@airoom/nextmin-node 1.4.5 → 1.4.6

package/dist/api/apiRouter.js

@@ -309,10 +309,13 @@ class APIRouter {
         if (this.schemasRouteRegistered)
             return;
         this.schemasRouteRegistered = true;
-        this.router.get('/_schemas', this.apiKeyMiddleware, (_req, res) => {
+        this.router.get('/_schemas', this.optionalAuthMiddleware, async (req, res) => {
+            const role = await this.normalizeRoleName(this.getUserRoleFromReq(req));
+            // Typically admin/superadmin can see clinical/private fields in schema
+            const showPrivate = role === 'admin' || role === 'superadmin';
             res.json({
                 success: true,
-                data: this.schemaLoader.getPublicSchemaList(),
+                data: this.schemaLoader.getPublicSchemaList(showPrivate),
             });
         });
     }

package/dist/api/router/mountCrudRoutes.js

@@ -430,7 +430,8 @@ function mountCrudRoutes(ctx, modelNameLC) {
                     paged = merged.slice(start, start + limit);
                 }
                 else {
-                    totalRows = merged.length;
+                    // Get actual total count from database (not just current page length)
+                    totalRows = await model.count(childFilter);
                     paged = merged.slice(0, limit);
                 }
                 const data = rdec.exposePrivate

package/dist/api/router/setupAuthRoutes.js

@@ -114,7 +114,7 @@ function setupAuthRoutes(ctx) {
             res.json({
                 success: true,
                 message: 'You are successfully logged in.',
-                data: { token, user },
+                data: { token, user: { ...user, roleName } },
             });
         }
         catch (error) {
@@ -140,8 +140,12 @@ function setupAuthRoutes(ctx) {
                     .status(404)
                     .json({ error: true, message: 'User not found' });
             }
+            const roleName = (await ctx.normalizeRoleName(user.role)) ?? '';
             delete user.password;
-            return res.json({ success: true, data: user });
+            return res.json({
+                success: true,
+                data: { ...user, roleName },
+            });
         }
         catch (error) {
             return res

package/dist/policy/authorize.js

@@ -38,6 +38,23 @@ function computeSensitiveMask(schemaPolicy) {
     return negs;
 }
 /* ----------------- general helpers ----------------- */
+function getPolicySection(base, ...path) {
+    if (!base)
+        return undefined;
+    let curr = base;
+    for (let i = 0; i < path.length; i++) {
+        const part = path[i];
+        // try exact key (e.g. "roles.admin")
+        const flatKey = path.slice(i).join('.');
+        if (curr[flatKey] !== undefined)
+            return curr[flatKey];
+        // try nested
+        curr = curr[part];
+        if (curr === undefined)
+            return undefined;
+    }
+    return curr;
+}
 function asBool(v) {
     return typeof v === 'boolean' ? v : undefined;
 }
@@ -117,8 +134,9 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
     // if false → continue to roles/auth checks
     // 3) ROLES
     const roleName = (ctx.role || '').toLowerCase();
-    if (roleName && access?.roles?.[roleName]) {
-        const rule = access.roles[roleName][action];
+    const roleRules = roleName ? getPolicySection(access, 'roles', roleName) : null;
+    if (roleRules) {
+        const rule = roleRules[action];
         const rBool = asBool(rule);
         if (rBool === true) {
             const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
@@ -126,9 +144,9 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
                 allow: true,
                 readMask: effectiveReadMask,
                 writeDeny: effectiveWriteDeny,
-                createDefaults: createDefaultsBase?.roles?.[roleName] || {},
-                restrictions: restrictionsBase?.roles?.[roleName] || {},
-                queryFilter: queryFilterBase?.roles?.[roleName] || {},
+                createDefaults: getPolicySection(createDefaultsBase, 'roles', roleName) || {},
+                restrictions: getPolicySection(restrictionsBase, 'roles', roleName) || {},
+                queryFilter: getPolicySection(queryFilterBase, 'roles', roleName) || {},
                 exposePrivate: bypass,
                 sensitiveMask,
             };

package/dist/services/SchemaService.js

@@ -34,13 +34,13 @@ function startSchemaService(server, opts = {}) {
     const loader = SchemaLoader_1.SchemaLoader.getInstance?.() ?? new SchemaLoader_1.SchemaLoader();
     nsp.on('connection', (socket) => {
         Logger_1.default.info('SchemaService:', socket.id);
-        // Send full snapshot on connect
+        // Send normalized (secure) snapshot on connect
         socket.emit('schemasData', loader.getPublicSchemaList());
     });
-    // Broadcast updates on hot-reload / schema changes
+    // Broadcast sanitized updates on hot-reload / schema changes
     if (typeof loader.on === 'function') {
-        loader.on('schemasChanged', (schemas) => {
-            nsp?.emit('schemasUpdated', schemas);
+        loader.on('schemasChanged', () => {
+            nsp?.emit('schemasUpdated', loader.getPublicSchemaList());
         });
     }
 }

package/dist/utils/SchemaLoader.d.ts

@@ -33,9 +33,9 @@ export declare class SchemaLoader {
         [key: string]: Schema;
     };
     /** CLIENT/API: sanitized map with private attributes removed */
-    getPublicSchemas(): Record<string, PublicSchema>;
+    getPublicSchemas(showPrivate?: boolean): Record<string, PublicSchema>;
     /** CLIENT/API convenience: array of { modelName, attributes, allowedMethods } */
-    getPublicSchemaList(): Array<PublicSchema>;
+    getPublicSchemaList(showPrivate?: boolean): Array<PublicSchema>;
     /** Strip any attr marked private; also remove the `private` flag from others */
     /** Keep private/sensitive flags so the UI and policy layer can decide.
      *  We only shallow-clone values to avoid leaking references.

package/dist/utils/SchemaLoader.js

@@ -288,13 +288,13 @@ class SchemaLoader {
         return this.schemas;
     }
     /** CLIENT/API: sanitized map with private attributes removed */
-    getPublicSchemas() {
+    getPublicSchemas(showPrivate = false) {
         const out = {};
         for (const [name, s] of Object.entries(this.schemas)) {
             // if (this.nonOverridableSchemas.has(name)) continue;
             // Clone sanitized attributes and add timestamps
             const attributesWithTimestamps = {
-                ...this.sanitizeAttributes(s.attributes),
+                ...this.sanitizeAttributes(s.attributes, showPrivate),
                 createdAt: { type: 'datetime' },
                 updatedAt: { type: 'datetime' },
             };
@@ -308,15 +308,15 @@ class SchemaLoader {
         return out;
     }
     /** CLIENT/API convenience: array of { modelName, attributes, allowedMethods } */
-    getPublicSchemaList() {
-        const pub = this.getPublicSchemas();
+    getPublicSchemaList(showPrivate = false) {
+        const pub = this.getPublicSchemas(showPrivate);
         return Object.values(pub);
     }
     /** Strip any attr marked private; also remove the `private` flag from others */
     /** Keep private/sensitive flags so the UI and policy layer can decide.
      *  We only shallow-clone values to avoid leaking references.
      */
-    sanitizeAttributes(attrs) {
+    sanitizeAttributes(attrs, showPrivate = false) {
         const out = {};
         if (!attrs || typeof attrs !== 'object' || Array.isArray(attrs))
             return out;
@@ -325,13 +325,12 @@ class SchemaLoader {
             if (Array.isArray(attr)) {
                 const elem = attr[0];
                 if (elem && typeof elem === 'object') {
-                    // If the inner descriptor is private, omit this field entirely from public schema
-                    if (elem.private) {
+                    // If the inner descriptor is private and we're not showing private, omit this field entirely
+                    if (elem.private && !showPrivate) {
                         continue;
                     }
-                    // Keep as an array with a single shallow-cloned descriptor (without leaking private flag)
-                    const { private: _omit, ...rest } = elem;
-                    out[key] = [{ ...rest }];
+                    // Preserve the descriptor, including the 'private' flag if showPrivate is true
+                    out[key] = [{ ...elem }];
                 }
                 else {
                     // Fallback: keep as-is (no private flag to check)
@@ -341,13 +340,12 @@ class SchemaLoader {
             }
             // Single attribute object
             if (attr && typeof attr === 'object') {
-                // If marked private, omit from public schema entirely
-                if (attr.private) {
+                // If marked private and we're not showing private, omit from public schema entirely
+                if (attr.private && !showPrivate) {
                     continue;
                 }
-                // Shallow clone and drop the private flag if present
-                const { private: _omit, ...rest } = attr;
-                out[key] = { ...rest };
+                // Preserve the descriptor, including the 'private' flag if showPrivate is true
+                out[key] = { ...attr };
                 continue;
             }
             // Unexpected primitives — pass through

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@airoom/nextmin-node",
-  "version": "1.4.5",
+  "version": "1.4.6",
   "license": "MIT",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",