| Form Name | -Submitted by | -Date | -Status | -Actions | -
|---|---|---|---|---|
| Customer Feedback Q2 | -john.doe@example.com | -May 05, 2025 | -New |
- - - | -
| Annual Conf Registration | -sarah.smith@example.com | -May 04, 2025 | -Pending |
- - - | -
| Customer Feedback Q2 | -mark.rivera@sample.net | -May 03, 2025 | -Reviewed |
- - - | -
- Welcome, Admin! - - -
-Enter a Form ID to load and submit:
-Error: Form definition is invalid.
"; - console.error("Invalid form fields definition:", formDefinition.fields); - return; - } - - formDefinition.fields.forEach((field) => { - const div = document.createElement("div"); - const label = document.createElement("label"); - label.htmlFor = `field-${field.name}`; - label.textContent = field.label || field.name; // Use label, fallback to name - div.appendChild(label); - - let input; - // Basic type handling - could be expanded - switch (field.type) { - case "textarea": // Allow explicit textarea type - case "string": - // Use textarea for string if maxLength suggests it might be long - if (field.maxLength && field.maxLength > 100) { - input = document.createElement("textarea"); - input.rows = 4; // Default rows - } else { - input = document.createElement("input"); - input.type = "text"; - } - if (field.minLength) input.minLength = field.minLength; - if (field.maxLength) input.maxLength = field.maxLength; - break; - case "email": - input = document.createElement("input"); - input.type = "email"; - break; - case "url": - input = document.createElement("input"); - input.type = "url"; - break; - case "number": - input = document.createElement("input"); - input.type = "number"; - if (field.min !== undefined) input.min = field.min; - if (field.max !== undefined) input.max = field.max; - input.step = field.step || "any"; // Allow decimals by default - break; - case "boolean": - input = document.createElement("input"); - input.type = "checkbox"; - // Checkbox label handling is slightly different - label.insertBefore(input, label.firstChild); // Put checkbox before text - input.style.width = "auto"; // Override default width - input.style.marginRight = "10px"; - break; - // Add cases for 'select', 'radio', 'date' etc. if needed - default: - input = document.createElement("input"); - input.type = "text"; - console.warn( - `Unsupported field type "${field.type}" for field "${field.name}". Rendering as text.` - ); - } - - if (input.type !== "checkbox") { - // Checkbox is already appended inside label - div.appendChild(input); - } - input.id = `field-${field.name}`; - input.name = field.name; // Crucial for form data collection - if (field.required) input.required = true; - if (field.placeholder) input.placeholder = field.placeholder; - if (field.pattern) input.pattern = field.pattern; // Add regex pattern validation - - publicForm.appendChild(div); - }); - - const submitButton = document.createElement("button"); - submitButton.type = "submit"; - submitButton.textContent = "Submit Form"; - publicForm.appendChild(submitButton); - } - - publicForm.addEventListener("submit", async (e) => { - e.preventDefault(); - showStatus(""); - const formId = e.target.dataset.formId; - if (!formId) { - showStatus("Error: Form ID is missing.", true); - return; - } - - const formData = new FormData(e.target); - const submissionData = {}; - - // Convert FormData to a plain object, handling checkboxes correctly - for (const [key, value] of formData.entries()) { - const inputElement = e.target.elements[key]; - - // Handle Checkboxes (boolean) - if (inputElement && inputElement.type === "checkbox") { - // A checkbox value is only present in FormData if it's checked. - // We need to ensure we always send a boolean. - // Check if the element exists in the form (it might be unchecked) - submissionData[key] = inputElement.checked; - } - // Handle Number inputs (convert from string) - else if (inputElement && inputElement.type === "number") { - // Only convert if the value is not empty, otherwise send null or handle as needed - if (value !== "") { - submissionData[key] = parseFloat(value); // Or parseInt if only integers allowed - if (isNaN(submissionData[key])) { - // Handle potential parsing errors if input validation fails - console.warn(`Could not parse number for field ${key}: ${value}`); - submissionData[key] = null; // Or keep as string, or show error - } - } else { - submissionData[key] = null; // Or undefined, depending on backend expectation for empty numbers - } - } - // Handle potential multiple values for the same name (e.g., multi-select), though not rendered here - else if (submissionData.hasOwnProperty(key)) { - if (!Array.isArray(submissionData[key])) { - submissionData[key] = [submissionData[key]]; - } - submissionData[key].push(value); - } - // Default: treat as string - else { - submissionData[key] = value; - } - } - - // Ensure boolean fields that were *unchecked* are explicitly set to false - // FormData only includes checked checkboxes. Find all checkbox inputs in the form. - const checkboxes = e.target.querySelectorAll('input[type="checkbox"]'); - checkboxes.forEach((cb) => { - if (!submissionData.hasOwnProperty(cb.name)) { - submissionData[cb.name] = false; // Set unchecked boxes to false - } - }); - - console.log("Submitting data:", submissionData); // Debugging - - try { - // Public submission endpoint doesn't require auth - const result = await makeApiRequest( - `/forms/${formId}/submissions`, - "POST", - submissionData, - false - ); - showStatus( - `Submission successful! Submission ID: ${result.submission_id}` - ); - e.target.reset(); // Clear the form - // Optionally hide the form after successful submission - // publicFormArea.classList.add('hidden'); - } catch (error) { - let errorMsg = `Submission failed: ${error.message}`; - // Handle validation errors specifically - if (error.validationErrors) { - errorMsg = "Submission failed due to validation errors:\n"; - for (const [field, message] of Object.entries(error.validationErrors)) { - errorMsg += `- ${field}: ${message}\n`; - } - // Highlight invalid fields? (More complex UI update) - } - showStatus(errorMsg, true); - } - }); - - // --- Initial Setup --- - toggleSections(); // Set initial view based on stored token - if (authToken) { - loadFormsButton.click(); // Auto-load forms if logged in - } -}); diff --git a/frontend/style.css b/frontend/style.css deleted file mode 100644 index 33e22c2..0000000 --- a/frontend/style.css +++ /dev/null @@ -1,411 +0,0 @@ -/* --- Variables copied from FormCraft --- */ -:root { - --color-bg: #f7f7f7; - --color-surface: #ffffff; - --color-primary: #3a4750; /* Dark grayish blue */ - --color-secondary: #d8d8d8; /* Light gray */ - --color-accent: #b06f42; /* Warm wood/leather brown */ - --color-text: #2d3436; /* Dark gray */ - --color-text-light: #636e72; /* Medium gray */ - --color-border: #e0e0e0; /* Light border gray */ - --color-success: #2e7d32; /* Green */ - --color-success-bg: #e8f5e9; - --color-error: #a94442; /* Red for errors */ - --color-error-bg: #f2dede; - --color-danger: #e74c3c; /* Red for danger buttons */ - --color-danger-hover: #c0392b; - - --shadow-sm: 0 1px 2px rgba(0, 0, 0, 0.05); - --shadow-md: 0 4px 6px rgba(0, 0, 0, 0.05); - --border-radius: 6px; -} - -/* --- Global Reset & Body Styles --- */ -* { - margin: 0; - padding: 0; - box-sizing: border-box; - font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; -} - -body { - background-color: var(--color-bg); - color: var(--color-text); - line-height: 1.6; - min-height: 100vh; - display: flex; /* Helps with potential footer later */ - flex-direction: column; -} - -/* --- Container --- */ -.container { - max-width: 900px; /* Adjusted width for simpler content */ - width: 100%; - margin: 0 auto; - padding: 32px 24px; /* Add padding like main content */ -} - -.page-container { - flex: 1; /* Make container take available space if using flex on body */ -} - -/* --- Typography --- */ -h1, -h2, -h3 { - color: var(--color-primary); - margin-bottom: 16px; - line-height: 1.3; -} - -h1.page-title { - font-size: 1.75rem; - font-weight: 600; - margin-bottom: 24px; - text-align: center; /* Center main title */ -} - -h2.section-title { - font-size: 1.25rem; - font-weight: 600; - border-bottom: 1px solid var(--color-border); - padding-bottom: 8px; - margin-bottom: 20px; -} - -h3.card-title { - font-size: 1.1rem; - font-weight: 600; - color: var(--color-primary); - margin-bottom: 16px; -} - -p { - margin-bottom: 16px; - color: var(--color-text-light); -} -p:last-child { - margin-bottom: 0; -} - -hr.divider { - border: 0; - height: 1px; - background: var(--color-border); - margin: 32px 0; -} - -/* --- Content Card / Section Styling --- */ -.content-card, -.section { - background-color: var(--color-surface); - padding: 24px; - margin-bottom: 24px; - border: 1px solid var(--color-border); - border-radius: var(--border-radius); - box-shadow: var(--shadow-sm); -} - -.admin-header p { - display: flex; - justify-content: space-between; - align-items: center; - margin-bottom: 0; - color: var(--color-text); - font-weight: 500; -} - -.admin-header span { - font-weight: 600; - color: var(--color-primary); -} - -/* --- Forms --- */ -form .form-group { - margin-bottom: 16px; -} -/* For side-by-side input and button */ -form .inline-form-group { - display: flex; - gap: 10px; - align-items: flex-start; /* Align items to top */ -} -form .inline-form-group input { - flex-grow: 1; /* Allow input to take available space */ - margin-bottom: 0; /* Remove bottom margin */ -} -form .inline-form-group button { - flex-shrink: 0; /* Prevent button from shrinking */ -} - -label { - display: block; - margin-bottom: 6px; - font-weight: 500; - font-size: 0.9rem; - color: var(--color-text-light); -} - -input[type="text"], -input[type="password"], -input[type="email"], -input[type="url"], -input[type="number"], -textarea { - width: 100%; - padding: 10px 12px; - border: 1px solid var(--color-border); - border-radius: var(--border-radius); - font-size: 0.95rem; - color: var(--color-text); - transition: border-color 0.2s ease, box-shadow 0.2s ease; -} - -input[type="text"]:focus, -input[type="password"]:focus, -input[type="email"]:focus, -input[type="url"]:focus, -input[type="number"]:focus, -textarea:focus { - outline: none; - border-color: var(--color-accent); - box-shadow: 0 0 0 2px rgba(176, 111, 66, 0.2); /* Accent focus ring */ -} - -textarea { - min-height: 80px; - resize: vertical; -} - -/* Styling for dynamically generated public form fields */ -#public-form div { - margin-bottom: 16px; /* Keep consistent spacing */ -} - -/* Specific styles for checkboxes */ -#public-form input[type="checkbox"] { - width: auto; /* Override 100% width */ - margin-right: 10px; - vertical-align: middle; /* Align checkbox nicely with label text */ - margin-bottom: 0; /* Remove bottom margin if label handles spacing */ -} -#public-form input[type="checkbox"] + label, /* Style label differently if needed when next to checkbox */ -#public-form label input[type="checkbox"] /* Style if checkbox is inside label */ { - display: inline-flex; /* Or inline-block */ - align-items: center; - margin-bottom: 0; /* Prevent double margin */ - font-weight: normal; /* Checkboxes often have normal weight labels */ - color: var(--color-text); -} - -/* --- Buttons --- */ -.button { - background-color: var(--color-primary); - color: white; - border: 1px solid transparent; /* Add border for consistency */ - padding: 10px 18px; - border-radius: var(--border-radius); - font-weight: 500; - font-size: 0.9rem; - cursor: pointer; - display: inline-flex; - align-items: center; - justify-content: center; - gap: 8px; - transition: all 0.2s ease; - text-decoration: none; - line-height: 1.5; - vertical-align: middle; /* Align with text/inputs */ -} - -.button:hover { - background-color: #2c373f; /* Slightly darker hover */ - box-shadow: var(--shadow-sm); -} -.button:active { - background-color: #1e2a31; /* Even darker active state */ -} - -.button-secondary { - background-color: var(--color-surface); - color: var(--color-primary); - border: 1px solid var(--color-border); -} - -.button-secondary:hover { - background-color: #f8f8f8; /* Subtle hover for secondary */ - border-color: #d0d0d0; -} -.button-secondary:active { - background-color: #f0f0f0; -} - -.button-danger { - background-color: var(--color-danger); - border-color: var(--color-danger); -} -.button-danger:hover { - background-color: var(--color-danger-hover); - border-color: var(--color-danger-hover); -} -.button-danger:active { - background-color: #a52e22; /* Even darker red */ -} - -/* Smaller button variant for lists? */ -.button-sm { - padding: 5px 10px; - font-size: 0.8rem; -} - -/* Ensure buttons added by JS (like submit in public form) get styled */ -#public-form button[type="submit"] { - /* Inherit .button styles if possible, otherwise redefine */ - background-color: var(--color-primary); - color: white; - border: 1px solid transparent; - padding: 10px 18px; - border-radius: var(--border-radius); - font-weight: 500; - font-size: 0.9rem; - cursor: pointer; - transition: all 0.2s ease; - line-height: 1.5; - margin-top: 10px; /* Add some space above submit */ -} -#public-form button[type="submit"]:hover { - background-color: #2c373f; - box-shadow: var(--shadow-sm); -} -#public-form button[type="submit"]:active { - background-color: #1e2a31; -} - -/* --- Lists (Forms & Submissions) --- */ -ul.styled-list { - list-style: none; - padding: 0; - margin-top: 20px; /* Space below heading/button */ -} - -ul.styled-list li { - background-color: #fcfcfc; /* Slightly off-white */ - border: 1px solid var(--color-border); - padding: 12px 16px; - margin-bottom: 8px; - border-radius: var(--border-radius); - display: flex; - justify-content: space-between; - align-items: center; - transition: background-color 0.2s ease; - font-size: 0.95rem; -} - -ul.styled-list li:hover { - background-color: #f5f5f5; -} - -ul.styled-list li button { - margin-left: 16px; /* Space between text and button */ - /* Use smaller button style */ - padding: 5px 10px; - font-size: 0.8rem; - /* Inherit base button colors or use secondary */ - background-color: var(--color-surface); - color: var(--color-primary); - border: 1px solid var(--color-border); -} -ul.styled-list li button:hover { - background-color: #f8f8f8; - border-color: #d0d0d0; -} - -/* Specific styling for submissions list items */ -ul.submissions li { - display: block; /* Allow pre tag to format */ - background-color: var(--color-surface); /* White background for submissions */ -} - -ul.submissions li pre { - white-space: pre-wrap; /* Wrap long lines */ - word-wrap: break-word; /* Break long words */ - background-color: #f9f9f9; /* Light grey background for code block */ - padding: 10px; - border-radius: var(--border-radius); - border: 1px solid var(--color-border); - font-size: 0.85rem; - color: var(--color-text); - max-height: 200px; /* Limit height */ - overflow-y: auto; /* Add scroll if needed */ -} - -/* --- Status Area --- */ -.status { - padding: 12px 16px; - margin-bottom: 20px; - border-radius: var(--border-radius); - font-weight: 500; - border: 1px solid transparent; - display: none; /* Hide by default, JS shows it */ -} -.status.success, -.status.error { - display: block; /* Show when class is added */ -} - -.status.success { - background-color: var(--color-success-bg); - color: var(--color-success); - border-color: var(--color-success); /* Darker green border */ -} -.status.error { - background-color: var(--color-error-bg); - color: var(--color-error); - border-color: var(--color-error); /* Darker red border */ - white-space: pre-wrap; /* Allow multi-line errors */ -} - -/* --- Utility --- */ -.hidden { - display: none !important; /* Use !important to override potential inline styles if needed */ -} - -/* --- Responsive Adjustments (Basic) --- */ -@media (max-width: 768px) { - .container { - padding: 24px 16px; - } - h1.page-title { - font-size: 1.5rem; - } - h2.section-title { - font-size: 1.15rem; - } - ul.styled-list li { - flex-direction: column; - align-items: flex-start; - gap: 8px; - } - ul.styled-list li button { - margin-left: 0; - align-self: flex-end; /* Move button to bottom right */ - } - form .inline-form-group { - flex-direction: column; - align-items: stretch; /* Make elements full width */ - } - form .inline-form-group button { - width: 100%; /* Make button full width */ - } -} - -@media (max-width: 576px) { - .content-card, - .section { - padding: 16px; - } - .button { - padding: 8px 14px; - font-size: 0.85rem; - } -} diff --git a/init.sql b/init.sql new file mode 100644 index 0000000..f868dcf --- /dev/null +++ b/init.sql @@ -0,0 +1,133 @@ +-- init.sql +CREATE DATABASE IF NOT EXISTS forms_db; +USE forms_db; + +-- Users table for authentication and authorization +CREATE TABLE IF NOT EXISTS `users` ( + `id` INTEGER PRIMARY KEY AUTOINCREMENT, + `uuid` TEXT NOT NULL UNIQUE, + `email` TEXT NOT NULL UNIQUE, + `password_hash` TEXT NOT NULL, + `first_name` TEXT DEFAULT NULL, + `last_name` TEXT DEFAULT NULL, + `role` TEXT DEFAULT 'user' CHECK(`role` IN ('user', 'admin', 'super_admin')), + `is_verified` INTEGER DEFAULT 0, + `is_active` INTEGER DEFAULT 1, + `verification_token` TEXT DEFAULT NULL, + `password_reset_token` TEXT DEFAULT NULL, + `password_reset_expires` DATETIME NULL DEFAULT NULL, + `last_login` DATETIME NULL DEFAULT NULL, + `failed_login_attempts` INTEGER DEFAULT 0, + `account_locked_until` DATETIME NULL DEFAULT NULL, + `must_change_password` INTEGER DEFAULT 0, + `created_at` DATETIME DEFAULT CURRENT_TIMESTAMP, + `updated_at` DATETIME DEFAULT CURRENT_TIMESTAMP, + UNIQUE (`email`), + UNIQUE (`uuid`) +); +CREATE INDEX IF NOT EXISTS `idx_email` ON `users` (`email`); +CREATE INDEX IF NOT EXISTS `idx_verification_token` ON `users` (`verification_token`); +CREATE INDEX IF NOT EXISTS `idx_password_reset_token` ON `users` (`password_reset_token`); +CREATE INDEX IF NOT EXISTS `idx_uuid_users` ON `users` (`uuid`); + +-- User sessions table for JWT blacklisting and session management +CREATE TABLE IF NOT EXISTS `user_sessions` ( + `id` INTEGER PRIMARY KEY AUTOINCREMENT, + `user_id` INTEGER NOT NULL, + `token_jti` TEXT NOT NULL UNIQUE, + `expires_at` DATETIME NOT NULL, + `created_at` DATETIME DEFAULT CURRENT_TIMESTAMP, + `user_agent` TEXT DEFAULT NULL, + `ip_address` TEXT DEFAULT NULL, + FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON DELETE CASCADE +); +CREATE INDEX IF NOT EXISTS `idx_token_jti` ON `user_sessions` (`token_jti`); +CREATE INDEX IF NOT EXISTS `idx_user_id_sessions` ON `user_sessions` (`user_id`); +CREATE INDEX IF NOT EXISTS `idx_expires_at_sessions` ON `user_sessions` (`expires_at`); + +-- Update forms table to associate with users +CREATE TABLE IF NOT EXISTS `forms` ( + `id` INTEGER PRIMARY KEY AUTOINCREMENT, + `uuid` TEXT NOT NULL UNIQUE, + `user_id` INTEGER NOT NULL, + `name` TEXT DEFAULT 'My Form', + `created_at` DATETIME DEFAULT CURRENT_TIMESTAMP, + `updated_at` DATETIME DEFAULT CURRENT_TIMESTAMP, + `thank_you_url` TEXT DEFAULT NULL, + `thank_you_message` TEXT DEFAULT NULL, + `ntfy_enabled` INTEGER DEFAULT 1, + `is_archived` INTEGER DEFAULT 0, + `allowed_domains` TEXT DEFAULT NULL, + `email_notifications_enabled` INTEGER NOT NULL DEFAULT 0, + `notification_email_address` TEXT DEFAULT NULL, + `recaptcha_enabled` INTEGER NOT NULL DEFAULT 0, + FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON DELETE CASCADE +); +CREATE INDEX IF NOT EXISTS `idx_user_id_forms` ON `forms` (`user_id`); +CREATE INDEX IF NOT EXISTS `idx_uuid_forms` ON `forms` (`uuid`); + +CREATE TABLE IF NOT EXISTS `submissions` ( + `id` INTEGER PRIMARY KEY AUTOINCREMENT, + `form_uuid` TEXT NOT NULL, + `user_id` INTEGER NOT NULL, + `data` TEXT NOT NULL, -- Storing JSON as TEXT + `ip_address` TEXT NULL, + `submitted_at` DATETIME DEFAULT CURRENT_TIMESTAMP, + FOREIGN KEY (`form_uuid`) REFERENCES `forms`(`uuid`) ON DELETE CASCADE, + FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON DELETE CASCADE +); +CREATE INDEX IF NOT EXISTS `idx_form_uuid_submissions` ON `submissions` (`form_uuid`); +CREATE INDEX IF NOT EXISTS `idx_user_id_submissions` ON `submissions` (`user_id`); +CREATE INDEX IF NOT EXISTS `idx_submitted_at_submissions` ON `submissions` (`submitted_at`); + +-- Rate limiting table for enhanced security (Simplified for SQLite) +-- Note: TIMESTAMP logic for window_start and expires_at might need application-level management +-- depending on how it was used with MySQL. +CREATE TABLE IF NOT EXISTS `rate_limits` ( + `id` INTEGER PRIMARY KEY AUTOINCREMENT, + `identifier` TEXT NOT NULL, + `action` TEXT NOT NULL, + `count` INTEGER DEFAULT 1, + `window_start` DATETIME DEFAULT CURRENT_TIMESTAMP, + `expires_at` DATETIME NOT NULL, + UNIQUE (`identifier`, `action`) +); +CREATE INDEX IF NOT EXISTS `idx_identifier_action_rate_limits` ON `rate_limits` (`identifier`, `action`); +CREATE INDEX IF NOT EXISTS `idx_expires_at_rate_limits` ON `rate_limits` (`expires_at`); + +-- Create default admin user (password will be set on first login) +-- You should change this immediately after first login +INSERT OR IGNORE INTO users (email, password_hash, first_name, last_name, role, is_verified, is_active, must_change_password, uuid) +VALUES ('admin@formies.local', 'NEEDS_TO_BE_SET_ON_FIRST_LOGIN', 'Admin', 'User', 'super_admin', 1, 1, 1, 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'); -- Placeholder UUID, generate dynamically in app if needed + +-- API Keys table for user-generated API access +CREATE TABLE IF NOT EXISTS `api_keys` ( + `id` INTEGER PRIMARY KEY AUTOINCREMENT, + `uuid` TEXT NOT NULL UNIQUE, + `user_id` INTEGER NOT NULL, + `key_name` TEXT DEFAULT NULL, + `api_key_identifier` TEXT NOT NULL UNIQUE, -- Public, non-secret identifier for lookup + `hashed_api_key_secret` TEXT NOT NULL, -- Hashed version of the secret part of the API key + `created_at` DATETIME DEFAULT CURRENT_TIMESTAMP, + `last_used_at` DATETIME NULL DEFAULT NULL, + `expires_at` DATETIME NULL DEFAULT NULL, -- For future use + FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON DELETE CASCADE +); +CREATE INDEX IF NOT EXISTS `idx_user_id_api_keys` ON `api_keys` (`user_id`); +CREATE INDEX IF NOT EXISTS `idx_api_key_identifier_api_keys` ON `api_keys` (`api_key_identifier`); + +-- Trigger to update 'updated_at' timestamp on users table (optional, can be handled in app code) +CREATE TRIGGER IF NOT EXISTS update_users_updated_at +AFTER UPDATE ON users +FOR EACH ROW +BEGIN + UPDATE users SET updated_at = CURRENT_TIMESTAMP WHERE id = OLD.id; +END; + +-- Trigger to update 'updated_at' timestamp on forms table (optional, can be handled in app code) +CREATE TRIGGER IF NOT EXISTS update_forms_updated_at +AFTER UPDATE ON forms +FOR EACH ROW +BEGIN + UPDATE forms SET updated_at = CURRENT_TIMESTAMP WHERE id = OLD.id; +END; \ No newline at end of file diff --git a/jest.config.js b/jest.config.js new file mode 100644 index 0000000..5f953bc --- /dev/null +++ b/jest.config.js @@ -0,0 +1,28 @@ +// jest.config.js +module.exports = { + testEnvironment: "node", + verbose: true, + coveragePathIgnorePatterns: [ + "/node_modules/", + "/__tests__/setup/", // Ignore setup files from coverage + "/src/config/", // Often configuration files don't need testing + "/config/", // logger config + ], + // Automatically clear mock calls and instances between every test + clearMocks: true, + // A path to a module which exports an async function that is triggered once before all test suites + // globalSetup: './__tests__/setup/globalSetup.js', // Optional: If you need global setup + // A path to a module which exports an async function that is triggered once after all test suites + // globalTeardown: './__tests__/setup/globalTeardown.js', // Optional: If you need global teardown + // The directory where Jest should output its coverage files + coverageDirectory: "coverage", + // Indicates whether the coverage information should be collected while executing the test + collectCoverage: true, + // An array of glob patterns indicating a set of files for which coverage information should be collected + collectCoverageFrom: [ + "src/**/*.js", + "!server.js", // Usually the main server start file is hard to unit test directly + "!src/app.js", // If you extract Express app setup to app.js for testability + ], + setupFilesAfterEnv: ["./__tests__/setup/jest.setup.js"], // For things like extending expect +}; diff --git a/middleware/errorHandler.js b/middleware/errorHandler.js new file mode 100644 index 0000000..459ed1f --- /dev/null +++ b/middleware/errorHandler.js @@ -0,0 +1,31 @@ +const logger = require("../config/logger"); + +const errorHandler = (err, req, res, next) => { + logger.error(err.message, { + stack: err.stack, + path: req.path, + method: req.method, + }); + + // If the error is a known type, customize the response + // Otherwise, send a generic server error + if (err.isOperational) { + // You can add an 'isOperational' property to your custom errors + res.status(err.statusCode || 500).json({ + error: { + message: err.message, + code: err.errorCode || "INTERNAL_SERVER_ERROR", + }, + }); + } else { + // For unexpected errors, don't leak details to the client + res.status(500).json({ + error: { + message: "An unexpected error occurred.", + code: "INTERNAL_SERVER_ERROR", + }, + }); + } +}; + +module.exports = errorHandler; diff --git a/notes.md b/notes.md new file mode 100644 index 0000000..7f56132 --- /dev/null +++ b/notes.md @@ -0,0 +1,340 @@ +## Task 2.1: User Dashboard & Form Management UI (Replacing current "admin") + +- Mindset Shift: This is no longer an admin panel. It's the user's control center. + +### Subtask 2.1.1: Design User Dashboard Layout + +- **Wireframe basic layout:** + - **Navigation Bar:** + - Logo/App Name (e.g., "Formies") + - My Forms (Active Link) + - Create New Form + - Account Settings (e.g., "Hi, [User Name]" dropdown with "Settings", "Logout") + - **Main Content Area (for "My Forms" view):** + - Header: "My Forms" + - Button: "+ Create New Form" + - Forms List Table: + - Columns: Form Name, Submissions (count), Endpoint URL, Created Date, Actions + - Actions per row: View Submissions, Settings, Archive/Delete + - Pagination for the forms list if it becomes long. + - **Main Content Area (for "Create New Form" view - initial thought, might be a separate page/modal):** + - Header: "Create New Form" + - Form fields: Form Name + - Button: "Create Form" + - **Main Content Area (for "Account Settings" - placeholder for now):** + - Header: "Account Settings" + - Placeholder content. +- **Frontend Tech Decision:** + - EJS for templating, made dynamic with client-side JavaScript. This aligns with the existing structure and MVP scope. We will enhance EJS views to be more interactive. + +[X] Wireframe basic layout: List forms, create form, account settings (placeholder). - _Textual wireframe defined above_ +[X] Decide on frontend tech (EJS is fine for MVP if you make it dynamic with client-side JS, or consider a simple SPA framework if comfortable). - _Decision made: EJS with client-side JS_ + +- Created `views/dashboard.ejs` as the main layout. +- Created `views/partials/_forms_table.ejs` for displaying the list of forms. + +### Subtask 2.1.2: "My Forms" View: + +- Objective: Fetch and display forms owned by the logged-in user. +- Show key info: name, submission count, endpoint URL, created date, status (Active/Archived). +- Links/Actions: View Submissions, Settings, Archive/Unarchive, Delete. +- Frontend: `views/dashboard.ejs` with `view = 'my_forms'` and `views/partials/_forms_table.ejs` will handle this. +- Backend: + - Need a new route, e.g., `GET /dashboard`, protected by authentication (e.g., `requireAuth` from `authMiddleware.js`). + - This route handler will: + - Fetch forms for `req.user.id` from the database. + - Query should include `name`, `uuid`, `created_at`, `is_archived`, and `submission_count`. + - Render `views/dashboard.ejs` passing the forms data, `user` object, `appUrl`, and `view = 'my_forms'`. + - Implemented in `src/routes/dashboard.js` via GET `/`. + +[X] Fetch and display forms owned by the logged-in user. +[X] Show key info: name, submission count, endpoint URL, created date. +[X] Links to: view submissions, edit settings, delete. (Links are present in `_forms_table.ejs`, functionality for all to be built out in subsequent tasks) + +### Subtask 2.1.3: "Create New Form" Functionality (for logged-in user): + +- UI: `dashboard.ejs` (with `view = 'create_form'`) provides the form input. + - Route `GET /dashboard/create-form` in `src/routes/dashboard.js` renders this view. +- Backend: `POST /dashboard/forms/create` route in `src/routes/dashboard.js` handles form submission. + - Associates form with `req.user.id`. + - Redirects to `/dashboard` on success. + - Handles errors and re-renders create form view with an error message. + +[X] UI and backend logic. Associates form with req.user.id. + +### Subtask 2.1.4: "View Form Submissions" (Scoped & Paginated): + +- Objective: Allow users to view submissions for their specific forms, with pagination. +- UI: + - `views/partials/_submissions_view.ejs` created to display submissions list and pagination. + - `views/dashboard.ejs` updated to include this partial when `view = 'form_submissions'`. +- Backend: + - Route: `GET /dashboard/submissions/:formUuid` added to `src/routes/dashboard.js`. + - Verifies that `req.user.id` owns the `formUuid`. + - Fetches paginated submissions for the given `formUuid`. + - Renders `dashboard.ejs` with `view = 'form_submissions'`, passing submissions data, form details, and pagination info. + - Error handling improved to render user-friendly messages within the dashboard view. + +[X] UI and backend for a user to view submissions for their specific form. +[X] Pagination is critical here (as you have). + +### Subtask 2.1.5: Form Settings UI (Basic): + +- Objective: Allow users to update basic form settings, starting with the form name. +- UI: + - A new view/section in `dashboard.ejs` (e.g., when `view = 'form_settings'`). + - This view will display a form with an input for the form name. + - It will also be a placeholder for future settings (thank you URL, notifications). +- Backend: + - Route: `GET /dashboard/forms/:formUuid/settings` to display the settings page. + - Implemented in `src/routes/dashboard.js`. + - Verifies form ownership by `req.user.id`. + - Fetches current form details (name). + - Renders the `form_settings` view in `dashboard.ejs`. + - Route: `POST /dashboard/forms/:formUuid/settings/update-name` to handle the update. + - Implemented in `src/routes/dashboard.js`. + - Verifies form ownership. + - Updates the form name in the database. + - Redirects back to form settings page with a success/error message via query parameters. + +[X] Allow users to update form name. +[X] Placeholder for future settings (thank you URL, notifications) - (Placeholders added in EJS). + +### Subtask 2.1.6: Delete Form/Submission (with soft delete/archival consideration): + +- Objective: Implement form archival (soft delete) and permanent deletion for users. +- Users should be able to archive/unarchive their forms. +- True delete should be a confirmed, rare operation. +- The `is_archived` field in the `forms` table will be used. +- Submissions deletion is already partially handled in `_submissions_view.ejs` via a POST to `/dashboard/submissions/delete/:submissionId`. We need to implement this backend route. + +- **Form Archival/Unarchival:** + - UI: Buttons for "Archive" / "Unarchive" are already in `views/partials/_forms_table.ejs`. + - Archive action: `POST /dashboard/forms/archive/:formUuid` + - Unarchive action: `POST /dashboard/forms/unarchive/:formUuid` + - Backend: + - Create these two POST routes in `src/routes/dashboard.js`. + - Must verify form ownership by `req.user.id`. + - Fetch current form details (name). + - Render the settings view. + - Route: `POST /dashboard/forms/:formUuid/settings` (or `/dashboard/forms/:formUuid/update-name`) to handle the update. + - Must verify form ownership. + - Update the form name in the database. + - Redirect back to form settings page or main dashboard with a success message. + +* **Submission Deletion (User-scoped):** + - UI: "Delete" button per submission in `views/partials/_submissions_view.ejs` (with `confirm()` dialog). + - Action: `POST /dashboard/submissions/delete/:submissionId` + - Backend (in `src/routes/dashboard.js`): + - Implemented `POST /dashboard/submissions/delete/:submissionId`: + - Verifies the `req.user.id` owns the form to which the submission belongs. + - Deletes the specific submission. + - Redirects back to the form's submissions view (`/dashboard/submissions/:formUuid`) with message. + +[X] You have is_archived. Solidify this. Users should be able to archive/unarchive. +[X] True delete should be a confirmed, rare operation. +[X] Implement user-scoped submission deletion. + +## Task 2.2: Per-Form Configuration by User + +- Mindset Shift: Empower users to customize their form behavior. + +### Subtask 2.2.1: Database Schema Updates for forms Table: + +- Objective: Add new fields to the `forms` table to support per-form email notification settings. +- Review existing fields (`thank_you_url`, `thank_you_message`, `ntfy_enabled`, `allowed_domains`) - these are good as per plan. +- **New fields to add:** + - `email_notifications_enabled` (BOOLEAN, DEFAULT FALSE, NOT NULL) + - `notification_email_address` (VARCHAR(255), NULL) - This will store an override email address. If NULL, the user's primary email will be used. + +[X] Review existing fields (thank_you_url, thank_you_message, ntfy_enabled, allowed_domains). These are good. +[X] Add email_notifications_enabled (boolean). (Added to `init.sql`) +[X] Add notification_email_address (string, defaults to user's email, but allow override). (Added to `init.sql`) + +### Subtask 2.2.2: UI for Form Settings Page: + +- Objective: Enhance the form settings page to allow users to configure these new email notification options. +- The existing form settings page is `dashboard.ejs` with `view = 'form_settings'` (created in Subtask 2.1.5). +- **UI Elements to add to this page:** + - **Email Notifications Section:** + - Checkbox/Toggle: "Enable Email Notifications for new submissions" + - Controls `email_notifications_enabled`. + - Input Field (text, email type): "Notification Email Address" + - Controls `notification_email_address`. + - Should be pre-filled with the user's primary email if `notification_email_address` is NULL/empty in the DB. + - Label should indicate that if left blank, notifications will go to the account email. +- The `GET /dashboard/forms/:formUuid/settings` route will need to fetch these new fields. +- The form on this page will need to be updated to submit these new fields. The POST route will likely be `/dashboard/forms/:formUuid/settings/update-notifications` or similar, or a general update to the existing `/dashboard/forms/:formUuid/settings/update-name` to become a general settings update route. + +[X] Create a dedicated page/modal for each form's settings. (Using existing settings section in `dashboard.ejs`) +[X] Allow users to edit: Name, Email Notification toggle, Notification Email Address. (Thank You URL, Thank You Message, Allowed Domains are placeholders for now as per 2.1.5). +_ UI elements added to `dashboard.ejs` in the `form_settings` view. +_ `GET /dashboard/forms/:formUuid/settings` in `src/routes/dashboard.js` updated to fetch and pass these settings. \* `POST /dashboard/forms/:formUuid/settings/update-notifications` in `src/routes/dashboard.js` created to save these settings. + +### Subtask 2.2.3: Backend to Save and Apply Settings: + +- Objective: Ensure the backend API endpoints correctly save and the submission logic uses these settings. +- API endpoints to update settings for a specific form (owned by user): + - `POST .../update-name` (Done in 2.1.5) + - `POST .../update-notifications` (Done in 2.2.2) + - Future: endpoints for Thank You URL, Message, Allowed Domains. +- Logic in `/submit/:formUuid` to use these form-specific settings: + - When a form is submitted to `/submit/:formUuid`: + - Fetch the form's settings from the DB, including `email_notifications_enabled` and `notification_email_address`. + - This logic is now implemented in `src/routes/public.js` as part of Task 2.3.2 integration. + +[X] API endpoints to update these settings for a specific form (owned by user). (Name and Email Notification settings covered so far) +[X] Logic in /submit/:formUuid to use these form-specific settings. (Addressed as part of 2.3.2) + +## Task 2.3: Email Notifications for Submissions (Core Feature) + +- Mindset Shift: Ntfy is cool for you. Users expect email. + +### Subtask 2.3.1: Integrate Transactional Email Service: + +- Objective: Set up a third-party email service to send submission notifications. +- **Action for you (USER):** + - Choose a transactional email service (e.g., SendGrid, Mailgun, AWS SES). Many offer free tiers. + - Sign up for the service and obtain an API Key. + - Securely store this API Key as an environment variable in your `.env` file. + - For example, if you choose SendGrid, you might use `SENDGRID_API_KEY=your_actual_api_key`. + - Also, note the sender email address you configure with the service (e.g., `EMAIL_FROM_ADDRESS=notifications@yourdomain.com`). +- Once you have these, let me know which service you've chosen so I can help with installing the correct SDK and writing the integration code. + - User selected: Resend + - API Key ENV Var: `RESEND_API_KEY` + - From Email ENV Var: `EMAIL_FROM_ADDRESS` + +[X] Sign up for SendGrid, Mailgun, AWS SES (free tiers available). (User selected Resend) +[X] Install their SDK. (npm install resend done) +[X] Store API key securely (env vars). (User confirmed `RESEND_API_KEY` and `EMAIL_FROM_ADDRESS` are set up) + +### Subtask 2.3.2: Email Sending Logic: + +- Objective: Create a reusable service/function to handle the sending of submission notification emails. +- This service will use the Resend SDK and the configured API key. +- **Create a new service file:** `src/services/emailService.js` + - It should export a function, e.g., `sendSubmissionNotification(form, submissionData, userEmail)`. + - `form`: An object containing form details (`name`, `email_notifications_enabled`, `notification_email_address`). + - `submissionData`: The actual data submitted to the form. + - `userEmail`: The email of the user who owns the form (to be used if `form.notification_email_address` is not set). + - Inside the function: + - Check if `form.email_notifications_enabled` is true. + - Determine the recipient: `form.notification_email_address` or `userEmail`. + - Construct the email subject and body (using a basic template for now - Subtask 2.3.3). + - Use the Resend SDK to send the email. + - Include error handling (Subtask 2.3.4). + +[X] Create a service/function sendSubmissionNotification(form, submissionData, userEmail) - (`src/services/emailService.js` created with this function). +[X] If email_notifications_enabled for the form, send an email to notification_email_address (or user's email). - (Logic implemented in `emailService.js` and integrated into `/submit/:formUuid` route in `src/routes/public.js`). + +### Subtask 2.3.3: Basic Email Template: + +- Objective: Define a simple, clear email template for notifications. +- The current `createEmailHtmlBody` function in `src/services/emailService.js` provides a very basic HTML template: + - Subject: "New Submission for [Form Name]" + - Body: Lists submitted data (key-value pairs). +- This fulfills the MVP requirement. + +[X] Simple, clear email: "New Submission for [Form Name]", list submitted data. (Implemented in `emailService.js`) + +### Subtask 2.3.4: Error Handling for Email Sending: + +- Objective: Ensure email sending failures don't break the submission flow and are logged. +- In `src/services/emailService.js`, within `sendSubmissionNotification`: + - Errors from `resend.emails.send()` are caught and logged. + - The function does not throw an error that would halt the caller, allowing the submission to be considered successful even if the email fails. +- In `src/routes/public.js` (`/submit/:formUuid` route): + - The call to `sendSubmissionNotification` is followed by `.catch()` to log any unexpected errors from the email sending promise itself, ensuring the main response to the user is not blocked. + +[X] Log errors if email fails to send; don't let it break the submission flow. (Implemented in `emailService.js` and `public.js` route) + +## Task 2.4: Enhanced Spam Protection (Beyond Basic Honeypot) + +- Mindset Shift: Your honeypot is step 1. Real services need more. + +### Subtask 2.4.1: Integrate CAPTCHA (e.g., Google reCAPTCHA): + +- Objective: Add server-side CAPTCHA validation to the form submission process. +- We'll use Google reCAPTCHA v2 ("I'm not a robot" checkbox) for this MVP. +- **Action for you (USER):** + - Go to the [Google reCAPTCHA admin console](https://www.google.com/recaptcha/admin/create). + - Register your site: Choose reCAPTCHA v2, then "I'm not a robot" Checkbox. + - Add your domain(s) (e.g., `localhost` for development, and your production domain). + - Accept the terms of service. + - You will receive a **Site Key** and a **Secret Key**. + - Store these securely in your `.env` file: + - `RECAPTCHA_V2_SITE_KEY=your_site_key` + - `RECAPTCHA_V2_SECRET_KEY=your_secret_key` +- Let me know once you have these keys set up in your `.env` file. + +- **Frontend Changes (Illustrative - User will implement on their actual forms):** + - User needs to include the reCAPTCHA API script in their HTML form page: `` + - User needs to add the reCAPTCHA widget div where the checkbox should appear: `` (replacing with the actual site key, possibly passed from server or configured client-side if site key is public). +- **Backend Changes (`/submit/:formUuid` route in `src/routes/public.js`):** + - When a submission is received, it should include a `g-recaptcha-response` field from the reCAPTCHA widget. + - Create a new middleware or a helper function `verifyRecaptcha(recaptchaResponse, clientIp)`. + - This function will make a POST request to Google's verification URL: `https://www.google.com/recaptcha/api/siteverify`. + - Parameters: `secret` (your `RECAPTCHA_V2_SECRET_KEY`), `response` (the `g-recaptcha-response` value), `remoteip` (optional, user's IP). + - The response from Google will be JSON indicating success or failure. + - In the `/submit` route, call this verification function. If verification fails, reject the submission with an appropriate error. + +[X] Sign up for reCAPTCHA (v2 "I'm not a robot" or v3 invisible). Get site/secret keys. (User action) - _User confirmed keys are in .env_ +[ ] Frontend: Add reCAPTCHA widget/JS to user's HTML form example. (User responsibility for their forms) +[X] Backend: /submit/:formUuid endpoint must verify reCAPTCHA token with Google. (_Already implemented in `src/routes/public.js` using `src/utils/recaptchaHelper.js`_) + +### Subtask 2.4.2: User Configuration for Spam Protection: + +- [x] Database Schema: Add `recaptcha_enabled` (BOOLEAN, DEFAULT FALSE) to `forms` table. (_Done in `init.sql`_) +- [x] UI: Added reCAPTCHA toggle to Form Settings page (`dashboard.ejs`) and consolidated settings form to POST to `/dashboard/forms/:formUuid/settings/update`. (_Done_) +- [x] Backend: + - [x] `GET /dashboard/forms/:formUuid/settings` fetches and passes `recaptcha_enabled`. (_Done_) + - [x] Consolidated `POST /dashboard/forms/:formUuid/settings/update` saves `recaptcha_enabled` and other settings (formName, emailNotificationsEnabled, notificationEmailAddress). (_Done_) + - [x] `/submit/:formUuid` in `public.js` now checks form's `recaptcha_enabled` flag: if true, token is required & verified; if false, check is skipped. (_Done_) +- [x] Allow users to enable/disable reCAPTCHA for their forms (and input their own site key if they want, or use a global one you provide). - _Implemented using global keys for MVP._ + +- Subtask 2.4.3: (Future Consideration) Akismet / Content Analysis. + +## Task 2.5: Basic API for Users to Access Their Data + +- Mindset Shift: Power users and integrations need an API. + +### Subtask 2.5.1: API Key Generation & Management: + +- Objective: Allow users to generate/revoke API keys from their dashboard. +- **Action for you (USER):** + - Choose a RESTful API framework (e.g., Express, Fastify). + - Implement the API endpoints to allow users to access their data. + - Ensure the API is secure and uses authentication. +- Let me know once you have the API implemented and tested. + +[X] Database Schema: Create `api_keys` table (user*id, key_name, api_key_identifier, hashed_api_key_secret, etc.). (\_Done in `init.sql` with refined structure*) +[X] Helper Utilities: Created `src/utils/apiKeyHelper.js` with `generateApiKeyParts`, `hashApiKeySecret`, `compareApiKeySecret`. (_Done_) +[X] Backend Routes: Added `GET /dashboard/api-keys` (list), `POST /dashboard/api-keys/generate` (create), `POST /dashboard/api-keys/:apiKeyUuid/revoke` (delete) to `src/routes/dashboard.js`. (_Done_) +[X] UI in Dashboard: Added "API Keys" section to `dashboard.ejs` for generating, listing (name, identifier, created/last*used), and revoking keys. Displays newly generated key once via session. (\_Done*) +[X] Allow users to generate/revoke API keys from their dashboard. (_Done_) +[X] Store hashed API keys in DB, associated with user. (_Done via backend routes and helpers_) + +### Subtask 2.5.2: Secure API Endpoints: + +- Objective: Ensure the API is secure and uses authentication. +- **Action for you (USER):** + - Choose a RESTful API framework (e.g., Express, Fastify). + - Implement the API endpoints to allow users to access their data. + - Ensure the API is secure and uses authentication. +- Let me know once you have the API implemented and tested. + +[X] Created `src/middleware/apiAuthMiddleware.js` for Bearer token authentication (checks signature, expiry, active user, updates last*used). (\_Done*) +[X] Created `src/routes/api_v1.js` and mounted it at `/api/v1` in `server.js`. (_Done_) +[X] Added `GET /api/v1/forms` (list user's forms) and `GET /api/v1/forms/:formUuid/submissions` (list form submissions, paginated), both protected by the API auth middleware. (_Done_) +[X] Create new API routes (e.g., /api/v1/forms, /api/v1/forms/:uuid/submissions). (_Covered by above point_) +[X] Authenticate using API keys (e.g., Bearer token). (_Done_) + +### Subtask 2.5.3: Basic API Documentation: + +- Objective: Provide basic documentation for the API. +- **Action for you (USER):** + - Choose a documentation format (e.g., Swagger, Postman, Markdown). + - Implement the documentation for the API endpoints. +- Let me know once you have the API documentation implemented. + +[ ] Simple Markdown file explaining authentication and available endpoints. diff --git a/package.json b/package.json new file mode 100644 index 0000000..c65ff7d --- /dev/null +++ b/package.json @@ -0,0 +1,42 @@ +{ + "name": "formies", + "version": "1.0.0", + "main": "server.js", + "scripts": { + "test": "NODE_ENV=test jest --runInBand --detectOpenHandles --forceExit", + "test:watch": "NODE_ENV=test jest --watch", + "start": "node server.js", + "dev": "nodemon server.js" + }, + "keywords": [], + "author": "", + "license": "ISC", + "description": "", + "dependencies": { + "basic-auth": "^2.0.1", + "bcryptjs": "^2.4.3", + "dotenv": "^16.5.0", + "ejs": "^3.1.10", + "express": "^5.1.0", + "express-rate-limit": "^7.1.5", + "express-session": "^1.17.3", + "express-validator": "^7.0.1", + "helmet": "^8.1.0", + "jsonwebtoken": "^9.0.2", + "nodemailer": "^6.9.8", + "passport": "^0.7.0", + "passport-jwt": "^4.0.1", + "passport-local": "^1.0.0", + "rate-limit-redis": "^4.2.0", + "redis": "^4.7.0", + "resend": "^4.5.1", + "sqlite3": "^5.1.7", + "uuid": "^11.1.0", + "winston": "^3.17.0" + }, + "devDependencies": { + "nodemon": "^3.0.2", + "jest": "^29.7.0", + "supertest": "^7.0.0" + } +} diff --git a/repomix-output.xml b/repomix-output.xml index a9f29db..e47ced5 100644 --- a/repomix-output.xml +++ b/repomix-output.xml @@ -43,4552 +43,6579 @@ The content is organized as follows:| Form Name | -Submitted by | -Date | -Status | -Actions | -
|---|---|---|---|---|
| Customer Feedback Q2 | -john.doe@example.com | -May 05, 2025 | -New |
- - - | -
| Annual Conf Registration | -sarah.smith@example.com | -May 04, 2025 | -Pending |
- - - | -
| Customer Feedback Q2 | -mark.rivera@sample.net | -May 03, 2025 | -Reviewed |
- - - | -
- Welcome, Admin! - - -
-Enter a Form ID to load and submit:
-Error: Form definition is invalid.
"; - console.error("Invalid form fields definition:", formDefinition.fields); - return; - } - - formDefinition.fields.forEach((field) => { - const div = document.createElement("div"); - const label = document.createElement("label"); - label.htmlFor = `field-${field.name}`; - label.textContent = field.label || field.name; // Use label, fallback to name - div.appendChild(label); - - let input; - // Basic type handling - could be expanded - switch (field.type) { - case "textarea": // Allow explicit textarea type - case "string": - // Use textarea for string if maxLength suggests it might be long - if (field.maxLength && field.maxLength > 100) { - input = document.createElement("textarea"); - input.rows = 4; // Default rows - } else { - input = document.createElement("input"); - input.type = "text"; - } - if (field.minLength) input.minLength = field.minLength; - if (field.maxLength) input.maxLength = field.maxLength; - break; - case "email": - input = document.createElement("input"); - input.type = "email"; - break; - case "url": - input = document.createElement("input"); - input.type = "url"; - break; - case "number": - input = document.createElement("input"); - input.type = "number"; - if (field.min !== undefined) input.min = field.min; - if (field.max !== undefined) input.max = field.max; - input.step = field.step || "any"; // Allow decimals by default - break; - case "boolean": - input = document.createElement("input"); - input.type = "checkbox"; - // Checkbox label handling is slightly different - label.insertBefore(input, label.firstChild); // Put checkbox before text - input.style.width = "auto"; // Override default width - input.style.marginRight = "10px"; - break; - // Add cases for 'select', 'radio', 'date' etc. if needed - default: - input = document.createElement("input"); - input.type = "text"; - console.warn( - `Unsupported field type "${field.type}" for field "${field.name}". Rendering as text.` - ); - } - - if (input.type !== "checkbox") { - // Checkbox is already appended inside label - div.appendChild(input); - } - input.id = `field-${field.name}`; - input.name = field.name; // Crucial for form data collection - if (field.required) input.required = true; - if (field.placeholder) input.placeholder = field.placeholder; - if (field.pattern) input.pattern = field.pattern; // Add regex pattern validation - - publicForm.appendChild(div); - }); - - const submitButton = document.createElement("button"); - submitButton.type = "submit"; - submitButton.textContent = "Submit Form"; - publicForm.appendChild(submitButton); - } - - publicForm.addEventListener("submit", async (e) => { - e.preventDefault(); - showStatus(""); - const formId = e.target.dataset.formId; - if (!formId) { - showStatus("Error: Form ID is missing.", true); - return; - } - - const formData = new FormData(e.target); - const submissionData = {}; - - // Convert FormData to a plain object, handling checkboxes correctly - for (const [key, value] of formData.entries()) { - const inputElement = e.target.elements[key]; - - // Handle Checkboxes (boolean) - if (inputElement && inputElement.type === "checkbox") { - // A checkbox value is only present in FormData if it's checked. - // We need to ensure we always send a boolean. - // Check if the element exists in the form (it might be unchecked) - submissionData[key] = inputElement.checked; - } - // Handle Number inputs (convert from string) - else if (inputElement && inputElement.type === "number") { - // Only convert if the value is not empty, otherwise send null or handle as needed - if (value !== "") { - submissionData[key] = parseFloat(value); // Or parseInt if only integers allowed - if (isNaN(submissionData[key])) { - // Handle potential parsing errors if input validation fails - console.warn(`Could not parse number for field ${key}: ${value}`); - submissionData[key] = null; // Or keep as string, or show error - } - } else { - submissionData[key] = null; // Or undefined, depending on backend expectation for empty numbers - } - } - // Handle potential multiple values for the same name (e.g., multi-select), though not rendered here - else if (submissionData.hasOwnProperty(key)) { - if (!Array.isArray(submissionData[key])) { - submissionData[key] = [submissionData[key]]; - } - submissionData[key].push(value); - } - // Default: treat as string - else { - submissionData[key] = value; - } - } - - // Ensure boolean fields that were *unchecked* are explicitly set to false - // FormData only includes checked checkboxes. Find all checkbox inputs in the form. - const checkboxes = e.target.querySelectorAll('input[type="checkbox"]'); - checkboxes.forEach((cb) => { - if (!submissionData.hasOwnProperty(cb.name)) { - submissionData[cb.name] = false; // Set unchecked boxes to false - } - }); - - console.log("Submitting data:", submissionData); // Debugging - - try { - // Public submission endpoint doesn't require auth - const result = await makeApiRequest( - `/forms/${formId}/submissions`, - "POST", - submissionData, - false - ); - showStatus( - `Submission successful! Submission ID: ${result.submission_id}` - ); - e.target.reset(); // Clear the form - // Optionally hide the form after successful submission - // publicFormArea.classList.add('hidden'); - } catch (error) { - let errorMsg = `Submission failed: ${error.message}`; - // Handle validation errors specifically - if (error.validationErrors) { - errorMsg = "Submission failed due to validation errors:\n"; - for (const [field, message] of Object.entries(error.validationErrors)) { - errorMsg += `- ${field}: ${message}\n`; - } - // Highlight invalid fields? (More complex UI update) - } - showStatus(errorMsg, true); - } - }); - - // --- Initial Setup --- - toggleSections(); // Set initial view based on stored token - if (authToken) { - loadFormsButton.click(); // Auto-load forms if logged in - } +Your submission has been received.
" + ); + } + + // Fetch form settings first to check for reCAPTCHA status and other details + let formSettings; + try { + const [forms] = await pool.query( + "SELECT id, user_id, name, thank_you_url, thank_you_message, ntfy_enabled, is_archived, email_notifications_enabled, notification_email_address, recaptcha_enabled FROM forms WHERE uuid = ?", + [formUuid] + ); + if (forms.length === 0) { + return res.status(404).send("Form endpoint not found."); + } + formSettings = forms[0]; + + if (formSettings.is_archived) { + return res + .status(410) + .send( + "This form has been archived and is no longer accepting submissions." + ); + } + } catch (dbError) { + console.error("Error fetching form settings during submission:", dbError); + return res + .status(500) + .send("Error processing submission due to database issue."); + } + + // Perform reCAPTCHA verification if it's enabled for this form + if (formSettings.recaptcha_enabled) { + if (!recaptchaToken) { + console.warn( + `reCAPTCHA enabled for form ${formUuid} but no token provided by IP ${ipAddress}.` + ); + return res + .status(403) + .send( + "reCAPTCHA is required for this form. Please complete the challenge." + ); + } + + const isRecaptchaValid = await verifyRecaptchaV2( + recaptchaToken, + ipAddress + ); + if (!isRecaptchaValid) { + console.warn( + `reCAPTCHA verification failed for form ${formUuid} from IP ${ipAddress}.` + ); + return res + .status(403) + .send("reCAPTCHA verification failed. Please try again."); + } + } // If reCAPTCHA is not enabled, or if it was enabled and passed, proceed. + + // Main submission processing logic (moved DB query for form details up) + let formNameForNotification = formSettings.name || `Form ${formUuid}`; + try { + const ntfyEnabled = formSettings.ntfy_enabled; + const formOwnerUserId = formSettings.user_id; + + // Prepare form object for email service + const formForEmail = { + name: formSettings.name, + email_notifications_enabled: formSettings.email_notifications_enabled, + notification_email_address: formSettings.notification_email_address, + }; + + // Fetch form owner's email for default notification recipient + let ownerEmail = null; + if (formOwnerUserId) { + const [users] = await pool.query( + "SELECT email FROM users WHERE id = ?", + [formOwnerUserId] + ); + if (users.length > 0) { + ownerEmail = users[0].email; + } else { + console.warn( + `Owner user with ID ${formOwnerUserId} not found for form ${formUuid}.` + ); + } + } + + await pool.query( + "INSERT INTO submissions (form_uuid, user_id, data, ip_address) VALUES (?, ?, ?, ?)", + [formUuid, formOwnerUserId, JSON.stringify(submissionData), ipAddress] + ); + console.log( + `Submission received for ${formUuid} (user: ${formOwnerUserId}):`, + submissionData + ); + + const submissionSummary = Object.entries(submissionData) + .filter(([key]) => key !== "_thankyou") + .map(([key, value]) => `${key}: ${value}`) + .join(", "); + + if (ntfyEnabled) { + await sendNtfyNotification( + `New Submission: ${formNameForNotification}`, + `Data: ${ + submissionSummary || "No data fields" + }\nFrom IP: ${ipAddress}`, + "high", + "incoming_form" + ); + } + + // Send email notification + if (ownerEmail) { + // Only attempt if we have an owner email (even if custom one is set, good to have fallback context) + sendSubmissionNotification( + formForEmail, + submissionData, + ownerEmail + ).catch((err) => + console.error( + "Failed to send submission email directly in route:", + err + ) + ); // Log error but don't block response + } else if ( + formForEmail.email_notifications_enabled && + !formForEmail.notification_email_address + ) { + console.warn( + `Email notification enabled for form ${formUuid} but owner email could not be determined and no custom address set.` + ); + } + + if (formSettings.thank_you_url) { + return res.redirect(formSettings.thank_you_url); + } + + if (formSettings.thank_you_message) { + // Basic HTML escaping for safety + const safeMessage = formSettings.thank_you_message + .replace(/&/g, "&") + .replace(//g, ">") + .replace(/"/g, """) + .replace(/'/g, "'"); + return res.send(safeMessage); + } + + if (submissionData._thankyou) { + return res.redirect(submissionData._thankyou); + } + + res.send( + 'Your submission has been received.
' + ); + } catch (error) { + console.error("Error processing submission:", error); + await sendNtfyNotification( + `Submission Error: ${formNameForNotification}`, + `Failed to process submission for ${formUuid} from IP ${ipAddress}. Error: ${error.message}`, + "max" + ); + res.status(500).send("Error processing submission."); + } + } +); + +module.exports = router; +Thank you for signing up for Formies! To complete your registration, please verify your email address by clicking the button below:
+ +If the button doesn't work, you can copy and paste this link into your browser:
+${verificationUrl}
+This link will expire in 24 hours.
+If you didn't create an account with Formies, you can safely ignore this email.
+We received a request to reset your password for your Formies account. If you made this request, click the button below to reset your password:
++ Reset Password +
+If the button doesn't work, you can copy and paste this link into your browser:
+${resetUrl}
+This link will expire in 1 hour.
+If you didn't request a password reset, you can safely ignore this email. Your password won't be changed.
+Welcome to Formies! Your email has been verified and your account is now active.
+You can now start creating beautiful forms and collecting submissions. Here's what you can do:
++ Go to Dashboard +
+This email confirms that your password has been successfully changed for your Formies account.
+If you didn't make this change, please contact our support team immediately.
+For your security, here are some tips:
+You have a new submission for your form: ${formName}.
`; + body += "Here are the details:
Thank you for using Formies!
"; + return body; +} + +/** + * Sends a submission notification email. + * @param {object} form - Form details (name, email_notifications_enabled, notification_email_address). + * @param {object} submissionData - The actual data submitted to the form. + * @param {string} userOwnerEmail - The email of the user who owns the form. + */ +async function sendSubmissionNotification( + form, + submissionData, + userOwnerEmail +) { + if (!resend) { + logger.warn( + "Resend SDK not initialized due to missing API key. Skipping email notification." + ); + return; + } + if (!emailFromAddress) { + logger.warn( + "EMAIL_FROM_ADDRESS not configured. Skipping email notification." + ); + return; + } + + if (!form || !form.email_notifications_enabled) { + logger.info( + `Email notifications are disabled for form: ${form ? form.name : "Unknown Form"}. Skipping.` + ); + return; + } + + const recipientEmail = form.notification_email_address || userOwnerEmail; + if (!recipientEmail) { + logger.warn( + `No recipient email address found for form: ${form.name}. Skipping notification.` + ); + return; + } + + const subject = `New Submission for Form: ${form.name}`; + const htmlBody = createEmailHtmlBody(form.name, submissionData); + + try { + const { data, error } = await resend.emails.send({ + from: emailFromAddress, + to: recipientEmail, + subject: subject, + html: htmlBody, + }); + + if (error) { + logger.error("Error sending submission email via Resend:", error); + // Do not let email failure break the submission flow (as per 2.3.4) + return; // Or throw a specific error to be caught upstream if needed for more complex handling + } + + logger.info( + `Submission email sent successfully to ${recipientEmail} for form ${form.name}. Message ID: ${data ? data.id : "N/A"}` + ); + } catch (err) { + logger.error("Exception caught while sending submission email:", err); + // Do not let email failure break the submission flow + } +} + +module.exports = { + sendSubmissionNotification, + // Potentially export createEmailHtmlBody if it needs to be used elsewhere or for testing +}; +Account settings will be here.
+ <% } else if (view === 'form_settings') { %> + + + <% if (typeof successMessage !== 'undefined' && successMessage) { %> +Important: This is the only time you will see this API key. Copy it now and store it securely.
+<%= newlyGeneratedApiKey %>| Name | +Identifier (Prefix) | +Created At | +Last Used | +Actions | +
|---|---|---|---|---|
| <%= key.key_name %> | +<%= key.api_key_identifier %> | +<%= new Date(key.created_at).toLocaleDateString() %> | +<%= key.last_used_at ? new Date(key.last_used_at).toLocaleDateString() : 'Never' %> | ++ + | +
You have not generated any API keys yet.
+ <% } %> +| Form Name | +Submissions | +Endpoint URL | +Created Date | +Status | +Actions | +
|---|---|---|---|---|---|
| <%= form.name %> | +<%= form.submission_count %> | +
+ <%= appUrl %>/submit/<%= form.uuid %>
+
+ |
+ <%= new Date(form.created_at).toLocaleDateString() %> | +<%= form.is_archived ? 'Archived' : 'Active' %> | ++ View Submissions + Settings + + + + | +
You haven't created any forms yet. Create one now!
+<% } %> + + +