feat: Critical auth+autodiscovery fix and enhanced initModules() API

- CRITICAL: Fixed auth middleware bypass with auto-discovered modules
- Added bulletproof initModules() API for explicit module loading
- Ensures middleware order: auth runs before module routes
- Works with disabled auto-discovery via forced loading
- Synchronous interface: app.initModules() - no await required
- Identical behavior to enabled auto-discovery
- Comprehensive edge case handling and race condition protection

Completes v1.5.17

Author: M-Chris

CHANGELOG.md

@@ -1,4 +1,18 @@
-## [1.5.17] - 2025-09-28
+## [1.5.17] - 2025-09-29
+
+### Critical Fix
+- **Auto-Discovery + Auth Middleware Compatibility**: Fixed critical issue where auto-discovery could bypass user middleware (like auth)
+  - Module routes now properly respect the middleware chain order
+  - Auth middleware is guaranteed to run before module route handlers
+  - Comprehensive race condition protection and edge case handling
+
+### Major Enhancement
+- **Enhanced `initModules()` API**: Added powerful public API for explicit module loading control
+  - **Synchronous interface**: `app.initModules()` - no `await` required
+  - **Works with disabled auto-discovery**: Forces module loading even when `autoDiscover: false`
+  - **Custom configuration support**: `app.initModules({ paths: ['./my-modules'] })`
+  - **Identical behavior**: Uses same discovery and loading mechanisms as enabled auto-discovery
+  - **Perfect timing**: Ensures modules load before server starts, maintaining middleware order
 
 ### Fixed
 - **JWT Error Handling**: Enhanced JWT error detection and handling to provide elegant user-friendly messages
@@ -15,6 +29,9 @@
 ### Architectural Improvements
 - **Separation of Concerns**: HTTP server now focuses purely on HTTP protocol concerns, not application-specific authentication
 - **Cleaner Error Handling**: JWT errors are handled elegantly at the middleware level where they belong
+- **Robust Module Loading**: Two-phase module mounting ensures middleware order is preserved
+- **Race Condition Protection**: Auto-discovery initialization is idempotent and handles concurrent calls safely
+- **Unified Module Loading**: All module loading paths now use identical discovery and loading mechanisms
 
 ## [1.5.16] - 2025-09-28
 

src/core/framework.ts

@@ -619,22 +619,61 @@ export class Moro extends EventEmitter {
     this.logger.debug(`Mounting router for basePath: ${basePath}`, 'Router');
 
     // Enterprise-grade middleware integration with performance optimization
+    // IMPORTANT: Module middleware runs AFTER user middleware (like auth) to ensure proper order
     this.httpServer.use(async (req: HttpRequest, res: HttpResponse, next: () => void) => {
       if (req.path.startsWith(basePath)) {
         this.logger.debug(`Module middleware handling: ${req.method} ${req.path}`, 'Middleware', {
           basePath,
         });
 
+        // Mark this request as being handled by a module
+        (req as any).__moduleBasePath = basePath;
+        (req as any).__moduleRouter = router;
+
+        // Continue to next middleware (including auth) first
+        next();
+      } else {
+        next();
+      }
+    });
+
+    this.logger.info(`Router mounted for ${basePath}`, 'Router');
+  }
+
+  private finalModuleHandlerSetup = false;
+
+  // Setup final module handler that runs after all user middleware
+  setupFinalModuleHandler(): void {
+    // Prevent duplicate setup
+    if (this.finalModuleHandlerSetup) {
+      this.logger.debug('Final module handler already set up, skipping', 'ModuleSystem');
+      return;
+    }
+    this.finalModuleHandlerSetup = true;
+
+    this.logger.info(
+      'Setting up final module handler to run after user middleware',
+      'ModuleSystem'
+    );
+
+    this.httpServer.use(async (req: HttpRequest, res: HttpResponse, next: () => void) => {
+      // Check if this request was marked for module handling
+      const moduleBasePath = (req as any).__moduleBasePath;
+      const moduleRouter = (req as any).__moduleRouter;
+
+      if (moduleBasePath && moduleRouter && !res.headersSent) {
+        this.logger.debug(`Final module handler processing: ${req.method} ${req.path}`, 'Router');
+
         try {
-          const handled = await router.handle(req, res, basePath);
-          this.logger.debug(`Route handled: ${handled}`, 'Router');
+          const handled = await moduleRouter.handle(req, res, moduleBasePath);
+          this.logger.debug(`Route handled by module: ${handled}`, 'Router');
 
           if (!handled) {
             next(); // Let other middleware handle it
           }
           // If handled, the router already sent the response, so don't call next()
         } catch (error) {
-          this.logger.error('Router error', 'Router', {
+          this.logger.error('Module router error', 'Router', {
             error: error instanceof Error ? error.message : String(error),
           });
           if (!res.headersSent) {
@@ -645,8 +684,6 @@ export class Moro extends EventEmitter {
         next();
       }
     });
-
-    this.logger.info(`Router mounted for ${basePath}`, 'Router');
   }
 
   private async setupWebSocketHandlers(config: ModuleConfig): Promise<void> {

src/moro.ts

@@ -27,6 +27,9 @@ export class Moro extends EventEmitter {
   private lazyModules = new Map<string, ModuleConfig>();
   private routeHandlers: Record<string, Function> = {};
   private moduleDiscovery?: any; // Store for cleanup
+  private autoDiscoveryOptions: MoroOptions | null = null;
+  private autoDiscoveryInitialized = false;
+  private autoDiscoveryPromise: Promise<void> | null = null;
   // Enterprise event system integration
   private eventBus: MoroEventBus;
   // Application logger
@@ -118,15 +121,10 @@ export class Moro extends EventEmitter {
       ...options,
     });
 
-    // Auto-discover modules if enabled
-    if (options.autoDiscover !== false) {
-      // Initialize auto-discovery asynchronously
-      this.initializeAutoDiscovery(options).catch(error => {
-        this.logger.error('Auto-discovery initialization failed', 'Framework', {
-          error: error instanceof Error ? error.message : String(error),
-        });
-      });
-    }
+    // Store auto-discovery options for later initialization
+    // IMPORTANT: Auto-discovery is deferred to ensure user middleware (like auth)
+    // is registered before module middleware that might bypass it
+    this.autoDiscoveryOptions = options.autoDiscover !== false ? options : null;
 
     // Emit initialization event through enterprise event bus
     this.eventBus.emit('framework:initialized', {
@@ -355,6 +353,13 @@ export class Moro extends EventEmitter {
         version: moduleOrPath.version || '1.0.0',
       });
     }
+
+    // IMPORTANT: If modules are loaded manually after auto-discovery,
+    // ensure the final module handler is set up to maintain middleware order
+    if (this.autoDiscoveryInitialized) {
+      this.coreFramework.setupFinalModuleHandler();
+    }
+
     return this;
   }
 
@@ -496,35 +501,162 @@ export class Moro extends EventEmitter {
       this.registerDirectRoutes();
     }
 
-    const actualCallback = () => {
-      const displayHost = host || 'localhost';
-      this.logger.info('Moro Server Started', 'Server');
-      this.logger.info(`Runtime: ${this.runtimeType}`, 'Server');
-      this.logger.info(`HTTP API: http://${displayHost}:${port}`, 'Server');
-      if (this.config.websocket.enabled) {
-        this.logger.info(`WebSocket: ws://${displayHost}:${port}`, 'Server');
-      }
-      this.logger.info('Learn more at https://morojs.com', 'Server');
+    const startServer = () => {
+      const actualCallback = () => {
+        const displayHost = host || 'localhost';
+        this.logger.info('Moro Server Started', 'Server');
+        this.logger.info(`Runtime: ${this.runtimeType}`, 'Server');
+        this.logger.info(`HTTP API: http://${displayHost}:${port}`, 'Server');
+        if (this.config.websocket.enabled) {
+          this.logger.info(`WebSocket: ws://${displayHost}:${port}`, 'Server');
+        }
+        this.logger.info('Learn more at https://morojs.com', 'Server');
+
+        // Log intelligent routes info
+        const intelligentRoutes = this.intelligentRouting.getIntelligentRoutes();
+        if (intelligentRoutes.length > 0) {
+          this.logger.info(`Intelligent Routes: ${intelligentRoutes.length} registered`, 'Server');
+        }
+
+        this.eventBus.emit('server:started', { port, runtime: this.runtimeType });
+        if (callback) callback();
+      };
 
-      // Log intelligent routes info
-      const intelligentRoutes = this.intelligentRouting.getIntelligentRoutes();
-      if (intelligentRoutes.length > 0) {
-        this.logger.info(`Intelligent Routes: ${intelligentRoutes.length} registered`, 'Server');
+      if (host && typeof host === 'string') {
+        this.coreFramework.listen(port, host, actualCallback);
+      } else {
+        this.coreFramework.listen(port, actualCallback);
       }
+    };
 
-      this.eventBus.emit('server:started', { port, runtime: this.runtimeType });
-      if (callback) callback();
+    // Ensure auto-discovery is complete before starting server
+    this.ensureAutoDiscoveryComplete()
+      .then(() => {
+        startServer();
+      })
+      .catch(error => {
+        this.logger.error('Auto-discovery initialization failed during server start', 'Framework', {
+          error: error instanceof Error ? error.message : String(error),
+        });
+        // Start server anyway - auto-discovery failure shouldn't prevent startup
+        startServer();
+      });
+  }
+
+  // Public method to manually initialize auto-discovery
+  // Useful for ensuring auth middleware is registered before auto-discovery
+  async initializeAutoDiscoveryNow(): Promise<void> {
+    return this.ensureAutoDiscoveryComplete();
+  }
+
+  // Public API: Initialize modules explicitly after middleware setup
+  // This provides users with explicit control over module loading timing
+  // IMPORTANT: This forces module loading even if autoDiscovery.enabled is false
+  // Usage: app.initModules() or app.initModules({ paths: ['./my-modules'] })
+  initModules(options?: {
+    paths?: string[];
+    patterns?: string[];
+    recursive?: boolean;
+    loadingStrategy?: 'eager' | 'lazy' | 'conditional';
+    watchForChanges?: boolean;
+    ignorePatterns?: string[];
+    loadOrder?: 'alphabetical' | 'dependency' | 'custom';
+    failOnError?: boolean;
+    maxDepth?: number;
+  }): void {
+    this.logger.info('User-requested module initialization', 'ModuleSystem');
+
+    // If already initialized, do nothing
+    if (this.autoDiscoveryInitialized) {
+      this.logger.debug('Auto-discovery already completed, skipping', 'ModuleSystem');
+      return;
+    }
+
+    // Store the options and mark that we want to force initialization
+    this.autoDiscoveryOptions = {
+      autoDiscover: {
+        enabled: true, // Force enabled regardless of original config
+        paths: options?.paths || ['./modules', './src/modules'],
+        patterns: options?.patterns || [
+          '**/*.module.{ts,js}',
+          '**/index.{ts,js}',
+          '**/*.config.{ts,js}',
+        ],
+        recursive: options?.recursive ?? true,
+        loadingStrategy: options?.loadingStrategy || ('eager' as const),
+        watchForChanges: options?.watchForChanges ?? false,
+        ignorePatterns: options?.ignorePatterns || [
+          '**/*.test.{ts,js}',
+          '**/*.spec.{ts,js}',
+          '**/node_modules/**',
+        ],
+        loadOrder: options?.loadOrder || ('dependency' as const),
+        failOnError: options?.failOnError ?? false,
+        maxDepth: options?.maxDepth ?? 5,
+      },
     };
 
-    if (host && typeof host === 'string') {
-      this.coreFramework.listen(port, host, actualCallback);
-    } else {
-      this.coreFramework.listen(port, actualCallback);
+    this.logger.debug(
+      'Module initialization options stored, will execute on next listen/getHandler call',
+      'ModuleSystem'
+    );
+  }
+
+  // Robust method to ensure auto-discovery is complete, handling race conditions
+  private async ensureAutoDiscoveryComplete(): Promise<void> {
+    // If already initialized, nothing to do
+    if (this.autoDiscoveryInitialized) {
+      return;
+    }
+
+    // If auto-discovery is disabled, mark as initialized
+    if (!this.autoDiscoveryOptions) {
+      this.autoDiscoveryInitialized = true;
+      return;
+    }
+
+    // If already in progress, wait for it to complete
+    if (this.autoDiscoveryPromise) {
+      return this.autoDiscoveryPromise;
+    }
+
+    // Start auto-discovery
+    this.autoDiscoveryPromise = this.performAutoDiscovery();
+
+    try {
+      await this.autoDiscoveryPromise;
+      this.autoDiscoveryInitialized = true;
+    } catch (error) {
+      // Reset promise on error so it can be retried
+      this.autoDiscoveryPromise = null;
+      throw error;
+    } finally {
+      this.autoDiscoveryOptions = null; // Clear after attempt
     }
   }
 
+  // Perform the actual auto-discovery work
+  private async performAutoDiscovery(optionsOverride?: MoroOptions): Promise<void> {
+    const optionsToUse = optionsOverride || this.autoDiscoveryOptions;
+    if (!optionsToUse) return;
+
+    this.logger.debug('Starting auto-discovery initialization', 'AutoDiscovery');
+
+    await this.initializeAutoDiscovery(optionsToUse);
+
+    this.logger.debug('Auto-discovery initialization completed', 'AutoDiscovery');
+  }
+
   // Get handler for non-Node.js runtimes
   getHandler() {
+    // Ensure auto-discovery is complete for non-Node.js runtimes
+    // This handles the case where users call getHandler() immediately after createApp()
+    this.ensureAutoDiscoveryComplete().catch(error => {
+      this.logger.error('Auto-discovery initialization failed for runtime handler', 'Framework', {
+        error: error instanceof Error ? error.message : String(error),
+      });
+    });
+
     // Create a unified request handler that works with the runtime adapter
     const handler = async (req: HttpRequest, res: HttpResponse) => {
       // Add documentation middleware first (if enabled)
@@ -902,6 +1034,9 @@ export class Moro extends EventEmitter {
       // Load modules based on strategy
       await this.loadDiscoveredModules(modules, autoDiscoveryConfig);
 
+      // Setup final module handler to run after user middleware (like auth)
+      this.coreFramework.setupFinalModuleHandler();
+
       // Setup file watching if enabled
       if (autoDiscoveryConfig.watchForChanges) {
         this.moduleDiscovery.watchModulesAdvanced(

tests/unit/core/moro-auto-discovery.test.ts

@@ -113,8 +113,8 @@ describe('Moro Auto-Discovery Integration', () => {
         }
       });
 
-      // Wait for auto-discovery to complete
-      await new Promise(resolve => setTimeout(resolve, 100));
+      // Trigger auto-discovery manually (using the async method for tests)
+      await app.initializeAutoDiscoveryNow();
 
       // Check that modules are loaded
       expect((app as any).loadedModules.has('users')).toBe(true);
@@ -130,8 +130,8 @@ describe('Moro Auto-Discovery Integration', () => {
         }
       });
 
-      // Wait for auto-discovery to complete
-      await new Promise(resolve => setTimeout(resolve, 100));
+      // Trigger auto-discovery manually (using the async method for tests)
+      await app.initializeAutoDiscoveryNow();
 
       // Check that modules are registered for lazy loading
       expect((app as any).lazyModules.has('users')).toBe(true);
@@ -173,8 +173,8 @@ describe('Moro Auto-Discovery Integration', () => {
         }
       });
 
-      // Wait for auto-discovery to complete
-      await new Promise(resolve => setTimeout(resolve, 100));
+      // Trigger auto-discovery manually (using the async method for tests)
+      await app.initializeAutoDiscoveryNow();
 
       // Admin module should not be loaded in development
       expect((app as any).loadedModules.has('admin')).toBe(false);
@@ -346,7 +346,8 @@ describe('Moro Auto-Discovery Integration', () => {
 
       const app = createApp({ autoDiscover: true });
 
-      await new Promise(resolve => setTimeout(resolve, 100));
+      // Trigger auto-discovery manually (using the async method for tests)
+      await app.initializeAutoDiscoveryNow();
 
       expect((app as any).loadedModules.has('legacy')).toBe(true);
     });
@@ -360,7 +361,8 @@ describe('Moro Auto-Discovery Integration', () => {
 
       const app = createApp({ modulesPath: './modules' });
 
-      await new Promise(resolve => setTimeout(resolve, 200));
+      // Trigger auto-discovery manually (using the async method for tests)
+      await app.initializeAutoDiscoveryNow();
 
       expect((app as any).loadedModules.has('custom-path')).toBe(true);
     });