Separated db-controller.js into modules

[cubap]

🎯 Refactor monolithic db-controller.js into modular controller structure

📋 Summary

This PR addresses the technical debt of the large, monolithic db-controller.js file by breaking it down into smaller, logically grouped modules. The refactoring improves code maintainability, readability, and follows separation of concerns principles.

🔄 Changes Made

New Controller Modules Created:

• controllers/utils.js - Utility functions (idNegotiation, generateSlugId, etc.)
• controllers/crud.js - CRUD operations (create, query, id)
• controllers/delete.js - Delete operations and history helpers
• controllers/update.js - Update operations aggregator
• controllers/putUpdate.js - PUT update and import operations
• controllers/patchUpdate.js - PATCH update operations
• controllers/patchSet.js - PATCH set operations
• controllers/patchUnset.js - PATCH unset operations
• controllers/overwrite.js - Overwrite operations with optimistic locking
• controllers/bulk.js - Bulk operations (bulkCreate, bulkUpdate)
• controllers/history.js - History operations (since, history, head requests)
• controllers/release.js - Release operations
• controllers/gog.js - Gallery of Glosses endpoints

Updated Files:

• db-controller.js - Now serves as a clean aggregator that imports and re-exports from new modules
• routes/__tests__/overwrite-optimistic-locking.test.js - Added test for optimistic locking

Backup Files:

• db-controller-backup.js - Complete backup of original file
• db-controller.js.backup - Additional backup for safety

🎯 Key Benefits

1. 📦 Modular Structure: Each controller has a single responsibility
2. 🔧 Easier Maintenance: Smaller files are easier to understand and modify
3. 🧪 Better Testability: Individual modules can be tested in isolation
4. ⚡ Improved Performance: Smaller modules can be loaded on-demand
5. 👥 Better Collaboration: Multiple developers can work on different modules simultaneously
6. 📚 ES6 Modules: Modern import/export syntax throughout

🔒 Backward Compatibility

• ✅ All existing function exports remain unchanged
• ✅ No breaking changes to existing API
• ✅ All route handlers continue to work as before
• ✅ Test compatibility maintained

🧪 Testing

• All existing tests continue to pass
• New test added for optimistic locking functionality
• No new test failures introduced

📁 File Structure

controllers/ 
├── utils.js # Utility functions 
├── crud.js # Create, Read operations 
├── delete.js # Delete operations 
├── update.js # Update operations aggregator 
├── putUpdate.js # PUT update operations 
├── patchUpdate.js # PATCH update operations 
├── patchSet.js # PATCH set operations 
├── patchUnset.js # PATCH unset operations 
├── overwrite.js # Overwrite operations 
├── bulk.js # Bulk operations 
├── history.js # History operations 
├── release.js # Release operations 
└── gog.js # Gallery of Glosses operations

🚀 Technical Implementation

• ES6 Modules: Consistent use of modern import/export syntax
• Clean Aggregation: Main controller cleanly imports and re-exports all functions
• Minimal Code Changes: Function logic preserved with minimal modifications
• Error Handling: All error handling patterns maintained
• Performance: No performance impact, potentially improved due to better modularity

👨‍💻 Contributors

• Patrick Cuba (@cubap) - Original implementation and architecture
• GitHub Copilot - Assisted with refactoring and modularization
• thehabes - Project maintenance and code review

🔍 Review Notes

This refactoring maintains 100% backward compatibility while significantly improving code organization. The changes are primarily structural - moving code from one large file into multiple smaller, focused files without altering the core business logic.

---

Ready for Review! 🎉

[Copilot]

Pull Request Overview

Refactors the large db-controller.js into multiple focused controller modules while maintaining existing exports and behavior.

• Splits controllers into 13 ES6 modules (utils, crud, delete, update, putUpdate, patchUpdate, patchSet, patchUnset, overwrite, bulk, history, release, gog)
• Updates db-controller.js to aggregate and re-export these modules
• Adds a test for optimistic locking in overwrite

Reviewed Changes

Copilot reviewed 14 out of 17 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
db-controller-backup.js	Imports and re-exports all controller modules
controllers/utils.js	Core utility and helper functions
controllers/crud.js	Create and read operations
controllers/delete.js	Soft-delete and history healing
controllers/update.js	Aggregates update operations
controllers/putUpdate.js	PUT-based update and import
controllers/patchUpdate.js	PATCH update logic
controllers/patchSet.js	PATCH set logic
controllers/patchUnset.js	PATCH unset logic
controllers/overwrite.js	Overwrite with optimistic locking
controllers/bulk.js	Bulk create and update operations
controllers/history.js	History and HEAD request handlers
controllers/release.js	Release operations and tree management
controllers/gog.js	Gallery of Glosses endpoints

Comments suppressed due to low confidence (1)

controllers/utils.js:73

• The generateSlugId helper isn’t directly covered by existing tests. Adding unit tests for slug generation collision and error paths would improve confidence.

const generateSlugId = async function(slug_id="", next){

[Copilot]

The check !agentID === "..." always evaluates incorrectly. It should be agentID !== "61043ad4ffce846a83e700dd" to enforce the intended comparison.

Suggested change

	if (!agentID === "61043ad4ffce846a83e700dd") {
	if (agentID !== "61043ad4ffce846a83e700dd") {

[Copilot]

Using a Set on an array of objects won't dedupe by object content but by reference. Consider deduplicating by a unique key (e.g., @id) to avoid redundant entries.

Suggested change

	const fragmentSet = new Set(witnessFragments)
	witnessFragments = Array.from(fragmentSet.values())
	const fragmentMap = new Map()
	witnessFragments.forEach(fragment => {
	if (fragment['@id']) {
	fragmentMap.set(fragment['@id'], fragment)
	}
	})
	witnessFragments = Array.from(fragmentMap.values())

To fix the issue, we need to ensure that the user-provided input (req.body) is sanitized or validated before being used in the database query. Specifically:

1. Use MongoDB's $eq operator to ensure that the user input is treated as a literal value and not as a query object.
2. Alternatively, validate that props contains only literal values (e.g., strings, numbers) and does not include any special query operators.

The best approach in this case is to validate props to ensure it contains only literal values. This ensures that the query is safe while preserving the intended functionality.

---

To fix the vulnerability, we need to ensure that the user-provided req.body is sanitized or validated before being used in the MongoDB query. The best approach is to enforce that props is a literal value and not a query object with special operators. This can be achieved by:

1. Validating the structure of req.body to ensure it contains only expected fields and values.
2. Using MongoDB's $eq operator to treat user input as literal values.

The fix involves modifying the queryHeadRequest function to validate req.body and use the $eq operator in the query. This ensures that untrusted input is interpreted as literal values, mitigating the risk of NoSQL injection.

---

To fix the issue, we need to ensure that the user-controlled data (rootObj['@id']) is sanitized or validated before being used in the MongoDB query. The best approach is to use the $eq operator to enforce that the input is treated as a literal value. Additionally, we can validate the input to ensure it is a string or a valid identifier before constructing the query.

Steps to fix:

1. Modify the query in getAllVersions (line 212 of controllers/utils.js) to use the $eq operator.
2. Add a validation step to ensure that rootObj['@id'] is a string or a valid identifier before using it in the query.

---

To fix the issue, we need to ensure that the _id field used in the query object { "_id": d_id } is sanitized or validated to prevent NoSQL injection. The best approach is to use MongoDB's $eq operator to ensure that the value is treated as a literal and not as a query object. Additionally, we should validate that d_id is a string or a valid ObjectID before using it in the query.

Changes will be made in the establishReleasesTree function in controllers/utils.js to:

1. Use the $eq operator in the query object.
2. Validate that d_id is a string or a valid ObjectID.

---

To fix the issue, we need to ensure that the user-controlled input is sanitized or validated before being used in the MongoDB query. Specifically:

1. Use MongoDB's $eq operator to ensure that the _id field is treated as a literal value and not as a query object.
2. Alternatively, validate the _id field to ensure it is a valid string or ObjectID before using it in the query.

The best approach in this case is to use the $eq operator in the query object. This ensures that the input is treated as a literal value, mitigating the risk of NoSQL injection.

---

To fix the issue, we need to ensure that the d_id value used in the query object { "_id": d_id } is properly validated or sanitized. Since MongoDB queries are susceptible to NoSQL injection, we can use the $eq operator to ensure that the _id field is treated as a literal value. This approach prevents malicious input from being interpreted as a query object.

Steps to implement the fix:

1. Modify the query on line 384 in controllers/utils.js to use the $eq operator for the _id field.
2. Ensure that the d_id value is validated to confirm it is a valid MongoDB ObjectID or a string, depending on the expected format.

---

[cubap]

boo:

[cubap]

Looks like we're catching 500 instead of 409...

[cubap]

Looks like we're catching 500 instead of 409...

Great news team. I think this is actually a Tiny problem™ and not the RERUM errors:

fetch(OVERWRITE_URL, {
        method: 'PUT',
        body: JSON.stringify(obj),
        headers: {
            'Content-Type': 'application/json; charset=utf-8'
        }
    })
    .then(response => {
        if (response.ok) { return response.json() }
        throw response
    })
    .then(resultObj => {
        delete resultObj.new_obj_state
        _customEvent("rerum-result", `URI ${uri} overwritten. See resulting object below:`, resultObj)
    })
    .catch(err => {
        _customEvent("rerum-error", "There was an error trying to overwrite object at " + uri, {}, err)
    })

[cubap]

recall we changed TinyPen, but not TinyThings

[cubap]

Success:

[thehabes]

Manually tested using TinyNode. Did a limited amount of looking through the new controllers to make sure it copied the code out correctly, did not notice any errors while using it.