s3db.js 13.6.0 → 14.0.2

package/src/plugins/api/routes/auth-routes.js

@@ -9,8 +9,8 @@ import { asyncHandler } from '../utils/error-handler.js';
 import * as formatter from '../utils/response-formatter.js';
 import { createToken } from '../auth/jwt-auth.js';
 import { generateApiKey } from '../auth/api-key-auth.js';
-import { encrypt } from '../../../concerns/crypto.js';
 import tryFn from '../../../concerns/try-fn.js';
+import { hashPassword } from '../../../concerns/password-hashing.js';
 
 /**
  * Create authentication routes
@@ -27,16 +27,133 @@ export function createAuthRoutes(authResource, config = {}) {
     jwtSecret,
     jwtExpiresIn = '7d',
     passphrase = 'secret',
-    allowRegistration = true
+    registration = {},
+    loginThrottle = {}
   } = config;
 
+  const registrationConfig = {
+    enabled: registration.enabled === true,
+    allowedFields: Array.isArray(registration.allowedFields) ? registration.allowedFields : [],
+    defaultRole: registration.defaultRole || 'user'
+  };
+
+  const schemaAttributes = authResource.schema?.attributes || {};
+  const passwordAttribute = schemaAttributes?.[passwordField];
+  const isPasswordType = typeof passwordAttribute === 'string'
+    ? passwordAttribute.includes('password')
+    : passwordAttribute?.type === 'password';
+
+  const allowedRegistrationFields = new Set([usernameField, passwordField]);
+  for (const field of registrationConfig.allowedFields) {
+    if (typeof field === 'string' && field && field !== passwordField) {
+      allowedRegistrationFields.add(field);
+    }
+  }
+
+  const blockedRegistrationFields = new Set([
+    'role',
+    'active',
+    'apiKey',
+    'jwtSecret',
+    'scopes',
+    'createdAt',
+    'updatedAt',
+    'metadata',
+    'id'
+  ]);
+
+  const loginThrottleConfig = {
+    enabled: loginThrottle?.enabled !== false,
+    maxAttempts: loginThrottle?.maxAttempts ?? 5,
+    windowMs: loginThrottle?.windowMs ?? 60_000,
+    blockDurationMs: loginThrottle?.blockDurationMs ?? 300_000,
+    maxEntries: loginThrottle?.maxEntries ?? 10_000
+  };
+
+  const loginAttempts = new Map();
+
+  const getClientIp = (c) => {
+    const forwarded = c.req.header('x-forwarded-for');
+    if (forwarded) {
+      return forwarded.split(',')[0].trim();
+    }
+    const cfConnecting = c.req.header('cf-connecting-ip');
+    if (cfConnecting) {
+      return cfConnecting;
+    }
+    return c.req.raw?.socket?.remoteAddress || 'unknown';
+  };
+
+  const cleanupLoginAttempts = () => {
+    if (loginAttempts.size <= loginThrottleConfig.maxEntries) {
+      return;
+    }
+    const oldestKey = loginAttempts.keys().next().value;
+    if (oldestKey) {
+      loginAttempts.delete(oldestKey);
+    }
+  };
+
+  const getThrottleRecord = (key, now) => {
+    if (!loginThrottleConfig.enabled) return null;
+    let record = loginAttempts.get(key);
+    if (record && record.blockedUntil && now > record.blockedUntil) {
+      loginAttempts.delete(key);
+      record = null;
+    }
+    if (!record || now - record.firstAttemptAt > loginThrottleConfig.windowMs) {
+      record = { attempts: 0, firstAttemptAt: now, blockedUntil: null };
+      loginAttempts.set(key, record);
+      cleanupLoginAttempts();
+    }
+    return record;
+  };
+
+  const registerFailedAttempt = (record, now) => {
+    if (!loginThrottleConfig.enabled || !record) {
+      return { blocked: false };
+    }
+    record.attempts += 1;
+    record.lastAttemptAt = now;
+    if (record.attempts >= loginThrottleConfig.maxAttempts) {
+      record.blockedUntil = now + loginThrottleConfig.blockDurationMs;
+      const retryAfter = Math.ceil((record.blockedUntil - now) / 1000);
+      return { blocked: true, retryAfter };
+    }
+    return { blocked: false };
+  };
+
+  const buildPublicUser = (user) => {
+    const publicUser = { id: user.id };
+    const identifier = user[usernameField] ?? user.email ?? user.username;
+    if (identifier !== undefined) {
+      publicUser[usernameField] = identifier;
+    }
+
+    for (const field of allowedRegistrationFields) {
+      if (field === usernameField || field === passwordField) continue;
+      if (user[field] !== undefined) {
+        publicUser[field] = user[field];
+      }
+    }
+
+    if (schemaAttributes.role !== undefined && user.role !== undefined) {
+      publicUser.role = user.role;
+    }
+
+    if (schemaAttributes.active !== undefined && user.active !== undefined) {
+      publicUser.active = user.active;
+    }
+
+    return publicUser;
+  };
+
   // POST /auth/register - Register new user
-  if (allowRegistration) {
+  if (registrationConfig.enabled) {
     app.post('/register', asyncHandler(async (c) => {
       const data = await c.req.json();
       const username = data[usernameField];
       const password = data[passwordField];
-      const role = data.role || 'user';
 
       // Validate input
       if (!username || !password) {
@@ -68,17 +185,28 @@ export function createAuthRoutes(authResource, config = {}) {
       // Create user with dynamic fields
       // Only include fields from request + required auth fields
       const { id, ...dataWithoutId } = data; // Exclude id from request data
-      const userData = {
-        ...dataWithoutId, // Include all fields from request except id
-        [usernameField]: username, // Override to ensure correct value
-        [passwordField]: password // Will be auto-encrypted by schema (secret field)
-      };
-
-      // Add optional fields only if not provided
-      if (!userData.role) {
-        userData.role = role;
+      const userData = {};
+
+      for (const [key, value] of Object.entries(dataWithoutId)) {
+        if (!allowedRegistrationFields.has(key)) continue;
+        if (blockedRegistrationFields.has(key)) continue;
+        if (key === usernameField || key === passwordField) continue;
+        userData[key] = value;
       }
-      if (userData.active === undefined) {
+
+      userData[usernameField] = username;
+
+      if (isPasswordType) {
+        userData[passwordField] = password;
+      } else {
+        userData[passwordField] = await hashPassword(password);
+      }
+
+      if (schemaAttributes.role !== undefined) {
+        userData.role = registrationConfig.defaultRole;
+      }
+
+      if (schemaAttributes.active !== undefined) {
         userData.active = true;
       }
 
@@ -98,11 +226,8 @@ export function createAuthRoutes(authResource, config = {}) {
         );
       }
 
-      // Remove sensitive data from response
-      const { [passwordField]: _, ...userWithoutPassword } = user;
-
       const response = formatter.created({
-        user: userWithoutPassword,
+        user: buildPublicUser(user),
         ...(token && { token }) // Only include token if JWT driver
       }, `/auth/users/${user.id}`);
 
@@ -127,6 +252,25 @@ export function createAuthRoutes(authResource, config = {}) {
       const queryFilter = { [usernameField]: username };
       const users = await authResource.query(queryFilter);
       if (!users || users.length === 0) {
+        const now = Date.now();
+        let throttleRecord = null;
+        let throttleKey = null;
+        if (loginThrottleConfig.enabled) {
+          const ip = getClientIp(c);
+          throttleKey = `${ip}:${username}`;
+          throttleRecord = getThrottleRecord(throttleKey, now);
+          const throttleResult = registerFailedAttempt(throttleRecord, now);
+          if (throttleResult.blocked) {
+            c.header('Retry-After', throttleResult.retryAfter.toString());
+            const response = formatter.error('Too many login attempts. Try again later.', {
+              status: 429,
+              code: 'TOO_MANY_ATTEMPTS',
+              details: { retryAfter: throttleResult.retryAfter }
+            });
+            return c.json(response, response._status);
+          }
+        }
+
         const response = formatter.unauthorized('Invalid credentials');
         return c.json(response, response._status);
       }
@@ -139,6 +283,25 @@ export function createAuthRoutes(authResource, config = {}) {
         return c.json(response, response._status);
       }
 
+      const now = Date.now();
+      let throttleRecord = null;
+      let throttleKey = null;
+      if (loginThrottleConfig.enabled) {
+        const ip = getClientIp(c);
+        throttleKey = `${ip}:${username}`;
+        throttleRecord = getThrottleRecord(throttleKey, now);
+        if (throttleRecord && throttleRecord.blockedUntil && now < throttleRecord.blockedUntil) {
+          const retryAfter = Math.ceil((throttleRecord.blockedUntil - now) / 1000);
+          c.header('Retry-After', retryAfter.toString());
+          const response = formatter.error('Too many login attempts. Try again later.', {
+            status: 429,
+            code: 'TOO_MANY_ATTEMPTS',
+            details: { retryAfter }
+          });
+          return c.json(response, response._status);
+        }
+      }
+
       // Verify password (compare with password field)
       // For 'password' field type (bcrypt hash), use verifyPassword
       // For 'secret' field type (AES encryption), compare directly
@@ -163,6 +326,17 @@ export function createAuthRoutes(authResource, config = {}) {
       }
 
       if (!isValid) {
+        const throttleResult = registerFailedAttempt(throttleRecord, now);
+        if (throttleResult.blocked) {
+          c.header('Retry-After', throttleResult.retryAfter.toString());
+          const response = formatter.error('Too many login attempts. Try again later.', {
+            status: 429,
+            code: 'TOO_MANY_ATTEMPTS',
+            details: { retryAfter: throttleResult.retryAfter }
+          });
+          return c.json(response, response._status);
+        }
+
         const response = formatter.unauthorized('Invalid credentials');
         return c.json(response, response._status);
       }
@@ -189,10 +363,12 @@ export function createAuthRoutes(authResource, config = {}) {
       }
 
       // Remove sensitive data from response
-      const { [passwordField]: _, ...userWithoutPassword } = user;
+      if (loginThrottleConfig.enabled && throttleKey) {
+        loginAttempts.delete(throttleKey);
+      }
 
       const response = formatter.success({
-        user: userWithoutPassword,
+        user: buildPublicUser(user),
         token,
         expiresIn: jwtExpiresIn
       });
@@ -237,15 +413,7 @@ export function createAuthRoutes(authResource, config = {}) {
     }
 
     // If user is from JWT payload (no password field), return as is
-    if (!user.password) {
-      const response = formatter.success(user);
-      return c.json(response, response._status);
-    }
-
-    // Remove sensitive data
-    const { password: _, ...userWithoutPassword } = user;
-
-    const response = formatter.success(userWithoutPassword);
+    const response = formatter.success(buildPublicUser(user));
     return c.json(response, response._status);
   }));
 
@@ -262,7 +430,7 @@ export function createAuthRoutes(authResource, config = {}) {
     const newApiKey = generateApiKey();
 
     // Update user
-    await usersResource.update(user.id, {
+    await authResource.update(user.id, {
       apiKey: newApiKey
     });
 

package/src/plugins/api/routes/resource-routes.js

@@ -141,17 +141,30 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
         }
       }
 
+      // ✅ NEW: Check for partition filters from guards (set via ctx.setPartition())
+      const guardPartitionFilters = c.get('partitionFilters') || [];
+
       let items;
       let total;
 
-      // Use query if filters are present
-      if (Object.keys(filters).length > 0) {
+      // ✅ Priority 1: Partition filters from guards (tenant isolation)
+      if (guardPartitionFilters.length > 0) {
+        const { partitionName, partitionFields } = guardPartitionFilters[0];
+
+        // Use partition query for O(1) tenant isolation
+        items = await resource.listPartition(partitionName, partitionFields, { limit, offset });
+        total = items.length;
+      }
+      // Priority 2: Use query if filters are present
+      else if (Object.keys(filters).length > 0) {
         // Query with native offset support (efficient!)
         items = await resource.query(filters, { limit, offset });
         // Note: total is approximate (length of returned items)
         // For exact total count with filters, would need separate count query
         total = items.length;
-      } else if (partition && partitionValues) {
+      }
+      // Priority 3: Partition from query params
+      else if (partition && partitionValues) {
         // Query specific partition
         items = await resource.listPartition({
           partition,
@@ -160,7 +173,9 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
           offset
         });
         total = items.length;
-      } else {
+      }
+      // Priority 4: Regular list (full scan)
+      else {
         // Regular list
         items = await resource.list({ limit, offset });
         total = items.length;

package/src/plugins/api/server/health-manager.class.js

@@ -0,0 +1,163 @@
+/**
+ * HealthManager - Manages health check endpoints
+ *
+ * Provides Kubernetes-compatible health endpoints:
+ * - /health - Generic health check
+ * - /health/live - Liveness probe (is app alive?)
+ * - /health/ready - Readiness probe (is app ready for traffic?)
+ *
+ * Supports custom health checks for external dependencies (database, redis, etc.)
+ */
+
+import * as formatter from '../../shared/response-formatter.js';
+
+export class HealthManager {
+  constructor({ database, healthConfig, verbose }) {
+    this.database = database;
+    this.healthConfig = healthConfig || {};
+    this.verbose = verbose;
+  }
+
+  /**
+   * Register all health endpoints on Hono app
+   * @param {Hono} app - Hono application instance
+   */
+  register(app) {
+    // Liveness probe
+    app.get('/health/live', (c) => this.livenessProbe(c));
+
+    // Readiness probe
+    app.get('/health/ready', (c) => this.readinessProbe(c));
+
+    // Generic health
+    app.get('/health', (c) => this.genericHealth(c));
+
+    if (this.verbose) {
+      console.log('[HealthManager] Health endpoints registered:');
+      console.log('[HealthManager]   GET /health');
+      console.log('[HealthManager]   GET /health/live');
+      console.log('[HealthManager]   GET /health/ready');
+    }
+  }
+
+  /**
+   * Liveness probe - checks if app is alive
+   * If this fails, Kubernetes will restart the pod
+   * @private
+   */
+  livenessProbe(c) {
+    const response = formatter.success({
+      status: 'alive',
+      timestamp: new Date().toISOString()
+    });
+    return c.json(response);
+  }
+
+  /**
+   * Readiness probe - checks if app is ready to receive traffic
+   * If this fails, Kubernetes will remove pod from service endpoints
+   * @private
+   */
+  async readinessProbe(c) {
+    const checks = {};
+    let isHealthy = true;
+
+    // Get custom checks configuration
+    const customChecks = this.healthConfig.readiness?.checks || [];
+
+    // Built-in: Database check
+    try {
+      const startTime = Date.now();
+      const isDbReady = this.database &&
+                       this.database.connected &&
+                       Object.keys(this.database.resources).length > 0;
+      const latency = Date.now() - startTime;
+
+      if (isDbReady) {
+        checks.s3db = {
+          status: 'healthy',
+          latency_ms: latency,
+          resources: Object.keys(this.database.resources).length
+        };
+      } else {
+        checks.s3db = {
+          status: 'unhealthy',
+          connected: this.database?.connected || false,
+          resources: Object.keys(this.database?.resources || {}).length
+        };
+        isHealthy = false;
+      }
+    } catch (err) {
+      checks.s3db = {
+        status: 'unhealthy',
+        error: err.message
+      };
+      isHealthy = false;
+    }
+
+    // Execute custom checks
+    for (const check of customChecks) {
+      try {
+        const startTime = Date.now();
+        const timeout = check.timeout || 5000;
+
+        // Run check with timeout
+        const result = await Promise.race([
+          check.check(),
+          new Promise((_, reject) =>
+            setTimeout(() => reject(new Error('Timeout')), timeout)
+          )
+        ]);
+
+        const latency = Date.now() - startTime;
+
+        checks[check.name] = {
+          status: result.healthy ? 'healthy' : 'unhealthy',
+          latency_ms: latency,
+          ...result
+        };
+
+        // Only mark as unhealthy if check is not optional
+        if (!result.healthy && !check.optional) {
+          isHealthy = false;
+        }
+      } catch (err) {
+        checks[check.name] = {
+          status: 'unhealthy',
+          error: err.message
+        };
+
+        // Only mark as unhealthy if check is not optional
+        if (!check.optional) {
+          isHealthy = false;
+        }
+      }
+    }
+
+    const status = isHealthy ? 200 : 503;
+
+    return c.json({
+      status: isHealthy ? 'healthy' : 'unhealthy',
+      timestamp: new Date().toISOString(),
+      uptime: process.uptime(),
+      checks
+    }, status);
+  }
+
+  /**
+   * Generic health check
+   * @private
+   */
+  genericHealth(c) {
+    const response = formatter.success({
+      status: 'ok',
+      uptime: process.uptime(),
+      timestamp: new Date().toISOString(),
+      checks: {
+        liveness: '/health/live',
+        readiness: '/health/ready'
+      }
+    });
+    return c.json(response);
+  }
+}