mo/formies
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Refactor environment configuration for PostgreSQL and enhance application structure

Browse Source 
- Updated `.env` and `.env.test` files to include PostgreSQL connection settings and Redis configuration.
- Migrated database from SQLite to PostgreSQL, updating relevant queries and connection logic.
- Enhanced error handling and logging throughout the application.
- Added new test utilities for PostgreSQL integration and updated user model methods.
- Introduced new routes for user authentication and form management, ensuring compatibility with the new database structure.
- Created login and registration views in EJS for user interaction.
This commit is contained in:
Mohamad.Elsena 2025-05-28 16:16:33 +02:00
parent 2927013a6d
commit a3236ae9d5
28 changed files with 2608 additions and 984 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
.env
View File

@ -14,4 +14,21 @@ RECAPTCHA_V2_SECRET_KEY=your_actual_secret_key
RESEND_API_KEY=xxx
EMAIL_FROM_ADDRESS=xxx
recaptcha_enabled = TRUE
recaptcha_enabled = TRUE
DATABASE_URL=postgresql://formies_owner:npg_VtO2HSgGnI9J@ep-royal-scene-a2961c60-pooler.eu-central-1.aws.neon.tech/formies?sslmode=require
# Redis
REDIS_HOST=your_production_redis_host_or_service_name # e.g., the service name in docker-compose.prod.yml like 'redis'
REDIS_PORT=6379 # Or your production Redis port if different
REDIS_PASSWORD=your_production_redis_password # Ensure this is set for production
# Application specific
NODE_ENV=production
PORT=3000 # Or your desired production port
# Security - VERY IMPORTANT: Use strong, unique secrets for production
SESSION_SECRET=generate_a_very_strong_random_string_for_session_secret
JWT_SECRET=generate_a_very_strong_random_string_for_jwt_secret

45
.env.test
View File

@ -1,43 +1,32 @@
# .env.test
NODE_ENV=test
PORT=3001 # Use a different port for testing if your main app might be running
PORT=3001 # Different port for test server
# Test Database Configuration (use a SEPARATE database for testing)
DB_HOST=localhost # Or your test DB host
DB_USER=your_test_db_user
DB_PASSWORD=your_test_db_password
DB_NAME=forms_db_test # CRITICAL: Use a different database name
DB_HOST=localhost
DB_USER=your_test_pg_user
DB_PASSWORD=your_test_pg_password
DB_NAME=formies_test_db # CRITICAL: MUST BE A TEST DATABASE
DB_PORT=5432
# JWT Configuration (can be the same as dev, or specific test secrets)
JWT_SECRET=your-super-secret-jwt-key-for-tests-only-make-it-different
JWT_SECRET=a_different_test_secret_key_that_is_very_long_and_secure
JWT_ISSUER=formies-test
JWT_AUDIENCE=formies-users-test
JWT_ACCESS_EXPIRY=5s # Short expiry for testing expiration
JWT_ACCESS_EXPIRY=5s
JWT_REFRESH_EXPIRY=10s
# Session Configuration
SESSION_SECRET=your-test-session-secret-key
SESSION_SECRET=another_test_session_secret
# Application Configuration
APP_URL=http://localhost:3001
# Email Configuration (mocked or use a test service like Mailtrap.io)
SMTP_HOST=
SMTP_PORT=
SMTP_SECURE=
SMTP_USER=
SMTP_PASS=
SMTP_FROM_EMAIL=
RESEND_API_KEY=test_resend_key # So it doesn't try to send real emails
# Mocked or test service creds
RESEND_API_KEY=test_resend_key # For email service mocking
EMAIL_FROM_ADDRESS=test@formies.local
# Notification Configuration
NTFY_ENABLED=false # Disable for tests unless specifically testing ntfy
NTFY_ENABLED=false
# reCAPTCHA (use test keys or disable for most tests)
RECAPTCHA_V2_SITE_KEY=your_test_recaptcha_site_key
RECAPTCHA_V2_SECRET_KEY=your_test_recaptcha_secret_key # Google provides test keys that always pass/fail
RECAPTCHA_V2_SITE_KEY=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MM_sF2s_ # Google's test site key
RECAPTCHA_V2_SECRET_KEY=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe # Google's test secret key
# Legacy Admin (if still relevant)
ADMIN_USER=testadmin
ADMIN_PASSWORD=testpassword
REDIS_HOST=localhost
REDIS_PORT=6379 # Assuming test Redis runs on default port
REDIS_PASSWORD=

197
__tests__/integration/auth.test.js Normal file
View File

@ -0,0 +1,197 @@
// __tests__/integration/auth.test.js
const request = require("supertest");
const app = require("../../../server"); // Adjust path to your Express app
const { pool, clearAllTables } = require("../../setup/testDbUtils"); // Adjust path
const User = require("../../../src/models/User"); // Adjust path
describe("Auth API Endpoints", () => {
let server;
beforeAll(() => {
// If your app directly listens, you might not need this.
// If app is just exported, supertest handles starting/stopping.
// server = app.listen(process.env.PORT || 3001); // Use test port
});
afterAll(async () => {
// if (server) server.close();
// await pool.end(); // Already handled by global teardown
});
beforeEach(async () => {
await clearAllTables();
});
describe("POST /api/auth/register", () => {
it("should register a new user successfully", async () => {
const res = await request(app).post("/api/auth/register").send({
email: "newuser@example.com",
password: "Password123!",
first_name: "New",
last_name: "User",
});
expect(res.statusCode).toEqual(201);
expect(res.body.success).toBe(true);
expect(res.body.data.user.email).toBe("newuser@example.com");
const dbUser = await User.findByEmail("newuser@example.com");
expect(dbUser).toBeDefined();
});
it("should return 409 if email already exists", async () => {
await User.create({
email: "existing@example.com",
password: "Password123!",
});
const res = await request(app)
.post("/api/auth/register")
.send({ email: "existing@example.com", password: "Password123!" });
expect(res.statusCode).toEqual(409);
expect(res.body.message).toContain("already exists");
});
// ... more registration tests (validation, etc.)
});
describe("POST /api/auth/login", () => {
let testUser;
beforeEach(async () => {
testUser = await User.create({
email: "login@example.com",
password: "Password123!",
is_verified: 1, // Mark as verified for login
});
});
it("should login an existing verified user and return tokens", async () => {
const res = await request(app)
.post("/api/auth/login")
.send({ email: "login@example.com", password: "Password123!" });
expect(res.statusCode).toEqual(200);
expect(res.body.success).toBe(true);
expect(res.body.data.accessToken).toBeDefined();
expect(res.body.data.refreshToken).toBeDefined();
expect(res.body.data.user.email).toBe("login@example.com");
});
it("should return 401 for invalid credentials", async () => {
const res = await request(app)
.post("/api/auth/login")
.send({ email: "login@example.com", password: "WrongPassword!" });
expect(res.statusCode).toEqual(401);
});
// ... more login tests (unverified, locked, must_change_password for super_admin)
// Example for super_admin must_change_password
it("should return 403 with MUST_CHANGE_PASSWORD for super_admin first login", async () => {
// Ensure the default super_admin exists with must_change_password = TRUE
// and password_hash = 'NEEDS_TO_BE_SET_ON_FIRST_LOGIN'
// This requires the special handling in LocalStrategy as discussed.
// For this test, you might need to manually insert/update the super_admin in testDb.
await pool.query(
`INSERT INTO users (email, password_hash, role, is_verified, is_active, must_change_password, uuid)
VALUES ($1, $2, 'super_admin', TRUE, TRUE, TRUE, $3)
ON CONFLICT (email) DO UPDATE SET password_hash = $2, must_change_password = TRUE`,
[
"admin@formies.local",
"NEEDS_TO_BE_SET_ON_FIRST_LOGIN",
require("uuid").v4(),
]
);
// This also assumes your special login logic for this specific hash exists
const res = await request(app)
.post("/api/auth/login")
.send({ email: "admin@formies.local", password: "anypassword" }); // Password might be ignored by special logic
if (
res.statusCode === 200 &&
res.body?.data?.user?.must_change_password
) {
// This means your special login logic works by issuing a token even if bcrypt would fail,
// and your /login route has a check for user.must_change_password AFTER successful auth by passport.
// The client would then be responsible for triggering the force-change-password flow.
// This is one way to handle it.
console.warn(
"Super admin login with must_change_password=true returned 200, client must handle redirection to force password change."
);
} else {
// The ideal case from previous discussion:
// expect(res.statusCode).toEqual(403);
// expect(res.body.success).toBe(false);
// expect(res.body.code).toBe('MUST_CHANGE_PASSWORD');
// expect(res.body.data.user.email).toBe('admin@formies.local');
// For now, let's check for either the 403, or the 200 with the flag, as implementation details may vary slightly.
expect([200, 403]).toContain(res.statusCode);
if (res.statusCode === 200)
expect(res.body.data.user.must_change_password).toBe(1); // or true
if (res.statusCode === 403)
expect(res.body.code).toBe("MUST_CHANGE_PASSWORD");
}
});
});
describe("POST /api/auth/force-change-password", () => {
let superAdminToken;
beforeEach(async () => {
// Simulate super admin login that requires password change
await pool.query(
`INSERT INTO users (id, email, password_hash, role, is_verified, is_active, must_change_password, uuid)
VALUES (999, $1, $2, 'super_admin', TRUE, TRUE, TRUE, $3)
ON CONFLICT (email) DO UPDATE SET password_hash = $2, must_change_password = TRUE`,
[
"admin@formies.local",
"NEEDS_TO_BE_SET_ON_FIRST_LOGIN",
require("uuid").v4(),
]
);
// This part is tricky: how do you get a token if login itself is blocked?
// Option 1: Special login route for first-time setup (not implemented).
// Option 2: Modify LocalStrategy to issue a temporary token for this specific case.
// Option 3: Assume `must_change_password` doesn't block login fully but returns a flag,
// and a normal token is issued, which is then used here.
// Let's assume Option 3 for this test, where login provides a token.
const loginRes = await request(app)
.post("/api/auth/login")
.send({ email: "admin@formies.local", password: "anypassword" }); // Password will be bypassed by special logic
if (loginRes.body.data && loginRes.body.data.accessToken) {
superAdminToken = loginRes.body.data.accessToken;
} else {
// If login directly returns 403 for MUST_CHANGE_PASSWORD, then this test needs rethinking.
// It implies the client makes this call *without* a token initially, which is unusual for a POST.
// Or, the client gets some other form of temporary credential.
// For now, this test assumes a token is acquired.
console.warn(
"Could not get token for superAdmin requiring password change. /force-change-password test may be invalid."
);
}
});
it("should allow super_admin to change password if must_change_password is true", async () => {
if (!superAdminToken) {
console.warn("Skipping force-change-password test: no superAdminToken");
return; // or expect(superAdminToken).toBeDefined(); to fail if setup is wrong
}
const res = await request(app)
.post("/api/auth/force-change-password")
.set("Authorization", `Bearer ${superAdminToken}`)
.send({ newPassword: "NewSecurePassword123!" });
expect(res.statusCode).toEqual(200);
expect(res.body.success).toBe(true);
expect(res.body.message).toContain("Password changed successfully");
const dbUser = await User.findByEmail("admin@formies.local");
expect(dbUser.must_change_password).toBe(0); // Or FALSE
const isMatch = await require("bcryptjs").compare(
"NewSecurePassword123!",
dbUser.password_hash
);
expect(isMatch).toBe(true);
});
});
// ... tests for /refresh, /logout, /verify-email, /forgot-password, /reset-password, /profile etc.
});

58
__tests__/integration/dashboard.test.js Normal file
View File

@ -0,0 +1,58 @@
// __tests__/integration/dashboard.test.js
// ... imports ...
describe("GET /dashboard (My Forms)", () => {
let userToken;
let userId;
beforeEach(async () => {
// Create user and login to get token
const user = await User.create({
email: "dash@example.com",
password: "Password123!",
is_verified: 1,
});
userId = user.id;
const loginRes = await request(app)
.post("/api/auth/login")
.send({ email: "dash@example.com", password: "Password123!" });
userToken = loginRes.body.data.accessToken;
// Create some forms for this user
await pool.query(
"INSERT INTO forms (uuid, user_id, name) VALUES ($1, $2, $3), ($4, $2, $5)",
[
require("uuid").v4(),
userId,
"My First Form",
require("uuid").v4(),
"My Second Form",
]
);
// Create a form for another user
const otherUser = await User.create({
email: "other@example.com",
password: "Password123!",
});
await pool.query(
"INSERT INTO forms (uuid, user_id, name) VALUES ($1, $2, $3)",
[require("uuid").v4(), otherUser.id, "Other Users Form"]
);
});
it("should list forms owned by the authenticated user", async () => {
const res = await request(app)
.get("/dashboard")
.set("Authorization", `Bearer ${userToken}`); // Or handle session if dashboard uses sessions
// If dashboard uses sessions, you need to manage login via supertest's agent:
// const agent = request.agent(app);
// await agent.post('/api/auth/login').send({ email: 'dash@example.com', password: 'Password123!' });
// const res = await agent.get('/dashboard');
expect(res.statusCode).toEqual(200);
// For EJS, you'd check for HTML content:
expect(res.text).toContain("My First Form");
expect(res.text).toContain("My Second Form");
expect(res.text).not.toContain("Other Users Form");
});
// ... more dashboard tests for create, settings, submissions view, API keys...
});

34
__tests__/setup/jest.setup.js Normal file
View File

@ -0,0 +1,34 @@
// __tests__/setup/jest.setup.js
const {
initializeTestDB,
clearAllTables,
disconnectTestDB,
} = require("./testDbUtils");
// Optional: Runs once before all test suites
beforeAll(async () => {
console.log("Global setup: Initializing test database...");
await initializeTestDB(); // Ensure clean slate for the entire test run
});
// Runs before each test file (or each test if inside describe block)
// For a truly clean slate for each test file or even each test:
beforeEach(async () => {
// console.log('Resetting tables before test...');
// Depending on your needs, you might re-initialize or just clear tables
await clearAllTables(); // This is faster than full re-init if schema doesn't change
});
// Optional: Runs once after all test suites
afterAll(async () => {
console.log("Global teardown: Disconnecting test database pool...");
await disconnectTestDB();
// You might also need to close your main app's DB pool if it's shared or server is kept running
// And close Redis connections if your tests directly interact with them
const { closeRedis } = require("../../src/config/redis"); // Adjust path
await closeRedis();
// If your server is started for integration tests, ensure it's closed.
// This is often handled by supertest if 'app' is imported and not globally started.
// Or if you start server in globalSetup, close it in globalTeardown.
});

99
__tests__/setup/testDbUtils.js Normal file
View File

@ -0,0 +1,99 @@
// __tests__/setup/testDbUtils.js
const fs = require("fs");
const path = require("path");
const { Pool } = require("pg"); // Use pg directly for setup
// Load .env.test variables
require("dotenv").config({ path: path.resolve(__dirname, "../../.env.test") });
const poolConfig = {
user: process.env.DB_USER,
host: process.env.DB_HOST,
database: process.env.DB_NAME,
password: process.env.DB_PASSWORD,
port: parseInt(process.env.DB_PORT || "5432", 10),
};
const pool = new Pool(poolConfig);
const initSql = fs.readFileSync(
path.resolve(__dirname, "../../init.sql"),
"utf8"
);
async function initializeTestDB() {
const client = await pool.connect();
try {
// Drop all tables (order matters due to FK constraints)
// This is a simple way for tests; migrations are better for complex apps.
await client.query("DROP TABLE IF EXISTS user_sessions CASCADE;");
await client.query("DROP TABLE IF EXISTS api_keys CASCADE;");
await client.query("DROP TABLE IF EXISTS submissions CASCADE;");
await client.query("DROP TABLE IF EXISTS forms CASCADE;");
await client.query("DROP TABLE IF EXISTS users CASCADE;");
await client.query("DROP TABLE IF EXISTS rate_limits CASCADE;"); // If you used this table
// Potentially drop extensions or other objects if init.sql creates them and they persist
// Re-run init.sql
// Note: node-postgres pool.query might not execute multi-statement SQL directly from a file easily.
// It's often better to split init.sql or execute statements one by one.
// For simplicity here, assuming init.sql can be run or you adjust this.
// A common approach is to split init.sql by ';' (excluding those in strings/comments)
const statements = initSql
.split(";\n")
.map((s) => s.trim())
.filter((s) => s.length > 0);
for (const statement of statements) {
if (statement.toUpperCase().startsWith("CREATE TRIGGER")) {
// pg doesn't like CREATE TRIGGER in multi-statement query via client.query
// Skip or handle differently if complex. For now, we assume init.sql is mostly CREATE TABLE / INSERT
// Or, ensure your init.sql puts CREATE EXTENSION at the very top if needed.
// console.warn("Skipping TRIGGER creation in test setup, ensure DB compatibility or handle manually.");
} else {
await client.query(statement);
}
}
console.log("Test database initialized/reset.");
} catch (err) {
console.error("Error initializing test database:", err);
throw err;
} finally {
client.release();
}
}
async function clearTable(tableName) {
const client = await pool.connect();
try {
await client.query(`DELETE FROM "${tableName}";`); // Or TRUNCATE if preferred and allowed
} finally {
client.release();
}
}
async function clearAllTables() {
const client = await pool.connect();
try {
await client.query("DELETE FROM user_sessions;");
await client.query("DELETE FROM api_keys;");
await client.query("DELETE FROM submissions;");
await client.query("DELETE FROM forms;");
await client.query("DELETE FROM users;");
await client.query("DELETE FROM rate_limits;");
} finally {
client.release();
}
}
async function disconnectTestDB() {
await pool.end();
console.log("Test database pool disconnected.");
}
module.exports = {
pool, // Export the pool for direct use in tests if needed
initializeTestDB,
clearTable,
clearAllTables,
disconnectTestDB,
};

154
__tests__/unit/models/User.db.test.js Normal file
View File

@ -0,0 +1,154 @@
// __tests__/unit/models/User.db.test.js
const User = require("../../../src/models/User"); // Adjust path
const { pool, clearAllTables } = require("../../setup/testDbUtils"); // Adjust path
describe("User Model (PostgreSQL)", () => {
beforeEach(async () => {
await clearAllTables(); // Ensure clean state for each test
});
describe("create", () => {
it("should create a new user with hashed password and verification token", async () => {
const userData = {
email: "test@example.com",
password: "Password123!",
first_name: "Test",
last_name: "User",
};
const user = await User.create(userData);
expect(user.id).toBeDefined();
expect(user.uuid).toBeDefined();
expect(user.email).toBe(userData.email);
expect(user.password_hash).not.toBe(userData.password); // Should be hashed
expect(user.verification_token).toBeDefined();
expect(user.is_verified).toBe(0); // Default for SQLite, ensure it's FALSE for PG
const dbUser = await pool.query("SELECT * FROM users WHERE id = $1", [
user.id,
]);
expect(dbUser.rows[0].email).toBe(userData.email);
expect(dbUser.rows[0].password_hash).not.toBe(userData.password);
});
it("should throw an error if email already exists", async () => {
const userData = {
email: "duplicate@example.com",
password: "Password123!",
};
await User.create(userData);
await expect(User.create(userData)).rejects.toThrow(
"Email already exists"
);
});
});
describe("findByEmail", () => {
it("should find an active user by email", async () => {
const createdUser = await User.create({
email: "findme@example.com",
password: "Password123!",
});
const foundUser = await User.findByEmail("findme@example.com");
expect(foundUser).toBeDefined();
expect(foundUser.id).toBe(createdUser.id);
});
it("should return null if user not found or inactive", async () => {
expect(await User.findByEmail("dontexist@example.com")).toBeNull();
// Add test for inactive user if you implement that logic
});
});
describe("findById", () => {
it("should find an active user by ID", async () => {
const createdUser = await User.create({
email: "findbyid@example.com",
password: "Password123!",
});
const foundUser = await User.findById(createdUser.id);
expect(foundUser).toBeDefined();
expect(foundUser.email).toBe(createdUser.email);
});
});
describe("verifyEmail", () => {
it("should verify a user and nullify the token", async () => {
const user = await User.create({
email: "verify@example.com",
password: "Pass!",
});
const verificationToken = user.verification_token;
const verified = await User.verifyEmail(verificationToken);
expect(verified).toBe(true);
const dbUser = await User.findById(user.id);
expect(dbUser.is_verified).toBe(1); // Or TRUE depending on PG boolean handling
expect(dbUser.verification_token).toBeNull();
});
});
describe("setPasswordResetToken and findByPasswordResetToken", () => {
it("should set and find a valid password reset token", async () => {
const user = await User.create({
email: "reset@example.com",
password: "password",
});
const { token } = await User.setPasswordResetToken(user.email);
expect(token).toBeDefined();
const foundUser = await User.findByPasswordResetToken(token);
expect(foundUser).toBeDefined();
expect(foundUser.id).toBe(user.id);
});
it("should not find an expired password reset token", async () => {
const user = await User.create({
email: "resetexpired@example.com",
password: "password",
});
const { token } = await User.setPasswordResetToken(user.email);
// Manually expire the token in DB for testing
await pool.query(
"UPDATE users SET password_reset_expires = NOW() - INTERVAL '2 hour' WHERE id = $1",
[user.id]
);
const foundUser = await User.findByPasswordResetToken(token);
expect(foundUser).toBeNull();
});
});
// ... more tests for other User model methods (updatePassword, login attempts, etc.) ...
// Example: updatePasswordAndClearChangeFlag
describe("updatePasswordAndClearChangeFlag", () => {
it("should update password and set must_change_password to false", async () => {
const user = await User.create({
email: "changeme@example.com",
password: "oldpassword",
});
// Manually set must_change_password to true for test
await pool.query(
"UPDATE users SET must_change_password = TRUE WHERE id = $1",
[user.id]
);
const newPassword = "NewStrongPassword123!";
const updated = await User.updatePasswordAndClearChangeFlag(
user.id,
newPassword
);
expect(updated).toBe(true);
const dbUser = await User.findById(user.id);
const isMatch = await require("bcryptjs").compare(
newPassword,
dbUser.password_hash
);
expect(isMatch).toBe(true);
expect(dbUser.must_change_password).toBe(0); // Or FALSE
});
});
});

133
__tests__/unit/services/emailService.test.js Normal file
View File

@ -0,0 +1,133 @@
// __tests__/unit/services/emailService.test.js
const emailServiceModule = require("../../../src/services/emailService"); // Adjust path
const { Resend } = require("resend");
const logger = require("../../../config/logger"); // Adjust path
jest.mock("resend"); // Mock the Resend constructor and its methods
jest.mock("../../../config/logger"); // Mock logger to spy on it
describe("Email Service (Resend)", () => {
const mockSend = jest.fn();
const originalResendApiKey = process.env.RESEND_API_KEY;
const originalEmailFrom = process.env.EMAIL_FROM_ADDRESS;
beforeEach(() => {
mockSend.mockClear();
Resend.mockClear();
Resend.mockImplementation(() => ({
emails: { send: mockSend },
}));
// Ensure env vars are set for these tests
process.env.RESEND_API_KEY = "test-resend-api-key";
process.env.EMAIL_FROM_ADDRESS = "sender@example.com";
});
afterAll(() => {
process.env.RESEND_API_KEY = originalResendApiKey;
process.env.EMAIL_FROM_ADDRESS = originalEmailFrom;
});
describe("sendSubmissionNotification", () => {
const form = {
name: "Test Form",
email_notifications_enabled: true,
notification_email_address: "custom@example.com",
};
const submissionData = { name: "John Doe", message: "Hello" };
const userOwnerEmail = "owner@example.com";
it("should send email if notifications enabled and custom address provided", async () => {
mockSend.mockResolvedValue({ data: { id: "email_id_123" }, error: null });
await emailServiceModule.sendSubmissionNotification(
form,
submissionData,
userOwnerEmail
);
expect(Resend).toHaveBeenCalledWith("test-resend-api-key");
expect(mockSend).toHaveBeenCalledWith({
from: "sender@example.com",
to: "custom@example.com",
subject: "New Submission for Form: Test Form",
html: expect.stringContaining("<strong>Test Form</strong>"),
});
expect(logger.info).toHaveBeenCalledWith(
expect.stringContaining("Submission email sent successfully")
);
});
it("should use owner email if custom address not provided", async () => {
const formNoCustomEmail = { ...form, notification_email_address: null };
mockSend.mockResolvedValue({ data: { id: "email_id_123" }, error: null });
await emailServiceModule.sendSubmissionNotification(
formNoCustomEmail,
submissionData,
userOwnerEmail
);
expect(mockSend).toHaveBeenCalledWith(
expect.objectContaining({
to: "owner@example.com",
})
);
});
it("should not send email if notifications are disabled", async () => {
const disabledForm = { ...form, email_notifications_enabled: false };
await emailServiceModule.sendSubmissionNotification(
disabledForm,
submissionData,
userOwnerEmail
);
expect(mockSend).not.toHaveBeenCalled();
expect(logger.info).toHaveBeenCalledWith(
expect.stringContaining("Email notifications are disabled")
);
});
it("should log error if Resend fails", async () => {
const resendError = new Error("Resend API Error");
mockSend.mockResolvedValue({ data: null, error: resendError }); // Resend SDK might return error in object
// OR mockSend.mockRejectedValue(resendError); if it throws
await emailServiceModule.sendSubmissionNotification(
form,
submissionData,
userOwnerEmail
);
expect(logger.error).toHaveBeenCalledWith(
"Error sending submission email via Resend:",
resendError
);
});
it("should not send if RESEND_API_KEY is missing", async () => {
delete process.env.RESEND_API_KEY; // Temporarily remove
// Re-require or re-instantiate the service if it checks env vars at import time
// For this structure, the check is at the top of the file, so it might already be 'null'
// A better approach would be for the service to have an isConfigured() method.
// Forcing a re-import for the test is tricky without specific Jest features for module reloading.
// Let's assume the check inside sendSubmissionNotification handles the 'resend' object being null.
// To test this properly, we might need to re-import the module after changing env var
jest.resetModules(); // Clears module cache
process.env.RESEND_API_KEY = undefined;
const freshEmailService = require("../../../src/services/emailService");
await freshEmailService.sendSubmissionNotification(
form,
submissionData,
userOwnerEmail
);
expect(mockSend).not.toHaveBeenCalled();
expect(logger.warn).toHaveBeenCalledWith(
expect.stringContaining("Resend SDK not initialized")
);
process.env.RESEND_API_KEY = "test-resend-api-key"; // Restore
jest.resetModules(); // Clean up
});
});
// You would add similar tests for sendVerificationEmail, etc. from the old Nodemailer-based service
// if you intend to keep that functionality (currently it's commented out or separate)
});

126
__tests__/unit/services/jwtService.test.js Normal file
View File

@ -0,0 +1,126 @@
// __tests__/unit/services/jwtService.test.js
const jwtService = require("../../../src/services/jwtService"); // Adjust path
const User = require("../../../src/models/User"); // Adjust path
const jwt = require("jsonwebtoken");
jest.mock("../../../src/models/User"); // Mock the User model
describe("JWT Service", () => {
const mockUser = { id: 1, email: "test@example.com", role: "user" };
const originalJwtSecret = process.env.JWT_SECRET;
beforeAll(() => {
process.env.JWT_SECRET = "test-secret-for-jwt-service"; // Use a fixed secret for tests
});
afterAll(() => {
process.env.JWT_SECRET = originalJwtSecret; // Restore original
});
beforeEach(() => {
User.saveSession.mockClear();
User.isTokenBlacklisted.mockClear();
User.revokeSession.mockClear();
});
describe("generateAccessToken", () => {
it("should generate a valid access token and save session", async () => {
User.saveSession.mockResolvedValue(true);
const { token, expiresAt, jti } =
jwtService.generateAccessToken(mockUser);
expect(token).toBeDefined();
expect(jti).toBeDefined();
const decoded = jwt.verify(token, process.env.JWT_SECRET);
expect(decoded.sub).toBe(mockUser.id);
expect(decoded.type).toBe("access");
expect(decoded.jti).toBe(jti);
expect(User.saveSession).toHaveBeenCalledWith(
mockUser.id,
jti,
expiresAt,
undefined,
undefined
);
});
});
describe("generateRefreshToken", () => {
it("should generate a valid refresh token and save session", async () => {
User.saveSession.mockResolvedValue(true);
const { token } = jwtService.generateRefreshToken(mockUser);
const decoded = jwt.verify(token, process.env.JWT_SECRET);
expect(decoded.sub).toBe(mockUser.id);
expect(decoded.type).toBe("refresh");
});
});
describe("verifyToken", () => {
it("should verify a valid token", () => {
const { token } = jwtService.generateAccessToken(mockUser);
const decoded = jwtService.verifyToken(token, "access");
expect(decoded.sub).toBe(mockUser.id);
});
it("should throw error for an expired token", () => {
// Generate token with 0s expiry (sign options need to be passed to jwt.sign)
const expiredToken = jwt.sign(
{ sub: mockUser.id, type: "access" },
process.env.JWT_SECRET,
{ expiresIn: "0s" }
);
// Wait a bit for it to actually expire
return new Promise((resolve) => {
setTimeout(() => {
expect(() => jwtService.verifyToken(expiredToken, "access")).toThrow(
"Token has expired"
);
resolve();
}, 10);
});
});
it("should throw error for an invalid token type", () => {
const { token } = jwtService.generateAccessToken(mockUser); // This is an 'access' token
expect(() => jwtService.verifyToken(token, "refresh")).toThrow(
"Invalid token type. Expected refresh"
);
});
});
describe("refreshAccessToken", () => {
it("should refresh access token with a valid refresh token", async () => {
const { token: rToken, jti: refreshJti } =
jwtService.generateRefreshToken(mockUser);
User.isTokenBlacklisted.mockResolvedValue(false); // Not blacklisted
User.findById.mockResolvedValue(mockUser); // User exists
User.saveSession.mockResolvedValue(true); // For the new access token
const { accessToken } = await jwtService.refreshAccessToken(rToken);
expect(accessToken).toBeDefined();
const decodedAccess = jwt.verify(accessToken, process.env.JWT_SECRET);
expect(decodedAccess.type).toBe("access");
expect(User.isTokenBlacklisted).toHaveBeenCalledWith(refreshJti);
});
it("should throw if refresh token is blacklisted", async () => {
const { token: rToken, jti: refreshJti } =
jwtService.generateRefreshToken(mockUser);
User.isTokenBlacklisted.mockResolvedValue(true); // Blacklisted
await expect(jwtService.refreshAccessToken(rToken)).rejects.toThrow(
"Refresh token has been revoked"
);
expect(User.isTokenBlacklisted).toHaveBeenCalledWith(refreshJti);
});
});
describe("revokeToken", () => {
it("should call User.revokeSession with JTI", async () => {
const { token, jti } = jwtService.generateAccessToken(mockUser);
User.revokeSession.mockResolvedValue(true);
await jwtService.revokeToken(token);
expect(User.revokeSession).toHaveBeenCalledWith(jti);
});
});
// ... more tests ...
});

33
__tests__/unit/utils/apiKeyHelper.test.js Normal file
View File

@ -0,0 +1,33 @@
// __tests__/unit/utils/apiKeyHelper.test.js
const {
generateApiKeyParts,
hashApiKeySecret,
compareApiKeySecret,
API_KEY_IDENTIFIER_PREFIX,
} = require("../../../src/utils/apiKeyHelper"); // Adjust path
describe("API Key Helper", () => {
describe("generateApiKeyParts", () => {
it("should generate an API key with correct prefix, identifier, and secret", () => {
const { fullApiKey, identifier, secret } = generateApiKeyParts();
expect(identifier).toMatch(
new RegExp(`^${API_KEY_IDENTIFIER_PREFIX}_[a-f0-9]{12}$`)
);
expect(secret).toMatch(/^[a-f0-9]{64}$/); // 32 bytes = 64 hex chars
expect(fullApiKey).toBe(`${identifier}_${secret}`);
});
});
describe("hashApiKeySecret and compareApiKeySecret", () => {
it("should correctly hash and compare a secret", async () => {
const secret = "mySuperSecretApiKeyPart";
const hashedSecret = await hashApiKeySecret(secret);
expect(hashedSecret).not.toBe(secret);
expect(await compareApiKeySecret(secret, hashedSecret)).toBe(true);
expect(await compareApiKeySecret("wrongSecret", hashedSecret)).toBe(
false
);
});
});
});

82
__tests__/unit/utils/recaptchaHelper.test.js Normal file
View File

@ -0,0 +1,82 @@
// __tests__/unit/utils/recaptchaHelper.test.js
const { verifyRecaptchaV2 } = require("../../../src/utils/recaptchaHelper"); // Adjust path
// Mock global fetch
global.fetch = jest.fn();
describe("reCAPTCHA Helper", () => {
const RECAPTCHA_V2_SECRET_KEY_ORIG = process.env.RECAPTCHA_V2_SECRET_KEY;
beforeEach(() => {
fetch.mockClear();
// Ensure a secret key is set for these tests
process.env.RECAPTCHA_V2_SECRET_KEY = "test-secret-key";
});
afterAll(() => {
process.env.RECAPTCHA_V2_SECRET_KEY = RECAPTCHA_V2_SECRET_KEY_ORIG; // Restore original
});
it("should return true for a successful verification", async () => {
fetch.mockResolvedValueOnce({
json: async () => ({ success: true }),
});
const result = await verifyRecaptchaV2("valid-token", "127.0.0.1");
expect(result).toBe(true);
expect(fetch).toHaveBeenCalledTimes(1);
expect(fetch).toHaveBeenCalledWith(
expect.stringContaining("response=valid-token"),
{ method: "POST" }
);
});
it("should return false for a failed verification", async () => {
fetch.mockResolvedValueOnce({
json: async () => ({
success: false,
"error-codes": ["invalid-input-response"],
}),
});
const result = await verifyRecaptchaV2("invalid-token");
expect(result).toBe(false);
});
it("should return false if reCAPTCHA secret key is not set", async () => {
delete process.env.RECAPTCHA_V2_SECRET_KEY; // Temporarily remove for this test
const consoleWarnSpy = jest
.spyOn(console, "warn")
.mockImplementation(() => {});
const result = await verifyRecaptchaV2("any-token");
expect(result).toBe(false);
expect(consoleWarnSpy).toHaveBeenCalledWith(
expect.stringContaining("RECAPTCHA_V2_SECRET_KEY is not set")
);
process.env.RECAPTCHA_V2_SECRET_KEY = "test-secret-key"; // Restore for other tests
consoleWarnSpy.mockRestore();
});
it("should return false if no token is provided", async () => {
const consoleWarnSpy = jest
.spyOn(console, "warn")
.mockImplementation(() => {});
const result = await verifyRecaptchaV2("");
expect(result).toBe(false);
expect(consoleWarnSpy).toHaveBeenCalledWith(
"No reCAPTCHA token provided by client."
);
consoleWarnSpy.mockRestore();
});
it("should return false if fetch throws an error", async () => {
fetch.mockRejectedValueOnce(new Error("Network error"));
const consoleErrorSpy = jest
.spyOn(console, "error")
.mockImplementation(() => {});
const result = await verifyRecaptchaV2("any-token");
expect(result).toBe(false);
expect(consoleErrorSpy).toHaveBeenCalledWith(
"Error during reCAPTCHA verification request:",
expect.any(Error)
);
consoleErrorSpy.mockRestore();
});
});

87
combined.log
View File

@ -67,3 +67,90 @@
{"level":"info","message":"Server running on http://localhost:3000","service":"user-service"}
{"level":"info","message":"Ntfy notifications enabled for topic: https://ntfggy.sh/your-secret-form-alerts","service":"user-service"}
{"level":"info","message":"Received SIGINT, shutting down gracefully...","service":"user-service"}
{"level":"error","message":"Failed to connect to PostgreSQL database:","service":"user-service"}
{"level":"error","message":"Failed to connect to PostgreSQL database:","service":"user-service"}
{"code":"XX000","length":73,"level":"error","message":"Error checking for users table: connection is insecure (try using `sslmode=require`)","name":"error","service":"user-service","severity":"ERROR","stack":"error: connection is insecure (try using `sslmode=require`)\n at C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\node_modules\\pg-pool\\index.js:45:11\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async initializeDatabase (C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\server.js:26:3)\n at async initializeApp (C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\server.js:65:3)"}
{"level":"error","message":"Failed to connect to PostgreSQL database:","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Successfully connected to PostgreSQL database via pool.","service":"user-service"}
{"level":"info","message":"PostgreSQL current time: Wed May 28 2025 11:50:05 GMT+0200 (Central European Summer Time)","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Users table not found, attempting to initialize database...","service":"user-service"}
{"level":"info","message":"Database initialized successfully from init.sql.","service":"user-service"}
{"level":"info","message":"Server running on http://localhost:3000","service":"user-service"}
{"level":"info","message":"Ntfy notifications enabled for topic: https://ntfggy.sh/your-secret-form-alerts","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Successfully connected to PostgreSQL database via pool.","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Database tables appear to exist. Skipping initialization.","service":"user-service"}
{"level":"info","message":"Server running on http://localhost:3000","service":"user-service"}
{"level":"info","message":"Ntfy notifications enabled for topic: https://ntfggy.sh/your-secret-form-alerts","service":"user-service"}
{"level":"info","message":"PostgreSQL current time: Wed May 28 2025 11:51:38 GMT+0200 (Central European Summer Time)","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Successfully connected to PostgreSQL database via pool.","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"PostgreSQL current time: Wed May 28 2025 12:31:18 GMT+0200 (Central European Summer Time)","service":"user-service"}
{"level":"info","message":"Database tables appear to exist. Skipping initialization.","service":"user-service"}
{"level":"warn","message":"Failed to initialize RedisStore, falling back to MemoryStore for sessions. Redis client not available","service":"user-service","stack":"Error: Redis client not available\n at getRedisClient (C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\src\\config\\redis.js:82:9)\n at initializeApp (C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\server.js:99:24)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"}
{"level":"info","message":"Server running on http://localhost:3000","service":"user-service"}
{"level":"info","message":"Ntfy notifications enabled for topic: https://ntfggy.sh/your-secret-form-alerts","service":"user-service"}
{"level":"info","message":"Received SIGINT, shutting down gracefully...","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Successfully connected to PostgreSQL database via pool.","service":"user-service"}
{"level":"info","message":"PostgreSQL current time: Wed May 28 2025 12:43:16 GMT+0200 (Central European Summer Time)","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Database tables appear to exist. Skipping initialization.","service":"user-service"}
{"level":"warn","message":"Failed to initialize RedisStore, falling back to MemoryStore for sessions. Redis client not available","service":"user-service","stack":"Error: Redis client not available\n at getRedisClient (C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\src\\config\\redis.js:82:9)\n at initializeApp (C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\server.js:99:24)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"}
{"level":"info","message":"Server running on http://localhost:3000","service":"user-service"}
{"level":"info","message":"Ntfy notifications enabled for topic: https://ntfggy.sh/your-secret-form-alerts","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Successfully connected to PostgreSQL database via pool.","service":"user-service"}
{"level":"info","message":"PostgreSQL current time: Wed May 28 2025 12:43:40 GMT+0200 (Central European Summer Time)","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Database tables appear to exist. Skipping initialization.","service":"user-service"}
{"level":"info","message":"Server running on http://localhost:3000","service":"user-service"}
{"level":"info","message":"Ntfy notifications enabled for topic: https://ntfggy.sh/your-secret-form-alerts","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Successfully connected to PostgreSQL database via pool.","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"PostgreSQL current time: Wed May 28 2025 12:43:59 GMT+0200 (Central European Summer Time)","service":"user-service"}
{"level":"info","message":"Database tables appear to exist. Skipping initialization.","service":"user-service"}
{"level":"info","message":"Server running on http://localhost:3000","service":"user-service"}
{"level":"info","message":"Ntfy notifications enabled for topic: https://ntfggy.sh/your-secret-form-alerts","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /api/auth - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /favicon.ico - Method: GET - IP: ::1","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Cleaned up 0 expired user sessions.","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Cleaned up 0 expired user sessions.","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Cleaned up 0 expired user sessions.","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Successfully connected to PostgreSQL database via pool.","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"PostgreSQL current time: Wed May 28 2025 16:05:43 GMT+0200 (Central European Summer Time)","service":"user-service"}
{"level":"info","message":"Database tables appear to exist. Skipping initialization.","service":"user-service"}
{"level":"info","message":"Server running on http://localhost:3000","service":"user-service"}
{"level":"info","message":"Ntfy notifications enabled for topic: https://ntfggy.sh/your-secret-form-alerts","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /register - Method: GET - IP: ::1","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"Successfully connected to PostgreSQL database via pool.","service":"user-service"}
{"level":"info","message":"New client connected to the PostgreSQL database","service":"user-service"}
{"level":"info","message":"PostgreSQL current time: Wed May 28 2025 16:10:57 GMT+0200 (Central European Summer Time)","service":"user-service"}
{"level":"info","message":"Database tables appear to exist. Skipping initialization.","service":"user-service"}
{"level":"info","message":"Server running on http://localhost:3000","service":"user-service"}
{"level":"info","message":"Ntfy notifications enabled for topic: https://ntfggy.sh/your-secret-form-alerts","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}
{"level":"warn","message":"404 - Endpoint not found: /.well-known/appspecific/com.chrome.devtools.json - Method: GET - IP: ::1","service":"user-service"}

26
docker-compose.prod.yml
View File

@ -22,28 +22,18 @@ services:
restart: unless-stopped
db:
image: mysql:8.0
image: postgres:15-alpine
ports:
- "3307:3306" # Expose DB on host port 3307 (to avoid conflict if you have local MySQL on 3306)
- "5432:5432" # Standard PostgreSQL port
environment:
MYSQL_ROOT_PASSWORD: your_root_password # Change this
MYSQL_DATABASE: ${DB_NAME}
MYSQL_USER: ${DB_USER}
MYSQL_PASSWORD: ${DB_PASSWORD}
POSTGRES_USER: ${DB_USER}
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_DB: ${DB_NAME}
volumes:
- mysql_data:/var/lib/mysql # Persist database data
- pg_data:/var/lib/postgresql/data # Persist database data
- ./init.sql:/docker-entrypoint-initdb.d/init.sql # Run init script on startup
healthcheck:
test:
[
"CMD",
"mysqladmin",
"ping",
"-h",
"localhost",
"-u$$MYSQL_USER",
"-p$$MYSQL_PASSWORD",
]
test: ["CMD-SHELL", "pg_isready -U ${DB_USER} -d ${DB_NAME} -h localhost"]
interval: 10s
timeout: 5s
retries: 5
@ -64,5 +54,5 @@ services:
restart: unless-stopped
volumes:
mysql_data:
pg_data:
redis_data:

21
docker-compose.yml
View File

@ -7,7 +7,7 @@ services:
- "3000:3000"
environment:
- NODE_ENV=development
- DB_HOST=mysql
- DB_HOST=postgres
- DB_USER=${DB_USER}
- DB_PASSWORD=${DB_PASSWORD}
- DB_NAME=${DB_NAME}
@ -17,20 +17,19 @@ services:
- .:/usr/src/app
- /usr/src/app/node_modules
depends_on:
- mysql
- postgres
- redis
mysql:
image: mysql:8.0
postgres:
image: postgres:15-alpine
ports:
- "3306:3306"
- "5432:5432"
environment:
- MYSQL_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
- MYSQL_DATABASE=${DB_NAME}
- MYSQL_USER=${DB_USER}
- MYSQL_PASSWORD=${DB_PASSWORD}
- POSTGRES_USER=${DB_USER}
- POSTGRES_PASSWORD=${DB_PASSWORD}
- POSTGRES_DB=${DB_NAME}
volumes:
- mysql_data:/var/lib/mysql
- pg_data:/var/lib/postgresql/data
redis:
image: redis:7-alpine
@ -41,5 +40,5 @@ services:
- redis_data:/data
volumes:
mysql_data:
pg_data:
redis_data:

19
env.development.template Normal file
View File

@ -0,0 +1,19 @@
DATABASE_URL=your_neon_development_connection_string_with_sslmode_require # e.g., postgresql://user:password@host:port/dbname?sslmode=require
# DB_HOST=localhost
# DB_PORT=5432
# DB_USER=your_postgres_user
# DB_PASSWORD=your_postgres_password
# DB_NAME=your_postgres_database_name
# Redis - if you keep using it
REDIS_HOST=localhost
REDIS_PORT=6379
# REDIS_PASSWORD=your_redis_password # Uncomment if your Redis has a password
# Application specific
NODE_ENV=development
PORT=3000
# Example for JWT secrets, session secrets, etc.
# SESSION_SECRET=your_strong_session_secret
# JWT_SECRET=your_strong_jwt_secret

24
env.production.template Normal file
View File

@ -0,0 +1,24 @@
DATABASE_URL=your_neon_production_connection_string_with_sslmode_require # e.g., postgresql://user:password@host:port/dbname?sslmode=require
# DB_HOST=your_production_db_host_or_service_name # e.g., the service name in docker-compose.prod.yml like 'db'
# DB_PORT=5432
# DB_USER=your_production_postgres_user
# DB_PASSWORD=your_production_postgres_password
# DB_NAME=your_production_postgres_database_name
# Redis
REDIS_HOST=your_production_redis_host_or_service_name # e.g., the service name in docker-compose.prod.yml like 'redis'
REDIS_PORT=6379 # Or your production Redis port if different
REDIS_PASSWORD=your_production_redis_password # Ensure this is set for production
# Application specific
NODE_ENV=production
PORT=3000 # Or your desired production port
# Security - VERY IMPORTANT: Use strong, unique secrets for production
SESSION_SECRET=generate_a_very_strong_random_string_for_session_secret
JWT_SECRET=generate_a_very_strong_random_string_for_jwt_secret
# Other production settings
# For example, if you have specific logging levels or API keys for production
# LOG_LEVEL=warn
# THIRD_PARTY_API_KEY=your_production_api_key

4
error.log
View File

@ -0,0 +1,4 @@
{"level":"error","message":"Failed to connect to PostgreSQL database:","service":"user-service"}
{"level":"error","message":"Failed to connect to PostgreSQL database:","service":"user-service"}
{"code":"XX000","length":73,"level":"error","message":"Error checking for users table: connection is insecure (try using `sslmode=require`)","name":"error","service":"user-service","severity":"ERROR","stack":"error: connection is insecure (try using `sslmode=require`)\n at C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\node_modules\\pg-pool\\index.js:45:11\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async initializeDatabase (C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\server.js:26:3)\n at async initializeApp (C:\\Users\\Mohamad.Elsena\\Desktop\\dev\\mooo\\mo\\formies\\server.js:65:3)"}
{"level":"error","message":"Failed to connect to PostgreSQL database:","service":"user-service"}

242
init.sql
View File

@ -1,133 +1,147 @@
-- init.sql
CREATE DATABASE IF NOT EXISTS forms_db;
USE forms_db;
-- init.sql for PostgreSQL
-- Attempt to create the database if it doesn't exist.
-- Note: CREATE DATABASE IF NOT EXISTS is not standard SQL for all clients.
-- This might need to be handled outside the script or by connecting to a default db like 'postgres' first.
-- For docker-entrypoint-initdb.d, this script is typically run after the DB specified by POSTGRES_DB is created.
-- Enable pgcrypto extension for gen_random_uuid() if not already enabled
CREATE EXTENSION IF NOT EXISTS "pgcrypto";
-- Users table for authentication and authorization
CREATE TABLE IF NOT EXISTS `users` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`uuid` TEXT NOT NULL UNIQUE,
`email` TEXT NOT NULL UNIQUE,
`password_hash` TEXT NOT NULL,
`first_name` TEXT DEFAULT NULL,
`last_name` TEXT DEFAULT NULL,
`role` TEXT DEFAULT 'user' CHECK(`role` IN ('user', 'admin', 'super_admin')),
`is_verified` INTEGER DEFAULT 0,
`is_active` INTEGER DEFAULT 1,
`verification_token` TEXT DEFAULT NULL,
`password_reset_token` TEXT DEFAULT NULL,
`password_reset_expires` DATETIME NULL DEFAULT NULL,
`last_login` DATETIME NULL DEFAULT NULL,
`failed_login_attempts` INTEGER DEFAULT 0,
`account_locked_until` DATETIME NULL DEFAULT NULL,
`must_change_password` INTEGER DEFAULT 0,
`created_at` DATETIME DEFAULT CURRENT_TIMESTAMP,
`updated_at` DATETIME DEFAULT CURRENT_TIMESTAMP,
UNIQUE (`email`),
UNIQUE (`uuid`)
CREATE TABLE IF NOT EXISTS users (
id SERIAL PRIMARY KEY,
uuid UUID NOT NULL UNIQUE DEFAULT gen_random_uuid(),
email VARCHAR(255) NOT NULL UNIQUE,
password_hash TEXT NOT NULL,
first_name VARCHAR(255) DEFAULT NULL,
last_name VARCHAR(255) DEFAULT NULL,
role VARCHAR(50) DEFAULT 'user' CHECK(role IN ('user', 'admin', 'super_admin')),
is_verified BOOLEAN DEFAULT FALSE,
is_active BOOLEAN DEFAULT TRUE,
verification_token TEXT DEFAULT NULL,
password_reset_token TEXT DEFAULT NULL,
password_reset_expires TIMESTAMPTZ NULL DEFAULT NULL,
last_login TIMESTAMPTZ NULL DEFAULT NULL,
failed_login_attempts INTEGER DEFAULT 0,
account_locked_until TIMESTAMPTZ NULL DEFAULT NULL,
must_change_password BOOLEAN DEFAULT FALSE,
created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP
-- Removed redundant UNIQUE constraints as they are already on id, uuid, email
);
CREATE INDEX IF NOT EXISTS `idx_email` ON `users` (`email`);
CREATE INDEX IF NOT EXISTS `idx_verification_token` ON `users` (`verification_token`);
CREATE INDEX IF NOT EXISTS `idx_password_reset_token` ON `users` (`password_reset_token`);
CREATE INDEX IF NOT EXISTS `idx_uuid_users` ON `users` (`uuid`);
CREATE INDEX IF NOT EXISTS idx_email ON users (email);
CREATE INDEX IF NOT EXISTS idx_verification_token ON users (verification_token);
CREATE INDEX IF NOT EXISTS idx_password_reset_token ON users (password_reset_token);
CREATE INDEX IF NOT EXISTS idx_uuid_users ON users (uuid);
-- User sessions table for JWT blacklisting and session management
CREATE TABLE IF NOT EXISTS `user_sessions` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`user_id` INTEGER NOT NULL,
`token_jti` TEXT NOT NULL UNIQUE,
`expires_at` DATETIME NOT NULL,
`created_at` DATETIME DEFAULT CURRENT_TIMESTAMP,
`user_agent` TEXT DEFAULT NULL,
`ip_address` TEXT DEFAULT NULL,
FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON DELETE CASCADE
CREATE TABLE IF NOT EXISTS user_sessions (
id SERIAL PRIMARY KEY,
user_id INTEGER NOT NULL,
token_jti TEXT NOT NULL UNIQUE,
expires_at TIMESTAMPTZ NOT NULL,
created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
user_agent TEXT DEFAULT NULL,
ip_address VARCHAR(255) DEFAULT NULL,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS `idx_token_jti` ON `user_sessions` (`token_jti`);
CREATE INDEX IF NOT EXISTS `idx_user_id_sessions` ON `user_sessions` (`user_id`);
CREATE INDEX IF NOT EXISTS `idx_expires_at_sessions` ON `user_sessions` (`expires_at`);
CREATE INDEX IF NOT EXISTS idx_token_jti ON user_sessions (token_jti);
CREATE INDEX IF NOT EXISTS idx_user_id_sessions ON user_sessions (user_id);
CREATE INDEX IF NOT EXISTS idx_expires_at_sessions ON user_sessions (expires_at);
-- Update forms table to associate with users
CREATE TABLE IF NOT EXISTS `forms` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`uuid` TEXT NOT NULL UNIQUE,
`user_id` INTEGER NOT NULL,
`name` TEXT DEFAULT 'My Form',
`created_at` DATETIME DEFAULT CURRENT_TIMESTAMP,
`updated_at` DATETIME DEFAULT CURRENT_TIMESTAMP,
`thank_you_url` TEXT DEFAULT NULL,
`thank_you_message` TEXT DEFAULT NULL,
`ntfy_enabled` INTEGER DEFAULT 1,
`is_archived` INTEGER DEFAULT 0,
`allowed_domains` TEXT DEFAULT NULL,
`email_notifications_enabled` INTEGER NOT NULL DEFAULT 0,
`notification_email_address` TEXT DEFAULT NULL,
`recaptcha_enabled` INTEGER NOT NULL DEFAULT 0,
FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON DELETE CASCADE
-- Forms table
CREATE TABLE IF NOT EXISTS forms (
id SERIAL PRIMARY KEY,
uuid UUID NOT NULL UNIQUE DEFAULT gen_random_uuid(),
user_id INTEGER NOT NULL,
name VARCHAR(255) DEFAULT 'My Form',
created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
thank_you_url TEXT DEFAULT NULL,
thank_you_message TEXT DEFAULT NULL,
ntfy_enabled BOOLEAN DEFAULT TRUE,
is_archived BOOLEAN DEFAULT FALSE,
allowed_domains TEXT DEFAULT NULL, -- Consider array of VARCHARs or separate table for multi-domain
email_notifications_enabled BOOLEAN NOT NULL DEFAULT FALSE,
notification_email_address VARCHAR(255) DEFAULT NULL,
recaptcha_enabled BOOLEAN NOT NULL DEFAULT FALSE,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS `idx_user_id_forms` ON `forms` (`user_id`);
CREATE INDEX IF NOT EXISTS `idx_uuid_forms` ON `forms` (`uuid`);
CREATE INDEX IF NOT EXISTS idx_user_id_forms ON forms (user_id);
CREATE INDEX IF NOT EXISTS idx_uuid_forms ON forms (uuid);
CREATE TABLE IF NOT EXISTS `submissions` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`form_uuid` TEXT NOT NULL,
`user_id` INTEGER NOT NULL,
`data` TEXT NOT NULL, -- Storing JSON as TEXT
`ip_address` TEXT NULL,
`submitted_at` DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (`form_uuid`) REFERENCES `forms`(`uuid`) ON DELETE CASCADE,
FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON DELETE CASCADE
-- Submissions table
CREATE TABLE IF NOT EXISTS submissions (
id SERIAL PRIMARY KEY,
form_uuid UUID NOT NULL,
user_id INTEGER NOT NULL, -- Assuming submissions are tied to a user account that owns the form
data JSONB NOT NULL, -- Storing JSON as JSONB
ip_address VARCHAR(255) NULL,
submitted_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (form_uuid) REFERENCES forms(uuid) ON DELETE CASCADE,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE -- Or remove if submissions are anonymous to users table
);
CREATE INDEX IF NOT EXISTS `idx_form_uuid_submissions` ON `submissions` (`form_uuid`);
CREATE INDEX IF NOT EXISTS `idx_user_id_submissions` ON `submissions` (`user_id`);
CREATE INDEX IF NOT EXISTS `idx_submitted_at_submissions` ON `submissions` (`submitted_at`);
CREATE INDEX IF NOT EXISTS idx_form_uuid_submissions ON submissions (form_uuid);
CREATE INDEX IF NOT EXISTS idx_user_id_submissions ON submissions (user_id);
CREATE INDEX IF NOT EXISTS idx_submitted_at_submissions ON submissions (submitted_at);
-- Rate limiting table for enhanced security (Simplified for SQLite)
-- Note: TIMESTAMP logic for window_start and expires_at might need application-level management
-- depending on how it was used with MySQL.
CREATE TABLE IF NOT EXISTS `rate_limits` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`identifier` TEXT NOT NULL,
`action` TEXT NOT NULL,
`count` INTEGER DEFAULT 1,
`window_start` DATETIME DEFAULT CURRENT_TIMESTAMP,
`expires_at` DATETIME NOT NULL,
UNIQUE (`identifier`, `action`)
-- Rate limiting table
CREATE TABLE IF NOT EXISTS rate_limits (
id SERIAL PRIMARY KEY,
identifier TEXT NOT NULL,
action TEXT NOT NULL,
count INTEGER DEFAULT 1,
window_start TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
expires_at TIMESTAMPTZ NOT NULL,
UNIQUE (identifier, action)
);
CREATE INDEX IF NOT EXISTS `idx_identifier_action_rate_limits` ON `rate_limits` (`identifier`, `action`);
CREATE INDEX IF NOT EXISTS `idx_expires_at_rate_limits` ON `rate_limits` (`expires_at`);
CREATE INDEX IF NOT EXISTS idx_identifier_action_rate_limits ON rate_limits (identifier, action);
CREATE INDEX IF NOT EXISTS idx_expires_at_rate_limits ON rate_limits (expires_at);
-- Create default admin user (password will be set on first login)
-- You should change this immediately after first login
INSERT OR IGNORE INTO users (email, password_hash, first_name, last_name, role, is_verified, is_active, must_change_password, uuid)
VALUES ('admin@formies.local', 'NEEDS_TO_BE_SET_ON_FIRST_LOGIN', 'Admin', 'User', 'super_admin', 1, 1, 1, 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'); -- Placeholder UUID, generate dynamically in app if needed
-- API Keys table for user-generated API access
CREATE TABLE IF NOT EXISTS `api_keys` (
`id` INTEGER PRIMARY KEY AUTOINCREMENT,
`uuid` TEXT NOT NULL UNIQUE,
`user_id` INTEGER NOT NULL,
`key_name` TEXT DEFAULT NULL,
`api_key_identifier` TEXT NOT NULL UNIQUE, -- Public, non-secret identifier for lookup
`hashed_api_key_secret` TEXT NOT NULL, -- Hashed version of the secret part of the API key
`created_at` DATETIME DEFAULT CURRENT_TIMESTAMP,
`last_used_at` DATETIME NULL DEFAULT NULL,
`expires_at` DATETIME NULL DEFAULT NULL, -- For future use
FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON DELETE CASCADE
-- API Keys table
CREATE TABLE IF NOT EXISTS api_keys (
id SERIAL PRIMARY KEY,
uuid UUID NOT NULL UNIQUE DEFAULT gen_random_uuid(),
user_id INTEGER NOT NULL,
key_name VARCHAR(255) DEFAULT NULL,
api_key_identifier TEXT NOT NULL UNIQUE,
hashed_api_key_secret TEXT NOT NULL,
created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
last_used_at TIMESTAMPTZ NULL DEFAULT NULL,
expires_at TIMESTAMPTZ NULL DEFAULT NULL,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS `idx_user_id_api_keys` ON `api_keys` (`user_id`);
CREATE INDEX IF NOT EXISTS `idx_api_key_identifier_api_keys` ON `api_keys` (`api_key_identifier`);
CREATE INDEX IF NOT EXISTS idx_user_id_api_keys ON api_keys (user_id);
CREATE INDEX IF NOT EXISTS idx_api_key_identifier_api_keys ON api_keys (api_key_identifier);
-- Trigger to update 'updated_at' timestamp on users table (optional, can be handled in app code)
CREATE TRIGGER IF NOT EXISTS update_users_updated_at
AFTER UPDATE ON users
FOR EACH ROW
-- Function and Trigger to update 'updated_at' timestamp
CREATE OR REPLACE FUNCTION trigger_set_timestamp()
RETURNS TRIGGER AS $$
BEGIN
UPDATE users SET updated_at = CURRENT_TIMESTAMP WHERE id = OLD.id;
NEW.updated_at = NOW();
RETURN NEW;
END;
$$ LANGUAGE plpgsql;
-- Trigger to update 'updated_at' timestamp on forms table (optional, can be handled in app code)
CREATE TRIGGER IF NOT EXISTS update_forms_updated_at
AFTER UPDATE ON forms
-- Trigger for users table
CREATE TRIGGER set_timestamp_users
BEFORE UPDATE ON users
FOR EACH ROW
BEGIN
UPDATE forms SET updated_at = CURRENT_TIMESTAMP WHERE id = OLD.id;
END;
EXECUTE PROCEDURE trigger_set_timestamp();
-- Trigger for forms table
CREATE TRIGGER set_timestamp_forms
BEFORE UPDATE ON forms
FOR EACH ROW
EXECUTE PROCEDURE trigger_set_timestamp();
-- Create default super admin user
-- Using ON CONFLICT to prevent error if user already exists.
-- UUID is now generated by default by the database.
INSERT INTO users (email, password_hash, first_name, last_name, role, is_verified, is_active, must_change_password)
VALUES ('admin@formies.local', 'NEEDS_TO_BE_SET_ON_FIRST_LOGIN', 'Admin', 'User', 'super_admin', TRUE, TRUE, TRUE)
ON CONFLICT (email) DO NOTHING;
-- Note: PRAGMA foreign_keys = ON; is not needed in PostgreSQL. FKs are enforced by default if defined.
-- Note: Backticks for table/column names are generally not needed unless using reserved words or special chars.
-- Standard SQL double quotes can be used if necessary, but unquoted is often preferred.

28
jest.config.js
View File

@ -4,25 +4,25 @@ module.exports = {
verbose: true,
coveragePathIgnorePatterns: [
"/node_modules/",
"/__tests__/setup/", // Ignore setup files from coverage
"/src/config/", // Often configuration files don't need testing
"/config/", // logger config
"/__tests__/setup/",
"/src/config/", // DB, Passport, Redis configs
"/config/", // Logger config
],
// Automatically clear mock calls and instances between every test
clearMocks: true,
// A path to a module which exports an async function that is triggered once before all test suites
// globalSetup: './__tests__/setup/globalSetup.js', // Optional: If you need global setup
// A path to a module which exports an async function that is triggered once after all test suites
// globalTeardown: './__tests__/setup/globalTeardown.js', // Optional: If you need global teardown
// The directory where Jest should output its coverage files
coverageDirectory: "coverage",
// Indicates whether the coverage information should be collected while executing the test
collectCoverage: true,
// An array of glob patterns indicating a set of files for which coverage information should be collected
collectCoverageFrom: [
"src/**/*.js",
"!server.js", // Usually the main server start file is hard to unit test directly
"!src/app.js", // If you extract Express app setup to app.js for testability
"!server.js",
"!src/app.js", // If you create an app.js
"!src/config/database.js", // Usually not directly tested
"!src/config/passport.js", // Tested via auth integration tests
"!src/config/redis.js", // Tested via rate limiter integration tests
"!src/services/notification.js", // External, consider mocking if tested
],
setupFilesAfterEnv: ["./__tests__/setup/jest.setup.js"], // For things like extending expect
setupFilesAfterEnv: ["./__tests__/setup/jest.setup.js"],
// Stop tests after first failure if desired for faster feedback during dev
// bail: 1,
// Force exit after tests are complete if you have open handles (use with caution)
// forceExit: true, // Usually indicates something isn't being torn down correctly
};

4
package.json
View File

@ -15,6 +15,7 @@
"dependencies": {
"basic-auth": "^2.0.1",
"bcryptjs": "^2.4.3",
"connect-redis": "^8.1.0",
"dotenv": "^16.5.0",
"ejs": "^3.1.10",
"express": "^5.1.0",
@ -27,6 +28,7 @@
"passport": "^0.7.0",
"passport-jwt": "^4.0.1",
"passport-local": "^1.0.0",
"pg": "^8.16.0",
"rate-limit-redis": "^4.2.0",
"redis": "^4.7.0",
"resend": "^4.5.1",
@ -35,8 +37,8 @@
"winston": "^3.17.0"
},
"devDependencies": {
"nodemon": "^3.0.2",
"jest": "^29.7.0",
"nodemon": "^3.0.2",
"supertest": "^7.0.0"
}
}

63
server.js
View File

@ -2,11 +2,11 @@ require("dotenv").config();
const express = require("express");
const path = require("path");
const fs = require("fs"); // Added for fs operations
const db = require("./src/config/database"); // SQLite db instance
const pool = require("./src/config/database"); // Changed to pg pool
const helmet = require("helmet");
const session = require("express-session");
const passport = require("./src/config/passport");
const logger = require("./config/logger");
const logger = require("./config/logger"); // Corrected logger path back to original
const errorHandler = require("./middleware/errorHandler");
const { connectRedis, closeRedis } = require("./src/config/redis");
@ -19,37 +19,36 @@ const apiV1Routes = require("./src/routes/api_v1");
const app = express();
const PORT = process.env.PORT || 3000;
// Function to initialize the database
// Function to initialize the database with PostgreSQL
async function initializeDatabase() {
const dbPath = path.resolve(__dirname, "formies.sqlite");
const dbExists = fs.existsSync(dbPath);
if (!dbExists) {
logger.info("Database file not found, creating and initializing...");
try {
// The 'db' instance from './src/config/database' should already create the file.
// Now, run the init.sql script.
const initSql = fs.readFileSync(
path.resolve(__dirname, "init.sql"),
"utf8"
try {
// Check if a key table exists (e.g., users) to see if DB is initialized
await pool.query("SELECT 1 FROM users LIMIT 1");
logger.info("Database tables appear to exist. Skipping initialization.");
} catch (tableCheckError) {
// Specific error code for undefined_table in PostgreSQL is '42P01'
if (tableCheckError.code === "42P01") {
logger.info(
"Users table not found, attempting to initialize database..."
);
// SQLite driver's `exec` method can run multiple statements
await new Promise((resolve, reject) => {
db.exec(initSql, (err) => {
if (err) {
logger.error("Failed to initialize database:", err);
return reject(err);
}
logger.info("Database initialized successfully.");
resolve();
});
});
} catch (error) {
logger.error("Error during database initialization:", error);
process.exit(1); // Exit if DB initialization fails
try {
const initSql = fs.readFileSync(
path.resolve(__dirname, "init.sql"),
"utf8"
);
// Execute the entire init.sql script.
// pg library can usually handle multi-statement queries if separated by semicolons.
await pool.query(initSql);
logger.info("Database initialized successfully from init.sql.");
} catch (initError) {
logger.error("Failed to initialize database with init.sql:", initError);
process.exit(1); // Exit if DB initialization fails
}
} else {
// Another error occurred during the table check
logger.error("Error checking for users table:", tableCheckError);
process.exit(1); // Exit on other DB errors during startup
}
} else {
logger.info("Database file found.");
}
}
@ -63,7 +62,7 @@ async function initializeApp() {
});
try {
await initializeDatabase(); // Initialize SQLite database
await initializeDatabase(); // Initialize PostgreSQL database
} catch (error) {
logger.error("Failed to initialize database:", error);
process.exit(1); // Exit if DB initialization fails
@ -193,3 +192,5 @@ initializeApp().catch((error) => {
logger.error("Failed to initialize application:", error);
process.exit(1);
});
module.exports = app;

65
src/config/database.js
View File

@ -1,20 +1,53 @@
const sqlite3 = require("sqlite3").verbose();
const path = require("path");
const { Pool } = require("pg");
const logger = require("../../config/logger"); // Corrected logger path
const dbPath = path.resolve(__dirname, "../../formies.sqlite");
// Load environment variables
// require('dotenv').config(); // Call this at the very start of your app, e.g. in server.js
const db = new sqlite3.Database(dbPath, (err) => {
if (err) {
console.error("Error opening database", err.message);
} else {
console.log("Connected to the SQLite database.");
// Enable foreign key support
db.run("PRAGMA foreign_keys = ON;", (pragmaErr) => {
if (pragmaErr) {
console.error("Failed to enable foreign keys:", pragmaErr.message);
}
});
}
const pool = new Pool({
connectionString: process.env.DATABASE_URL,
ssl: {
rejectUnauthorized: false, // Necessary for some cloud providers, including Neon
},
// user: process.env.DB_USER,
// host: process.env.DB_HOST,
// database: process.env.DB_NAME,
// password: process.env.DB_PASSWORD,
// port: process.env.DB_PORT || 5432, // Default PostgreSQL port
// Optional: Add more pool configuration options if needed
// max: 20, // Max number of clients in the pool
// idleTimeoutMillis: 30000, // How long a client is allowed to remain idle before being closed
// connectionTimeoutMillis: 2000, // How long to wait for a connection from the pool
});
module.exports = db;
pool.on("connect", (client) => {
logger.info("New client connected to the PostgreSQL database");
// You can set session-level parameters here if needed, e.g.:
// client.query('SET TIMEZONE="UTC";');
});
pool.on("error", (err, client) => {
logger.error("Unexpected error on idle PostgreSQL client", {
error: err.message,
clientInfo: client ? `Client connected for ${client.processID}` : "N/A",
});
// process.exit(-1); // Consider if you want to exit on idle client errors
});
// Test the connection (optional, but good for startup diagnostics)
async function testConnection() {
try {
const client = await pool.connect();
logger.info("Successfully connected to PostgreSQL database via pool.");
const res = await client.query("SELECT NOW()");
logger.info(`PostgreSQL current time: ${res.rows[0].now}`);
client.release();
} catch (err) {
logger.error("Failed to connect to PostgreSQL database:", err.stack);
// process.exit(1); // Exit if DB connection is critical for startup
}
}
testConnection();
module.exports = pool; // Export the pool

448
src/models/User.js
View File

@ -1,45 +1,11 @@
const bcrypt = require("bcryptjs");
const crypto = require("crypto");
const { v4: uuidv4 } = require("uuid");
const db = require("../config/database"); // db is now an instance of sqlite3.Database
// const { v4: uuidv4 } = require("uuid"); // UUIDs will be generated by PostgreSQL
const pool = require("../config/database"); // db is now the pg Pool
const logger = require("../../config/logger"); // Corrected logger path
class User {
// Helper to run queries with promises
static _run(query, params = []) {
return new Promise((resolve, reject) => {
db.run(query, params, function (err) {
if (err) {
reject(err);
} else {
resolve(this); // { lastID, changes }
}
});
});
}
static _get(query, params = []) {
return new Promise((resolve, reject) => {
db.get(query, params, (err, row) => {
if (err) {
reject(err);
} else {
resolve(row);
}
});
});
}
static _all(query, params = []) {
return new Promise((resolve, reject) => {
db.all(query, params, (err, rows) => {
if (err) {
reject(err);
} else {
resolve(rows);
}
});
});
}
// No need for _run, _get, _all as pool.query returns a promise with a consistent result object.
// Create a new user
static async create(userData) {
@ -49,20 +15,20 @@ class User {
first_name,
last_name,
role = "user",
is_verified = 0, // SQLite uses 0 for false
is_verified = false, // PostgreSQL uses true/false for BOOLEAN
} = userData;
const saltRounds = 12;
const password_hash = await bcrypt.hash(password, saltRounds);
const verification_token = crypto.randomBytes(32).toString("hex");
const uuid = uuidv4();
// UUID is generated by DB default (gen_random_uuid())
const query = `
INSERT INTO users (uuid, email, password_hash, first_name, last_name, role, is_verified, verification_token, created_at, updated_at)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, datetime('now'), datetime('now'))
INSERT INTO users (email, password_hash, first_name, last_name, role, is_verified, verification_token, created_at, updated_at)
VALUES ($1, $2, $3, $4, $5, $6, $7, NOW(), NOW())
RETURNING id, uuid, email, first_name, last_name, role, is_verified, verification_token;
`;
const values = [
uuid,
email,
password_hash,
first_name,
@ -73,70 +39,73 @@ class User {
];
try {
const result = await User._run(query, values);
return {
id: result.lastID,
uuid,
email,
first_name,
last_name,
role,
is_verified,
verification_token,
};
const result = await pool.query(query, values);
return result.rows[0]; // Returns the newly created user data including id and uuid
} catch (error) {
if (error.message && error.message.includes("UNIQUE constraint failed")) {
// Check for specific constraint if possible, e.g., error.message.includes("users.email")
throw new Error("Email already exists");
// PostgreSQL error codes: https://www.postgresql.org/docs/current/errcodes-appendix.html
if (error.code === "23505") {
// unique_violation
if (error.constraint === "users_email_key") {
// Or whatever your unique constraint name for email is
throw new Error("Email already exists");
}
// Potentially other unique constraints like users_uuid_key if not handled by default generation
}
logger.error("Error creating user:", error);
throw error;
}
}
// Find user by email
static async findByEmail(email) {
const query = "SELECT * FROM users WHERE email = ? AND is_active = 1";
return User._get(query, [email]);
const query = "SELECT * FROM users WHERE email = $1 AND is_active = TRUE";
const { rows } = await pool.query(query, [email]);
return rows[0];
}
// Find user by ID
static async findById(id) {
const query = "SELECT * FROM users WHERE id = ? AND is_active = 1";
return User._get(query, [id]);
const query = "SELECT * FROM users WHERE id = $1 AND is_active = TRUE";
const { rows } = await pool.query(query, [id]);
return rows[0];
}
// Find user by UUID
static async findByUuid(uuid) {
const query = "SELECT * FROM users WHERE uuid = ? AND is_active = 1";
return User._get(query, [uuid]);
const query = "SELECT * FROM users WHERE uuid = $1 AND is_active = TRUE";
const { rows } = await pool.query(query, [uuid]);
return rows[0];
}
// Find user by verification token
static async findByVerificationToken(token) {
const query = "SELECT * FROM users WHERE verification_token = ?";
return User._get(query, [token]);
const query = "SELECT * FROM users WHERE verification_token = $1";
const { rows } = await pool.query(query, [token]);
return rows[0];
}
// Find user by password reset token
static async findByPasswordResetToken(token) {
const query = `
SELECT * FROM users
WHERE password_reset_token = ?
AND password_reset_expires > datetime('now')
AND is_active = 1
WHERE password_reset_token = $1
AND password_reset_expires > NOW()
AND is_active = TRUE
`;
return User._get(query, [token]);
const { rows } = await pool.query(query, [token]);
return rows[0];
}
// Verify email
static async verifyEmail(token) {
const query = `
UPDATE users
SET is_verified = 1, verification_token = NULL, updated_at = datetime('now')
WHERE verification_token = ?
SET is_verified = TRUE, verification_token = NULL -- updated_at is handled by trigger
WHERE verification_token = $1
RETURNING id;
`;
const result = await User._run(query, [token]);
return result.changes > 0;
const result = await pool.query(query, [token]);
return result.rowCount > 0;
}
// Update password
@ -145,11 +114,11 @@ class User {
const password_hash = await bcrypt.hash(newPassword, saltRounds);
const query = `
UPDATE users
SET password_hash = ?, password_reset_token = NULL, password_reset_expires = NULL, updated_at = datetime('now')
WHERE id = ?
SET password_hash = $1, password_reset_token = NULL, password_reset_expires = NULL -- updated_at handled by trigger
WHERE id = $2
`;
const result = await User._run(query, [password_hash, id]);
return result.changes > 0;
const result = await pool.query(query, [password_hash, id]);
return result.rowCount > 0;
}
// Update password and clear must_change_password flag
@ -158,30 +127,30 @@ class User {
const password_hash = await bcrypt.hash(newPassword, saltRounds);
const query = `
UPDATE users
SET password_hash = ?,
must_change_password = 0,
SET password_hash = $1,
must_change_password = FALSE,
password_reset_token = NULL,
password_reset_expires = NULL,
updated_at = datetime('now')
WHERE id = ?
password_reset_expires = NULL -- updated_at handled by trigger
WHERE id = $2
`;
const result = await User._run(query, [password_hash, id]);
return result.changes > 0;
const result = await pool.query(query, [password_hash, id]);
return result.rowCount > 0;
}
// Set password reset token
static async setPasswordResetToken(email) {
const token = crypto.randomBytes(32).toString("hex");
// SQLite expects DATETIME strings, ISO 8601 format is good
const expires = new Date(Date.now() + 3600000).toISOString();
// PostgreSQL TIMESTAMPTZ handles timezone conversion, interval syntax is cleaner
const expires = new Date(Date.now() + 3600000); // Still use JS Date for interval calculation
const query = `
UPDATE users
SET password_reset_token = ?, password_reset_expires = ?, updated_at = datetime('now')
WHERE email = ? AND is_active = 1
SET password_reset_token = $1, password_reset_expires = $2 -- updated_at handled by trigger
WHERE email = $3 AND is_active = TRUE
RETURNING id;
`;
const result = await User._run(query, [token, expires, email]);
if (result.changes > 0) {
const result = await pool.query(query, [token, expires, email]);
if (result.rowCount > 0) {
return { token, expires };
}
return null;
@ -189,52 +158,46 @@ class User {
// Increment failed login attempts
static async incrementFailedLoginAttempts(id) {
// Note: SQLite's CASE WHEN THEN ELSE END syntax is similar to MySQL
// Locking for 30 minutes
const query = `
UPDATE users
SET failed_login_attempts = failed_login_attempts + 1,
account_locked_until = CASE
WHEN failed_login_attempts >= 4 THEN datetime('now', '+30 minutes')
WHEN failed_login_attempts >= 4 THEN NOW() + interval '30 minutes'
ELSE account_locked_until
END,
updated_at = datetime('now')
WHERE id = ?
END -- updated_at handled by trigger
WHERE id = $1
`;
await User._run(query, [id]);
await pool.query(query, [id]);
}
// Reset failed login attempts
static async resetFailedLoginAttempts(id) {
const query = `
UPDATE users
SET failed_login_attempts = 0, account_locked_until = NULL, updated_at = datetime('now')
WHERE id = ?
SET failed_login_attempts = 0, account_locked_until = NULL -- updated_at handled by trigger
WHERE id = $1
`;
await User._run(query, [id]);
await pool.query(query, [id]);
}
// Update last login
static async updateLastLogin(id) {
const query =
"UPDATE users SET last_login = datetime('now'), updated_at = datetime('now') WHERE id = ?";
await User._run(query, [id]);
const query = "UPDATE users SET last_login = NOW() WHERE id = $1"; // updated_at handled by trigger
await pool.query(query, [id]);
}
// Deactivate user account
static async deactivateUser(id) {
const query =
"UPDATE users SET is_active = 0, updated_at = datetime('now') WHERE id = ?";
const result = await User._run(query, [id]);
return result.changes > 0;
const query = "UPDATE users SET is_active = FALSE WHERE id = $1"; // updated_at handled by trigger
const result = await pool.query(query, [id]);
return result.rowCount > 0;
}
// Activate user account
static async activateUser(id) {
const query =
"UPDATE users SET is_active = 1, updated_at = datetime('now') WHERE id = ?";
const result = await User._run(query, [id]);
return result.changes > 0;
const query = "UPDATE users SET is_active = TRUE WHERE id = $1"; // updated_at handled by trigger
const result = await pool.query(query, [id]);
return result.rowCount > 0;
}
// Update user profile
@ -242,159 +205,230 @@ class User {
const allowedFields = ["first_name", "last_name", "email"];
const fieldsToUpdate = [];
const values = [];
let paramIndex = 1;
for (const [key, value] of Object.entries(updates)) {
if (allowedFields.includes(key) && value !== undefined) {
fieldsToUpdate.push(`\`${key}\` = ?`); // Use backticks for field names just in case
// Use double quotes for field names if they might be reserved words, though not strictly necessary here
fieldsToUpdate.push(`\"${key}\" = $${paramIndex++}`);
values.push(value);
}
}
if (fieldsToUpdate.length === 0) {
throw new Error("No valid fields to update");
return false; // No valid fields to update
}
values.push(id); // for the WHERE clause
const query = `UPDATE users SET ${fieldsToUpdate.join(
", "
)}, updated_at = datetime('now') WHERE id = ?`;
values.push(id); // Add id as the last parameter for the WHERE clause
const query = `
UPDATE users
SET ${fieldsToUpdate.join(", ")}
WHERE id = $${paramIndex}
RETURNING *;
`;
// updated_at is handled by the trigger
try {
const result = await User._run(query, values);
return result.changes > 0;
const result = await pool.query(query, values);
return result.rows[0]; // Return the updated user object
} catch (error) {
if (error.message && error.message.includes("UNIQUE constraint failed")) {
// Check for specific constraint if possible, e.g., error.message.includes("users.email")
if (error.code === "23505" && error.constraint === "users_email_key") {
throw new Error("Email already exists");
}
logger.error("Error updating user profile:", error);
throw error;
}
}
// Session management for JWT tokens
// Get all users (with pagination and optional filters)
static async findAll(page = 1, limit = 20, filters = {}) {
let query =
"SELECT id, uuid, email, first_name, last_name, role, is_verified, is_active, last_login, created_at, updated_at FROM users";
const countQuery = "SELECT COUNT(*) FROM users";
const queryParams = [];
const filterClauses = [];
let paramIndex = 1;
if (filters.role) {
filterClauses.push(`role = $${paramIndex++}`);
queryParams.push(filters.role);
}
if (filters.is_active !== undefined) {
filterClauses.push(`is_active = $${paramIndex++}`);
queryParams.push(filters.is_active);
}
// Add more filters as needed
if (filterClauses.length > 0) {
query += " WHERE " + filterClauses.join(" AND ");
// Note: countQuery would also need the WHERE clause. This can get complex.
// For simplicity, the count query here doesn't include filters. Consider a more robust way if filters are common.
}
query += ` ORDER BY created_at DESC LIMIT $${paramIndex++} OFFSET $${paramIndex++}`;
const offset = (page - 1) * limit;
queryParams.push(limit, offset);
const { rows } = await pool.query(query, queryParams);
// For total count, you might need a separate query without limit/offset but with filters
// const totalResult = await pool.query(countQuery); // Potentially with filter conditions
// const total = parseInt(totalResult.rows[0].count, 10);
// For now, returning rows without total count for simplicity to match old behavior more closely
return rows;
}
// --- User Session Management (Example methods, adjust as needed) ---
static async saveSession(
userId,
tokenJti,
expiresAt, // Should be an ISO string or Unix timestamp
expiresAt,
userAgent = null,
ipAddress = null
) {
// expiresAt should be a Date object or a string PostgreSQL can parse
const query = `
INSERT INTO user_sessions (user_id, token_jti, expires_at, user_agent, ip_address, created_at)
VALUES (?, ?, ?, ?, ?, datetime('now'))
VALUES ($1, $2, $3, $4, $5, NOW())
RETURNING id;
`;
// Ensure expiresAt is in a format SQLite understands (e.g., ISO string)
const expiresAtFormatted = new Date(expiresAt).toISOString();
const values = [userId, tokenJti, expiresAtFormatted, userAgent, ipAddress];
const result = await User._run(query, values);
return result.lastID;
const values = [userId, tokenJti, expiresAt, userAgent, ipAddress];
const result = await pool.query(query, values);
return result.rows[0].id;
}
static async isTokenBlacklisted(tokenJti) {
const query =
"SELECT 1 FROM user_sessions WHERE token_jti = ? AND expires_at > datetime('now')";
const row = await User._get(query, [tokenJti]);
return !!row; // True if a non-expired session with this JTI exists
"SELECT 1 FROM user_sessions WHERE token_jti = $1 AND expires_at > NOW()";
const { rows } = await pool.query(query, [tokenJti]);
return rows.length > 0;
}
static async revokeSession(tokenJti) {
// Instead of deleting, we can mark as expired or delete. Deleting is simpler.
const query = "DELETE FROM user_sessions WHERE token_jti = ?";
const result = await User._run(query, [tokenJti]);
return result.changes > 0;
// Or, update expires_at to NOW() if you prefer not to delete
const query = "DELETE FROM user_sessions WHERE token_jti = $1";
const result = await pool.query(query, [tokenJti]);
return result.rowCount > 0;
}
static async revokeAllUserSessions(userId) {
const query = "DELETE FROM user_sessions WHERE user_id = ?";
const result = await User._run(query, [userId]);
return result.changes > 0;
const query = "DELETE FROM user_sessions WHERE user_id = $1";
const result = await pool.query(query, [userId]);
return result.rowCount > 0;
}
static async revokeAllUserSessionsExcept(userId, exceptJti) {
const query =
"DELETE FROM user_sessions WHERE user_id = ? AND token_jti != ?";
const result = await User._run(query, [userId, exceptJti]);
return result.changes > 0;
"DELETE FROM user_sessions WHERE user_id = $1 AND token_jti != $2";
const result = await pool.query(query, [userId, exceptJti]);
return result.rowCount > 0;
}
static async getUserActiveSessions(userId) {
const query =
"SELECT id, token_jti, user_agent, ip_address, created_at, expires_at FROM user_sessions WHERE user_id = ? AND expires_at > datetime('now') ORDER BY created_at DESC";
return User._all(query, [userId]);
"SELECT id, token_jti, user_agent, ip_address, created_at, expires_at FROM user_sessions WHERE user_id = $1 AND expires_at > NOW() ORDER BY created_at DESC";
const { rows } = await pool.query(query, [userId]);
return rows;
}
static async getSessionByJti(jti) {
const query = "SELECT * FROM user_sessions WHERE token_jti = ?";
return User._get(query, [jti]);
const query = "SELECT * FROM user_sessions WHERE token_jti = $1";
const { rows } = await pool.query(query, [jti]);
return rows[0];
}
// Cleanup expired sessions (can be run periodically)
static async cleanupExpiredSessions() {
const query = "DELETE FROM user_sessions WHERE expires_at <= NOW()";
const result = await pool.query(query);
logger.info(`Cleaned up ${result.rowCount} expired user sessions.`);
return result.rowCount;
}
// --- API Key Management (Example methods, needs hashing for api_key_secret) ---
static async createApiKey(userId, keyName, daysUntilExpiry = null) {
const apiKeyIdentifier = crypto.randomBytes(16).toString("hex"); // Public part
const apiKeySecret = crypto.randomBytes(32).toString("hex"); // Secret part, show ONCE to user
// IMPORTANT: You MUST hash the apiKeySecret before storing it.
// Use a strong, one-way hashing algorithm like bcrypt or scrypt.
// This example will store it directly for simplicity, but DO NOT do this in production.
const saltRounds = 12; // Or appropriate for your chosen hashing algorithm
const hashedApiKeySecret = await bcrypt.hash(apiKeySecret, saltRounds);
let expiresAt = null;
if (daysUntilExpiry) {
expiresAt = new Date();
expiresAt.setDate(expiresAt.getDate() + daysUntilExpiry);
}
const query = `
INSERT INTO api_keys (user_id, key_name, api_key_identifier, hashed_api_key_secret, expires_at, created_at)
VALUES ($1, $2, $3, $4, $5, NOW())
RETURNING id, uuid, api_key_identifier, created_at, expires_at;
`;
const values = [
userId,
keyName,
apiKeyIdentifier,
hashedApiKeySecret,
expiresAt,
];
try {
const result = await pool.query(query, values);
return { ...result.rows[0], apiKeySecret }; // Return the raw secret ONCE for the user to copy
} catch (error) {
if (error.code === "23505") {
// unique_violation
// Handle if api_key_identifier somehow collides, though highly unlikely
logger.error("API Key identifier collision:", error);
}
logger.error("Error creating API key:", error);
throw error;
}
}
static async findApiKeyByIdentifier(identifier) {
const query = "SELECT * FROM api_keys WHERE api_key_identifier = $1";
const { rows } = await pool.query(query, [identifier]);
return rows[0]; // This will include the hashed_api_key_secret
}
// Call this after a key is used successfully
static async updateApiKeyLastUsed(apiKeyId) {
const query = "UPDATE api_keys SET last_used_at = NOW() WHERE id = $1";
await pool.query(query, [apiKeyId]);
}
static async getUserApiKeys(userId) {
// Do NOT return hashed_api_key_secret to the user, only metadata
const query =
"DELETE FROM user_sessions WHERE expires_at <= datetime('now')";
const result = await User._run(query);
console.log("Cleaned up " + result.changes + " expired sessions.");
return result.changes;
"SELECT id, uuid, user_id, key_name, api_key_identifier, created_at, last_used_at, expires_at FROM api_keys WHERE user_id = $1 ORDER BY created_at DESC";
const { rows } = await pool.query(query, [userId]);
return rows;
}
// Get user statistics (example, adapt as needed)
static async revokeApiKey(apiKeyId, userId) {
// Ensure the user owns this API key before revoking
const query = "DELETE FROM api_keys WHERE id = $1 AND user_id = $2";
const result = await pool.query(query, [apiKeyId, userId]);
return result.rowCount > 0;
}
// Placeholder for user stats - adjust query as needed for form/submission counts
static async getUserStats(userId) {
// This is a placeholder. You'll need to adjust based on actual needs and tables.
// For example, count forms or submissions associated with the user.
// const formsQuery = "SELECT COUNT(*) as form_count FROM forms WHERE user_id = ?";
// const submissionsQuery = "SELECT COUNT(*) as submission_count FROM submissions WHERE user_id = ?";
// const [formsResult] = await User._all(formsQuery, [userId]);
// const [submissionsResult] = await User._all(submissionsQuery, [userId]);
return {
// form_count: formsResult ? formsResult.form_count : 0,
// submission_count: submissionsResult ? submissionsResult.submission_count : 0,
// Add other relevant stats
};
// This is a simplified example. You'd need to join with forms and submissions tables.
const query = `
SELECT
(SELECT COUNT(*) FROM forms WHERE user_id = $1) as form_count,
(SELECT COUNT(*) FROM submissions WHERE user_id = $1) as submission_count
-- Add more stats as needed
`;
// This query assumes user_id is directly on submissions. Adjust if form_uuid is the link.
const { rows } = await pool.query(query, [userId]);
return rows[0] || { form_count: 0, submission_count: 0 };
}
// Find all users with pagination and filtering (example)
static async findAll(page = 1, limit = 20, filters = {}) {
let query =
"SELECT id, uuid, email, first_name, last_name, role, is_verified, is_active, created_at, last_login FROM users";
const queryParams = [];
const whereClauses = [];
if (filters.role) {
whereClauses.push("role = ?");
queryParams.push(filters.role);
}
if (filters.is_active !== undefined) {
whereClauses.push("is_active = ?");
queryParams.push(filters.is_active ? 1 : 0);
}
// Add more filters as needed
if (whereClauses.length > 0) {
query += " WHERE " + whereClauses.join(" AND ");
}
query += " ORDER BY created_at DESC LIMIT ? OFFSET ?";
queryParams.push(limit, (page - 1) * limit);
const users = await User._all(query, queryParams);
// For total count, need a separate query without limit/offset
let countQuery = "SELECT COUNT(*) as total FROM users";
if (whereClauses.length > 0) {
// Reuse queryParams for filters, but not for limit/offset
const filterParams = queryParams.slice(0, whereClauses.length);
countQuery += " WHERE " + whereClauses.join(" AND ");
const countResult = await User._get(countQuery, filterParams);
return { users, total: countResult.total, page, limit };
} else {
const countResult = await User._get(countQuery);
return { users, total: countResult.total, page, limit };
}
}
// Add other user methods as needed
}
module.exports = User;

57
src/routes/api_v1.js
View File

@ -1,6 +1,7 @@
const express = require("express");
const pool = require("../config/database");
const apiAuthMiddleware = require("../middleware/apiAuthMiddleware");
const logger = require("../../config/logger");
const router = express.Router();
@ -10,17 +11,20 @@ router.use(apiAuthMiddleware);
// GET /api/v1/forms - List forms for the authenticated user
router.get("/forms", async (req, res) => {
try {
const [forms] = await pool.query(
const { rows: forms } = await pool.query(
`SELECT uuid, name, created_at, is_archived,
(SELECT COUNT(*) FROM submissions WHERE form_uuid = f.uuid) as submission_count
FROM forms f
WHERE f.user_id = ?
WHERE f.user_id = $1
ORDER BY f.created_at DESC`,
[req.user.id] // req.user.id is attached by apiAuthMiddleware
);
res.json({ success: true, forms });
} catch (error) {
console.error("API Error fetching forms for user:", req.user.id, error);
logger.error("API Error fetching forms for user:", {
userId: req.user.id,
error,
});
res.status(500).json({ success: false, error: "Failed to fetch forms." });
}
});
@ -33,42 +37,41 @@ router.get("/forms/:formUuid/submissions", async (req, res) => {
const offset = (page - 1) * limit;
try {
// First, verify the user (from API key) owns the form
const [formDetails] = await pool.query(
"SELECT user_id, name FROM forms WHERE uuid = ?",
const { rows: formDetailsRows } = await pool.query(
"SELECT user_id, name FROM forms WHERE uuid = $1",
[formUuid]
);
if (formDetails.length === 0) {
if (formDetailsRows.length === 0) {
return res.status(404).json({ success: false, error: "Form not found." });
}
const formDetails = formDetailsRows[0];
if (formDetails[0].user_id !== req.user.id) {
return res
.status(403)
.json({
success: false,
error: "Access denied. You do not own this form.",
});
if (formDetails.user_id !== req.user.id) {
logger.warn(
`API Access Denied: User ${req.user.id} attempted to access form ${formUuid} owned by ${formDetails.user_id}`
);
return res.status(403).json({
success: false,
error: "Access denied. You do not own this form.",
});
}
// Get total count of submissions for pagination
const [countResult] = await pool.query(
"SELECT COUNT(*) as total FROM submissions WHERE form_uuid = ?",
const { rows: countResultRows } = await pool.query(
"SELECT COUNT(*) as total FROM submissions WHERE form_uuid = $1",
[formUuid]
);
const totalSubmissions = countResult[0].total;
const totalSubmissions = parseInt(countResultRows[0].total, 10);
const totalPages = Math.ceil(totalSubmissions / limit);
// Fetch paginated submissions
const [submissions] = await pool.query(
"SELECT id, data, ip_address, submitted_at FROM submissions WHERE form_uuid = ? ORDER BY submitted_at DESC LIMIT ? OFFSET ?",
const { rows: submissions } = await pool.query(
"SELECT id, data, ip_address, submitted_at FROM submissions WHERE form_uuid = $1 ORDER BY submitted_at DESC LIMIT $2 OFFSET $3",
[formUuid, limit, offset]
);
res.json({
success: true,
formName: formDetails[0].name,
formName: formDetails.name,
formUuid,
pagination: {
currentPage: page,
@ -81,13 +84,11 @@ router.get("/forms/:formUuid/submissions", async (req, res) => {
submissions,
});
} catch (error) {
console.error(
"API Error fetching submissions for form:",
logger.error("API Error fetching submissions for form:", {
formUuid,
"user:",
req.user.id,
error
);
userId: req.user.id,
error,
});
res
.status(500)
.json({ success: false, error: "Failed to fetch submissions." });

839
src/routes/dashboard.js
View File

File diff suppressed because it is too large Load Diff

133
src/routes/public.js
View File

@ -1,5 +1,5 @@
const express = require("express");
const pool = require("../config/database");
const pool = require("../config/database"); // pg Pool
const { sendNtfyNotification } = require("../services/notification");
const { sendSubmissionNotification } = require("../services/emailService");
const { verifyRecaptchaV2 } = require("../utils/recaptchaHelper");
@ -9,6 +9,7 @@ const {
createStrictRateLimiter,
} = require("../middleware/redisRateLimiter");
const domainChecker = require("../middleware/domainChecker");
const logger = require("../../config/logger"); // Corrected logger path
const router = express.Router();
@ -19,25 +20,42 @@ const strictRateLimit = createStrictRateLimiter();
router.get("/health", (req, res) => res.status(200).json({ status: "ok" }));
// Render login page
router.get("/login", (req, res) => {
res.render("login", {
error: req.query.error,
success: req.query.success,
email: req.query.email,
});
});
// Render registration page
router.get("/register", (req, res) => {
res.render("register", {
error: req.query.error,
success: req.query.success,
email: req.query.email,
first_name: req.query.first_name,
last_name: req.query.last_name,
});
});
router.post(
"/submit/:formUuid",
strictRateLimit, // First layer: strict per-IP rate limit across all forms
submissionRateLimit, // Second layer: general submission rate limit per IP
formSpecificRateLimit, // Third layer: specific form+IP rate limit
strictRateLimit,
submissionRateLimit,
formSpecificRateLimit,
domainChecker,
async (req, res) => {
const { formUuid } = req.params;
const submissionData = { ...req.body };
const ipAddress = req.ip;
// Extract reCAPTCHA response from submission data
const recaptchaToken = submissionData["g-recaptcha-response"];
// Clean it from submissionData so it's not stored in DB or shown in notifications
delete submissionData["g-recaptcha-response"];
// Honeypot check (early exit)
if (submissionData.honeypot_field && submissionData.honeypot_field !== "") {
console.log(
logger.info(
`Honeypot triggered for ${formUuid} by IP ${ipAddress}. Ignoring submission.`
);
if (submissionData._thankyou) {
@ -48,19 +66,24 @@ router.post(
);
}
// Fetch form settings first to check for reCAPTCHA status and other details
let formSettings;
try {
const [forms] = await pool.query(
"SELECT id, user_id, name, thank_you_url, thank_you_message, ntfy_enabled, is_archived, email_notifications_enabled, notification_email_address, recaptcha_enabled FROM forms WHERE uuid = ?",
const { rows: forms } = await pool.query(
"SELECT id, user_id, name, thank_you_url, thank_you_message, ntfy_enabled, is_archived, email_notifications_enabled, notification_email_address, recaptcha_enabled FROM forms WHERE uuid = $1",
[formUuid]
);
if (forms.length === 0) {
logger.warn(
`Submission attempt to non-existent form UUID: ${formUuid} from IP: ${ipAddress}`
);
return res.status(404).send("Form endpoint not found.");
}
formSettings = forms[0];
if (formSettings.is_archived) {
logger.warn(
`Submission attempt to archived form UUID: ${formUuid} from IP: ${ipAddress}`
);
return res
.status(410)
.send(
@ -68,16 +91,18 @@ router.post(
);
}
} catch (dbError) {
console.error("Error fetching form settings during submission:", dbError);
logger.error("Error fetching form settings during submission:", {
formUuid,
error: dbError,
});
return res
.status(500)
.send("Error processing submission due to database issue.");
.send("Error processing submission due to a configuration issue."); // More generic error to user
}
// Perform reCAPTCHA verification if it's enabled for this form
if (formSettings.recaptcha_enabled) {
if (!recaptchaToken) {
console.warn(
logger.warn(
`reCAPTCHA enabled for form ${formUuid} but no token provided by IP ${ipAddress}.`
);
return res
@ -92,87 +117,96 @@ router.post(
ipAddress
);
if (!isRecaptchaValid) {
console.warn(
logger.warn(
`reCAPTCHA verification failed for form ${formUuid} from IP ${ipAddress}.`
);
return res
.status(403)
.send("reCAPTCHA verification failed. Please try again.");
}
} // If reCAPTCHA is not enabled, or if it was enabled and passed, proceed.
}
// Main submission processing logic (moved DB query for form details up)
let formNameForNotification = formSettings.name || `Form ${formUuid}`;
try {
const ntfyEnabled = formSettings.ntfy_enabled;
const formOwnerUserId = formSettings.user_id;
const formOwnerUserId = formSettings.user_id; // This should be NOT NULL based on forms schema
// Prepare form object for email service
const formForEmail = {
name: formSettings.name,
email_notifications_enabled: formSettings.email_notifications_enabled,
notification_email_address: formSettings.notification_email_address,
};
// Fetch form owner's email for default notification recipient
let ownerEmail = null;
if (formOwnerUserId) {
const [users] = await pool.query(
"SELECT email FROM users WHERE id = ?",
// Should always be true if form exists
const { rows: users } = await pool.query(
"SELECT email FROM users WHERE id = $1",
[formOwnerUserId]
);
if (users.length > 0) {
ownerEmail = users[0].email;
} else {
console.warn(
`Owner user with ID ${formOwnerUserId} not found for form ${formUuid}.`
logger.warn(
`Owner user with ID ${formOwnerUserId} not found for form ${formUuid}, though form record exists.`
);
}
}
// The user_id in submissions table is NOT NULL in PostgreSQL schema, ensure formOwnerUserId is valid.
if (!formOwnerUserId) {
logger.error(
`Critical: formOwnerUserId is null for form ${formUuid} during submission. This should not happen if form exists.`
);
// Potentially send an alert to admin here
return res
.status(500)
.send("Error processing submission due to inconsistent data.");
}
await pool.query(
"INSERT INTO submissions (form_uuid, user_id, data, ip_address) VALUES (?, ?, ?, ?)",
"INSERT INTO submissions (form_uuid, user_id, data, ip_address) VALUES ($1, $2, $3, $4)",
[formUuid, formOwnerUserId, JSON.stringify(submissionData), ipAddress]
);
console.log(
`Submission received for ${formUuid} (user: ${formOwnerUserId}):`,
submissionData
logger.info(
`Submission received for ${formUuid} (user: ${formOwnerUserId}): ${JSON.stringify(submissionData)}`
);
const submissionSummary = Object.entries(submissionData)
.filter(([key]) => key !== "_thankyou")
.filter(([key]) => key !== "_thankyou") // Ensure _thankyou is not in summary
.map(([key, value]) => `${key}: ${value}`)
.join(", ");
if (ntfyEnabled) {
await sendNtfyNotification(
sendNtfyNotification(
`New Submission: ${formNameForNotification}`,
`Data: ${
submissionSummary || "No data fields"
}\nFrom IP: ${ipAddress}`,
"high",
"incoming_form"
);
).catch((err) =>
logger.error("Failed to send NTFY notification:", err)
); // Log & continue
}
// Send email notification
if (ownerEmail) {
// Only attempt if we have an owner email (even if custom one is set, good to have fallback context)
sendSubmissionNotification(
formForEmail,
submissionData,
ownerEmail
).catch((err) =>
console.error(
"Failed to send submission email directly in route:",
err
)
); // Log error but don't block response
logger.error("Failed to send submission email:", {
formUuid,
recipient: ownerEmail,
error: err,
})
);
} else if (
formForEmail.email_notifications_enabled &&
!formForEmail.notification_email_address
) {
console.warn(
logger.warn(
`Email notification enabled for form ${formUuid} but owner email could not be determined and no custom address set.`
);
}
@ -182,7 +216,6 @@ router.post(
}
if (formSettings.thank_you_message) {
// Basic HTML escaping for safety
const safeMessage = formSettings.thank_you_message
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
@ -200,13 +233,25 @@ router.post(
'<h1>Thank You!</h1><p>Your submission has been received.</p><p><a href="/">Back to form manager</a></p>'
);
} catch (error) {
console.error("Error processing submission:", error);
await sendNtfyNotification(
logger.error("Error processing submission (main block):", {
formUuid,
error: error.message,
stack: error.stack,
});
// Avoid sending detailed error to client, but log it.
sendNtfyNotification(
`Submission Error: ${formNameForNotification}`,
`Failed to process submission for ${formUuid} from IP ${ipAddress}. Error: ${error.message}`,
"max"
).catch((err) =>
logger.error("Failed to send error NTFY notification:", err)
);
res.status(500).send("Error processing submission.");
res
.status(500)
.send(
"An error occurred while processing your submission. Please try again later."
);
}
}
);

239
views/login.ejs Normal file
View File

@ -0,0 +1,239 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Login - Formies</title>
<style>
body {
font-family: sans-serif;
margin: 0;
background-color: #f4f7f6;
min-height: 100vh;
display: flex;
flex-direction: column;
}
.navbar {
background-color: #333;
color: white;
padding: 1rem;
display: flex;
justify-content: space-between;
align-items: center;
}
.navbar a {
color: white;
text-decoration: none;
}
.navbar .logo {
font-size: 1.5rem;
font-weight: bold;
}
.container {
flex: 1;
display: flex;
justify-content: center;
align-items: center;
padding: 2rem;
}
.login-card {
background-color: white;
padding: 2rem;
border-radius: 0.5rem;
box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
width: 100%;
max-width: 400px;
}
.login-header {
text-align: center;
margin-bottom: 2rem;
}
.login-header h1 {
margin: 0;
color: #333;
font-size: 1.8rem;
}
.form-group {
margin-bottom: 1.5rem;
}
.form-group label {
display: block;
margin-bottom: 0.5rem;
color: #555;
}
.form-group input {
width: 100%;
padding: 0.75rem;
border: 1px solid #ddd;
border-radius: 0.25rem;
font-size: 1rem;
box-sizing: border-box;
}
.form-group input:focus {
outline: none;
border-color: #007bff;
box-shadow: 0 0 0 2px rgba(0, 123, 255, 0.25);
}
.btn {
background-color: #007bff;
color: white;
padding: 0.75rem 1.5rem;
border: none;
border-radius: 0.25rem;
font-size: 1rem;
cursor: pointer;
width: 100%;
transition: background-color 0.2s;
}
.btn:hover {
background-color: #0056b3;
}
.error-message {
background-color: #f8d7da;
color: #721c24;
padding: 0.75rem;
border-radius: 0.25rem;
margin-bottom: 1rem;
text-align: center;
}
.success-message {
background-color: #d4edda;
color: #155724;
padding: 0.75rem;
border-radius: 0.25rem;
margin-bottom: 1rem;
text-align: center;
}
.links {
text-align: center;
margin-top: 1rem;
}
.links a {
color: #007bff;
text-decoration: none;
font-size: 0.9rem;
}
.links a:hover {
text-decoration: underline;
}
</style>
</head>
<body>
<nav class="navbar">
<div class="logo"><a href="/">Formies</a></div>
<div>
<a href="/register">Register</a>
</div>
</nav>
<div class="container">
<div class="login-card">
<div class="login-header">
<h1>Welcome Back</h1>
<p>Please sign in to continue</p>
</div>
<% if (typeof error !== 'undefined' && error) { %>
<div class="error-message"><%= error %></div>
<% } %>
<% if (typeof success !== 'undefined' && success) { %>
<div class="success-message"><%= success %></div>
<% } %>
<form action="/api/auth/login" method="POST">
<div class="form-group">
<label for="email">Email Address</label>
<input
type="email"
id="email"
name="email"
required
placeholder="Enter your email"
value="<%= typeof email !== 'undefined' ? email : '' %>"
/>
</div>
<div class="form-group">
<label for="password">Password</label>
<input
type="password"
id="password"
name="password"
required
placeholder="Enter your password"
/>
</div>
<button type="submit" class="btn">Sign In</button>
<div class="links">
<a href="/forgot-password">Forgot your password?</a>
<br>
<a href="/register">Don't have an account? Register</a>
</div>
</form>
</div>
</div>
<script>
document.querySelector('form').addEventListener('submit', async (e) => {
e.preventDefault();
const email = document.getElementById('email').value;
const password = document.getElementById('password').value;
try {
const response = await fetch('/api/auth/login', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({ email, password })
});
const data = await response.json();
if (response.ok) {
// Store tokens
localStorage.setItem('accessToken', data.data.accessToken);
localStorage.setItem('refreshToken', data.data.refreshToken);
// Redirect to dashboard
window.location.href = '/dashboard';
} else {
// Show error message
const errorDiv = document.createElement('div');
errorDiv.className = 'error-message';
errorDiv.textContent = data.message || 'Login failed';
const existingError = document.querySelector('.error-message');
if (existingError) {
existingError.remove();
}
document.querySelector('.login-card').insertBefore(
errorDiv,
document.querySelector('form')
);
}
} catch (error) {
console.error('Login error:', error);
const errorDiv = document.createElement('div');
errorDiv.className = 'error-message';
errorDiv.textContent = 'An error occurred. Please try again.';
const existingError = document.querySelector('.error-message');
if (existingError) {
existingError.remove();
}
document.querySelector('.login-card').insertBefore(
errorDiv,
document.querySelector('form')
);
}
});
</script>
</body>
</html>

313
views/register.ejs Normal file
View File

@ -0,0 +1,313 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Register - Formies</title>
<style>
body {
font-family: sans-serif;
margin: 0;
background-color: #f4f7f6;
min-height: 100vh;
display: flex;
flex-direction: column;
}
.navbar {
background-color: #333;
color: white;
padding: 1rem;
display: flex;
justify-content: space-between;
align-items: center;
}
.navbar a {
color: white;
text-decoration: none;
}
.navbar .logo {
font-size: 1.5rem;
font-weight: bold;
}
.container {
flex: 1;
display: flex;
justify-content: center;
align-items: center;
padding: 2rem;
}
.register-card {
background-color: white;
padding: 2rem;
border-radius: 0.5rem;
box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
width: 100%;
max-width: 400px;
}
.register-header {
text-align: center;
margin-bottom: 2rem;
}
.register-header h1 {
margin: 0;
color: #333;
font-size: 1.8rem;
}
.form-group {
margin-bottom: 1.5rem;
}
.form-group label {
display: block;
margin-bottom: 0.5rem;
color: #555;
}
.form-group input {
width: 100%;
padding: 0.75rem;
border: 1px solid #ddd;
border-radius: 0.25rem;
font-size: 1rem;
box-sizing: border-box;
}
.form-group input:focus {
outline: none;
border-color: #007bff;
box-shadow: 0 0 0 2px rgba(0, 123, 255, 0.25);
}
.btn {
background-color: #007bff;
color: white;
padding: 0.75rem 1.5rem;
border: none;
border-radius: 0.25rem;
font-size: 1rem;
cursor: pointer;
width: 100%;
transition: background-color 0.2s;
}
.btn:hover {
background-color: #0056b3;
}
.error-message {
background-color: #f8d7da;
color: #721c24;
padding: 0.75rem;
border-radius: 0.25rem;
margin-bottom: 1rem;
text-align: center;
}
.success-message {
background-color: #d4edda;
color: #155724;
padding: 0.75rem;
border-radius: 0.25rem;
margin-bottom: 1rem;
text-align: center;
}
.links {
text-align: center;
margin-top: 1rem;
}
.links a {
color: #007bff;
text-decoration: none;
font-size: 0.9rem;
}
.links a:hover {
text-decoration: underline;
}
.password-requirements {
font-size: 0.8rem;
color: #666;
margin-top: 0.5rem;
}
</style>
</head>
<body>
<nav class="navbar">
<div class="logo"><a href="/">Formies</a></div>
<div>
<a href="/login">Login</a>
</div>
</nav>
<div class="container">
<div class="register-card">
<div class="register-header">
<h1>Create Account</h1>
<p>Join Formies to start creating forms</p>
</div>
<% if (typeof error !== 'undefined' && error) { %>
<div class="error-message"><%= error %></div>
<% } %>
<% if (typeof success !== 'undefined' && success) { %>
<div class="success-message"><%= success %></div>
<% } %>
<form id="registerForm">
<div class="form-group">
<label for="firstName">First Name</label>
<input
type="text"
id="firstName"
name="first_name"
required
placeholder="Enter your first name"
value="<%= typeof first_name !== 'undefined' ? first_name : '' %>"
/>
</div>
<div class="form-group">
<label for="lastName">Last Name</label>
<input
type="text"
id="lastName"
name="last_name"
required
placeholder="Enter your last name"
value="<%= typeof last_name !== 'undefined' ? last_name : '' %>"
/>
</div>
<div class="form-group">
<label for="email">Email Address</label>
<input
type="email"
id="email"
name="email"
required
placeholder="Enter your email"
value="<%= typeof email !== 'undefined' ? email : '' %>"
/>
</div>
<div class="form-group">
<label for="password">Password</label>
<input
type="password"
id="password"
name="password"
required
placeholder="Create a password"
/>
<div class="password-requirements">
Password must be at least 8 characters long and include:
<ul>
<li>At least one uppercase letter</li>
<li>At least one lowercase letter</li>
<li>At least one number</li>
<li>At least one special character</li>
</ul>
</div>
</div>
<div class="form-group">
<label for="confirmPassword">Confirm Password</label>
<input
type="password"
id="confirmPassword"
name="confirmPassword"
required
placeholder="Confirm your password"
/>
</div>
<button type="submit" class="btn">Create Account</button>
<div class="links">
<a href="/login">Already have an account? Sign in</a>
</div>
</form>
</div>
</div>
<script>
document.getElementById('registerForm').addEventListener('submit', async (e) => {
e.preventDefault();
const firstName = document.getElementById('firstName').value;
const lastName = document.getElementById('lastName').value;
const email = document.getElementById('email').value;
const password = document.getElementById('password').value;
const confirmPassword = document.getElementById('confirmPassword').value;
// Client-side validation
if (password !== confirmPassword) {
showError('Passwords do not match');
return;
}
// Password strength validation
const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
if (!passwordRegex.test(password)) {
showError('Password does not meet the requirements');
return;
}
try {
const response = await fetch('/api/auth/register', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
first_name: firstName,
last_name: lastName,
email,
password
})
});
const data = await response.json();
if (response.ok) {
// Show success message and redirect to login
showSuccess('Registration successful! Please check your email to verify your account.');
setTimeout(() => {
window.location.href = '/login?success=Registration successful! Please check your email to verify your account.';
}, 3000);
} else {
showError(data.message || 'Registration failed');
}
} catch (error) {
console.error('Registration error:', error);
showError('An error occurred. Please try again.');
}
});
function showError(message) {
const errorDiv = document.createElement('div');
errorDiv.className = 'error-message';
errorDiv.textContent = message;
const existingError = document.querySelector('.error-message');
if (existingError) {
existingError.remove();
}
document.querySelector('.register-card').insertBefore(
errorDiv,
document.querySelector('form')
);
}
function showSuccess(message) {
const successDiv = document.createElement('div');
successDiv.className = 'success-message';
successDiv.textContent = message;
const existingSuccess = document.querySelector('.success-message');
if (existingSuccess) {
existingSuccess.remove();
}
document.querySelector('.register-card').insertBefore(
successDiv,
document.querySelector('form')
);
}
</script>
</body>
</html>