s3db.js 13.5.1 → 13.6.0

package/src/resource.class.js

@@ -1,7 +1,6 @@
 import { join } from "path";
 import { createHash } from "crypto";
 import AsyncEventEmitter from "./concerns/async-event-emitter.js";
-import { customAlphabet, urlAlphabet } from 'nanoid';
 import jsonStableStringify from "json-stable-stringify";
 import { PromisePool } from "@supercharge/promise-pool";
 import { chunk, cloneDeep, merge, isEmpty, isObject } from "lodash-es";
@@ -12,7 +11,7 @@ import { streamToString } from "./stream/index.js";
 import tryFn, { tryFnSync } from "./concerns/try-fn.js";
 import { ResourceReader, ResourceWriter } from "./stream/index.js"
 import { getBehavior, DEFAULT_BEHAVIOR } from "./behaviors/index.js";
-import { idGenerator as defaultIdGenerator } from "./concerns/id.js";
+import { idGenerator as defaultIdGenerator, createCustomGenerator, getUrlAlphabet } from "./concerns/id.js";
 import { calculateTotalSize, calculateEffectiveLimit } from "./concerns/calculator.js";
 import { mapAwsError, InvalidResourceItem, ResourceError, PartitionError, ValidationError } from "./errors.js";
 
@@ -26,7 +25,8 @@ export class Resource extends AsyncEventEmitter {
    * @param {string} [config.version='v1'] - Resource version
    * @param {Object} [config.attributes={}] - Resource attributes schema
    * @param {string} [config.behavior='user-managed'] - Resource behavior strategy
-   * @param {string} [config.passphrase='secret'] - Encryption passphrase
+   * @param {string} [config.passphrase='secret'] - Encryption passphrase (for 'secret' type)
+   * @param {number} [config.bcryptRounds=10] - Bcrypt rounds (for 'password' type)
    * @param {number} [config.parallelism=10] - Parallelism for bulk operations
    * @param {Array} [config.observers=[]] - Observer instances
    * @param {boolean} [config.cache=false] - Enable caching
@@ -123,6 +123,7 @@ export class Resource extends AsyncEventEmitter {
       attributes = {},
       behavior = DEFAULT_BEHAVIOR,
       passphrase = 'secret',
+      bcryptRounds = 10,
       parallelism = 10,
       observers = [],
       cache = false,
@@ -140,7 +141,8 @@ export class Resource extends AsyncEventEmitter {
       asyncEvents = true,
       asyncPartitions = true,
       strictPartitions = false,
-      createdBy = 'user'
+      createdBy = 'user',
+      guard
     } = config;
 
     // Set instance properties
@@ -151,6 +153,7 @@ export class Resource extends AsyncEventEmitter {
     this.observers = observers;
     this.parallelism = parallelism;
     this.passphrase = passphrase ?? 'secret';
+    this.bcryptRounds = bcryptRounds;
     this.versioningEnabled = versioningEnabled;
     this.strictValidation = strictValidation;
     
@@ -281,6 +284,10 @@ export class Resource extends AsyncEventEmitter {
       }
     }
 
+    // --- GUARDS SYSTEM ---
+    // Normalize and store guards (framework-agnostic authorization)
+    this.guard = this._normalizeGuard(guard);
+
     // --- MIDDLEWARE SYSTEM ---
     this._initMiddleware();
     // Debug: print method names and typeof update at construction
@@ -303,11 +310,11 @@ export class Resource extends AsyncEventEmitter {
     }
     // If customIdGenerator is a number (size), create a generator with that size
     if (typeof customIdGenerator === 'number' && customIdGenerator > 0) {
-      return customAlphabet(urlAlphabet, customIdGenerator);
+      return createCustomGenerator(getUrlAlphabet(), customIdGenerator);
     }
     // If idSize is provided, create a generator with that size
     if (typeof idSize === 'number' && idSize > 0 && idSize !== 22) {
-      return customAlphabet(urlAlphabet, idSize);
+      return createCustomGenerator(getUrlAlphabet(), idSize);
     }
     // Default to the standard idGenerator (22 chars)
     return defaultIdGenerator;
@@ -400,6 +407,7 @@ export class Resource extends AsyncEventEmitter {
       name: this.name,
       attributes: this.attributes,
       passphrase: this.passphrase,
+      bcryptRounds: this.bcryptRounds,
       version: this.version,
       options: {
         autoDecrypt: this.config.autoDecrypt,
@@ -1060,9 +1068,7 @@ export class Resource extends AsyncEventEmitter {
    * });
    */
   async insert({ id, ...attributes }) {
-    const exists = await this.exists(id);
-    if (exists) throw new Error(`Resource with id '${id}' already exists`);
-    const keyDebug = this.getResourceKey(id || '(auto)');
+    const providedId = id !== undefined && id !== null && String(id).trim() !== '';
     if (this.config.timestamps) {
       attributes.createdAt = new Date().toISOString();
       attributes.updatedAt = new Date().toISOString();
@@ -1086,11 +1092,12 @@ export class Resource extends AsyncEventEmitter {
     const extraData = {};
     for (const k of extraProps) extraData[k] = preProcessedData[k];
 
+    const shouldValidateId = preProcessedData.id !== undefined && preProcessedData.id !== null;
     const {
       errors,
       isValid,
       data: validated,
-    } = await this.validate(preProcessedData, { includeId: true });
+    } = await this.validate(preProcessedData, { includeId: shouldValidateId });
 
     if (!isValid) {
       const errorMsg = (errors && errors.length && errors[0].message) ? errors[0].message : 'Insert failed';
@@ -1109,7 +1116,7 @@ export class Resource extends AsyncEventEmitter {
     Object.assign(validatedAttributes, extraData);
     
     // Generate ID with fallback for empty generators
-    let finalId = validatedId || id;
+    let finalId = validatedId || preProcessedData.id || id;
     if (!finalId) {
       finalId = this.idGenerator();
       // Fallback to default generator if custom generator returns empty
@@ -1133,6 +1140,31 @@ export class Resource extends AsyncEventEmitter {
 
     // Add version metadata (required for all objects)
     const finalMetadata = processedMetadata;
+
+    if (!finalId || String(finalId).trim() === '') {
+      throw new InvalidResourceItem({
+        bucket: this.client.config.bucket,
+        resourceName: this.name,
+        attributes: preProcessedData,
+        validation: [{ message: 'Generated ID is invalid', field: 'id' }],
+        message: 'Generated ID is invalid'
+      });
+    }
+
+    const shouldCheckExists = providedId || shouldValidateId || validatedId !== undefined;
+    if (shouldCheckExists) {
+      const alreadyExists = await this.exists(finalId);
+      if (alreadyExists) {
+        throw new InvalidResourceItem({
+          bucket: this.client.config.bucket,
+          resourceName: this.name,
+          attributes: preProcessedData,
+          validation: [{ message: `Resource with id '${finalId}' already exists`, field: 'id' }],
+          message: `Resource with id '${finalId}' already exists`
+        });
+      }
+    }
+
     const key = this.getResourceKey(finalId);
     // Determine content type based on body content
     let contentType = undefined;
@@ -3653,6 +3685,102 @@ export class Resource extends AsyncEventEmitter {
     return filtered;
   }
 
+  // --- GUARDS SYSTEM ---
+  /**
+   * Normalize guard configuration
+   * @param {Object|Array|undefined} guard - Guard configuration
+   * @returns {Object|null} Normalized guard config
+   * @private
+   */
+  _normalizeGuard(guard) {
+    if (!guard) return null;
+
+    // String array simples → aplica para todas as operações
+    if (Array.isArray(guard)) {
+      return { '*': guard };
+    }
+
+    return guard;
+  }
+
+  /**
+   * Execute guard for operation
+   * @param {string} operation - Operation name (list, get, insert, update, etc)
+   * @param {Object} context - Framework-agnostic context
+   * @param {Object} context.user - Decoded JWT token
+   * @param {Object} context.params - Route params
+   * @param {Object} context.body - Request body
+   * @param {Object} context.query - Query string
+   * @param {Object} context.headers - Request headers
+   * @param {Function} context.setPartition - Helper to set partition
+   * @param {Object} [resource] - Resource record (for get/update/delete)
+   * @returns {Promise<boolean>} True if allowed, false if denied
+   */
+  async executeGuard(operation, context, resource = null) {
+    if (!this.guard) return true;  // No guard = allow
+
+    // 1. Try operation-specific guard
+    let guardFn = this.guard[operation];
+
+    // 2. Fallback to wildcard
+    if (!guardFn) {
+      guardFn = this.guard['*'];
+    }
+
+    // 3. No guard = allow
+    if (!guardFn) return true;
+
+    // 4. Boolean simple
+    if (typeof guardFn === 'boolean') {
+      return guardFn;
+    }
+
+    // 5. Array of roles/scopes
+    if (Array.isArray(guardFn)) {
+      return this._checkRolesScopes(guardFn, context.user);
+    }
+
+    // 6. Custom function
+    if (typeof guardFn === 'function') {
+      try {
+        const result = await guardFn(context, resource);
+        return result === true;  // Force boolean
+      } catch (err) {
+        // Guard error = deny access
+        console.error(`Guard error for ${operation}:`, err);
+        return false;
+      }
+    }
+
+    return false;  // Default: deny
+  }
+
+  /**
+   * Check if user has required roles or scopes
+   * @param {Array<string>} requiredRolesScopes - Required roles/scopes
+   * @param {Object} user - User from JWT token
+   * @returns {boolean} True if user has any of required roles/scopes
+   * @private
+   */
+  _checkRolesScopes(requiredRolesScopes, user) {
+    if (!user) return false;
+
+    // User scopes (OpenID scope claim)
+    const userScopes = user.scope?.split(' ') || [];
+
+    // User roles - support multiple formats (Keycloak, Azure AD)
+    const clientId = user.azp || process.env.CLIENT_ID || 'default';
+    const clientRoles = user.resource_access?.[clientId]?.roles || [];
+    const realmRoles = user.realm_access?.roles || [];
+    const azureRoles = user.roles || [];
+    const userRoles = [...clientRoles, ...realmRoles, ...azureRoles];
+
+    // Check if user has any of required
+    return requiredRolesScopes.some(required => {
+      return userScopes.includes(required) || userRoles.includes(required);
+    });
+  }
+
   // --- MIDDLEWARE SYSTEM ---
   _initMiddleware() {
     // Map of methodName -> array of middleware functions
@@ -4012,4 +4140,4 @@ function validateResourceConfig(config) {
   };
 }
 
-export default Resource;
+export default Resource;

package/src/schema.class.js

@@ -13,6 +13,7 @@ import {
 } from "lodash-es";
 
 import { encrypt, decrypt } from "./concerns/crypto.js";
+import { hashPassword, compactHash } from "./concerns/password-hashing.js";
 import { ValidatorManager } from "./validator.class.js";
 import { tryFn, tryFnSync } from "./concerns/try-fn.js";
 import { SchemaError } from "./errors.js";
@@ -121,6 +122,16 @@ export const SchemaActions = {
     return raw;
   },
 
+  hashPassword: async (value, { bcryptRounds = 10 }) => {
+    if (value === null || value === undefined) return value;
+    // Hash with bcrypt
+    const [okHash, errHash, hash] = await tryFn(() => hashPassword(String(value), bcryptRounds));
+    if (!okHash) return value; // Return original on error
+    // Compact hash to save space (60 → 53 bytes)
+    const [okCompact, errCompact, compacted] = tryFnSync(() => compactHash(hash));
+    return okCompact ? compacted : hash; // Return compacted or fallback to full hash
+  },
+
   toString: (value) => value == null ? value : String(value),
 
   fromArray: (value, { separator }) => {
@@ -535,6 +546,7 @@ export class Schema {
       name,
       attributes,
       passphrase,
+      bcryptRounds,
       version = 1,
       options = {},
       _pluginAttributeMetadata,
@@ -545,6 +557,7 @@ export class Schema {
     this.version = version;
     this.attributes = attributes || {};
     this.passphrase = passphrase ?? "secret";
+    this.bcryptRounds = bcryptRounds ?? 10;
     this.options = merge({}, this.defaultOptions(), options);
     this.allNestedObjectsOptional = this.options.allNestedObjectsOptional ?? false;
 
@@ -555,7 +568,11 @@ export class Schema {
     // Preprocess attributes to handle nested objects for validator compilation
     const processedAttributes = this.preprocessAttributesForValidation(this.attributes);
 
-    this.validator = new ValidatorManager({ autoEncrypt: false }).compile(merge(
+    this.validator = new ValidatorManager({
+      autoEncrypt: false,
+      passphrase: this.passphrase,
+      bcryptRounds: this.bcryptRounds
+    }).compile(merge(
       { $$async: true, $$strict: false },
       processedAttributes,
     ))
@@ -824,6 +841,16 @@ export class Schema {
         continue;
       }
 
+      // Handle passwords
+      if (defStr.includes("password") || defType === 'password') {
+        if (this.options.autoEncrypt) {
+          this.addHook("beforeMap", name, "hashPassword");
+        }
+        // No afterUnmap hook - passwords are one-way hashed
+        // Skip other processing for passwords
+        continue;
+      }
+
       // Handle ip4 type
       if (defStr.includes("ip4") || defType === 'ip4') {
         this.addHook("beforeMap", name, "encodeIPv4");
@@ -1067,6 +1094,7 @@ export class Schema {
         if (value !== undefined && typeof SchemaActions[actionName] === 'function') {
           set(cloned, attribute, await SchemaActions[actionName](value, {
             passphrase: this.passphrase,
+            bcryptRounds: this.bcryptRounds,
             separator: this.options.arraySeparator,
             ...actionParams  // Merge custom parameters (currency, precision, etc.)
           }))
@@ -1181,6 +1209,7 @@ export class Schema {
           if (typeof SchemaActions[actionName] === 'function') {
             parsedValue = await SchemaActions[actionName](parsedValue, {
               passphrase: this.passphrase,
+              bcryptRounds: this.bcryptRounds,
               separator: this.options.arraySeparator,
               ...actionParams  // Merge custom parameters (currency, precision, etc.)
             });

package/src/validator.class.js

@@ -2,10 +2,11 @@ import { merge, isString } from "lodash-es";
 import FastestValidator from "fastest-validator";
 
 import { encrypt } from "./concerns/crypto.js";
+import { hashPassword, hashPasswordSync, compactHash } from "./concerns/password-hashing.js";
 import tryFn, { tryFnSync } from "./concerns/try-fn.js";
 import { ValidationError } from "./errors.js";
 
-async function secretHandler (actual, errors, schema) {
+function secretHandler (actual, errors, schema) {
   if (!this.passphrase) {
     errors.push(new ValidationError("Missing configuration for secrets encryption.", {
       actual,
@@ -15,7 +16,7 @@ async function secretHandler (actual, errors, schema) {
     return actual;
   }
 
-  const [ok, err, res] = await tryFn(() => encrypt(String(actual), this.passphrase));
+  const [ok, err, res] = tryFnSync(() => encrypt(String(actual), this.passphrase));
   if (ok) return res;
   errors.push(new ValidationError("Problem encrypting secret.", {
     actual,
@@ -26,7 +27,44 @@ async function secretHandler (actual, errors, schema) {
   return actual;
 }
 
-async function jsonHandler (actual, errors, schema) {
+function passwordHandler (actual, errors, schema) {
+  if (!this.bcryptRounds) {
+    errors.push(new ValidationError("Missing bcrypt rounds configuration.", {
+      actual,
+      type: "bcryptRoundsMissing",
+      suggestion: "Provide bcryptRounds in database configuration."
+    }));
+    return actual;
+  }
+
+  // Hash password with bcrypt (synchronous)
+  const [okHash, errHash, hash] = tryFnSync(() => hashPasswordSync(String(actual), this.bcryptRounds));
+  if (!okHash) {
+    errors.push(new ValidationError("Problem hashing password.", {
+      actual,
+      type: "passwordHashingProblem",
+      error: errHash,
+      suggestion: "Check the bcryptRounds configuration and password value."
+    }));
+    return actual;
+  }
+
+  // Compact hash to save space (60 bytes → 53 bytes)
+  const [okCompact, errCompact, compacted] = tryFnSync(() => compactHash(hash));
+  if (!okCompact) {
+    errors.push(new ValidationError("Problem compacting password hash.", {
+      actual,
+      type: "hashCompactionProblem",
+      error: errCompact,
+      suggestion: "Bcrypt hash format may be invalid."
+    }));
+    return hash; // Return uncompacted as fallback
+  }
+
+  return compacted;
+}
+
+function jsonHandler (actual, errors, schema) {
   if (isString(actual)) return actual;
   const [ok, err, json] = tryFnSync(() => JSON.stringify(actual));
   if (!ok) throw new ValidationError("Failed to stringify JSON", { original: err, input: actual });
@@ -34,13 +72,15 @@ async function jsonHandler (actual, errors, schema) {
 }
 
 export class Validator extends FastestValidator {
-  constructor({ options, passphrase, autoEncrypt = true } = {}) {
+  constructor({ options, passphrase, bcryptRounds = 10, autoEncrypt = true, autoHash = true } = {}) {
     super(merge({}, {
       useNewCustomCheckerFunction: true,
 
       messages: {
         encryptionKeyMissing: "Missing configuration for secrets encryption.",
         encryptionProblem: "Problem encrypting secret. Actual: {actual}. Error: {error}",
+        bcryptRoundsMissing: "Missing bcrypt rounds configuration for password hashing.",
+        passwordHashingProblem: "Problem hashing password. Error: {error}",
       },
 
       defaults: {
@@ -57,7 +97,9 @@ export class Validator extends FastestValidator {
     }, options))
 
     this.passphrase = passphrase;
-    this.autoEncrypt = autoEncrypt;
+    this.bcryptRounds = bcryptRounds;
+    this.autoEncrypt = autoEncrypt; // Controls automatic encryption of 'secret' type fields
+    this.autoHash = autoHash; // Controls automatic hashing of 'password' type fields
 
     this.alias('secret', {
       type: "string",
@@ -73,11 +115,20 @@ export class Validator extends FastestValidator {
       custom: this.autoEncrypt ? secretHandler : undefined,
     })
 
-    this.alias('secretNumber', { 
+    this.alias('secretNumber', {
       type: "number",
       custom: this.autoEncrypt ? secretHandler : undefined,
     })
 
+    this.alias('password', {
+      type: "string",
+      custom: this.autoHash ? passwordHandler : undefined,
+      messages: {
+        string: "The '{field}' field must be a string.",
+        stringMin: "This password '{field}' field length must be at least {expected} long.",
+      },
+    })
+
     this.alias('json', {
       type: "any",
       custom: this.autoEncrypt ? jsonHandler : undefined,