tina4-nodejs 3.9.0 → 3.9.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tina4-nodejs",
-  "version": "3.9.0",
+  "version": "3.9.1",
   "type": "module",
   "description": "This is not a framework. Tina4 for Node.js/TypeScript — zero deps, 38 built-in features.",
   "keywords": ["tina4", "framework", "web", "api", "orm", "graphql", "websocket", "typescript"],

package/packages/cli/src/commands/init.ts

@@ -91,6 +91,45 @@ data/
 `
   );
 
+  // Dockerfile
+  if (!existsSync(join(targetDir, "Dockerfile"))) {
+    writeFileSync(
+      join(targetDir, "Dockerfile"),
+      `# Build stage
+FROM node:22-alpine AS build
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --production
+COPY . .
+
+# Runtime stage
+FROM node:22-alpine
+WORKDIR /app
+COPY --from=build /app .
+ENV HOST=0.0.0.0
+ENV PORT=7148
+EXPOSE 7148
+CMD ["npx", "tsx", "app.ts"]
+`
+    );
+  }
+
+  // .dockerignore
+  if (!existsSync(join(targetDir, ".dockerignore"))) {
+    writeFileSync(
+      join(targetDir, ".dockerignore"),
+      `node_modules
+dist
+.git
+.claude
+.env
+*.log
+test
+tmp
+`
+    );
+  }
+
   // Sample route: GET /api/hello
   writeFileSync(
     join(targetDir, "src/routes/api/hello/get.ts"),

package/packages/core/src/index.ts

@@ -17,7 +17,7 @@ export { Router, RouteGroup, RouteRef, defaultRouter, runRouteMiddlewares } from
 export { get, post, put, patch, del, any, websocket, del as delete } from "./router.js";
 export type { RouteInfo } from "./router.js";
 export { discoverRoutes } from "./routeDiscovery.js";
-export { MiddlewareChain, MiddlewareRunner, cors, requestLogger, CorsMiddleware, RateLimiterMiddleware, RequestLogger, SecurityHeadersMiddleware } from "./middleware.js";
+export { MiddlewareChain, MiddlewareRunner, cors, requestLogger, CorsMiddleware, RateLimiterMiddleware, RequestLogger, SecurityHeadersMiddleware, CsrfMiddleware } from "./middleware.js";
 export type { CorsConfig } from "./middleware.js";
 export { createRequest, parseBody } from "./request.js";
 export { createResponse, errorResponse } from "./response.js";

package/packages/core/src/middleware.ts

@@ -1,4 +1,5 @@
 import type { Tina4Request, Tina4Response, Middleware } from "./types.js";
+import { validToken } from "./auth.js";
 
 export class MiddlewareChain {
   private middlewares: Middleware[] = [];
@@ -146,7 +147,7 @@ export function cors(config?: CorsConfig): Middleware {
 
   const headersRaw = config?.headers
     ?? process.env.TINA4_CORS_HEADERS
-    ?? "Content-Type, Authorization";
+    ?? "Content-Type,Authorization,X-Request-ID";
   const allowedHeaders = Array.isArray(headersRaw)
     ? headersRaw.join(", ")
     : headersRaw;
@@ -205,7 +206,9 @@ export class CorsMiddleware {
       ?? "GET, POST, PUT, DELETE, PATCH, OPTIONS";
 
     const allowedHeaders = process.env.TINA4_CORS_HEADERS
-      ?? "Content-Type, Authorization";
+      ?? "Content-Type,Authorization,X-Request-ID";
+
+    const credentials = process.env.TINA4_CORS_CREDENTIALS ?? "true";
 
     const maxAge = process.env.TINA4_CORS_MAX_AGE
       ? parseInt(process.env.TINA4_CORS_MAX_AGE, 10)
@@ -226,6 +229,11 @@ export class CorsMiddleware {
       res.header("Access-Control-Allow-Methods", allowedMethods);
       res.header("Access-Control-Allow-Headers", allowedHeaders);
 
+      // Add credentials header when enabled and origin is not wildcard
+      if (credentials === "true" && originHeader !== "*") {
+        res.header("Access-Control-Allow-Credentials", "true");
+      }
+
       if (req.method === "OPTIONS") {
         res.header("Access-Control-Max-Age", String(maxAge));
         res(null, 204);
@@ -402,6 +410,126 @@ export class SecurityHeadersMiddleware {
   }
 }
 
+/**
+ * Class-based CSRF middleware using the before/after convention.
+ * Validates form tokens on state-changing requests (POST, PUT, PATCH, DELETE).
+ *
+ * Off by default — only active when TINA4_CSRF=true in .env or when
+ * registered explicitly via Router.use(CsrfMiddleware).
+ *
+ * Behaviour:
+ *   - Skips GET, HEAD, OPTIONS requests.
+ *   - Skips routes marked .noAuth().
+ *   - Skips requests with a valid Authorization: Bearer header (API clients).
+ *   - Checks request body formToken then X-Form-Token header.
+ *   - Rejects if token found in query string formToken (log warning, 403).
+ *   - Validates token with validToken using SECRET env var.
+ *   - If token payload has session_id, verifies it matches request session.
+ *   - Returns 403 on failure.
+ *
+ * Usage:
+ *   Router.use(CsrfMiddleware);
+ */
+export class CsrfMiddleware {
+  static beforeCsrf(req: Tina4Request, res: Tina4Response): [Tina4Request, Tina4Response] {
+    // Skip CSRF validation entirely if disabled via env
+    const csrfEnv = process.env.TINA4_CSRF;
+    if (csrfEnv === "false" || csrfEnv === "0" || csrfEnv === "no") {
+      return [req, res];
+    }
+
+    // Skip safe HTTP methods
+    const method = (req.method ?? "GET").toUpperCase();
+    if (method === "GET" || method === "HEAD" || method === "OPTIONS") {
+      return [req, res];
+    }
+
+    // Skip routes marked noAuth
+    const route = (req as any)._route ?? (req as any).route;
+    if (route?.noAuth) {
+      return [req, res];
+    }
+
+    // Skip requests with valid Bearer token (API clients)
+    const authHeader = req.headers.authorization ?? "";
+    if (authHeader.startsWith("Bearer ")) {
+      const bearerToken = authHeader.slice(7).trim();
+      if (bearerToken) {
+        const secret = process.env.SECRET || "tina4-default-secret";
+        const payload = validToken(bearerToken, secret);
+        if (payload !== null) {
+          return [req, res];
+        }
+      }
+    }
+
+    // Reject if token is in query string (security risk)
+    const query = (req as any).query ?? {};
+    if (query.formToken) {
+      console.warn("[Tina4 CSRF] Token found in query string — rejected for security");
+      res({
+        error: "CSRF_INVALID",
+        message: "Form token must not be sent in the URL query string",
+      }, 403);
+      return [req, res];
+    }
+
+    // Extract token: body first, then header
+    let token: string | undefined;
+    const body = (req as any).body;
+    if (body && typeof body === "object" && body.formToken) {
+      token = String(body.formToken);
+    }
+
+    if (!token) {
+      token = (req.headers["x-form-token"] as string) ?? "";
+    }
+
+    if (!token) {
+      res({
+        error: "CSRF_INVALID",
+        message: "Invalid or missing form token",
+      }, 403);
+      return [req, res];
+    }
+
+    // Validate the token
+    const secret = process.env.SECRET || "tina4-default-secret";
+    const payload = validToken(token, secret);
+
+    if (payload === null) {
+      res({
+        error: "CSRF_INVALID",
+        message: "Invalid or missing form token",
+      }, 403);
+      return [req, res];
+    }
+
+    // Session binding — if token has session_id, verify it matches
+    const tokenSessionId = payload.session_id as string | undefined;
+    if (tokenSessionId) {
+      const session = (req as any).session;
+      let currentSessionId: string | undefined;
+      if (session) {
+        currentSessionId = session.session_id ?? session.sessionId ?? session.id;
+        if (typeof currentSessionId === "function") {
+          currentSessionId = undefined;
+        }
+      }
+
+      if (currentSessionId && tokenSessionId !== currentSessionId) {
+        res({
+          error: "CSRF_INVALID",
+          message: "Invalid or missing form token",
+        }, 403);
+        return [req, res];
+      }
+    }
+
+    return [req, res];
+  }
+}
+
 // Built-in request logger middleware (function form — kept for backwards compat)
 export function requestLogger(): Middleware {
   return (req, res, next) => {

package/packages/core/src/queue.ts

@@ -48,6 +48,8 @@ export interface QueueJob {
   createdAt: string;
   attempts: number;
   delayUntil: string | null;
+  priority: number;
+  topic: string;
   error?: string;
   /** Mark this job as completed. */
   complete(): void;
@@ -55,12 +57,15 @@ export interface QueueJob {
   fail(reason?: string): void;
   /** Reject this job with a reason. Alias for fail(). */
   reject(reason?: string): void;
+  /** Re-queue this job with incremented attempts and optional delay. */
+  retry(delaySeconds?: number): void;
 }
 
 /** Create a QueueJob with lifecycle methods bound to a Queue instance. */
-function createJob(data: Omit<QueueJob, "complete" | "fail" | "reject">, queue: Queue, topic: string): QueueJob {
+function createJob(data: Omit<QueueJob, "complete" | "fail" | "reject" | "retry">, queue: Queue, topic: string): QueueJob {
   const job: QueueJob = {
     ...data,
+    topic,
     complete() {
       job.status = "completed";
     },
@@ -73,6 +78,9 @@ function createJob(data: Omit<QueueJob, "complete" | "fail" | "reject">, queue:
     reject(reason = "") {
       job.fail(reason);
     },
+    retry(delaySeconds?: number) {
+      queue._retryJob(topic, job, delaySeconds);
+    },
   };
   return job;
 }
@@ -160,25 +168,32 @@ export class Queue {
    * Add a job to the queue. Returns job ID.
    *
    * Can be called as:
-   *   queue.push(payload)                 — uses constructor topic
-   *   queue.push(payload, delay)          — uses constructor topic with delay
-   *   queue.push("queueName", payload)    — legacy: explicit queue name
+   *   queue.push(payload)                          — uses constructor topic
+   *   queue.push(payload, delay)                   — uses constructor topic with delay
+   *   queue.push(payload, delay, priority)         — uses constructor topic with delay and priority
+   *   queue.push("queueName", payload)             — legacy: explicit queue name
+   *   queue.push("queueName", payload, delay)      — legacy with delay
+   *
+   * @param priority — Higher value = higher priority. Default 0.
    */
-  push(queueOrPayload: string | unknown, payloadOrDelay?: unknown, delay?: number): string {
+  push(queueOrPayload: string | unknown, payloadOrDelay?: unknown, delay?: number, priority?: number): string {
     let queue: string;
     let payload: unknown;
     let actualDelay: number | undefined;
+    let actualPriority: number;
 
     if (typeof queueOrPayload === "string" && payloadOrDelay !== undefined && typeof payloadOrDelay !== "number") {
-      // Legacy: push("queueName", payload, delay?)
+      // Legacy: push("queueName", payload, delay?, priority?)
       queue = queueOrPayload;
       payload = payloadOrDelay;
       actualDelay = delay;
+      actualPriority = priority ?? 0;
     } else {
-      // Unified: push(payload) or push(payload, delay)
+      // Unified: push(payload) or push(payload, delay) or push(payload, delay, priority)
       queue = this.topic;
       payload = queueOrPayload;
       actualDelay = typeof payloadOrDelay === "number" ? payloadOrDelay : delay;
+      actualPriority = typeof payloadOrDelay === "number" ? (delay ?? 0) : (priority ?? 0);
     }
 
     if (this.externalBackend) {
@@ -189,13 +204,14 @@ export class Queue {
     const now = new Date().toISOString();
     this.seq++;
 
-    const job: QueueJob = {
+    const job = {
       id,
       payload,
-      status: "pending",
+      status: "pending" as const,
       createdAt: now,
       attempts: 0,
       delayUntil: actualDelay ? new Date(Date.now() + actualDelay * 1000).toISOString() : null,
+      priority: actualPriority,
     };
 
     const prefix = `${Date.now()}-${String(this.seq).padStart(6, "0")}`;
@@ -240,6 +256,8 @@ export class Queue {
       if (job.delayUntil && job.delayUntil > now) continue;
 
       job.status = "reserved";
+      job.topic = q;
+      job.priority = job.priority ?? 0;
       writeFileSync(filePath, JSON.stringify(job, null, 2));
 
       try {
@@ -248,7 +266,7 @@ export class Queue {
         // Already consumed by another worker
       }
 
-      return job;
+      return createJob(job as any, this, q);
     }
 
     return null;
@@ -302,14 +320,29 @@ export class Queue {
   }
 
   /**
-   * Count pending jobs in a queue.
+   * Count jobs in a queue filtered by status.
+   *
+   * @param queue  — Queue/topic name (defaults to constructor topic)
+   * @param status — Job status to count: "pending" (default) or "failed"
    */
-  size(queue?: string): number {
+  size(queue?: string, status: string = "pending"): number {
     const q = queue ?? this.topic;
 
     if (this.externalBackend) {
       return this.externalBackend.size(q);
     }
+
+    if (status === "failed") {
+      const failedDir = this.ensureFailedDir(q);
+      let files: string[];
+      try {
+        files = readdirSync(failedDir).filter(f => f.endsWith(".queue-data"));
+      } catch {
+        return 0;
+      }
+      return files.length;
+    }
+
     const dir = this.ensureDir(q);
     let files: string[];
     try {
@@ -321,8 +354,8 @@ export class Queue {
     let count = 0;
     for (const file of files) {
       try {
-        const job: QueueJob = JSON.parse(readFileSync(join(dir, file), "utf-8"));
-        if (job.status === "pending") count++;
+        const job = JSON.parse(readFileSync(join(dir, file), "utf-8"));
+        if (job.status === status) count++;
       } catch {
         // skip corrupt files
       }
@@ -660,4 +693,19 @@ export class Queue {
 
     writeFileSync(join(failedDir, `${job.id}.queue-data`), JSON.stringify(job, null, 2));
   }
+
+  /**
+   * Re-queue a job back to the main queue directory with incremented attempts.
+   */
+  _retryJob(queue: string, job: QueueJob, delaySeconds?: number): void {
+    const dir = this.ensureDir(queue);
+    job.status = "pending";
+    job.attempts = (job.attempts || 0) + 1;
+    job.error = undefined;
+    job.delayUntil = delaySeconds ? new Date(Date.now() + delaySeconds * 1000).toISOString() : null;
+
+    this.seq++;
+    const prefix = `${Date.now()}-${String(this.seq).padStart(6, "0")}`;
+    writeFileSync(join(dir, `${prefix}_${job.id}.queue-data`), JSON.stringify(job, null, 2));
+  }
 }

package/packages/core/src/router.ts

@@ -9,6 +9,7 @@ interface MatchResult {
   template?: string;
   secure?: boolean;
   cached?: boolean;
+  noAuth?: boolean;
 }
 
 interface CompiledRoute {
@@ -21,6 +22,7 @@ interface CompiledRoute {
   middlewares?: Middleware[];
   secure?: boolean;
   cached?: boolean;
+  noAuth?: boolean;
   cacheStore?: Map<string, { data: unknown; expires: number }>;
   cacheTtl?: number;
   template?: string;
@@ -41,6 +43,12 @@ export class RouteRef {
     return this;
   }
 
+  /** Opt out of secure-by-default auth (for public write routes). */
+  noAuth(): this {
+    this.route.noAuth = true;
+    return this;
+  }
+
   /** Mark this route's response as cacheable. */
   cache(): this {
     this.route.cached = true;
@@ -105,6 +113,11 @@ export class Router {
       routes.splice(existingIndex, 1);
     }
 
+    // Write methods (POST/PUT/PATCH/DELETE) are secure by default
+    const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+    const isWrite = WRITE_METHODS.has(method);
+    const secureDefault = isWrite ? (definition.secure ?? true) : definition.secure;
+
     const compiled: CompiledRoute = {
       pattern: definition.pattern,
       regex,
@@ -113,8 +126,9 @@ export class Router {
       meta: definition.meta,
       filePath: definition.filePath,
       middlewares: definition.middlewares,
-      secure: definition.secure,
+      secure: secureDefault,
       cached: definition.cached,
+      noAuth: definition.noAuth,
       template: definition.template,
     };
     routes.push(compiled);
@@ -201,6 +215,7 @@ export class Router {
           template: route.template,
           secure: route.secure,
           cached: route.cached,
+          noAuth: route.noAuth,
         };
       }
     }
@@ -225,6 +240,7 @@ export class Router {
           template: route.template,
           secure: route.secure,
           cached: route.cached,
+          noAuth: route.noAuth,
         });
       }
     }

package/packages/core/src/server.ts

@@ -7,6 +7,7 @@ import cluster from "node:cluster";
 import os from "node:os";
 import type { Tina4Config, Tina4Request, Tina4Response } from "./types.js";
 import { Router, defaultRouter, runRouteMiddlewares } from "./router.js";
+import { validToken } from "./auth.js";
 import { discoverRoutes } from "./routeDiscovery.js";
 import { createRequest, parseBody } from "./request.js";
 import { createResponse } from "./response.js";
@@ -683,6 +684,21 @@ ${reset}
           if (!proceed || res.raw.writableEnded) return;
         }
 
+        // Auth enforcement: secure routes require a valid Bearer token
+        if (match.secure === true && match.noAuth !== true) {
+          const authHeader = req.headers.authorization ?? "";
+          const token = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : "";
+          const secret = process.env.SECRET || "";
+          const payload = token ? validToken(token, secret) : null;
+
+          if (!payload) {
+            res.raw.writeHead(401, { "Content-Type": "application/json" });
+            res.raw.end(JSON.stringify({ error: "Unauthorized" }));
+            return;
+          }
+          req.user = payload;
+        }
+
         // Inject path params by name into handler arguments, then request/response
         let result: unknown;
         const routeParams = req.params || {};

package/packages/core/src/service.ts

@@ -128,10 +128,11 @@ async function executeHandler(svc: RegisteredService): Promise<void> {
 }
 
 function startCronService(svc: RegisteredService): void {
-  const checkIntervalMs = parseInt(
-    process.env.TINA4_SERVICE_INTERVAL ?? "1000",
+  const sleepSeconds = parseInt(
+    process.env.TINA4_SERVICE_SLEEP ?? "5",
     10,
   );
+  const checkIntervalMs = sleepSeconds * 1000;
   let lastMinuteRun = -1;
 
   svc.timerId = setInterval(() => {

package/packages/core/src/types.ts

@@ -24,6 +24,7 @@ export interface Tina4Request extends IncomingMessage {
   ip: string;
   files: UploadedFile[];
   session: Tina4Session;
+  user?: Record<string, unknown>;
 }
 
 export interface CookieOptions {
@@ -84,6 +85,8 @@ export interface RouteDefinition {
   secure?: boolean;
   /** Whether this route's response should be cached */
   cached?: boolean;
+  /** Opt out of secure-by-default auth on write routes */
+  noAuth?: boolean;
 }
 
 export interface RouteMeta {

package/packages/frond/src/engine.ts

@@ -802,9 +802,22 @@ function _b64url(data: Buffer): string {
  *
  * @returns `<input type="hidden" name="formToken" value="TOKEN">`
  */
+/**
+ * Module-level session ID holder — set by the server before rendering
+ * templates so that form_token() can bind tokens to the current session.
+ */
+let _formTokenSessionId: string = "";
+
+/**
+ * Set the session ID used by formToken() / form_token() for CSRF session binding.
+ */
+export function setFormTokenSessionId(sessionId: string): void {
+  _formTokenSessionId = sessionId || "";
+}
+
 function _generateFormToken(descriptor: string = ""): SafeString {
   const secret = process.env.SECRET || "tina4-default-secret";
-  const ttlMinutes = parseInt(process.env.TINA4_TOKEN_LIMIT || "30", 10);
+  const ttlMinutes = parseInt(process.env.TINA4_TOKEN_LIMIT || "60", 10);
 
   const header = { alg: "HS256", typ: "JWT" };
   const now = Math.floor(Date.now() / 1000);
@@ -820,6 +833,11 @@ function _generateFormToken(descriptor: string = ""): SafeString {
     }
   }
 
+  // Include session_id for CSRF session binding
+  if (_formTokenSessionId) {
+    payload.session_id = _formTokenSessionId;
+  }
+
   const h = _b64url(Buffer.from(JSON.stringify(header)));
   const p = _b64url(Buffer.from(JSON.stringify(payload)));
   const sigInput = `${h}.${p}`;

package/packages/orm/src/database.ts

@@ -205,6 +205,9 @@ export class Database {
   /** Factory for creating new adapters (used by pool) */
   private adapterFactory: (() => Promise<DatabaseAdapter>) | null = null;
 
+  /** Whether to automatically commit after each write operation */
+  private autoCommit: boolean = process.env.TINA4_AUTOCOMMIT === "true";
+
   /**
    * Create a Database wrapping an existing adapter.
    * For creating a Database from a URL, use the async static factories:
@@ -305,22 +308,42 @@ export class Database {
 
   /** Execute a statement (INSERT, UPDATE, DELETE, DDL). */
   execute(sql: string, params?: unknown[]): unknown {
-    return this.getNextAdapter().execute(sql, params);
+    const adapter = this.getNextAdapter();
+    const result = adapter.execute(sql, params);
+    if (this.autoCommit) {
+      try { adapter.commit(); } catch { /* no active transaction */ }
+    }
+    return result;
   }
 
   /** Insert a row into a table. */
   insert(table: string, data: Record<string, unknown>): DatabaseWriteResult {
-    return this.getNextAdapter().insert(table, data);
+    const adapter = this.getNextAdapter();
+    const result = adapter.insert(table, data);
+    if (this.autoCommit) {
+      try { adapter.commit(); } catch { /* no active transaction */ }
+    }
+    return result;
   }
 
   /** Update rows in a table matching filter. */
   update(table: string, data: Record<string, unknown>, filter?: Record<string, unknown>): DatabaseWriteResult {
-    return this.getNextAdapter().update(table, data, filter ?? {});
+    const adapter = this.getNextAdapter();
+    const result = adapter.update(table, data, filter ?? {});
+    if (this.autoCommit) {
+      try { adapter.commit(); } catch { /* no active transaction */ }
+    }
+    return result;
   }
 
   /** Delete rows from a table matching filter. */
   delete(table: string, filter?: Record<string, unknown>): DatabaseWriteResult {
-    return this.getNextAdapter().delete(table, filter ?? {});
+    const adapter = this.getNextAdapter();
+    const result = adapter.delete(table, filter ?? {});
+    if (this.autoCommit) {
+      try { adapter.commit(); } catch { /* no active transaction */ }
+    }
+    return result;
   }
 
   /** Close all database connections (pool or single). */

package/packages/swagger/src/generator.ts

@@ -15,7 +15,7 @@ export function generateOpenAPISpec(
   const spec: OpenAPISpec = {
     openapi: "3.0.3",
     info: {
-      title: "Tina4 API",
+      title: process.env.SWAGGER_TITLE ?? "Tina4 API",
       version: "0.0.1",
       description: "Auto-generated API documentation",
     },