 'TestBrowser'),
+      ip: '127.0.0.1'
+    }
+
+    authInstance = new Auth(reqMock)
+
+    global.Odac = {
+      Config: {
+        auth: {
+          key: 'id',
+          rotationAge: 15 * 60 * 1000,
+          table: 'users',
+          token: 'user_tokens'
+        }
+      },
+      DB: {
+        fn: {now: () => new Date()},
+        nanoid: () => 'nano_' + Date.now()
+      },
+      Var: jest.fn(() => ({
+        hash: jest.fn(() => 'hashed_value'),
+        hashCheck: jest.fn(() => true)
+      }))
+    }
+  })
+
+  afterEach(() => {
+    delete global.Odac
+  })
+
+  it('should rotate token when tokenAge exceeds rotationAge and set Epoch Date marker', async () => {
+    const createdAt = Date.now() - 20 * 60 * 1000 // 20 mins ago -> exceeds 15 min rotationAge
+
+    const mockRecord = {
+      active: new Date(),
+      browser: 'TestBrowser',
+      date: new Date(createdAt),
+      id: 'token_1',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+
+    // Verify new token was inserted
+    expect(dbMock.insert).toHaveBeenCalledTimes(1)
+    const inserted = dbMock.tracker.insertCalls[0]
+    expect(inserted.user).toBe('user_10')
+    expect(inserted.token_x).toBeDefined()
+    expect(inserted.token_y).toBe('hashed_value')
+
+    // Verify old token was marked with Epoch Date
+    expect(dbMock.tracker.updateCalls.length).toBe(1)
+    const updatePayload = dbMock.tracker.updateCalls[0]
+    expect(updatePayload.date.getTime()).toBe(0) // Epoch
+
+    // Verify new cookies were issued (setter calls)
+    const setCalls = reqMock.cookie.mock.calls.filter(c => c.length >= 2)
+    const xSet = setCalls.find(c => c[0] === 'odac_x' && c[2]?.httpOnly === true)
+    const ySet = setCalls.find(c => c[0] === 'odac_y' && c[2]?.httpOnly === true)
+    expect(xSet).toBeDefined()
+    expect(ySet).toBeDefined()
+    // New cookie values must differ from old ones
+    expect(xSet[1]).not.toBe('old_x')
+    expect(ySet[1]).not.toBe('old_y')
+    // Cookie max-age must use proper HTTP attribute name (hyphenated, not camelCase)
+    expect(xSet[2]['max-age']).toBeDefined()
+    expect(xSet[2].maxAge).toBeUndefined()
+  })
+
+  it('should NOT rotate a recently-rotated token still within 5s threshold', async () => {
+    // Simulate a rotated token where active was set to give ~60s grace period
+    // and the rotation JUST happened (< 5 seconds ago)
+    const maxAge = 30 * 24 * 60 * 60 * 1000
+    const rotatedActiveDate = new Date(Date.now() - maxAge + 60000) // Grace period: ~60s left
+
+    const mockRecord = {
+      active: rotatedActiveDate,
+      browser: 'TestBrowser',
+      date: new Date(0), // Epoch marker = already rotated
+      id: 'token_2',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+    // No rotation should occur (timeSinceRotation < 5000)
+    expect(dbMock.insert).not.toHaveBeenCalled()
+    expect(dbMock.tracker.updateCalls.length).toBe(0)
+  })
+
+  it('should recovery-rotate and DELETE old token when client lost cookies (rotated token > 5s)', async () => {
+    // Simulate a rotated token where 10 seconds have passed since original rotation
+    // Client still has old cookies → recovery rotation should trigger
+    const maxAge = 30 * 24 * 60 * 60 * 1000
+    const timeSinceRotation = 10000 // 10 seconds since original rotation
+    // active was set to: rotationTime - maxAge + 60000
+    // So: inactiveAge = now - active = now - (rotationTime - maxAge + 60000) = timeSinceRotation + maxAge - 60000
+    // timeSinceRotation formula: inactiveAge - maxAge + 60000 = timeSinceRotation = 10000
+    const rotatedActiveDate = new Date(Date.now() - maxAge + 60000 - timeSinceRotation)
+
+    const mockRecord = {
+      active: rotatedActiveDate,
+      browser: 'TestBrowser',
+      date: new Date(0), // Epoch marker = rotated
+      id: 'token_recovery',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+
+    // Should insert a new token (recovery rotation)
+    expect(dbMock.insert).toHaveBeenCalledTimes(1)
+    const inserted = dbMock.tracker.insertCalls[0]
+    expect(inserted.user).toBe('user_10')
+    expect(inserted.token_x).toBeDefined()
+
+    // Old token should be DELETED, not updated (prevents token multiplication)
+    expect(dbMock.tracker.deleteCalls.length).toBe(1)
+    expect(dbMock.tracker.updateCalls.length).toBe(0)
+
+    // New cookies should be issued
+    const setCalls = reqMock.cookie.mock.calls.filter(c => c.length >= 2)
+    const xSet = setCalls.find(c => c[0] === 'odac_x' && c[2]?.httpOnly === true)
+    const ySet = setCalls.find(c => c[0] === 'odac_y' && c[2]?.httpOnly === true)
+    expect(xSet).toBeDefined()
+    expect(ySet).toBeDefined()
+    expect(xSet[1]).not.toBe('old_x')
+    expect(ySet[1]).not.toBe('old_y')
+
+    // Cookie max-age attribute should use proper HTTP naming (hyphenated)
+    expect(xSet[2]['max-age']).toBeDefined()
+    expect(xSet[2].maxAge).toBeUndefined()
+  })
+
+  it('should NOT rotate when tokenAge is within rotationAge threshold', async () => {
+    const recentDate = Date.now() - 5 * 60 * 1000 // 5 mins ago -> within 15 min rotationAge
+
+    const mockRecord = {
+      active: new Date(),
+      browser: 'TestBrowser',
+      date: new Date(recentDate),
+      id: 'token_3',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+    expect(dbMock.insert).not.toHaveBeenCalled()
+    expect(dbMock.tracker.updateCalls.length).toBe(0)
+  })
+
+  it('should delete token and return false when inactiveAge exceeds maxAge', async () => {
+    const staleActive = Date.now() - 31 * 24 * 60 * 60 * 1000 // 31 days ago -> exceeds 30 day maxAge
+
+    const mockRecord = {
+      active: new Date(staleActive),
+      browser: 'TestBrowser',
+      date: new Date(),
+      id: 'token_4',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(false)
+    // Token should be deleted
+    expect(dbMock.tracker.deleteCalls.length).toBe(1)
+    // No rotation should occur
+    expect(dbMock.insert).not.toHaveBeenCalled()
+  })
+
+  it('should update active timestamp when inactiveAge exceeds updateAge but tokenAge is within rotationAge', async () => {
+    const staleActive = Date.now() - 25 * 60 * 60 * 1000 // 25 hours ago -> exceeds 24h updateAge
+    const recentDate = Date.now() - 5 * 60 * 1000 // 5 mins ago -> within rotationAge
+
+    const mockRecord = {
+      active: new Date(staleActive),
+      browser: 'TestBrowser',
+      date: new Date(recentDate),
+      id: 'token_5',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+    // Should NOT rotate (tokenAge within threshold)
+    expect(dbMock.insert).not.toHaveBeenCalled()
+    // Should update active timestamp (fallback path)
+    expect(dbMock.tracker.updateCalls.length).toBe(1)
+    const updatePayload = dbMock.tracker.updateCalls[0]
+    expect(updatePayload.active).toBeInstanceOf(Date)
+    // Should NOT have Epoch marker
+    expect(updatePayload.date).toBeUndefined()
+  })
+})

package/test/Client.test.js

@@ -151,6 +151,35 @@ describe('Client (odac.js)', () => {
     })
   })
 
+  describe('get()', () => {
+    test('should automatically parse JSON if Content-Type is application/json', () => {
+      const mockCallback = jest.fn()
+      const mockData = {success: true}
+
+      mockXhr.open.mockClear()
+      mockXhr.send.mockClear()
+
+      // Mock token() to avoid side effects and XHR calls
+      jest.spyOn(window.Odac, 'token').mockReturnValue('mock-token')
+
+      // Setup response for the get request
+      mockXhr.responseText = JSON.stringify(mockData)
+      mockXhr.status = 200
+      mockXhr.statusText = 'OK'
+      mockXhr.getResponseHeader.mockImplementation(header => {
+        if (header === 'Content-Type') return 'application/json'
+        return null
+      })
+
+      window.Odac.get('/api/test', mockCallback)
+
+      // Trigger the completion of the get request
+      if (mockXhr.onload) mockXhr.onload()
+
+      expect(mockCallback).toHaveBeenCalledWith(mockData, expect.anything(), expect.anything())
+    })
+  })
+
   describe('OdacWebSocket', () => {
     test('should connect to WebSocket and handle events', () => {
       const ws = window.Odac.ws('/test-ws', {token: false})

package/test/Config.test.js

@@ -77,6 +77,13 @@ describe('Config', () => {
       expect(result).toBe('hello-bar')
     })
 
+    it('should replace ${VAR} when variable name includes hyphen', () => {
+      process.env['MY-VAR'] = 'hyphen-value'
+      const result = Config._interpolate('hello-${MY-VAR}')
+      expect(result).toBe('hello-hyphen-value')
+      delete process.env['MY-VAR']
+    })
+
     it('should replace ${odac} with client path', () => {
       // __dirname in Config.js is /.../src, so it replaces /src with /client
       const result = Config._interpolate('path-${odac}')

package/test/Database/ConnectionFactory.test.js

@@ -0,0 +1,80 @@
+const mockKnex = jest.fn()
+
+jest.mock(
+  'knex',
+  () =>
+    (...args) =>
+      mockKnex(...args)
+)
+
+const {buildConnections, buildConnectionConfig, resolveClient} = require('../../src/Database/ConnectionFactory')
+
+describe('Database ConnectionFactory', () => {
+  beforeEach(() => {
+    mockKnex.mockReset()
+    mockKnex.mockImplementation(options => ({
+      options,
+      raw: jest.fn()
+    }))
+  })
+
+  it('resolveClient should map known database aliases', () => {
+    expect(resolveClient('postgres')).toBe('pg')
+    expect(resolveClient('postgresql')).toBe('pg')
+    expect(resolveClient('pg')).toBe('pg')
+    expect(resolveClient('sqlite')).toBe('sqlite3')
+    expect(resolveClient('sqlite3')).toBe('sqlite3')
+    expect(resolveClient('mysql')).toBe('mysql2')
+  })
+
+  it('buildConnectionConfig should create sqlite filename config', () => {
+    const config = buildConnectionConfig({database: 'db.sqlite3'}, 'sqlite3')
+    expect(config).toEqual({filename: 'db.sqlite3'})
+  })
+
+  it('buildConnectionConfig should create host based config for non-sqlite', () => {
+    const config = buildConnectionConfig(
+      {
+        user: 'root',
+        password: 'secret',
+        database: 'app',
+        port: 3306
+      },
+      'mysql2'
+    )
+
+    expect(config).toEqual({
+      host: '127.0.0.1',
+      user: 'root',
+      password: 'secret',
+      database: 'app',
+      port: 3306
+    })
+  })
+
+  it('buildConnections should support single database config', () => {
+    const connections = buildConnections({
+      type: 'mysql',
+      user: 'root',
+      database: 'app'
+    })
+
+    expect(Object.keys(connections)).toEqual(['default'])
+    expect(mockKnex).toHaveBeenCalledTimes(1)
+    expect(mockKnex.mock.calls[0][0]).toMatchObject({
+      client: 'mysql2',
+      pool: {min: 0, max: 10},
+      useNullAsDefault: true
+    })
+  })
+
+  it('buildConnections should support multi database config', () => {
+    const connections = buildConnections({
+      analytics: {type: 'postgres', user: 'u', database: 'a'},
+      default: {type: 'sqlite', filename: './dev.sqlite3'}
+    })
+
+    expect(Object.keys(connections).sort()).toEqual(['analytics', 'default'])
+    expect(mockKnex).toHaveBeenCalledTimes(2)
+  })
+})