Merge pull request #457 from lenneTech/develop

Release 11.6.0

Author: kaihaase

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.4.8",
+  "version": "11.6.0",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -25,6 +25,14 @@
     "docs:ci": "ts-node ./scripts/init-server.ts && npm run docs:bootstrap && compodoc -p tsconfig.json",
     "format": "prettier --write 'src/**/*.ts'",
     "format:staged": "pretty-quick --staged",
+    "jest": "npm run jest:e2e",
+    "jest:ci": "NODE_ENV=local jest --config jest-e2e.json --ci --forceExit",
+    "jest:cov": "NODE_ENV=local jest --coverage",
+    "jest:debug": "NODE_ENV=local node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
+    "jest:e2e": "NODE_ENV=local jest --config jest-e2e.json --forceExit",
+    "jest:e2e-cov": "NODE_ENV=local jest --config jest-e2e.json --coverage --forceExit",
+    "jest:e2e-doh": "NODE_ENV=local jest --config jest-e2e.json --forceExit --detectOpenHandles",
+    "jest:watch": "NODE_ENV=local jest --watch",
     "lint": "eslint '{src,apps,libs,tests}/**/*.{ts,js}' --cache",
     "lint:fix": "eslint '{src,apps,libs,tests}/**/*.{ts,js}' --fix --cache",
     "prestart:prod": "npm run build",
@@ -42,17 +50,18 @@
     "start:dev:swc": "nest start -b swc -w --type-check",
     "start:local": "NODE_ENV=local nodemon",
     "start:local:swc": "NODE_ENV=local nest start -b swc -w --type-check",
-    "test": "npm run test:e2e",
-    "test:cov": "NODE_ENV=local jest --coverage",
-    "test:debug": "NODE_ENV=local node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "test:e2e": "NODE_ENV=local jest --config jest-e2e.json --forceExit",
-    "test:e2e-cov": "NODE_ENV=local jest --config jest-e2e.json --coverage --forceExit",
-    "test:e2e-doh": "NODE_ENV=local jest --config jest-e2e.json --forceExit --detectOpenHandles",
-    "test:ci": "NODE_ENV=local jest --config jest-e2e.json --ci --forceExit",
-    "test:watch": "NODE_ENV=local jest --watch",
+    "test": "npm run vitest",
+    "test:ci": "npm run vitest:ci",
+    "test:e2e": "npm run vitest",
     "prepack": "npm run prestart:prod",
     "prepublishOnly": "npm run lint && npm run test:ci",
     "preversion": "npm run lint",
+    "vitest": "NODE_ENV=local vitest run --config vitest-e2e.config.ts",
+    "vitest:ci": "NODE_ENV=ci vitest run --config vitest-e2e.config.ts",
+    "vitest:cov": "NODE_ENV=local vitest run --coverage --config vitest-e2e.config.ts",
+    "vitest:watch": "NODE_ENV=local vitest --config vitest-e2e.config.ts",
+    "vitest:unit": "vitest run --config vitest.config.ts",
+    "test:unit:watch": "vitest --config vitest.config.ts",
     "watch": "npm-watch",
     "link:eslint": "yalc add @lenne.tech/eslint-config-ts && yalc link @lenne.tech/eslint-config-ts && npm install",
     "unlink:eslint": "yalc remove @lenne.tech/eslint-config-ts && npm install"
@@ -68,24 +77,22 @@
     "node": ">= 20"
   },
   "dependencies": {
-    "@apollo/gateway": "2.12.0",
     "@getbrevo/brevo": "3.0.1",
     "@nestjs/apollo": "13.1.0",
-    "@nestjs/common": "11.1.8",
-    "@nestjs/core": "11.1.8",
-    "@nestjs/graphql": "13.1.0",
-    "@nestjs/jwt": "11.0.1",
-    "@nestjs/mongoose": "11.0.3",
+    "@nestjs/common": "11.1.9",
+    "@nestjs/core": "11.1.9",
+    "@nestjs/graphql": "13.2.0",
+    "@nestjs/jwt": "11.0.2",
+    "@nestjs/mongoose": "11.0.4",
     "@nestjs/passport": "11.0.5",
-    "@nestjs/platform-express": "11.1.8",
-    "@nestjs/schedule": "6.0.1",
-    "@nestjs/swagger": "11.2.1",
+    "@nestjs/platform-express": "11.1.9",
+    "@nestjs/schedule": "6.1.0",
+    "@nestjs/swagger": "11.2.3",
     "@nestjs/terminus": "11.0.0",
     "apollo-server-core": "3.13.0",
-    "apollo-server-express": "3.13.0",
     "bcrypt": "6.0.0",
     "class-transformer": "0.5.1",
-    "class-validator": "0.14.2",
+    "class-validator": "0.14.3",
     "compression": "1.8.1",
     "cookie-parser": "1.4.7",
     "dotenv": "17.2.3",
@@ -101,38 +108,38 @@
     "mongoose": "8.19.3",
     "multer": "2.0.2",
     "node-mailjet": "6.0.11",
-    "nodemailer": "7.0.10",
+    "nodemailer": "7.0.11",
     "passport": "0.7.0",
     "passport-jwt": "4.0.1",
     "reflect-metadata": "0.2.2",
     "rfdc": "1.4.1",
     "rxjs": "7.8.2",
+    "ts-jest": "29.4.6",
     "yuml-diagram": "1.2.0"
   },
   "devDependencies": {
-    "@babel/plugin-proposal-private-methods": "7.18.6",
     "@compodoc/compodoc": "1.1.32",
     "@lenne.tech/eslint-config-ts": "2.1.4",
-    "@nestjs/cli": "11.0.10",
+    "@nestjs/cli": "11.0.14",
     "@nestjs/schematics": "11.0.9",
-    "@nestjs/testing": "11.1.8",
+    "@nestjs/testing": "11.1.9",
     "@swc/cli": "0.7.9",
-    "@swc/core": "1.15.0",
-    "@swc/jest": "0.2.39",
+    "@swc/core": "1.15.3",
     "@types/compression": "1.8.1",
     "@types/cookie-parser": "1.4.10",
     "@types/ejs": "3.1.5",
     "@types/express": "4.17.21",
-    "@types/jest": "30.0.0",
-    "@types/lodash": "4.17.20",
+    "@types/lodash": "4.17.21",
     "@types/multer": "2.0.0",
-    "@types/node": "24.10.0",
-    "@types/nodemailer": "7.0.3",
+    "@types/node": "25.0.1",
+    "@types/nodemailer": "7.0.4",
     "@types/passport": "1.0.17",
     "@types/supertest": "6.0.3",
-    "@typescript-eslint/eslint-plugin": "8.46.3",
-    "@typescript-eslint/parser": "8.46.3",
-    "coffeescript": "2.7.0",
+    "@typescript-eslint/eslint-plugin": "8.49.0",
+    "@typescript-eslint/parser": "8.49.0",
+    "@vitest/coverage-v8": "4.0.15",
+    "@vitest/ui": "4.0.15",
+    "ansi-colors": "4.1.3",
     "eslint": "9.39.1",
     "eslint-config-prettier": "10.1.8",
     "eslint-plugin-unused-imports": "4.3.0",
@@ -143,20 +150,23 @@
     "grunt-contrib-watch": "1.1.0",
     "grunt-sync": "0.8.2",
     "husky": "9.1.7",
-    "jest": "30.2.0",
-    "nodemon": "3.1.10",
+    "nodemon": "3.1.11",
     "npm-watch": "0.13.0",
-    "pm2": "6.0.13",
-    "prettier": "3.6.2",
+    "pm2": "6.0.14",
+    "prettier": "3.7.4",
     "pretty-quick": "4.2.2",
-    "rimraf": "6.1.0",
+    "rimraf": "6.1.2",
     "supertest": "7.1.4",
-    "ts-jest": "29.4.5",
     "ts-loader": "9.5.4",
     "ts-morph": "27.0.2",
     "ts-node": "10.9.2",
     "tsconfig-paths": "4.2.0",
     "typescript": "5.9.3",
+    "unplugin-swc": "1.5.9",
+    "vite": "7.2.7",
+    "vite-plugin-node": "7.0.0",
+    "vite-tsconfig-paths": "5.1.4",
+    "vitest": "4.0.15",
     "yalc": "1.0.0-pre.53"
   },
   "overrides": {

package.json

@@ -11,7 +11,7 @@ servers:
 info:
   title: lT Nest Server
   description: Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).
-  version: 11.4.8
+  version: 11.5.0
   contact:
     name: lenne.Tech GmbH
     url: https://lenne.tech

spectaql.yml

@@ -13,6 +13,7 @@ import { CheckSecurityInterceptor } from './core/common/interceptors/check-secur
 import { IServerOptions } from './core/common/interfaces/server-options.interface';
 import { MapAndValidatePipe } from './core/common/pipes/map-and-validate.pipe';
 import { ComplexityPlugin } from './core/common/plugins/complexity.plugin';
+import { mongooseIdPlugin } from './core/common/plugins/mongoose-id.plugin';
 import { ConfigService } from './core/common/services/config.service';
 import { EmailService } from './core/common/services/email.service';
 import { MailjetService } from './core/common/services/mailjet.service';
@@ -98,8 +99,8 @@ export class CoreModule implements NestModule {
                         if (config.graphQl.enableSubscriptionAuth) {
                           // get authToken from authorization header
                           const headers = this.getHeaderFromArray(extra.request?.rawHeaders);
-                          const authToken: string
-                            = connectionParams?.Authorization?.split(' ')[1] ?? headers.Authorization?.split(' ')[1];
+                          const authToken: string =
+                            connectionParams?.Authorization?.split(' ')[1] ?? headers.Authorization?.split(' ')[1];
                           if (authToken) {
                             // verify authToken/getJwtPayLoad
                             const payload = authService.decodeJwt(authToken);
@@ -148,7 +149,7 @@ export class CoreModule implements NestModule {
         mongoose: {
           options: {
             connectionFactory: (connection) => {
-              connection.plugin(require('./core/common/plugins/mongoose-id.plugin'));
+              connection.plugin(mongooseIdPlugin);
               return connection;
             },
           },
@@ -177,11 +178,13 @@ export class CoreModule implements NestModule {
       EmailService,
       TemplateService,
       MailjetService,
-
-      // Plugins
-      ComplexityPlugin,
     ];
 
+    // Add ComplexityPlugin only if not in Vitest (Vitest has dual GraphQL loading issue)
+    if (!process.env.VITEST) {
+      providers.push(ComplexityPlugin);
+    }
+
     if (config.security?.checkResponseInterceptor ?? true) {
       // Check restrictions for output (models and output objects)
       providers.push({
@@ -225,9 +228,15 @@ export class CoreModule implements NestModule {
       imports.push(CoreHealthCheckModule);
     }
 
+    // Set exports
+    const exports: any[] = [ConfigService, EmailService, TemplateService, MailjetService];
+    if (!process.env.VITEST) {
+      exports.push(ComplexityPlugin);
+    }
+
     // Return dynamic module
     return {
-      exports: [ConfigService, EmailService, TemplateService, MailjetService, ComplexityPlugin],
+      exports,
       imports,
       module: CoreModule,
       providers,

src/core.module.ts

@@ -0,0 +1,14 @@
+/**
+ * Mongoose plugin to add a string 'id' field to documents based on the '_id' ObjectId.
+ * @param schema - The Mongoose schema to which the plugin will be applied.
+ */
+export function mongooseIdPlugin(schema) {
+  schema.post(/.*/, (docs) => {
+    const docsArray = Array.isArray(docs) ? docs : [docs];
+    for (const doc of docsArray) {
+      if (doc?._id && typeof doc._id.toHexString === 'function') {
+        doc.id = doc._id.toHexString();
+      }
+    }
+  });
+}

src/core/common/plugins/mongoose-id.plugin.js

@@ -15,6 +15,18 @@ import { ICoreAuthUser } from '../interfaces/core-auth-user.interface';
 import { JwtPayload } from '../interfaces/jwt-payload.interface';
 import { CoreAuthUserService } from './core-auth-user.service';
 
+/**
+ * Options for getResult method
+ */
+export interface GetResultOptions {
+  /** Current refresh token (for renewal) */
+  currentRefreshToken?: string;
+  /** Additional data (deviceId, deviceDescription, etc.) */
+  data?: { [key: string]: any; deviceId?: string };
+  /** Service options including currentUser for securityCheck */
+  serviceOptions?: ServiceOptions;
+}
+
 /**
  * CoreAuthService to handle user authentication
  */
@@ -71,16 +83,17 @@ export class CoreAuthService {
   /**
    * Refresh tokens
    */
-  async refreshTokens(user: ICoreAuthUser, currentRefreshToken: string) {
+  async refreshTokens(user: ICoreAuthUser, currentRefreshToken: string, serviceOptions?: ServiceOptions) {
     // Create new tokens
     const { deviceDescription, deviceId } = this.decodeJwt(currentRefreshToken);
     const tokens = await this.createTokens(user.id, { deviceDescription, deviceId });
     tokens.refreshToken = await this.updateRefreshToken(user, currentRefreshToken, tokens.refreshToken);
 
-    // Return
-    return CoreAuthModel.map({
-      ...tokens,
-      user: await this.userService.prepareOutput(user),
+    // Return with currentUser set so securityCheck knows user is requesting own data
+    return this.getResult(user, {
+      currentRefreshToken,
+      data: { deviceDescription, deviceId },
+      serviceOptions: { ...serviceOptions, currentUser: user },
     });
   }
 
@@ -114,8 +127,11 @@ export class CoreAuthService {
       throw new UnauthorizedException('Wrong password');
     }
 
-    // Return tokens and user
-    return this.getResult(user, { deviceDescription, deviceId });
+    // Return tokens and user with currentUser set so securityCheck knows user is requesting own data
+    return this.getResult(user, {
+      data: { deviceDescription, deviceId },
+      serviceOptions: { ...serviceOptions, currentUser: user },
+    });
   }
 
   /**
@@ -138,8 +154,11 @@ export class CoreAuthService {
       // Set device ID
       const { deviceDescription, deviceId } = input;
 
-      // Return tokens and user
-      return this.getResult(user, { deviceDescription, deviceId });
+      // Return tokens and user with currentUser set so securityCheck knows user is requesting own data
+      return this.getResult(user, {
+        data: { deviceDescription, deviceId },
+        serviceOptions: { ...serviceOptions, currentUser: user },
+      });
     } catch (err) {
       if (err?.message === 'Unprocessable Entity') {
         throw new BadRequestException('Email address already in use');
@@ -171,22 +190,27 @@ export class CoreAuthService {
 
   /**
    * Rest result with user and tokens
+   *
+   * @param user - The authenticated user
+   * @param options - Optional configuration for result generation
+   * @param options.data - Additional data (deviceId, deviceDescription, etc.)
+   * @param options.currentRefreshToken - Current refresh token (for renewal)
+   * @param options.serviceOptions - Service options including currentUser for securityCheck
    */
-  protected async getResult(
-    user: ICoreAuthUser,
-    data?: { [key: string]: any; deviceId?: string },
-    currentRefreshToken?: string,
-  ) {
+  protected async getResult(user: ICoreAuthUser, options?: GetResultOptions) {
+    const { currentRefreshToken, data, serviceOptions } = options || {};
+
     // Create new tokens
     const tokens = await this.createTokens(user.id, data);
 
     // Set refresh token
     tokens.refreshToken = await this.updateRefreshToken(user, currentRefreshToken, tokens.refreshToken, data);
 
     // Return tokens and user
+    // Pass serviceOptions to prepareOutput so currentUser is available for securityCheck
     return CoreAuthModel.map({
       ...tokens,
-      user: await this.userService.prepareOutput(user),
+      user: await this.userService.prepareOutput(user, serviceOptions),
     });
   }
 
@@ -199,10 +223,10 @@ export class CoreAuthService {
       path += '.refresh';
     }
     return (
-      this.configService.getFastButReadOnly(`${path}.signInOptions.secret`)
-      || this.configService.getFastButReadOnly(`${path}.signInOptions.secretOrPrivateKey`)
-      || this.configService.getFastButReadOnly(`${path}.secret`)
-      || this.configService.getFastButReadOnly(`${path}.secretOrPrivateKey`)
+      this.configService.getFastButReadOnly(`${path}.signInOptions.secret`) ||
+      this.configService.getFastButReadOnly(`${path}.signInOptions.secretOrPrivateKey`) ||
+      this.configService.getFastButReadOnly(`${path}.secret`) ||
+      this.configService.getFastButReadOnly(`${path}.secretOrPrivateKey`)
     );
   }