fix: regression of password hasing & fine tune default logging (#60)

Author: ymc9

package.json

@@ -1,6 +1,6 @@
 {
     "name": "zenstack-monorepo",
-    "version": "0.2.12",
+    "version": "0.2.15",
     "description": "",
     "scripts": {
         "build": "pnpm -r build",

packages/internal/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@zenstackhq/internal",
-    "version": "0.2.12",
+    "version": "0.2.15",
     "displayName": "ZenStack Internal Library",
     "description": "ZenStack internal runtime library. This package is for supporting runtime functionality of ZenStack and not supposed to be used directly.",
     "repository": {
@@ -10,7 +10,8 @@
     "main": "lib/index.js",
     "types": "lib/index.d.ts",
     "scripts": {
-        "build": "tsc",
+        "clean": "rimraf lib",
+        "build": "npm run clean && tsc",
         "watch": "tsc --watch",
         "lint": "eslint src --ext ts",
         "prepublishOnly": "pnpm build"
@@ -45,6 +46,7 @@
         "@types/uuid": "^8.3.4",
         "eslint": "^8.27.0",
         "jest": "^29.0.3",
+        "rimraf": "^3.0.2",
         "ts-jest": "^29.0.1",
         "ts-node": "^10.9.1",
         "tsc-alias": "^1.7.0",

packages/internal/src/handler/data/handler.ts

@@ -78,9 +78,9 @@ export default class DataHandler<DbClient extends DbClientContract>
                     break;
             }
         } catch (err: unknown) {
-            this.service.error(`${method} ${model}: ${err}`);
-
             if (err instanceof RequestHandlerError) {
+                this.service.warn(`${method} ${model}: ${err}`);
+
                 // in case of errors thrown directly by ZenStack
                 switch (err.code) {
                     case ServerErrorCode.DENIED_BY_POLICY:
@@ -105,6 +105,8 @@ export default class DataHandler<DbClient extends DbClientContract>
                         });
                 }
             } else if (this.isPrismaClientKnownRequestError(err)) {
+                this.service.warn(`${method} ${model}: ${err}`);
+
                 // errors thrown by Prisma, try mapping to a known error
                 if (PRISMA_ERROR_MAPPING[err.code]) {
                     res.status(400).send({
@@ -120,6 +122,8 @@ export default class DataHandler<DbClient extends DbClientContract>
                     });
                 }
             } else if (this.isPrismaClientValidationError(err)) {
+                this.service.warn(`${method} ${model}: ${err}`);
+
                 // prisma validation error
                 res.status(400).send({
                     code: ServerErrorCode.INVALID_REQUEST_PARAMS,

packages/internal/src/handler/data/policy-utils.ts

@@ -634,7 +634,7 @@ export async function preprocessWritePayload(
         const pwdAttr = fieldInfo.attributes?.find(
             (attr) => attr.name === '@password'
         );
-        if (pwdAttr && fieldInfo.type !== 'String') {
+        if (pwdAttr && fieldInfo.type === 'String') {
             // hash password value
             let salt: string | number | undefined = pwdAttr.args.find(
                 (arg) => arg.name === 'salt'

packages/runtime/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@zenstackhq/runtime",
     "displayName": "ZenStack Runtime Library",
-    "version": "0.2.12",
+    "version": "0.2.15",
     "description": "This package contains runtime library for consuming client and server side code generated by ZenStack.",
     "repository": {
         "type": "git",

packages/schema/package.json

@@ -3,7 +3,7 @@
     "publisher": "zenstack",
     "displayName": "ZenStack Language Tools",
     "description": "ZenStack is a toolkit that simplifies full-stack development",
-    "version": "0.2.12",
+    "version": "0.2.15",
     "author": {
         "name": "ZenStack Team"
     },
@@ -67,8 +67,9 @@
         "vscode:publish": "vsce publish --no-dependencies",
         "vscode:prepublish": "cp ../../README.md ./ && pnpm lint && pnpm build",
         "vscode:package": "vsce package --no-dependencies",
+        "clean": "rimraf bundle",
         "build": "pnpm langium:generate && tsc --noEmit && pnpm bundle && cp -r src/res/* bundle/res/",
-        "bundle": "node build/bundle.js --minify",
+        "bundle": "npm run clean && node build/bundle.js --minify",
         "bundle-watch": "node build/bundle.js --watch",
         "ts:watch": "tsc --watch --noEmit",
         "tsc-alias:watch": "tsc-alias --watch",
@@ -77,7 +78,7 @@
         "langium:watch": "langium generate --watch",
         "watch": "concurrently --kill-others \"npm:langium:watch\" \"npm:bundle-watch\"",
         "test": "jest",
-        "prepublishOnly": "cp ../../README.md ./ && pnpm build && pnpm bundle"
+        "prepublishOnly": "cp ../../README.md ./ && pnpm build"
     },
     "dependencies": {
         "@zenstackhq/internal": "workspace:*",
@@ -112,6 +113,7 @@
         "eslint": "^8.27.0",
         "jest": "^29.2.1",
         "langium-cli": "^0.5.0",
+        "rimraf": "^3.0.2",
         "tmp": "^0.2.1",
         "ts-jest": "^29.0.3",
         "ts-node": "^10.9.1",

packages/schema/src/res/stdlib.zmodel

@@ -104,11 +104,13 @@ attribute @@deny(_ operation: String, _ condition: Boolean)
  * Indicates that the field is a password field and needs to be hashed before persistence.
  * 
  * ZenStack uses `bcryptjs` library to hash password. You can use the `saltLength` parameter
- * to configure length of salt, or use parameter to provide an explicit salt. By default, 12-byte
- * long salt is used.
+ * to configure the cost of hashing, or use `salt` parameter to provide an explicit salt.
+ * By default, salt length of 12 is used.
  *
- * @saltLength: length of salt to use
- * @salt: salt to use
+ * @see https://www.npmjs.com/package/bcryptjs for details
+ * 
+ * @saltLength: length of salt to use (cost factor for the hash function)
+ * @salt: salt to use (a pregenerated valid salt)
  */
 attribute @password(saltLength: Int?, salt: String?)
 

pnpm-lock.yaml

@@ -1,6 +1,6 @@
 {
     "name": "todo",
-    "version": "0.2.12",
+    "version": "0.2.15",
     "private": true,
     "scripts": {
         "dev": "next dev",

samples/todo/package.json

@@ -0,0 +1,3 @@
+{
+    "log": ["info", "warn", "error"]
+}