underpost 3.2.5 → 3.2.9

package/src/api/test/test.controller.js

@@ -3,8 +3,8 @@ import { TestService } from './test.service.js';
 
 const logger = loggerFactory(import.meta);
 
-const TestController = {
-  post: async (req, res, options) => {
+class TestController {
+  static post = async (req, res, options) => {
     try {
       return res.status(200).json({
         status: 'success',
@@ -17,8 +17,8 @@ const TestController = {
         message: error.message,
       });
     }
-  },
-  get: async (req, res, options) => {
+  };
+  static get = async (req, res, options) => {
     try {
       const result = await TestService.get(req, res, options);
       if (result)
@@ -37,8 +37,8 @@ const TestController = {
         message: error.message,
       });
     }
-  },
-  delete: async (req, res, options) => {
+  };
+  static delete = async (req, res, options) => {
     try {
       const result = await TestService.delete(req, res, options);
 
@@ -53,7 +53,7 @@ const TestController = {
         message: error.message,
       });
     }
-  },
-};
+  };
+}
 
 export { TestController };

package/src/api/test/test.service.js

@@ -5,14 +5,14 @@ import { getYouTubeID, validatePassword } from '../../client/components/core/Com
 
 const logger = loggerFactory(import.meta);
 
-const TestService = {
-  post: async (req, res, options) => {
+class TestService {
+  static post = async (req, res, options) => {
     switch (req.params.id) {
       default:
         break;
     }
-  },
-  get: async (req, res, options) => {
+  };
+  static get = async (req, res, options) => {
     switch (req.params.id) {
       case 'verify-email':
         return validator.isEmail(req.query.email);
@@ -23,13 +23,13 @@ const TestService = {
 
       default:
     }
-  },
-  delete: async (req, res, options) => {
+  };
+  static delete = async (req, res, options) => {
     switch (req.params.id) {
       default:
         break;
     }
-  },
-};
+  };
+}
 
 export { TestService };

package/src/api/user/guest.service.js

@@ -0,0 +1,99 @@
+import mongoose from 'mongoose';
+import { UserDto } from './user.model.js';
+import { ValkeyAPI } from '../../server/valkey.js';
+import { hashPassword, getBearerToken, jwtSign } from '../../server/auth.js';
+
+// ─── TTL ──────────────────────────────────────────────────────────────────────
+
+const _guestTtlMs = () => {
+  const minutes = Number.parseInt(process.env.REFRESH_EXPIRE_MINUTES || '60', 10);
+  return Number.isFinite(minutes) && minutes > 0 ? minutes * 60 * 1000 : 60 * 60 * 1000;
+};
+
+// ─── Domain helpers ───────────────────────────────────────────────────────────
+
+/**
+ * Constructs a new ephemeral guest user object.
+ * This is domain logic specific to the guest lifecycle; it does not belong
+ * in the generic Valkey storage module.
+ *
+ * @param {{ host?: string }} options
+ * @returns {object}
+ */
+const buildGuestUser = (options) => {
+  const now = new Date().toISOString();
+  const _id = new mongoose.Types.ObjectId().toString();
+  const role = 'guest';
+  return {
+    _id: `${role}${_id}`,
+    username: `${role}${_id.slice(-5)}`,
+    email: `${_id}@${options.host || 'localhost'}`,
+    password: hashPassword(process.env.JWT_SECRET),
+    role,
+    emailConfirmed: false,
+    profileImageId: null,
+    publicKey: [],
+    phoneNumbers: [],
+    activeSessions: [],
+    failedLoginAttempts: 0,
+    recoverTimeOut: null,
+    lastLoginDate: null,
+    createdAt: now,
+    updatedAt: now,
+    guestSessionExpiresAt: Date.now() + _guestTtlMs(),
+  };
+};
+
+/**
+ * Projects a user object to the public-safe fields defined by UserDto.select.get().
+ * Keeps this logic next to the guest domain instead of in a generic utility.
+ *
+ * @param {object} user
+ * @returns {object}
+ */
+const _toPublicUser = (user) => {
+  const select = UserDto.select.get();
+  return Object.fromEntries(
+    Object.keys(select)
+      .filter((k) => select[k] === 1 && k in user)
+      .map((k) => [k, user[k]]),
+  );
+};
+
+const _withRefreshedExpiry = (user) => ({ ...user, guestSessionExpiresAt: Date.now() + _guestTtlMs() });
+
+// ─── Service ──────────────────────────────────────────────────────────────────
+
+class GuestService {
+  static async create(req, options) {
+    const user = buildGuestUser(options);
+
+    await ValkeyAPI.set(options, user.email, user, _guestTtlMs());
+
+    return {
+      token: jwtSign(
+        UserDto.auth.payload(user, null, req.ip, req.headers['user-agent'], options.host, options.path),
+        options,
+      ),
+      user: _toPublicUser(user),
+    };
+  }
+
+  static async auth(req, options) {
+    const user = await ValkeyAPI.get(options, req.auth.user.email);
+    if (!user) throw new Error('guest user expired');
+
+    const expiresAt = Number(user.guestSessionExpiresAt || 0);
+    if (expiresAt && expiresAt <= Date.now()) throw new Error('guest user expired');
+
+    const refreshed = _withRefreshedExpiry(user);
+    await ValkeyAPI.set(options, refreshed.email, refreshed, _guestTtlMs());
+
+    return {
+      user: _toPublicUser(refreshed),
+      token: getBearerToken(req),
+    };
+  }
+}
+
+export { GuestService };

package/src/api/user/user.controller.js

@@ -25,11 +25,11 @@ const handleRequest = (serviceMethod) => async (req, res, options) => {
   }
 };
 
-const UserController = {
-  post: handleRequest(UserService.post),
-  get: handleRequest(UserService.get),
-  delete: handleRequest(UserService.delete),
-  put: handleRequest(UserService.put),
-};
+class UserController {
+  static post = handleRequest(UserService.post);
+  static get = handleRequest(UserService.get);
+  static delete = handleRequest(UserService.delete);
+  static put = handleRequest(UserService.put);
+}
 
 export { UserController };

package/src/api/user/user.model.js

@@ -3,7 +3,6 @@ import validator from 'validator';
 import { userRoleEnum } from '../../client/components/core/CommonJs.js';
 import crypto from 'crypto';
 // https://mongoosejs.com/docs/2.7.x/docs/schematypes.html
-
 const UserSchema = new Schema(
   {
     email: {
@@ -88,13 +87,10 @@ const UserSchema = new Schema(
     timestamps: true,
   },
 );
-
 const UserModel = model('User', UserSchema);
-
 const ProviderSchema = UserSchema;
-
-const UserDto = {
-  select: {
+class UserDto {
+  static select = {
     get: () => {
       return {
         _id: 1,
@@ -112,8 +108,8 @@ const UserDto = {
     getAll: () => {
       return { _id: 1 };
     },
-  },
-  public: {
+  };
+  static public = {
     get: () => {
       return {
         _id: 1,
@@ -125,8 +121,8 @@ const UserDto = {
         updatedAt: 1,
       };
     },
-  },
-  auth: {
+  };
+  static auth = {
     payload: (user, jwtid, ip, userAgent, host, path) => {
       const tokenPayload = {
         _id: user._id.toString(),
@@ -141,7 +137,6 @@ const UserDto = {
       };
       return tokenPayload;
     },
-  },
-};
-
+  };
+}
 export { UserSchema, UserModel, userRoleEnum, ProviderSchema, UserDto };

package/src/api/user/user.service.js

@@ -9,7 +9,6 @@ import {
   refreshSessionAndToken,
   logoutSession,
   jwtSign,
-  getBearerToken,
   validatePasswordMiddleware,
 } from '../../server/auth.js';
 import { MailerProvider } from '../../mailer/MailerProvider.js';
@@ -19,8 +18,8 @@ import validator from 'validator';
 import { DataBaseProvider } from '../../db/DataBaseProvider.js';
 import { FileFactory, FileCleanup } from '../file/file.service.js';
 import { UserDto } from './user.model.js';
-import { selectDtoFactory, ValkeyAPI } from '../../server/valkey.js';
 import { timer } from '../../client/components/core/CommonJs.js';
+import { GuestService } from './guest.service.js';
 
 const logger = loggerFactory(import.meta);
 
@@ -226,15 +225,7 @@ const UserService = {
         } else throw new Error('Invalid credentials');
 
       case 'guest': {
-        const user = await ValkeyAPI.valkeyObjectFactory(options, 'user');
-        await ValkeyAPI.setValkeyObject(options, user.email, user);
-        return {
-          token: jwtSign(
-            UserDto.auth.payload(user, null, req.ip, req.headers['user-agent'], options.host, options.path),
-            options,
-          ),
-          user: selectDtoFactory(user, UserDto.select.get()),
-        };
+        return await GuestService.create(req, options);
       }
 
       default:
@@ -360,8 +351,7 @@ const UserService = {
       case 'auth': {
         let user;
         if (req.auth.user._id.match('guest')) {
-          user = await ValkeyAPI.getValkeyObject(options, req.auth.user.email);
-          if (!user) throw new Error('guest user expired');
+          return await GuestService.auth(req, options);
         } else
           user = await User.findOne({
             _id: req.auth.user._id,
@@ -369,13 +359,6 @@ const UserService = {
 
         if (!user) throw new Error('user not found');
 
-        const guestUser = await ValkeyAPI.getValkeyObject(options, req.auth.user.email);
-        if (guestUser)
-          return {
-            user: selectDtoFactory(guestUser, UserDto.select.get()),
-            token: getBearerToken(req),
-          };
-
         return {
           token: await refreshSessionAndToken(req, res, User, options),
           user: await User.findOne({

package/src/cli/cluster.js

@@ -172,9 +172,19 @@ class UnderpostCluster {
           const podNetworkCidr = options.podNetworkCidr || '192.168.0.0/16';
           const controlPlaneEndpoint = options.controlPlaneEndpoint || `${os.hostname()}:6443`;
 
-          // Initialize kubeadm control plane
+          // Initialize kubeadm control plane.
+          // Use CRI-O socket when available, otherwise fall back to containerd.
+          const crioSocket = 'unix:///var/run/crio/crio.sock';
+          const containerdSocket = 'unix:///run/containerd/containerd.sock';
+          const criSocket =
+            shellExec(`test -S /var/run/crio/crio.sock && echo crio || echo containerd`, {
+              stdout: true,
+              silent: true,
+            }).trim() === 'crio'
+              ? crioSocket
+              : containerdSocket;
           shellExec(
-            `sudo kubeadm init --pod-network-cidr=${podNetworkCidr} --control-plane-endpoint="${controlPlaneEndpoint}"`,
+            `sudo kubeadm init --pod-network-cidr=${podNetworkCidr} --control-plane-endpoint="${controlPlaneEndpoint}" --cri-socket=${criSocket}`,
           );
           // Configure kubectl for the current user
           Underpost.cluster.chown('kubeadm'); // Pass 'kubeadm' to chown
@@ -389,8 +399,17 @@ EOF
         );
         shellExec(`rm -f ${tarPath}`);
       } else if (options.kubeadm || options.k3s) {
-        // Kubeadm / K3s: use crictl to pull directly into containerd
-        shellExec(`sudo crictl pull ${image}`);
+        // Kubeadm / K3s: use crictl to pull directly into the active CRI runtime.
+        // crictl is not in sudo's secure_path; pass full PATH through env.
+        // Point crictl at CRI-O when the socket exists, otherwise fall back to containerd.
+        const criSock =
+          shellExec(`test -S /var/run/crio/crio.sock && echo crio || echo containerd`, {
+            stdout: true,
+            silent: true,
+          }).trim() === 'crio'
+            ? 'unix:///var/run/crio/crio.sock'
+            : 'unix:///run/containerd/containerd.sock';
+        shellExec(`sudo env PATH="$PATH:/usr/local/bin:/usr/bin" crictl --runtime-endpoint ${criSock} pull ${image}`);
       }
     },
 
@@ -453,12 +472,11 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
       shellExec(`sudo sysctl -w fs.inotify.max_queued_events=2099999999`);
 
       // shellExec(`sudo sysctl --system`); // Apply sysctl changes immediately
-      // Apply NAT iptables rules.
+      // Apply NAT iptables rules and configure firewalld for Kubernetes.
+      // nat-iptables.sh enables firewalld and opens all required ports; do NOT stop it
+      // afterwards — keeping firewalld running with these rules is required for
+      // multi-machine kubeadm inter-node communication.
       shellExec(`${underpostRoot}/scripts/nat-iptables.sh`, { silent: true });
-
-      // Disable firewalld (common cause of network issues in Kubernetes)
-      shellExec(`sudo systemctl stop firewalld`); // Stop if running
-      shellExec(`sudo systemctl disable firewalld`); // Disable from starting on boot
     },
 
     /**
@@ -575,8 +593,10 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         shellExec('sudo systemctl stop kubelet');
         shellExec('sudo systemctl stop docker');
         shellExec('sudo systemctl stop podman');
-        // Safely unmount pod filesystems to avoid errors.
-        shellExec('sudo umount -f /var/lib/kubelet/pods/*/*');
+        // Lazy-unmount all kubelet pod mounts to avoid 'Device or resource busy' on rm.
+        shellExec(
+          `sudo sh -c 'findmnt --raw --noheadings -o TARGET | grep /var/lib/kubelet | sort -r | xargs -r umount -l' 2>/dev/null || true`,
+        );
 
         // Phase 3: Execute official uninstallation commands (type-specific)
         const clusterType = options.clusterType || 'kind';
@@ -584,6 +604,14 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
           `Phase 3/7: Executing official reset/uninstallation commands for cluster type: '${clusterType}'...`,
         );
         if (clusterType === 'kubeadm') {
+          // Kill control plane processes that hold ports (6443, 10257, 10259, 2379, 2380)
+          // so the next `kubeadm init` does not fail with [ERROR Port-xxxx].
+          logger.info('  -> Stopping and killing control plane containers and processes...');
+          shellExec('sudo crictl rm -a -f 2>/dev/null || true');
+          shellExec('sudo crictl rmp -a -f 2>/dev/null || true');
+          shellExec('sudo systemctl stop etcd 2>/dev/null || true');
+          for (const port of [6443, 10259, 10257, 2379, 2380])
+            shellExec(`sudo fuser -k ${port}/tcp 2>/dev/null || true`);
           logger.info('  -> Executing kubeadm reset...');
           shellExec('sudo kubeadm reset --force');
         } else if (clusterType === 'k3s') {
@@ -600,7 +628,12 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         // Remove any leftover configurations and data.
         shellExec('sudo rm -rf /etc/kubernetes/*');
         shellExec('sudo rm -rf /etc/cni/net.d/*');
+        // Second-pass lazy umount before rm to clear any remaining busy mounts.
+        shellExec(
+          `sudo sh -c 'findmnt --raw --noheadings -o TARGET | grep /var/lib/kubelet | sort -r | xargs -r umount -l' 2>/dev/null || true`,
+        );
         shellExec('sudo rm -rf /var/lib/kubelet/*');
+        shellExec('sudo rm -rf /var/lib/etcd');
         shellExec('sudo rm -rf /var/lib/cni/*');
         shellExec('sudo rm -rf /var/lib/docker/*');
         shellExec('sudo rm -rf /var/lib/containerd/*');
@@ -613,11 +646,14 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         // Remove iptables rules and CNI network interfaces.
         shellExec('sudo iptables -F');
         shellExec('sudo iptables -t nat -F');
-        shellExec('sudo ip link del cni0');
-        shellExec('sudo ip link del flannel.1');
+        shellExec('sudo ip link del cni0 2>/dev/null || true');
+        shellExec('sudo ip link del flannel.1 2>/dev/null || true');
+        shellExec('sudo ip link del vxlan.calico 2>/dev/null || true');
+        shellExec('sudo ip link del tunl0 2>/dev/null || true');
 
         logger.info('Phase 6/7: Clean up images');
-        shellExec(`podman rmi $(podman images -qa) --force`);
+        shellExec('sudo podman rmi --all --force 2>/dev/null || true');
+        shellExec('sudo crictl rmi --prune 2>/dev/null || true');
 
         // Phase 6: Reload daemon and finalize
         logger.info('Phase 7/7: Reloading the system daemon and finalizing...');
@@ -687,6 +723,9 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
       // Install Podman
       shellExec(`sudo dnf -y install podman`);
 
+      // Install CRI-O (required for kubeadm with CRI-O socket)
+      shellExec(`node bin run install-crio`);
+
       // Install Kind (Kubernetes in Docker)
       shellExec(`[ $(uname -m) = ${archData.name} ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.29.0/kind-linux-${archData.alias}
 chmod +x ./kind
@@ -744,6 +783,14 @@ EOF`);
       console.log('Removing Podman...');
       shellExec(`sudo dnf -y remove podman`);
 
+      // Remove CRI-O
+      console.log('Removing CRI-O...');
+      shellExec(`sudo systemctl stop crio 2>/dev/null || true`);
+      shellExec(`sudo systemctl disable crio 2>/dev/null || true`);
+      shellExec(`sudo dnf -y remove cri-o`);
+      shellExec(`sudo rm -f /etc/yum.repos.d/cri-o.repo`);
+      shellExec(`sudo rm -f /etc/crictl.yaml`);
+
       // Remove Kubeadm, Kubelet, and Kubectl
       console.log('Removing Kubernetes tools...');
       shellExec(`sudo yum remove -y kubelet kubeadm kubectl`);

package/src/cli/db.js

@@ -839,6 +839,8 @@ class UnderpostDB {
                 pods: podsToProcess.map((p) => p.NAME),
               });
 
+              let exportSucceeded = false;
+
               // Process each pod
               for (const pod of podsToProcess) {
                 logger.info('Processing pod', { podName: pod.NAME, node: pod.NODE, status: pod.STATUS });
@@ -871,7 +873,7 @@ class UnderpostDB {
 
                     if (options.export === true) {
                       const outputPath = options.outPath || toNewSqlPath;
-                      await Underpost.db._exportMariaDB({
+                      const success = await Underpost.db._exportMariaDB({
                         pod,
                         namespace,
                         dbName,
@@ -879,6 +881,7 @@ class UnderpostDB {
                         password,
                         outputPath,
                       });
+                      exportSucceeded = exportSucceeded || success;
                     }
                     break;
                   }
@@ -909,13 +912,14 @@ class UnderpostDB {
 
                     if (options.export === true) {
                       const outputPath = options.outPath || toNewBsonPath;
-                      Underpost.db._exportMongoDB({
+                      const success = Underpost.db._exportMongoDB({
                         pod,
                         namespace,
                         dbName,
                         outputPath,
                         collections: options.collections,
                       });
+                      exportSucceeded = exportSucceeded || success;
                     }
                     break;
                   }
@@ -926,6 +930,10 @@ class UnderpostDB {
                 }
               }
 
+              if (options.export === true && exportSucceeded === true) {
+                Underpost.db._enforceBackupRetention(`../${repoName}/${hostFolder}`);
+              }
+
               // Mark this host+path combination as processed
               processedHostPaths.add(hostPathKey);
             }
@@ -948,6 +956,43 @@ class UnderpostDB {
         throw error;
       }
     },
+    /**
+     * Helper: Removes old timestamp backup folders and keeps only the newest ones.
+     * @method _enforceBackupRetention
+     * @memberof UnderpostDB
+     * @param {string} backupDir - Path to host-folder backup directory.
+     * @param {number} [maxRetention=MAX_BACKUP_RETENTION] - Maximum folders to keep.
+     * @return {number} Number of removed backup folders.
+     */
+    _enforceBackupRetention(backupDir, maxRetention = MAX_BACKUP_RETENTION) {
+      try {
+        if (!fs.existsSync(backupDir)) return 0;
+
+        const timestamps = fs
+          .readdirSync(backupDir)
+          .filter((entry) => /^\d+$/.test(entry))
+          .sort((a, b) => parseInt(b, 10) - parseInt(a, 10));
+
+        if (timestamps.length <= maxRetention) return 0;
+
+        const staleTimestamps = timestamps.slice(maxRetention);
+        staleTimestamps.forEach((timestamp) => {
+          fs.removeSync(`${backupDir}/${timestamp}`);
+        });
+
+        logger.info('Pruned old backup timestamp folders', {
+          backupDir,
+          kept: maxRetention,
+          removed: staleTimestamps.length,
+          removedTimestamps: staleTimestamps,
+        });
+
+        return staleTimestamps.length;
+      } catch (error) {
+        logger.error('Failed to enforce backup retention', { backupDir, maxRetention, error: error.message });
+        return 0;
+      }
+    },
 
     /**
      * Creates cluster metadata for the specified deployment.