underpost 3.0.3 → 3.1.0

package/manifests/deployment/dd-test-development/deployment.yaml

@@ -18,13 +18,13 @@ spec:
     spec:
       containers:
         - name: dd-test-development-blue
-          image: localhost/rockylinux9-underpost:v3.0.3
+          image: localhost/rockylinux9-underpost:v3.1.0
 
           command:
             - /bin/sh
             - -c
             - >
-              npm install -g npm@11.2.0 && npm install -g underpost && underpost secret underpost --create-from-file /etc/config/.env.development && underpost start --build --run --underpost-quickly-install dd-test development
+              npm install -g npm@11.2.0 && npm install -g underpost && underpost secret underpost --create-from-file /etc/config/.env.development && underpost start --build --run dd-test development
 
     
           volumeMounts:
@@ -47,41 +47,41 @@ spec:
   selector:
     app: dd-test-development-blue
   ports:
-    - name: 'tcp-4030'
+    - name: 'tcp-4038'
       protocol: TCP
-      port: 4030
-      targetPort: 4030
-    - name: 'udp-4030'
+      port: 4038
+      targetPort: 4038
+    - name: 'udp-4038'
       protocol: UDP
-      port: 4030
-      targetPort: 4030
+      port: 4038
+      targetPort: 4038
 
-    - name: 'tcp-4031'
+    - name: 'tcp-4039'
       protocol: TCP
-      port: 4031
-      targetPort: 4031
-    - name: 'udp-4031'
+      port: 4039
+      targetPort: 4039
+    - name: 'udp-4039'
       protocol: UDP
-      port: 4031
-      targetPort: 4031
+      port: 4039
+      targetPort: 4039
 
-    - name: 'tcp-4032'
+    - name: 'tcp-4040'
       protocol: TCP
-      port: 4032
-      targetPort: 4032
-    - name: 'udp-4032'
+      port: 4040
+      targetPort: 4040
+    - name: 'udp-4040'
       protocol: UDP
-      port: 4032
-      targetPort: 4032
+      port: 4040
+      targetPort: 4040
 
-    - name: 'tcp-4033'
+    - name: 'tcp-4041'
       protocol: TCP
-      port: 4033
-      targetPort: 4033
-    - name: 'udp-4033'
+      port: 4041
+      targetPort: 4041
+    - name: 'udp-4041'
       protocol: UDP
-      port: 4033
-      targetPort: 4033
+      port: 4041
+      targetPort: 4041
   type: LoadBalancer
 ---
 apiVersion: apps/v1
@@ -103,13 +103,13 @@ spec:
     spec:
       containers:
         - name: dd-test-development-green
-          image: localhost/rockylinux9-underpost:v3.0.3
+          image: localhost/rockylinux9-underpost:v3.1.0
 
           command:
             - /bin/sh
             - -c
             - >
-              npm install -g npm@11.2.0 && npm install -g underpost && underpost secret underpost --create-from-file /etc/config/.env.development && underpost start --build --run --underpost-quickly-install dd-test development
+              npm install -g npm@11.2.0 && npm install -g underpost && underpost secret underpost --create-from-file /etc/config/.env.development && underpost start --build --run dd-test development
 
     
           volumeMounts:
@@ -132,39 +132,39 @@ spec:
   selector:
     app: dd-test-development-green
   ports:
-    - name: 'tcp-4030'
+    - name: 'tcp-4038'
       protocol: TCP
-      port: 4030
-      targetPort: 4030
-    - name: 'udp-4030'
+      port: 4038
+      targetPort: 4038
+    - name: 'udp-4038'
       protocol: UDP
-      port: 4030
-      targetPort: 4030
+      port: 4038
+      targetPort: 4038
 
-    - name: 'tcp-4031'
+    - name: 'tcp-4039'
       protocol: TCP
-      port: 4031
-      targetPort: 4031
-    - name: 'udp-4031'
+      port: 4039
+      targetPort: 4039
+    - name: 'udp-4039'
       protocol: UDP
-      port: 4031
-      targetPort: 4031
+      port: 4039
+      targetPort: 4039
 
-    - name: 'tcp-4032'
+    - name: 'tcp-4040'
       protocol: TCP
-      port: 4032
-      targetPort: 4032
-    - name: 'udp-4032'
+      port: 4040
+      targetPort: 4040
+    - name: 'udp-4040'
       protocol: UDP
-      port: 4032
-      targetPort: 4032
+      port: 4040
+      targetPort: 4040
 
-    - name: 'tcp-4033'
+    - name: 'tcp-4041'
       protocol: TCP
-      port: 4033
-      targetPort: 4033
-    - name: 'udp-4033'
+      port: 4041
+      targetPort: 4041
+    - name: 'udp-4041'
       protocol: UDP
-      port: 4033
-      targetPort: 4033
+      port: 4041
+      targetPort: 4041
   type: LoadBalancer

package/manifests/deployment/dd-test-development/proxy.yaml

@@ -15,7 +15,7 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-test-development-blue-service
-          port: 4030
+          port: 4038
           weight: 100
     
     - conditions:
@@ -24,7 +24,7 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-test-development-blue-service
-          port: 4031
+          port: 4039
           weight: 100
     
 ---
@@ -43,7 +43,7 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-test-development-blue-service
-          port: 4032
+          port: 4040
           weight: 100
     
     - conditions:
@@ -52,6 +52,6 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-test-development-blue-service
-          port: 4033
+          port: 4041
           weight: 100
     

package/manifests/pv-pvc-dd.yaml

@@ -31,4 +31,4 @@ spec:
   storageClassName: manual
   resources:
     requests:
-      storage: 1Gi
+      storage: 5Gi

package/package.json

@@ -2,25 +2,30 @@
     "type": "module",
     "main": "src/index.js",
     "name": "underpost",
-    "version": "3.0.3",
+    "version": "3.1.0",
     "description": "pwa api rest template",
     "scripts": {
-        "start": "env-cmd -f .env.production node --max-old-space-size=8192 src/server",
-        "build": "node bin/deploy build-full-client",
-        "test": "env-cmd -f .env.test c8 mocha",
-        "dev": "env-cmd -f .env.development nodemon src/server",
-        "dev-img": "env-cmd -f .env.development node src/server",
-        "prod-img": "env-cmd -f .env.production node src/server",
-        "dev-api": "env-cmd -f .env.development nodemon --watch src --ignore src/client src/api",
-        "dev-client": "env-cmd -f .env.development node src/client.dev",
-        "dev-proxy": "env-cmd -f .env.development node src/proxy proxy",
+        "start": "node --max-old-space-size=8192 src/server",
+        "build": "node bin client",
+        "test": "NODE_ENV=test c8 mocha",
+        "dev": "NODE_ENV=development nodemon src/server",
+        "dev:container": "NODE_ENV=development node src/server",
+        "prod:container": "NODE_ENV=production node src/server",
+        "dev:api": "NODE_ENV=development nodemon --watch src --ignore src/client src/api",
+        "dev:client": "NODE_ENV=development node src/client.dev",
+        "dev:proxy": "NODE_ENV=development node src/proxy proxy",
         "docs": "jsdoc -c jsdoc.json",
-        "install-global": "npm install -g jsdoc && npm install -g prettier && npm install -g env-cmd",
-        "install-test": "npm install -g mocha && npm install -g c8 && npm install -g coveralls",
-        "install": "npm run install-global && npm run install-test",
+        "install:global": "npm install -g jsdoc && npm install -g prettier",
+        "install:test": "npm install -g mocha && npm install -g c8 && npm install -g coveralls",
+        "install": "npm run install:global && npm run install:test",
         "prettier": "prettier --write .",
         "fix": "npm audit fix --force && npm audit",
-        "baremetal": "node bin baremetal --dev --commission --ls --create-machine"
+        "baremetal": "node bin baremetal --dev --commission --ls --create-machine",
+        "security:secrets": "gitleaks detect --source . --config .gitleaks.toml --report-path ./gitleaks-report.json --report-format json --redact=0",
+        "security:secrets:ci": "gitleaks detect --source . --config .gitleaks.toml --redact=1",
+        "security:deps": "npm audit",
+        "security": "npm run security:secrets:ci && npm run security:deps",
+        "clean": "node bin env clean && node bin run clean"
     },
     "bin": {
         "underpost": "bin/index.js"
@@ -46,63 +51,63 @@
     },
     "homepage": "https://github.com/underpostnet/pwa-microservices-template#readme",
     "dependencies": {
-        "@fortawesome/fontawesome-free": "^6.4.2",
-        "@fullcalendar/rrule": "^6.1.15",
-        "@neodrag/vanilla": "^2.0.3",
+        "@fortawesome/fontawesome-free": "^7.2.0",
+        "@fullcalendar/rrule": "^6.1.20",
+        "@neodrag/vanilla": "^2.3.1",
         "adm-zip": "^0.5.10",
-        "ag-grid-community": "^31.3.4",
-        "axios": "^1.5.1",
-        "chai": "^5.1.0",
+        "ag-grid-community": "^35.1.0",
+        "axios": "^1.13.6",
+        "chai": "^6.2.2",
         "clean-jsdoc-theme": "^4.3.0",
-        "clipboardy": "^4.0.0",
+        "clipboardy": "^5.3.1",
         "cloudinary": "^2.5.1",
         "colors": "^1.4.0",
-        "commander": "^12.1.0",
+        "commander": "^14.0.3",
         "compression": "^1.7.4",
         "cookie-parser": "^1.4.7",
-        "cors": "^2.8.5",
+        "cors": "^2.8.6",
         "d3": "^7.9.0",
-        "dotenv": "^16.3.1",
+        "dotenv": "^17.3.1",
         "easymde": "^2.18.0",
-        "env-cmd": "^10.1.0",
-        "express": "^4.18.2",
+        "escape-string-regexp": "^5.0.0",
+        "express": "^5.2.1",
         "express-fileupload": "^1.4.3",
-        "express-rate-limit": "^8.1.0",
-        "express-slow-down": "^3.0.0",
+        "express-rate-limit": "^8.3.1",
+        "express-slow-down": "^3.1.0",
         "fast-json-stable-stringify": "^2.1.0",
         "favicons": "^7.2.0",
-        "fs-extra": "^11.1.1",
+        "fs-extra": "^11.3.4",
         "fullcalendar": "^6.1.15",
         "helmet": "^8.1.0",
         "html-minifier-terser": "^7.2.0",
-        "http-proxy-middleware": "^2.0.6",
+        "http-proxy-middleware": "^3.0.5",
         "ignore-walk": "^8.0.0",
-        "iovalkey": "^0.2.1",
-        "json-colorizer": "^2.2.2",
-        "jsonwebtoken": "^9.0.2",
+        "iovalkey": "^0.3.3",
+        "json-colorizer": "^3.0.1",
+        "jsonwebtoken": "^9.0.3",
         "mariadb": "^3.2.2",
-        "marked": "^12.0.2",
+        "marked": "^17.0.4",
         "mocha": "^11.3.0",
-        "mongoose": "^8.9.5",
+        "mongoose": "^9.3.0",
         "morgan": "^1.10.0",
-        "nodemailer": "^7.0.9",
+        "nodemailer": "^8.0.2",
         "nodemon": "^3.0.1",
         "peer": "^1.0.2",
-        "peerjs": "^1.5.2",
+        "peerjs": "^1.5.5",
         "prom-client": "^15.1.2",
-        "read": "^2.1.0",
+        "read": "^5.0.1",
         "rrule": "^2.8.1",
         "shelljs": "^0.10.0",
-        "sitemap": "^7.1.1",
-        "socket.io": "^4.8.0",
+        "sitemap": "^9.0.1",
+        "socket.io": "^4.8.3",
         "sortablejs": "^1.15.0",
         "split-file": "^2.3.0",
-        "swagger-autogen": "^2.9.2",
+        "swagger-autogen": "^2.23.7",
         "swagger-ui-express": "^5.0.0",
         "uglify-js": "^3.17.4",
         "validator": "^13.11.0",
-        "vanilla-jsoneditor": "^2.3.2",
-        "winston": "^3.11.0"
+        "vanilla-jsoneditor": "^3.11.0",
+        "winston": "^3.19.0"
     },
     "publishConfig": {
         "provenance": true,

package/scripts/k3s-node-setup.sh

@@ -52,7 +52,7 @@ cd /home/dd/engine
 
 echo "Applying host configuration..."
 
-underpost install
+npm install
 
 node bin run secret
 

package/src/api/document/document.service.js

@@ -497,7 +497,7 @@ const DocumentService = {
         req.body.isPublic = isPublic;
         req.body.tags = tags;
 
-        return await Document.findByIdAndUpdate(req.params.id, req.body, { new: true });
+        return await Document.findByIdAndUpdate(req.params.id, req.body, { returnDocument: 'after' });
       }
     }
   },

package/src/api/file/file.controller.js

@@ -19,7 +19,9 @@ const FileController = {
   },
   get: async (req, res, options) => {
     try {
-      res.setHeader('Access-Control-Allow-Origin', '*');
+      if (req && req.headers && req.headers.origin) {
+        res.set('Access-Control-Allow-Origin', req.headers.origin);
+      } else res.setHeader('Access-Control-Allow-Origin', '*');
       res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
       const result = await FileService.get(req, res, options);
       if (result instanceof Buffer) {

package/src/api/file/file.service.js

@@ -387,12 +387,35 @@ const FileService = {
         if (doc.isPublic) return true;
 
         // Otherwise, user must be authenticated and own the document
+        // Try bearer token first
         const token = getBearerToken(req);
-        if (!token) false;
-        const payload = jwtVerify(token, options);
-        const user = await User.findOne({ _id: payload._id }).lean();
-        if (!user) return false;
-        return String(doc.userId) === String(user._id);
+        if (token) {
+          try {
+            const payload = jwtVerify(token, options);
+            const user = await User.findOne({ _id: payload._id }).lean();
+            if (user && String(doc.userId) === String(user._id)) return true;
+          } catch (bearerErr) {
+            logger.warn('Bearer token verification failed, trying cookie session fallback:', bearerErr.message);
+          }
+        }
+
+        // Fallback: check cookie-based session (refreshToken cookie)
+        const refreshToken = req.cookies?.refreshToken;
+        if (refreshToken) {
+          try {
+            const user = await User.findOne({ 'activeSessions.tokenHash': refreshToken }).lean();
+            if (user) {
+              const session = user.activeSessions.find((s) => s.tokenHash === refreshToken);
+              if (session && (!session.expiresAt || session.expiresAt >= new Date())) {
+                return String(doc.userId) === String(user._id);
+              }
+            }
+          } catch (cookieErr) {
+            logger.warn('Cookie session verification failed:', cookieErr.message);
+          }
+        }
+
+        return false;
       } catch (err) {
         console.log(err);
         logger.error('Authorization check failed:', err);

package/src/api/user/user.router.js

@@ -30,12 +30,15 @@ const UserRouter = (options) => {
             emailConfirmed: true,
             publicKey: [],
           });
-          logger.warn('Default admin user created. Please change the default password immediately!', result._doc);
+          logger.warn('Default admin user created. Please change the default password immediately!', {
+            username: result._doc.username,
+            email: result._doc.email,
+            role: result._doc.role,
+          });
         }
       }
     } catch (error) {
-      logger.error('Error checking/creating admin user');
-      console.log(error);
+      logger.error('Error checking/creating admin user', { error: error.message });
     }
 
     // Cache mailer images
@@ -46,10 +49,12 @@ const UserRouter = (options) => {
         check: fs.readFileSync(`./src/client/public/default/assets/mailer/api-user-check.png`),
         avatar: fs.readFileSync(`./src/client/public/default/assets/mailer/api-user-default-avatar.png`),
       },
-      header: (res) => {
+      header: (res, req) => {
         res.set('Cross-Origin-Resource-Policy', 'cross-origin');
-        res.set('Access-Control-Allow-Origin', '*');
         res.set('Access-Control-Allow-Headers', '*');
+        if (req && req.headers && req.headers.origin) {
+          res.set('Access-Control-Allow-Origin', req.headers.origin);
+        } else res.setHeader('Access-Control-Allow-Origin', '*');
         res.set('Content-Type', 'image/png');
       },
     };

package/src/api/user/user.service.js

@@ -265,7 +265,7 @@ const UserService = {
     }
 
     if (req.path.startsWith('/assets')) {
-      options.png.header(res);
+      options.png.header(res, req);
       return options.png.buffer[req.params.id];
     }
 
@@ -281,7 +281,7 @@ const UserService = {
         payload = verifyJWT(req.params.id, options);
       } catch (error) {
         logger.error(error, { 'req.params.id': req.params.id });
-        options.png.header(res);
+        options.png.header(res, req);
         return options.png.buffer['invalid-token'];
       }
       const user = await User.findOne({
@@ -294,10 +294,10 @@ const UserService = {
           { recoverTimeOut: new Date(+new Date() + 1000 * 60 * 15) },
           { runValidators: true },
         );
-        options.png.header(res);
+        options.png.header(res, req);
         return options.png.buffer['recover'];
       } else {
-        options.png.header(res);
+        options.png.header(res, req);
         return options.png.buffer['invalid-token'];
       }
     }
@@ -308,7 +308,7 @@ const UserService = {
         payload = verifyJWT(req.params.id, options);
       } catch (error) {
         logger.error(error, { 'req.params.id': req.params.id });
-        options.png.header(res);
+        options.png.header(res, req);
         return options.png.buffer['invalid-token'];
       }
       const user = await User.findOne({
@@ -324,10 +324,10 @@ const UserService = {
           status: 'email-confirmed',
           id: userWsId,
         });
-        options.png.header(res);
+        options.png.header(res, req);
         return options.png.buffer['check'];
       } else {
-        options.png.header(res);
+        options.png.header(res, req);
         return options.png.buffer['invalid-token'];
       }
     }

package/src/cli/baremetal.js

@@ -135,9 +135,6 @@ class UnderpostBaremetal {
     ) {
       let { ipAddress, hostname, ipFileServer, ipConfig, netmask, dnsServer } = options;
 
-      // Load environment variables from .env file, overriding existing ones if present.
-      dotenv.config({ path: `${getUnderpostRootPath()}/.env`, override: true });
-
       // Determine the root path for npm and underpost.
       const npmRoot = getNpmRootPath();
       const underpostRoot = options?.dev === true ? '.' : `${npmRoot}/underpost`;
@@ -1147,9 +1144,8 @@ rm -rf ${artifacts.join(' ')}`);
           machine: machine ? machine.system_id : null,
         });
 
-        const { discovery, machine: discoveredMachine } = await Underpost.baremetal.commissionMonitor(
-          commissionMonitorPayload,
-        );
+        const { discovery, machine: discoveredMachine } =
+          await Underpost.baremetal.commissionMonitor(commissionMonitorPayload);
         if (discoveredMachine) machine = discoveredMachine;
       }
     },
@@ -2494,10 +2490,10 @@ fi
           const discoverHostname = discovery.hostname
             ? discovery.hostname
             : discovery.mac_organization
-            ? discovery.mac_organization
-            : discovery.domain
-            ? discovery.domain
-            : `generic-host-${s4()}${s4()}`;
+              ? discovery.mac_organization
+              : discovery.domain
+                ? discovery.domain
+                : `generic-host-${s4()}${s4()}`;
 
           console.log(discoverHostname.bgBlue.bold.white);
           console.log('ip target:'.green + ipAddress, 'ip discovered:'.green + discovery.ip);

package/src/cli/cloud-init.js

@@ -5,15 +5,12 @@
  * @namespace UnderpostCloudInit
  */
 
-import dotenv from 'dotenv';
 import { shellExec } from '../server/process.js';
 import fs from 'fs-extra';
 import { loggerFactory } from '../server/logger.js';
 import { getNpmRootPath } from '../server/conf.js';
 import Underpost from '../index.js';
 
-dotenv.config();
-
 const logger = loggerFactory(import.meta);
 
 /**