odac 1.4.0 → 1.4.1

package/src/Database.js

@@ -1,5 +1,5 @@
 'use strict'
-const knex = require('knex')
+const {buildConnections} = require('./Database/ConnectionFactory')
 
 class DatabaseManager {
   constructor() {
@@ -9,41 +9,9 @@ class DatabaseManager {
   async init() {
     if (!Odac.Config.database) return
 
-    let multiple = typeof Odac.Config.database[Object.keys(Odac.Config.database)[0]] === 'object'
-    let dbs = multiple ? Odac.Config.database : {default: Odac.Config.database}
-
-    for (let key of Object.keys(dbs)) {
-      let db = dbs[key]
-      let client = 'mysql2'
-      if (db.type === 'postgres' || db.type === 'pg' || db.type === 'postgresql') client = 'pg'
-      if (db.type === 'sqlite' || db.type === 'sqlite3') client = 'sqlite3'
-
-      let connectionConfig
-
-      if (client === 'sqlite3') {
-        connectionConfig = {
-          filename: db.filename || db.database || './dev.sqlite3'
-        }
-      } else {
-        connectionConfig = {
-          host: db.host || '127.0.0.1',
-          user: db.user,
-          password: db.password,
-          database: db.database,
-          port: db.port
-        }
-      }
-
-      this.connections[key] = knex({
-        client: client,
-        connection: connectionConfig,
-        pool: {
-          min: 0,
-          max: db.connectionLimit || 10
-        },
-        useNullAsDefault: true // For sqlite
-      })
+    this.connections = buildConnections(Odac.Config.database)
 
+    for (const key of Object.keys(this.connections)) {
       // Test connection
       try {
         await this.connections[key].raw('SELECT 1')
@@ -52,6 +20,38 @@ class DatabaseManager {
         console.error(e.message)
       }
     }
+
+    // Auto-migrate: sync schema/ files with the database on every startup.
+    // Why: Zero-config philosophy — deploy and forget. The app always starts with the correct DB state.
+    await this._autoMigrate()
+  }
+
+  /**
+   * Runs the schema-first migration engine against all active connections.
+   * CLUSTER SAFETY: Only runs on the primary process to prevent race conditions.
+   * Workers are forked AFTER Server.init(), which happens after Database.init(),
+   * so migrations are guaranteed to complete before any worker touches the DB.
+   * Silently skips if no schema/ directory exists (no-op for projects without migrations).
+   */
+  async _autoMigrate() {
+    const cluster = require('node:cluster')
+    if (!cluster.isPrimary) return
+
+    const fs = require('node:fs')
+    const path = require('node:path')
+    const schemaDir = path.join(global.__dir, 'schema')
+
+    if (!fs.existsSync(schemaDir)) return
+    if (Object.keys(this.connections).length === 0) return
+
+    const Migration = require('./Database/Migration')
+    Migration.init(global.__dir, this.connections)
+
+    try {
+      await Migration.migrate()
+    } catch (e) {
+      throw new Error(`Odac Migration Error: ${e.message}`, {cause: e})
+    }
   }
 
   nanoid(size = 21) {

package/template/schema/users.js

@@ -0,0 +1,23 @@
+// Schema definition for 'users' — example schema file
+// This is the single source of truth for the 'users' table.
+// AI agents read this file to understand the final database state.
+'use strict'
+
+module.exports = {
+  columns: {
+    id: {type: 'increments'},
+    name: {type: 'string', length: 255, nullable: false},
+    email: {type: 'string', length: 255, nullable: false},
+    password: {type: 'string', length: 255, nullable: false},
+    role: {type: 'enum', values: ['admin', 'user'], default: 'user'},
+    is_active: {type: 'boolean', default: true},
+    timestamps: {type: 'timestamps'}
+  },
+
+  indexes: [{columns: ['email'], unique: true}, {columns: ['role', 'is_active']}],
+
+  // Seed data — idempotent, runs on every migrate.
+  // seedKey determines the uniqueness check for upsert.
+  seed: [{name: 'Admin', email: 'admin@example.com', password: 'changeme', role: 'admin'}],
+  seedKey: 'email'
+}

package/test/Auth.test.js

@@ -137,11 +137,19 @@ describe('Auth - Refresh Token Rotation', () => {
     // New cookie values must differ from old ones
     expect(xSet[1]).not.toBe('old_x')
     expect(ySet[1]).not.toBe('old_y')
+    // Cookie max-age must use proper HTTP attribute name (hyphenated, not camelCase)
+    expect(xSet[2]['max-age']).toBeDefined()
+    expect(xSet[2].maxAge).toBeUndefined()
   })
 
-  it('should NOT rotate a token already marked as rotated (Epoch Date marker)', async () => {
+  it('should NOT rotate a recently-rotated token still within 5s threshold', async () => {
+    // Simulate a rotated token where active was set to give ~60s grace period
+    // and the rotation JUST happened (< 5 seconds ago)
+    const maxAge = 30 * 24 * 60 * 60 * 1000
+    const rotatedActiveDate = new Date(Date.now() - maxAge + 60000) // Grace period: ~60s left
+
     const mockRecord = {
-      active: new Date(), // Still within maxAge
+      active: rotatedActiveDate,
       browser: 'TestBrowser',
       date: new Date(0), // Epoch marker = already rotated
       id: 'token_2',
@@ -158,11 +166,64 @@ describe('Auth - Refresh Token Rotation', () => {
     const result = await authInstance.check()
 
     expect(result).toBe(true)
-    // No rotation should occur
+    // No rotation should occur (timeSinceRotation < 5000)
     expect(dbMock.insert).not.toHaveBeenCalled()
     expect(dbMock.tracker.updateCalls.length).toBe(0)
   })
 
+  it('should recovery-rotate and DELETE old token when client lost cookies (rotated token > 5s)', async () => {
+    // Simulate a rotated token where 10 seconds have passed since original rotation
+    // Client still has old cookies → recovery rotation should trigger
+    const maxAge = 30 * 24 * 60 * 60 * 1000
+    const timeSinceRotation = 10000 // 10 seconds since original rotation
+    // active was set to: rotationTime - maxAge + 60000
+    // So: inactiveAge = now - active = now - (rotationTime - maxAge + 60000) = timeSinceRotation + maxAge - 60000
+    // timeSinceRotation formula: inactiveAge - maxAge + 60000 = timeSinceRotation = 10000
+    const rotatedActiveDate = new Date(Date.now() - maxAge + 60000 - timeSinceRotation)
+
+    const mockRecord = {
+      active: rotatedActiveDate,
+      browser: 'TestBrowser',
+      date: new Date(0), // Epoch marker = rotated
+      id: 'token_recovery',
+      ip: '127.0.0.1',
+      token_x: 'old_x',
+      token_y: 'hashed_old_y',
+      user: 'user_10'
+    }
+
+    const dbMock = createDbMock([mockRecord])
+    global.Odac.DB.user_tokens = dbMock
+    global.Odac.DB.users = dbMock
+
+    const result = await authInstance.check()
+
+    expect(result).toBe(true)
+
+    // Should insert a new token (recovery rotation)
+    expect(dbMock.insert).toHaveBeenCalledTimes(1)
+    const inserted = dbMock.tracker.insertCalls[0]
+    expect(inserted.user).toBe('user_10')
+    expect(inserted.token_x).toBeDefined()
+
+    // Old token should be DELETED, not updated (prevents token multiplication)
+    expect(dbMock.tracker.deleteCalls.length).toBe(1)
+    expect(dbMock.tracker.updateCalls.length).toBe(0)
+
+    // New cookies should be issued
+    const setCalls = reqMock.cookie.mock.calls.filter(c => c.length >= 2)
+    const xSet = setCalls.find(c => c[0] === 'odac_x' && c[2]?.httpOnly === true)
+    const ySet = setCalls.find(c => c[0] === 'odac_y' && c[2]?.httpOnly === true)
+    expect(xSet).toBeDefined()
+    expect(ySet).toBeDefined()
+    expect(xSet[1]).not.toBe('old_x')
+    expect(ySet[1]).not.toBe('old_y')
+
+    // Cookie max-age attribute should use proper HTTP naming (hyphenated)
+    expect(xSet[2]['max-age']).toBeDefined()
+    expect(xSet[2].maxAge).toBeUndefined()
+  })
+
   it('should NOT rotate when tokenAge is within rotationAge threshold', async () => {
     const recentDate = Date.now() - 5 * 60 * 1000 // 5 mins ago -> within 15 min rotationAge
 

package/test/Config.test.js

@@ -77,6 +77,13 @@ describe('Config', () => {
       expect(result).toBe('hello-bar')
     })
 
+    it('should replace ${VAR} when variable name includes hyphen', () => {
+      process.env['MY-VAR'] = 'hyphen-value'
+      const result = Config._interpolate('hello-${MY-VAR}')
+      expect(result).toBe('hello-hyphen-value')
+      delete process.env['MY-VAR']
+    })
+
     it('should replace ${odac} with client path', () => {
       // __dirname in Config.js is /.../src, so it replaces /src with /client
       const result = Config._interpolate('path-${odac}')

package/test/Database/ConnectionFactory.test.js

@@ -0,0 +1,80 @@
+const mockKnex = jest.fn()
+
+jest.mock(
+  'knex',
+  () =>
+    (...args) =>
+      mockKnex(...args)
+)
+
+const {buildConnections, buildConnectionConfig, resolveClient} = require('../../src/Database/ConnectionFactory')
+
+describe('Database ConnectionFactory', () => {
+  beforeEach(() => {
+    mockKnex.mockReset()
+    mockKnex.mockImplementation(options => ({
+      options,
+      raw: jest.fn()
+    }))
+  })
+
+  it('resolveClient should map known database aliases', () => {
+    expect(resolveClient('postgres')).toBe('pg')
+    expect(resolveClient('postgresql')).toBe('pg')
+    expect(resolveClient('pg')).toBe('pg')
+    expect(resolveClient('sqlite')).toBe('sqlite3')
+    expect(resolveClient('sqlite3')).toBe('sqlite3')
+    expect(resolveClient('mysql')).toBe('mysql2')
+  })
+
+  it('buildConnectionConfig should create sqlite filename config', () => {
+    const config = buildConnectionConfig({database: 'db.sqlite3'}, 'sqlite3')
+    expect(config).toEqual({filename: 'db.sqlite3'})
+  })
+
+  it('buildConnectionConfig should create host based config for non-sqlite', () => {
+    const config = buildConnectionConfig(
+      {
+        user: 'root',
+        password: 'secret',
+        database: 'app',
+        port: 3306
+      },
+      'mysql2'
+    )
+
+    expect(config).toEqual({
+      host: '127.0.0.1',
+      user: 'root',
+      password: 'secret',
+      database: 'app',
+      port: 3306
+    })
+  })
+
+  it('buildConnections should support single database config', () => {
+    const connections = buildConnections({
+      type: 'mysql',
+      user: 'root',
+      database: 'app'
+    })
+
+    expect(Object.keys(connections)).toEqual(['default'])
+    expect(mockKnex).toHaveBeenCalledTimes(1)
+    expect(mockKnex.mock.calls[0][0]).toMatchObject({
+      client: 'mysql2',
+      pool: {min: 0, max: 10},
+      useNullAsDefault: true
+    })
+  })
+
+  it('buildConnections should support multi database config', () => {
+    const connections = buildConnections({
+      analytics: {type: 'postgres', user: 'u', database: 'a'},
+      default: {type: 'sqlite', filename: './dev.sqlite3'}
+    })
+
+    expect(Object.keys(connections).sort()).toEqual(['analytics', 'default'])
+    expect(mockKnex).toHaveBeenCalledTimes(2)
+  })
+})