underpost 2.8.883 → 2.8.884

package/README.md

@@ -68,13 +68,15 @@
 
 
 
+
+
 
 
 
 <!-- badges -->
 
 
-[![Node.js CI](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/docker-image.yml) [![Test](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/coverall.yml) [![Downloads](https://img.shields.io/npm/dm/underpost.svg)](https://www.npmjs.com/package/underpost) [![Socket Badge](https://socket.dev/api/badge/npm/package/underpost/2.8.883)](https://socket.dev/npm/package/underpost/overview/2.8.883) [![Coverage Status](https://coveralls.io/repos/github/underpostnet/engine/badge.svg?branch=master)](https://coveralls.io/github/underpostnet/engine?branch=master) [![Version](https://img.shields.io/npm/v/underpost.svg)](https://www.npmjs.org/package/underpost) [![License](https://img.shields.io/npm/l/underpost.svg)](https://www.npmjs.com/package/underpost)
+[![Node.js CI](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/docker-image.yml) [![Test](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/coverall.yml) [![Downloads](https://img.shields.io/npm/dm/underpost.svg)](https://www.npmjs.com/package/underpost) [![Socket Badge](https://socket.dev/api/badge/npm/package/underpost/2.8.884)](https://socket.dev/npm/package/underpost/overview/2.8.884) [![Coverage Status](https://coveralls.io/repos/github/underpostnet/engine/badge.svg?branch=master)](https://coveralls.io/github/underpostnet/engine?branch=master) [![Version](https://img.shields.io/npm/v/underpost.svg)](https://www.npmjs.org/package/underpost) [![License](https://img.shields.io/npm/l/underpost.svg)](https://www.npmjs.com/package/underpost)
 
 
 <!-- end-badges -->
@@ -131,6 +133,8 @@
 
 
 
+
+
 
 
 
@@ -178,7 +182,7 @@ Run dev client server
 npm run dev
 ```
 <!-- -->
-## underpost ci/cd cli v2.8.883
+## underpost ci/cd cli v2.8.884
 
 ### Usage: `underpost [options] [command]`
   ```

package/cli.md

@@ -1,4 +1,4 @@
-## underpost ci/cd cli v2.8.883
+## underpost ci/cd cli v2.8.884
 
 ### Usage: `underpost [options] [command]`
   ```

package/manifests/deployment/dd-default-development/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-blue
-          image: localhost/rockylinux9-underpost:v2.8.883
+          image: localhost/rockylinux9-underpost:v2.8.884
           #          resources:
           #            requests:
           #              memory: "124Ki"
@@ -100,7 +100,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-green
-          image: localhost/rockylinux9-underpost:v2.8.883
+          image: localhost/rockylinux9-underpost:v2.8.884
           #          resources:
           #            requests:
           #              memory: "124Ki"

package/manifests/deployment/dd-test-development/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-blue
-          image: localhost/rockylinux9-underpost:v2.8.883
+          image: localhost/rockylinux9-underpost:v2.8.884
 #          resources:
 #            requests:
 #              memory: "96294Ki"
@@ -104,7 +104,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-green
-          image: localhost/rockylinux9-underpost:v2.8.883
+          image: localhost/rockylinux9-underpost:v2.8.884
 #          resources:
 #            requests:
 #              memory: "96294Ki"

package/package.json

@@ -2,7 +2,7 @@
     "type": "module",
     "main": "src/index.js",
     "name": "underpost",
-    "version": "2.8.883",
+    "version": "2.8.884",
     "description": "pwa api rest template",
     "scripts": {
         "start": "env-cmd -f .env.production node --max-old-space-size=8192 src/server",

package/src/api/user/user.service.js

@@ -6,7 +6,7 @@ import {
   createSessionAndUserToken,
   createUserAndSession,
   refreshSessionAndToken,
-  hashToken,
+  logoutSession,
   jwtSign,
   getBearerToken,
   validatePasswordMiddleware,
@@ -382,15 +382,8 @@ const UserService = {
     const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
 
     if (req.params.id === 'logout') {
-      const refreshToken = req.cookies?.refreshToken;
-      if (refreshToken) {
-        const hashedToken = hashToken(refreshToken);
-        await User.updateOne(
-          { 'activeSessions.tokenHash': hashedToken },
-          { $pull: { activeSessions: { tokenHash: hashedToken } } },
-        );
-      }
-      res.clearCookie('refreshToken');
+      const result = await logoutSession(User, req, res);
+      if (!result) throw new Error('Logout failed');
       return { message: 'Logged out successfully' };
     }
 

package/src/client/components/core/Modal.js

@@ -2191,14 +2191,13 @@ const Modal = {
       : { ...Modal.subMenuBtnClass, _: { btnSelector, labelSelector } };
 
     for (const keyDataBtn of Object.keys(_data)) {
-      const { btnSelector, labelSelector, open, top } = _data[keyDataBtn];
+      const { labelSelector, top } = _data[keyDataBtn];
       if (top)
         setTimeout(() => {
           top();
         });
-      if (open) continue;
       sa(labelSelector).forEach((el) => {
-        el.classList.add('hide');
+        if (!el.classList.contains('hide')) el.classList.add('hide');
         el.style.transition = null;
       });
 
@@ -2425,9 +2424,6 @@ const subMenuRender = async (subMenuId) => {
 
   if (!menuBtn || !menuContainer || !arrow) return;
 
-  // if (Modal.subMenuBtnClass[subMenuId] && !(isSubMenuOpen(subMenuId) && Modal.subMenuBtnClass[subMenuId].open === true))
-  //   Modal.subMenuBtnClass[subMenuId].open = false;
-
   const top = () => {
     menuContainer.style.top = menuBtn.offsetTop + Modal.Data['modal-menu'].options.heightTopBar + 'px';
   };
@@ -2442,8 +2438,7 @@ const subMenuRender = async (subMenuId) => {
   menuBtn.style.transition = '.3s';
   arrow.style.transition = '.3s';
 
-  if (Modal.subMenuBtnClass[subMenuId].open) {
-    Modal.subMenuBtnClass[subMenuId].open = false;
+  if (isSubMenuOpen(subMenuId)) {
     // Close animation
     menuContainer.style.overflow = 'hidden';
     menuContainer.style.height = '0px';
@@ -2453,8 +2448,12 @@ const subMenuRender = async (subMenuId) => {
       arrow.style.rotate = '0deg';
     });
   } else {
-    Modal.menuTextLabelAnimation('modal-menu', subMenuId);
-    Modal.subMenuBtnClass[subMenuId].open = true;
+    sa(`.menu-label-text-${subMenuId}`).forEach((el) => {
+      if (!el.classList.contains('hide')) el.classList.add('hide');
+    });
+    setTimeout(() => {
+      Modal.menuTextLabelAnimation('modal-menu', subMenuId);
+    });
     // Open animation
     setTimeout(top, 360);
     menuContainer.style.width = '320px';

package/src/index.js

@@ -35,7 +35,7 @@ class Underpost {
    * @type {String}
    * @memberof Underpost
    */
-  static version = 'v2.8.883';
+  static version = 'v2.8.884';
   /**
    * Repository cli API
    * @static

package/src/runtime/express/Express.js

@@ -0,0 +1,262 @@
+/**
+ * A service dedicated to creating and configuring an Express.js application
+ * instance based on server configuration data.
+ * @module src/runtime/express/Express.js
+ * @namespace ExpressService
+ */
+
+import fs from 'fs-extra';
+import express from 'express';
+import fileUpload from 'express-fileupload';
+import swaggerUi from 'swagger-ui-express';
+import compression from 'compression';
+import { createServer } from 'http';
+
+import UnderpostStartUp from '../../server/start.js';
+import { loggerFactory, loggerMiddleware } from '../../server/logger.js';
+import { getCapVariableName, newInstance } from '../../client/components/core/CommonJs.js';
+import { MailerProvider } from '../../mailer/MailerProvider.js';
+import { DataBaseProvider } from '../../db/DataBaseProvider.js';
+import { createPeerServer } from '../../server/peer.js';
+import { createValkeyConnection } from '../../server/valkey.js';
+import { applySecurity, authMiddlewareFactory } from '../../server/auth.js';
+import { ssrMiddlewareFactory } from '../../server/ssr.js';
+
+const logger = loggerFactory(import.meta);
+
+/**
+ * @class ExpressService
+ * @description A service dedicated to creating and configuring an Express.js application
+ * instance based on server configuration data.
+ * @memberof ExpressService
+ */
+class ExpressService {
+  /**
+   * Creates and configures a complete Express application instance for a specific host/path configuration.
+   *
+   * @method createApp
+   * @memberof ExpressService
+   * @param {string} config.host - The host name for the instance (e.g., 'www.example.com').
+   * @param {string} config.path - The URL path for the instance (e.g., '/', '/api/v1').
+   * @param {number} config.port - The primary listening port for the instance.
+   * @param {string} config.client - The client associated with the instance (used for SSR/Mailer configuration lookup).
+   * @param {string[]} [config.apis] - A list of API names to load and attach routers for.
+   * @param {string[]} config.origins - Allowed origins for CORS.
+   * @param {string} [config.directory] - The directory for static files (if overriding default).
+   * @param {string} [config.ws] - The WebSocket server name to use.
+   * @param {object} [config.mailer] - Mailer configuration.
+   * @param {object} [config.db] - Database configuration.
+   * @param {string} [config.redirect] - URL or flag to indicate an HTTP redirect should be configured.
+   * @param {boolean} [config.peer] - Whether to enable the peer server.
+   * @param {object} [config.valkey] - Valkey connection configuration.
+   * @param {string} [config.apiBaseHost] - Base host for the API (if running separate API).
+   * @param {number} [config.devApiPort] - The dynamically calculated development API port used for CORS in dev mode.
+   * @param {string} config.redirectTarget - The full target URL for redirection (used if `redirect` is true).
+   * @param {string} config.rootHostPath - The root path for public host assets (e.g., `/public/hostname`).
+   * @param {object} config.confSSR - The SSR configuration object, used to look up Mailer templates.
+   * @param {import('prom-client').Counter<string>} config.promRequestCounter - Prometheus request counter instance.
+   * @param {import('prom-client').Registry} config.promRegister - Prometheus register instance for metrics.
+   * @returns {Promise<{portsUsed: number}>} An object indicating how many additional ports were used (e.g., for PeerServer).
+   */
+  async createApp({
+    host,
+    path,
+    port,
+    client,
+    apis,
+    origins,
+    directory,
+    ws,
+    mailer,
+    db,
+    redirect,
+    peer,
+    valkey,
+    apiBaseHost,
+    devApiPort, // New parameter for dev environment CORS
+    redirectTarget,
+    rootHostPath,
+    confSSR,
+    promRequestCounter,
+    promRegister,
+  }) {
+    let portsUsed = 0;
+    const runningData = {
+      host,
+      path,
+      runtime: 'nodejs',
+      client,
+      meta: import.meta,
+      apis,
+    };
+
+    const app = express();
+
+    if (process.env.NODE_ENV === 'production') app.set('trust proxy', true);
+
+    app.use((req, res, next) => {
+      res.on('finish', () => {
+        promRequestCounter.inc({
+          instance: `${host}:${port}${path}`,
+          method: req.method,
+          status_code: res.statusCode,
+        });
+      });
+      return next();
+    });
+
+    // Metrics endpoint
+    app.get(`${path === '/' ? '' : path}/metrics`, async (req, res) => {
+      res.set('Content-Type', promRegister.contentType);
+      return res.end(await promRegister.metrics());
+    });
+
+    // Logging, Compression, and Body Parsers
+    app.use(loggerMiddleware(import.meta));
+    // Compression filter logic is correctly inlined here
+    app.use(compression({ filter: (req, res) => !req.headers['x-no-compression'] && compression.filter(req, res) }));
+    app.use(express.json({ limit: '100MB' }));
+    app.use(express.urlencoded({ extended: true, limit: '20MB' }));
+    app.use(fileUpload());
+
+    if (process.env.NODE_ENV === 'development') app.set('json spaces', 2);
+
+    // Language handling middleware
+    app.use((req, res, next) => {
+      const lang = req.headers['accept-language'] || 'en';
+      req.lang = typeof lang === 'string' && lang.toLowerCase().match('es') ? 'es' : 'en';
+      return next();
+    });
+
+    // Static file serving
+    app.use('/', express.static(directory ? directory : `.${rootHostPath}`));
+
+    // Swagger path definition
+    const swaggerJsonPath = `./public/${host}${path === '/' ? path : `${path}/`}swagger-output.json`;
+    const swaggerPath = `${path === '/' ? `/api-docs` : `${path}/api-docs`}`;
+
+    // Flag swagger requests before security middleware
+    if (fs.existsSync(swaggerJsonPath)) {
+      app.use(swaggerPath, (req, res, next) => {
+        res.locals.isSwagger = true;
+        next();
+      });
+    }
+
+    // Security and CORS
+    applySecurity(app, {
+      origin: (origin, callback) => {
+        // Use devApiPort if provided to calculate the allowed development CORS origin
+        const devOrigin =
+          apis && process.env.NODE_ENV === 'development' && devApiPort ? [`http://localhost:${devApiPort}`] : [];
+
+        const allowedOrigins = origins.concat(devOrigin);
+
+        if (!origin || allowedOrigins.includes(origin)) {
+          callback(null, true);
+        } else {
+          callback(new Error('Not allowed by CORS'));
+        }
+      },
+    });
+
+    // Handle redirection-only instances
+    if (redirect) {
+      app.use((req, res, next) => {
+        if (process.env.NODE_ENV === 'production' && !req.url.startsWith(`/.well-known/acme-challenge`)) {
+          return res.status(302).redirect(redirectTarget + req.url);
+        }
+        return next();
+      });
+      await UnderpostStartUp.API.listenPortController(app, port, runningData);
+      return { portsUsed };
+    }
+
+    // Create HTTP server for regular instances (required for WebSockets)
+    const server = createServer({}, app);
+    if (peer) portsUsed++; // Peer server uses one additional port
+
+    if (!apiBaseHost) {
+      // Swagger UI setup
+      if (fs.existsSync(swaggerJsonPath)) {
+        const swaggerDoc = JSON.parse(fs.readFileSync(swaggerJsonPath, 'utf8'));
+        // Reusing swaggerPath defined outside, removing unnecessary redeclaration
+        app.use(swaggerPath, swaggerUi.serve, swaggerUi.setup(swaggerDoc));
+      }
+
+      // Database and Valkey connections
+      if (db && apis) await DataBaseProvider.load({ apis, host, path, db });
+      if (valkey) await createValkeyConnection({ host, path }, valkey);
+
+      // Mailer setup
+      if (mailer) {
+        const mailerSsrConf = confSSR[getCapVariableName(client)];
+        await MailerProvider.load({
+          id: `${host}${path}`,
+          meta: `mailer-${host}${path}`,
+          host,
+          path,
+          ...mailer,
+          templates: mailerSsrConf ? mailerSsrConf.mailer : {},
+        });
+      }
+
+      // API router loading
+      if (apis && apis.length > 0) {
+        const authMiddleware = authMiddlewareFactory({ host, path });
+        const apiPath = `${path === '/' ? '' : path}/${process.env.BASE_API}`;
+        for (const api of apis) {
+          logger.info(`Build api server`, `${host}${apiPath}/${api}`);
+          const { ApiRouter } = await import(`../../api/${api}/${api}.router.js`);
+          const router = ApiRouter({ host, path, apiPath, mailer, db, authMiddleware, origins });
+          app.use(`${apiPath}/${api}`, router);
+        }
+      }
+
+      // WebSocket server setup
+      if (ws) {
+        const { createIoServer } = await import(`../../ws/${ws}/${ws}.ws.server.js`);
+        const { options, meta } = await createIoServer(server, { host, path, db, port, origins });
+
+        // Listen on the main port for the WS server
+        await UnderpostStartUp.API.listenPortController(UnderpostStartUp.API.listenServerFactory(), port, {
+          runtime: 'nodejs',
+          client: null,
+          host,
+          path: options.path,
+          meta,
+        });
+      }
+
+      // Peer server setup
+      if (peer) {
+        const peerPort = newInstance(port + portsUsed); // portsUsed is 1 here
+        const { options, meta, peerServer } = await createPeerServer({
+          port: peerPort,
+          devPort: port,
+          origins,
+          host,
+          path,
+        });
+        await UnderpostStartUp.API.listenPortController(peerServer, peerPort, {
+          runtime: 'nodejs',
+          client: null,
+          host,
+          path: options.path,
+          meta,
+        });
+      }
+    }
+
+    // SSR middleware loading
+    const ssr = await ssrMiddlewareFactory({ app, directory, rootHostPath, path });
+    for (const [_, ssrMiddleware] of Object.entries(ssr)) app.use(ssrMiddleware);
+
+    // Start listening on the main port
+    await UnderpostStartUp.API.listenPortController(server, port, runningData);
+
+    return { portsUsed };
+  }
+}
+
+export default new ExpressService();

package/src/runtime/lampp/Lampp.js

@@ -1,3 +1,10 @@
+/**
+ * Exported singleton instance of the LamppService class.
+ * This object is used to interact with the Lampp configuration and service.
+ * @module src/runtime/lampp/Lampp.js
+ * @namespace LamppService
+ */
+
 import fs from 'fs-extra';
 import { getRootDirectory, shellCd, shellExec } from '../../server/process.js';
 import { loggerFactory } from '../../server/logger.js';
@@ -9,12 +16,14 @@ const logger = loggerFactory(import.meta);
  * @description Provides utilities for managing the XAMPP (Lampp) service on Linux,
  * including initialization, router configuration, and virtual host creation.
  * It manages the server's configuration files and controls the service process.
+ * @memberof LamppService
  */
 class LamppService {
   /**
    * @private
    * @type {string | undefined}
    * @description Stores the accumulated Apache virtual host configuration (router definition).
+   * @memberof LamppService
    */
   router;
 
@@ -22,12 +31,15 @@ class LamppService {
    * @public
    * @type {number[]}
    * @description A list of ports currently configured and listened to by the Lampp service.
+   * @memberof LamppService
    */
   ports;
 
   /**
    * Creates an instance of LamppService.
    * Initializes the router configuration and ports list.
+   * @method constructor
+   * @memberof LamppService
    */
   constructor() {
     this.router = undefined;
@@ -37,8 +49,11 @@ class LamppService {
   /**
    * Checks if the XAMPP (Lampp) service appears to be installed based on the presence of its main configuration file.
    *
+   * @method enabled
    * @memberof LamppService
    * @returns {boolean} True if the configuration file exists, indicating Lampp is likely installed.
+   * @throws {Error} If the configuration file does not exist.
+   * @memberof LamppService
    */
   enabled() {
     return fs.existsSync('/opt/lampp/etc/httpd.conf');
@@ -49,10 +64,11 @@ class LamppService {
    * This method configures virtual hosts, disables default ports (80/443) in the main config
    * to avoid conflicts, and starts or stops the service using shell commands.
    *
-   * @memberof LamppService.prototype
+   * @method initService
    * @param {object} [options={daemon: false}] - Options for service initialization.
    * @param {boolean} [options.daemon=false] - Flag to indicate if the service should be run as a daemon (currently unused in logic).
    * @returns {Promise<void>}
+   * @memberof LamppService
    */
   async initService(options = { daemon: false }) {
     let cmd;
@@ -117,9 +133,10 @@ class LamppService {
    * Appends new Apache VirtualHost configuration content to the internal router string.
    * If a router config file exists from a previous run, it loads it first.
    *
-   * @memberof LamppService.prototype
+   * @method appendRouter
    * @param {string} render - The new VirtualHost configuration string to append.
    * @returns {string} The complete, updated router configuration string.
+   * @memberof LamppService
    */
   appendRouter(render) {
     if (!this.router) {
@@ -135,7 +152,7 @@ class LamppService {
   /**
    * Resets the internal router configuration and removes the temporary configuration file.
    *
-   * @memberof LamppService.prototype
+   * @memberof LamppService
    * @returns {void}
    */
   removeRouter() {
@@ -148,8 +165,9 @@ class LamppService {
    * This includes downloading the installer, running it, and setting up initial configurations.
    * Only runs on the 'linux' platform.
    *
-   * @memberof LamppService.prototype
+   * @method install
    * @returns {Promise<void>}
+   * @memberof LamppService
    */
   async install() {
     if (process.platform === 'linux') {
@@ -199,7 +217,7 @@ class LamppService {
    * Creates and appends a new Apache VirtualHost entry to the router configuration for a web application.
    * The router is then applied by calling {@link LamppService#initService}.
    *
-   * @memberof LamppService.prototype
+   * @method createApp
    * @param {object} options - Configuration options for the new web application.
    * @param {number} options.port - The port the VirtualHost should listen on.
    * @param {string} options.host - The ServerName/host for the VirtualHost.
@@ -210,6 +228,7 @@ class LamppService {
    * @param {string} [options.redirectTarget] - The target URL for redirection.
    * @param {boolean} [options.resetRouter] - If true, clears the existing router configuration before appending the new one.
    * @returns {{disabled: boolean}} An object indicating if the service is disabled.
+   * @memberof LamppService
    */
   createApp({ port, host, path, directory, rootHostPath, redirect, redirectTarget, resetRouter }) {
     if (!this.enabled()) return { disabled: true };
@@ -262,13 +281,15 @@ Listen ${port}
 }
 
 /**
- * @namespace LamppService
  * @description Exported singleton instance of the LamppService class.
  * This object is used to interact with the Lampp configuration and service.
+ * @memberof LamppService
  * @type {LamppService}
  */
 const Lampp = new LamppService();
 
+export { Lampp };
+
 // -- helper info --
 
 // ERR too many redirects:
@@ -320,5 +341,3 @@ const Lampp = new LamppService();
 // RewriteCond %{HTTP_HOST} ^www\. [NC]
 // RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
 // RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
-
-export { Lampp };

package/src/server/auth.js

@@ -110,16 +110,22 @@ function jwtIssuerAudienceFactory(options = { host: '', path: '' }) {
  * @param {object} [options={}] Additional JWT sign options.
  * @param {string} options.host The host name.
  * @param {string} options.path The path name.
- * @param {number} expireMinutes The token expiration in minutes.
+ * @param {number} accessExpireMinutes The access token expiration in minutes.
+ * @param {number} refreshExpireMinutes The refresh token expiration in minutes.
  * @returns {string} The signed JWT.
  * @throws {Error} If JWT key is not configured.
  * @memberof Auth
  */
-function jwtSign(payload, options = { host: '', path: '' }, expireMinutes = process.env.ACCESS_EXPIRE_MINUTES) {
+function jwtSign(
+  payload,
+  options = { host: '', path: '' },
+  accessExpireMinutes = process.env.ACCESS_EXPIRE_MINUTES,
+  refreshExpireMinutes = process.env.REFRESH_EXPIRE_MINUTES,
+) {
   const { issuer, audience } = jwtIssuerAudienceFactory(options);
   const signOptions = {
     algorithm: config.jwtAlgorithm,
-    expiresIn: `${expireMinutes}m`,
+    expiresIn: `${accessExpireMinutes}m`,
     issuer,
     audience,
   };
@@ -128,7 +134,11 @@ function jwtSign(payload, options = { host: '', path: '' }, expireMinutes = proc
 
   if (!process.env.JWT_SECRET) throw new Error('JWT key not configured');
 
-  logger.info('JWT signed', { payload, signOptions, expireMinutes });
+  // Add refreshExpiresAt to the payload, which is the same as the token's own expiry.
+  const now = Date.now();
+  payload.refreshExpiresAt = now + refreshExpireMinutes * 60 * 1000;
+
+  logger.info('JWT signed', { payload, signOptions, accessExpireMinutes, refreshExpireMinutes });
 
   return jwt.sign(payload, process.env.JWT_SECRET, signOptions);
 }
@@ -170,6 +180,14 @@ const getBearerToken = (req) => {
   return '';
 };
 
+/**
+ * Checks if the request is a refresh token request.
+ * @param {import('express').Request} req The Express request object.
+ * @returns {boolean} True if the request is a refresh token request, false otherwise.
+ * @memberof Auth
+ */
+const isRefreshTokenReq = (req) => req.method === 'GET' && req.params.id === 'auth';
+
 // ---------- Middleware ----------
 /**
  * Creates a middleware to authenticate requests using a JWT Bearer token.
@@ -237,10 +255,7 @@ const authMiddlewareFactory = (options = { host: '', path: '' }) => {
           return res.status(401).json({ status: 'error', message: 'unauthorized: host or path mismatch' });
         }
 
-        // check session expiresAt
-        const isRefreshTokenReq = req.method === 'GET' && req.params.id === 'auth';
-
-        if (!isRefreshTokenReq && session.expiresAt < new Date()) {
+        if (!isRefreshTokenReq(req) && session.expiresAt < new Date()) {
           return res.status(401).json({ status: 'error', message: 'unauthorized: session expired' });
         }
       }
@@ -342,11 +357,11 @@ const cookieOptionsFactory = (req) => {
   const reqIsSecure = Boolean(req.secure || forwardedProto.split(',')[0] === 'https');
 
   // secure must be true for SameSite=None to work across sites
-  const secure = isProduction ? reqIsSecure : false;
+  const secure = isProduction ? reqIsSecure : req.protocol === 'https';
   const sameSite = secure ? 'None' : 'Lax';
 
   // Safe parse of maxAge minutes
-  const minutes = Number.parseInt(process.env.REFRESH_EXPIRE_MINUTES, 10);
+  const minutes = Number.parseInt(process.env.ACCESS_EXPIRE_MINUTES, 10);
   const maxAge = Number.isFinite(minutes) && minutes > 0 ? minutes * 60 * 1000 : undefined;
 
   const opts = {
@@ -399,6 +414,48 @@ async function createSessionAndUserToken(user, User, req, res, options = { host:
   return { jwtid };
 }
 
+/**
+ * Removes a session by its ID for a given user.
+ * @param {import('mongoose').Model} User The Mongoose User model.
+ * @param {string} userId The ID of the user.
+ * @param {string} sessionId The ID of the session to remove.
+ * @returns {Promise<void>}
+ * @memberof Auth
+ */
+async function removeSession(User, userId, sessionId) {
+  return await User.updateOne({ _id: userId }, { $pull: { activeSessions: { _id: sessionId } } });
+}
+
+/**
+ * Logs out a user session by removing it from the database and clearing the refresh token cookie.
+ * @param {import('mongoose').Model} User The Mongoose User model.
+ * @param {import('express').Request} req The Express request object.
+ * @param {import('express').Response} res The Express response object.
+ * @returns {Promise<boolean>} True if a session was found and removed, false otherwise.
+ * @memberof Auth
+ */
+async function logoutSession(User, req, res) {
+  const refreshToken = req.cookies?.refreshToken;
+
+  if (!refreshToken) {
+    return false;
+  }
+
+  const user = await User.findOne({ 'activeSessions.tokenHash': refreshToken });
+
+  if (!user) {
+    return false;
+  }
+
+  const session = user.activeSessions.find((s) => s.tokenHash === refreshToken);
+
+  const result = await removeSession(User, user._id, session._id);
+
+  res.clearCookie('refreshToken', { path: '/' });
+
+  return result.modifiedCount > 0;
+}
+
 /**
  * Create user and immediate session + access token
  * @param {import('express').Request} req The Express request object.
@@ -470,12 +527,10 @@ async function refreshSessionAndToken(req, res, User, options = { host: '', path
   }
 
   // Check expiry
-  if (session.expiresAt && session.expiresAt < new Date()) {
-    // remove expired session
-    user.activeSessions.id(session._id).remove();
-    await user.save({ validateBeforeSave: false });
-    res.clearCookie('refreshToken', { path: '/' });
-    throw new Error('Refresh token expired');
+  if (!isRefreshTokenReq(req) && session.expiresAt && session.expiresAt < new Date()) {
+    const result = await removeSession(User, user._id, session._id);
+    if (result) throw new Error('Refresh token expired');
+    else throw new Error('Session not found');
   }
 
   // Rotate: generate new token, update stored hash and metadata
@@ -646,5 +701,8 @@ export {
   createSessionAndUserToken,
   createUserAndSession,
   refreshSessionAndToken,
+  logoutSession,
+  removeSession,
   applySecurity,
+  isRefreshTokenReq,
 };

package/src/server/runtime.js

@@ -1,31 +1,37 @@
+/**
+ * @namespace Runtime
+ * @description The main runtime orchestrator responsible for reading configuration,
+ * initializing services (Prometheus, Ports, DB, Mailer), and building the
+ * specific server runtime for each host/path (e.g., nodejs, lampp).
+ */
+
 import fs from 'fs-extra';
-import express from 'express';
 import dotenv from 'dotenv';
-import fileUpload from 'express-fileupload';
-import swaggerUi from 'swagger-ui-express';
 import * as promClient from 'prom-client';
-import compression from 'compression';
 
 import UnderpostStartUp from './start.js';
-import { createServer } from 'http';
-import { loggerFactory, loggerMiddleware } from './logger.js';
-import { getCapVariableName, newInstance } from '../client/components/core/CommonJs.js';
-import { MailerProvider } from '../mailer/MailerProvider.js';
-import { DataBaseProvider } from '../db/DataBaseProvider.js';
-import { createPeerServer } from './peer.js';
+import { loggerFactory } from './logger.js';
+import { newInstance } from '../client/components/core/CommonJs.js';
 import { Lampp } from '../runtime/lampp/Lampp.js';
-import { createValkeyConnection } from './valkey.js';
-import { applySecurity, authMiddlewareFactory } from './auth.js';
 import { getInstanceContext } from './conf.js';
-import { ssrMiddlewareFactory } from './ssr.js';
+
+import ExpressService from '../runtime/express/Express.js';
 
 dotenv.config();
 
 const logger = loggerFactory(import.meta);
 
+/**
+ * Reads server configurations, sets up Prometheus metrics, and iterates through
+ * all defined hosts and paths to build and start the corresponding runtime instances.
+ *
+ * @memberof Runtime
+ * @returns {Promise<void>}
+ */
 const buildRuntime = async () => {
   const deployId = process.env.DEPLOY_ID;
 
+  // 1. Initialize Prometheus Metrics
   const collectDefaultMetrics = promClient.collectDefaultMetrics;
   collectDefaultMetrics();
 
@@ -38,12 +44,17 @@ const buildRuntime = async () => {
   const requestCounter = new promClient.Counter(promCounterOption);
   const initPort = parseInt(process.env.PORT) + 1;
   let currentPort = initPort;
+
+  // 2. Load Configuration
   const confServer = JSON.parse(fs.readFileSync(`./conf/conf.server.json`, 'utf8'));
   const confSSR = JSON.parse(fs.readFileSync(`./conf/conf.ssr.json`, 'utf8'));
   const singleReplicaHosts = [];
+
+  // 3. Iterate through hosts and paths
   for (const host of Object.keys(confServer)) {
     if (singleReplicaHosts.length > 0)
       currentPort += singleReplicaHosts.reduce((accumulator, currentValue) => accumulator + currentValue.replicas, 0);
+
     const rootHostPath = `/public/${host}`;
     for (const path of Object.keys(confServer[host])) {
       confServer[host][path].port = newInstance(currentPort);
@@ -65,6 +76,7 @@ const buildRuntime = async () => {
         apiBaseHost,
       } = confServer[host][path];
 
+      // Calculate context data
       const { redirectTarget, singleReplicaHost } = await getInstanceContext({
         redirect,
         singleReplicaHosts,
@@ -91,203 +103,37 @@ const buildRuntime = async () => {
 
       switch (runtime) {
         case 'nodejs':
-          const app = express();
-
-          app.use((req, res, next) => {
-            // const info = `${req.headers.host}${req.url}`;
-            return next();
-          });
-
-          if (process.env.NODE_ENV === 'production') app.set('trust proxy', true);
-
-          app.use((req, res, next) => {
-            requestCounter.inc({
-              instance: `${host}:${port}${path}`,
-              method: req.method,
-              status_code: res.statusCode,
-            });
-            // decodeURIComponent(req.url)
-            return next();
-          });
-
-          app.get(`${path === '/' ? '' : path}/metrics`, async (req, res) => {
-            res.set('Content-Type', promClient.register.contentType);
-            return res.end(await promClient.register.metrics());
-          });
-
-          // set logger
-          app.use(loggerMiddleware(import.meta));
-
-          // js src compression
-          app.use(compression({ filter: shouldCompress }));
-          function shouldCompress(req, res) {
-            if (req.headers['x-no-compression']) {
-              // don't compress responses with this request header
-              return false;
-            }
-
-            // fallback to standard filter function
-            return compression.filter(req, res);
-          }
-
-          // parse requests of content-type - application/json
-          app.use(express.json({ limit: '100MB' }));
-
-          // parse requests of content-type - application/x-www-form-urlencoded
-          app.use(express.urlencoded({ extended: true, limit: '20MB' }));
-
-          // file upload middleware
-          app.use(fileUpload());
-
-          // json formatted response
-          if (process.env.NODE_ENV === 'development') app.set('json spaces', 2);
-
-          // lang handling middleware
-          app.use(function (req, res, next) {
-            const lang = req.headers['accept-language'] || 'en';
-            if (typeof lang === 'string' && lang.toLowerCase().match('es')) {
-              req.lang = 'es';
-            } else req.lang = 'en';
-            return next();
+          // The devApiPort is used for development CORS origin calculation
+          // It needs to account for the current port and potential peer server increment
+          const devApiPort = currentPort + (peer ? 2 : 1);
+
+          logger.info('Build nodejs server runtime', `${host}${path}:${port}`);
+
+          const { portsUsed } = await ExpressService.createApp({
+            host,
+            path,
+            port,
+            client,
+            apis,
+            origins,
+            directory,
+            ws,
+            mailer,
+            db,
+            redirect,
+            peer,
+            valkey,
+            apiBaseHost,
+            devApiPort, // Pass the dynamically calculated dev API port
+            redirectTarget,
+            rootHostPath,
+            confSSR,
+            promRequestCounter: requestCounter,
+            promRegister: promClient.register,
           });
 
-          // instance public static
-          app.use('/', express.static(directory ? directory : `.${rootHostPath}`));
-          if (process.argv.includes('static')) {
-            logger.info('Build static server runtime', `${host}${path}`);
-            currentPort += 2;
-            const staticPort = newInstance(currentPort);
-            await UnderpostStartUp.API.listenPortController(app, staticPort, runningData);
-            currentPort++;
-            continue;
-          }
-
-          // Flag swagger requests before security middleware is applied
-          const swaggerJsonPath = `./public/${host}${path === '/' ? path : `${path}/`}swagger-output.json`;
-          const swaggerPath = `${path === '/' ? `/api-docs` : `${path}/api-docs`}`;
-          if (fs.existsSync(swaggerJsonPath))
-            app.use(swaggerPath, (req, res, next) => {
-              res.locals.isSwagger = true;
-              next();
-            });
-
-          // security
-          applySecurity(app, {
-            origin: origins.concat(
-              apis && process.env.NODE_ENV === 'development' ? [`http://localhost:${currentPort + 2}`] : [],
-            ),
-          });
-
-          if (redirect) {
-            app.use(function (req = express.Request, res = express.Response, next = express.NextFunction) {
-              if (process.env.NODE_ENV === 'production' && !req.url.startsWith(`/.well-known/acme-challenge`))
-                return res.status(302).redirect(redirectTarget + req.url);
-              // if (!req.url.startsWith(`/.well-known/acme-challenge`)) return res.status(302).redirect(redirect);
-              return next();
-            });
-            // app.use(
-            //   '*',
-            //   createProxyMiddleware({
-            //     target: redirect,
-            //     changeOrigin: true,
-            //   }),
-            // );
-
-            await UnderpostStartUp.API.listenPortController(app, port, runningData);
-            break;
-          }
-          // instance server
-          const server = createServer({}, app);
-          if (peer) currentPort++;
-
-          if (!apiBaseHost) {
-            if (fs.existsSync(swaggerJsonPath)) {
-              const swaggerInstance =
-                (swaggerDoc) =>
-                (...args) =>
-                  swaggerUi.setup(swaggerDoc)(...args);
-              const swaggerDoc = JSON.parse(fs.readFileSync(swaggerJsonPath, 'utf8'));
-              const swaggerPath = `${path === '/' ? `/api-docs` : `${path}/api-docs`}`;
-              app.use(swaggerPath, swaggerUi.serve, swaggerInstance(swaggerDoc));
-            }
-
-            if (db && apis) await DataBaseProvider.load({ apis, host, path, db });
-
-            // valkey server
-            if (valkey) await createValkeyConnection({ host, path }, valkey);
-
-            if (mailer) {
-              const mailerSsrConf = confSSR[getCapVariableName(client)];
-              await MailerProvider.load({
-                id: `${host}${path}`,
-                meta: `mailer-${host}${path}`,
-                host,
-                path,
-                ...mailer,
-                templates: mailerSsrConf ? mailerSsrConf.mailer : {},
-              });
-            }
-            if (apis && apis.length > 0) {
-              const authMiddleware = authMiddlewareFactory({ host, path });
-              const apiPath = `${path === '/' ? '' : path}/${process.env.BASE_API}`;
-              for (const api of apis)
-                await (async () => {
-                  logger.info(`Build api server`, `${host}${apiPath}/${api}`);
-                  const { ApiRouter } = await import(`../api/${api}/${api}.router.js`);
-                  const router = ApiRouter({ host, path, apiPath, mailer, db, authMiddleware, origins });
-                  // router.use(cors({ origin: origins }));
-                  // logger.info('Load api router', { host, path: apiPath, api });
-                  app.use(`${apiPath}/${api}`, router);
-                })();
-            }
-
-            if (ws)
-              await (async () => {
-                const { createIoServer } = await import(`../ws/${ws}/${ws}.ws.server.js`);
-                // logger.info('Load socket.io ws router', { host, ws });
-                // start socket.io
-                const { options, meta } = await createIoServer(server, {
-                  host,
-                  path,
-                  db,
-                  port,
-                  origins,
-                });
-                await UnderpostStartUp.API.listenPortController(UnderpostStartUp.API.listenServerFactory(), port, {
-                  runtime: 'nodejs',
-                  client: null,
-                  host,
-                  path: options.path,
-                  meta,
-                });
-              })();
-
-            if (peer) {
-              const peerPort = newInstance(currentPort);
-              const { options, meta, peerServer } = await createPeerServer({
-                port: peerPort,
-                devPort: port,
-                origins,
-                host,
-                path,
-              });
-
-              await UnderpostStartUp.API.listenPortController(peerServer, peerPort, {
-                runtime: 'nodejs',
-                client: null,
-                host,
-                path: options.path,
-                meta,
-              });
-            }
-          }
-
-          // load ssr
-          const ssr = await ssrMiddlewareFactory({ app, directory, rootHostPath, path });
-          for (const [_, ssrMiddleware] of Object.entries(ssr)) app.use(ssrMiddleware);
-
-          await UnderpostStartUp.API.listenPortController(server, port, runningData);
-
+          // Increment currentPort by any additional ports used by the service (e.g., PeerServer port)
+          currentPort += portsUsed;
           break;
 
         case 'lampp':

package/src/runtime/nginx/Nginx.js

@@ -1,3 +0,0 @@
-const Nginx = {};
-
-export { Nginx };