@airoom/nextmin-node 1.4.5 → 2.0.1

package/dist/policy/authorize.js

@@ -38,6 +38,23 @@ function computeSensitiveMask(schemaPolicy) {
     return negs;
 }
 /* ----------------- general helpers ----------------- */
+function getPolicySection(base, ...path) {
+    if (!base)
+        return undefined;
+    let curr = base;
+    for (let i = 0; i < path.length; i++) {
+        const part = path[i];
+        // try exact key (e.g. "roles.admin")
+        const flatKey = path.slice(i).join('.');
+        if (curr[flatKey] !== undefined)
+            return curr[flatKey];
+        // try nested
+        curr = curr[part];
+        if (curr === undefined)
+            return undefined;
+    }
+    return curr;
+}
 function asBool(v) {
     return typeof v === 'boolean' ? v : undefined;
 }
@@ -61,6 +78,41 @@ function isOwnerDoc(schemaPolicy, ctx, doc) {
     const candidate = typeof val === 'object' ? (val.id ?? val._id ?? String(val)) : String(val);
     return String(candidate) === String(ctx.userId);
 }
+const OPERATOR_MAP = {
+    ne: '$ne',
+    gt: '$gt',
+    gte: '$gte',
+    lt: '$lt',
+    lte: '$lte',
+    in: '$in',
+    nin: '$nin',
+    regex: '$regex',
+    options: '$options',
+    and: '$and',
+    or: '$or',
+    nor: '$nor',
+};
+function interpolate(val, ctx) {
+    if (typeof val === 'string') {
+        if (val === '$CTX.userId')
+            return ctx.userId;
+        if (val === '$CTX.role')
+            return ctx.role;
+        return val;
+    }
+    if (Array.isArray(val)) {
+        return val.map((v) => interpolate(v, ctx));
+    }
+    if (val && typeof val === 'object' && val.constructor === Object) {
+        const out = {};
+        for (const [k, v] of Object.entries(val)) {
+            const targetKey = OPERATOR_MAP[k] || k;
+            out[targetKey] = interpolate(v, ctx);
+        }
+        return out;
+    }
+    return val;
+}
 /* =================================================== */
 /* =============== MAIN AUTHORIZATION ================= */
 /* =================================================== */
@@ -71,6 +123,15 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
         return { ...EMPTY_DECISION, allow: false };
     const access = schemaPolicy?.access || {};
     const baseReadMask = [].concat(access?.readMask || []);
+    // Auto-mask private attributes
+    for (const [name, attr] of Object.entries(schemaPolicy?.attributes || {})) {
+        const a = Array.isArray(attr) ? attr[0] : attr;
+        if (a && a.private === true) {
+            const mask = `-${name}`;
+            if (!baseReadMask.includes(mask))
+                baseReadMask.push(mask);
+        }
+    }
     const baseWriteDeny = [].concat(access?.writeDeny || []);
     const restrictionsBase = access?.restrictions || {};
     const createDefaultsBase = access?.createDefaults || {};
@@ -83,27 +144,47 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
         const effectiveWriteDeny = bypass ? [] : writeDenyIn || [];
         return { effectiveReadMask, effectiveWriteDeny };
     };
-    // 1) no access block → sensible defaults
-    if (!schemaPolicy?.access) {
-        const allowedByDefault = action === 'read' ? true : !!ctx.isAuthenticated;
-        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+    const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
+    const finalizeFallback = (dec) => {
         return {
+            ...dec,
+            queryFilter: interpolate(dec.queryFilter, ctx),
+            createDefaults: interpolate(dec.createDefaults, ctx),
+            restrictions: interpolate(dec.restrictions, ctx),
+        };
+    };
+    // 1) Reachability check: Do we have ANY explicit rules for this action?
+    const hasReachabilityRule = !!(access?.public?.[action] !== undefined ||
+        access?.authenticated?.[action] !== undefined ||
+        (access?.roles &&
+            Object.values(access.roles).some((r) => r[action] !== undefined)));
+    // If no access block OR no reachability rule for this specific action → sensible defaults
+    if (!schemaPolicy?.access || !hasReachabilityRule) {
+        const allowedByDefault = action === 'read' ? true : !!ctx.isAuthenticated;
+        return finalizeFallback({
             allow: allowedByDefault,
             readMask: effectiveReadMask,
             writeDeny: effectiveWriteDeny,
             createDefaults: {},
             restrictions: {},
             queryFilter: action === 'read' ? {} : {},
-            exposePrivate: bypass, // will normally be false if no bypassPrivacy set
+            exposePrivate: bypass,
             sensitiveMask,
-        };
+        });
     }
+    const finalize = (dec) => {
+        return {
+            ...dec,
+            queryFilter: interpolate(dec.queryFilter, ctx),
+            createDefaults: interpolate(dec.createDefaults, ctx),
+            restrictions: interpolate(dec.restrictions, ctx),
+        };
+    };
     // 2) PUBLIC
     const pubRule = access?.public?.[action];
     const pubBool = asBool(pubRule);
     if (pubBool === true) {
-        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
-        return {
+        return finalize({
             allow: true,
             readMask: effectiveReadMask,
             writeDeny: effectiveWriteDeny,
@@ -112,43 +193,41 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
             queryFilter: queryFilterBase?.public || {},
             exposePrivate: bypass, // if caller has a bypass role, they get private fields (still masked by sensitive)
             sensitiveMask,
-        };
+        });
     }
     // if false → continue to roles/auth checks
     // 3) ROLES
     const roleName = (ctx.role || '').toLowerCase();
-    if (roleName && access?.roles?.[roleName]) {
-        const rule = access.roles[roleName][action];
+    const roleRules = roleName ? getPolicySection(access, 'roles', roleName) : null;
+    if (roleRules) {
+        const rule = roleRules[action];
         const rBool = asBool(rule);
         if (rBool === true) {
-            const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
-            return {
+            return finalize({
                 allow: true,
                 readMask: effectiveReadMask,
                 writeDeny: effectiveWriteDeny,
-                createDefaults: createDefaultsBase?.roles?.[roleName] || {},
-                restrictions: restrictionsBase?.roles?.[roleName] || {},
-                queryFilter: queryFilterBase?.roles?.[roleName] || {},
+                createDefaults: getPolicySection(createDefaultsBase, 'roles', roleName) || {},
+                restrictions: getPolicySection(restrictionsBase, 'roles', roleName) || {},
+                queryFilter: getPolicySection(queryFilterBase, 'roles', roleName) || {},
                 exposePrivate: bypass,
                 sensitiveMask,
-            };
+            });
         }
         if (rBool === false) {
-            const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
-            return {
+            return finalize({
                 ...EMPTY_DECISION,
                 readMask: effectiveReadMask,
                 writeDeny: effectiveWriteDeny,
                 exposePrivate: false,
                 sensitiveMask,
-            };
+            });
         }
         // role === 'owner'
         if (rule === 'owner') {
-            const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
             if (action === 'read') {
                 if (doc) {
-                    return {
+                    return finalize({
                         allow: isOwnerDoc(schemaPolicy, ctx, doc),
                         readMask: effectiveReadMask,
                         writeDeny: effectiveWriteDeny,
@@ -157,9 +236,9 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
                         queryFilter: {},
                         exposePrivate: bypass,
                         sensitiveMask,
-                    };
+                    });
                 }
-                return {
+                return finalize({
                     allow: true,
                     readMask: effectiveReadMask,
                     writeDeny: effectiveWriteDeny,
@@ -168,9 +247,9 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
                     queryFilter: ownerFilter(schemaPolicy, ctx),
                     exposePrivate: bypass,
                     sensitiveMask,
-                };
+                });
             }
-            return {
+            return finalize({
                 allow: isOwnerDoc(schemaPolicy, ctx, doc),
                 readMask: effectiveReadMask,
                 writeDeny: effectiveWriteDeny,
@@ -179,15 +258,14 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
                 queryFilter: {},
                 exposePrivate: bypass,
                 sensitiveMask,
-            };
+            });
         }
     }
     // 4) AUTHENTICATED
     const authRule = access?.authenticated?.[action];
     const aBool = asBool(authRule);
     if (aBool === true && ctx.isAuthenticated) {
-        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
-        return {
+        return finalize({
             allow: true,
             readMask: effectiveReadMask,
             writeDeny: effectiveWriteDeny,
@@ -196,23 +274,21 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
             queryFilter: queryFilterBase?.authenticated || {},
             exposePrivate: bypass,
             sensitiveMask,
-        };
+        });
     }
     if (aBool === false && ctx.isAuthenticated) {
-        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
-        return {
+        return finalize({
             ...EMPTY_DECISION,
             readMask: effectiveReadMask,
             writeDeny: effectiveWriteDeny,
             exposePrivate: false,
             sensitiveMask,
-        };
+        });
     }
     if (authRule === 'owner' && ctx.isAuthenticated) {
-        const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
         if (action === 'read') {
             if (doc) {
-                return {
+                return finalize({
                     allow: isOwnerDoc(schemaPolicy, ctx, doc),
                     readMask: effectiveReadMask,
                     writeDeny: effectiveWriteDeny,
@@ -221,9 +297,9 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
                     queryFilter: {},
                     exposePrivate: bypass,
                     sensitiveMask,
-                };
+                });
             }
-            return {
+            return finalize({
                 allow: true,
                 readMask: effectiveReadMask,
                 writeDeny: effectiveWriteDeny,
@@ -232,9 +308,9 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
                 queryFilter: ownerFilter(schemaPolicy, ctx),
                 exposePrivate: bypass,
                 sensitiveMask,
-            };
+            });
         }
-        return {
+        return finalize({
             allow: isOwnerDoc(schemaPolicy, ctx, doc),
             readMask: effectiveReadMask,
             writeDeny: effectiveReadMask, // (typo guard: will be ignored by callers; leave as is)
@@ -243,17 +319,16 @@ function authorize(modelNameLC, action, schemaPolicy, ctx, doc) {
             queryFilter: {},
             exposePrivate: bypass,
             sensitiveMask,
-        };
+        });
     }
     // 5) default deny
-    const { effectiveReadMask, effectiveWriteDeny } = mkMasks(baseReadMask, baseWriteDeny);
-    return {
+    return finalize({
         ...EMPTY_DECISION,
         readMask: effectiveReadMask,
         writeDeny: effectiveWriteDeny,
         exposePrivate: false,
         sensitiveMask,
-    };
+    });
 }
 /* ===== Helpers consumed by the router ===== */
 function applyReadMaskOne(doc, mask) {

package/dist/schemas/Users.json

@@ -4,12 +4,15 @@
     "username": {
       "type": "string",
       "required": true,
-      "unique": true
+      "unique": true,
+      "safe": true
     },
     "email": {
       "type": "string",
       "required": true,
-      "unique": true
+      "unique": true,
+      "private": true,
+      "safe": true
     },
     "firstName": {
       "type": "string",
@@ -22,9 +25,9 @@
     "password": {
       "type": "string",
       "required": true,
-      "private": true
+      "private": true,
+      "safe": true
     },
-
     "profilePicture": [
       {
         "type": "string",
@@ -35,7 +38,6 @@
         "required": true
       }
     ],
-
     "role": [
       {
         "type": "ObjectId",
@@ -45,28 +47,35 @@
         "required": true
       }
     ],
-
     "status": {
       "type": "string",
-      "enum": ["pending", "active", "suspended"],
+      "enum": [
+        "pending",
+        "active",
+        "suspended"
+      ],
       "default": "pending",
-      "required": true
+      "required": true,
+      "safe": true
     },
     "type": {
       "type": "string",
-      "enum": ["system", "default", "user"],
+      "enum": [
+        "system",
+        "default",
+        "user"
+      ],
       "default": "user",
-      "required": true
+      "required": true,
+      "safe": true
     }
   },
-
   "allowedMethods": {
     "create": true,
     "read": true,
     "update": true,
     "delete": false
   },
-
   "access": {
     "public": {
       "create": true,
@@ -77,10 +86,9 @@
     "authenticated": {
       "create": false,
       "read": "owner",
-      "update": false,
+      "update": "owner",
       "delete": false
     },
-
     "roles": {
       "admin": {
         "create": true,
@@ -95,28 +103,56 @@
         "delete": true
       }
     },
-
     "queryFilter": {
-      "authenticated": { "id": { "ne": "$CTX.userId" } },
+      "authenticated": {
+        "id": {
+          "ne": "$CTX.userId"
+        }
+      },
       "roles": {
-        "admin":       { "id": { "ne": "$CTX.userId" } },
-        "superadmin":  {}
+        "admin": {
+          "id": {
+            "ne": "$CTX.userId"
+          }
+        },
+        "superadmin": {}
+      }
+    },
+    "conditions": {
+      "owner": {
+        "by": "id"
       }
     },
-
-    "conditions": { "owner": { "by": "id" } },
-    "readMask": ["-password"],
-    "writeDeny": ["password"],
-    "bypassPrivacy": { "roles": ["admin", "superadmin"] },
-
+    "readMask": [
+      "-password"
+    ],
+    "writeDeny": [
+      "password"
+    ],
+    "bypassPrivacy": {
+      "roles": [
+        "admin",
+        "superadmin"
+      ]
+    },
     "createDefaults": {
-      "public": { "role": "user", "status": "pending" },
-      "roles.admin": { "status": "active" },
-      "roles.superadmin": { "status": "active" }
+      "public": {
+        "role": "user",
+        "status": "pending"
+      },
+      "roles.admin": {
+        "status": "active"
+      },
+      "roles.superadmin": {
+        "status": "active"
+      }
     },
-
     "restrictions": {
-      "roles.admin.cannotAssign": { "role": ["superadmin"] }
+      "roles.admin.cannotAssign": {
+        "role": [
+          "superadmin"
+        ]
+      }
     }
   }
-}
+}

package/dist/services/RealtimeService.d.ts

@@ -0,0 +1,20 @@
+import { Server as HTTPServer } from 'http';
+export declare const SOCKET_PATH = "/__nextmin__/realtime";
+export declare const NAMESPACE = "/realtime";
+/**
+ * RealtimeService handles real-time communication with clients using Socket.io.
+ * It broadcasts schema changes and CRUD events.
+ */
+export declare class RealtimeService {
+    private opts;
+    private io;
+    private nsp;
+    constructor(server: HTTPServer, opts: {
+        getApiKey?: () => string | undefined;
+        corsOrigin?: string | any;
+    });
+    private setupAuth;
+    private setupListeners;
+    private forwardSystemEvents;
+    shutdown(): void;
+}

package/dist/services/RealtimeService.js

@@ -0,0 +1,93 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RealtimeService = exports.NAMESPACE = exports.SOCKET_PATH = void 0;
+const socket_io_1 = require("socket.io");
+const SchemaLoader_1 = require("../utils/SchemaLoader");
+const Events_1 = require("../utils/Events");
+const Logger_1 = __importDefault(require("../utils/Logger"));
+exports.SOCKET_PATH = '/__nextmin__/realtime';
+exports.NAMESPACE = '/realtime';
+/**
+ * RealtimeService handles real-time communication with clients using Socket.io.
+ * It broadcasts schema changes and CRUD events.
+ */
+class RealtimeService {
+    constructor(server, opts) {
+        this.opts = opts;
+        this.io = new socket_io_1.Server(server, {
+            path: exports.SOCKET_PATH,
+            cors: { origin: opts.corsOrigin ?? '*' },
+        });
+        this.nsp = this.io.of(exports.NAMESPACE);
+        this.setupAuth();
+        this.setupListeners();
+        this.forwardSystemEvents();
+        Logger_1.default.info('RealtimeService', `Initialized at ${exports.SOCKET_PATH}`);
+    }
+    setupAuth() {
+        this.nsp.use((socket, next) => {
+            const provided = socket.handshake.auth?.apiKey;
+            const trusted = this.opts.getApiKey?.();
+            if (trusted && provided === trusted)
+                return next();
+            next(new Error('unauthorized'));
+        });
+    }
+    setupListeners() {
+        this.nsp.on('connection', (socket) => {
+            Logger_1.default.info('RealtimeService', `Client connected: ${socket.id}`);
+            const loader = SchemaLoader_1.SchemaLoader.getInstance();
+            socket.emit('schemasData', loader.getPublicSchemaList(true));
+        });
+    }
+    forwardSystemEvents() {
+        // 1. Forward Schema changes
+        const loader = SchemaLoader_1.SchemaLoader.getInstance();
+        if (typeof loader.on === 'function') {
+            loader.on('schemasChanged', () => {
+                this.nsp.emit('schemasUpdated', loader.getPublicSchemaList(true));
+            });
+        }
+        // 2. Forward CRUD events (Events from our central emitter)
+        Events_1.events.on(Events_1.Events.AFTER_CREATE, (payload) => {
+            const model = payload.modelName.toLowerCase();
+            const data = {
+                model: payload.modelName,
+                action: 'created',
+                id: payload.result.id,
+                data: payload.result
+            };
+            this.nsp.emit('doc:created', data);
+            this.nsp.emit(`${model}:created`, data);
+        });
+        Events_1.events.on(Events_1.Events.AFTER_UPDATE, (payload) => {
+            const model = payload.modelName.toLowerCase();
+            const data = {
+                model: payload.modelName,
+                action: 'updated',
+                id: payload.id,
+                data: payload.result
+            };
+            this.nsp.emit('doc:updated', data);
+            this.nsp.emit(`${model}:updated`, data);
+        });
+        Events_1.events.on(Events_1.Events.AFTER_DELETE, (payload) => {
+            const model = payload.modelName.toLowerCase();
+            const data = {
+                model: payload.modelName,
+                action: 'deleted',
+                id: payload.id
+            };
+            this.nsp.emit('doc:deleted', data);
+            this.nsp.emit(`${model}:deleted`, data);
+        });
+    }
+    shutdown() {
+        this.io.close();
+        Logger_1.default.warn('RealtimeService', 'Stopped');
+    }
+}
+exports.RealtimeService = RealtimeService;

package/dist/services/SchemaService.d.ts

@@ -7,4 +7,7 @@ export interface SchemaServiceOptions {
     /** Optional CORS origin override (defaults to "*") */
     corsOrigin?: string | RegExp | (string | RegExp)[];
 }
+/**
+ * @deprecated The SchemaService is deprecated. Use RealtimeService instead.
+ */
 export declare function startSchemaService(server: HTTPServer, opts?: SchemaServiceOptions): void;

package/dist/services/SchemaService.js

@@ -13,7 +13,11 @@ exports.NAMESPACE = '/schema';
 let started = false;
 let io = null;
 let nsp = null;
+/**
+ * @deprecated The SchemaService is deprecated. Use RealtimeService instead.
+ */
 function startSchemaService(server, opts = {}) {
+    Logger_1.default.warn('SchemaService', 'The SchemaService is deprecated. Use RealtimeService instead.');
     if (started)
         return;
     started = true;
@@ -34,13 +38,13 @@ function startSchemaService(server, opts = {}) {
     const loader = SchemaLoader_1.SchemaLoader.getInstance?.() ?? new SchemaLoader_1.SchemaLoader();
     nsp.on('connection', (socket) => {
         Logger_1.default.info('SchemaService:', socket.id);
-        // Send full snapshot on connect
-        socket.emit('schemasData', loader.getPublicSchemaList());
+        // Send normalized (secure) snapshot on connect
+        socket.emit('schemasData', loader.getPublicSchemaList(true));
     });
-    // Broadcast updates on hot-reload / schema changes
+    // Broadcast sanitized updates on hot-reload / schema changes
     if (typeof loader.on === 'function') {
-        loader.on('schemasChanged', (schemas) => {
-            nsp?.emit('schemasUpdated', schemas);
+        loader.on('schemasChanged', () => {
+            nsp?.emit('schemasUpdated', loader.getPublicSchemaList(true));
         });
     }
 }

package/dist/utils/DefaultDataInitializer.js

@@ -235,8 +235,16 @@ class DefaultDataInitializer {
         // Update only missing/empty fields (do not overwrite existing values)
         const updates = {};
         // apiKey
-        if (doc.apiKey && String(doc.apiKey).trim().length > 0) {
-            this.apiKey = doc.apiKey; // honor existing
+        const envKey = process.env.NEXTMIN_API_KEY;
+        if (envKey && String(envKey).trim().length > 0) {
+            // If environment variable is set, it takes precedence over the database
+            this.apiKey = envKey;
+            if (doc.apiKey !== envKey) {
+                updates.apiKey = envKey;
+            }
+        }
+        else if (doc.apiKey && String(doc.apiKey).trim().length > 0) {
+            this.apiKey = doc.apiKey; // honor existing if no env var
         }
         else {
             updates.apiKey = generatedApiKey;

package/dist/utils/Events.d.ts

@@ -0,0 +1,34 @@
+import { EventEmitter } from 'events';
+/**
+ * NextMinEvents is a central event emitter for the NextMin ecosystem.
+ * It allows components to hook into CRUD and system events.
+ */
+declare class NextMinEvents extends EventEmitter {
+    constructor();
+    /**
+     * Typed emit to provide better DX (Developer Experience)
+     */
+    emitEvent(event: string, payload: any): void;
+}
+export declare const events: NextMinEvents;
+export declare const Events: {
+    BEFORE_CREATE: string;
+    AFTER_CREATE: string;
+    BEFORE_UPDATE: string;
+    AFTER_UPDATE: string;
+    BEFORE_DELETE: string;
+    AFTER_DELETE: string;
+    BEFORE_READ: string;
+    AFTER_READ: string;
+    AUTH_LOGIN: string;
+    AUTH_LOGOUT: string;
+    AUTH_SIGNUP: string;
+    SCHEMA_UPDATE: string;
+    SERVER_START: string;
+    SERVER_STOP: string;
+};
+/**
+ * Helper to generate model-specific event names
+ */
+export declare function getModelEvent(modelName: string, action: 'create' | 'read' | 'update' | 'delete', phase?: 'before' | 'after'): string;
+export {};