s3db.js 13.6.1 → 14.0.2

package/src/plugins/api/index.js

@@ -37,6 +37,7 @@ import { requirePluginDependency } from '../concerns/plugin-dependencies.js';
 import tryFn from '../../concerns/try-fn.js';
 import { ApiServer } from './server.js';
 import { idGenerator } from '../../concerns/id.js';
+import { resolveResourceName } from '../concerns/resource-names.js';
 
 const AUTH_DRIVER_KEYS = ['jwt', 'apiKey', 'basic', 'oidc', 'oauth2'];
 
@@ -61,9 +62,10 @@ function normalizeAuthConfig(authOptions = {}) {
     pathAuth: authOptions.pathAuth,
     strategy: authOptions.strategy || 'any',
     priorities: authOptions.priorities || {},
-    resource: authOptions.resource || 'users',
+    resource: authOptions.resource,
     usernameField: authOptions.usernameField || 'email',
-    passwordField: authOptions.passwordField || 'password'
+    passwordField: authOptions.passwordField || 'password',
+    createResource: authOptions.createResource !== false
   };
 
   const seen = new Set();
@@ -130,7 +132,29 @@ export class ApiPlugin extends Plugin {
   constructor(options = {}) {
     super(options);
 
+    const resourceNamesOption = options.resourceNames || {};
+    this._usersResourceDescriptor = {
+      defaultName: 'plg_api_users',
+      override: resourceNamesOption.authUsers || options.auth?.resource
+    };
     const normalizedAuth = normalizeAuthConfig(options.auth);
+    normalizedAuth.registration = {
+      enabled: options.auth?.registration?.enabled === true,
+      allowedFields: Array.isArray(options.auth?.registration?.allowedFields)
+        ? options.auth.registration.allowedFields
+        : [],
+      defaultRole: options.auth?.registration?.defaultRole || 'user'
+    };
+    normalizedAuth.loginThrottle = {
+      enabled: options.auth?.loginThrottle?.enabled !== false,
+      maxAttempts: options.auth?.loginThrottle?.maxAttempts || 5,
+      windowMs: options.auth?.loginThrottle?.windowMs || 60_000,
+      blockDurationMs: options.auth?.loginThrottle?.blockDurationMs || 300_000,
+      maxEntries: options.auth?.loginThrottle?.maxEntries || 10_000
+    };
+    this.usersResourceName = this._resolveUsersResourceName();
+    normalizedAuth.resource = this.usersResourceName;
+    normalizedAuth.createResource = options.auth?.createResource !== false;
 
     this.config = {
       // Server configuration
@@ -182,7 +206,8 @@ export class ApiPlugin extends Plugin {
         enabled: options.rateLimit?.enabled || false,
         windowMs: options.rateLimit?.windowMs || 60000, // 1 minute
         maxRequests: options.rateLimit?.maxRequests || 100,
-        keyGenerator: options.rateLimit?.keyGenerator || null
+        keyGenerator: options.rateLimit?.keyGenerator || null,
+        maxUniqueKeys: options.rateLimit?.maxUniqueKeys || 1000
       },
 
       // Logging configuration
@@ -288,7 +313,22 @@ export class ApiPlugin extends Plugin {
       },
 
       // Custom global middlewares
-      middlewares: options.middlewares || []
+      middlewares: options.middlewares || [],
+
+      requestId: options.requestId || { enabled: false },
+      sessionTracking: options.sessionTracking || { enabled: false },
+      events: options.events || { enabled: false },
+      metrics: options.metrics || { enabled: false },
+      failban: {
+        ...(options.failban || {}),
+        enabled: options.failban?.enabled === true,
+        resourceNames: resourceNamesOption.failban || options.failban?.resourceNames || {}
+      },
+      static: Array.isArray(options.static) ? options.static : [],
+      health: typeof options.health === 'object'
+        ? options.health
+        : { enabled: options.health !== false },
+      maxBodySize: options.maxBodySize || 10 * 1024 * 1024
     };
 
     this.config.resources = this._normalizeResourcesConfig(options.resources);
@@ -410,18 +450,43 @@ export class ApiPlugin extends Plugin {
    * @private
    */
   async _createUsersResource() {
+    const existingResource = this._findExistingUsersResource();
+
+    if (!this.config.auth.createResource) {
+      if (!existingResource) {
+        throw new Error(
+          `[API Plugin] Auth resource "${this.usersResourceName}" not found and auth.createResource is false`
+        );
+      }
+      this.usersResource = existingResource;
+      this.config.auth.resource = existingResource.name;
+      if (this.config.verbose) {
+        console.log(`[API Plugin] Using existing ${existingResource.name} resource for authentication`);
+      }
+      return;
+    }
+
+    if (existingResource) {
+      this.usersResource = existingResource;
+      this.config.auth.resource = existingResource.name;
+      if (this.config.verbose) {
+        console.log(`[API Plugin] Reusing existing ${existingResource.name} resource for authentication`);
+      }
+      return;
+    }
+
     const [ok, err, resource] = await tryFn(() =>
       this.database.createResource({
-        name: 'plg_users',
+        name: this.usersResourceName,
         attributes: {
           id: 'string|required',
           username: 'string|required|minlength:3',
-          email: 'string|required|email',  // Required to support email-based auth
+          email: 'string|required|email',
           password: 'secret|required|minlength:8',
           apiKey: 'string|optional',
           jwtSecret: 'string|optional',
           role: 'string|default:user',
-          scopes: 'array|items:string|optional',  // Authorization scopes (e.g., ['read:users', 'write:cars'])
+          scopes: 'array|items:string|optional',
           active: 'boolean|default:true',
           createdAt: 'string|optional',
           lastLoginAt: 'string|optional',
@@ -433,20 +498,40 @@ export class ApiPlugin extends Plugin {
       })
     );
 
-    if (ok) {
-      this.usersResource = resource;
-      if (this.config.verbose) {
-        console.log('[API Plugin] Created plg_users resource for authentication');
+    if (!ok) {
+      throw err;
+    }
+
+    this.usersResource = resource;
+    this.config.auth.resource = resource.name;
+    if (this.config.verbose) {
+      console.log(`[API Plugin] Created ${this.usersResourceName} resource for authentication`);
+    }
+  }
+
+  _findExistingUsersResource() {
+    const candidates = new Set([this.usersResourceName]);
+
+    const identityPlugin = this.database?.plugins?.identity || this.database?.plugins?.Identity;
+    if (identityPlugin) {
+      const identityNames = [
+        identityPlugin.usersResource?.name,
+        identityPlugin.config?.resources?.users?.mergedConfig?.name,
+        identityPlugin.config?.resources?.users?.userConfig?.name
+      ].filter(Boolean);
+      for (const name of identityNames) {
+        candidates.add(name);
       }
-    } else if (this.database.resources.plg_users) {
-      // Resource already exists
-      this.usersResource = this.database.resources.plg_users;
-      if (this.config.verbose) {
-        console.log('[API Plugin] Using existing plg_users resource');
+    }
+
+    for (const name of candidates) {
+      if (!name) continue;
+      const resource = this.database.resources?.[name];
+      if (resource) {
+        return resource;
       }
-    } else {
-      throw err;
     }
+    return null;
   }
   /**
    * Setup middlewares
@@ -584,25 +669,41 @@ export class ApiPlugin extends Plugin {
    */
   async _createRateLimitMiddleware() {
     const requests = new Map();
-    const { windowMs, maxRequests, keyGenerator } = this.config.rateLimit;
+    const { windowMs, maxRequests, keyGenerator, maxUniqueKeys } = this.config.rateLimit;
+
+    const getClientIp = (c) => {
+      const forwarded = c.req.header('x-forwarded-for');
+      if (forwarded) {
+        return forwarded.split(',')[0].trim();
+      }
+      const cfConnecting = c.req.header('cf-connecting-ip');
+      if (cfConnecting) {
+        return cfConnecting;
+      }
+      return c.req.raw?.socket?.remoteAddress || 'unknown';
+    };
 
     return async (c, next) => {
       // Generate key (IP or custom)
-      const key = keyGenerator
-        ? keyGenerator(c)
-        : c.req.header('x-forwarded-for') || c.req.header('cf-connecting-ip') || 'unknown';
+      const key = keyGenerator ? keyGenerator(c) : getClientIp(c) || 'unknown';
 
-      // Get or create request count
-      if (!requests.has(key)) {
-        requests.set(key, { count: 0, resetAt: Date.now() + windowMs });
-      }
+      let record = requests.get(key);
 
-      const record = requests.get(key);
+      // Reset expired records to prevent unbounded memory growth
+      if (record && Date.now() > record.resetAt) {
+        requests.delete(key);
+        record = null;
+      }
 
-      // Reset if window expired
-      if (Date.now() > record.resetAt) {
-        record.count = 0;
-        record.resetAt = Date.now() + windowMs;
+      if (!record) {
+        record = { count: 0, resetAt: Date.now() + windowMs };
+        requests.set(key, record);
+        if (requests.size > maxUniqueKeys) {
+          const oldestKey = requests.keys().next().value;
+          if (oldestKey) {
+            requests.delete(oldestKey);
+          }
+        }
       }
 
       // Check limit
@@ -706,14 +807,15 @@ export class ApiPlugin extends Plugin {
         return;
       }
 
-      // Skip if already compressed
-      if (c.res.headers.has('content-encoding')) {
+      // Skip if already compressed or body consumed
+      if (c.res.headers.has('content-encoding') || c.res.bodyUsed) {
         return;
       }
 
       // Skip if content-type should not be compressed
       const contentType = c.res.headers.get('content-type') || '';
-      if (skipContentTypes.some(type => contentType.startsWith(type))) {
+      const isTextLike = contentType.startsWith('text/') || contentType.includes('json');
+      if (skipContentTypes.some(type => contentType.startsWith(type)) || !isTextLike) {
         return;
       }
 
@@ -909,11 +1011,22 @@ export class ApiPlugin extends Plugin {
       port: this.config.port,
       host: this.config.host,
       database: this.database,
+      namespace: this.namespace,
       versionPrefix: this.config.versionPrefix,
       resources: this.config.resources,
       routes: this.config.routes,
       templates: this.config.templates,
       middlewares: this.compiledMiddlewares,
+      cors: this.config.cors,
+      security: this.config.security,
+      requestId: this.config.requestId,
+      sessionTracking: this.config.sessionTracking,
+      events: this.config.events,
+      metrics: this.config.metrics,
+      failban: this.config.failban,
+      static: this.config.static,
+      health: this.config.health,
+      maxBodySize: this.config.maxBodySize,
       verbose: this.config.verbose,
       auth: this.config.auth,
       docsEnabled: this.config.docs.enabled,
@@ -942,10 +1055,24 @@ export class ApiPlugin extends Plugin {
 
     if (this.server) {
       await this.server.stop();
-      this.server = null;
     }
+    this.server = null;
+  }
+
+  _resolveUsersResourceName() {
+    return resolveResourceName('api', this._usersResourceDescriptor, {
+      namespace: this.namespace
+    });
+  }
 
-    this.emit('plugin.stopped');
+  onNamespaceChanged() {
+    this.usersResourceName = this._resolveUsersResourceName();
+    if (this.config?.auth) {
+      this.config.auth.resource = this.usersResourceName;
+    }
+    if (this.server?.failban) {
+      this.server.failban.setNamespace(this.namespace);
+    }
   }
 
   /**
@@ -959,11 +1086,9 @@ export class ApiPlugin extends Plugin {
 
     // Optionally delete users resource
     if (purgeData && this.usersResource) {
-      // Delete all users (plugin data cleanup happens automatically via base Plugin class)
-      const [ok] = await tryFn(() => this.database.deleteResource('plg_users'));
-
+      const [ok] = await tryFn(() => this.database.deleteResource(this.usersResourceName));
       if (ok && this.config.verbose) {
-        console.log('[API Plugin] Deleted plg_users resource');
+        console.log(`[API Plugin] Deleted ${this.usersResourceName} resource`);
       }
     }
 
@@ -1006,3 +1131,6 @@ export {
   createNotificationStateMachine,
   createAttemptStateMachine
 } from './concerns/state-machine.js';
+
+// Export route context utilities (NEW!)
+export { RouteContext, withContext } from './concerns/route-context.js';

package/src/plugins/api/routes/auth-routes.js

@@ -9,8 +9,8 @@ import { asyncHandler } from '../utils/error-handler.js';
 import * as formatter from '../utils/response-formatter.js';
 import { createToken } from '../auth/jwt-auth.js';
 import { generateApiKey } from '../auth/api-key-auth.js';
-import { encrypt } from '../../../concerns/crypto.js';
 import tryFn from '../../../concerns/try-fn.js';
+import { hashPassword } from '../../../concerns/password-hashing.js';
 
 /**
  * Create authentication routes
@@ -27,16 +27,133 @@ export function createAuthRoutes(authResource, config = {}) {
     jwtSecret,
     jwtExpiresIn = '7d',
     passphrase = 'secret',
-    allowRegistration = true
+    registration = {},
+    loginThrottle = {}
   } = config;
 
+  const registrationConfig = {
+    enabled: registration.enabled === true,
+    allowedFields: Array.isArray(registration.allowedFields) ? registration.allowedFields : [],
+    defaultRole: registration.defaultRole || 'user'
+  };
+
+  const schemaAttributes = authResource.schema?.attributes || {};
+  const passwordAttribute = schemaAttributes?.[passwordField];
+  const isPasswordType = typeof passwordAttribute === 'string'
+    ? passwordAttribute.includes('password')
+    : passwordAttribute?.type === 'password';
+
+  const allowedRegistrationFields = new Set([usernameField, passwordField]);
+  for (const field of registrationConfig.allowedFields) {
+    if (typeof field === 'string' && field && field !== passwordField) {
+      allowedRegistrationFields.add(field);
+    }
+  }
+
+  const blockedRegistrationFields = new Set([
+    'role',
+    'active',
+    'apiKey',
+    'jwtSecret',
+    'scopes',
+    'createdAt',
+    'updatedAt',
+    'metadata',
+    'id'
+  ]);
+
+  const loginThrottleConfig = {
+    enabled: loginThrottle?.enabled !== false,
+    maxAttempts: loginThrottle?.maxAttempts ?? 5,
+    windowMs: loginThrottle?.windowMs ?? 60_000,
+    blockDurationMs: loginThrottle?.blockDurationMs ?? 300_000,
+    maxEntries: loginThrottle?.maxEntries ?? 10_000
+  };
+
+  const loginAttempts = new Map();
+
+  const getClientIp = (c) => {
+    const forwarded = c.req.header('x-forwarded-for');
+    if (forwarded) {
+      return forwarded.split(',')[0].trim();
+    }
+    const cfConnecting = c.req.header('cf-connecting-ip');
+    if (cfConnecting) {
+      return cfConnecting;
+    }
+    return c.req.raw?.socket?.remoteAddress || 'unknown';
+  };
+
+  const cleanupLoginAttempts = () => {
+    if (loginAttempts.size <= loginThrottleConfig.maxEntries) {
+      return;
+    }
+    const oldestKey = loginAttempts.keys().next().value;
+    if (oldestKey) {
+      loginAttempts.delete(oldestKey);
+    }
+  };
+
+  const getThrottleRecord = (key, now) => {
+    if (!loginThrottleConfig.enabled) return null;
+    let record = loginAttempts.get(key);
+    if (record && record.blockedUntil && now > record.blockedUntil) {
+      loginAttempts.delete(key);
+      record = null;
+    }
+    if (!record || now - record.firstAttemptAt > loginThrottleConfig.windowMs) {
+      record = { attempts: 0, firstAttemptAt: now, blockedUntil: null };
+      loginAttempts.set(key, record);
+      cleanupLoginAttempts();
+    }
+    return record;
+  };
+
+  const registerFailedAttempt = (record, now) => {
+    if (!loginThrottleConfig.enabled || !record) {
+      return { blocked: false };
+    }
+    record.attempts += 1;
+    record.lastAttemptAt = now;
+    if (record.attempts >= loginThrottleConfig.maxAttempts) {
+      record.blockedUntil = now + loginThrottleConfig.blockDurationMs;
+      const retryAfter = Math.ceil((record.blockedUntil - now) / 1000);
+      return { blocked: true, retryAfter };
+    }
+    return { blocked: false };
+  };
+
+  const buildPublicUser = (user) => {
+    const publicUser = { id: user.id };
+    const identifier = user[usernameField] ?? user.email ?? user.username;
+    if (identifier !== undefined) {
+      publicUser[usernameField] = identifier;
+    }
+
+    for (const field of allowedRegistrationFields) {
+      if (field === usernameField || field === passwordField) continue;
+      if (user[field] !== undefined) {
+        publicUser[field] = user[field];
+      }
+    }
+
+    if (schemaAttributes.role !== undefined && user.role !== undefined) {
+      publicUser.role = user.role;
+    }
+
+    if (schemaAttributes.active !== undefined && user.active !== undefined) {
+      publicUser.active = user.active;
+    }
+
+    return publicUser;
+  };
+
   // POST /auth/register - Register new user
-  if (allowRegistration) {
+  if (registrationConfig.enabled) {
     app.post('/register', asyncHandler(async (c) => {
       const data = await c.req.json();
       const username = data[usernameField];
       const password = data[passwordField];
-      const role = data.role || 'user';
 
       // Validate input
       if (!username || !password) {
@@ -68,17 +185,28 @@ export function createAuthRoutes(authResource, config = {}) {
       // Create user with dynamic fields
       // Only include fields from request + required auth fields
       const { id, ...dataWithoutId } = data; // Exclude id from request data
-      const userData = {
-        ...dataWithoutId, // Include all fields from request except id
-        [usernameField]: username, // Override to ensure correct value
-        [passwordField]: password // Will be auto-encrypted by schema (secret field)
-      };
-
-      // Add optional fields only if not provided
-      if (!userData.role) {
-        userData.role = role;
+      const userData = {};
+
+      for (const [key, value] of Object.entries(dataWithoutId)) {
+        if (!allowedRegistrationFields.has(key)) continue;
+        if (blockedRegistrationFields.has(key)) continue;
+        if (key === usernameField || key === passwordField) continue;
+        userData[key] = value;
       }
-      if (userData.active === undefined) {
+
+      userData[usernameField] = username;
+
+      if (isPasswordType) {
+        userData[passwordField] = password;
+      } else {
+        userData[passwordField] = await hashPassword(password);
+      }
+
+      if (schemaAttributes.role !== undefined) {
+        userData.role = registrationConfig.defaultRole;
+      }
+
+      if (schemaAttributes.active !== undefined) {
         userData.active = true;
       }
 
@@ -98,11 +226,8 @@ export function createAuthRoutes(authResource, config = {}) {
         );
       }
 
-      // Remove sensitive data from response
-      const { [passwordField]: _, ...userWithoutPassword } = user;
-
       const response = formatter.created({
-        user: userWithoutPassword,
+        user: buildPublicUser(user),
         ...(token && { token }) // Only include token if JWT driver
       }, `/auth/users/${user.id}`);
 
@@ -127,6 +252,25 @@ export function createAuthRoutes(authResource, config = {}) {
       const queryFilter = { [usernameField]: username };
       const users = await authResource.query(queryFilter);
       if (!users || users.length === 0) {
+        const now = Date.now();
+        let throttleRecord = null;
+        let throttleKey = null;
+        if (loginThrottleConfig.enabled) {
+          const ip = getClientIp(c);
+          throttleKey = `${ip}:${username}`;
+          throttleRecord = getThrottleRecord(throttleKey, now);
+          const throttleResult = registerFailedAttempt(throttleRecord, now);
+          if (throttleResult.blocked) {
+            c.header('Retry-After', throttleResult.retryAfter.toString());
+            const response = formatter.error('Too many login attempts. Try again later.', {
+              status: 429,
+              code: 'TOO_MANY_ATTEMPTS',
+              details: { retryAfter: throttleResult.retryAfter }
+            });
+            return c.json(response, response._status);
+          }
+        }
+
         const response = formatter.unauthorized('Invalid credentials');
         return c.json(response, response._status);
       }
@@ -139,6 +283,25 @@ export function createAuthRoutes(authResource, config = {}) {
         return c.json(response, response._status);
       }
 
+      const now = Date.now();
+      let throttleRecord = null;
+      let throttleKey = null;
+      if (loginThrottleConfig.enabled) {
+        const ip = getClientIp(c);
+        throttleKey = `${ip}:${username}`;
+        throttleRecord = getThrottleRecord(throttleKey, now);
+        if (throttleRecord && throttleRecord.blockedUntil && now < throttleRecord.blockedUntil) {
+          const retryAfter = Math.ceil((throttleRecord.blockedUntil - now) / 1000);
+          c.header('Retry-After', retryAfter.toString());
+          const response = formatter.error('Too many login attempts. Try again later.', {
+            status: 429,
+            code: 'TOO_MANY_ATTEMPTS',
+            details: { retryAfter }
+          });
+          return c.json(response, response._status);
+        }
+      }
+
       // Verify password (compare with password field)
       // For 'password' field type (bcrypt hash), use verifyPassword
       // For 'secret' field type (AES encryption), compare directly
@@ -163,6 +326,17 @@ export function createAuthRoutes(authResource, config = {}) {
       }
 
       if (!isValid) {
+        const throttleResult = registerFailedAttempt(throttleRecord, now);
+        if (throttleResult.blocked) {
+          c.header('Retry-After', throttleResult.retryAfter.toString());
+          const response = formatter.error('Too many login attempts. Try again later.', {
+            status: 429,
+            code: 'TOO_MANY_ATTEMPTS',
+            details: { retryAfter: throttleResult.retryAfter }
+          });
+          return c.json(response, response._status);
+        }
+
         const response = formatter.unauthorized('Invalid credentials');
         return c.json(response, response._status);
       }
@@ -189,10 +363,12 @@ export function createAuthRoutes(authResource, config = {}) {
       }
 
       // Remove sensitive data from response
-      const { [passwordField]: _, ...userWithoutPassword } = user;
+      if (loginThrottleConfig.enabled && throttleKey) {
+        loginAttempts.delete(throttleKey);
+      }
 
       const response = formatter.success({
-        user: userWithoutPassword,
+        user: buildPublicUser(user),
         token,
         expiresIn: jwtExpiresIn
       });
@@ -237,15 +413,7 @@ export function createAuthRoutes(authResource, config = {}) {
     }
 
     // If user is from JWT payload (no password field), return as is
-    if (!user.password) {
-      const response = formatter.success(user);
-      return c.json(response, response._status);
-    }
-
-    // Remove sensitive data
-    const { password: _, ...userWithoutPassword } = user;
-
-    const response = formatter.success(userWithoutPassword);
+    const response = formatter.success(buildPublicUser(user));
     return c.json(response, response._status);
   }));
 
@@ -262,7 +430,7 @@ export function createAuthRoutes(authResource, config = {}) {
     const newApiKey = generateApiKey();
 
     // Update user
-    await usersResource.update(user.id, {
+    await authResource.update(user.id, {
       apiKey: newApiKey
     });
 

package/src/plugins/api/routes/resource-routes.js

@@ -141,17 +141,30 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
         }
       }
 
+      // ✅ NEW: Check for partition filters from guards (set via ctx.setPartition())
+      const guardPartitionFilters = c.get('partitionFilters') || [];
+
       let items;
       let total;
 
-      // Use query if filters are present
-      if (Object.keys(filters).length > 0) {
+      // ✅ Priority 1: Partition filters from guards (tenant isolation)
+      if (guardPartitionFilters.length > 0) {
+        const { partitionName, partitionFields } = guardPartitionFilters[0];
+
+        // Use partition query for O(1) tenant isolation
+        items = await resource.listPartition(partitionName, partitionFields, { limit, offset });
+        total = items.length;
+      }
+      // Priority 2: Use query if filters are present
+      else if (Object.keys(filters).length > 0) {
         // Query with native offset support (efficient!)
         items = await resource.query(filters, { limit, offset });
         // Note: total is approximate (length of returned items)
         // For exact total count with filters, would need separate count query
         total = items.length;
-      } else if (partition && partitionValues) {
+      }
+      // Priority 3: Partition from query params
+      else if (partition && partitionValues) {
         // Query specific partition
         items = await resource.listPartition({
           partition,
@@ -160,7 +173,9 @@ export function createResourceRoutes(resource, version, config = {}, Hono) {
           offset
         });
         total = items.length;
-      } else {
+      }
+      // Priority 4: Regular list (full scan)
+      else {
         // Regular list
         items = await resource.list({ limit, offset });
         total = items.length;