@airoom/nextmin-node 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/dist/api/apiRouter.d.ts +6 -20
  2. package/dist/api/apiRouter.js +86 -1476
  3. package/dist/api/router/ctx.d.ts +25 -0
  4. package/dist/api/router/ctx.js +2 -0
  5. package/dist/api/router/mountCrudRoutes.d.ts +2 -0
  6. package/dist/api/router/mountCrudRoutes.js +754 -0
  7. package/dist/api/router/mountFindRoutes.d.ts +2 -0
  8. package/dist/api/router/mountFindRoutes.js +205 -0
  9. package/dist/api/router/setupAuthRoutes.d.ts +2 -0
  10. package/dist/api/router/setupAuthRoutes.js +247 -0
  11. package/dist/api/router/setupFileRoutes.d.ts +2 -0
  12. package/dist/api/router/setupFileRoutes.js +85 -0
  13. package/dist/api/router/utils.d.ts +63 -0
  14. package/dist/api/router/utils.js +247 -0
  15. package/dist/database/MongoAdapter.d.ts +1 -1
  16. package/dist/database/MongoAdapter.js +21 -32
  17. package/dist/schemas/Roles.json +7 -2
  18. package/dist/utils/DefaultDataInitializer.js +3 -0
  19. package/dist/utils/SchemaLoader.js +28 -7
  20. package/package.json +1 -1
package/dist/api/apiRouter.js CHANGED
@@ -7,16 +7,15 @@ exports.APIRouter = void 0;
7
7
  const express_1 = __importDefault(require("express"));
8
8
  const BaseModel_1 = require("../models/BaseModel");
9
9
  const Logger_1 = __importDefault(require("../utils/Logger"));
10
- const bcrypt_1 = __importDefault(require("bcrypt"));
11
10
  const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
12
11
  const SchemaLoader_1 = require("../utils/SchemaLoader");
13
12
  const InMemoryAdapter_1 = require("../database/InMemoryAdapter");
14
13
  const DefaultDataInitializer_1 = require("../utils/DefaultDataInitializer");
15
14
  const SchemaService_1 = require("../services/SchemaService");
16
- const multer_1 = __importDefault(require("multer"));
17
- const filename_1 = require("../files/filename");
18
- const authorize_1 = require("../policy/authorize");
19
- const fieldCodecs_1 = require("../utils/fieldCodecs");
15
+ const setupFileRoutes_1 = require("./router/setupFileRoutes");
16
+ const setupAuthRoutes_1 = require("./router/setupAuthRoutes");
17
+ const mountCrudRoutes_1 = require("./router/mountCrudRoutes");
18
+ const mountFindRoutes_1 = require("./router/mountFindRoutes");
20
19
  class APIRouter {
21
20
  constructor(options) {
22
21
  this.models = {};
@@ -25,7 +24,8 @@ class APIRouter {
25
24
  this.schemasRouteRegistered = false;
26
25
  this.registeredModels = new Set();
27
26
  this.liveSchemas = {};
28
- // ---------------- Live lookups ----------------
27
+ this.fileRoutesMounted = false;
28
+ // ---------- Live lookups ----------
29
29
  this.getSchema = (name) => {
30
30
  const s = this.liveSchemas[name];
31
31
  if (!s) {
@@ -45,8 +45,7 @@ class APIRouter {
45
45
  }
46
46
  return m;
47
47
  };
48
- this.fileAuthMiddleware = (req, res, next) => this.authenticateMiddleware(req, res, next);
49
- // ---------------- Auth (login/me/change-password) ----------------
48
+ // ---------- middleware ----------
50
49
  this.optionalAuthMiddleware = (req, res, next) => {
51
50
  this.apiKeyMiddleware(req, res, () => {
52
51
  const authHeader = req.headers.authorization;
@@ -65,7 +64,7 @@ class APIRouter {
65
64
  });
66
65
  };
67
66
  this.normalizeRoleName = async (value) => {
68
- const rolesModel = this.getModel('roles'); // already available in your router
67
+ const rolesModel = this.getModel('roles');
69
68
  const isHex24 = (s) => /^[0-9a-fA-F]{24}$/.test(s);
70
69
  const fromString = async (s) => {
71
70
  if (!s)
@@ -75,7 +74,7 @@ class APIRouter {
75
74
  const n = docs?.[0]?.name;
76
75
  return typeof n === 'string' ? n : null;
77
76
  }
78
- return s; // assume literal role name like "admin"
77
+ return s;
79
78
  };
80
79
  if (typeof value === 'string')
81
80
  return (await fromString(value))?.toLowerCase() ?? null;
@@ -102,6 +101,7 @@ class APIRouter {
102
101
  }
103
102
  return null;
104
103
  };
104
+ // ---------- auth middlewares ----------
105
105
  this.apiKeyMiddleware = (req, res, next) => {
106
106
  const apiKey = req.headers['x-api-key'];
107
107
  if (typeof apiKey !== 'string' || apiKey !== this.trustedApiKey) {
@@ -128,10 +128,50 @@ class APIRouter {
128
128
  }
129
129
  });
130
130
  };
131
+ // ---------- helpers ----------
132
+ this.validateRequiredFields = (schema, payload, mode = 'create') => {
133
+ const missing = [];
134
+ const isEmpty = (v) => v === undefined ||
135
+ v === null ||
136
+ (typeof v === 'string' && v.trim() === '');
137
+ let baseKeys = null;
138
+ const baseName = schema?.extends;
139
+ if (baseName) {
140
+ try {
141
+ const baseLC = baseName.toLowerCase();
142
+ const baseSchema = this.getSchema(baseLC);
143
+ baseKeys = new Set(Object.keys(baseSchema.attributes || {}));
144
+ }
145
+ catch {
146
+ baseKeys = null;
147
+ }
148
+ }
149
+ for (const [key, attribute] of Object.entries(schema.attributes)) {
150
+ if (Array.isArray(attribute))
151
+ continue;
152
+ if (attribute?.private)
153
+ continue;
154
+ if (baseKeys && key !== 'baseId' && baseKeys.has(key))
155
+ continue;
156
+ const reqd = Boolean(attribute?.required);
157
+ if (!reqd)
158
+ continue;
159
+ if (mode === 'create') {
160
+ if (isEmpty(payload[key]))
161
+ missing.push(key);
162
+ }
163
+ else {
164
+ if (Object.prototype.hasOwnProperty.call(payload, key) &&
165
+ isEmpty(payload[key])) {
166
+ missing.push(key);
167
+ }
168
+ }
169
+ }
170
+ return missing;
171
+ };
131
172
  this.isDevelopment = process.env.APP_MODE !== 'production';
132
173
  this.router = express_1.default.Router();
133
174
  this.fileStorage = options.fileStorageAdapter;
134
- this.setupFileRoutes();
135
175
  this.dbAdapter = options.dbAdapter || new InMemoryAdapter_1.InMemoryAdapter();
136
176
  this.jwtSecret = process.env.JWT_SECRET || 'default_jwt_secret';
137
177
  if (this.isDevelopment && options.server) {
@@ -156,6 +196,7 @@ class APIRouter {
156
196
  this.mountSchemasEndpointOnce();
157
197
  this.mountRoutes(initialSchemas);
158
198
  this.mountFindRoutes();
199
+ this.mountFileRoutes();
159
200
  await this.syncAllIndexes(initialSchemas);
160
201
  const initializer = new DefaultDataInitializer_1.DefaultDataInitializer(this.dbAdapter, this.models);
161
202
  try {
@@ -185,10 +226,9 @@ class APIRouter {
185
226
  });
186
227
  }
187
228
  getRouter() {
188
- // Avoid noisy logs on each getRouter() call
189
229
  return this.router;
190
230
  }
191
- // ---------------- Hot reload ----------------
231
+ // ---------- Hot reload ----------
192
232
  wireSchemaHotReload() {
193
233
  const anyLoader = this.schemaLoader;
194
234
  if (typeof anyLoader.on !== 'function')
@@ -226,7 +266,7 @@ class APIRouter {
226
266
  async syncAllIndexes(schemas) {
227
267
  if (typeof this.dbAdapter.syncIndexes !== 'function')
228
268
  return;
229
- const plan = this.schemaLoader.getIndexPlan(); // modelName -> { field: dir }
269
+ const plan = this.schemaLoader.getIndexPlan();
230
270
  for (const s of Object.values(schemas)) {
231
271
  const modelName = s.modelName;
232
272
  const spec = plan[modelName];
@@ -262,7 +302,6 @@ class APIRouter {
262
302
  this.models[name] = new BaseModel_1.BaseModel(s, this.dbAdapter);
263
303
  }
264
304
  }
265
- // ---------------- Mounting ----------------
266
305
  mountSchemasEndpointOnce() {
267
306
  if (this.schemasRouteRegistered)
268
307
  return;
@@ -276,1176 +315,56 @@ class APIRouter {
276
315
  }
277
316
  mountRoutes(schemas) {
278
317
  if (!this.authRoutesInitialized && this.liveSchemas['users']) {
279
- this.setupAuthRoutes();
318
+ (0, setupAuthRoutes_1.setupAuthRoutes)(this.createCtx());
280
319
  this.authRoutesInitialized = true;
281
320
  }
282
321
  for (const s of Object.values(schemas)) {
283
322
  const name = s.modelName.toLowerCase();
284
323
  if (this.registeredModels.has(name))
285
324
  continue;
286
- this.setupRoutes(name);
325
+ (0, mountCrudRoutes_1.mountCrudRoutes)(this.createCtx(), name);
287
326
  this.registeredModels.add(name);
288
327
  }
289
328
  this.ensureNotFoundLast();
290
329
  }
291
- // ---------------- Generic CRUD (policy-enforced) ----------------
292
- setupRoutes(modelNameLC) {
293
- const basePath = `/${modelNameLC}`;
294
- const mwCreate = this.pickAuthFor('create', modelNameLC);
295
- const mwRead = this.pickAuthFor('read', modelNameLC);
296
- const mwUpdate = this.pickAuthFor('update', modelNameLC);
297
- const mwDelete = this.pickAuthFor('delete', modelNameLC);
298
- const ctxFromReq = (req) => {
299
- const raw = req.user?.role;
300
- let roleStr = null;
301
- if (typeof raw === 'string') {
302
- roleStr = raw;
303
- }
304
- else if (Array.isArray(raw)) {
305
- const first = raw[0];
306
- if (typeof first === 'string')
307
- roleStr = first;
308
- else if (first &&
309
- typeof first === 'object' &&
310
- typeof first.name === 'string') {
311
- roleStr = first.name;
312
- }
313
- }
314
- else if (raw &&
315
- typeof raw === 'object' &&
316
- typeof raw.name === 'string') {
317
- roleStr = raw.name;
318
- }
319
- roleStr = roleStr ? roleStr.toLowerCase() : null;
320
- return {
321
- isAuthenticated: !!req.user,
322
- role: roleStr,
323
- userId: req.user?.id ?? req.user?._id ?? null,
324
- isSuperadmin: roleStr === 'superadmin',
325
- apiKeyOk: true,
326
- };
327
- };
328
- // -------------- CREATE --------------
329
- this.router.post(basePath, mwCreate, async (req, res) => {
330
- try {
331
- const schema = this.getSchema(modelNameLC);
332
- if (!schema.allowedMethods.create) {
333
- return res
334
- .status(405)
335
- .json({ error: true, message: 'Method not allowed' });
336
- }
337
- const model = this.getModel(modelNameLC);
338
- const ctx = ctxFromReq(req);
339
- const schemaPolicy = {
340
- allowedMethods: schema.allowedMethods,
341
- access: schema.access,
342
- };
343
- const cdec = (0, authorize_1.authorize)(modelNameLC, 'create', schemaPolicy, ctx);
344
- if (!cdec.allow) {
345
- return res.status(403).json({ error: true, message: 'forbidden' });
346
- }
347
- let payload = (0, authorize_1.mergeCreateDefaults)(req.body, cdec.createDefaults);
348
- (0, authorize_1.enforceRestrictions)(payload, cdec.restrictions, ctx);
349
- if (!cdec.exposePrivate) {
350
- payload = (0, authorize_1.stripWriteDeny)(payload, cdec.writeDeny);
351
- }
352
- // ✅ NEW: DB-agnostic coercion (time/date/range → canonical strings)
353
- payload = (0, fieldCodecs_1.coerceForStorage)(schema, payload);
354
- // CREATE: required fields must be present and non-empty (now in canonical shape)
355
- const missing = this.validateRequiredFields(schema, payload, 'create');
356
- if (missing.length) {
357
- return res.status(400).json({
358
- error: true,
359
- message: `Missing required fields: ${missing.join(', ')}`,
360
- });
361
- }
362
- const conflicts = await this.checkUniqueFields(schema, payload);
363
- if (conflicts && conflicts.length > 0) {
364
- return res.status(400).json({
365
- error: true,
366
- fields: conflicts.map((field) => ({
367
- field,
368
- error: true,
369
- message: `You cannot use this ${field}. It's already been used.`,
370
- })),
371
- });
372
- }
373
- // Hash password for Users creates
374
- if (modelNameLC === 'users' && payload.password && this.jwtSecret) {
375
- const salt = await bcrypt_1.default.genSalt(10);
376
- payload.password = await bcrypt_1.default.hash(String(payload.password) + this.jwtSecret, salt);
377
- }
378
- // Extended schema handling: split into base + child
379
- if (schema.extends) {
380
- const baseName = String(schema.extends);
381
- const baseLC = baseName.toLowerCase();
382
- const baseSchema = this.getSchema(baseLC);
383
- const baseModel = this.getModel(baseLC);
384
- // Partition payload by base attributes
385
- const basePayload = {};
386
- const childPayload = {};
387
- for (const [k, v] of Object.entries(payload)) {
388
- if (baseSchema.attributes[k])
389
- basePayload[k] = v;
390
- else
391
- childPayload[k] = v;
392
- }
393
- // Unique checks per collection
394
- const baseConflicts = await this.checkUniqueFields(baseSchema, basePayload);
395
- if (baseConflicts && baseConflicts.length > 0) {
396
- return res.status(400).json({
397
- error: true,
398
- fields: baseConflicts.map((field) => ({
399
- field,
400
- error: true,
401
- message: `You cannot use this ${field}. It's already been used.`,
402
- })),
403
- });
404
- }
405
- const childConflicts = await this.checkUniqueFields(schema, childPayload);
406
- if (childConflicts && childConflicts.length > 0) {
407
- return res.status(400).json({
408
- error: true,
409
- fields: childConflicts.map((field) => ({
410
- field,
411
- error: true,
412
- message: `You cannot use this ${field}. It's already been used.`,
413
- })),
414
- });
415
- }
416
- // Hash password if base is Users
417
- if (baseLC === 'users' && basePayload.password && this.jwtSecret) {
418
- const salt = await bcrypt_1.default.genSalt(10);
419
- basePayload.password = await bcrypt_1.default.hash(String(basePayload.password) + this.jwtSecret, salt);
420
- }
421
- // Create base first
422
- const baseCreated = await baseModel.create(basePayload);
423
- // Then create child linking to base
424
- const linkField = 'baseId';
425
- const childToCreate = { ...childPayload, [linkField]: baseCreated.id };
426
- const childCreated = await model.create(childToCreate);
427
- // Merge docs for response (child overrides base on conflicts)
428
- let resultDoc = { ...baseCreated, ...childCreated };
429
- delete resultDoc.baseId;
430
- if (cdec.exposePrivate && childCreated?.id) {
431
- // Re-fetch both with private if needed
432
- const [refChild] = await model.read({ id: childCreated.id }, 1, 0, true);
433
- const [refBase] = await baseModel.read({ id: baseCreated.id }, 1, 0, true);
434
- if (refChild && refBase) {
435
- resultDoc = { ...refBase, ...refChild };
436
- delete resultDoc.baseId;
437
- }
438
- }
439
- const masked = cdec.exposePrivate
440
- ? (0, authorize_1.applyReadMaskOne)(resultDoc, cdec.sensitiveMask)
441
- : (0, authorize_1.applyReadMaskOne)(resultDoc, cdec.readMask);
442
- return res.status(201).json({
443
- success: true,
444
- message: `${schema.modelName} has been created successfully.`,
445
- data: masked,
446
- });
447
- }
448
- // Default (non-extended)
449
- const created = await model.create(payload);
450
- let resultDoc = created;
451
- if (cdec.exposePrivate && created?.id) {
452
- const refetched = await model.read({ id: created.id }, 1, 0, true);
453
- if (refetched?.[0])
454
- resultDoc = refetched[0];
455
- }
456
- const masked = cdec.exposePrivate
457
- ? (0, authorize_1.applyReadMaskOne)(resultDoc, cdec.sensitiveMask)
458
- : (0, authorize_1.applyReadMaskOne)(resultDoc, cdec.readMask);
459
- return res.status(201).json({
460
- success: true,
461
- message: `${schema.modelName} has been created successfully.`,
462
- data: masked,
463
- });
464
- }
465
- catch (error) {
466
- if (error?.code === 'MODEL_REMOVED') {
467
- return res
468
- .status(410)
469
- .json({ error: true, message: error.message });
470
- }
471
- this.handleWriteError(error, res);
472
- }
473
- });
474
- // -------------- READ (list) --------------
475
- this.router.get(basePath, mwRead, async (req, res) => {
476
- try {
477
- const schema = this.getSchema(modelNameLC);
478
- if (!schema.allowedMethods.read) {
479
- return res
480
- .status(405)
481
- .json({ error: true, message: 'Method not allowed' });
482
- }
483
- const model = this.getModel(modelNameLC);
484
- const page = Number.parseInt(String(req.query.page ?? '0'), 10) || 0;
485
- const limit = Number.parseInt(String(req.query.limit ?? '10'), 10) || 10;
486
- // ---- search params (extended) ----
487
- const q = String(req.query.q ?? '').trim();
488
- const searchKey = String(req.query.searchKey ?? '').trim();
489
- const searchKeysCSV = String(req.query.searchKeys ?? '').trim();
490
- const searchMode = /^(and|or)$/i.test(String(req.query.searchMode ?? ''))
491
- ? String(req.query.searchMode).toLowerCase()
492
- : 'or';
493
- const dateFromStr = String(req.query.dateFrom ?? '').trim();
494
- const dateToStr = String(req.query.dateTo ?? '').trim();
495
- let dateKey = String(req.query.dateKey ?? 'createdAt').trim();
496
- // ---- NEW: sort params (supports CSV for multi-field) ----
497
- const sortRaw = String(req.query.sort ?? '').trim(); // e.g. "name,createdAt"
498
- const sortTypeRaw = String(req.query.sortType ?? '').trim(); // e.g. "asc,desc"
499
- const filter = {};
500
- const splitCSV = (raw) => raw
501
- .split(',')
502
- .map((s) => s.trim())
503
- .filter(Boolean);
504
- // Build sort spec limited to schema fields. Default desc(createdAt) if nothing valid provided.
505
- const buildSortSpec = () => {
506
- const keys = splitCSV(sortRaw);
507
- const dirs = splitCSV(sortTypeRaw);
508
- const sort = {};
509
- keys.forEach((k, i) => {
510
- // keep the guard so unknown fields are ignored
511
- if (!schema.attributes?.[k])
512
- return;
513
- const d = dirs[i] ?? dirs[dirs.length - 1] ?? 'desc';
514
- sort[k] = /^(desc|-1)$/i.test(d) ? -1 : 1;
515
- });
516
- if (!Object.keys(sort).length) {
517
- // ✅ always default
518
- sort.createdAt = -1;
519
- }
520
- return sort;
521
- };
522
- // ---- SEARCH (legacy + multi) ----
523
- const ors = [];
524
- const ands = [];
525
- const buildPredicateForField = (field, attr, raw) => {
526
- const isArray = Array.isArray(attr);
527
- const base = isArray ? attr[0] : attr;
528
- const attrType = this.normalizeAttrType(base);
529
- const tokens = splitCSV(raw);
530
- switch (attrType) {
531
- case 'string':
532
- return isArray
533
- ? { [field]: { $in: tokens.length ? tokens : [raw] } }
534
- : { [field]: { $regex: raw, $options: 'i' } };
535
- case 'number': {
536
- const nums = tokens.map(Number).filter((n) => !Number.isNaN(n));
537
- return isArray
538
- ? nums.length
539
- ? { [field]: { $in: nums } }
540
- : null
541
- : nums.length
542
- ? { [field]: nums[0] }
543
- : null;
544
- }
545
- case 'boolean': {
546
- const toBool = (t) => /^(true|1|yes)$/i.test(t)
547
- ? true
548
- : /^(false|0|no)$/i.test(t)
549
- ? false
550
- : null;
551
- if (isArray) {
552
- const bools = tokens
553
- .map(toBool)
554
- .filter((v) => v !== null);
555
- return bools.length ? { [field]: { $in: bools } } : null;
556
- }
557
- const b = toBool(raw);
558
- return b === null ? null : { [field]: b };
559
- }
560
- case 'objectid':
561
- return isArray || tokens.length > 1
562
- ? { [field]: { $in: tokens } }
563
- : raw
564
- ? { [field]: raw }
565
- : null;
566
- case 'date': {
567
- const toDate = (t) => {
568
- const d = new Date(t);
569
- return Number.isNaN(+d) ? null : d;
570
- };
571
- if (isArray) {
572
- const ds = tokens.map(toDate).filter((d) => !!d);
573
- return ds.length ? { [field]: { $in: ds } } : null;
574
- }
575
- const d = toDate(raw);
576
- return d ? { [field]: d } : null;
577
- }
578
- default:
579
- return isArray
580
- ? { [field]: { $in: tokens.length ? tokens : [raw] } }
581
- : { [field]: raw };
582
- }
583
- };
584
- if (q && searchKey && schema.attributes?.[searchKey]) {
585
- const p = buildPredicateForField(searchKey, schema.attributes[searchKey], q);
586
- if (p)
587
- ors.push(p);
588
- }
589
- if (q && searchKeysCSV) {
590
- const keys = splitCSV(searchKeysCSV);
591
- const preds = keys
592
- .filter((k) => !!schema.attributes?.[k])
593
- .map((k) => buildPredicateForField(k, schema.attributes[k], q))
594
- .filter(Boolean);
595
- if (preds.length) {
596
- if (searchMode === 'and')
597
- ands.push(...preds);
598
- else
599
- ors.push(...preds);
600
- }
601
- }
602
- if (ands.length && ors.length)
603
- filter.$and = [...ands, { $or: ors }];
604
- else if (ands.length)
605
- filter.$and = [...(filter.$and || []), ...ands];
606
- else if (ors.length)
607
- filter.$or = [...(filter.$or || []), ...ors];
608
- // ---- DATE RANGE (unchanged) ----
609
- if (dateFromStr || dateToStr) {
610
- if (!schema.attributes?.[dateKey]) {
611
- if (schema.attributes?.createdAt)
612
- dateKey = 'createdAt';
613
- else if (schema.attributes?.updatedAt)
614
- dateKey = 'updatedAt';
615
- }
616
- if (dateKey && schema.attributes?.[dateKey]) {
617
- const range = {};
618
- if (dateFromStr) {
619
- const d = new Date(dateFromStr);
620
- if (!Number.isNaN(+d))
621
- range.$gte = d;
622
- }
623
- if (dateToStr) {
624
- const d = new Date(dateToStr);
625
- if (!Number.isNaN(+d))
626
- range.$lte = d;
627
- }
628
- if (Object.keys(range).length)
629
- filter[dateKey] = range;
630
- }
631
- }
632
- const ctx = ctxFromReq(req);
633
- const schemaPolicy = {
634
- allowedMethods: schema.allowedMethods,
635
- access: schema.access,
636
- };
637
- const rdec = (0, authorize_1.authorize)(modelNameLC, 'read', schemaPolicy, ctx);
638
- if (!rdec.allow)
639
- return res.status(403).json({ error: true, message: 'forbidden' });
640
- const finalFilter = (0, authorize_1.andFilter)(filter, rdec.queryFilter || {});
641
- const isUsersModel = modelNameLC === 'user' ||
642
- modelNameLC === 'users' ||
643
- (schema?.modelName ?? '').toLowerCase() === 'users';
644
- const currentUserId = req?.user?.id;
645
- // ---- NEW: compute sort spec
646
- const sort = buildSortSpec();
647
- // count
648
- const totalRows = await model.count(finalFilter);
649
- // try DB-level sort (preferred). Fallback to in-memory if adapter lacks sort support.
650
- let rawRows = [];
651
- // Ensure we can hydrate: baseId is private, so read with private when extended
652
- const needPrivateForHydrate = !!schema.extends;
653
- const exposePrivateForRead = needPrivateForHydrate || !!rdec.exposePrivate;
654
- try {
655
- rawRows = await model.read(finalFilter, limit + 1, page * limit, exposePrivateForRead, { sort });
656
- }
657
- catch {
658
- rawRows = await model.read(finalFilter, limit + 1, page * limit, exposePrivateForRead);
659
- if (sort && Object.keys(sort).length) {
660
- const orderKeys = Object.keys(sort);
661
- rawRows.sort((a, b) => {
662
- for (const k of orderKeys) {
663
- const dir = sort[k];
664
- const av = a?.[k];
665
- const bv = b?.[k];
666
- const ax = av instanceof Date ? +av : (av?.toString?.() ?? av);
667
- const bx = bv instanceof Date ? +bv : (bv?.toString?.() ?? bv);
668
- if (ax == null && bx == null)
669
- continue;
670
- if (ax == null)
671
- return 1 * dir;
672
- if (bx == null)
673
- return -1 * dir;
674
- if (ax > bx)
675
- return 1 * dir;
676
- if (ax < bx)
677
- return -1 * dir;
678
- }
679
- return 0;
680
- });
681
- }
682
- }
683
- let rows = currentUserId && isUsersModel
684
- ? rawRows
685
- .filter((r) => String(r?.id) !== String(currentUserId))
686
- .slice(0, limit)
687
- : rawRows.slice(0, limit);
688
- // If extended, hydrate with base data using baseId
689
- if (schema.extends) {
690
- const baseName = String(schema.extends);
691
- const baseLC = baseName.toLowerCase();
692
- const baseModel = this.getModel(baseLC);
693
- const hydrated = [];
694
- for (const row of rows) {
695
- const baseId = row?.baseId;
696
- if (baseId) {
697
- const [baseDoc] = await baseModel.read({ id: baseId }, 1, 0, !!rdec.exposePrivate);
698
- if (baseDoc) {
699
- const merged = { ...baseDoc, ...row };
700
- delete merged.baseId;
701
- hydrated.push(merged);
702
- continue;
703
- }
704
- }
705
- const fallback = { ...row };
706
- delete fallback.baseId;
707
- hydrated.push(fallback);
708
- }
709
- rows = hydrated;
710
- }
711
- const data = rdec.exposePrivate
712
- ? (0, authorize_1.applyReadMaskMany)(rows, rdec.sensitiveMask)
713
- : (0, authorize_1.applyReadMaskMany)(rows, rdec.readMask);
714
- return res.status(200).json({
715
- success: true,
716
- message: `Data fetched for ${schema.modelName}`,
717
- data,
718
- pagination: { totalRows, page, limit },
719
- sort, // optional echo
720
- });
721
- }
722
- catch (error) {
723
- if (error?.code === 'MODEL_REMOVED') {
724
- return res.status(410).json({ error: true, message: error.message });
725
- }
726
- return res.status(400).json({ error: true, message: error.message });
727
- }
728
- });
729
- // -------------- READ (by id) --------------
730
- this.router.get(`${basePath}/:id`, mwRead, async (req, res) => {
731
- try {
732
- const schema = this.getSchema(modelNameLC);
733
- if (!schema.allowedMethods.read) {
734
- return res
735
- .status(405)
736
- .json({ error: true, message: 'Method not allowed' });
737
- }
738
- const model = this.getModel(modelNameLC);
739
- const ctx = ctxFromReq(req);
740
- const schemaPolicy = {
741
- allowedMethods: schema.allowedMethods,
742
- access: schema.access,
743
- };
744
- const decForInclude = (0, authorize_1.authorize)(modelNameLC, 'read', schemaPolicy, ctx);
745
- // Ensure we can hydrate: baseId is private, so read with private when extended
746
- const needPrivateForHydrate2 = !!schema.extends;
747
- const exposePrivateForRead2 = needPrivateForHydrate2 || !!decForInclude.exposePrivate;
748
- const recordArr = await model.read({ id: req.params.id }, 1, 0, exposePrivateForRead2);
749
- const doc = recordArr?.[0];
750
- if (!doc) {
751
- return res
752
- .status(404)
753
- .json({ error: true, message: `${schema.modelName} not found` });
754
- }
755
- const dec = (0, authorize_1.authorize)(modelNameLC, 'read', schemaPolicy, ctx, doc);
756
- if (!dec.allow)
757
- return res.status(403).json({ error: true, message: 'forbidden' });
758
- let toReturn = doc;
759
- if (schema.extends) {
760
- const baseName = String(schema.extends);
761
- const baseLC = baseName.toLowerCase();
762
- const baseModel = this.getModel(baseLC);
763
- const baseId = doc?.baseId;
764
- if (baseId) {
765
- const [baseDoc] = await baseModel.read({ id: baseId }, 1, 0, !!dec.exposePrivate);
766
- if (baseDoc) {
767
- toReturn = { ...baseDoc, ...doc };
768
- delete toReturn.baseId;
769
- }
770
- }
771
- }
772
- const data = dec.exposePrivate
773
- ? (0, authorize_1.applyReadMaskOne)(toReturn, dec.sensitiveMask)
774
- : (0, authorize_1.applyReadMaskOne)(toReturn, dec.readMask);
775
- return res.status(200).json({
776
- success: true,
777
- message: `${schema.modelName} found`,
778
- data,
779
- });
780
- }
781
- catch (error) {
782
- if (error?.code === 'MODEL_REMOVED')
783
- return res
784
- .status(410)
785
- .json({ error: true, message: error.message });
786
- Logger_1.default.error('error', error.message);
787
- res.status(400).json({ error: true, message: error.message });
788
- }
789
- });
790
- // -------------- UPDATE --------------
791
- this.router.put(`${basePath}/:id`, mwUpdate, async (req, res) => {
792
- try {
793
- const schema = this.getSchema(modelNameLC);
794
- if (!schema.allowedMethods.update) {
795
- return res
796
- .status(405)
797
- .json({ error: true, message: 'Method not allowed' });
798
- }
799
- const model = this.getModel(modelNameLC);
800
- const beforeArr = await model.read({ id: req.params.id }, 1, 0, true);
801
- const before = beforeArr?.[0];
802
- const ctx = ctxFromReq(req);
803
- const schemaPolicy = {
804
- allowedMethods: schema.allowedMethods,
805
- access: schema.access,
806
- };
807
- const udec = (0, authorize_1.authorize)(modelNameLC, 'update', schemaPolicy, ctx, before);
808
- if (!udec.allow) {
809
- return res.status(403).json({ error: true, message: 'forbidden' });
810
- }
811
- let upd = { ...req.body };
812
- (0, authorize_1.enforceRestrictions)(upd, udec.restrictions, ctx);
813
- if (!udec.exposePrivate) {
814
- upd = (0, authorize_1.stripWriteDeny)(upd, udec.writeDeny);
815
- }
816
- // ✅ NEW: DB-agnostic coercion (time/date/range → canonical strings)
817
- upd = (0, fieldCodecs_1.coerceForStorage)(schema, upd);
818
- // Users: handle password if (and only if) provided
819
- if (modelNameLC === 'users' &&
820
- Object.prototype.hasOwnProperty.call(upd, 'password')) {
821
- if (!upd.password) {
822
- delete upd.password; // ignore empty → do not overwrite
823
- }
824
- else if (this.jwtSecret) {
825
- const salt = await bcrypt_1.default.genSalt(10);
826
- upd.password = await bcrypt_1.default.hash(String(upd.password) + this.jwtSecret, salt);
827
- }
828
- }
829
- // UPDATE: validate only fields present in payload (now in canonical shape)
830
- const missing = this.validateRequiredFields(schema, upd, 'update');
831
- if (missing.length) {
832
- return res.status(400).json({
833
- error: true,
834
- message: `Missing required fields: ${missing.join(', ')}`,
835
- });
836
- }
837
- // Extended schema update handling
838
- if (schema.extends) {
839
- const baseName = String(schema.extends);
840
- const baseLC = baseName.toLowerCase();
841
- const baseSchema = this.getSchema(baseLC);
842
- const baseModel = this.getModel(baseLC);
843
- const baseId = before?.baseId;
844
- if (!baseId) {
845
- return res.status(400).json({ error: true, message: 'Invalid extended record: missing baseId' });
846
- }
847
- // Partition update
848
- const baseUpd = {};
849
- const childUpd = {};
850
- for (const [k, v] of Object.entries(upd)) {
851
- if (k === 'baseId')
852
- continue; // never allow changing link
853
- if (baseSchema.attributes[k])
854
- baseUpd[k] = v;
855
- else
856
- childUpd[k] = v;
857
- }
858
- // Unique checks per collection
859
- const baseConflicts = await this.checkUniqueFields(baseSchema, baseUpd, String(baseId));
860
- if (baseConflicts && baseConflicts.length > 0) {
861
- return res.status(400).json({
862
- error: true,
863
- message: 'There are some error while updating record.',
864
- fields: baseConflicts.map((field) => ({
865
- field,
866
- error: true,
867
- message: `You cannot use this ${field}. It's already been used.`,
868
- })),
869
- });
870
- }
871
- const childConflicts = await this.checkUniqueFields(schema, childUpd, req.params.id);
872
- if (childConflicts && childConflicts.length > 0) {
873
- return res.status(400).json({
874
- error: true,
875
- message: 'There are some error while updating record.',
876
- fields: childConflicts.map((field) => ({
877
- field,
878
- error: true,
879
- message: `You cannot use this ${field}. It's already been used.`,
880
- })),
881
- });
882
- }
883
- // Hash password if base is Users and provided
884
- if (baseLC === 'users' &&
885
- Object.prototype.hasOwnProperty.call(baseUpd, 'password')) {
886
- if (!baseUpd.password) {
887
- delete baseUpd.password;
888
- }
889
- else if (this.jwtSecret) {
890
- const salt = await bcrypt_1.default.genSalt(10);
891
- baseUpd.password = await bcrypt_1.default.hash(String(baseUpd.password) + this.jwtSecret, salt);
892
- }
893
- }
894
- // Perform updates
895
- let updatedChild = before;
896
- if (Object.keys(childUpd).length) {
897
- updatedChild = await model.update(req.params.id, childUpd);
898
- }
899
- if (Object.keys(baseUpd).length) {
900
- await baseModel.update(String(baseId), baseUpd);
901
- }
902
- // Re-read and merge
903
- const [refChild] = await model.read({ id: updatedChild.id }, 1, 0, true);
904
- const [refBase] = await baseModel.read({ id: String(baseId) }, 1, 0, true);
905
- let responseDoc = refChild && refBase ? { ...refBase, ...refChild } : updatedChild;
906
- if (responseDoc)
907
- delete responseDoc.baseId;
908
- const masked = udec.exposePrivate
909
- ? (0, authorize_1.applyReadMaskOne)(responseDoc, udec.sensitiveMask)
910
- : (0, authorize_1.applyReadMaskOne)(responseDoc, udec.readMask);
911
- return res.json(masked);
912
- }
913
- // Default (non-extended)
914
- const conflicts = await this.checkUniqueFields(schema, upd, req.params.id);
915
- if (conflicts && conflicts.length > 0) {
916
- return res.status(400).json({
917
- error: true,
918
- message: 'There are some error while updating record.',
919
- fields: conflicts.map((field) => ({
920
- field,
921
- error: true,
922
- message: `You cannot use this ${field}. It's already been used.`,
923
- })),
924
- });
925
- }
926
- const updatedRecord = await model.update(req.params.id, upd);
927
- let responseDoc = updatedRecord;
928
- if (udec.exposePrivate && updatedRecord?.id) {
929
- const refetched = await model.read({ id: updatedRecord.id }, 1, 0, true);
930
- if (refetched?.[0])
931
- responseDoc = refetched[0];
932
- }
933
- const masked = udec.exposePrivate
934
- ? (0, authorize_1.applyReadMaskOne)(responseDoc, udec.sensitiveMask)
935
- : (0, authorize_1.applyReadMaskOne)(responseDoc, udec.readMask);
936
- return res.json(masked);
937
- }
938
- catch (error) {
939
- if (error?.code === 'MODEL_REMOVED') {
940
- return res
941
- .status(410)
942
- .json({ error: true, message: error.message });
943
- }
944
- this.handleWriteError(error, res);
945
- }
946
- });
947
- // -------------- DELETE --------------
948
- this.router.delete(`${basePath}/:id`, mwDelete, async (req, res) => {
949
- try {
950
- const schema = this.getSchema(modelNameLC);
951
- if (!schema.allowedMethods.delete) {
952
- return res
953
- .status(405)
954
- .json({ error: true, message: 'Method not allowed' });
955
- }
956
- const model = this.getModel(modelNameLC);
957
- const docArr = await model.read({ id: req.params.id }, 1, 0, true);
958
- const doc = docArr?.[0];
959
- const ctx = ctxFromReq(req);
960
- const schemaPolicy = {
961
- allowedMethods: schema.allowedMethods,
962
- access: schema.access,
963
- };
964
- const ddec = (0, authorize_1.authorize)(modelNameLC, 'delete', schemaPolicy, ctx, doc);
965
- if (!ddec.allow)
966
- return res.status(403).json({ error: true, message: 'forbidden' });
967
- // Extended delete: remove child then base
968
- if (schema.extends) {
969
- const baseName = String(schema.extends);
970
- const baseLC = baseName.toLowerCase();
971
- const baseModel = this.getModel(baseLC);
972
- const baseId = doc?.baseId;
973
- const deletedChild = await model.delete(req.params.id);
974
- if (baseId) {
975
- try {
976
- await baseModel.delete(String(baseId));
977
- }
978
- catch (e) {
979
- // ignore if already missing
980
- }
981
- }
982
- const merged = baseId
983
- ? (() => {
984
- // Try to include base snapshot for response if available
985
- return { ...deletedChild, baseId: undefined };
986
- })()
987
- : deletedChild;
988
- const masked = ddec.exposePrivate
989
- ? (0, authorize_1.applyReadMaskOne)(merged, ddec.sensitiveMask)
990
- : (0, authorize_1.applyReadMaskOne)(merged, ddec.readMask);
991
- return res.json({
992
- success: true,
993
- message: `We have deleted the record successfully.`,
994
- data: masked,
995
- });
996
- }
997
- const deletedRecord = await model.delete(req.params.id);
998
- if (!deletedRecord) {
999
- return res
1000
- .status(404)
1001
- .json({ error: true, message: `${schema.modelName} not found` });
1002
- }
1003
- const masked = ddec.exposePrivate
1004
- ? (0, authorize_1.applyReadMaskOne)(deletedRecord, ddec.sensitiveMask)
1005
- : (0, authorize_1.applyReadMaskOne)(deletedRecord, ddec.readMask);
1006
- return res.json({
1007
- success: true,
1008
- message: `We have deleted the record successfully.`,
1009
- data: masked,
1010
- });
1011
- }
1012
- catch (error) {
1013
- if (error?.code === 'MODEL_REMOVED')
1014
- return res
1015
- .status(410)
1016
- .json({ error: true, message: error.message });
1017
- res.status(400).json({ error: true, message: error.message });
1018
- }
1019
- });
1020
- }
1021
330
  mountFindRoutes() {
1022
331
  if (this.findRoutesMounted)
1023
332
  return;
1024
333
  this.findRoutesMounted = true;
1025
- // ---------- helpers ----------
1026
- const parseSort = (expr) => {
1027
- if (!expr)
1028
- return;
1029
- const out = {};
1030
- for (const raw of expr
1031
- .split(',')
1032
- .map((s) => s.trim())
1033
- .filter(Boolean)) {
1034
- if (raw.startsWith('-'))
1035
- out[raw.slice(1)] = -1;
1036
- else if (raw.startsWith('+'))
1037
- out[raw.slice(1)] = 1;
1038
- else
1039
- out[raw] = 1;
1040
- }
1041
- return Object.keys(out).length ? out : undefined;
1042
- };
1043
- const parseQuery = (req) => {
1044
- const limit = Math.min(parseInt(String(req.query.limit ?? '12'), 10) || 12, 100);
1045
- const page = Math.max(parseInt(String(req.query.page ?? '1'), 10) || 1, 1);
1046
- const skip = (page - 1) * limit;
1047
- const fields = String(req.query.fields ?? '')
1048
- .split(',')
1049
- .map((s) => s.trim())
1050
- .filter(Boolean);
1051
- const projection = fields.length
1052
- ? Object.fromEntries(fields.map((f) => [f, 1]))
1053
- : undefined;
1054
- const sort = parseSort(String(req.query.sort ?? '-createdAt'));
1055
- return { limit, page, skip, projection, sort };
1056
- };
1057
- // normalize possible values into an array of string ids
1058
- const extractIds = (val) => {
1059
- if (val == null)
1060
- return [];
1061
- const arr = Array.isArray(val) ? val : [val];
1062
- const toId = (v) => {
1063
- if (!v)
1064
- return null;
1065
- if (typeof v === 'string')
1066
- return v; // "6523..."
1067
- if (typeof v === 'number')
1068
- return String(v);
1069
- if (typeof v === 'object') {
1070
- if (typeof v.id === 'string')
1071
- return v.id; // populated doc.id
1072
- if (v._id && typeof v._id === 'string')
1073
- return v._id;
1074
- if (v._id && typeof v._id.toString === 'function')
1075
- return v._id.toString();
1076
- }
1077
- return null;
1078
- };
1079
- return arr.map(toId).filter((s) => !!s);
1080
- };
1081
- // minimal ctx (same logic as setupRoutes)
1082
- const ctxFromReq = (req) => {
1083
- const raw = req.user?.role;
1084
- let roleStr = null;
1085
- if (typeof raw === 'string')
1086
- roleStr = raw;
1087
- else if (Array.isArray(raw)) {
1088
- const first = raw[0];
1089
- if (typeof first === 'string')
1090
- roleStr = first;
1091
- else if (first &&
1092
- typeof first === 'object' &&
1093
- typeof first.name === 'string') {
1094
- roleStr = first.name;
1095
- }
1096
- }
1097
- else if (raw &&
1098
- typeof raw === 'object' &&
1099
- typeof raw.name === 'string') {
1100
- roleStr = raw.name;
1101
- }
1102
- roleStr = roleStr ? roleStr.toLowerCase() : null;
1103
- return {
1104
- isAuthenticated: !!req.user,
1105
- role: roleStr,
1106
- userId: req.user?.id ?? req.user?._id ?? null,
1107
- isSuperadmin: roleStr === 'superadmin',
1108
- apiKeyOk: true,
1109
- };
1110
- };
1111
- // detect { type: "ObjectId"/"ref" } or array of { type: "ObjectId", ref }
1112
- const refInfoFromAttr = (attr) => {
1113
- if (!attr)
1114
- return null;
1115
- // array style from your JSON schema
1116
- if (Array.isArray(attr) && attr[0] && attr[0].ref) {
1117
- return { ref: String(attr[0].ref), isArray: true };
1118
- }
1119
- const a = Array.isArray(attr) ? attr?.[0] : attr;
1120
- const t = (typeof a?.type === 'string' ? a.type : String(a?.type || '')).toLowerCase();
1121
- if (a?.ref && (t === 'objectid' || t === 'ref')) {
1122
- return { ref: String(a.ref), isArray: false };
1123
- }
1124
- return null;
1125
- };
1126
- // try adapter.findOne with projection to avoid autopopulate; fallback to model.read
1127
- const safeGetContainerRefIDs = async (containerModelLC, id, refField) => {
1128
- const containerSchema = this.getSchema(containerModelLC);
1129
- const adapterAny = this.dbAdapter;
1130
- if (typeof adapterAny.findOne === 'function') {
1131
- try {
1132
- // adapter should map id → db PK correctly (e.g., _id for Mongo)
1133
- const raw = await adapterAny.findOne(containerSchema.modelName, { id }, { projection: { [refField]: 1 } });
1134
- return extractIds(raw?.[refField]);
1135
- }
1136
- catch {
1137
- // fall through
1138
- }
1139
- }
1140
- // fallback: BaseModel.read (may autopopulate, so we still normalize)
1141
- const containerDoc = (await this.getModel(containerModelLC).read({ id }, 1, 0, true))?.[0];
1142
- return extractIds(containerDoc?.[refField]);
1143
- };
1144
- // ---------- FORWARD ----------
1145
- // /find/:container/:refField/:id
1146
- this.router.get('/find/:container/:refField/:id', this.optionalAuthMiddleware, async (req, res) => {
1147
- try {
1148
- const containerLC = String(req.params.container || '').toLowerCase();
1149
- const refField = String(req.params.refField || '');
1150
- const id = String(req.params.id || '');
1151
- const schema = this.getSchema(containerLC); // ensure container exists
1152
- const attr = schema.attributes?.[refField];
1153
- const rinfo = refInfoFromAttr(attr);
1154
- if (!rinfo) {
1155
- return res.status(400).json({
1156
- error: true,
1157
- message: 'refField is not a reference field',
1158
- });
1159
- }
1160
- const { limit, page, skip, projection, sort } = parseQuery(req);
1161
- // policy on container read
1162
- const ctx = ctxFromReq(req);
1163
- const cPolicy = {
1164
- allowedMethods: schema.allowedMethods,
1165
- access: schema.access,
1166
- };
1167
- const cDec = (0, authorize_1.authorize)(containerLC, 'read', cPolicy, ctx);
1168
- if (!cDec.allow)
1169
- return res.status(403).json({ error: true, message: 'forbidden' });
1170
- // get raw ids safely (no autopopulate dependency)
1171
- const ids = await safeGetContainerRefIDs(containerLC, id, refField);
1172
- const targetLC = String(rinfo.ref || '').toLowerCase();
1173
- const targetSchema = this.getSchema(targetLC);
1174
- const tPolicy = {
1175
- allowedMethods: targetSchema.allowedMethods,
1176
- access: targetSchema.access,
1177
- };
1178
- const tDec = (0, authorize_1.authorize)(targetLC, 'read', tPolicy, ctx);
1179
- if (!tDec.allow)
1180
- return res.status(403).json({ error: true, message: 'forbidden' });
1181
- if (ids.length === 0) {
1182
- return res.status(200).json({
1183
- success: true,
1184
- message: `Data fetched for ${targetSchema.modelName}`,
1185
- data: [],
1186
- pagination: { totalRows: 0, page, limit },
1187
- });
1188
- }
1189
- const adapterAny = this.dbAdapter;
1190
- let items = [];
1191
- if (typeof adapterAny.findMany === 'function') {
1192
- items = await adapterAny.findMany(targetSchema.modelName, { id: { $in: ids } }, // DB-agnostic: adapter maps id → PK
1193
- { sort, skip, limit, projection });
1194
- }
1195
- else {
1196
- // fallback (BaseModel.read); note: no projection/sort
1197
- items = await this.getModel(targetLC).read({ id: { $in: ids } }, limit, skip, !!tDec.exposePrivate);
1198
- }
1199
- // If extended, hydrate with base data using baseId before masking
1200
- if (targetSchema.extends && Array.isArray(items) && items.length) {
1201
- const baseName = String(targetSchema.extends);
1202
- const baseLC = baseName.toLowerCase();
1203
- const baseModel = this.getModel(baseLC);
1204
- const baseIds = Array.from(new Set(items.map((it) => it?.baseId).filter(Boolean)));
1205
- if (baseIds.length) {
1206
- const baseDocs = await baseModel.read({ id: { $in: baseIds } }, baseIds.length, 0, !!tDec.exposePrivate);
1207
- const baseMap = new Map(baseDocs.map((b) => [String(b?.id ?? b?._id), b]));
1208
- items = items.map((it) => {
1209
- const bid = String(it?.baseId || '');
1210
- const b = bid ? baseMap.get(bid) : null;
1211
- const merged = b ? { ...b, ...it } : { ...it };
1212
- delete merged.baseId;
1213
- return merged;
1214
- });
1215
- }
1216
- else {
1217
- items = items.map((it) => {
1218
- const copy = { ...it };
1219
- delete copy.baseId;
1220
- return copy;
1221
- });
1222
- }
1223
- }
1224
- const masked = tDec.exposePrivate
1225
- ? (0, authorize_1.applyReadMaskMany)(items, tDec.sensitiveMask)
1226
- : (0, authorize_1.applyReadMaskMany)(items, tDec.readMask);
1227
- const totalRows = ids.length;
1228
- return res.status(200).json({
1229
- success: true,
1230
- message: `Data fetched for ${targetSchema.modelName}`,
1231
- data: masked,
1232
- pagination: { totalRows, page, limit },
1233
- });
1234
- }
1235
- catch (err) {
1236
- if (err?.code === 'MODEL_REMOVED') {
1237
- return res.status(410).json({ error: true, message: err.message });
1238
- }
1239
- return res
1240
- .status(400)
1241
- .json({ error: true, message: err?.message || 'Error' });
1242
- }
1243
- });
1244
- // ---------- REVERSE ----------
1245
- // /find/reverse/:target/:byField/:id
1246
- this.router.get('/find/reverse/:target/:byField/:id', this.optionalAuthMiddleware, async (req, res) => {
1247
- try {
1248
- const targetLC = String(req.params.target || '').toLowerCase();
1249
- const byField = String(req.params.byField || '');
1250
- const id = String(req.params.id || '');
1251
- const targetSchema = this.getSchema(targetLC);
1252
- const attr = targetSchema.attributes?.[byField];
1253
- const rinfo = refInfoFromAttr(attr);
1254
- if (!rinfo) {
1255
- return res.status(400).json({
1256
- error: true,
1257
- message: 'byField is not a reference field',
1258
- });
1259
- }
1260
- const { limit, page, skip, projection, sort } = parseQuery(req);
1261
- // policy on target read
1262
- const ctx = ctxFromReq(req);
1263
- const tPolicy = {
1264
- allowedMethods: targetSchema.allowedMethods,
1265
- access: targetSchema.access,
1266
- };
1267
- const tDec = (0, authorize_1.authorize)(targetLC, 'read', tPolicy, ctx);
1268
- if (!tDec.allow)
1269
- return res.status(403).json({ error: true, message: 'forbidden' });
1270
- // reverse filter (DB-agnostic; adapter maps appropriately)
1271
- const filter = rinfo.isArray
1272
- ? { [byField]: { $in: [id] } }
1273
- : { [byField]: id };
1274
- const adapterAny = this.dbAdapter;
1275
- let items = [];
1276
- let totalRows = 0;
1277
- if (typeof adapterAny.findMany === 'function') {
1278
- items = await adapterAny.findMany(targetSchema.modelName, filter, {
1279
- sort,
1280
- skip,
1281
- limit,
1282
- projection,
1283
- });
1284
- if (typeof adapterAny.count === 'function') {
1285
- totalRows = await adapterAny.count(targetSchema.modelName, filter);
1286
- }
1287
- else {
1288
- // fallback count
1289
- const all = await this.getModel(targetLC).read(filter, 0, 0, !!tDec.exposePrivate);
1290
- totalRows = all.length;
1291
- }
1292
- }
1293
- else {
1294
- // fallback (BaseModel.read); note: no projection/sort
1295
- const all = await this.getModel(targetLC).read(filter, 0, 0, !!tDec.exposePrivate);
1296
- totalRows = all.length;
1297
- items = all.slice(skip, skip + limit);
1298
- }
1299
- // If extended, hydrate with base data using baseId before masking
1300
- if (targetSchema.extends && Array.isArray(items) && items.length) {
1301
- const baseName = String(targetSchema.extends);
1302
- const baseLC = baseName.toLowerCase();
1303
- const baseModel = this.getModel(baseLC);
1304
- const baseIds = Array.from(new Set(items.map((it) => it?.baseId).filter(Boolean)));
1305
- if (baseIds.length) {
1306
- const baseDocs = await baseModel.read({ id: { $in: baseIds } }, baseIds.length, 0, !!tDec.exposePrivate);
1307
- const baseMap = new Map(baseDocs.map((b) => [String(b?.id ?? b?._id), b]));
1308
- items = items.map((it) => {
1309
- const bid = String(it?.baseId || '');
1310
- const b = bid ? baseMap.get(bid) : null;
1311
- const merged = b ? { ...b, ...it } : { ...it };
1312
- delete merged.baseId;
1313
- return merged;
1314
- });
1315
- }
1316
- else {
1317
- items = items.map((it) => {
1318
- const copy = { ...it };
1319
- delete copy.baseId;
1320
- return copy;
1321
- });
1322
- }
1323
- }
1324
- const masked = tDec.exposePrivate
1325
- ? (0, authorize_1.applyReadMaskMany)(items, tDec.sensitiveMask)
1326
- : (0, authorize_1.applyReadMaskMany)(items, tDec.readMask);
1327
- return res.status(200).json({
1328
- success: true,
1329
- message: `Data fetched for ${targetSchema.modelName}`,
1330
- data: masked,
1331
- pagination: { totalRows, page, limit },
1332
- });
1333
- }
1334
- catch (err) {
1335
- if (err?.code === 'MODEL_REMOVED') {
1336
- return res.status(410).json({ error: true, message: err.message });
1337
- }
1338
- return res
1339
- .status(400)
1340
- .json({ error: true, message: err?.message || 'Error' });
1341
- }
1342
- });
1343
- // keep 404 as last if needed
334
+ (0, mountFindRoutes_1.mountFindRoutes)(this.createCtx());
1344
335
  this.ensureNotFoundLast();
1345
336
  }
1346
- /** Mount generic file endpoints under this router */
1347
- setupFileRoutes() {
1348
- if (!this.fileStorage)
337
+ mountFileRoutes() {
338
+ if (this.fileRoutesMounted)
1349
339
  return;
1350
- const upload = (0, multer_1.default)({
1351
- storage: multer_1.default.memoryStorage(),
1352
- limits: { fileSize: 50 * 1024 * 1024, files: 20 }, // 50MB
1353
- });
1354
- // POST /files
1355
- this.router.post('/files', this.fileAuthMiddleware, upload.any(), async (req, res) => {
1356
- try {
1357
- const files = req.files ?? [];
1358
- if (!files.length) {
1359
- return res
1360
- .status(400)
1361
- .json({ error: true, message: 'No files uploaded' });
1362
- }
1363
- const results = await Promise.all(files.map(async (f) => {
1364
- const folder = this.shortFolder(); // uploads/YYYY/MM/DD
1365
- const ext = (f.originalname.match(/\.([A-Za-z0-9]{1,8})$/)?.[1] ??
1366
- (0, filename_1.extFromMime)(f.mimetype) ??
1367
- 'bin').toLowerCase();
1368
- const key = `${folder}/${this.shortUid()}.${ext}`;
1369
- const out = await this.fileStorage.upload({
1370
- key,
1371
- body: f.buffer,
1372
- contentType: f.mimetype,
1373
- metadata: { originalName: f.originalname || '' },
1374
- });
1375
- return {
1376
- provider: out.provider,
1377
- bucket: out.bucket,
1378
- key: out.key,
1379
- url: out.url,
1380
- etag: out.etag,
1381
- contentType: out.contentType,
1382
- size: out.size,
1383
- metadata: out.metadata,
1384
- originalName: f.originalname,
1385
- };
1386
- }));
1387
- return res.json({
1388
- success: true,
1389
- message: 'Files uploaded successfully',
1390
- data: results,
1391
- });
1392
- }
1393
- catch (err) {
1394
- return res
1395
- .status(400)
1396
- .json({ error: true, message: err?.message ?? 'Upload failed' });
1397
- }
1398
- });
1399
- // DELETE /files/:key(*)
1400
- this.router.delete('/files/:key(*)', this.fileAuthMiddleware, async (req, res) => {
1401
- try {
1402
- const key = String(req.params.key || '');
1403
- if (!key) {
1404
- return res
1405
- .status(400)
1406
- .json({ error: true, message: 'Key is required' });
1407
- }
1408
- const { deleted } = await this.fileStorage.delete(key);
1409
- return res.json({
1410
- success: true,
1411
- message: deleted ? 'File deleted' : 'Delete attempted',
1412
- key,
1413
- deleted,
1414
- });
1415
- }
1416
- catch (err) {
1417
- return res
1418
- .status(400)
1419
- .json({ error: true, message: err?.message ?? 'Delete failed' });
1420
- }
1421
- });
1422
- }
1423
- /** uploads/YYYY/MM/DD */
1424
- shortFolder() {
1425
- const d = new Date();
1426
- const y = d.getFullYear();
1427
- const m = String(d.getMonth() + 1).padStart(2, '0');
1428
- const day = String(d.getDate()).padStart(2, '0');
1429
- return `uploads/${y}/${m}/${day}`;
1430
- }
1431
- /** small, URL-safe uid */
1432
- shortUid() {
1433
- return (Date.now().toString(36) + Math.random().toString(36).slice(2, 6)).toLowerCase();
340
+ if (this.fileStorage) {
341
+ (0, setupFileRoutes_1.setupFileRoutes)(this.createCtx());
342
+ this.fileRoutesMounted = true;
343
+ this.ensureNotFoundLast();
344
+ }
1434
345
  }
1435
- normalizeAttrType(attr) {
1436
- const a = Array.isArray(attr) ? attr?.[0] : attr;
1437
- let t = a?.type ?? a;
1438
- if (typeof t === 'function' && t.name)
1439
- t = t.name;
1440
- if (t && typeof t === 'object' && 'name' in t)
1441
- t = t.name;
1442
- if (typeof t === 'string')
1443
- t = t.toLowerCase();
1444
- if (t === 'bool')
1445
- t = 'boolean';
1446
- if (t === 'objectid' || t === 'oid' || t === 'ref')
1447
- t = 'objectid';
1448
- return String(t || '');
346
+ // ---------- Context builder for modules ----------
347
+ createCtx() {
348
+ return {
349
+ router: this.router,
350
+ dbAdapter: this.dbAdapter,
351
+ schemaLoader: this.schemaLoader,
352
+ liveSchemas: this.liveSchemas,
353
+ models: this.models,
354
+ jwtSecret: this.jwtSecret,
355
+ trustedApiKey: this.trustedApiKey,
356
+ fileStorage: this.fileStorage,
357
+ getSchema: this.getSchema,
358
+ getModel: this.getModel,
359
+ apiKeyMiddleware: this.apiKeyMiddleware,
360
+ optionalAuthMiddleware: this.optionalAuthMiddleware,
361
+ authenticateMiddleware: this.authenticateMiddleware,
362
+ pickAuthFor: this.pickAuthFor,
363
+ validateRequiredFields: this.validateRequiredFields,
364
+ handleWriteError: this.handleWriteError.bind(this),
365
+ checkUniqueFields: this.checkUniqueFields.bind(this),
366
+ normalizeRoleName: this.normalizeRoleName.bind(this),
367
+ };
1449
368
  }
1450
369
  pickAuthFor(action, modelNameLC) {
1451
370
  try {
@@ -1474,308 +393,6 @@ class APIRouter {
1474
393
  ? r.name
1475
394
  : null;
1476
395
  }
1477
- setupAuthRoutes() {
1478
- const basePath = '/auth/users';
1479
- // ---- REGISTER ----
1480
- this.router.post(`${basePath}/register`, this.apiKeyMiddleware, async (req, res) => {
1481
- try {
1482
- let { email, username, password, ...rest } = req.body;
1483
- // Basic password policy (keep minimal, align with change-password)
1484
- if (String(password).length < 8) {
1485
- return res.status(400).json({
1486
- error: true,
1487
- message: 'Password must be at least 8 characters long',
1488
- });
1489
- }
1490
- const userModel = this.getModel('users');
1491
- const usersSchema = this.getSchema('users');
1492
- // Normalize unique identifiers
1493
- if (email)
1494
- email = String(email).trim().toLowerCase();
1495
- if (username)
1496
- username = String(username).trim();
1497
- // Prevent client from sending password in plain; we will hash below
1498
- const data = { ...rest };
1499
- if (email)
1500
- data.email = email;
1501
- if (username)
1502
- data.username = username;
1503
- // Provide a sensible default status so login works immediately
1504
- if (data.status == null)
1505
- data.status = 'active';
1506
- // Validate required fields against schema (create mode)
1507
- if (usersSchema) {
1508
- const missing = this.validateRequiredFields(usersSchema, {
1509
- ...data,
1510
- password,
1511
- });
1512
- if (missing.length > 0) {
1513
- return res.status(400).json({
1514
- error: true,
1515
- message: `Missing required field(s): ${missing.join(', ')}`,
1516
- });
1517
- }
1518
- // Check unique constraints before writing
1519
- const conflicts = await this.checkUniqueFields(usersSchema, data);
1520
- if (conflicts && conflicts.length) {
1521
- return res.status(400).json({
1522
- error: true,
1523
- message: `Duplicate value for field(s): ${conflicts.join(', ')}`,
1524
- });
1525
- }
1526
- }
1527
- // Hash password
1528
- const salt = await bcrypt_1.default.genSalt(10);
1529
- const hashed = await bcrypt_1.default.hash(String(password) + this.jwtSecret, salt);
1530
- data.password = hashed;
1531
- // Create user
1532
- const created = await userModel.create(data);
1533
- // Prepare response: generate token and strip password
1534
- const roleName = (await this.normalizeRoleName(created.role)) ?? '';
1535
- const token = jsonwebtoken_1.default.sign({ id: created.id, role: roleName }, this.jwtSecret, {
1536
- expiresIn: '7days',
1537
- });
1538
- delete created.password;
1539
- return res.json({
1540
- success: true,
1541
- message: 'Registration successful.',
1542
- data: { token, user: created },
1543
- });
1544
- }
1545
- catch (error) {
1546
- this.handleWriteError(error, res);
1547
- }
1548
- });
1549
- // ---- LOGIN ----
1550
- this.router.post(`${basePath}/login`, this.apiKeyMiddleware, async (req, res) => {
1551
- let { email, username, password } = req.body;
1552
- if ((!email && !username) || !password) {
1553
- return res.status(400).json({
1554
- error: true,
1555
- message: 'Email/username and password are required',
1556
- });
1557
- }
1558
- try {
1559
- const userModel = this.getModel('users');
1560
- const findBy = email
1561
- ? { email: String(email).trim().toLowerCase() }
1562
- : { username: String(username).trim() };
1563
- const users = await userModel.read(findBy, 1, 0, true);
1564
- const user = users?.[0];
1565
- if (!user)
1566
- return res
1567
- .status(400)
1568
- .json({ error: true, message: 'Invalid credentials' });
1569
- const hashedPassword = user.password;
1570
- if (!hashedPassword)
1571
- return res
1572
- .status(400)
1573
- .json({ error: true, message: 'User password not set' });
1574
- const isMatch = await bcrypt_1.default.compare(String(password) + this.jwtSecret, hashedPassword);
1575
- if (!isMatch)
1576
- return res
1577
- .status(400)
1578
- .json({ error: true, message: 'Invalid credentials' });
1579
- const status = user.status;
1580
- if (status && status !== 'active') {
1581
- const msg = status === 'pending'
1582
- ? 'Your account is awaiting approval.'
1583
- : 'Your account is suspended.';
1584
- return res.status(403).json({ error: true, message: msg });
1585
- }
1586
- const roleName = (await this.normalizeRoleName(user.role)) ?? '';
1587
- const token = jsonwebtoken_1.default.sign({ id: user.id, role: roleName }, // normalize here
1588
- this.jwtSecret, { expiresIn: '7days' });
1589
- delete user.password;
1590
- res.json({
1591
- success: true,
1592
- message: 'You are successfully logged in.',
1593
- data: { token, user },
1594
- });
1595
- }
1596
- catch (error) {
1597
- if (error?.code === 'MODEL_REMOVED')
1598
- return res
1599
- .status(410)
1600
- .json({ error: true, message: error.message });
1601
- res.status(500).json({ error: true, message: error.message });
1602
- }
1603
- });
1604
- // ---- ME ----
1605
- this.router.get(`${basePath}/me`, this.apiKeyMiddleware, this.authenticateMiddleware.bind(this), async (req, res) => {
1606
- try {
1607
- const userId = req.user?.id ?? req.user?._id ?? null;
1608
- if (!userId) {
1609
- return res
1610
- .status(401)
1611
- .json({ error: true, message: 'Not authenticated' });
1612
- }
1613
- const userModel = this.getModel('users');
1614
- const arr = await userModel.read({ id: userId }, 1, 0, true);
1615
- const user = arr?.[0];
1616
- if (!user) {
1617
- return res
1618
- .status(404)
1619
- .json({ error: true, message: 'User not found' });
1620
- }
1621
- delete user.password;
1622
- return res.json({ success: true, data: user });
1623
- }
1624
- catch (error) {
1625
- return res
1626
- .status(400)
1627
- .json({ error: true, message: error?.message || 'Error' });
1628
- }
1629
- });
1630
- // ---- CHANGE PASSWORD ----
1631
- this.router.post(`${basePath}/change-password`, this.apiKeyMiddleware, this.authenticateMiddleware.bind(this), async (req, res) => {
1632
- try {
1633
- const { oldPassword, newPassword } = req.body;
1634
- if (!oldPassword || !newPassword) {
1635
- return res.status(400).json({
1636
- error: true,
1637
- message: 'oldPassword and newPassword are required',
1638
- });
1639
- }
1640
- // basic policy (customize as desired)
1641
- if (String(newPassword).length < 8) {
1642
- return res.status(400).json({
1643
- error: true,
1644
- message: 'New password must be at least 8 characters long',
1645
- });
1646
- }
1647
- if (String(newPassword) === String(oldPassword)) {
1648
- return res.status(400).json({
1649
- error: true,
1650
- message: 'New password must be different from old password',
1651
- });
1652
- }
1653
- const userId = req.user?.id ?? req.user?._id ?? null;
1654
- if (!userId) {
1655
- return res
1656
- .status(401)
1657
- .json({ error: true, message: 'Not authenticated' });
1658
- }
1659
- const userModel = this.getModel('users');
1660
- const arr = await userModel.read({ id: userId }, 1, 0, true);
1661
- const user = arr?.[0];
1662
- if (!user) {
1663
- return res
1664
- .status(404)
1665
- .json({ error: true, message: 'User not found' });
1666
- }
1667
- const storedHash = user.password;
1668
- if (!storedHash) {
1669
- return res
1670
- .status(400)
1671
- .json({ error: true, message: 'User password not set' });
1672
- }
1673
- const match = await bcrypt_1.default.compare(String(oldPassword) + this.jwtSecret, storedHash);
1674
- if (!match) {
1675
- return res
1676
- .status(400)
1677
- .json({ error: true, message: 'Old password is incorrect' });
1678
- }
1679
- const salt = await bcrypt_1.default.genSalt(10);
1680
- const newHash = await bcrypt_1.default.hash(String(newPassword) + this.jwtSecret, salt);
1681
- await userModel.update(user.id, { password: newHash });
1682
- return res.json({
1683
- success: true,
1684
- message: 'Password changed successfully.',
1685
- });
1686
- }
1687
- catch (error) {
1688
- res
1689
- .status(400)
1690
- .json({ error: true, message: error?.message || 'Error' });
1691
- }
1692
- });
1693
- // ---- FORGOT PASSWORD ----
1694
- const forgotPasswordHandler = async (req, res) => {
1695
- try {
1696
- const { email } = (req.body || {});
1697
- if (!email || !String(email).trim()) {
1698
- return res
1699
- .status(400)
1700
- .json({ error: true, message: 'Email is required' });
1701
- }
1702
- // Normalize and (optionally) look up the user. We do NOT reveal whether the user exists.
1703
- const normalizedEmail = String(email).trim().toLowerCase();
1704
- try {
1705
- const userModel = this.getModel('users');
1706
- // Best-effort read; ignore result to avoid leaking existence
1707
- await userModel.read({ email: normalizedEmail }, 1, 0, true);
1708
- }
1709
- catch {
1710
- // Ignore lookup errors deliberately
1711
- }
1712
- // In a real implementation, generate a reset token, store it with expiry, and send an email.
1713
- // Here we return a generic success message so the React app flow can proceed.
1714
- return res.json({
1715
- success: true,
1716
- message: 'If an account exists, reset instructions have been sent.',
1717
- });
1718
- }
1719
- catch (error) {
1720
- return res
1721
- .status(400)
1722
- .json({ error: true, message: error?.message || 'Error' });
1723
- }
1724
- };
1725
- // Primary (plural) route under /auth/users
1726
- this.router.post(`${basePath}/forgot-password`, this.apiKeyMiddleware, forgotPasswordHandler);
1727
- // NOTE: All Users/Roles CRUD routes are handled by generic routes.
1728
- }
1729
- // ---------------- Common helpers ----------------
1730
- /**
1731
- * Validate required fields.
1732
- * - create: field must exist and be non-empty (not null/undefined/'').
1733
- * - update: only validate fields that are explicitly present in the payload;
1734
- * absence means "unchanged".
1735
- */
1736
- validateRequiredFields(schema, payload, mode = 'create') {
1737
- const missing = [];
1738
- const isEmpty = (v) => v === undefined ||
1739
- v === null ||
1740
- (typeof v === 'string' && v.trim() === '');
1741
- // If this is an extended schema, skip validating base fields here
1742
- let baseKeys = null;
1743
- const baseName = schema?.extends;
1744
- if (baseName) {
1745
- try {
1746
- const baseLC = baseName.toLowerCase();
1747
- const baseSchema = this.getSchema(baseLC);
1748
- baseKeys = new Set(Object.keys(baseSchema.attributes || {}));
1749
- }
1750
- catch {
1751
- baseKeys = null;
1752
- }
1753
- }
1754
- for (const [key, attribute] of Object.entries(schema.attributes)) {
1755
- // Skip array defs here (arrays wrap inner type), and skip private fields entirely from client-required validation
1756
- if (Array.isArray(attribute))
1757
- continue;
1758
- if (attribute?.private)
1759
- continue;
1760
- if (baseKeys && key !== 'baseId' && baseKeys.has(key))
1761
- continue; // do not require base fields on child
1762
- const req = Boolean(attribute?.required);
1763
- if (!req)
1764
- continue;
1765
- if (mode === 'create') {
1766
- if (isEmpty(payload[key]))
1767
- missing.push(key);
1768
- }
1769
- else {
1770
- // update → only if field is being sent AND is empty
1771
- if (Object.prototype.hasOwnProperty.call(payload, key) &&
1772
- isEmpty(payload[key])) {
1773
- missing.push(key);
1774
- }
1775
- }
1776
- }
1777
- return missing;
1778
- }
1779
396
  handleWriteError(error, res) {
1780
397
  if (error?.code === 'MODEL_REMOVED') {
1781
398
  res.status(410).json({ error: true, message: error.message });
@@ -1811,13 +428,6 @@ class APIRouter {
1811
428
  this.router.stack = this.router.stack.filter((layer) => layer?.handle !== this.notFoundHandler);
1812
429
  this.router.use('*', this.notFoundHandler);
1813
430
  }
1814
- async validateRoleValue(roleValue) {
1815
- const roleModel = this.models['role'];
1816
- if (!roleModel)
1817
- return false;
1818
- const roles = await roleModel.read({ name: roleValue }, 1, 0);
1819
- return roles.length > 0;
1820
- }
1821
431
  async checkUniqueFields(schema, data, excludeId) {
1822
432
  const uniqueFields = Object.entries(schema.attributes)
1823
433
  .filter(([_, attr]) => attr.unique)