npm - s3db.js - Versions diffs - 13.4.0 → 13.6.0 - Mend

s3db.js 13.4.0 → 13.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (110) hide show

package/README.md +25 -10
package/dist/{s3db.cjs.js → s3db.cjs} +38801 -32446
package/dist/s3db.cjs.map +1 -0
package/dist/s3db.es.js +38653 -32291
package/dist/s3db.es.js.map +1 -1
package/package.json +218 -22
package/src/concerns/id.js +90 -6
package/src/concerns/index.js +2 -1
package/src/concerns/password-hashing.js +150 -0
package/src/database.class.js +6 -2
package/src/plugins/api/auth/basic-auth.js +40 -10
package/src/plugins/api/auth/index.js +49 -3
package/src/plugins/api/auth/oauth2-auth.js +171 -0
package/src/plugins/api/auth/oidc-auth.js +789 -0
package/src/plugins/api/auth/oidc-client.js +462 -0
package/src/plugins/api/auth/path-auth-matcher.js +284 -0
package/src/plugins/api/concerns/event-emitter.js +134 -0
package/src/plugins/api/concerns/failban-manager.js +651 -0
package/src/plugins/api/concerns/guards-helpers.js +402 -0
package/src/plugins/api/concerns/metrics-collector.js +346 -0
package/src/plugins/api/index.js +510 -57
package/src/plugins/api/middlewares/failban.js +305 -0
package/src/plugins/api/middlewares/rate-limit.js +301 -0
package/src/plugins/api/middlewares/request-id.js +74 -0
package/src/plugins/api/middlewares/security-headers.js +120 -0
package/src/plugins/api/middlewares/session-tracking.js +194 -0
package/src/plugins/api/routes/auth-routes.js +119 -78
package/src/plugins/api/routes/resource-routes.js +73 -30
package/src/plugins/api/server.js +1139 -45
package/src/plugins/api/utils/custom-routes.js +102 -0
package/src/plugins/api/utils/guards.js +213 -0
package/src/plugins/api/utils/mime-types.js +154 -0
package/src/plugins/api/utils/openapi-generator.js +91 -12
package/src/plugins/api/utils/path-matcher.js +173 -0
package/src/plugins/api/utils/static-filesystem.js +262 -0
package/src/plugins/api/utils/static-s3.js +231 -0
package/src/plugins/api/utils/template-engine.js +188 -0
package/src/plugins/cloud-inventory/drivers/alibaba-driver.js +853 -0
package/src/plugins/cloud-inventory/drivers/aws-driver.js +2554 -0
package/src/plugins/cloud-inventory/drivers/azure-driver.js +637 -0
package/src/plugins/cloud-inventory/drivers/base-driver.js +99 -0
package/src/plugins/cloud-inventory/drivers/cloudflare-driver.js +620 -0
package/src/plugins/cloud-inventory/drivers/digitalocean-driver.js +698 -0
package/src/plugins/cloud-inventory/drivers/gcp-driver.js +645 -0
package/src/plugins/cloud-inventory/drivers/hetzner-driver.js +559 -0
package/src/plugins/cloud-inventory/drivers/linode-driver.js +614 -0
package/src/plugins/cloud-inventory/drivers/mock-drivers.js +449 -0
package/src/plugins/cloud-inventory/drivers/mongodb-atlas-driver.js +771 -0
package/src/plugins/cloud-inventory/drivers/oracle-driver.js +768 -0
package/src/plugins/cloud-inventory/drivers/vultr-driver.js +636 -0
package/src/plugins/cloud-inventory/index.js +20 -0
package/src/plugins/cloud-inventory/registry.js +146 -0
package/src/plugins/cloud-inventory/terraform-exporter.js +362 -0
package/src/plugins/cloud-inventory.plugin.js +1333 -0
package/src/plugins/concerns/plugin-dependencies.js +62 -2
package/src/plugins/eventual-consistency/analytics.js +1 -0
package/src/plugins/eventual-consistency/consolidation.js +2 -2
package/src/plugins/eventual-consistency/garbage-collection.js +2 -2
package/src/plugins/eventual-consistency/install.js +2 -2
package/src/plugins/identity/README.md +335 -0
package/src/plugins/identity/concerns/mfa-manager.js +204 -0
package/src/plugins/identity/concerns/password.js +138 -0
package/src/plugins/identity/concerns/resource-schemas.js +273 -0
package/src/plugins/identity/concerns/token-generator.js +172 -0
package/src/plugins/identity/email-service.js +422 -0
package/src/plugins/identity/index.js +1052 -0
package/src/plugins/identity/oauth2-server.js +1033 -0
package/src/plugins/identity/oidc-discovery.js +285 -0
package/src/plugins/identity/rsa-keys.js +323 -0
package/src/plugins/identity/server.js +500 -0
package/src/plugins/identity/session-manager.js +453 -0
package/src/plugins/identity/ui/layouts/base.js +251 -0
package/src/plugins/identity/ui/middleware.js +135 -0
package/src/plugins/identity/ui/pages/admin/client-form.js +247 -0
package/src/plugins/identity/ui/pages/admin/clients.js +179 -0
package/src/plugins/identity/ui/pages/admin/dashboard.js +181 -0
package/src/plugins/identity/ui/pages/admin/user-form.js +283 -0
package/src/plugins/identity/ui/pages/admin/users.js +263 -0
package/src/plugins/identity/ui/pages/consent.js +262 -0
package/src/plugins/identity/ui/pages/forgot-password.js +104 -0
package/src/plugins/identity/ui/pages/login.js +144 -0
package/src/plugins/identity/ui/pages/mfa-backup-codes.js +180 -0
package/src/plugins/identity/ui/pages/mfa-enrollment.js +187 -0
package/src/plugins/identity/ui/pages/mfa-verification.js +178 -0
package/src/plugins/identity/ui/pages/oauth-error.js +225 -0
package/src/plugins/identity/ui/pages/profile.js +361 -0
package/src/plugins/identity/ui/pages/register.js +226 -0
package/src/plugins/identity/ui/pages/reset-password.js +128 -0
package/src/plugins/identity/ui/pages/verify-email.js +172 -0
package/src/plugins/identity/ui/routes.js +2541 -0
package/src/plugins/identity/ui/styles/main.css +465 -0
package/src/plugins/index.js +4 -1
package/src/plugins/ml/base-model.class.js +65 -16
package/src/plugins/ml/classification-model.class.js +1 -1
package/src/plugins/ml/timeseries-model.class.js +3 -1
package/src/plugins/ml.plugin.js +584 -31
package/src/plugins/shared/error-handler.js +147 -0
package/src/plugins/shared/index.js +9 -0
package/src/plugins/shared/middlewares/compression.js +117 -0
package/src/plugins/shared/middlewares/cors.js +49 -0
package/src/plugins/shared/middlewares/index.js +11 -0
package/src/plugins/shared/middlewares/logging.js +54 -0
package/src/plugins/shared/middlewares/rate-limit.js +73 -0
package/src/plugins/shared/middlewares/security.js +158 -0
package/src/plugins/shared/response-formatter.js +264 -0
package/src/plugins/state-machine.plugin.js +57 -2
package/src/resource.class.js +140 -12
package/src/schema.class.js +30 -1
package/src/validator.class.js +57 -6
package/dist/s3db.cjs.js.map +0 -1

package/src/plugins/api/concerns/guards-helpers.js ADDED Viewed

@@ -0,0 +1,402 @@
+/**
+ * Guards Helpers - Framework-agnostic context creation
+ *
+ * Creates GuardContext from different web frameworks (Express, Hono, Fastify)
+ */
+/**
+ * Create framework-agnostic GuardContext from Express request
+ * @param {Object} req - Express request
+ * @returns {Object} GuardContext
+ */
+export function createExpressContext(req) {
+  const context = {
+    user: req.user || {},
+    params: req.params || {},
+    body: req.body || {},
+    query: req.query || {},
+    headers: req.headers || {},
+    // Internal state
+    partitionName: null,
+    partitionValues: {},
+    tenantId: null,
+    userId: null,
+    // Helper to set partition
+    setPartition(name, values) {
+      this.partitionName = name;
+      this.partitionValues = values;
+    },
+    // Framework raw (for advanced use)
+    raw: { req }
+  };
+  return context;
+}
+/**
+ * Create framework-agnostic GuardContext from Hono context
+ * @param {Object} c - Hono context
+ * @returns {Promise<Object>} GuardContext
+ */
+export async function createHonoContext(c) {
+  const context = {
+    user: c.get('user') || {},
+    params: c.req.param(),
+    body: await c.req.json().catch(() => ({})),
+    query: c.req.query(),
+    headers: Object.fromEntries(c.req.raw.headers.entries()),
+    // Internal state
+    partitionName: null,
+    partitionValues: {},
+    tenantId: null,
+    userId: null,
+    // Helper to set partition
+    setPartition(name, values) {
+      this.partitionName = name;
+      this.partitionValues = values;
+    },
+    // Framework raw
+    raw: { c }
+  };
+  return context;
+}
+/**
+ * Create framework-agnostic GuardContext from Fastify request
+ * @param {Object} request - Fastify request
+ * @returns {Object} GuardContext
+ */
+export function createFastifyContext(request) {
+  const context = {
+    user: request.user || {},
+    params: request.params || {},
+    body: request.body || {},
+    query: request.query || {},
+    headers: request.headers || {},
+    // Internal state
+    partitionName: null,
+    partitionValues: {},
+    tenantId: null,
+    userId: null,
+    // Helper to set partition
+    setPartition(name, values) {
+      this.partitionName = name;
+      this.partitionValues = values;
+    },
+    // Framework raw
+    raw: { request }
+  };
+  return context;
+}
+/**
+ * Execute guards and apply results to list options
+ * @param {Resource} resource - Resource instance
+ * @param {Object} context - GuardContext
+ * @param {Object} options - List options
+ * @returns {Promise<Object>} Modified options
+ */
+export async function applyGuardsToList(resource, context, options = {}) {
+  // Execute list guard
+  const allowed = await resource.executeGuard('list', context);
+  if (!allowed) {
+    throw new Error('Forbidden: Guard denied access to list');
+  }
+  // Apply partition from guard if set
+  if (context.partitionName) {
+    options.partition = context.partitionName;
+    options.partitionValues = context.partitionValues || {};
+  }
+  return options;
+}
+/**
+ * Execute guards for get operation
+ * @param {Resource} resource - Resource instance
+ * @param {Object} context - GuardContext
+ * @param {Object} record - Record to check
+ * @returns {Promise<Object|null>} Record if allowed, null if denied
+ */
+export async function applyGuardsToGet(resource, context, record) {
+  if (!record) return null;
+  // Execute get guard
+  const allowed = await resource.executeGuard('get', context, record);
+  if (!allowed) {
+    // Return null instead of error (404 instead of 403)
+    return null;
+  }
+  return record;
+}
+/**
+ * Execute guards for insert operation
+ * @param {Resource} resource - Resource instance
+ * @param {Object} context - GuardContext
+ * @param {Object} data - Data to insert
+ * @returns {Promise<Object>} Modified data
+ */
+export async function applyGuardsToInsert(resource, context, data) {
+  // Execute insert guard
+  const allowed = await resource.executeGuard('insert', context);
+  if (!allowed) {
+    throw new Error('Forbidden: Guard denied access to insert');
+  }
+  // Guard may have modified context.body (e.g., force tenantId/userId)
+  if (context.body && typeof context.body === 'object') {
+    // Merge guard modifications into data
+    return { ...data, ...context.body };
+  }
+  return data;
+}
+/**
+ * Execute guards for update operation
+ * @param {Resource} resource - Resource instance
+ * @param {Object} context - GuardContext
+ * @param {Object} record - Current record
+ * @returns {Promise<boolean>} True if allowed
+ */
+export async function applyGuardsToUpdate(resource, context, record) {
+  if (!record) {
+    throw new Error('Resource not found');
+  }
+  // Execute update guard
+  const allowed = await resource.executeGuard('update', context, record);
+  if (!allowed) {
+    throw new Error('Forbidden: Guard denied access to update');
+  }
+  return true;
+}
+/**
+ * Execute guards for delete operation
+ * @param {Resource} resource - Resource instance
+ * @param {Object} context - GuardContext
+ * @param {Object} record - Record to delete
+ * @returns {Promise<boolean>} True if allowed
+ */
+export async function applyGuardsToDelete(resource, context, record) {
+  if (!record) {
+    throw new Error('Resource not found');
+  }
+  // Execute delete guard
+  const allowed = await resource.executeGuard('delete', context, record);
+  if (!allowed) {
+    throw new Error('Forbidden: Guard denied access to delete');
+  }
+  return true;
+}
+/**
+ * Check if user has required scopes
+ *
+ * @param {Array<string>} requiredScopes - Required scopes
+ * @param {string} mode - 'any' or 'all' (default: 'any')
+ * @returns {Function} Guard function
+ *
+ * @example
+ * // Require admin scope
+ * guard: {
+ *   delete: requireScopes(['admin'])
+ * }
+ *
+ * @example
+ * // Require ANY of multiple scopes
+ * guard: {
+ *   update: requireScopes(['admin', 'moderator'], 'any')
+ * }
+ *
+ * @example
+ * // Require ALL scopes
+ * guard: {
+ *   create: requireScopes(['write:urls', 'verified'], 'all')
+ * }
+ */
+export function requireScopes(requiredScopes, mode = 'any') {
+  if (!Array.isArray(requiredScopes)) {
+    requiredScopes = [requiredScopes];
+  }
+  return (ctx) => {
+    const userScopes = ctx.user?.scopes || [];
+    if (mode === 'all') {
+      // User must have ALL required scopes
+      return requiredScopes.every(scope => userScopes.includes(scope));
+    }
+    // mode === 'any': User must have AT LEAST ONE required scope
+    return requiredScopes.some(scope => userScopes.includes(scope));
+  };
+}
+/**
+ * Check if user has required role
+ *
+ * @param {string|Array<string>} role - Required role(s)
+ * @returns {Function} Guard function
+ *
+ * @example
+ * guard: {
+ *   delete: requireRole('admin')
+ * }
+ *
+ * @example
+ * // Multiple roles (any)
+ * guard: {
+ *   update: requireRole(['admin', 'moderator'])
+ * }
+ */
+export function requireRole(role) {
+  const roles = Array.isArray(role) ? role : [role];
+  return (ctx) => {
+    const userRole = ctx.user?.role;
+    const userRoles = ctx.user?.roles || [];
+    // Check single role field
+    if (userRole && roles.includes(userRole)) {
+      return true;
+    }
+    // Check roles array
+    return roles.some(r => userRoles.includes(r));
+  };
+}
+/**
+ * Require admin scope (shorthand for requireScopes(['admin']))
+ *
+ * @returns {Function} Guard function
+ *
+ * @example
+ * guard: {
+ *   delete: requireAdmin()
+ * }
+ */
+export function requireAdmin() {
+  return requireScopes(['admin']);
+}
+/**
+ * Check ownership (record.userId === ctx.user.sub)
+ *
+ * @param {string} field - Field to check (default: 'userId')
+ * @returns {Function} Guard function
+ *
+ * @example
+ * guard: {
+ *   update: requireOwnership(),
+ *   delete: requireOwnership('createdBy')
+ * }
+ */
+export function requireOwnership(field = 'userId') {
+  return (ctx, resource) => {
+    if (!resource) return false;
+    const userId = ctx.user?.sub || ctx.user?.id;
+    if (!userId) return false;
+    return resource[field] === userId;
+  };
+}
+/**
+ * Combine guards with OR logic (any guard passes = allowed)
+ *
+ * @param {...Function} guards - Guard functions
+ * @returns {Function} Combined guard function
+ *
+ * @example
+ * guard: {
+ *   delete: anyOf(
+ *     requireAdmin(),
+ *     requireOwnership()
+ *   )
+ * }
+ */
+export function anyOf(...guards) {
+  return async (ctx, resource) => {
+    for (const guard of guards) {
+      const result = await guard(ctx, resource);
+      if (result) return true;
+    }
+    return false;
+  };
+}
+/**
+ * Combine guards with AND logic (all guards must pass)
+ *
+ * @param {...Function} guards - Guard functions
+ * @returns {Function} Combined guard function
+ *
+ * @example
+ * guard: {
+ *   create: allOf(
+ *     requireScopes(['write:urls']),
+ *     (ctx) => ctx.user.verified === true
+ *   )
+ * }
+ */
+export function allOf(...guards) {
+  return async (ctx, resource) => {
+    for (const guard of guards) {
+      const result = await guard(ctx, resource);
+      if (!result) return false;
+    }
+    return true;
+  };
+}
+/**
+ * Check if user belongs to specific tenant
+ *
+ * @param {string} tenantField - Field name in resource (default: 'tenantId')
+ * @returns {Function} Guard function
+ *
+ * @example
+ * guard: {
+ *   '*': (ctx) => {
+ *     ctx.tenantId = ctx.user.tenantId || ctx.user.tid;
+ *     return !!ctx.tenantId;
+ *   },
+ *   update: requireTenant()
+ * }
+ */
+export function requireTenant(tenantField = 'tenantId') {
+  return (ctx, resource) => {
+    if (!resource) return true; // Let wildcard/insert guards handle
+    const userTenantId = ctx.tenantId || ctx.user?.tenantId || ctx.user?.tid;
+    if (!userTenantId) return false;
+    return resource[tenantField] === userTenantId;
+  };
+}