npm - @dtdyq/restbase - Versions diffs - 2.1.0 → 2.1.1 - Mend

@dtdyq/restbase 2.1.0 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -107,6 +107,7 @@ bun run build              # 编译为当前平台独立二进制
 | `SVR_PORT`                | 服务端口                       | `3333`              |
 | `SVR_STATIC`              | 静态文件目录（前端托管）               | 空                   |
 | `SVR_API_LIMIT`           | API 限流（每秒每接口请求数）           | `100`               |
+| `SVR_CORS_ORIGIN`        | CORS 允许的来源（逗号分隔，`*`=全部）  | `*`                 |
 | `DB_URL`                  | 数据库连接串                     | `sqlite://:memory:` |
 | `DB_AUTH_TABLE`           | 用户表名                       | `users`             |
 | `DB_AUTH_FIELD`           | owner 字段名                  | `owner`             |

package/bin/restbase.ts CHANGED Viewed

@@ -22,6 +22,7 @@
 import {spawn, execSync} from "child_process";
 import {
+    closeSync,
     existsSync,
     mkdirSync,
     openSync,
@@ -159,6 +160,10 @@ async function cmdStart() {
     });
     child.unref();
+    /* 父进程不再需要这些 fd，关闭防止泄漏 */
+    closeSync(out);
+    closeSync(err);
     console.log(`RestBase started (PID: ${child.pid}, port: ${port})`);
 }
@@ -372,11 +377,13 @@ function parseEnvFile(path: string): Record<string, string> {
 /** Interactive env — prompt user for each config parameter */
 async function cmdEnv() {
-    const envPath = resolve(process.cwd(), ".env");
+    const nodeEnv = process.env.NODE_ENV;
+    const envFile = nodeEnv ? `.env.${nodeEnv}` : ".env";
+    const envPath = resolve(process.cwd(), envFile);
     const existing = parseEnvFile(envPath);
     const isUpdate = Object.keys(existing).length > 0;
-    p.intro(isUpdate ? "Reconfigure .env (current values as defaults)" : "Initialize .env configuration");
+    p.intro(isUpdate ? `Reconfigure ${envFile} (current values as defaults)` : `Initialize ${envFile} configuration`);
     /* helper: get default — existing value > built-in default */
     const d = (key: string, fallback: string) => existing[key] ?? fallback;
@@ -422,6 +429,10 @@ async function cmdEnv() {
         message: "Rate limit (max requests per second per API, 0 = off)",
         key: "SVR_API_LIMIT", fallback: "100",
     });
+    const SVR_CORS_ORIGIN = await ask({
+        message: "CORS allowed origins (comma-separated, * = all)",
+        key: "SVR_CORS_ORIGIN", fallback: "*", placeholder: "e.g. https://example.com",
+    });
     // ── Database ──
     p.log.step("Database");
@@ -514,6 +525,7 @@ async function cmdEnv() {
         line("SVR_PORT", SVR_PORT, "Server port"),
         line("SVR_STATIC", SVR_STATIC, "Static file directory"),
         line("SVR_API_LIMIT", SVR_API_LIMIT, "Rate limit per API"),
+        line("SVR_CORS_ORIGIN", SVR_CORS_ORIGIN, "CORS origins (* = all)"),
         "",
         "# ── Database ──────────────────────────────────────────────",
         line("DB_URL", DB_URL, ""),

package/client/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@dtdyq/restbase-client",
-    "version": "2.1.0",
+    "version": "2.1.1",
     "description": "Type-safe, zero-dependency client for RestBase API — works in Browser / Node / Bun / Deno",
     "keywords": ["restbase", "rest", "api", "client", "typescript", "query-builder"],
     "license": "MIT",

package/client/restbase-client.ts CHANGED Viewed

@@ -477,7 +477,11 @@ class HttpClient {
     }
     setBasicAuth(username: string, password: string): void {
-        this._basicAuth = btoa(`${username}:${password}`);
+        /* Unicode-safe base64: TextEncoder 处理非 ASCII 字符 */
+        const bytes = new TextEncoder().encode(`${username}:${password}`);
+        let binary = "";
+        for (const b of bytes) binary += String.fromCharCode(b);
+        this._basicAuth = btoa(binary);
         this._token = null;
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@dtdyq/restbase",
-    "version": "2.1.0",
+    "version": "2.1.1",
     "description": "Zero-code REST API server for SQLite / MySQL — CLI with daemon mode, health monitoring, built-in auth & tenant isolation",
     "keywords": ["rest", "api", "crud", "sqlite", "mysql", "hono", "bun", "zero-code", "cli", "daemon"],
     "license": "MIT",

package/src/auth.ts CHANGED Viewed

@@ -51,7 +51,7 @@ export const authMiddleware = async (
                 const password = decoded.slice(sep + 1);
                 const user = await findUser(username);
                 if (user && user.password === password) {
-                    c.set("userId", user.id as number);
+                    c.set("userId", user.id);
                     c.set("username", username);
                     return next();
                 }
@@ -66,14 +66,20 @@ export const authMiddleware = async (
 /* ═══════════ 内部工具 ═══════════ */
-async function findUser(username: string) {
+interface AuthUser {
+    id: number;
+    username: string;
+    password: string;
+}
+async function findUser(username: string): Promise<AuthUser | null> {
     const rows = await run(
         `SELECT id, username, password
          FROM ${q(cfg.authTable)}
          WHERE username = $1`,
         [username],
     );
-    return rows.length > 0 ? (rows[0] as any) : null;
+    return rows.length > 0 ? (rows[0] as AuthUser) : null;
 }
 async function issueToken(uid: number, username: string): Promise<string> {
@@ -114,6 +120,7 @@ export function registerAuthRoutes(app: Hono<AppEnv>) {
                 [username, password],
             );
             const user = await findUser(username);
+            if (!user) throw new AppError("AUTH_ERROR", "Registration failed");
             return c.json(ok(await issueToken(user.id, username)));
         },
     );
@@ -128,9 +135,7 @@ export function registerAuthRoutes(app: Hono<AppEnv>) {
             [userId],
         );
         if (rows.length === 0) throw new AppError("AUTH_ERROR", "User not found");
-        const data = {...(rows[0] as any)};
-        delete data.id;
-        delete data.password;
+        const {id: _, password: _pw, ...data} = rows[0] as Record<string, unknown>;
         return c.json(ok(data));
     });

package/src/crud.ts CHANGED Viewed

@@ -23,7 +23,7 @@ import {
     zodHook, bodyQuerySchema, bodyDeleteSchema, bodyDataSchema,
     type BodyQuery, type BodyWhereInput,
 } from "./types.ts";
-import {getTable, isAuthTable, run, type TblMeta} from "./db.ts";
+import {db, getTable, isAuthTable, run, type TblMeta} from "./db.ts";
 import {buildBodyDeleteSQL, buildBodyListSQL, buildDeleteSQL, buildListSQL} from "./query.ts";
 /* ═══════════ 注册路由 ═══════════ */
@@ -60,8 +60,7 @@ export function registerCrudRoutes(app: Hono<AppEnv>) {
         const body = c.req.valid("json")
         const {sql, values} = buildBodyDeleteSQL(tbl, body, userId);
-        const ids = await collectDeletedIds(tbl, sql, values);
-        await run(sql, values);
+        const ids = await transactionalDelete(tbl, sql, values);
         return c.json(ok({deleted: ids}));
     });
@@ -176,8 +175,7 @@ export function registerCrudRoutes(app: Hono<AppEnv>) {
         for (const [k, v] of url.searchParams.entries()) params[k] = v;
         const {sql, values} = buildDeleteSQL(tbl, params, userId);
-        const ids = await collectDeletedIds(tbl, sql, values);
-        await run(sql, values);
+        const ids = await transactionalDelete(tbl, sql, values);
         return c.json(ok({deleted: ids}));
     });
@@ -208,20 +206,31 @@ export function registerCrudRoutes(app: Hono<AppEnv>) {
 /* ═══════════ 内部工具 ═══════════ */
 /**
- * 在执行 DELETE 之前，先用相同 WHERE 条件 SELECT 出即将被删的主键列表。
+ * 在事务中先 SELECT 待删除的主键列表，再执行 DELETE，保证一致性。
  * 将 DELETE SQL 改写为 SELECT pk FROM ... WHERE ...
  */
-async function collectDeletedIds(
+async function transactionalDelete(
     tbl: TblMeta, deleteSql: string, values: unknown[],
 ): Promise<unknown[]> {
-    if (!tbl.pk) return [];
-    /* 把 "DELETE ... FROM ..." 替换为 "SELECT pk FROM ..."（SQL 模板可能含换行） */
+    if (!tbl.pk) {
+        await run(deleteSql, values);
+        return [];
+    }
     const selectSql = deleteSql.replace(
         /^DELETE\s+FROM/i,
         `SELECT ${q(tbl.pk)} FROM`,
     );
-    const rows = await run(selectSql, values);
-    return rows.map((r: any) => r[tbl.pk!]);
+    await db.unsafe("BEGIN");
+    try {
+        const rows = await run(selectSql, values);
+        const ids = rows.map((r: any) => r[tbl.pk!]);
+        await run(deleteSql, values);
+        await db.unsafe("COMMIT");
+        return ids;
+    } catch (err) {
+        await db.unsafe("ROLLBACK");
+        throw err;
+    }
 }
 /** 去掉 owner 字段 */

package/src/query.ts CHANGED Viewed

@@ -238,10 +238,13 @@ function buildIn(
     /* BETWEEN: 12...20 */
     if (inner.includes("...")) {
-        const [lo, hi] = inner.split("...");
+        const parts = inner.split("...");
+        const lo = parts[0];
+        const hi = parts[parts.length - 1];
+        if (!lo || !hi) throw new AppError("QUERY_ERROR", "BETWEEN requires two values: lo...hi");
         return {
             sql: `${f} ${not}BETWEEN $${ctx.n++} AND $${ctx.n++}`,
-            values: [typed(lo!, col), typed(hi!, col)],
+            values: [typed(lo, col), typed(hi, col)],
         };
     }

package/src/server.ts CHANGED Viewed

@@ -51,7 +51,7 @@ const app = new Hono<AppEnv>();
 /* ═══════════ 3. CORS 中间件 ═══════════ */
 app.use("*", cors({
-    origin: "*",                     // 允许所有来源（生产环境可改为具体域名）
+    origin: cfg.corsOrigin === "*" ? "*" : cfg.corsOrigin.split(",").map((s) => s.trim()),
     allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     allowHeaders: ["Content-Type", "Authorization", "X-Request-Id"],
     exposeHeaders: ["X-Request-Id"],
@@ -69,8 +69,26 @@ if (cfg.apiLimit > 0) {
     /** API 路径 → { tokens: 剩余令牌, lastRefill: 上次填充时间戳 } */
     const buckets = new Map<string, { tokens: number; lastRefill: number }>();
+    /**
+     * 归一化路径：只保留 /api/ 后前两段，截断更深的路径参数。
+     * 例如 /api/data/products/123 → /api/data/products
+     * 通用规则，新增接口无需修改。
+     */
+    function normalizePath(path: string): string {
+        const segs = path.split("/"); // ["", "api", "data", "products", "123"]
+        return segs.length > 4 ? segs.slice(0, 4).join("/") : path;
+    }
+    /** 定期清理超过 60 秒未使用的 bucket，防止内存泄漏 */
+    setInterval(() => {
+        const cutoff = Date.now() - 60_000;
+        for (const [key, bucket] of buckets) {
+            if (bucket.lastRefill < cutoff) buckets.delete(key);
+        }
+    }, 60_000).unref();
     app.use("/api/*", async (c, next) => {
-        const key = `${c.req.method} ${c.req.path}`;
+        const key = `${c.req.method} ${normalizePath(c.req.path)}`;
         const now = Date.now();
         let bucket = buckets.get(key);

package/src/types.ts CHANGED Viewed

@@ -18,7 +18,9 @@ export const cfg = {
     /** 静态文件目录（相对路径，为空则不托管） */
     staticDir: Bun.env.SVR_STATIC ?? "",
     /** API 限流：每秒每个 API 接口允许的最大请求数（0 = 不限流） */
-    apiLimit: Number(Bun.env.SVR_API_LIMIT) || 100,
+    apiLimit: Bun.env.SVR_API_LIMIT !== undefined ? Number(Bun.env.SVR_API_LIMIT) : 100,
+    /** CORS 允许的来源（默认 *，生产环境建议改为具体域名，逗号分隔多个） */
+    corsOrigin: Bun.env.SVR_CORS_ORIGIN ?? "*",
     /** 数据库连接字符串 */
     db: _db,
     /** 是否 SQLite（非 mysql:// 则视为 SQLite） */