rxdb-server 17.1.0 → 17.2.0

package/dist/types/plugins/server/performance-test.d.ts

@@ -0,0 +1,43 @@
+/**
+ * A reusable performance test suite for RxDB server adapters.
+ * This function can be exported and used by consumers who
+ * create custom adapters to verify their performance characteristics.
+ */
+import type { RxDatabase } from 'rxdb/plugins/core';
+import type { RxServerAdapter } from './types.ts';
+export type PerformanceTestResult = {
+    /** Name of the test case */
+    name: string;
+    /** Total time in milliseconds */
+    timeMs: number;
+    /** Number of operations performed */
+    opsCount: number;
+    /** Calculated operations per second */
+    opsPerSecond: number;
+};
+export type PerformanceTestOptions<ServerAppType> = {
+    adapter: RxServerAdapter<ServerAppType, any, any>;
+    /**
+     * Function that creates a fresh RxDatabase instance.
+     * Must return a database that can be closed after each test.
+     */
+    createDatabase: () => Promise<RxDatabase>;
+    /**
+     * Function that resolves an available port for the server.
+     */
+    getPort: () => Promise<number>;
+    /**
+     * Number of documents to use for each test.
+     * [default=30]
+     */
+    batchSize?: number;
+};
+/**
+ * Runs a set of performance tests against the given adapter.
+ * Each test creates its own server and collection, measures
+ * the time for the operations, and tears down afterwards.
+ *
+ * Returns an array of results that callers can assert against
+ * or log for comparison purposes.
+ */
+export declare function performanceTest<ServerAppType>(options: PerformanceTestOptions<ServerAppType>): Promise<PerformanceTestResult[]>;

package/orga/changelog/README.md

@@ -0,0 +1,18 @@
+## Changelog Entries
+
+Add one file per changelog entry to this folder. Each file should contain one or more changelog lines starting with `-`.
+
+**File naming**: Use a descriptive filename ending in `.md`, for example:
+
+- `fix-count-query-with-limit.md`
+- `add-supabase-attachment-support.md`
+
+**File content example**:
+
+```
+- FIX some bug that caused incorrect results
+```
+
+On rxdb release, all `.md` files in this folder (except this README) are read out from rxdb-server and merged into the changelog at rxdb core.
+
+This approach prevents merge conflicts in `CHANGELOG.md` when multiple PRs are open at the same time.

package/orga/changelog/fix-cors-wildcard-with-credentials.md

@@ -0,0 +1 @@
+- FIX invalid CORS response when the server is configured with the default `cors: '*'`. The express adapter always sends `Access-Control-Allow-Credentials: true`, but combining that with `Access-Control-Allow-Origin: *` is rejected by browsers per the CORS spec, so credentialed (cookie/auth-header) requests from any cross-origin client would fail. The adapter now reflects the request `Origin` back when `cors` is `'*'`, keeping the "allow from anywhere" semantics while staying compatible with credentials.

package/orga/changelog/fix-false-conflicts-missing-server-only-field.md

@@ -0,0 +1 @@
+- FIX false conflicts during replication push when a `serverOnlyField` is absent from the stored server document (e.g. because the field is optional and was never set). `mergeServerDocumentFieldsMonad` previously wrote a `null` value for the missing field onto the merged `assumedMasterState`, so the extra key caused `masterWrite`'s `isEqual` check to report a conflict that did not actually exist, silently reverting the client's update. The helper now deletes the property in that case so the merged row matches the stored master state.

package/orga/changelog/fix-replication-pull-url-encode-checkpoint.md

@@ -0,0 +1 @@
+- FIX replication pull URL not URL-encoding the checkpoint `id`. When a document's primary key contained URL-reserved characters (for example `&`, `#`, `=`), the URL was parsed incorrectly on the server, causing the checkpoint to be truncated. With `batchSize: 1` this could make the pull loop never advance past such a document. The client now encodes the `id` with `encodeURIComponent`.

package/orga/changelog/fix-replication-push-new-doc-server-only-fields-strip.md

@@ -0,0 +1 @@
+- FIX replication `/push` endpoint allowing clients to populate `serverOnlyFields` when inserting NEW documents. `mergeServerDocumentFieldsMonad` returned the client document unchanged when no server-side document existed yet, so a client-supplied value for a server-only field was passed through to `replicationHandler.masterWrite()` and persisted on the server. The merge now strips server-only fields from the client document when the server has no prior state for it, matching the documented contract that clients cannot do writes where one of the `serverOnlyFields` is set. The REST `/set` endpoint already stripped these fields explicitly, so it was unaffected.

package/orga/changelog/fix-replication-push-new-doc-server-only-fields.md

@@ -0,0 +1 @@
+- FIX conflict handling for new documents pushed via replication when `serverOnlyFields` are configured. `mergeServerDocumentFieldsMonad` incorrectly transformed a falsy `assumedMasterState` (used for new document inserts) into an object and set server-only fields to `null` on `newDocumentState`, causing schema validation failures and false conflicts.

package/orga/changelog/fix-replication-push-server-only-fields-insert.md

@@ -0,0 +1 @@
+- FIX replication `/push` endpoint allowing clients to populate `serverOnlyFields` when inserting NEW documents. Updates of existing documents already preserved the stored server value via `mergeServerDocumentFields`, but inserts (no `assumedMasterState` / no existing serverDoc) passed the client document straight into `masterWrite`, so any value the client sent for a server-only field was persisted. The handler now strips server-only fields from the new document state on insert, matching the behavior of the REST `/set` endpoint and the documented contract that clients cannot do writes where one of the `serverOnlyFields` is set.

package/orga/changelog/fix-rest-client-missing-await.md

@@ -0,0 +1 @@
+- FIX missing `await` in `RxRestClient.get()`, `RxRestClient.set()`, and `RxRestClient.delete()` methods. The `postRequest()` call was not awaited before calling `handleError()`, which caused server errors (e.g. 403 Forbidden from `changeValidator`) to be silently swallowed instead of thrown to the caller.

package/orga/changelog/fix-rest-client-observe-query-url-encode-base64.md

@@ -0,0 +1 @@
+- FIX REST client `observeQuery` not URL-encoding the base64 query string. Standard base64 contains `+` and `/`; in a URL query parameter `+` is decoded by the server as a space, so the server's `atob` rejected the corrupted string with `Invalid character` and the SSE handler crashed silently after the response headers were already sent. Any query whose base64 contained `+` or `/` (for example, queries that filtered by a unicode value such as `firstName: { $eq: 'ûÿþ' }`) would never deliver a document and the client just hung. The base64 is now passed through `encodeURIComponent` before being appended to the URL.

package/orga/changelog/fix-rest-delete-server-only-fields-validator.md

@@ -0,0 +1 @@
+- FIX REST `/delete` endpoint returning 403 Forbidden when `serverOnlyFields` is configured. The delete handler passed full documents (including server-only fields) to the `changeValidator`, which always rejected them because the wrapper checks for the presence of server-only fields. Now the server-only fields are stripped before validation, consistent with the `/set` endpoint behavior.

package/orga/changelog/fix-rest-query-observe-regex-rejection.md

@@ -0,0 +1 @@
+- FIX REST `/query/observe` endpoint not rejecting `$regex` queries with a proper 400 response. The `queryModifier` wrapper throws on `$regex` selectors to prevent DOS attacks (matching the `/query` behavior), but the observe handler called the wrapped modifier AFTER `setSSEHeaders` had already committed a 200 OK SSE response, and without a `try/catch`. A client that sent a `$regex` query therefore observed a successful 200 status with an empty stream that the server then dropped, instead of the same 400 Bad Request that `/query` returns. The handler now runs the queryModifier (and the JSON/base64 query parsing) inside a `try/catch` BEFORE setting the SSE headers, so a bad request is answered with a proper 400 response.

package/orga/changelog/fix-rest-set-change-validator-new-doc.md

@@ -0,0 +1 @@
+- FIX REST `/set` endpoint not running the `changeValidator` for inserts of NEW documents. The handler only invoked the validator on the update path (when an existing document was found by primary key), so a `changeValidator` that returned `false` had no effect when the client sent a document whose primary key did not yet exist on the server. The handler now runs the validator for inserts as well, with `assumedMasterState` set to `undefined`, matching the behavior of the replication `/push` endpoint and the documented contract that the validator gates all writes.

package/orga/changelog/fix-rest-set-document-ownership-check.md

@@ -0,0 +1 @@
+- FIX REST `/set` endpoint allowing a client to overwrite documents they do not own. When a `queryModifier` was configured, the handler only validated that the client-provided (new) document state matched the modifier but never checked the existing server document. An authenticated user could therefore take over a foreign document by sending a write whose new state matched the modifier while targeting another user's primary key. The handler now also runs the query matcher against the existing server document and rejects the request with 403 Forbidden if it does not match, aligning the behavior with the replication `/push` endpoint.

package/orga/changelog/fix-rest-set-server-only-fields-insert.md

@@ -0,0 +1 @@
+- FIX REST endpoint `/set` allowing clients to populate `serverOnlyFields` when inserting NEW documents. Updates to existing documents already stripped client-supplied values for these fields, but the insert path passed the client document straight to `RxCollection.insert()`, so a client could persist arbitrary values into fields that are documented as server-only. The handler now strips server-only fields from the client document before inserting, matching the documented contract that clients cannot do writes where one of the `serverOnlyFields` is set.

package/orga/changelog/fix-rest-set-server-only-fields-overwrite.md

@@ -0,0 +1 @@
+- FIX REST endpoint `/set` not protecting `serverOnlyFields` from client overwrites. Clients could include server-only fields in write requests to `/set`, and those values would be stored directly instead of being ignored. The handler now uses `mergeServerDocumentFields` (consistent with the replication endpoint) to ensure server-only field values are always preserved from the server-side document, not taken from client input.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rxdb-server",
-  "version": "17.1.0",
+  "version": "17.2.0",
   "description": "RxDB Server Plugin",
   "license": "SSPL",
   "author": "pubkey",
@@ -73,72 +73,39 @@
     "test:integration:mongodb": "(cd test-integration && npm run transpile && npm run test:node:mongodb)"
   },
   "peerDependencies": {
-    "rxdb": "*",
+    "rxdb": "17.2.0",
     "rxjs": "*"
   },
   "dependencies": {
+    "@types/cors": "2.8.19",
     "@types/express": "5.0.6",
-    "array-push-at-sort-position": "5.0.0",
     "async-test-util": "2.5.0",
     "cors": "2.8.6",
-    "eth-crypto": "4.0.0",
-    "eventsource": "4.1.0",
-    "percom": "1.1.3",
-    "web-locks": "0.0.9",
-    "web-worker": "1.5.0"
+    "eventsource": "4.1.0"
   },
   "devDependencies": {
     "@babel/cli": "7.28.6",
     "@babel/core": "7.29.0",
-    "@babel/plugin-external-helpers": "7.27.1",
-    "@babel/plugin-proposal-class-properties": "7.18.6",
-    "@babel/plugin-proposal-object-rest-spread": "7.20.7",
     "@babel/plugin-transform-literals": "7.27.1",
-    "@babel/plugin-transform-member-expression-literals": "7.27.1",
     "@babel/plugin-transform-modules-commonjs": "7.28.6",
     "@babel/plugin-transform-react-jsx": "7.28.6",
-    "@babel/plugin-transform-property-literals": "7.27.1",
     "@babel/plugin-transform-runtime": "7.29.0",
-    "@babel/plugin-transform-spread": "7.28.6",
     "@babel/plugin-transform-template-literals": "7.27.1",
     "@babel/plugin-transform-typescript": "7.28.6",
-    "@babel/polyfill": "7.12.1",
     "@babel/preset-env": "7.29.2",
     "@babel/preset-typescript": "7.28.5",
-    "@babel/types": "7.29.0",
-    "@faker-js/faker": "10.4.0",
     "@types/mocha": "10.0.10",
-    "@types/node": "24.12.0",
-    "@types/websql": "0.0.30",
-    "babel-loader": "10.1.1",
+    "@types/node": "24.12.2",
     "babel-plugin-transform-class-properties": "6.24.1",
     "concurrently": "9.2.1",
     "cross-env": "10.1.0",
-    "detect-browser": "5.3.0",
     "express": "5.2.1",
     "get-port": "5.1.1",
-    "http-server": "14.1.1",
-    "karma": "6.4.4",
-    "karma-chrome-launcher": "3.2.0",
-    "karma-detect-browsers": "2.3.3",
-    "karma-firefox-launcher": "2.1.3",
-    "karma-mocha": "2.0.1",
-    "karma-sourcemap-loader": "0.4.0",
-    "karma-spec-reporter": "0.0.36",
-    "karma-typescript": "5.5.4",
-    "karma-webpack": "5.0.1",
-    "mini-css-extract-plugin": "2.10.2",
-    "minify-all-js": "0.1.9",
     "mocha": "11.7.5",
     "rimraf": "6.1.3",
-    "rxdb": "17.1.0",
+    "rxdb": "https://github.com/pubkey/rxdb/archive/1ad97a93e4589aaf634e0d7c8ead0d75c4325017.tar.gz",
     "rxjs": "7.8.2",
-    "ts-loader": "9.5.4",
     "ts-node": "10.9.2",
-    "typescript": "5.9.3",
-    "webpack": "5.105.4",
-    "webpack-bundle-analyzer": "5.3.0",
-    "webpack-cli": "7.0.2",
-    "webpack-dev-server": "5.2.3"
+    "typescript": "5.9.3"
   }
 }