@constructive-io/graphql-server 3.1.1 → 4.0.1

package/middleware/api.js

@@ -3,37 +3,93 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getApiConfig = exports.getSvcKey = exports.queryServiceByApiName = exports.createApiMiddleware = exports.getSubdomain = exports.normalizeApiRecord = void 0;
+exports.createApiMiddleware = exports.getApiConfig = exports.getSvcKey = exports.getSubdomain = void 0;
 const graphql_env_1 = require("@constructive-io/graphql-env");
 const logger_1 = require("@pgpmjs/logger");
 const server_utils_1 = require("@pgpmjs/server-utils");
 const url_domains_1 = require("@constructive-io/url-domains");
-const graphile_query_1 = require("graphile-query");
-const graphile_settings_1 = require("graphile-settings");
 const pg_cache_1 = require("pg-cache");
 const _50x_1 = __importDefault(require("../errors/50x"));
 const _404_message_1 = __importDefault(require("../errors/404-message"));
-/**
- * Normalizes API records into ApiStructure
- */
-const gql_1 = require("./gql");
-require("./types"); // for Request type
-var gql_2 = require("./gql");
-Object.defineProperty(exports, "normalizeApiRecord", { enumerable: true, get: function () { return gql_2.normalizeApiRecord; } });
+require("./types");
 const log = new logger_1.Logger('api');
 const isDev = () => (0, graphql_env_1.getNodeEnv)() === 'development';
-const isApiError = (svc) => !!svc && typeof svc.errorHtml === 'string';
-const getPortFromRequest = (req) => {
-    const host = req.headers.host;
-    if (!host)
-        return null;
-    const parts = host.split(':');
-    return parts.length === 2 ? `:${parts[1]}` : null;
-};
-const parseCommaSeparatedHeader = (value) => value
-    .split(',')
-    .map((item) => item.trim())
-    .filter((item) => item.length > 0);
+// =============================================================================
+// SQL Queries
+// =============================================================================
+const DOMAIN_LOOKUP_SQL = `
+  SELECT 
+    a.id as api_id,
+    a.database_id,
+    a.dbname,
+    a.role_name,
+    a.anon_role,
+    a.is_public,
+    COALESCE(array_agg(s.schema_name) FILTER (WHERE s.schema_name IS NOT NULL), '{}') as schemas
+  FROM services_public.domains d
+  JOIN services_public.apis a ON d.api_id = a.id
+  LEFT JOIN services_public.api_schemas aps ON a.id = aps.api_id
+  LEFT JOIN metaschema_public.schema s ON aps.schema_id = s.id
+  WHERE d.domain = $1 
+    AND (($2::text IS NULL AND d.subdomain IS NULL) OR d.subdomain = $2)
+    AND a.is_public = $3
+  GROUP BY a.id, a.database_id, a.dbname, a.role_name, a.anon_role, a.is_public
+  LIMIT 1
+`;
+const API_NAME_LOOKUP_SQL = `
+  SELECT 
+    a.id as api_id,
+    a.database_id,
+    a.dbname,
+    a.role_name,
+    a.anon_role,
+    a.is_public,
+    COALESCE(array_agg(s.schema_name) FILTER (WHERE s.schema_name IS NOT NULL), '{}') as schemas
+  FROM services_public.apis a
+  LEFT JOIN services_public.api_schemas aps ON a.id = aps.api_id
+  LEFT JOIN metaschema_public.schema s ON aps.schema_id = s.id
+  WHERE a.database_id = $1 
+    AND a.name = $2
+    AND a.is_public = $3
+  GROUP BY a.id, a.database_id, a.dbname, a.role_name, a.anon_role, a.is_public
+  LIMIT 1
+`;
+const API_LIST_SQL = `
+  SELECT 
+    a.id,
+    a.database_id,
+    a.name,
+    a.dbname,
+    a.role_name,
+    a.anon_role,
+    a.is_public,
+    COALESCE(
+      json_agg(
+        json_build_object('domain', d.domain, 'subdomain', d.subdomain)
+      ) FILTER (WHERE d.domain IS NOT NULL),
+      '[]'
+    ) as domains
+  FROM services_public.apis a
+  LEFT JOIN services_public.domains d ON a.id = d.api_id
+  WHERE a.is_public = $1
+  GROUP BY a.id, a.database_id, a.name, a.dbname, a.role_name, a.anon_role, a.is_public
+  LIMIT 100
+`;
+const RLS_MODULE_SQL = `
+  SELECT 
+    rm.authenticate,
+    rm.authenticate_strict,
+    ps.schema_name as private_schema_name
+  FROM metaschema_modules_public.rls_module rm
+  LEFT JOIN metaschema_public.schema ps ON rm.private_schema_id = ps.id
+  WHERE rm.api_id = $1
+  LIMIT 1
+`;
+// =============================================================================
+// Helpers
+// =============================================================================
+const isApiError = (result) => !!result && typeof result.errorHtml === 'string';
+const parseCommaSeparatedHeader = (value) => value.split(',').map((s) => s.trim()).filter(Boolean);
 const getUrlDomains = (req) => {
     const fullUrl = `${req.protocol}://${req.get('host')}${req.originalUrl}`;
     const parsed = (0, url_domains_1.parseUrl)(fullUrl);
@@ -42,297 +98,317 @@ const getUrlDomains = (req) => {
         subdomains: parsed.subdomains ?? [],
     };
 };
-const getSubdomain = (reqDomains) => {
-    const names = reqDomains.filter((name) => !['www'].includes(name));
-    return !names.length ? null : names.join('.');
+const getSubdomain = (subdomains) => {
+    const filtered = subdomains.filter((name) => name !== 'www');
+    return filtered.length ? filtered.join('.') : null;
 };
 exports.getSubdomain = getSubdomain;
-const createApiMiddleware = (opts) => {
-    return async (req, res, next) => {
-        // Log incoming request details at debug level to avoid excessive info logs in production
-        log.debug(`[api-middleware] Request: ${req.method} ${req.path}`);
-        log.debug(`[api-middleware] Headers: X-Api-Name=${req.get('X-Api-Name')}, X-Database-Id=${req.get('X-Database-Id')}, X-Meta-Schema=${req.get('X-Meta-Schema')}, Host=${req.get('Host')}`);
-        if (opts.api?.enableServicesApi === false) {
-            const schemas = opts.api.exposedSchemas ?? [];
-            const anonRole = opts.api.anonRole ?? '';
-            const roleName = opts.api.roleName ?? '';
-            const databaseId = opts.api.defaultDatabaseId;
-            const api = {
-                dbname: opts.pg?.database ?? '',
-                anonRole,
-                roleName,
-                schema: schemas,
-                apiModules: [],
-                domains: [],
-                databaseId,
-                isPublic: false,
-            };
-            req.api = api;
-            req.databaseId = databaseId;
-            req.svc_key = 'meta-api-off';
-            return next();
+const getSvcKey = (opts, req) => {
+    const { domain, subdomains } = getUrlDomains(req);
+    const baseKey = subdomains.filter((n) => n !== 'www').concat(domain).join('.');
+    if (opts.api?.isPublic === false) {
+        if (req.get('X-Api-Name')) {
+            return `api:${req.get('X-Database-Id')}:${req.get('X-Api-Name')}`;
         }
-        try {
-            const apiConfig = await (0, exports.getApiConfig)(opts, req);
-            if (isApiError(apiConfig)) {
-                res
-                    .status(404)
-                    .send((0, _404_message_1.default)('API not found', apiConfig.errorHtml));
-                return;
-            }
-            else if (!apiConfig) {
-                res
-                    .status(404)
-                    .send((0, _404_message_1.default)('API service not found for the given domain/subdomain.'));
-                return;
-            }
-            req.api = apiConfig;
-            req.databaseId = apiConfig.databaseId;
-            if (isDev())
-                log.debug(`Resolved API: db=${apiConfig.dbname}, schemas=[${apiConfig.schema?.join(', ')}]`);
-            next();
+        if (req.get('X-Schemata')) {
+            return `schemata:${req.get('X-Database-Id')}:${req.get('X-Schemata')}`;
         }
-        catch (error) {
-            const err = error;
-            if (err.code === 'NO_VALID_SCHEMAS') {
-                res.status(404).send((0, _404_message_1.default)(err.message));
-            }
-            else if (err.message?.match(/does not exist/)) {
-                res
-                    .status(404)
-                    .send((0, _404_message_1.default)("The resource you're looking for does not exist."));
-            }
-            else {
-                log.error('API middleware error:', err);
-                res.status(500).send(_50x_1.default);
-            }
+        if (req.get('X-Meta-Schema')) {
+            return `metaschema:api:${req.get('X-Database-Id')}`;
         }
+    }
+    return baseKey;
+};
+exports.getSvcKey = getSvcKey;
+const toRlsModule = (row) => {
+    if (!row || !row.private_schema_name)
+        return undefined;
+    return {
+        authenticate: row.authenticate ?? undefined,
+        authenticateStrict: row.authenticate_strict ?? undefined,
+        privateSchema: {
+            schemaName: row.private_schema_name,
+        },
     };
 };
-exports.createApiMiddleware = createApiMiddleware;
-const createAdminApiStructure = ({ opts, schemata, key, databaseId, }) => {
-    const api = {
+const toApiStructure = (row, opts, rlsModuleRow) => ({
+    dbname: row.dbname || opts.pg?.database || '',
+    anonRole: row.anon_role || 'anon',
+    roleName: row.role_name || 'authenticated',
+    schema: row.schemas || [],
+    apiModules: [],
+    rlsModule: toRlsModule(rlsModuleRow ?? null),
+    domains: [],
+    databaseId: row.database_id,
+    isPublic: row.is_public,
+});
+const createAdminStructure = (opts, schemas, databaseId) => ({
+    dbname: opts.pg?.database ?? '',
+    anonRole: 'administrator',
+    roleName: 'administrator',
+    schema: schemas,
+    apiModules: [],
+    domains: [],
+    databaseId,
+    isPublic: false,
+});
+// =============================================================================
+// Database Queries
+// =============================================================================
+const validateSchemata = async (pool, schemas) => {
+    const result = await pool.query(`SELECT schema_name FROM information_schema.schemata WHERE schema_name = ANY($1::text[])`, [schemas]);
+    return result.rows.map((row) => row.schema_name);
+};
+const queryByDomain = async (pool, domain, subdomain, isPublic) => {
+    const result = await pool.query(DOMAIN_LOOKUP_SQL, [domain, subdomain, isPublic]);
+    return result.rows[0] ?? null;
+};
+const queryByApiName = async (pool, databaseId, name, isPublic) => {
+    const result = await pool.query(API_NAME_LOOKUP_SQL, [databaseId, name, isPublic]);
+    return result.rows[0] ?? null;
+};
+const queryApiList = async (pool, isPublic) => {
+    const result = await pool.query(API_LIST_SQL, [isPublic]);
+    return result.rows;
+};
+const queryRlsModule = async (pool, apiId) => {
+    const result = await pool.query(RLS_MODULE_SQL, [apiId]);
+    return result.rows[0] ?? null;
+};
+// =============================================================================
+// Resolution Logic
+// =============================================================================
+const determineMode = (ctx) => {
+    const { opts, headers } = ctx;
+    if (opts.api?.enableServicesApi === false)
+        return 'services-disabled';
+    if (opts.api?.isPublic === false) {
+        if (headers.schemata)
+            return 'schemata-header';
+        if (headers.apiName)
+            return 'api-name-header';
+        if (headers.metaSchema)
+            return 'meta-schema-header';
+    }
+    return 'domain-lookup';
+};
+const resolveServicesDisabled = (ctx) => {
+    const { opts } = ctx;
+    return {
         dbname: opts.pg?.database ?? '',
-        anonRole: 'administrator',
-        roleName: 'administrator',
-        schema: schemata,
+        anonRole: opts.api?.anonRole ?? '',
+        roleName: opts.api?.roleName ?? '',
+        schema: opts.api?.exposedSchemas ?? [],
         apiModules: [],
         domains: [],
-        databaseId,
+        databaseId: opts.api?.defaultDatabaseId,
         isPublic: false,
     };
-    server_utils_1.svcCache.set(key, api);
-    return api;
 };
-const queryServiceByDomainAndSubdomain = async ({ opts, key, domainModel, domain, subdomain, }) => {
-    const where = {
-        domain: { equalTo: domain },
-        subdomain: subdomain === null || subdomain === undefined
-            ? { isNull: true }
-            : { equalTo: subdomain },
-    };
-    const result = await domainModel
-        .findFirst({ select: gql_1.domainSelect, where })
-        .execute();
-    if (!result.ok) {
-        log.error('GraphQL query errors:', result.errors);
-        return null;
+const resolveSchemataHeader = async (ctx, validatedSchemas) => {
+    const { opts, headers } = ctx;
+    const headerSchemas = parseCommaSeparatedHeader(headers.schemata);
+    const validSet = new Set(validatedSchemas);
+    const validHeaderSchemas = headerSchemas.filter((s) => validSet.has(s));
+    if (validHeaderSchemas.length === 0) {
+        return { errorHtml: 'No valid schemas found for the supplied X-Schemata header.' };
     }
-    const domainRecord = result.data.domains.nodes[0];
-    const api = domainRecord?.api;
-    const apiPublic = opts.api?.isPublic;
-    if (!api || api.isPublic !== apiPublic)
-        return null;
-    const apiStructure = (0, gql_1.normalizeApiRecord)(api);
-    server_utils_1.svcCache.set(key, apiStructure);
-    return apiStructure;
+    return createAdminStructure(opts, validHeaderSchemas, headers.databaseId);
 };
-const queryServiceByApiName = async ({ opts, key, queryOps, databaseId, name, }) => {
-    if (!databaseId)
+const resolveApiNameHeader = async (ctx) => {
+    const { opts, pool, headers } = ctx;
+    if (!headers.databaseId)
         return null;
-    const result = await queryOps
-        .apiByDatabaseIdAndName({ databaseId, name }, { select: gql_1.apiSelect })
-        .execute();
-    if (!result.ok) {
-        log.error('GraphQL query errors:', result.errors);
+    const isPublic = opts.api?.isPublic ?? false;
+    const row = await queryByApiName(pool, headers.databaseId, headers.apiName, isPublic);
+    if (!row) {
+        log.debug(`[api-name-lookup] No API found for databaseId=${headers.databaseId} name=${headers.apiName}`);
         return null;
     }
-    const api = result.data.apiByDatabaseIdAndName;
-    const apiPublic = opts.api?.isPublic;
-    if (api && api.isPublic === apiPublic) {
-        const apiStructure = (0, gql_1.normalizeApiRecord)(api);
-        server_utils_1.svcCache.set(key, apiStructure);
-        return apiStructure;
-    }
-    return null;
+    const rlsModule = await queryRlsModule(pool, row.api_id);
+    log.debug(`[api-name-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}`);
+    return toApiStructure(row, opts, rlsModule);
 };
-exports.queryServiceByApiName = queryServiceByApiName;
-const getSvcKey = (opts, req) => {
-    const { domain, subdomains } = getUrlDomains(req);
-    const key = subdomains
-        .filter((name) => !['www'].includes(name))
-        .concat(domain)
-        .join('.');
-    const apiPublic = opts.api?.isPublic;
-    if (apiPublic === false) {
-        if (req.get('X-Api-Name')) {
-            return 'api:' + req.get('X-Database-Id') + ':' + req.get('X-Api-Name');
-        }
-        if (req.get('X-Schemata')) {
-            return ('schemata:' + req.get('X-Database-Id') + ':' + req.get('X-Schemata'));
-        }
-        if (req.get('X-Meta-Schema')) {
-            return 'metaschema:api:' + req.get('X-Database-Id');
-        }
+const resolveMetaSchemaHeader = (ctx, validatedSchemas) => {
+    return createAdminStructure(ctx.opts, validatedSchemas, ctx.headers.databaseId);
+};
+const resolveDomainLookup = async (ctx) => {
+    const { opts, pool, domain, subdomain } = ctx;
+    const isPublic = opts.api?.isPublic ?? false;
+    log.debug(`[domain-lookup] domain=${domain} subdomain=${subdomain} isPublic=${isPublic}`);
+    const row = await queryByDomain(pool, domain, subdomain, isPublic);
+    if (!row) {
+        log.debug(`[domain-lookup] No API found for domain=${domain} subdomain=${subdomain}`);
+        return null;
     }
-    return key;
+    const rlsModule = await queryRlsModule(pool, row.api_id);
+    log.debug(`[domain-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}`);
+    return toApiStructure(row, opts, rlsModule);
 };
-exports.getSvcKey = getSvcKey;
-const validateSchemata = async (pool, schemata) => {
-    const result = await pool.query(`SELECT schema_name FROM information_schema.schemata WHERE schema_name = ANY($1::text[])`, [schemata]);
-    return result.rows.map((row) => row.schema_name);
+const buildDevFallbackError = async (ctx, req) => {
+    if ((0, graphql_env_1.getNodeEnv)() !== 'development')
+        return null;
+    const isPublic = ctx.opts.api?.isPublic ?? false;
+    const apis = await queryApiList(ctx.pool, isPublic);
+    if (!apis.length)
+        return null;
+    const host = req.get('host') || '';
+    const portMatch = host.match(/:(\d+)$/);
+    const port = portMatch ? portMatch[1] : '';
+    const apiCards = apis.map((api) => {
+        const domains = api.domains.length
+            ? api.domains.map((d) => {
+                const hostname = d.subdomain ? `${d.subdomain}.${d.domain}` : d.domain;
+                const url = port ? `http://${hostname}:${port}/graphiql` : `http://${hostname}/graphiql`;
+                return `<a href="${url}" style="color:#01A1FF;text-decoration:none;font-weight:500" onmouseover="this.style.textDecoration='underline'" onmouseout="this.style.textDecoration='none'">${hostname}</a>`;
+            }).join('<span style="color:#D4DCEA;margin:0 4px">·</span>')
+            : '<span style="color:#8E9398;font-style:italic;font-size:11px">no domains</span>';
+        const badge = api.is_public
+            ? '<span style="color:#01A1FF;font-size:10px;font-weight:500">public</span>'
+            : '<span style="color:#8E9398;font-size:10px">private</span>';
+        return `
+      <div style="background:#fff;border-radius:8px;padding:10px 14px;margin-bottom:6px;box-shadow:0 1px 3px rgba(0,0,0,0.04);border:1px solid #E8ECF0;display:flex;align-items:center;gap:12px;transition:background 0.15s" onmouseover="this.style.background='#FAFBFC'" onmouseout="this.style.background='#fff'">
+        <div style="flex:1;min-width:0;display:flex;align-items:center;gap:8px;font-size:13px">
+          <span style="font-weight:600;color:#232323;white-space:nowrap">${api.name}</span>
+          <span style="color:#D4DCEA">→</span>
+          ${domains}
+        </div>
+        <div style="display:flex;align-items:center;gap:8px;flex-shrink:0">
+          <span style="color:#8E9398;font-size:11px;font-family:'SF Mono',Monaco,monospace">${api.dbname}</span>
+          ${badge}
+        </div>
+      </div>`;
+    }).join('');
+    return {
+        errorHtml: `
+      <div style="text-align:left;max-width:600px;margin:0 auto">
+        <p style="color:#8E9398;font-size:11px;margin-bottom:10px;font-weight:500;text-transform:uppercase;letter-spacing:0.5px">Available APIs</p>
+        ${apiCards}
+      </div>`,
+    };
 };
+// =============================================================================
+// Main Resolution Function
+// =============================================================================
 const getApiConfig = async (opts, req) => {
-    const rootPgPool = (0, pg_cache_1.getPgPool)(opts.pg);
+    const pool = (0, pg_cache_1.getPgPool)(opts.pg);
     const { domain, subdomains } = getUrlDomains(req);
     const subdomain = (0, exports.getSubdomain)(subdomains);
-    const key = (0, exports.getSvcKey)(opts, req);
-    req.svc_key = key;
-    let apiConfig;
-    if (server_utils_1.svcCache.has(key)) {
-        if (isDev())
-            log.debug(`Cache HIT for key=${key}`);
-        apiConfig = server_utils_1.svcCache.get(key);
+    const cacheKey = (0, exports.getSvcKey)(opts, req);
+    req.svc_key = cacheKey;
+    // Check cache first
+    if (server_utils_1.svcCache.has(cacheKey)) {
+        log.debug(`Cache HIT for key=${cacheKey}`);
+        return server_utils_1.svcCache.get(cacheKey);
     }
-    else {
-        if (isDev())
-            log.debug(`Cache MISS for key=${key}, looking up API`);
-        const apiOpts = opts.api || {};
-        const apiPublic = apiOpts.isPublic;
-        const schemataHeader = req.get('X-Schemata');
-        const apiNameHeader = req.get('X-Api-Name');
-        const metaSchemaHeader = req.get('X-Meta-Schema');
-        const databaseIdHeader = req.get('X-Database-Id');
-        const headerSchemata = schemataHeader
-            ? parseCommaSeparatedHeader(schemataHeader)
-            : [];
-        const candidateSchemata = apiPublic === false && headerSchemata.length
-            ? Array.from(new Set([...(apiOpts.metaSchemas || []), ...headerSchemata]))
-            : apiOpts.metaSchemas || [];
-        const validatedSchemata = await validateSchemata(rootPgPool, candidateSchemata);
-        if (validatedSchemata.length === 0) {
-            const schemaSource = headerSchemata.length
-                ? headerSchemata
-                : apiOpts.metaSchemas || [];
-            const label = headerSchemata.length ? 'X-Schemata' : 'metaSchemas';
-            const message = `No valid schemas found. Configured ${label}: [${schemaSource.join(', ')}]`;
-            if (isDev())
-                log.debug(message);
-            const error = new Error(message);
-            error.code = 'NO_VALID_SCHEMAS';
-            throw error;
-        }
-        const validSchemaSet = new Set(validatedSchemata);
-        const validatedHeaderSchemata = headerSchemata.filter((schemaName) => validSchemaSet.has(schemaName));
-        const settings = (0, graphile_settings_1.getGraphileSettings)({
-            graphile: {
-                schema: validatedSchemata,
-            },
-        });
-        const graphileSettings = {
-            ...settings,
-            schema: validatedSchemata,
-        };
-        const schema = await (0, graphile_query_1.getSchema)(rootPgPool, graphileSettings);
-        const graphileClient = new graphile_query_1.GraphileQuery({
-            schema,
-            pool: rootPgPool,
-            settings: graphileSettings,
-        });
-        const orm = (0, gql_1.createGraphileOrm)(graphileClient);
-        if (apiPublic === false) {
-            if (schemataHeader) {
-                if (validatedHeaderSchemata.length === 0) {
-                    return {
-                        errorHtml: 'No valid schemas found for the supplied X-Schemata header.',
-                    };
-                }
-                apiConfig = createAdminApiStructure({
-                    opts,
-                    schemata: validatedHeaderSchemata,
-                    key,
-                    databaseId: databaseIdHeader,
-                });
-            }
-            else if (apiNameHeader) {
-                apiConfig = await (0, exports.queryServiceByApiName)({
-                    opts,
-                    key,
-                    queryOps: orm.query,
-                    name: apiNameHeader,
-                    databaseId: databaseIdHeader,
-                });
-            }
-            else if (metaSchemaHeader) {
-                apiConfig = createAdminApiStructure({
-                    opts,
-                    schemata: validatedSchemata,
-                    key,
-                    databaseId: databaseIdHeader,
-                });
-            }
-            else {
-                apiConfig = await queryServiceByDomainAndSubdomain({
-                    opts,
-                    key,
-                    domainModel: orm.domain,
-                    domain,
-                    subdomain,
-                });
+    log.debug(`Cache MISS for key=${cacheKey}, resolving API`);
+    const ctx = {
+        opts,
+        pool,
+        domain,
+        subdomain,
+        cacheKey,
+        headers: {
+            schemata: req.get('X-Schemata'),
+            apiName: req.get('X-Api-Name'),
+            metaSchema: req.get('X-Meta-Schema'),
+            databaseId: req.get('X-Database-Id'),
+        },
+    };
+    // Validate schemas upfront for modes that need them
+    const apiOpts = opts.api || {};
+    const headerSchemas = ctx.headers.schemata ? parseCommaSeparatedHeader(ctx.headers.schemata) : [];
+    const candidateSchemas = apiOpts.isPublic === false && headerSchemas.length
+        ? [...new Set([...(apiOpts.metaSchemas || []), ...headerSchemas])]
+        : apiOpts.metaSchemas || [];
+    const validatedSchemas = await validateSchemata(pool, candidateSchemas);
+    if (validatedSchemas.length === 0) {
+        const source = headerSchemas.length ? headerSchemas : apiOpts.metaSchemas || [];
+        const label = headerSchemas.length ? 'X-Schemata' : 'metaSchemas';
+        const error = new Error(`No valid schemas found. Configured ${label}: [${source.join(', ')}]`);
+        error.code = 'NO_VALID_SCHEMAS';
+        throw error;
+    }
+    // Route to appropriate resolver based on mode
+    const mode = determineMode(ctx);
+    let result;
+    switch (mode) {
+        case 'services-disabled':
+            result = resolveServicesDisabled(ctx);
+            break;
+        case 'schemata-header':
+            result = await resolveSchemataHeader(ctx, validatedSchemas);
+            break;
+        case 'api-name-header':
+            result = await resolveApiNameHeader(ctx);
+            break;
+        case 'meta-schema-header':
+            result = resolveMetaSchemaHeader(ctx, validatedSchemas);
+            break;
+        case 'domain-lookup':
+            result = await resolveDomainLookup(ctx);
+            if (!result && apiOpts.isPublic) {
+                const fallback = await buildDevFallbackError(ctx, req);
+                if (fallback)
+                    return fallback;
             }
-        }
-        else {
-            apiConfig = await queryServiceByDomainAndSubdomain({
+            break;
+    }
+    // Cache successful results
+    if (result && !isApiError(result)) {
+        server_utils_1.svcCache.set(cacheKey, result);
+    }
+    return result;
+};
+exports.getApiConfig = getApiConfig;
+// =============================================================================
+// Express Middleware
+// =============================================================================
+const createApiMiddleware = (opts) => {
+    return async (req, res, next) => {
+        log.debug(`[api-middleware] ${req.method} ${req.path}`);
+        // Fast path: services disabled
+        if (opts.api?.enableServicesApi === false) {
+            req.api = resolveServicesDisabled({
                 opts,
-                key,
-                domainModel: orm.domain,
-                domain,
-                subdomain,
+                pool: null,
+                domain: '',
+                subdomain: null,
+                cacheKey: 'meta-api-off',
+                headers: {},
             });
+            req.databaseId = req.api.databaseId;
+            req.svc_key = 'meta-api-off';
+            return next();
+        }
+        try {
+            const apiConfig = await (0, exports.getApiConfig)(opts, req);
+            if (isApiError(apiConfig)) {
+                res.status(404).send((0, _404_message_1.default)('API not found', apiConfig.errorHtml));
+                return;
+            }
             if (!apiConfig) {
-                // IMPORTANT NOTE: ONLY DO THIS IN DEV MODE
-                if ((0, graphql_env_1.getNodeEnv)() === 'development') {
-                    const fallbackResult = await orm.api
-                        .findMany({ select: gql_1.apiListSelect, first: gql_1.connectionFirst })
-                        .execute();
-                    if (fallbackResult.ok && fallbackResult.data.apis.nodes.length) {
-                        const port = getPortFromRequest(req);
-                        const allDomains = fallbackResult.data.apis.nodes.flatMap((api) => api.domains.nodes.map((d) => ({
-                            domain: d.domain,
-                            subdomain: d.subdomain,
-                            href: d.subdomain
-                                ? `http://${d.subdomain}.${d.domain}${port}/graphiql`
-                                : `http://${d.domain}${port}/graphiql`,
-                        })));
-                        const linksHtml = allDomains.length
-                            ? `<ul class="mt-4 pl-5 list-disc space-y-1">` +
-                                allDomains
-                                    .map((domainLink) => `<li><a href="${domainLink.href}" class="text-brand hover:underline">${domainLink.href}</a></li>`)
-                                    .join('') +
-                                `</ul>`
-                            : `<p class="text-gray-600">No APIs are currently registered for this database.</p>`;
-                        const errorHtml = `
-          <p class="text-sm text-gray-700">Try some of these:</p>
-          <div class="mt-4">
-            ${linksHtml}
-          </div>
-        `.trim();
-                        return { errorHtml };
-                    }
-                }
+                res.status(404).send((0, _404_message_1.default)('API service not found for the given domain/subdomain.'));
+                return;
             }
+            req.api = apiConfig;
+            req.databaseId = apiConfig.databaseId;
+            log.debug(`Resolved API: db=${apiConfig.dbname}, schemas=[${apiConfig.schema?.join(', ')}]`);
+            next();
         }
-    }
-    return apiConfig;
+        catch (error) {
+            const err = error;
+            if (err.code === 'NO_VALID_SCHEMAS') {
+                res.status(404).send((0, _404_message_1.default)(err.message));
+                return;
+            }
+            if (err.message?.includes('does not exist')) {
+                res.status(404).send((0, _404_message_1.default)("The resource you're looking for does not exist."));
+                return;
+            }
+            log.error('API middleware error:', err);
+            res.status(500).send(_50x_1.default);
+        }
+    };
 };
-exports.getApiConfig = getApiConfig;
+exports.createApiMiddleware = createApiMiddleware;