underpost 2.8.878 → 2.8.882

package/src/server/auth.js

@@ -306,6 +306,61 @@ const validatePasswordMiddleware = (req) => {
 };
 
 // ---------- Session & Refresh token management ----------
+
+/**
+ * Creates cookie options for the refresh token.
+ * @param {import('express').Request} req The Express request object.
+ * @returns {object} Cookie options.
+ * @memberof Auth
+ */
+const cookieOptionsFactory = (req) => {
+  const isProduction = process.env.NODE_ENV === 'production';
+
+  // Determine hostname safely:
+  // Prefer origin header if present (it contains protocol + host)
+  let candidateHost = undefined;
+  try {
+    if (req.headers && req.headers.origin) {
+      candidateHost = new URL(req.headers.origin).hostname;
+    }
+  } catch (e) {
+    /* ignore parse error */
+    logger.error(e);
+  }
+
+  // fallback to req.hostname (Express sets this; ensure trust proxy if behind proxy)
+  if (!candidateHost) candidateHost = (req.hostname || '').split(':')[0];
+
+  candidateHost = (candidateHost || '').trim().replace(/^www\./i, '');
+
+  // Do not set domain for localhost, 127.x.x.x, or plain IPs
+  const isIpOrLocal = /^(localhost|127(?:\.\d+){0,2}\.\d+|\[::1\]|\d+\.\d+\.\d+\.\d+)$/i.test(candidateHost);
+  const domain = isProduction && candidateHost && !isIpOrLocal ? `.${candidateHost}` : undefined;
+
+  // Determine if request is secure: respect X-Forwarded-Proto when behind proxy
+  const forwardedProto = (req.headers && req.headers['x-forwarded-proto']) || '';
+  const reqIsSecure = Boolean(req.secure || forwardedProto.split(',')[0] === 'https');
+
+  // secure must be true for SameSite=None to work across sites
+  const secure = isProduction ? reqIsSecure : false;
+  const sameSite = secure ? 'None' : 'Lax';
+
+  // Safe parse of maxAge minutes
+  const minutes = Number.parseInt(process.env.REFRESH_EXPIRE_MINUTES, 10);
+  const maxAge = Number.isFinite(minutes) && minutes > 0 ? minutes * 60 * 1000 : undefined;
+
+  const opts = {
+    httpOnly: true,
+    secure,
+    sameSite,
+    path: '/',
+  };
+  if (typeof maxAge !== 'undefined') opts.maxAge = maxAge;
+  if (domain) opts.domain = domain;
+
+  return opts;
+};
+
 /**
  * Create session and set refresh cookie. Rotating and hashed stored token.
  * @param {object} user The user object.
@@ -339,13 +394,7 @@ async function createSessionAndUserToken(user, User, req, res, options = { host:
   const jwtid = session._id.toString();
 
   // Secure cookie settings
-  res.cookie('refreshToken', refreshToken, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'Lax',
-    maxAge: parseInt(process.env.REFRESH_EXPIRE_MINUTES) * 60 * 1000,
-    path: '/',
-  });
+  res.cookie('refreshToken', refreshToken, cookieOptionsFactory(req));
 
   return { jwtid };
 }
@@ -439,13 +488,7 @@ async function refreshSessionAndToken(req, res, User, options = { host: '', path
 
   logger.warn('Refreshed session for user ' + user.email);
 
-  res.cookie('refreshToken', refreshToken, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'Lax',
-    maxAge: parseInt(process.env.REFRESH_EXPIRE_MINUTES) * 60 * 1000,
-    path: '/',
-  });
+  res.cookie('refreshToken', refreshToken, cookieOptionsFactory(req));
 
   return jwtSign(
     UserDto.auth.payload(user, session._id.toString(), req.ip, req.headers['user-agent'], options.host, options.path),
@@ -533,14 +576,22 @@ function applySecurity(app, opts = {}) {
         blockAllMixedContent: [],
         fontSrc: ["'self'", httpDirective, 'data:'],
         frameAncestors: frameAncestors,
-        imgSrc: ["'self'", 'data:', httpDirective],
+        imgSrc: ["'self'", 'data:', httpDirective, 'https:', 'blob:'],
         objectSrc: ["'none'"],
         // script-src and script-src-elem include dynamic nonce
-        scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
+        scriptSrc: [
+          "'self'",
+          (req, res) => `'nonce-${res.locals.nonce}'`,
+          (req, res) => (res.locals.isSwagger ? "'unsafe-inline'" : ''),
+        ],
         scriptSrcElem: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
         // style-src: avoid 'unsafe-inline' when possible; if you must inline styles,
         // use a nonce for them too (or hash).
-        styleSrc: ["'self'", httpDirective, (req, res) => `'nonce-${res.locals.nonce}'`],
+        styleSrc: [
+          "'self'",
+          httpDirective,
+          (req, res) => (res.locals.isSwagger ? "'unsafe-inline'" : `'nonce-${res.locals.nonce}'`),
+        ],
         // deny plugins
         objectSrc: ["'none'"],
       },

package/src/server/client-build.js

@@ -1,14 +1,12 @@
 'use strict';
 
 import fs from 'fs-extra';
-import { srcFormatted, componentFormatted, viewFormatted, ssrFactory, JSONweb } from './client-formatted.js';
+import { srcFormatted, componentFormatted, viewFormatted, JSONweb } from './client-formatted.js';
 import { loggerFactory } from './logger.js';
 import {
-  cap,
   getCapVariableName,
   newInstance,
   orderArrayFromAttrInt,
-  titleFormatted,
   uniqueArray,
 } from '../client/components/core/CommonJs.js';
 import UglifyJS from 'uglify-js';
@@ -22,6 +20,7 @@ import { Readable } from 'stream';
 import { buildIcons } from './client-icons.js';
 import Underpost from '../index.js';
 import { buildDocs } from './client-build-docs.js';
+import { ssrFactory } from './ssr.js';
 
 dotenv.config();
 

package/src/server/client-formatted.js

@@ -1,9 +1,17 @@
-'use strict';
+/**
+ * Module for formatting client-side code
+ * @module src/server/client-formatted.js
+ * @namespace clientFormatted
+ */
 
-import fs from 'fs-extra';
-import vm from 'node:vm';
-import Underpost from '../index.js';
+'use strict';
 
+/**
+ * Formats a source code string by removing 'html`' and 'css`' tags from template literals.
+ * @param {string} src - The source code string.
+ * @returns {string} The formatted source code.
+ * @memberof clientFormatted
+ */
 const srcFormatted = (src) =>
   src
     .replaceAll(' html`', '`')
@@ -15,8 +23,26 @@ const srcFormatted = (src) =>
     .replaceAll('[html`', '[`')
     .replaceAll('[css`', '[`');
 
+/**
+ * Converts a JavaScript object into a string that can be embedded in client-side code
+ * and parsed back into an object (e.g., 'JSON.parse(`{...}`)').
+ * @param {*} data - The data to be stringified.
+ * @returns {string} A string representing the code to parse the JSON data.
+ * @memberof clientFormatted
+ */
 const JSONweb = (data) => 'JSON.parse(`' + JSON.stringify(data) + '`)';
 
+/**
+ * Formats a component's source code by rewriting its import paths to be absolute for browser consumption.
+ * @param {string} src - The source code of the component.
+ * @param {string} module - The name of the module/component.
+ * @param {Array<object>} dists - An array of distribution objects with import names.
+ * @param {string} proxyPath - The proxy path for the application.
+ * @param {string} [componentBasePath=''] - The base path for components.
+ * @param {string} [baseHost=''] - The base host URL.
+ * @returns {string} The formatted source code with updated import paths.
+ * @memberof clientFormatted
+ */
 const componentFormatted = (src, module, dists, proxyPath, componentBasePath = '', baseHost = '') => {
   dists.map(
     (dist) =>
@@ -40,6 +66,15 @@ const componentFormatted = (src, module, dists, proxyPath, componentBasePath = '
     );
 };
 
+/**
+ * Formats a view's source code by rewriting its import paths.
+ * @param {string} src - The source code of the view.
+ * @param {Array<object>} dists - An array of distribution objects with import names.
+ * @param {string} proxyPath - The proxy path for the application.
+ * @param {string} [baseHost=''] - The base host URL.
+ * @returns {string} The formatted source code with updated import paths.
+ * @memberof clientFormatted
+ */
 const viewFormatted = (src, dists, proxyPath, baseHost = '') => {
   dists.map(
     (dist) =>
@@ -49,11 +84,4 @@ const viewFormatted = (src, dists, proxyPath, baseHost = '') => {
   return src.replaceAll(`from './`, componentFromFormatted).replaceAll(`from '../`, componentFromFormatted);
 };
 
-const ssrFactory = async (componentPath = `./src/client/ssr/Render.js`) => {
-  const context = { SrrComponent: () => {}, npm_package_version: Underpost.version };
-  vm.createContext(context);
-  vm.runInContext(await srcFormatted(fs.readFileSync(componentPath, 'utf8')), context);
-  return context.SrrComponent;
-};
-
-export { srcFormatted, JSONweb, componentFormatted, viewFormatted, ssrFactory };
+export { srcFormatted, JSONweb, componentFormatted, viewFormatted };

package/src/server/conf.js

@@ -77,6 +77,10 @@ const Config = {
         'utf8',
       );
       shellExec(`node bin/deploy update-default-conf ${deployId}`);
+
+      if (!fs.existsSync(`./engine-private/deploy/dd.router`))
+        fs.writeFileSync(`./engine-private/deploy/dd.router`, '', 'utf8');
+
       fs.writeFileSync(
         `./engine-private/deploy/dd.router`,
         fs.readFileSync(`./engine-private/deploy/dd.router`, 'utf8').trim() + `,${deployId}`,
@@ -692,7 +696,7 @@ const validateTemplatePath = (absolutePath = '') => {
   const confServer = DefaultConf.server[host][path];
   const confClient = DefaultConf.client[client];
   const confSsr = DefaultConf.ssr[ssr];
-  const clients = Object.keys(confClient).concat(['core', 'test', 'default', 'user']);
+  const clients = DefaultConf.client.default.services;
 
   if (absolutePath.match('src/api') && !confServer.apis.find((p) => absolutePath.match(`src/api/${p}/`))) {
     return false;

package/src/server/crypto.js

@@ -1,91 +1,210 @@
+/**
+ * Module for managing crypto operations
+ * @module src/server/crypto.js
+ * @namespace Crypto
+ */
+
 import crypto from 'crypto';
-import fs from 'fs-extra';
-
-const CryptoBuilder = {
-  symmetric: {
-    instance: function (options = { iv: '', encryptionKey: '' }) {
-      // Generate a random 32-byte encryption key
-      const encryptionKey = option?.encryptionKey ? options.encryptionKey : crypto.randomBytes(32);
-      const iv = option?.iv ? options.iv : crypto.randomBytes(16); // Generate a new Initialization Vector (IV) for each encryption
-
-      // Function to encrypt data
-      function encryptData(plaintext = '') {
-        const cipher = crypto.createCipheriv('aes-256-cbc', encryptionKey, iv);
-        let encrypted = cipher.update(plaintext, 'utf8', 'hex');
-        encrypted += cipher.final('hex');
-        return `${iv.toString('hex')}:${encrypted}`;
+
+/* ----------------------------- SymmetricCrypto ----------------------------- */
+
+class SymmetricCrypto {
+  #encryptionKey;
+
+  /**
+   * @param {object} [options]
+   * @param {Buffer | string} [options.encryptionKey] - 32-byte key as Buffer or hex string. If not provided, a new random key is generated.
+   */
+  /** @memberof Crypto */
+  constructor(options = {}) {
+    const { encryptionKey } = options;
+
+    if (encryptionKey) {
+      this.#encryptionKey = typeof encryptionKey === 'string' ? Buffer.from(encryptionKey, 'hex') : encryptionKey;
+    } else {
+      this.#encryptionKey = crypto.randomBytes(32);
+    }
+
+    if (!Buffer.isBuffer(this.#encryptionKey) || this.#encryptionKey.length !== 32) {
+      throw new Error('Encryption key must be a 32-byte Buffer or 64-length hex string.');
+    }
+
+    // Provide a compatibility IV property expected by some test suites / legacy code.
+    // This IV is not reused for each encryption operation (encryptData will generate its own IV).
+    // It exists so tests that expect an ivHex on the instance (16 bytes) continue to work.
+    this.ivHex = crypto.randomBytes(16).toString('hex'); // 16 bytes -> 32 hex chars
+  }
+
+  /** Returns encryption key as hex. */
+  /** @memberof Crypto */
+  get encryptionKeyHex() {
+    return this.#encryptionKey.toString('hex');
+  }
+
+  /**
+   * Encrypts plaintext using AES-256-GCM and returns `iv_hex:ciphertext_hex:authTag_hex`.
+   *
+   * @param {string} [plaintext='']
+   * @returns {string}
+   * @memberof Crypto
+   */
+  encryptData(plaintext = '') {
+    // GCM recommended IV size is 12 bytes
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', this.#encryptionKey, iv);
+
+    const encryptedPart = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+
+    return `${iv.toString('hex')}:${encryptedPart.toString('hex')}:${authTag.toString('hex')}`;
+  }
+
+  /**
+   * Decrypts data. Supports two formats:
+   *  - AES-256-GCM: `iv_hex:ciphertext_hex:authTag_hex` (preferred)
+   *  - Legacy AES-256-CBC: `iv_hex:ciphertext_hex` (fallback for backward compatibility)
+   *
+   * @param {string} [ciphertext='']
+   * @returns {string} plaintext
+   * @throws {Error} Generic error on failure (to avoid leaking details).
+   * @memberof Crypto
+   */
+  decryptData(ciphertext = '') {
+    try {
+      const parts = ciphertext.split(':');
+
+      if (parts.length === 3) {
+        // AES-256-GCM
+        const [ivHex, encryptedHex, tagHex] = parts;
+        const iv = Buffer.from(ivHex, 'hex');
+        const encrypted = Buffer.from(encryptedHex, 'hex');
+        const authTag = Buffer.from(tagHex, 'hex');
+
+        const decipher = crypto.createDecipheriv('aes-256-gcm', this.#encryptionKey, iv);
+        decipher.setAuthTag(authTag);
+
+        const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+        return decrypted.toString('utf8');
       }
 
-      // Function to decrypt data
-      function decryptData(ciphertext = '') {
-        const [ivHex, encrypted] = ciphertext.split(':');
-        const _iv = Buffer.from(ivHex, 'hex');
-        const decipher = crypto.createDecipheriv('aes-256-cbc', encryptionKey, _iv);
+      if (parts.length === 2) {
+        // Legacy: AES-256-CBC (no authentication). Provided for compatibility only.
+        const [ivHex, encryptedHex] = parts;
+        const iv = Buffer.from(ivHex, 'hex');
+        const encrypted = encryptedHex;
+
+        const decipher = crypto.createDecipheriv('aes-256-cbc', this.#encryptionKey, iv);
         let decrypted = decipher.update(encrypted, 'hex', 'utf8');
         decrypted += decipher.final('utf8');
         return decrypted;
       }
 
-      return {
-        encryptionKey,
-        iv,
-        encryptData,
-        decryptData,
-      };
-    },
-  },
-  asymmetric: {
-    instance: function (
-      options = {
-        publicKey: '', // fs.readFileSync('./key.pem', 'utf8')
-        privateKey: '', // fs.readFileSync('./key.pem', 'utf8')
-      },
-    ) {
-      // Generate a new key pair
-      const { privateKey, publicKey } = options
-        ? options
-        : crypto.generateKeyPairSync('rsa', {
-            modulusLength: 2048, // Key size in bits
-            publicKeyEncoding: {
-              type: 'spki',
-              format: 'pem',
-            },
-            privateKeyEncoding: {
-              type: 'pkcs8',
-              format: 'pem',
-            },
-          });
-
-      // Function to encrypt data
-      function encryptData(plaintext) {
-        const buffer = Buffer.from(plaintext, 'utf8');
-        const encrypted = crypto.publicEncrypt(publicKey, buffer);
-        return encrypted.toString('hex');
-      }
+      throw new Error('Invalid ciphertext format.');
+    } catch (err) {
+      // Do not leak internal error details (stack, key material, etc.).
+      // Optional: instrument monitoring/logging but avoid logging sensitive inputs.
+      throw new Error('Decryption failed. Check key, IV, or ciphertext integrity.');
+    }
+  }
+}
 
-      // Function to decrypt data
-      function decryptData(ciphertext) {
-        const buffer = Buffer.from(ciphertext, 'hex');
-        const decrypted = crypto.privateDecrypt(privateKey, buffer);
-        return decrypted.toString('utf8');
+/* ---------------------------- AsymmetricCrypto ---------------------------- */
+
+class AsymmetricCrypto {
+  #publicKey;
+  #privateKey;
+  #modulusLength;
+
+  /**
+   * @param {object} [options]
+   * @param {string|Buffer} [options.publicKey] - PEM-formatted public key
+   * @param {string|Buffer} [options.privateKey] - PEM-formatted private key
+   * @param {number} [options.modulusLength=2048] - If keys are not provided, generates a new key pair of this size (bits). Consider 3072 for long-lived keys.
+   */
+  /** @memberof Crypto */
+  constructor(options = {}) {
+    const { publicKey, privateKey } = options;
+    this.#modulusLength = options.modulusLength || 2048;
+
+    if (!publicKey || !privateKey) {
+      // Generate an in-memory key pair. No file I/O; keys remain in process memory only.
+      const { publicKey: pub, privateKey: priv } = crypto.generateKeyPairSync('rsa', {
+        modulusLength: this.#modulusLength,
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+      });
+      this.#publicKey = pub;
+      this.#privateKey = priv;
+    } else {
+      // Accept provided keys (string or Buffer)
+      this.#publicKey = typeof publicKey === 'string' || Buffer.isBuffer(publicKey) ? publicKey : String(publicKey);
+      this.#privateKey =
+        typeof privateKey === 'string' || Buffer.isBuffer(privateKey) ? privateKey : String(privateKey);
+
+      // Basic validation: ensure PEM headers exist. This is intentionally lightweight.
+      const pubStr = String(this.#publicKey);
+      const privStr = String(this.#privateKey);
+      if (!pubStr.includes('BEGIN PUBLIC KEY') || !privStr.includes('BEGIN')) {
+        throw new Error('Provided keys do not appear to be valid PEM-formatted keys.');
       }
+    }
+  }
 
-      fs.writeFileSync('./public.pem', publicKey);
-      fs.writeFileSync('./private.pem', privateKey);
+  /** @memberof Crypto */
+  get publicKey() {
+    return this.#publicKey;
+  }
+
+  /** @memberof Crypto */
+  get privateKey() {
+    return this.#privateKey;
+  }
+
+  /**
+   * Encrypts plaintext using RSA-OAEP with SHA-256. Returns hex-encoded ciphertext.
+   * Note: RSA encryption is intended for small payloads. For larger data use hybrid encryption (encrypt a symmetric key and then use AES-GCM).
+   * @param {string} plaintext
+   * @returns {string} hex ciphertext
+   * @memberof Crypto
+   */
+  encryptData(plaintext) {
+    const buffer = Buffer.from(plaintext, 'utf8');
+    const encrypted = crypto.publicEncrypt(
+      {
+        key: this.#publicKey,
+        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+        oaepHash: 'sha256',
+      },
+      buffer,
+    );
 
-      const result = {
-        privateKey: fs.readFileSync('./public.pem', 'utf8'),
-        publicKey: fs.readFileSync('./private.pem', 'utf8'),
-        encryptData,
-        decryptData,
-      };
+    return encrypted.toString('hex');
+  }
 
-      fs.removeSync('./public.pem');
-      fs.removeSync('./private.pem');
+  /**
+   * Decrypts RSA-OAEP hex ciphertext and returns utf8 plaintext.
+   * @param {string} ciphertextHex
+   * @returns {string}
+   * @memberof Crypto
+   */
+  decryptData(ciphertextHex) {
+    try {
+      const buffer = Buffer.from(ciphertextHex, 'hex');
+      const decrypted = crypto.privateDecrypt(
+        {
+          key: this.#privateKey,
+          padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+          oaepHash: 'sha256',
+        },
+        buffer,
+      );
 
-      return result;
-    },
-  },
-};
+      return decrypted.toString('utf8');
+    } catch (err) {
+      // Avoid leaking details about keys or ciphertext
+      throw new Error('Decryption failed. Check private key or ciphertext integrity.');
+    }
+  }
+}
 
-export { CryptoBuilder };
+export { SymmetricCrypto, AsymmetricCrypto };