odac 1.4.2 → 1.4.4

package/src/View.js

@@ -3,6 +3,7 @@ const fs = require('fs')
 const fsPromises = fs.promises
 const Form = require('./View/Form')
 const EarlyHints = require('./View/EarlyHints')
+const Image = require('./View/Image')
 
 const TITLE_REGEX = /<title[^>]*>([^<]*)<\/title>/i
 
@@ -119,7 +120,9 @@ class View {
       this.#earlyHints = global.Odac.View.EarlyHints
     }
     global.Odac.View.Form = Form
+    global.Odac.View.Image = Image
     this.Form = Form
+    this.Image = Image
   }
 
   all(name) {
@@ -404,6 +407,7 @@ class View {
 
     if (content !== null) {
       content = Form.parse(content, this.#odac)
+      content = Image.parse(content)
 
       const jsBlocks = []
       content = content.replace(/<script:odac([^>]*)>([\s\S]*?)<\/script:odac>/g, (match, attrs, jsContent) => {

package/test/Auth/verifyMagicLink.test.js

@@ -0,0 +1,281 @@
+describe('Auth.verifyMagicLink()', () => {
+  let Auth
+  let reqMock
+  let authInstance
+
+  /**
+   * Why: Builds a chainable DB mock simulating Knex's query builder pattern.
+   * Tracks all insert/update/delete calls for assertion.
+   * Supports orWhere, columnInfo, and schema — required by check(), register(), and migration helpers.
+   *
+   * @param {Array} rows - The rows the query should resolve to.
+   * @returns {object} Mock with chainable query builder and call tracker.
+   */
+  const createDbMock = (rows = []) => {
+    const tracker = {
+      deleteCalls: [],
+      firstResult: rows[0] || null,
+      insertCalls: [],
+      updateCalls: []
+    }
+
+    const chainable = () => ({
+      delete: jest.fn((...args) => {
+        tracker.deleteCalls.push(args)
+        return Promise.resolve(true)
+      }),
+      first: jest.fn(() => Promise.resolve(tracker.firstResult)),
+      insert: jest.fn(payload => {
+        tracker.insertCalls.push(payload)
+        return Promise.resolve(true)
+      }),
+      orWhere: jest.fn(() => chainable()),
+      then: cb => cb(rows),
+      update: jest.fn(payload => {
+        tracker.updateCalls.push(payload)
+        return Promise.resolve(true)
+      }),
+      where: jest.fn(() => chainable())
+    })
+
+    return {
+      // columnInfo: used by register() to detect PK column type
+      columnInfo: jest.fn(() => Promise.resolve({type: 'string'})),
+      insert: jest.fn(payload => {
+        tracker.insertCalls.push(payload)
+        return Promise.resolve(true)
+      }),
+      // orWhere: entry point used by check(where) before chaining
+      orWhere: jest.fn(() => chainable()),
+      // schema: used by migration helpers (#ensureUserTableV2, #ensureTokenTableV2)
+      schema: jest.fn(() => Promise.resolve()),
+      tracker,
+      where: jest.fn(() => chainable())
+    }
+  }
+
+  /**
+   * Why: Builds a minimal magic link record for DB mock responses.
+   *
+   * @param {object} overrides - Fields to override on the default record.
+   * @returns {object} Magic link record.
+   */
+  const createMagicRecord = (overrides = {}) => ({
+    browser: 'TestBrowser',
+    email: 'test@example.com',
+    expires_at: new Date(Date.now() + 15 * 60 * 1000),
+    id: 1,
+    ip: '127.0.0.1',
+    token_hash: 'hashed_token',
+    ...overrides
+  })
+
+  beforeEach(() => {
+    // Isolate module per test to reset the static #migrationCache Set on Auth class
+    jest.isolateModules(() => {
+      Auth = require('../../src/Auth.js')
+    })
+
+    reqMock = {
+      cookie: jest.fn((name, value) => {
+        if (value !== undefined) return
+        return null
+      }),
+      header: jest.fn(() => 'TestBrowser'),
+      host: 'example.com',
+      ip: '127.0.0.1',
+      res: {},
+      session: jest.fn(() => null),
+      ssl: false
+    }
+
+    authInstance = new Auth(reqMock)
+
+    global.Odac = {
+      Config: {
+        auth: {
+          key: 'id',
+          magicTable: 'odac_magic',
+          table: 'users',
+          token: 'odac_auth'
+        }
+      },
+      DB: {
+        fn: {now: () => new Date()},
+        nanoid: () => 'nano_' + Date.now()
+      },
+      Var: jest.fn(() => ({
+        hash: jest.fn(() => 'hashed_value'),
+        hashCheck: jest.fn(() => true),
+        is: jest.fn(() => false),
+        md5: jest.fn(() => 'md5_value')
+      }))
+    }
+  })
+
+  afterEach(() => {
+    delete global.Odac
+  })
+
+  // ─── EXISTING USER SCENARIOS ──────────────────────────────────────────────
+
+  it('should log in an existing user and return success', async () => {
+    const existingUser = {email: 'test@example.com', id: 'user_1', name: 'Test'}
+    const magicDbMock = createDbMock([createMagicRecord()])
+    // rows array is consumed by check(where) candidate query via .then()
+    const usersDbMock = createDbMock([existingUser])
+    usersDbMock.tracker.firstResult = existingUser
+    const authDbMock = createDbMock()
+
+    global.Odac.DB.odac_magic = magicDbMock
+    global.Odac.DB.users = usersDbMock
+    global.Odac.DB.odac_auth = authDbMock
+
+    const result = await authInstance.verifyMagicLink('raw_token', 'test@example.com')
+
+    expect(result.success).toBe(true)
+    expect(result.user).toEqual(existingUser)
+    // Exactly one login token must be inserted — no duplicate
+    expect(authDbMock.tracker.insertCalls.length).toBe(1)
+  })
+
+  it('should consume (delete) all magic tokens for the email after successful verification', async () => {
+    const existingUser = {email: 'test@example.com', id: 'user_1'}
+    const magicDbMock = createDbMock([createMagicRecord()])
+    const usersDbMock = createDbMock([existingUser])
+    usersDbMock.tracker.firstResult = existingUser
+
+    global.Odac.DB.odac_magic = magicDbMock
+    global.Odac.DB.users = usersDbMock
+    global.Odac.DB.odac_auth = createDbMock()
+
+    await authInstance.verifyMagicLink('raw_token', 'test@example.com')
+
+    // All magic tokens for this email must be deleted to prevent reuse
+    expect(magicDbMock.tracker.deleteCalls.length).toBe(1)
+  })
+
+  // ─── NEW USER (AUTO-REGISTER) SCENARIOS ───────────────────────────────────
+
+  it('should NOT create duplicate odac_auth tokens when auto-registering a new user', async () => {
+    // Regression test: verifyMagicLink must not call login() a second time
+    // when register() already performed auto-login internally.
+    const newUser = {email: 'new@example.com', id: 'nano_new'}
+    const magicDbMock = createDbMock([createMagicRecord({email: 'new@example.com'})])
+
+    // Query path breakdown:
+    //   first() calls → (1) verifyMagicLink existence check: null
+    //                   (2) register unique field check: null
+    //                   (3) register post-insert retrieval: newUser
+    //   then() calls  → check(where) candidate query (used by login): always [newUser]
+    let usersFirstCallCount = 0
+    const usersDbMock = createDbMock()
+    const usersChainable = () => ({
+      delete: jest.fn(() => Promise.resolve(true)),
+      first: jest.fn(() => {
+        usersFirstCallCount++
+        return Promise.resolve(usersFirstCallCount < 3 ? null : newUser)
+      }),
+      orWhere: jest.fn(() => usersChainable()),
+      then: cb => cb([newUser]),
+      update: jest.fn(() => Promise.resolve(true)),
+      where: jest.fn(() => usersChainable())
+    })
+    usersDbMock.where = jest.fn(() => usersChainable())
+    usersDbMock.orWhere = jest.fn(() => usersChainable())
+
+    const authDbMock = createDbMock()
+
+    global.Odac.DB.odac_magic = magicDbMock
+    global.Odac.DB.users = usersDbMock
+    global.Odac.DB.odac_auth = authDbMock
+
+    const result = await authInstance.verifyMagicLink('raw_token', 'new@example.com')
+
+    expect(result.success).toBe(true)
+    // THE CRITICAL ASSERTION: register() auto-login + verifyMagicLink must produce exactly 1 token
+    expect(authDbMock.tracker.insertCalls.length).toBe(1)
+  })
+
+  it('should return the newly registered user on success', async () => {
+    const newUser = {email: 'new@example.com', id: 'nano_new'}
+    const magicDbMock = createDbMock([createMagicRecord({email: 'new@example.com'})])
+
+    let usersFirstCallCount = 0
+    const usersDbMock = createDbMock()
+    const usersChainable = () => ({
+      delete: jest.fn(() => Promise.resolve(true)),
+      first: jest.fn(() => {
+        usersFirstCallCount++
+        return Promise.resolve(usersFirstCallCount < 3 ? null : newUser)
+      }),
+      orWhere: jest.fn(() => usersChainable()),
+      then: cb => cb([newUser]),
+      update: jest.fn(() => Promise.resolve(true)),
+      where: jest.fn(() => usersChainable())
+    })
+    usersDbMock.where = jest.fn(() => usersChainable())
+    usersDbMock.orWhere = jest.fn(() => usersChainable())
+
+    global.Odac.DB.odac_magic = magicDbMock
+    global.Odac.DB.users = usersDbMock
+    global.Odac.DB.odac_auth = createDbMock()
+
+    const result = await authInstance.verifyMagicLink('raw_token', 'new@example.com')
+
+    expect(result.success).toBe(true)
+    expect(result.user).toBeDefined()
+    expect(result.user.email).toBe('new@example.com')
+  })
+
+  // ─── FAILURE SCENARIOS ────────────────────────────────────────────────────
+
+  it('should return error when tokenRaw is missing', async () => {
+    const result = await authInstance.verifyMagicLink(null, 'test@example.com')
+    expect(result.success).toBe(false)
+    expect(result.error).toBe('Invalid link')
+  })
+
+  it('should return error when email is missing', async () => {
+    const result = await authInstance.verifyMagicLink('raw_token', null)
+    expect(result.success).toBe(false)
+    expect(result.error).toBe('Invalid link')
+  })
+
+  it('should return error when no valid (non-expired) magic records exist', async () => {
+    global.Odac.DB.odac_magic = createDbMock([])
+
+    const result = await authInstance.verifyMagicLink('raw_token', 'test@example.com')
+
+    expect(result.success).toBe(false)
+    expect(result.error).toBe('Link expired or invalid')
+  })
+
+  it('should return error when token hash does not match', async () => {
+    global.Odac.Var = jest.fn(() => ({
+      hash: jest.fn(() => 'hashed_value'),
+      hashCheck: jest.fn(() => false),
+      is: jest.fn(() => false)
+    }))
+    global.Odac.DB.odac_magic = createDbMock([createMagicRecord()])
+
+    const result = await authInstance.verifyMagicLink('wrong_token', 'test@example.com')
+
+    expect(result.success).toBe(false)
+    expect(result.error).toBe('Invalid token')
+  })
+
+  it('should NOT delete magic tokens when token hash does not match', async () => {
+    global.Odac.Var = jest.fn(() => ({
+      hash: jest.fn(() => 'hashed_value'),
+      hashCheck: jest.fn(() => false),
+      is: jest.fn(() => false)
+    }))
+    const magicDbMock = createDbMock([createMagicRecord()])
+    global.Odac.DB.odac_magic = magicDbMock
+
+    await authInstance.verifyMagicLink('wrong_token', 'test@example.com')
+
+    expect(magicDbMock.tracker.deleteCalls.length).toBe(0)
+  })
+})

package/test/Client/ws.test.js

@@ -83,4 +83,36 @@ describe('Odac.ws()', () => {
     socketInstance.onopen()
     expect(openHandler).toHaveBeenCalled()
   })
+
+  test('should use fresh token on reconnect', () => {
+    let tokenCounter = 0
+    mockXhr.response = JSON.stringify({token: 'initial-token'})
+    mockXhr.responseText = JSON.stringify({token: 'initial-token'})
+    mockXhr.onload = null
+    mockXhr.send = jest.fn(function () {
+      tokenCounter++
+      this.response = JSON.stringify({token: `token-${tokenCounter}`})
+      this.responseText = this.response
+      if (this.onload) this.onload()
+    })
+    mockDocument.cookie = 'odac_client=test-client'
+
+    window.Odac.ws('/test-ws', {token: true, autoReconnect: true, reconnectDelay: 100})
+    const firstCall = WebSocket.mock.calls[0]
+    expect(firstCall[1]).toEqual(expect.arrayContaining([expect.stringMatching(/^odac-token-/)]))
+    const firstToken = firstCall[1][0]
+
+    const socketInstance = WebSocket.mock.results[0].value
+    socketInstance.onopen()
+
+    global.setTimeout = jest.fn(fn => fn())
+    socketInstance.readyState = 3
+    socketInstance.onclose({code: 1006})
+
+    expect(WebSocket.mock.calls.length).toBeGreaterThan(1)
+    const secondCall = WebSocket.mock.calls[1]
+    expect(secondCall[1]).toEqual(expect.arrayContaining([expect.stringMatching(/^odac-token-/)]))
+    const secondToken = secondCall[1][0]
+    expect(secondToken).not.toBe(firstToken)
+  })
 })

package/test/Lang/get.test.js

@@ -1,7 +1,17 @@
-const fs = require('fs')
+const fs = require('node:fs')
 const Lang = require('../../src/Lang')
 
-jest.mock('fs')
+jest.mock('node:fs', () => ({
+  promises: {
+    mkdir: jest.fn(),
+    writeFile: jest.fn(),
+    access: jest.fn()
+  },
+  existsSync: jest.fn(),
+  mkdirSync: jest.fn(),
+  writeFileSync: jest.fn(),
+  readFileSync: jest.fn()
+}))
 
 describe('Lang.get()', () => {
   let mockOdac
@@ -22,8 +32,8 @@ describe('Lang.get()', () => {
     }
 
     fs.existsSync.mockReturnValue(false)
-    fs.mkdirSync.mockImplementation(() => {})
-    fs.writeFileSync.mockImplementation(() => {})
+    fs.promises.mkdir.mockResolvedValue()
+    fs.promises.writeFile.mockResolvedValue()
     fs.readFileSync.mockImplementation(() => {
       throw new Error('ENOENT')
     })
@@ -31,7 +41,7 @@ describe('Lang.get()', () => {
     lang = new Lang(mockOdac)
   })
 
-  it('should return matching string and support placeholders', () => {
+  it('should return matching string and support placeholders', async () => {
     fs.existsSync.mockImplementation(path => path.includes('/tr.json'))
     fs.readFileSync.mockReturnValue(
       JSON.stringify({
@@ -40,10 +50,10 @@ describe('Lang.get()', () => {
     )
 
     lang.set('tr')
-    expect(lang.get('welcome', 'Emre')).toBe('Merhaba Emre!')
+    expect(await lang.get('welcome', 'Emre')).toBe('Merhaba Emre!')
   })
 
-  it('should support numbered placeholders', () => {
+  it('should support numbered placeholders', async () => {
     fs.existsSync.mockImplementation(path => path.includes('/en.json'))
     fs.readFileSync.mockReturnValue(
       JSON.stringify({
@@ -52,14 +62,30 @@ describe('Lang.get()', () => {
     )
 
     lang.set('en')
-    expect(lang.get('order', 'A', 'B')).toBe('First: A, Second: B')
+    expect(await lang.get('order', 'A', 'B')).toBe('First: A, Second: B')
   })
 
-  it('should auto-save new keys', () => {
+  it('should auto-save new keys', async () => {
     lang.set('en')
-    const result = lang.get('new_key')
+    const result = await lang.get('new_key')
 
     expect(result).toBe('new_key')
-    expect(fs.writeFileSync).toHaveBeenCalledWith(expect.stringContaining('/en.json'), expect.stringContaining('"new_key": "new_key"'))
+    expect(fs.promises.writeFile).toHaveBeenCalledWith(expect.stringContaining('/en.json'), expect.stringContaining('"new_key": "new_key"'))
+  })
+
+  it('should set language from ACCEPT-LANGUAGE header', () => {
+    mockOdac.Request.header.mockImplementation(name => {
+      if (name === 'ACCEPT-LANGUAGE') return 'tr-TR,tr;q=0.9'
+      return null
+    })
+
+    lang.set()
+    // We check internal #lang via side effect or just trust the logic if we can't access private field easily.
+    // But we can check if it tries to read tr.json
+    fs.existsSync.mockImplementation(path => path.includes('/tr.json'))
+    fs.readFileSync.mockReturnValue('{}')
+
+    lang.set()
+    expect(fs.readFileSync).toHaveBeenCalledWith(expect.stringContaining('/tr.json'), 'utf8')
   })
 })

package/test/Odac/image.test.js

@@ -0,0 +1,61 @@
+const Odac = require('../../src/Odac')
+
+describe('Odac.image()', () => {
+  let mockOdac
+
+  beforeEach(() => {
+    mockOdac = {
+      Config: {request: {timeout: 1000}},
+      DB: {init: jest.fn(), close: jest.fn()},
+      Route: {
+        init: jest.fn(),
+        routes: {www: {}}
+      },
+      Storage: {get: jest.fn(), put: jest.fn()},
+      Env: {get: jest.fn()}
+    }
+    global.Odac = mockOdac
+    global.__dir = '/mock'
+  })
+
+  afterEach(() => {
+    delete global.Odac
+    delete global.__dir
+  })
+
+  test('should be available on instance without req/res (cron context)', () => {
+    const ctx = Odac.instance(null, 'cron')
+    expect(typeof ctx.image).toBe('function')
+  })
+
+  test('should be available on instance with req/res (controller context)', () => {
+    const mockReq = {
+      method: 'GET',
+      url: '/',
+      headers: {host: 'www.example.com'},
+      connection: {remoteAddress: '127.0.0.1'},
+      on: jest.fn()
+    }
+    const mockRes = {on: jest.fn()}
+    const ctx = Odac.instance('id', mockReq, mockRes)
+    expect(typeof ctx.image).toBe('function')
+  })
+
+  test('should return a promise', () => {
+    const ctx = Odac.instance(null, 'cron')
+    const result = ctx.image('/images/test.jpg', {width: 300})
+    expect(result).toBeInstanceOf(Promise)
+  })
+
+  test('should return original src when sharp is unavailable', async () => {
+    const ctx = Odac.instance(null, 'cron')
+    const result = await ctx.image('/images/test.jpg')
+    // sharp not installed in test env → returns original src
+    expect(result).toBe('/images/test.jpg')
+  })
+
+  test('should return empty string for empty src', async () => {
+    const ctx = Odac.instance(null, 'cron')
+    expect(await ctx.image('')).toBe('')
+  })
+})

package/test/Route/check.test.js

@@ -308,4 +308,105 @@ describe('Route.check()', () => {
       expect(paramHandler).not.toHaveBeenCalled()
     })
   })
+
+  describe('public static file serving', () => {
+    const fs = require('fs')
+    const path = require('path')
+
+    const createMockOdac = url => ({
+      Auth: {check: jest.fn().mockResolvedValue(true)},
+      Config: {debug: true},
+      Request: {
+        url,
+        method: 'get',
+        route: 'test_route',
+        header: jest.fn(),
+        cookie: jest.fn(() => null),
+        abort: jest.fn(),
+        setSession: jest.fn(),
+        data: {url: {}}
+      },
+      request: jest.fn().mockResolvedValue(null)
+    })
+
+    beforeEach(() => {
+      global.__dir = '/app'
+    })
+
+    afterEach(() => {
+      jest.restoreAllMocks()
+    })
+
+    it('should serve a public static file successfully', async () => {
+      const mockStat = jest.spyOn(fs.promises, 'stat').mockResolvedValue({isFile: () => true, size: 1024})
+      const mockStream = {pipe: jest.fn()}
+      const mockCreateReadStream = jest.spyOn(fs, 'createReadStream').mockReturnValue(mockStream)
+      const expectedPath = path.normalize('/app/public/style.css')
+
+      const mockOdac = createMockOdac('/style.css')
+      const result = await route.check(mockOdac)
+
+      expect(mockStat).toHaveBeenCalledWith(expectedPath)
+      expect(mockOdac.Request.header).toHaveBeenCalledWith('Content-Type', 'text/css')
+      expect(mockOdac.Request.header).toHaveBeenCalledWith('Content-Length', 1024)
+      expect(mockCreateReadStream).toHaveBeenCalledWith(expectedPath)
+      expect(result).toBe(mockStream)
+    })
+
+    it('should prevent path traversal attacks', async () => {
+      const mockStat = jest.spyOn(fs.promises, 'stat')
+
+      const mockOdac = createMockOdac('/../secrets.txt')
+      const result = await route.check(mockOdac)
+
+      expect(mockStat).not.toHaveBeenCalled()
+      expect(result).toBeUndefined() // Falls through if blocked
+    })
+
+    it('should prevent null byte injection attacks', async () => {
+      const mockStat = jest.spyOn(fs.promises, 'stat')
+
+      const mockOdac = createMockOdac('/style%00.css')
+      const result = await route.check(mockOdac)
+
+      expect(mockStat).not.toHaveBeenCalled()
+      expect(result).toBeUndefined()
+    })
+
+    it('should handle invalid URI encoding gracefully', async () => {
+      const mockStat = jest.spyOn(fs.promises, 'stat')
+
+      const mockOdac = createMockOdac('/%E0%A4%A') // Invalid URL encoded string
+      const result = await route.check(mockOdac)
+
+      expect(mockStat).not.toHaveBeenCalled()
+      expect(result).toBeUndefined()
+    })
+
+    it('should cache metadata in production mode', async () => {
+      jest.spyOn(fs.promises, 'stat').mockResolvedValue({isFile: () => true, size: 2048})
+      const mockCreateReadStream = jest.spyOn(fs, 'createReadStream').mockReturnValue('mock_stream')
+
+      const mockOdac = createMockOdac('/script.js')
+      mockOdac.Config.debug = false // prod mode
+
+      // first call (cache miss -> set cache)
+      await route.check(mockOdac)
+      expect(fs.promises.stat).toHaveBeenCalledTimes(1)
+      expect(mockOdac.Request.header).toHaveBeenCalledWith('Content-Type', 'text/javascript')
+
+      // reset mock tracking (cache hit -> no stat)
+      jest.clearAllMocks()
+      jest.spyOn(fs, 'createReadStream').mockReturnValue('mock_stream_2')
+
+      // second call
+      const result2 = await route.check(mockOdac)
+
+      expect(fs.promises.stat).not.toHaveBeenCalled() // Not called because metadata is cached
+      expect(mockOdac.Request.header).toHaveBeenCalledWith('Content-Type', 'text/javascript')
+      expect(mockOdac.Request.header).toHaveBeenCalledWith('Content-Length', 2048)
+      expect(mockCreateReadStream).toHaveBeenCalledWith(path.normalize('/app/public/script.js'))
+      expect(result2).toBe('mock_stream_2')
+    })
+  })
 })