auth, WS, mailing, files, migrations, docker optimizations, tests

.github/workflows/ci.yml

@@ -1,22 +1,37 @@
 name: CI
 on: [push, pull_request]
+
 jobs:
   build:
     runs-on: ubuntu-latest
+
     services:
       mongodb:
         image: mongo:8
         ports:
           - 27018:27017
+
+    env:
+      MONGO_URL: mongodb://127.0.0.1:27018/test
+      JWT_SECRET:  ${{ secrets.JWT_SECRET }}
+      COOKIE_SECRET: ${{ secrets.COOKIE_SECRET }}
+      NODE_ENV: test
+
     steps:
       - name: Check out the source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
+
       - name: Install Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: '25'
           check-latest: true
+
       - name: Install dependencies
-        run: npm install
+        run: npm ci
+
+      - name: Run Database Migrations
+        run: npx migrate-mongo up
+
       - name: Run tests
-        run: npm test
+        run: node --test test/**/*.test.js

.gitignore

@@ -8,16 +8,9 @@ pids
 *.pid
 *.seed
 
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
 # Coverage directory used by tools like istanbul
 coverage
 
-#tap output
-tap-*.log
-.tap
-
 #mongo logs
 data
 
@@ -27,12 +20,6 @@ data
 #test-results
 **/test-results
 
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
 # node-waf configuration
 .lock-wscript
 
@@ -69,3 +56,9 @@ profile-*
 profile*
 *clinic*
 *flamegraph*
+
+# env
+.env
+
+# uploads
+uploads/

Dockerfile

@@ -0,0 +1,36 @@
+# --- Stage 1 build ---
+FROM node:25-alpine AS builder
+
+WORKDIR /build
+
+COPY package.json package-lock.json ./
+
+ARG NPM_TOKEN
+RUN if [ -n "$NPM_TOKEN" ]; then echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc; fi && \
+    npm ci --omit=dev --ignore-scripts && \
+    rm -f .npmrc
+
+# --- Stage 2 Prod runner ---
+FROM platformatic/node-caged:25-alpine
+
+RUN apk update && apk add --no-cache dumb-init
+
+ENV HOME=/home/app
+ENV APP_HOME=$HOME/node/
+ENV NODE_ENV=production
+ENV NODE_OPTIONS="--max-heap-size=1024"
+
+RUN addgroup -S node && adduser -S node -G node
+
+WORKDIR $APP_HOME
+
+COPY --chown=node:node . $APP_HOME
+
+COPY --chown=node:node --from=builder /build/node_modules $APP_HOME/node_modules
+
+USER node
+
+EXPOSE 3000
+
+ENTRYPOINT ["dumb-init", "--"]
+CMD ["./node_modules/.bin/fastify", "start", "-a", "0.0.0.0", "-l", "info", "--options", "app.js"]

app.js

@@ -4,55 +4,55 @@ const path = require('node:path')
 const AutoLoad = require('@fastify/autoload')
 const closeWithGrace = require('close-with-grace')
 
-// Pass --options via CLI arguments in command to enable these options.
-const options = require('./configs/server-options.js')
-
 module.exports = async function (fastify, opts) {
-  // Place here your custom code!
-  fastify.log.info('The .env file has been read %s', process.env.MONGO_URL)
-
-  fastify.register(AutoLoad, {
-    dir: path.join(__dirname, 'schemas'),
-    indexPattern: /^loader.js$/i,
-  })
-
-  await fastify.register(require('./plugins/config'))
-  fastify.log.info('Config loaded %o', fastify.config)
-
-  // Do not touch the following lines
-
-  // This loads all plugins defined in plugins
-  // those should be support plugins that are reused
-  // through your application
-  fastify.register(AutoLoad, {
-    dir: path.join(__dirname, 'plugins'),
-    ignorePattern: /.*.no-load\.js/,
-    indexPattern: /^no$/i,
-    options: fastify.config,
-  })
-
-  // This loads all plugins defined in routes
-  // define your routes in one of these
-  fastify.register(AutoLoad, {
-    dir: path.join(__dirname, 'routes'),
-    indexPattern: /.*routes(\.js|\.cjs)$/i,
-    ignorePattern: /.*\.js/,
-    autoHooksPattern: /.*hooks(\.js|\.cjs)$/i,
-    autoHooks: true,
-    cascadeHooks: true,
-    options: Object.assign({}, opts),
-  })
-
-  // Graceful shutdown handler
-  // eslint-disable-next-line no-unused-vars
-  closeWithGrace(async function ({ signal, err, manual }) {
-    if (err) {
-      fastify.log.error({ err }, 'server closing with error')
-    } else {
-      fastify.log.info(`${signal} received, server closing`)
-    }
-    await fastify.close()
-  })
-}
-
-module.exports.options = options
+  try {
+    // Register base schema
+    await require('./routes/auth/schemas/loader').authSchemasLoader(fastify)
+    await require('./routes/notes/schemas/loader').noteSchemasLoader(fastify)
+    await require('./routes/users/schemas/loader').loadUserSchemas(fastify)
+
+    // Load Config
+    await fastify.register(require('./plugins/config'), opts)
+
+    // Load Plugins
+    await fastify.register(AutoLoad, {
+      dir: path.join(__dirname, 'plugins'),
+      ignorePattern: /.*.no-load\.js/,
+      indexPattern: /^no$/i,
+      options: Object.assign({}, opts)
+    })
+
+    // Load Routes
+    await fastify.register(AutoLoad, {
+      dir: path.join(__dirname, 'routes'),
+      indexPattern: /.*routes(\.js|\.cjs)$/i,
+      ignorePattern: /(?:^|\/)(?:schemas|utils)(?:\/|$).*\.js/,
+      autoHooksPattern: /.*hooks(\.js|\.cjs)$/i,
+      autoHooks: true,
+      cascadeHooks: true,
+      options: Object.assign({}, opts)
+    })
+
+    const closeListeners = closeWithGrace(
+      { delay: process.env.FASTIFY_CLOSE_GRACE_DELAY || 500 },
+      async function ({ signal, err, manual }) {
+        if (err) {
+          fastify.log.error({ err }, 'Server closing due to error')
+        } else {
+          fastify.log.info(`${signal} received, gracefully shutting down server...`)
+        }
+
+        await fastify.close()
+      }
+    )
+
+    fastify.addHook('onClose', (instance, done) => {
+      closeListeners.uninstall()
+      done()
+    })
+
+  } catch (err) {
+    fastify.log.error(err)
+    throw err
+  }
+}

configs/logger-options.js

@@ -1,23 +1,20 @@
 'use strict'
 module.exports = {
   level: process.env.LOG_LEVEL || 'info',
-  timestamp: () => {
-    const dateString = new Date(Date.now()).toISOString()
-    return `,"@timestamp":"${dateString}"`
-  },
+  timestamp: () => `,"time":"${new Date().toISOString()}"`,
   redact: {
     censor: '*****',
     paths: ['req.headers.authorization', 'req.body.password', 'req.body.email'],
   },
   serializers: {
     req: function (request) {
-      const shouldLogBody = request.context.config.logBody === true
+      const shouldLogBody = request.routeOptions?.config?.logBody === true
       return {
         method: request.method,
         url: request.raw.url,
-        routeUrl: request.routePath,
+        routeUrl: request.routeOptions?.url ?? request.routePath,
         version: request.headers?.['accept-version'],
-        user: request.user?.id,
+        user: request.user?._id || request.user?.id,
         headers: request.headers,
         body: shouldLogBody ? request.body : undefined,
         hostname: request.hostname,
@@ -26,9 +23,9 @@ module.exports = {
       }
     },
     res: function (reply) {
-      return {
-        statusCode: reply.statusCode,
-        responseTime: reply.getResponseTime(),
+    return {
+    statusCode: reply.statusCode,
+    responseTime: typeof reply.elapsedTime === 'number' ? reply.elapsedTime : undefined,
       }
     },
   },

configs/server-options.js

@@ -2,13 +2,46 @@
 const crypto = require('node:crypto')
 const loggerOptions = require('./logger-options')
 
+// W3C Trace Context: version(2)-trace_id(32)-parent_id(16)-flags(2)
+const TRACEPARENT_RE = /^[\da-f]{2}-([\da-f]{32})-[\da-f]{16}-[\da-f]{2}$/
+
+function extractTraceId(raw) {
+  if (!raw || typeof raw !== 'string') return null
+  const match = TRACEPARENT_RE.exec(raw)
+  return match ? match[1] : null
+}
+
+function sanitizeRequestId(value) {
+  if (!value || typeof value !== 'string') return null
+  // Cap at 128 chars to prevent memory abuse from oversized headers
+  if (value.length > 128) return null
+  return value
+}
+
 module.exports = {
   disableRequestLogging: true,
-  logger: loggerOptions,
+  logger: {
+    ...loggerOptions,
+    formatters: {
+      ...loggerOptions.formatters,
+      log: (object) => {
+        if (object.reqId && object.reqId.length === 32 && /^[\da-f]{32}$/.test(object.reqId)) {
+          object.trace_id = object.reqId
+        }
+        return object
+      }
+    }
+  },
   requestIdLogLabel: false,
-  requestIdHeader: 'x-request-id',
+  requestIdHeader: false,
+  pluginTimeout: 20000,
   genReqId(req) {
-    return req.headers['x-amz-request-id'] || crypto.randomUUID()
+    const traceId = extractTraceId(req.headers['traceparent'])
+    if (traceId) return traceId
+
+    return sanitizeRequestId(req.headers['x-request-id'])
+      || sanitizeRequestId(req.headers['x-amz-request-id'])
+      || crypto.randomUUID()
   },
   ajv: {
     customOptions: {