tina4-nodejs 3.10.76 → 3.10.84

package/CLAUDE.md

@@ -121,7 +121,7 @@ The HTTP foundation. Handles request/response lifecycle, route matching, middlew
 - `auth.ts` — Authentication helpers
 - `cache.ts` — In-memory caching
 - `session.ts` — Session management with pluggable handlers. `TINA4_SESSION_SAMESITE` env var (default: Lax)
-- `websocket.ts` — WebSocket support with backplane for scaling via Redis pub/sub (`TINA4_WS_BACKPLANE`, `TINA4_WS_BACKPLANE_URL`)
+- `websocket.ts` — WebSocket support with backplane for scaling via Redis pub/sub (`TINA4_WS_BACKPLANE`, `TINA4_WS_BACKPLANE_URL`). Rooms API: `wss.joinRoom(clientId, room)`, `wss.leaveRoom(clientId, room)`, `wss.broadcastToRoom(room, msg, excludeIds?)`, `wss.getRoomConnections(room)`, `wss.roomCount(room)`, `wss.getClientRooms(clientId)`
 - `queue.ts` — Queue system with pluggable backends
 - `graphql.ts` — GraphQL engine
 - `i18n.ts` — Internationalization / localization

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tina4-nodejs",
-  "version": "3.10.76",
+  "version": "3.10.84",
   "type": "module",
   "description": "Tina4 for Node.js/TypeScript — 54 built-in features, zero dependencies",
   "keywords": ["tina4", "framework", "web", "api", "orm", "graphql", "websocket", "typescript"],

package/packages/core/src/auth.ts

@@ -32,31 +32,29 @@ function base64urlDecode(str: string): Buffer {
 /**
  * Create a signed JWT token.
  *
- * @param payload  - Claims to encode (e.g. `{ userId: 1, role: "admin" }`)
- * @param secret   - HMAC secret (HS256) or PEM private key (RS256)
+ * Secret is always read from `process.env.SECRET`.
+ * Algorithm is read from `process.env.TINA4_JWT_ALGORITHM` (default "HS256").
+ *
+ * @param payload   - Claims to encode (e.g. `{ userId: 1, role: "admin" }`)
  * @param expiresIn - Lifetime in seconds (default 3600)
- * @param algorithm - "HS256" or "RS256" (default "HS256")
  * @returns Signed JWT string: header.payload.signature
  */
 export function getToken(
   payload: Record<string, unknown>,
-  secret?: string,
-  expiresIn: number = 60,
-  algorithm: string = "HS256",
+  expiresIn: number = 3600,
 ): string {
+  const secret = process.env.SECRET ?? "";
   if (!secret) {
-    secret = process.env.SECRET ?? "";
-    if (!secret) {
-      console.warn("Auth: SECRET not set in .env — using blank secret (insecure)");
-    }
+    console.warn("Auth: SECRET not set in .env — using blank secret (insecure)");
   }
+  const algorithm = process.env.TINA4_JWT_ALGORITHM ?? "HS256";
 
   const header = { alg: algorithm, typ: "JWT" };
   const now = Math.floor(Date.now() / 1000);
 
   const claims: Record<string, unknown> = { ...payload, iat: now };
   if (expiresIn !== 0) {
-    claims.exp = now + Math.floor(expiresIn * 60);
+    claims.exp = now + expiresIn;
   }
 
   const h = base64urlEncode(Buffer.from(JSON.stringify(header)));
@@ -68,39 +66,37 @@ export function getToken(
 }
 
 /**
- * Validate a JWT token and return the decoded payload, or null if invalid/expired.
+ * Validate a JWT token and return the decoded payload, or false if invalid/expired.
+ *
+ * Secret is always read from `process.env.SECRET`.
+ * Algorithm is read from `process.env.TINA4_JWT_ALGORITHM` (default "HS256").
  */
-export function validToken(
-  token: string,
-  secret?: string,
-  algorithm: string = "HS256",
-): Record<string, unknown> | null {
+export function validToken(token: string): boolean {
+  const secret = process.env.SECRET ?? "";
   if (!secret) {
-    secret = process.env.SECRET ?? "";
-    if (!secret) {
-      console.warn("Auth: SECRET not set in .env — using blank secret (insecure)");
-    }
+    console.warn("Auth: SECRET not set in .env — using blank secret (insecure)");
   }
+  const algorithm = process.env.TINA4_JWT_ALGORITHM ?? "HS256";
   try {
     const parts = token.split(".");
-    if (parts.length !== 3) return null;
+    if (parts.length !== 3) return false;
 
     const [h, p, sig] = parts;
     const signingInput = `${h}.${p}`;
 
-    if (!verifySignature(signingInput, sig, secret, algorithm)) {
-      return null;
+    if (!verifySignature(signingInput, sig, secret as string, algorithm)) {
+      return false;
     }
 
     const payload = JSON.parse(base64urlDecode(p).toString()) as Record<string, unknown>;
 
     if (typeof payload.exp === "number" && Date.now() / 1000 > payload.exp) {
-      return null;
+      return false;
     }
 
-    return payload;
+    return true;
   } catch {
-    return null;
+    return false;
   }
 }
 
@@ -205,7 +201,7 @@ export function checkPassword(password: string, hash: string): boolean {
  * Authorization header. On success, attaches the decoded payload to
  * `(request as any).auth`. On failure, sends a 401 JSON response.
  */
-export function authMiddleware(secret: string, algorithm: string = "HS256"): Middleware {
+export function authMiddleware(secret?: string, algorithm: string = "HS256"): Middleware {
   return (req: Tina4Request, res: Tina4Response, next: () => void): void => {
     const authHeader = req.headers.authorization ?? "";
 
@@ -215,14 +211,12 @@ export function authMiddleware(secret: string, algorithm: string = "HS256"): Mid
     }
 
     const token = authHeader.slice(7);
-    const payload = validToken(token, secret, algorithm);
-
-    if (payload === null) {
+    if (!validToken(token)) {
       res({ error: "Unauthorized" }, 401);
       return;
     }
 
-    (req as any).auth = payload;
+    (req as any).auth = getPayload(token);
     next();
   };
 }
@@ -233,24 +227,24 @@ export function authMiddleware(secret: string, algorithm: string = "HS256"): Mid
  * Refresh a JWT token — validate the existing token then re-sign
  * with a fresh expiry.
  *
+ * Secret is always read from `process.env.SECRET`.
+ *
  * @param token     - Existing JWT to refresh
- * @param secret    - HMAC secret or PEM key
  * @param expiresIn - New lifetime in seconds (default 3600)
- * @param algorithm - "HS256" or "RS256" (default "HS256")
  * @returns New signed JWT string, or null if the input token is invalid/expired
  */
 export function refreshToken(
   token: string,
-  secret?: string,
-  expiresIn: number = 60,
-  algorithm: string = "HS256",
+  expiresIn: number = 3600,
 ): string | null {
-  const payload = validToken(token, secret, algorithm);
-  if (payload === null) return null;
+  if (!validToken(token)) return null;
+
+  const payload = getPayload(token);
+  if (!payload) return null;
 
   // Strip standard timing claims so getToken sets fresh ones
   const { iat: _iat, exp: _exp, ...claims } = payload;
-  return getToken(claims, secret, expiresIn, algorithm);
+  return getToken(claims, expiresIn);
 }
 
 // ── Request Authentication ───────────────────────────────────────
@@ -275,9 +269,8 @@ export function authenticateRequest(
 
   const token = authHeader.slice(7);
 
-  // Try JWT first
-  const payload = validToken(token, secret, algorithm);
-  if (payload !== null) return payload;
+  // Try JWT first (secret/algorithm params kept for backward compat but validToken reads from env)
+  if (validToken(token)) return getPayload(token);
 
   // Fallback: treat Bearer value as API key
   if (validateApiKey(token)) {
@@ -287,14 +280,6 @@ export function authenticateRequest(
   return null;
 }
 
-// ── Backward-Compatible Aliases ──────────────────────────────────
-
-/** Alias for getToken() — kept for backward compatibility. */
-export const createToken = getToken;
-
-/** Alias for validToken() — kept for backward compatibility. */
-export const validateToken = validToken;
-
 // ── API Key Validation ───────────────────────────────────────────
 
 /**
@@ -341,7 +326,4 @@ export class Auth {
   static refreshToken = refreshToken;
   static authenticateRequest = authenticateRequest;
   static validateApiKey = validateApiKey;
-  // Legacy aliases
-  static createToken = getToken;
-  static validateToken = validToken;
 }

package/packages/core/src/index.ts

@@ -38,7 +38,7 @@ export {
   APPLICATION_OCTET, TEXT_HTML, TEXT_PLAIN, TEXT_CSV, TEXT_XML,
 } from "./constants.js";
 export {
-  getToken, validToken, createToken, validateToken, getPayload,
+  getToken, validToken, getPayload,
   hashPassword, checkPassword,
   authMiddleware,
   refreshToken, authenticateRequest, validateApiKey,
@@ -52,6 +52,8 @@ export { ScssCompiler } from "./scss.js";
 export type { ScssConfig } from "./scss.js";
 export { Queue } from "./queue.js";
 export type { QueueConfig, QueueJob, ProcessOptions } from "./queue.js";
+export { createJob } from "./job.js";
+export type { JobData, JobQueueBridge } from "./job.js";
 export { GraphQL, ParseError } from "./graphql.js";
 export type { GraphQLField, ResolverFn, GraphQLResult } from "./graphql.js";
 export {
@@ -79,6 +81,7 @@ export { renderErrorOverlay, renderProductionError, isDebugMode } from "./errorO
 export { AI_TOOLS, isInstalled, showMenu, installSelected, installAll, generateContext } from "./ai.js";
 export type { AiTool } from "./ai.js";
 export type { ImapMessage, ImapFullMessage } from "./messenger.js";
+export { LiteBackend } from "./queueBackends/liteBackend.js";
 export { RabbitMQBackend } from "./queueBackends/rabbitmqBackend.js";
 export type { RabbitMQConfig } from "./queueBackends/rabbitmqBackend.js";
 export { KafkaBackend } from "./queueBackends/kafkaBackend.js";

package/packages/core/src/job.ts

@@ -0,0 +1,86 @@
+/**
+ * Tina4 Queue Job — a single queue job with lifecycle methods.
+ */
+
+// ── Types ────────────────────────────────────────────────────
+
+export interface JobData {
+  id: string;
+  payload: unknown;
+  status: "pending" | "reserved" | "failed" | "dead" | "completed";
+  createdAt: string;
+  attempts: number;
+  delayUntil: string | null;
+  priority: number;
+  topic: string;
+  error?: string;
+}
+
+export interface JobLifecycle {
+  /** Mark this job as completed. */
+  complete(): void;
+  /** Mark this job as failed with a reason. */
+  fail(reason?: string): void;
+  /** Reject this job with a reason. Alias for fail(). */
+  reject(reason?: string): void;
+  /** Re-queue this job with incremented attempts and optional delay. */
+  retry(delaySeconds?: number): void;
+  /** Return job fields as a flat array of values. */
+  toArray(): unknown[];
+  /** Return job as a plain object. */
+  toHash(): Record<string, unknown>;
+  /** Return job as a JSON string. */
+  toJson(): string;
+}
+
+export type QueueJob = JobData & JobLifecycle;
+
+// ── Job factory ──────────────────────────────────────────────
+
+export interface JobQueueBridge {
+  _failJob(topic: string, job: QueueJob, reason: string, maxRetries: number): void;
+  _retryJob(topic: string, job: QueueJob, delaySeconds?: number): void;
+  getMaxRetries(): number;
+}
+
+/** Create a QueueJob with lifecycle methods bound to a Queue instance. */
+export function createJob(data: JobData, queue: JobQueueBridge): QueueJob {
+  const job: QueueJob = {
+    ...data,
+    complete() {
+      job.status = "completed";
+    },
+    fail(reason = "") {
+      job.status = "failed";
+      job.error = reason;
+      job.attempts = (job.attempts || 0) + 1;
+      queue._failJob(job.topic, job, reason, queue.getMaxRetries());
+    },
+    reject(reason = "") {
+      job.fail(reason);
+    },
+    retry(delaySeconds?: number) {
+      queue._retryJob(job.topic, job, delaySeconds);
+    },
+    toArray() {
+      return [job.id, job.topic, job.payload, job.priority, job.attempts];
+    },
+    toHash() {
+      return {
+        id: job.id,
+        topic: job.topic,
+        payload: job.payload,
+        priority: job.priority,
+        attempts: job.attempts,
+        status: job.status,
+        createdAt: job.createdAt,
+        delayUntil: job.delayUntil,
+        error: job.error,
+      };
+    },
+    toJson() {
+      return JSON.stringify(job.toHash());
+    },
+  };
+  return job;
+}

package/packages/core/src/middleware.ts

@@ -1,5 +1,5 @@
 import type { Tina4Request, Tina4Response, Middleware } from "./types.js";
-import { validToken } from "./auth.js";
+import { validToken, getPayload } from "./auth.js";
 
 export class MiddlewareChain {
   private middlewares: Middleware[] = [];
@@ -455,9 +455,7 @@ export class CsrfMiddleware {
     if (authHeader.startsWith("Bearer ")) {
       const bearerToken = authHeader.slice(7).trim();
       if (bearerToken) {
-        const secret = process.env.SECRET || "tina4-default-secret";
-        const payload = validToken(bearerToken, secret);
-        if (payload !== null) {
+        if (validToken(bearerToken)) {
           return [req, res];
         }
       }
@@ -494,10 +492,7 @@ export class CsrfMiddleware {
     }
 
     // Validate the token
-    const secret = process.env.SECRET || "tina4-default-secret";
-    const payload = validToken(token, secret);
-
-    if (payload === null) {
+    if (!validToken(token)) {
       res({
         error: "CSRF_INVALID",
         message: "Invalid or missing form token",
@@ -505,6 +500,8 @@ export class CsrfMiddleware {
       return [req, res];
     }
 
+    const payload = getPayload(token) ?? {};
+
     // Session binding — if token has session_id, verify it matches
     const tokenSessionId = payload.session_id as string | undefined;
     if (tokenSessionId) {