chore(release): merge develop/v1 with CSP security config, new utils, and README updates

- Added content security policy (CSP) configuration for Helmet.
- Added `isValidDomain` utility with unit tests.
- Enhanced `view-engine` asset handling for external CDN.
- Improved token refresh validation logic.
- Updated README with RESTful API documentation and Postman image.
- Bumped express-validator and validator dependencies.
- Minor layout fixes for admin and user views.
- Extended .gitignore to include .env.* files.

Author: agoenks29D

.gitignore

@@ -5,4 +5,5 @@ storage/
 notes/
 logs/
 .env
+.env.*
 *.bak.*

README.md

@@ -9,7 +9,7 @@
 ![GitHub License](https://img.shields.io/github/license/agoenks29D/exzly)
 ![GitHub Code Size](https://img.shields.io/github/languages/code-size/agoenks29D/exzly)
 
-[![CI - Setup, Test & Coverage](https://github.com/agoenks29D/exzly/actions/workflows/ci.yml/badge.svg?branch=develop)](https://github.com/agoenks29D/exzly/actions/workflows/ci.yml)
+[![CI - Setup, Test & Coverage](https://github.com/agoenks29D/exzly/actions/workflows/ci.yml/badge.svg)](https://github.com/agoenks29D/exzly/actions/workflows/ci.yml)
 [![codecov](https://codecov.io/gh/agoenks29D/exzly/branch/main/graph/badge.svg?token=7UVW9XHW3Y)](https://codecov.io/gh/agoenks29D/exzly)
 
 ## 📖 Description
@@ -36,7 +36,7 @@ Whether you're creating a business platform, a complex service, or a company-gra
 - [🧹 Linter and Formatter](#-linter-and-formatter)
 - [🚀 Running the Project](#-running-the-project)
 - [🧪 Running Tests](#-running-tests)
-- [📬 API Documentation (Postman)](#-api-documentation-postman)
+- [📬 RESTful API Documentation](#-restful-api-documentation)
 - [👤 Default Account](#-default-account)
 - [📄 License](#-license)
 
@@ -204,7 +204,6 @@ Handle database migrations and seeders as follows:
   ```
 
 - **Run specific seeders:**
-
   - Start seeder (used for production, no fake data):
 
     ```bash
@@ -277,11 +276,11 @@ Run test coverage:
 npm run test:cov
 ```
 
-## 📬 API Documentation (Postman)
+## 📬 RESTful API Documentation
 
-You can explore and test all available API endpoints using our public Postman documentation:
+You can explore and test all available API endpoints using our Postman documentation:
 
-👉 [View Exzly Postman Collection](https://www.postman.com/medansoftware/public-projects/collection/sp6dra0/exzly)
+[<p align="center"><img src="images/logo/Postman.png" alt="Postman Logo" width="200"><br><b>Visit the Exzly Postman Collection</b></p>](https://www.postman.com/medansoftware/open-source/collection/sp6dra0/exzly)
 
 ## 👤 Default Account
 

__tests__/utils.spec.js

@@ -6,6 +6,7 @@ const {
   byteFormat,
   getFileTypeFromBuffer,
   getFileTypeFromFile,
+  isNumeric,
 } = require('@exzly-utils');
 
 const loadSample = (fileName) => path.join(process.cwd(), '__tests__/samples', fileName);
@@ -97,6 +98,38 @@ describe('Utils', () => {
     });
   });
 
+  describe('isNumeric', () => {
+    it('should return true for integers', () => {
+      expect(isNumeric(123)).toBe(true);
+      expect(isNumeric(0)).toBe(true);
+      expect(isNumeric(-5)).toBe(true);
+    });
+
+    it('should return true for numeric strings (only digits)', () => {
+      expect(isNumeric('456')).toBe(true);
+      expect(isNumeric('0')).toBe(true);
+    });
+
+    it('should return false for floats/decimals', () => {
+      expect(isNumeric(12.3)).toBe(false);
+      expect(isNumeric(-1.5)).toBe(false);
+    });
+
+    it('should return false for strings containing non-digits', () => {
+      expect(isNumeric('123a')).toBe(false);
+      expect(isNumeric('4.5')).toBe(false);
+      expect(isNumeric('')).toBe(false);
+    });
+
+    it('should return false for non-numeric types', () => {
+      expect(isNumeric(null)).toBe(false);
+      expect(isNumeric(undefined)).toBe(false);
+      expect(isNumeric(true)).toBe(false);
+      expect(isNumeric({})).toBe(false);
+      expect(isNumeric([])).toBe(false);
+    });
+  });
+
   describe('getFileTypeFromBuffer', () => {
     it('should return the correct file type for a known buffer', async () => {
       const pngHeader = Buffer.from([

images/logo/Postman.png

@@ -1,3 +1,28 @@
+/**
+ * @typedef {import('express').Request} Request
+ * @typedef {import('express').Response} Response
+ * @typedef {import('express').NextFunction} NextFunction
+ * @typedef {(req: Request, res: Response, next: NextFunction) => string} NonceFunction
+ */
+
+/**
+ * @typedef {Object} CSPDirectives
+ * @property {(string|NonceFunction)[]} defaultSrc - Default content sources. Restricts all resources to the same origin.
+ * @property {(string|NonceFunction)[]} imgSrc - Allowed image sources. Includes self, data URIs, and trusted CDNs.
+ * @property {(string|NonceFunction)[]} scriptSrc - Allowed JavaScript sources. Supports nonces for inline scripts.
+ * @property {(string|NonceFunction)[]} scriptSrcElem - Allowed sources for script elements.
+ * @property {(string|NonceFunction)[]} scriptSrcAttr - Allowed sources for inline script attributes.
+ * @property {string} [reportUri] - Optional URI endpoint for reporting CSP violations.
+ */
+
+/**
+ * @typedef {Object} ContentSecurityPolicy
+ * @property {boolean} useDefaults - Enables Helmet’s default CSP directives.
+ * @property {CSPDirectives} directives - Custom-defined CSP directives that specify allowed content sources.
+ */
+
+const { isValidDomain } = require('@exzly-utils');
+
 /**
  * Allowed MIME types for image files.
  * These are the supported formats for image uploads.
@@ -91,9 +116,47 @@ const rateLimit = {
   forgotPasswordRateLimitDuration: '10m', // default: 10 minutes
 };
 
+/**
+ * Content Security Policy (CSP) configuration.
+ * This policy defines the sources from which content can be loaded, helping to mitigate
+ * cross-site scripting (XSS), data injection, and other code execution attacks.
+ *
+ * The configuration follows Helmet's CSP middleware format and can be customized
+ * based on the application's asset sources and security needs.
+ *
+ * @type {ContentSecurityPolicy}
+ */
+const contentSecurityPolicy = {
+  useDefaults: true,
+  directives: {
+    defaultSrc: ["'self'"],
+    imgSrc: [
+      'data:',
+      "'self'",
+      'https://picsum.photos',
+      'https://loremflickr.com',
+      'https://fastly.picsum.photos',
+      'https://cdn.jsdelivr.net',
+    ],
+    scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
+    scriptSrcElem: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
+    scriptSrcAttr: [(req, res) => `'nonce-${res.locals.nonce}'`],
+    // reportUri: `${process.env.API_ROUTE}/csp-violation-report`,
+  },
+};
+
+if (isValidDomain(process.env.ASSETS_URL)) {
+  const CDN_URL = process.env.ASSETS_URL;
+  contentSecurityPolicy.directives.imgSrc.push(CDN_URL);
+  contentSecurityPolicy.directives.scriptSrc.push(CDN_URL);
+  contentSecurityPolicy.directives.scriptSrcElem.push(CDN_URL);
+  contentSecurityPolicy.directives.scriptSrcAttr.push(CDN_URL);
+}
+
 module.exports = {
   allowedImageMimeTypes,
   refreshTokenExpires,
   passwordResetExpires,
   rateLimit,
+  contentSecurityPolicy,
 };

package-lock.json

@@ -11,7 +11,7 @@ const lodash = require('lodash');
 const nunjucks = require('nunjucks');
 const httpErrors = require('http-errors');
 const { viewEngineHelper } = require('@exzly-helpers');
-const { getPackageJSON, createRoute } = require('@exzly-utils');
+const { getPackageJSON, createRoute, isValidDomain } = require('@exzly-utils');
 
 /**
  * View engine
@@ -74,7 +74,15 @@ module.exports = (express) => {
     );
     viewEngine.addGlobal('assetsUrl', (assetPath) => {
       const assetsURL = process.env.ASSETS_URL || '/';
-      return `${assetsURL}${assetPath}`.replace(/\/{2,}/g, '/');
+
+      assetPath = `${assetPath}`.replace(/\/{2,}/g, '/');
+
+      if (isValidDomain(assetsURL)) {
+        assetPath = assetPath.replace(/^\/public/, '/').replace(/\/{2,}/g, '/');
+        return assetsURL + assetPath;
+      }
+
+      return assetPath;
     });
 
     /**

src/config/security.js

@@ -151,11 +151,22 @@ app.post(
 app.post(
   '/refresh-token',
   [authValidator.refreshToken],
-  asyncRoute(async (req, res) => {
+  asyncRoute(async (req, res, next) => {
     const { refreshToken } = matchedData(req, { locations: ['body'] });
+    const findRefreshToken = AuthTokenModel.findOne({
+      where: { token: refreshToken, type: 'refresh-token' },
+    });
     const { userId } = jwtDecode(refreshToken);
-    const accessToken = jwtHelper.createUserToken('access-token', userId);
 
+    if (!findRefreshToken) {
+      return next(httpErrors.Unauthorized('Invalid token'));
+    }
+
+    if (findRefreshToken.isRevoked) {
+      return next(httpErrors.Unauthorized('Token was revoked'));
+    }
+
+    const accessToken = jwtHelper.createUserToken('access-token', userId);
     await AuthTokenModel.create({ type: 'access-token', token: accessToken });
 
     // send response

src/middlewares/view-engine.js

@@ -4,6 +4,7 @@ const morgan = require('morgan');
 const express = require('express');
 const compression = require('compression');
 const { unless } = require('express-unless');
+const { securityConfig } = require('@exzly-config');
 const {
   viewEngineMiddleware,
   fileLoaderMiddleware,
@@ -20,23 +21,7 @@ const adminErrorHandler = require('./admin/error');
 const app = express();
 
 const helmetMiddleware = helmet({
-  contentSecurityPolicy: {
-    useDefaults: true,
-    directives: {
-      defaultSrc: ["'self'"],
-      imgSrc: [
-        'data:',
-        "'self'",
-        'https://picsum.photos',
-        'https://loremflickr.com',
-        'https://fastly.picsum.photos',
-        'https://cdn.jsdelivr.net',
-      ],
-      scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
-      scriptSrcAttr: [(req, res) => `'nonce-${res.locals.nonce}'`],
-      // reportUri: `${process.env.API_ROUTE}/csp-violation-report`,
-    },
-  },
+  contentSecurityPolicy: securityConfig.contentSecurityPolicy,
 });
 
 helmetMiddleware.unless = unless;
@@ -53,7 +38,11 @@ app.set('view engine', 'njk');
 app.use(cors());
 app.use(
   morgan('dev', {
-    skip: () => process.env.NODE_ENV !== 'development',
+    skip: (req) => {
+      const byRegex = /^\/public\//;
+      const isProduction = process.env.NODE_ENV !== 'development';
+      return isProduction || byRegex.test(req.originalUrl);
+    },
   }),
 );
 app.use(compression());

src/routes/api/auth.js

@@ -45,4 +45,15 @@ const randomString = (
   return str;
 };
 
-module.exports = { maskEmail, randomString };
+/**
+ * Validate if a string is a valid domain.
+ *
+ * @param {string} domain - The domain to be validated.
+ * @returns {boolean} true if the domain is valid, false otherwise.
+ */
+const isValidDomain = (domain) => {
+  const regex = /^(https?:\/\/)?([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}(\/[^\s]*)?$/;
+  return regex.test(domain);
+};
+
+module.exports = { maskEmail, randomString, isValidDomain };