Merge pull request #323 from lenneTech/develop

Release 10.0.8

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "10.0.7",
+  "version": "10.0.8",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -75,21 +75,21 @@
     "@nestjs/terminus": "10.0.1",
     "apollo-server-core": "3.11.1",
     "apollo-server-express": "3.11.1",
-    "bcrypt": "5.1.0",
+    "bcrypt": "5.1.1",
     "class-transformer": "0.5.1",
     "class-validator": "0.14.0",
     "compression": "1.7.4",
     "cookie-parser": "1.4.6",
     "ejs": "3.1.9",
-    "graphql": "16.7.1",
+    "graphql": "16.8.0",
     "graphql-query-complexity": "0.12.0",
     "graphql-subscriptions": "2.0.0",
     "graphql-upload": "15.0.2",
     "js-sha256": "0.9.0",
     "json-to-graphql-query": "2.2.5",
     "light-my-request": "5.10.0",
     "lodash": "4.17.21",
-    "mongodb": "4.16.0",
+    "mongodb": "4.17.0",
     "mongoose": "6.11.5",
     "mongoose-gridfs": "1.3.0",
     "multer": "1.4.5-lts.1",
@@ -109,12 +109,12 @@
     "@babel/plugin-proposal-private-methods": "7.18.6",
     "@compodoc/compodoc": "1.1.21",
     "@lenne.tech/eslint-config-ts": "0.0.9",
-    "@nestjs/cli": "10.1.11",
+    "@nestjs/cli": "10.1.12",
     "@nestjs/schematics": "10.0.2",
     "@nestjs/testing": "10.1.3",
     "@swc/cli": "0.1.62",
-    "@swc/core": "1.3.76",
-    "@swc/jest": "0.2.28",
+    "@swc/core": "1.3.78",
+    "@swc/jest": "0.2.29",
     "@types/compression": "1.7.2",
     "@types/cookie-parser": "1.4.3",
     "@types/cron": "2.0.1",
@@ -123,14 +123,14 @@
     "@types/jest": "29.5.3",
     "@types/lodash": "4.14.197",
     "@types/multer": "1.4.7",
-    "@types/node": "20.4.9",
+    "@types/node": "20.5.1",
     "@types/nodemailer": "6.4.9",
     "@types/passport": "1.0.12",
     "@types/supertest": "2.0.12",
-    "@typescript-eslint/eslint-plugin": "6.3.0",
-    "@typescript-eslint/parser": "6.3.0",
+    "@typescript-eslint/eslint-plugin": "6.4.0",
+    "@typescript-eslint/parser": "6.4.0",
     "coffeescript": "2.7.0",
-    "eslint": "8.46.0",
+    "eslint": "8.47.0",
     "eslint-config-prettier": "9.0.0",
     "eslint-plugin-unused-imports": "3.0.0",
     "find-file-up": "2.0.1",
@@ -143,7 +143,7 @@
     "jest": "29.6.2",
     "npm-watch": "0.11.0",
     "pm2": "5.3.0",
-    "prettier": "3.0.1",
+    "prettier": "3.0.2",
     "pretty-quick": "3.1.3",
     "supertest": "6.3.3",
     "ts-jest": "29.1.1",

spectaql.yml

@@ -11,7 +11,7 @@ servers:
 info:
   title: lT Nest Server
   description: Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).
-  version: 10.0.7
+  version: 10.0.8
   contact:
     name: lenne.Tech GmbH
     url: https://lenne.tech

src/config.env.ts

@@ -18,6 +18,7 @@ const config: { [env: string]: IServerOptions } = {
       sayHello: {
         cronTime: CronExpression.EVERY_10_SECONDS,
         runOnInit: false,
+        disabled: false,
         runParallel: 1,
         timeZone: 'Europe/Berlin',
         throwException: false,
@@ -65,12 +66,20 @@ const config: { [env: string]: IServerOptions } = {
     },
     ignoreSelectionsForPopulate: true,
     jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      // tslint:disable-next-line:max-line-length
       secret: 'SECRET_OR_PRIVATE_KEY_LOCAL',
       signInOptions: {
         expiresIn: '15m',
       },
       refresh: {
         renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        // tslint:disable-next-line:max-line-length
         secret: 'SECRET_OR_PRIVATE_KEY_LOCAL_REFRESH',
         signInOptions: {
           expiresIn: '7d',
@@ -147,12 +156,20 @@ const config: { [env: string]: IServerOptions } = {
     },
     ignoreSelectionsForPopulate: true,
     jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      // tslint:disable-next-line:max-line-length
       secret: 'SECRET_OR_PRIVATE_KEY_DEV',
       signInOptions: {
         expiresIn: '15m',
       },
       refresh: {
         renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        // tslint:disable-next-line:max-line-length
         secret: 'SECRET_OR_PRIVATE_KEY_DEV_REFRESH',
         signInOptions: {
           expiresIn: '7d',
@@ -229,12 +246,20 @@ const config: { [env: string]: IServerOptions } = {
     },
     ignoreSelectionsForPopulate: true,
     jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      // tslint:disable-next-line:max-line-length
       secret: 'SECRET_OR_PRIVATE_KEY_PROD',
       signInOptions: {
         expiresIn: '15m',
       },
       refresh: {
         renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        // tslint:disable-next-line:max-line-length
         secret: 'SECRET_OR_PRIVATE_KEY_PROD_REFRESH',
         signInOptions: {
           expiresIn: '7d',

src/core.module.ts

@@ -128,6 +128,12 @@ export class CoreModule implements NestModule {
       options,
     );
 
+    // Check secrets
+    const jwtConfig = config.jwt;
+    if (jwtConfig?.secret && jwtConfig.secret && jwtConfig.refresh && jwtConfig.refresh.secret === jwtConfig.secret) {
+      console.warn('JWT secret and refresh secret are equal, this can lead to security vulnerabilities!');
+    }
+
     // Set providers
     const providers: any[] = [
       // The ConfigService provides access to the current configuration of the module

src/core/common/interfaces/cron-job-config.interface.ts

@@ -18,13 +18,19 @@ export interface CronJobConfig {
    */
   cronTime: CronExpression | string | Date | Falsy;
 
+  /**
+   * Whether the cron job is disabled or not.
+   * This option is set to `false` by default
+   */
+  disabled?: boolean;
+
   /**
    * A function that will fire when the job is complete, when it is stopped.
    */
   onComplete?: CronCommand | null;
 
   /**
-   * This will immediately fire your `onTickfunction` as soon as the requisit initialization has happened.
+   * This will immediately fire the `onTick` function as soon as the requisite initialization has happened.
    * This option is set to `true` by default.
    */
   runOnInit?: boolean;
@@ -58,8 +64,8 @@ export interface CronJobConfig {
   unrefTimeout?: boolean;
 
   /**
-   * This allows you to specify the offset of your timezone rather than using the `timeZoneparam.
-   * Probably don't use both ``timeZone` andutcOffset`` together or weird things may happen.
+   * This allows you to specify the offset of the timezone rather than using the `timeZone` parameter.
+   * Probably don't use both `timeZone` and `utcOffset` together or weird things may happen.
    */
   utcOffset?: string | number;
 }

src/core/common/interfaces/server-options.interface.ts

@@ -30,6 +30,8 @@ export interface IJwt {
 
   /**
    * Secret to encrypt the JWT
+   * Each secret should be unique and not reused in other environments,
+   * also the JWT secret should be different from the Refresh secret!
    */
   secret?: string;
 
@@ -288,10 +290,15 @@ export interface IServerOptions {
 
   /**
    * Configuration of JavaScript Web Token (JWT) module
+   *
+   * Hint: The secrets of the different environments should be different, otherwise a JWT can be used in different
+   * environments, which can lead to security vulnerabilities.
    */
   jwt?: {
     /**
      * Configuration for refresh Token (JWT)
+     * Hint: The secret of the JWT and the Refresh Token should be different, otherwise a new RefreshToken can also be
+     * requested with the JWT, which can lead to a security vulnerability.
      */
     refresh?: {
       /**

src/core/common/services/core-cron-jobs.service.ts

@@ -62,15 +62,18 @@ export abstract class CoreCronJobs implements OnApplicationBootstrap {
     // Init cron jobs
     for (const [name, CronExpressionOrConfig] of Object.entries(this.cronJobs)) {
       // Check config
-      if (!CronExpressionOrConfig) {
+      if (
+        !CronExpressionOrConfig
+        || (typeof CronExpressionOrConfig === 'object' && (CronExpressionOrConfig as CronJobConfig).disabled)
+      ) {
         continue;
       }
 
       // Prepare config
-      let conf: CronExpression | string | Date | Falsy | CronJobConfig = CronExpressionOrConfig;
-      if (typeof conf === 'string' || conf instanceof Date) {
+      let conf: CronJobConfig = (CronExpressionOrConfig as CronJobConfig);
+      if (typeof CronExpressionOrConfig === 'string' || CronExpressionOrConfig instanceof Date) {
         conf = {
-          cronTime: conf,
+          cronTime: CronExpressionOrConfig as string | Date,
         };
       }
 

src/core/common/types/wrapper.type.ts

@@ -0,0 +1,10 @@
+/**
+ * Wrapper type used to circumvent ESM modules circular dependency issue
+ * caused by reflection metadata saving the type of the property.
+ *
+ * It is needed if swc is used and ReferenceError occurs:
+ * @Inject(forwardRef(() => CustomService)) private readonly customService: WrapperType<CustomService>,
+ *
+ * See https://docs.nestjs.com/recipes/swc#common-pitfalls
+ */
+export type WrapperType<T> = T; // WrapperType === Relation

src/index.ts

@@ -80,6 +80,7 @@ export * from './core/common/types/remove-methods.type';
 export * from './core/common/types/require-only-one.type';
 export * from './core/common/types/required-at-least-one.type';
 export * from './core/common/types/string-or-object-id.type';
+export * from './core/common/types/wrapper.type';
 
 // =====================================================================================================================
 // Core - Modules - Auth