s3db.js 13.5.1 → 13.6.1

package/src/plugins/api/middlewares/security-headers.js

@@ -0,0 +1,120 @@
+/**
+ * Security Headers Middleware
+ *
+ * Adds standard security headers to all responses for enhanced protection.
+ * Helps prevent common web vulnerabilities like XSS, clickjacking, and MIME sniffing.
+ *
+ * Headers included:
+ * - Content-Security-Policy (CSP): Prevents XSS and data injection attacks
+ * - Strict-Transport-Security (HSTS): Forces HTTPS connections
+ * - X-Frame-Options: Prevents clickjacking
+ * - X-Content-Type-Options: Prevents MIME sniffing
+ * - Referrer-Policy: Controls referer information
+ * - X-XSS-Protection: Legacy XSS protection (for older browsers)
+ *
+ * @example
+ * import { createSecurityHeadersMiddleware } from './middlewares/security-headers.js';
+ *
+ * const middleware = createSecurityHeadersMiddleware({
+ *   headers: {
+ *     csp: "default-src 'self'; script-src 'self' 'unsafe-inline'",
+ *     hsts: { maxAge: 31536000, includeSubDomains: true },
+ *     xFrameOptions: 'DENY'
+ *   }
+ * });
+ *
+ * app.use('*', middleware);
+ */
+
+/**
+ * Create security headers middleware
+ *
+ * @param {Object} config - Security configuration
+ * @param {Object} config.headers - Header configuration
+ * @param {string} config.headers.csp - Content Security Policy
+ * @param {Object} config.headers.hsts - HSTS configuration
+ * @param {number} config.headers.hsts.maxAge - HSTS max age in seconds
+ * @param {boolean} config.headers.hsts.includeSubDomains - Include subdomains
+ * @param {boolean} config.headers.hsts.preload - Enable HSTS preload
+ * @param {string} config.headers.xFrameOptions - X-Frame-Options value (DENY, SAMEORIGIN, ALLOW-FROM)
+ * @param {string} config.headers.xContentTypeOptions - X-Content-Type-Options (nosniff)
+ * @param {string} config.headers.referrerPolicy - Referrer-Policy value
+ * @param {string} config.headers.xssProtection - X-XSS-Protection value
+ * @returns {Function} Hono middleware
+ */
+export function createSecurityHeadersMiddleware(config = {}) {
+  const defaults = {
+    csp: "default-src 'self'",
+    hsts: { maxAge: 31536000, includeSubDomains: true, preload: false },
+    xFrameOptions: 'DENY',
+    xContentTypeOptions: 'nosniff',
+    referrerPolicy: 'strict-origin-when-cross-origin',
+    xssProtection: '1; mode=block',
+    permissionsPolicy: 'geolocation=(), microphone=(), camera=()'
+  };
+
+  const settings = {
+    ...defaults,
+    ...(config.headers || {})
+  };
+
+  // Merge HSTS settings
+  if (config.headers?.hsts && typeof config.headers.hsts === 'object') {
+    settings.hsts = {
+      ...defaults.hsts,
+      ...config.headers.hsts
+    };
+  }
+
+  return async (c, next) => {
+    // Content Security Policy
+    if (settings.csp) {
+      c.header('Content-Security-Policy', settings.csp);
+    }
+
+    // HTTP Strict Transport Security
+    if (settings.hsts) {
+      const hsts = settings.hsts;
+      let hstsValue = `max-age=${hsts.maxAge}`;
+
+      if (hsts.includeSubDomains) {
+        hstsValue += '; includeSubDomains';
+      }
+
+      if (hsts.preload) {
+        hstsValue += '; preload';
+      }
+
+      c.header('Strict-Transport-Security', hstsValue);
+    }
+
+    // X-Frame-Options
+    if (settings.xFrameOptions) {
+      c.header('X-Frame-Options', settings.xFrameOptions);
+    }
+
+    // X-Content-Type-Options
+    if (settings.xContentTypeOptions) {
+      c.header('X-Content-Type-Options', settings.xContentTypeOptions);
+    }
+
+    // Referrer-Policy
+    if (settings.referrerPolicy) {
+      c.header('Referrer-Policy', settings.referrerPolicy);
+    }
+
+    // X-XSS-Protection (legacy, but still useful for older browsers)
+    if (settings.xssProtection) {
+      c.header('X-XSS-Protection', settings.xssProtection);
+    }
+
+    // Permissions-Policy (formerly Feature-Policy)
+    if (settings.permissionsPolicy) {
+      c.header('Permissions-Policy', settings.permissionsPolicy);
+    }
+
+    await next();
+  };
+}
+
+export default createSecurityHeadersMiddleware;

package/src/plugins/api/middlewares/session-tracking.js

@@ -0,0 +1,194 @@
+/**
+ * Session Tracking Middleware
+ *
+ * Tracks user sessions for analytics and monitoring purposes.
+ * Creates persistent session IDs stored in encrypted cookies.
+ *
+ * Features:
+ * - Encrypted session IDs (AES-256-GCM)
+ * - Optional database storage
+ * - Auto-update on each request
+ * - Custom session enrichment
+ * - IP, User-Agent, Referer tracking
+ *
+ * @example
+ * import { createSessionTrackingMiddleware } from './middlewares/session-tracking.js';
+ *
+ * const middleware = createSessionTrackingMiddleware({
+ *   enabled: true,
+ *   resource: 'sessions',
+ *   cookieName: 'session_id',
+ *   passphrase: process.env.SESSION_SECRET,
+ *   updateOnRequest: true,
+ *   enrichSession: async ({ session, context }) => ({
+ *     userAgent: context.req.header('user-agent'),
+ *     ip: context.req.header('x-forwarded-for')
+ *   })
+ * }, db);
+ *
+ * app.use('*', middleware);
+ *
+ * // In route handlers:
+ * app.get('/r/:id', async (c) => {
+ *   const sessionId = c.get('sessionId');
+ *   const session = c.get('session');
+ *   console.log('Session:', sessionId);
+ * });
+ */
+
+import { encrypt, decrypt } from '../../../concerns/crypto.js';
+import { idGenerator } from '../../../concerns/id.js';
+
+/**
+ * Create session tracking middleware
+ *
+ * @param {Object} config - Session configuration
+ * @param {boolean} config.enabled - Enable session tracking (default: false)
+ * @param {string} config.resource - Resource name for DB storage (optional)
+ * @param {string} config.cookieName - Cookie name (default: 'session_id')
+ * @param {number} config.cookieMaxAge - Cookie max age in ms (default: 30 days)
+ * @param {boolean} config.cookieSecure - Secure flag (default: production mode)
+ * @param {string} config.cookieSameSite - SameSite policy (default: 'Strict')
+ * @param {boolean} config.updateOnRequest - Update session on each request (default: true)
+ * @param {string} config.passphrase - Encryption passphrase (required)
+ * @param {Function} config.enrichSession - Custom session enrichment function
+ * @param {Object} db - Database instance
+ * @returns {Function} Hono middleware
+ */
+export function createSessionTrackingMiddleware(config = {}, db) {
+  const {
+    enabled = false,
+    resource = null,
+    cookieName = 'session_id',
+    cookieMaxAge = 2592000000, // 30 days
+    cookieSecure = process.env.NODE_ENV === 'production',
+    cookieSameSite = 'Strict',
+    updateOnRequest = true,
+    passphrase = null,
+    enrichSession = null
+  } = config;
+
+  // If disabled, return no-op middleware
+  if (!enabled) {
+    return async (c, next) => await next();
+  }
+
+  // Validate required config
+  if (!passphrase) {
+    throw new Error('sessionTracking.passphrase is required when sessionTracking.enabled = true');
+  }
+
+  // Get sessions resource if configured
+  const sessionsResource = resource && db ? db.resources[resource] : null;
+
+  return async (c, next) => {
+    let session = null;
+    let sessionId = null;
+    let isNewSession = false;
+
+    // 1. Check if session cookie exists
+    const sessionCookie = c.req.cookie(cookieName);
+
+    if (sessionCookie) {
+      try {
+        // Decrypt session ID
+        sessionId = await decrypt(sessionCookie, passphrase);
+
+        // Load from DB if resource configured
+        if (sessionsResource) {
+          const exists = await sessionsResource.exists(sessionId);
+          if (exists) {
+            session = await sessionsResource.get(sessionId);
+          }
+        } else {
+          // No DB storage - create minimal session object
+          session = { id: sessionId };
+        }
+      } catch (err) {
+        console.error('[SessionTracking] Failed to decrypt cookie:', err.message);
+        // Will create new session below
+      }
+    }
+
+    // 2. Create new session if needed
+    if (!session) {
+      isNewSession = true;
+      sessionId = idGenerator();
+
+      const sessionData = {
+        id: sessionId,
+        userAgent: c.req.header('user-agent') || null,
+        ip: c.req.header('x-forwarded-for') || c.req.header('x-real-ip') || null,
+        referer: c.req.header('referer') || null,
+        createdAt: new Date().toISOString(),
+        lastSeenAt: new Date().toISOString()
+      };
+
+      // Enrich with custom data
+      if (enrichSession && typeof enrichSession === 'function') {
+        try {
+          const enriched = await enrichSession({ session: sessionData, context: c });
+          if (enriched && typeof enriched === 'object') {
+            Object.assign(sessionData, enriched);
+          }
+        } catch (enrichErr) {
+          console.error('[SessionTracking] enrichSession failed:', enrichErr.message);
+        }
+      }
+
+      // Save to DB if resource configured
+      if (sessionsResource) {
+        try {
+          session = await sessionsResource.insert(sessionData);
+        } catch (insertErr) {
+          console.error('[SessionTracking] Failed to insert session:', insertErr.message);
+          session = sessionData; // Use in-memory fallback
+        }
+      } else {
+        session = sessionData;
+      }
+    }
+
+    // 3. Update session on each request (if enabled and not new)
+    else if (updateOnRequest && !isNewSession && sessionsResource) {
+      const updates = {
+        lastSeenAt: new Date().toISOString(),
+        lastUserAgent: c.req.header('user-agent') || null,
+        lastIp: c.req.header('x-forwarded-for') || c.req.header('x-real-ip') || null
+      };
+
+      // Fire-and-forget update (don't block request)
+      sessionsResource.update(sessionId, updates).catch((updateErr) => {
+        console.error('[SessionTracking] Failed to update session:', updateErr.message);
+      });
+
+      // Update local copy
+      Object.assign(session, updates);
+    }
+
+    // 4. Set/refresh cookie
+    try {
+      const encryptedSessionId = await encrypt(sessionId, passphrase);
+
+      c.header(
+        'Set-Cookie',
+        `${cookieName}=${encryptedSessionId}; ` +
+        `Max-Age=${Math.floor(cookieMaxAge / 1000)}; ` +
+        `Path=/; ` +
+        `HttpOnly; ` +
+        (cookieSecure ? 'Secure; ' : '') +
+        `SameSite=${cookieSameSite}`
+      );
+    } catch (encryptErr) {
+      console.error('[SessionTracking] Failed to encrypt session ID:', encryptErr.message);
+    }
+
+    // 5. Expose to context
+    c.set('sessionId', sessionId);
+    c.set('session', session);
+
+    await next();
+  };
+}
+
+export default createSessionTrackingMiddleware;

package/src/plugins/api/routes/auth-routes.js

@@ -67,8 +67,9 @@ export function createAuthRoutes(authResource, config = {}) {
 
       // Create user with dynamic fields
       // Only include fields from request + required auth fields
+      const { id, ...dataWithoutId } = data; // Exclude id from request data
       const userData = {
-        ...data, // Include all fields from request first
+        ...dataWithoutId, // Include all fields from request except id
         [usernameField]: username, // Override to ensure correct value
         [passwordField]: password // Will be auto-encrypted by schema (secret field)
       };
@@ -139,8 +140,27 @@ export function createAuthRoutes(authResource, config = {}) {
       }
 
       // Verify password (compare with password field)
-      // Schema handles encryption/decryption for 'secret' field types
-      const isValid = user[passwordField] === password;
+      // For 'password' field type (bcrypt hash), use verifyPassword
+      // For 'secret' field type (AES encryption), compare directly
+      let isValid = false;
+
+      const storedPassword = user[passwordField];
+      if (!storedPassword) {
+        const response = formatter.unauthorized('Invalid credentials');
+        return c.json(response, response._status);
+      }
+
+      // Check if it's a bcrypt hash (starts with $ or is compacted 53 chars)
+      const isBcryptHash = storedPassword.startsWith('$') || (storedPassword.length === 53 && !storedPassword.includes(':'));
+
+      if (isBcryptHash) {
+        // Import verifyPassword for bcrypt hashes
+        const { verifyPassword } = await import('../../../concerns/password-hashing.js');
+        isValid = await verifyPassword(password, storedPassword);
+      } else {
+        // For encrypted/secret fields, direct comparison
+        isValid = storedPassword === password;
+      }
 
       if (!isValid) {
         const response = formatter.unauthorized('Invalid credentials');

package/src/plugins/api/routes/resource-routes.js

@@ -6,6 +6,7 @@
 
 import { asyncHandler } from '../utils/error-handler.js';
 import * as formatter from '../utils/response-formatter.js';
+import { guardMiddleware } from '../utils/guards.js';
 
 /**
  * Parse custom route definition (e.g., "GET /healthcheck" or "async POST /custom")
@@ -59,12 +60,16 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
     methods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
     customMiddleware = [],
     enableValidation = true,
-    versionPrefix = '' // Empty string by default (calculated in server.js)
+    versionPrefix = '', // Empty string by default (calculated in server.js)
+    events = null // Event emitter for lifecycle hooks
   } = config;
 
   const resourceName = resource.name;
   const basePath = versionPrefix ? `/${versionPrefix}/${resourceName}` : `/${resourceName}`;
 
+  // Get guards configuration from resource config
+  const guards = resource.config?.guards || null;
+
   // Apply custom middleware
   customMiddleware.forEach(middleware => {
     app.use('*', middleware);
@@ -112,7 +117,7 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
 
   // LIST - GET /{version}/{resource}
   if (methods.includes('GET')) {
-    app.get('/', asyncHandler(async (c) => {
+    app.get('/', guardMiddleware(guards, 'list'), asyncHandler(async (c) => {
       const query = c.req.query();
       const limit = parseInt(query.limit) || 100;
       const offset = parseInt(query.offset) || 0;
@@ -141,22 +146,23 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
 
       // Use query if filters are present
       if (Object.keys(filters).length > 0) {
-        items = await resource.query(filters, { limit: limit + offset });
-        items = items.slice(offset, offset + limit);
+        // Query with native offset support (efficient!)
+        items = await resource.query(filters, { limit, offset });
+        // Note: total is approximate (length of returned items)
+        // For exact total count with filters, would need separate count query
         total = items.length;
       } else if (partition && partitionValues) {
         // Query specific partition
         items = await resource.listPartition({
           partition,
           partitionValues,
-          limit: limit + offset
+          limit,
+          offset
         });
-        items = items.slice(offset, offset + limit);
         total = items.length;
       } else {
         // Regular list
-        items = await resource.list({ limit: limit + offset });
-        items = items.slice(offset, offset + limit);
+        items = await resource.list({ limit, offset });
         total = items.length;
       }
 
@@ -177,7 +183,7 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
 
   // GET ONE - GET /{version}/{resource}/:id
   if (methods.includes('GET')) {
-    app.get('/:id', asyncHandler(async (c) => {
+    app.get('/:id', guardMiddleware(guards, 'get'), asyncHandler(async (c) => {
       const id = c.req.param('id');
       const query = c.req.query();
       const partition = query.partition;
@@ -211,12 +217,22 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
 
   // CREATE - POST /{version}/{resource}
   if (methods.includes('POST')) {
-    app.post('/', asyncHandler(async (c) => {
+    app.post('/', guardMiddleware(guards, 'create'), asyncHandler(async (c) => {
       const data = await c.req.json();
 
       // Validation middleware will run if enabled
       const item = await resource.insert(data);
 
+      // Emit resource:created event
+      if (events) {
+        events.emitResourceEvent('created', {
+          resource: resourceName,
+          id: item.id,
+          data: item,
+          user: c.get('user')
+        });
+      }
+
       const location = `${basePath}/${item.id}`;
       const response = formatter.created(item, location);
 
@@ -227,7 +243,7 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
 
   // UPDATE (full) - PUT /{version}/{resource}/:id
   if (methods.includes('PUT')) {
-    app.put('/:id', asyncHandler(async (c) => {
+    app.put('/:id', guardMiddleware(guards, 'update'), asyncHandler(async (c) => {
       const id = c.req.param('id');
       const data = await c.req.json();
 
@@ -241,6 +257,17 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
       // Full update
       const updated = await resource.update(id, data);
 
+      // Emit resource:updated event
+      if (events) {
+        events.emitResourceEvent('updated', {
+          resource: resourceName,
+          id: updated.id,
+          data: updated,
+          previous: existing,
+          user: c.get('user')
+        });
+      }
+
       const response = formatter.success(updated);
       return c.json(response, response._status);
     }));
@@ -248,7 +275,7 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
 
   // UPDATE (partial) - PATCH /{version}/{resource}/:id
   if (methods.includes('PATCH')) {
-    app.patch('/:id', asyncHandler(async (c) => {
+    app.patch('/:id', guardMiddleware(guards, 'update'), asyncHandler(async (c) => {
       const id = c.req.param('id');
       const data = await c.req.json();
 
@@ -263,6 +290,18 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
       const merged = { ...existing, ...data, id };
       const updated = await resource.update(id, merged);
 
+      // Emit resource:updated event
+      if (events) {
+        events.emitResourceEvent('updated', {
+          resource: resourceName,
+          id: updated.id,
+          data: updated,
+          previous: existing,
+          partial: true,
+          user: c.get('user')
+        });
+      }
+
       const response = formatter.success(updated);
       return c.json(response, response._status);
     }));
@@ -270,7 +309,7 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
 
   // DELETE - DELETE /{version}/{resource}/:id
   if (methods.includes('DELETE')) {
-    app.delete('/:id', asyncHandler(async (c) => {
+    app.delete('/:id', guardMiddleware(guards, 'delete'), asyncHandler(async (c) => {
       const id = c.req.param('id');
 
       // Check if exists
@@ -282,6 +321,16 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
 
       await resource.delete(id);
 
+      // Emit resource:deleted event
+      if (events) {
+        events.emitResourceEvent('deleted', {
+          resource: resourceName,
+          id,
+          previous: existing,
+          user: c.get('user')
+        });
+      }
+
       const response = formatter.noContent();
       return c.json(response, response._status);
     }));
@@ -292,22 +341,11 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
     app.on('HEAD', '/', asyncHandler(async (c) => {
       // Get statistics
       const total = await resource.count();
+      const version = resource.config?.currentVersion || resource.version || 'v1';
 
-      // Get all items to calculate stats (for small datasets)
-      // For large datasets, this might need optimization
-      const allItems = await resource.list({ limit: 1000 });
-
-      // Calculate statistics
-      const stats = {
-        total,
-        version: resource.config?.currentVersion || resource.version || 'v1'
-      };
-
-      // Add resource-specific stats
+      // Set resource metadata headers
       c.header('X-Total-Count', total.toString());
-      c.header('X-Resource-Version', stats.version);
-
-      // Add schema info
+      c.header('X-Resource-Version', version);
       c.header('X-Schema-Fields', Object.keys(resource.config?.attributes || {}).length.toString());
 
       return c.body(null, 200);
@@ -393,8 +431,12 @@ export function createRelationalRoutes(sourceResource, relationName, relationCon
 
   // GET /{version}/{resource}/:id/{relation}
   // Examples: GET /v1/users/user123/posts, GET /v1/users/user123/profile
-  app.get('/:id', asyncHandler(async (c) => {
-    const id = c.req.param('id');
+  // Note: The :id param comes from parent route mounting (see server.js:469)
+  app.get('/', asyncHandler(async (c) => {
+    // Get parent route's :id param
+    const pathParts = c.req.path.split('/');
+    const relationNameIndex = pathParts.lastIndexOf(relationName);
+    const id = pathParts[relationNameIndex - 1];
     const query = c.req.query();
 
     // Check if source resource exists