@momentumcms/server-express 0.5.10 → 0.5.11

package/index.js

@@ -155,7 +155,7 @@ function s3StorageAdapter(options) {
     baseUrl,
     forcePathStyle = false,
     acl = "private",
-    presignedUrlExpiry = 3600
+    presignedUrlExpiry = 900
   } = options;
   let client = null;
   async function getClient() {
@@ -2745,6 +2745,21 @@ var VersionOperationsImpl = class {
         });
       }
     }
+    if (!this.context.overrideAccess && hasFieldAccessControl(this.collectionConfig.fields)) {
+      for (let i = 0; i < docs.length; i++) {
+        const version = docs[i].version;
+        if (version && typeof version === "object") {
+          const versionRecord = version;
+          const filtered = await filterReadableFields(
+            this.collectionConfig.fields,
+            versionRecord,
+            this.buildRequestContext()
+          );
+          const filteredAsT = filtered;
+          docs[i] = { ...docs[i], version: filteredAsT };
+        }
+      }
+    }
     const countOptions = {
       includeAutosave: options?.includeAutosave,
       status: options?.status
@@ -2774,9 +2789,21 @@ var VersionOperationsImpl = class {
     if (parsedVersion === null) {
       return null;
     }
+    let filteredVersion = parsedVersion;
+    if (!this.context.overrideAccess && hasFieldAccessControl(this.collectionConfig.fields)) {
+      if (filteredVersion && typeof filteredVersion === "object") {
+        const versionRecord = filteredVersion;
+        const filtered = await filterReadableFields(
+          this.collectionConfig.fields,
+          versionRecord,
+          this.buildRequestContext()
+        );
+        filteredVersion = filtered;
+      }
+    }
     return {
       ...version,
-      version: parsedVersion
+      version: filteredVersion
     };
   }
   async restore(options) {
@@ -2998,6 +3025,415 @@ var VersionOperationsImpl = class {
   }
 };
 
+// libs/server-core/src/lib/where-clause.ts
+var OPERATOR_MAP = {
+  equals: "$eq",
+  gt: "$gt",
+  gte: "$gte",
+  lt: "$lt",
+  lte: "$lte",
+  not_equals: "$ne",
+  like: "$like",
+  contains: "$contains",
+  in: "$in",
+  not_in: "$nin",
+  exists: "$exists"
+};
+var MAX_WHERE_CONDITIONS = 20;
+var MAX_JOINS = 5;
+var MAX_WHERE_NESTING_DEPTH = 5;
+var MAX_PAGE_LIMIT = 1e3;
+var MAX_PAGE = 1e6;
+var VALID_OPERATORS = new Set(Object.keys(OPERATOR_MAP));
+function countWhereConditions(where, depth = 0) {
+  if (depth > MAX_WHERE_NESTING_DEPTH) {
+    throw new ValidationError([
+      {
+        field: "where",
+        message: `Where clause nesting depth exceeds maximum of ${MAX_WHERE_NESTING_DEPTH} levels.`
+      }
+    ]);
+  }
+  let count = 0;
+  for (const [key, value] of Object.entries(where)) {
+    if ((key === "and" || key === "or") && Array.isArray(value)) {
+      for (const sub of value) {
+        if (typeof sub === "object" && sub !== null) {
+          count += countWhereConditions(sub, depth + 1);
+        }
+      }
+    } else {
+      count++;
+    }
+  }
+  return count;
+}
+function flattenWhereClause(where) {
+  if (!where)
+    return {};
+  const fieldCount = countWhereConditions(where);
+  if (fieldCount > MAX_WHERE_CONDITIONS) {
+    throw new ValidationError([
+      {
+        field: "where",
+        message: `Where clause exceeds maximum of ${MAX_WHERE_CONDITIONS} conditions (got ${fieldCount}).`
+      }
+    ]);
+  }
+  return flattenWhereRecursive(where, 0);
+}
+function flattenWhereRecursive(where, depth) {
+  if (depth > MAX_WHERE_NESTING_DEPTH) {
+    throw new ValidationError([
+      {
+        field: "where",
+        message: `Where clause nesting depth exceeds maximum of ${MAX_WHERE_NESTING_DEPTH} levels.`
+      }
+    ]);
+  }
+  const result = {};
+  for (const [field, condition] of Object.entries(where)) {
+    if (field === "and" || field === "or") {
+      if (!Array.isArray(condition)) {
+        throw new ValidationError([
+          {
+            field,
+            message: `The "${field}" operator requires an array of conditions.`
+          }
+        ]);
+      }
+      const internalKey = field === "and" ? "$and" : "$or";
+      result[internalKey] = condition.filter((sub) => typeof sub === "object" && sub !== null).map((sub) => {
+        if ("$join" in sub)
+          return sub;
+        return flattenWhereRecursive(sub, depth + 1);
+      });
+      continue;
+    }
+    if (typeof condition !== "object" || condition === null) {
+      result[field] = condition;
+      continue;
+    }
+    const condObj = condition;
+    const ops = {};
+    let hasOp = false;
+    for (const [userOp, internalOp] of Object.entries(OPERATOR_MAP)) {
+      if (userOp in condObj) {
+        let value = condObj[userOp];
+        if (internalOp === "$exists" && typeof value === "string") {
+          value = value === "true";
+        }
+        if (typeof value === "string") {
+          value = value.replace(/\0/g, "");
+        }
+        if (Array.isArray(value)) {
+          value = value.map(
+            (item) => typeof item === "string" ? item.replace(/\0/g, "") : item
+          );
+        }
+        ops[internalOp] = value;
+        hasOp = true;
+      }
+    }
+    for (const key of Object.keys(condObj)) {
+      if (!VALID_OPERATORS.has(key)) {
+        throw new ValidationError([
+          {
+            field,
+            message: `Unknown operator "${key}". Valid operators: ${[...VALID_OPERATORS].sort().join(", ")}`
+          }
+        ]);
+      }
+    }
+    if (hasOp) {
+      result[field] = ops;
+    } else {
+      result[field] = condition;
+    }
+  }
+  return result;
+}
+function extractRelationshipJoins(where, fields, allCollections) {
+  if (!where)
+    return { cleanedWhere: void 0, joins: [], allJoins: [] };
+  const dataFields = flattenDataFields(fields);
+  const fieldMap = new Map(dataFields.map((f) => [f.name, f]));
+  const joins = [];
+  const allJoins = [];
+  const cleanedWhere = {};
+  for (const [key, condition] of Object.entries(where)) {
+    if (key === "and" || key === "or") {
+      if (Array.isArray(condition)) {
+        const cleanedArray = [];
+        for (const sub of condition) {
+          if (typeof sub === "object" && sub !== null) {
+            const {
+              cleanedWhere: subCleaned,
+              joins: subTopJoins,
+              allJoins: subAllJoins
+            } = extractRelationshipJoins(
+              // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- WhereClause sub-object
+              sub,
+              fields,
+              allCollections
+            );
+            if (subCleaned)
+              cleanedArray.push(subCleaned);
+            for (const join2 of subTopJoins) {
+              cleanedArray.push({ ["$join"]: join2 });
+            }
+            allJoins.push(...subAllJoins);
+          }
+        }
+        if (cleanedArray.length > 0) {
+          cleanedWhere[key] = cleanedArray;
+        }
+      }
+      continue;
+    }
+    let field = fieldMap.get(key);
+    if (!field && key.includes(".")) {
+      const [rootKey, ...subPath] = key.split(".");
+      const rootField = fieldMap.get(rootKey);
+      if (rootField && rootField.type === "relationship" && subPath.length > 0 && condition !== null) {
+        let nested = condition;
+        for (let i = subPath.length - 1; i >= 0; i--) {
+          nested = { [subPath[i]]: nested };
+        }
+        field = rootField;
+        const {
+          cleanedWhere: subCleaned,
+          joins: subJoins,
+          allJoins: subAllJoins
+        } = extractRelationshipJoins(
+          // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- reconstructed nested where
+          { [rootKey]: nested },
+          fields,
+          allCollections
+        );
+        if (subCleaned)
+          Object.assign(cleanedWhere, subCleaned);
+        joins.push(...subJoins);
+        allJoins.push(...subAllJoins);
+        continue;
+      }
+    }
+    if (!field || field.type !== "relationship" || typeof condition !== "object" || condition === null) {
+      cleanedWhere[key] = condition;
+      continue;
+    }
+    const condObj = condition;
+    const condKeys = Object.keys(condObj);
+    const hasOperatorKeys = condKeys.some((k) => VALID_OPERATORS.has(k));
+    const hasNonOperatorKeys = condKeys.some((k) => !VALID_OPERATORS.has(k));
+    if (hasOperatorKeys && hasNonOperatorKeys) {
+      throw new ValidationError([
+        {
+          field: key,
+          message: `Cannot mix operators and sub-field references on relationship field "${key}". Use either operators (e.g. { equals: 'id' }) or sub-field queries (e.g. { name: { equals: 'value' } }), not both.`
+        }
+      ]);
+    }
+    if (!hasNonOperatorKeys) {
+      cleanedWhere[key] = condition;
+      continue;
+    }
+    const relField = field;
+    let targetSlug;
+    try {
+      const targetConfig = relField.collection();
+      if (targetConfig && typeof targetConfig === "object" && "slug" in targetConfig) {
+        targetSlug = targetConfig.slug;
+      }
+    } catch {
+    }
+    if (!targetSlug) {
+      throw new ValidationError([
+        {
+          field: key,
+          message: `Cannot resolve target collection for relationship field "${key}".`
+        }
+      ]);
+    }
+    const targetCollection = allCollections.find((c) => c.slug === targetSlug);
+    if (!targetCollection) {
+      throw new ValidationError([
+        {
+          field: key,
+          message: `Target collection "${targetSlug}" not found for relationship field "${key}".`
+        }
+      ]);
+    }
+    const subWhere = condition;
+    const flattenedConditions = flattenWhereClause(subWhere);
+    const targetTable = targetCollection.dbName ?? targetCollection.slug;
+    const joinSpec = {
+      targetTable,
+      localField: key,
+      targetField: "id",
+      conditions: flattenedConditions,
+      rawWhere: subWhere
+    };
+    joins.push(joinSpec);
+    allJoins.push(joinSpec);
+  }
+  return {
+    cleanedWhere: Object.keys(cleanedWhere).length > 0 ? cleanedWhere : void 0,
+    joins,
+    allJoins
+  };
+}
+var SYSTEM_QUERYABLE_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "_status"]);
+async function validateWhereFields(where, fields, req) {
+  if (!where)
+    return;
+  const dataFields = flattenDataFields(fields);
+  const fieldMap = new Map(dataFields.map((f) => [f.name, f]));
+  for (const fieldName of Object.keys(where)) {
+    if (fieldName === "and" || fieldName === "or") {
+      const subs = where[fieldName];
+      if (Array.isArray(subs)) {
+        for (const sub of subs) {
+          if (typeof sub === "object" && sub !== null) {
+            await validateWhereFields(sub, fields, req);
+          }
+        }
+      }
+      continue;
+    }
+    const baseName = fieldName.includes(".") ? fieldName.split(".")[0] : fieldName;
+    if (SYSTEM_QUERYABLE_FIELDS.has(baseName))
+      continue;
+    const field = fieldMap.get(baseName);
+    if (!field) {
+      throw new ValidationError([{ field: fieldName, message: `Unknown field: ${baseName}` }]);
+    }
+    if (!field.access?.read)
+      continue;
+    const allowed = await Promise.resolve(field.access.read({ req }));
+    if (!allowed) {
+      throw new AccessDeniedError("read", baseName);
+    }
+  }
+}
+async function validateSortField(sort, fields, req) {
+  if (!sort)
+    return;
+  const fieldName = sort.startsWith("-") ? sort.slice(1) : sort;
+  const baseName = fieldName.includes(".") ? fieldName.split(".")[0] : fieldName;
+  const dataFields = flattenDataFields(fields);
+  const field = dataFields.find((f) => f.name === baseName);
+  if (!field?.access?.read)
+    return;
+  const allowed = await Promise.resolve(field.access.read({ req }));
+  if (!allowed) {
+    throw new AccessDeniedError("read", baseName);
+  }
+}
+
+// libs/server-core/src/lib/api-utils.ts
+function deepEqual(a, b) {
+  if (a === b)
+    return true;
+  if (a == null || b == null)
+    return false;
+  if (typeof a !== "object" || typeof b !== "object")
+    return false;
+  if (Array.isArray(a)) {
+    if (!Array.isArray(b) || a.length !== b.length)
+      return false;
+    return a.every((item, i) => deepEqual(item, b[i]));
+  }
+  if (Array.isArray(b))
+    return false;
+  const aKeys = Object.keys(a);
+  const bKeys = Object.keys(b);
+  if (aKeys.length !== bKeys.length)
+    return false;
+  const aRec = a;
+  const bRec = b;
+  return aKeys.every(
+    (key) => Object.prototype.hasOwnProperty.call(bRec, key) && deepEqual(aRec[key], bRec[key])
+  );
+}
+function stripTransientKeys(data) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (!key.startsWith("_")) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+
+// libs/server-core/src/lib/collection-access.ts
+async function checkSingleCollectionAdminAccess(collection, user) {
+  const adminFn = collection.access?.admin;
+  if (!adminFn) {
+    return !!user;
+  }
+  const accessArgs = {
+    req: { user }
+  };
+  return Promise.resolve(adminFn(accessArgs));
+}
+async function checkAccessFunction(accessFn, user, defaultIfUndefined) {
+  if (!accessFn) {
+    return defaultIfUndefined;
+  }
+  const accessArgs = {
+    req: { user }
+  };
+  return Promise.resolve(accessFn(accessArgs));
+}
+async function getCollectionPermissions(config, user) {
+  const results = await Promise.all(
+    config.collections.map(async (collection) => {
+      const isManaged = collection.managed === true;
+      const [canAccess, canCreate, canRead, canUpdate, canDelete] = await Promise.all([
+        checkSingleCollectionAdminAccess(collection, user),
+        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.create, user, !!user),
+        checkAccessFunction(collection.access?.read, user, true),
+        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.update, user, !!user),
+        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.delete, user, !!user)
+      ]);
+      return {
+        slug: collection.slug,
+        canAccess,
+        canCreate,
+        canRead,
+        canUpdate,
+        canDelete,
+        ...isManaged ? { managed: true } : {}
+      };
+    })
+  );
+  return results;
+}
+var ACCESS_OPS = ["read", "create", "update", "delete"];
+var ACCESS_DEFAULTS = {
+  read: "public (anyone)",
+  create: "any authenticated user",
+  update: "any authenticated user",
+  delete: "any authenticated user"
+};
+function warnInsecureDefaults(collections) {
+  const logger = createLogger("Security");
+  const warnings = [];
+  for (const collection of collections) {
+    if (collection.managed)
+      continue;
+    const missing = ACCESS_OPS.filter((op) => !collection.access?.[op]);
+    if (missing.length > 0) {
+      const details = missing.map((op) => `${op} (${ACCESS_DEFAULTS[op]})`).join(", ");
+      const msg = `Collection "${collection.slug}" has no explicit access control for: ${details}. Define access functions to restrict.`;
+      logger.warn(msg);
+      warnings.push(msg);
+    }
+  }
+  return warnings;
+}
+
 // libs/server-core/src/lib/momentum-api.ts
 var momentumApiInstance = null;
 function initializeMomentumAPI(config) {
@@ -3005,6 +3441,7 @@ function initializeMomentumAPI(config) {
     createLogger("API").warn("Already initialized, returning existing instance");
     return momentumApiInstance;
   }
+  warnInsecureDefaults(config.collections);
   momentumApiInstance = new MomentumAPIImpl(config);
   return momentumApiInstance;
 }
@@ -3062,70 +3499,6 @@ var MomentumAPIImpl = class _MomentumAPIImpl {
     return { ...this.context };
   }
 };
-function deepEqual(a, b) {
-  if (a === b)
-    return true;
-  if (a == null || b == null)
-    return false;
-  if (typeof a !== "object" || typeof b !== "object")
-    return false;
-  if (Array.isArray(a)) {
-    if (!Array.isArray(b) || a.length !== b.length)
-      return false;
-    return a.every((item, i) => deepEqual(item, b[i]));
-  }
-  if (Array.isArray(b))
-    return false;
-  const aKeys = Object.keys(a);
-  const bKeys = Object.keys(b);
-  if (aKeys.length !== bKeys.length)
-    return false;
-  const aRec = a;
-  const bRec = b;
-  return aKeys.every(
-    (key) => Object.prototype.hasOwnProperty.call(bRec, key) && deepEqual(aRec[key], bRec[key])
-  );
-}
-function stripTransientKeys(data) {
-  const result = {};
-  for (const [key, value] of Object.entries(data)) {
-    if (!key.startsWith("_")) {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-var COMPARISON_OPS = ["gt", "gte", "lt", "lte"];
-function flattenWhereClause(where) {
-  if (!where)
-    return {};
-  const result = {};
-  for (const [field, condition] of Object.entries(where)) {
-    if (typeof condition !== "object" || condition === null) {
-      result[field] = condition;
-      continue;
-    }
-    const condObj = condition;
-    if ("equals" in condObj) {
-      result[field] = condObj["equals"];
-      continue;
-    }
-    const ops = {};
-    let hasComparisonOp = false;
-    for (const op of COMPARISON_OPS) {
-      if (op in condObj) {
-        ops[`$${op}`] = condObj[op];
-        hasComparisonOp = true;
-      }
-    }
-    if (hasComparisonOp) {
-      result[field] = ops;
-    } else {
-      result[field] = condition;
-    }
-  }
-  return result;
-}
 var CollectionOperationsImpl = class _CollectionOperationsImpl {
   constructor(slug2, collectionConfig, adapter, context, allCollections = []) {
     this.slug = slug2;
@@ -3136,11 +3509,37 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
   }
   async find(options = {}) {
     await this.checkAccess("read");
+    if (!this.context.overrideAccess) {
+      await validateWhereFields(
+        options.where,
+        this.collectionConfig.fields,
+        this.buildRequestContext()
+      );
+      await validateSortField(
+        options.sort,
+        this.collectionConfig.fields,
+        this.buildRequestContext()
+      );
+    }
     await this.runBeforeReadHooks();
-    const limit = options.limit ?? 10;
-    const page = options.page ?? 1;
+    const rawLimit = options.limit ?? 10;
+    const rawPage = options.page ?? 1;
+    const limit = Math.max(
+      1,
+      Math.min(Number.isFinite(rawLimit) ? Math.floor(rawLimit) : 10, MAX_PAGE_LIMIT)
+    );
+    const page = Math.max(
+      1,
+      Math.min(Number.isFinite(rawPage) ? Math.floor(rawPage) : 1, MAX_PAGE)
+    );
     const { depth: _depth, where, withDeleted: _wd, onlyDeleted: _od, ...queryOptions } = options;
-    const whereParams = flattenWhereClause(where);
+    const { cleanedWhere, joins, allJoins } = extractRelationshipJoins(
+      where,
+      this.collectionConfig.fields,
+      this.allCollections
+    );
+    await this.enforceWhereLimits(cleanedWhere, allJoins);
+    const whereParams = flattenWhereClause(cleanedWhere);
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options.withDeleted && !options.onlyDeleted) {
       whereParams[softDeleteField] = null;
@@ -3165,6 +3564,9 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       limit,
       page
     };
+    if (joins.length > 0) {
+      query["$joins"] = joins.map(({ rawWhere: _rw, ...rest }) => rest);
+    }
     const docs = await this.adapter.find(this.slug, query);
     let afterHookDocs = await this.processAfterReadHooks(docs);
     const MAX_RELATIONSHIP_DEPTH = 10;
@@ -3188,14 +3590,15 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       );
     }
     const countQuery = { ...queryOptions, ...whereParams };
+    if (joins.length > 0) {
+      countQuery["$joins"] = joins.map(({ rawWhere: _rw, ...rest }) => rest);
+    }
     delete countQuery["limit"];
     delete countQuery["page"];
-    const allDocs = await this.adapter.find(this.slug, {
-      ...countQuery,
-      limit: 0
-      // Signal to adapter: count-only (returns all if not supported)
-    });
-    const totalDocs = allDocs.length;
+    const totalDocs = this.adapter.count ? await this.adapter.count(this.slug, countQuery) : (
+      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- Adapter returns Record<string, unknown>[], safe cast to T[]
+      (await this.adapter.find(this.slug, { ...countQuery, limit: 0 })).length
+    );
     const totalPages = Math.ceil(totalDocs / limit) || 1;
     return {
       docs: afterHookDocs,
@@ -3432,7 +3835,12 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
   async restore(id) {
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (!softDeleteField) {
-      throw new Error(`Collection "${this.slug}" does not have soft delete enabled`);
+      throw new ValidationError([
+        {
+          field: "_softDelete",
+          message: `Collection "${this.slug}" does not have soft delete enabled`
+        }
+      ]);
     }
     const restoreAccessFn = this.collectionConfig.access?.restore;
     if (restoreAccessFn) {
@@ -3490,20 +3898,43 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     if (softDeleteField) {
       softDeleteFilter[softDeleteField] = null;
     }
+    const defaultWhereFilter = {};
+    if (this.collectionConfig.defaultWhere) {
+      const constraints = this.collectionConfig.defaultWhere(this.buildRequestContext());
+      if (constraints) {
+        Object.assign(defaultWhereFilter, constraints);
+      }
+    }
     let docs;
     if (this.adapter.search) {
       docs = await this.adapter.search(this.slug, query, searchFields, { limit, page });
       if (softDeleteField) {
         docs = docs.filter((doc) => !doc[softDeleteField]);
       }
+      if (Object.keys(defaultWhereFilter).length > 0) {
+        docs = docs.filter((doc) => {
+          return Object.entries(defaultWhereFilter).every(([key, value]) => {
+            if (value && typeof value === "object" && !Array.isArray(value)) {
+              return JSON.stringify(doc[key]) === JSON.stringify(value);
+            }
+            return doc[key] === value;
+          });
+        });
+      }
     } else {
-      docs = await this.adapter.find(this.slug, { ...softDeleteFilter, limit, page });
+      docs = await this.adapter.find(this.slug, {
+        ...softDeleteFilter,
+        ...defaultWhereFilter,
+        limit,
+        page
+      });
     }
     const resolvedDocs = docs;
-    const totalDocs = resolvedDocs.length;
+    const afterHookDocs = await this.processAfterReadHooks(resolvedDocs);
+    const totalDocs = afterHookDocs.length;
     const totalPages = Math.max(1, Math.ceil(totalDocs / limit));
     return {
-      docs: resolvedDocs,
+      docs: afterHookDocs,
       totalDocs,
       totalPages,
       page,
@@ -3516,13 +3947,40 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
   }
   async count(where, options) {
     await this.checkAccess("read");
-    const whereParams = flattenWhereClause(where);
+    if (!this.context.overrideAccess) {
+      await validateWhereFields(where, this.collectionConfig.fields, this.buildRequestContext());
+    }
+    const { cleanedWhere, joins, allJoins } = extractRelationshipJoins(
+      where,
+      this.collectionConfig.fields,
+      this.allCollections
+    );
+    await this.enforceWhereLimits(cleanedWhere, allJoins);
+    const whereParams = flattenWhereClause(cleanedWhere);
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options?.withDeleted) {
       whereParams[softDeleteField] = null;
     }
-    const query = { ...whereParams, limit: 0 };
-    const docs = await this.adapter.find(this.slug, query);
+    if (this.collectionConfig.defaultWhere) {
+      const constraints = this.collectionConfig.defaultWhere(this.buildRequestContext());
+      if (constraints) {
+        Object.assign(whereParams, constraints);
+      }
+    }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        whereParams["_status"] = "published";
+      }
+    }
+    const query = { ...whereParams };
+    if (joins.length > 0) {
+      query["$joins"] = joins.map(({ rawWhere: _rw, ...rest }) => rest);
+    }
+    if (this.adapter.count) {
+      return this.adapter.count(this.slug, query);
+    }
+    const docs = await this.adapter.find(this.slug, { ...query, limit: 0 });
     return docs.length;
   }
   async batchCreate(items) {
@@ -3682,6 +4140,46 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       return false;
     }
   }
+  async enforceWhereLimits(cleanedWhere, joins) {
+    if (joins.length > MAX_JOINS) {
+      throw new ValidationError([
+        {
+          field: "where",
+          message: `Number of relationship joins (${joins.length}) exceeds maximum of ${MAX_JOINS}.`
+        }
+      ]);
+    }
+    const mainCount = cleanedWhere ? countWhereConditions(cleanedWhere) : 0;
+    const joinCount = joins.reduce((sum, j) => sum + countWhereConditions(j.rawWhere), 0);
+    const totalConditions = mainCount + joinCount;
+    if (totalConditions > MAX_WHERE_CONDITIONS) {
+      throw new ValidationError([
+        {
+          field: "where",
+          message: `Where clause exceeds maximum of ${MAX_WHERE_CONDITIONS} conditions (got ${totalConditions} across main query and ${joins.length} join(s)).`
+        }
+      ]);
+    }
+    if (!this.context.overrideAccess) {
+      for (const join2 of joins) {
+        const targetCol = this.allCollections.find(
+          (c) => (c.dbName ?? c.slug) === join2.targetTable
+        );
+        if (targetCol) {
+          const collectionAccessFn = targetCol.access?.read;
+          if (collectionAccessFn) {
+            const allowed = await Promise.resolve(
+              collectionAccessFn({ req: this.buildRequestContext() })
+            );
+            if (!allowed) {
+              throw new AccessDeniedError("read", targetCol.slug);
+            }
+          }
+          await validateWhereFields(join2.rawWhere, targetCol.fields, this.buildRequestContext());
+        }
+      }
+    }
+  }
   buildRequestContext() {
     return {
       user: this.context.user
@@ -4090,7 +4588,14 @@ function createMomentumHandlers(config) {
       });
       return {
         docs: result.docs,
-        totalDocs: result.totalDocs
+        totalDocs: result.totalDocs,
+        totalPages: result.totalPages,
+        page: result.page,
+        limit: result.limit,
+        hasNextPage: result.hasNextPage,
+        hasPrevPage: result.hasPrevPage,
+        nextPage: result.nextPage,
+        prevPage: result.prevPage
       };
     } catch (error) {
       return handleError(error);
@@ -4178,7 +4683,14 @@ function createMomentumHandlers(config) {
       const result = await api.collection(request.collectionSlug).search(q, { fields, limit, page });
       return {
         docs: result.docs,
-        totalDocs: result.totalDocs
+        totalDocs: result.totalDocs,
+        totalPages: result.totalPages,
+        page: result.page,
+        limit: result.limit,
+        hasNextPage: result.hasNextPage,
+        hasPrevPage: result.hasPrevPage,
+        nextPage: result.nextPage,
+        prevPage: result.prevPage
       };
     } catch (error) {
       return handleError(error);
@@ -4243,51 +4755,6 @@ function handleError(error) {
   return { error: "Unknown error", status: 500 };
 }
 
-// libs/server-core/src/lib/collection-access.ts
-async function checkSingleCollectionAdminAccess(collection, user) {
-  const adminFn = collection.access?.admin;
-  if (!adminFn) {
-    return !!user;
-  }
-  const accessArgs = {
-    req: { user }
-  };
-  return Promise.resolve(adminFn(accessArgs));
-}
-async function checkAccessFunction(accessFn, user, defaultIfUndefined) {
-  if (!accessFn) {
-    return defaultIfUndefined;
-  }
-  const accessArgs = {
-    req: { user }
-  };
-  return Promise.resolve(accessFn(accessArgs));
-}
-async function getCollectionPermissions(config, user) {
-  const results = await Promise.all(
-    config.collections.map(async (collection) => {
-      const isManaged = collection.managed === true;
-      const [canAccess, canCreate, canRead, canUpdate, canDelete] = await Promise.all([
-        checkSingleCollectionAdminAccess(collection, user),
-        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.create, user, !!user),
-        checkAccessFunction(collection.access?.read, user, true),
-        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.update, user, !!user),
-        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.delete, user, !!user)
-      ]);
-      return {
-        slug: collection.slug,
-        canAccess,
-        canCreate,
-        canRead,
-        canUpdate,
-        canDelete,
-        ...isManaged ? { managed: true } : {}
-      };
-    })
-  );
-  return results;
-}
-
 // libs/server-core/src/lib/seeding/seed-tracker.ts
 import { randomUUID } from "node:crypto";
 function createSeedTracker(adapter) {
@@ -5333,7 +5800,7 @@ function checkDepth(node, currentDepth, maxDepth, context) {
     }
   }
 }
-async function executeGraphQL(schema, requestBody, context) {
+async function executeGraphQL(schema, requestBody, context, options) {
   if (!requestBody.query) {
     return {
       status: 400,
@@ -5349,6 +5816,17 @@ async function executeGraphQL(schema, requestBody, context) {
       body: { errors: [{ message: "Query parsing failed" }] }
     };
   }
+  if (options?.readOnly) {
+    const hasMutation = document.definitions.some(
+      (def) => def.kind === "OperationDefinition" && def.operation === "mutation"
+    );
+    if (hasMutation) {
+      return {
+        status: 405,
+        body: { errors: [{ message: "Mutations are not allowed via GET requests" }] }
+      };
+    }
+  }
   const depthErrors = validate(schema, document, [depthLimitRule(MAX_QUERY_DEPTH)]);
   if (depthErrors.length > 0) {
     return {
@@ -6768,24 +7246,29 @@ function momentumApiMiddleware(config) {
   const router = Router();
   const handlers = createMomentumHandlers(config);
   router.use(jsonParser());
+  router.use((_req, res, next) => {
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+    res.setHeader("X-Permitted-Cross-Domain-Policies", "none");
+    next();
+  });
   router.use((req, res, next) => {
     const corsConfig = config.server?.cors ?? {};
     const origins = Array.isArray(corsConfig.origin) ? corsConfig.origin : corsConfig.origin ? [corsConfig.origin] : [];
-    let allowOrigin;
-    if (origins.length === 0) {
-      allowOrigin = "*";
+    if (origins.length === 0 || origins.includes("*")) {
+      if (process.env["NODE_ENV"] === "production") {
+        createLogger("CORS").warn(
+          'Origin is set to "*" in production. Configure explicit origins via config.server.cors.origin.'
+        );
+      }
+      res.setHeader("Access-Control-Allow-Origin", "*");
     } else {
       const requestOrigin = req.headers["origin"] ?? "";
-      allowOrigin = origins.includes(requestOrigin) ? requestOrigin : origins[0];
-    }
-    if (allowOrigin === "*" && process.env["NODE_ENV"] === "production") {
-      createLogger("CORS").warn(
-        'Origin is set to "*" in production. Configure explicit origins via config.server.cors.origin.'
-      );
-    }
-    res.setHeader("Access-Control-Allow-Origin", allowOrigin);
-    if (allowOrigin !== "*") {
       res.setHeader("Vary", "Origin");
+      if (origins.includes(requestOrigin)) {
+        res.setHeader("Access-Control-Allow-Origin", requestOrigin);
+      }
     }
     res.setHeader(
       "Access-Control-Allow-Methods",
@@ -6868,7 +7351,12 @@ function momentumApiMiddleware(config) {
       res.status(400).json({ errors: [{ message: "Query parameter required" }] });
       return;
     }
-    const result = await executeGraphQL(graphqlSchema, { query: queryParam }, { user });
+    const result = await executeGraphQL(
+      graphqlSchema,
+      { query: queryParam },
+      { user },
+      { readOnly: true }
+    );
     res.status(result.status).json(result.body);
   });
   router.get("/globals/:slug", async (req, res) => {
@@ -7201,7 +7689,14 @@ function momentumApiMiddleware(config) {
       res.json({ status });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
-      res.status(500).json({ error: "Failed to get status", message });
+      let status = 500;
+      if (error instanceof Error) {
+        if (error.name === "AccessDeniedError")
+          status = 403;
+        else if (error.name === "DocumentNotFoundError")
+          status = 404;
+      }
+      res.status(status).json({ error: status === 403 ? "Access denied" : "Failed to get status", message });
     }
   });
   async function handlePreviewRequest(req, res) {
@@ -7390,8 +7885,11 @@ function momentumApiMiddleware(config) {
         return { docs, totalDocs: docs.length };
       },
       findById: (slug2, id) => txAdapter.findById(slug2, id),
-      count: async (slug2) => {
-        const docs = await txAdapter.find(slug2, {});
+      count: async (slug2, where) => {
+        if (txAdapter.count) {
+          return txAdapter.count(slug2, where ?? {});
+        }
+        const docs = await txAdapter.find(slug2, where ?? {});
         return docs.length;
       },
       create: (slug2, data) => txAdapter.create(slug2, data),
@@ -7433,7 +7931,7 @@ function momentumApiMiddleware(config) {
                 throw err;
               }
             },
-            count: (slug2) => ctxApi.collection(slug2).count(),
+            count: (slug2, where) => ctxApi.collection(slug2).count(where),
             create: async (slug2, data) => {
               return await ctxApi.collection(slug2).create(data);
             },
@@ -7456,6 +7954,8 @@ function momentumApiMiddleware(config) {
             collection,
             // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- Express body is parsed JSON
             body: req.body,
+            // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- Express query params
+            params: req.query,
             query: buildQueryHelper(contextApi)
           });
           res.status(result.status).json(result.body);
@@ -7523,7 +8023,15 @@ function momentumApiMiddleware(config) {
       }
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Batch operation failed");
-      const status = error instanceof Error && error.name === "ValidationError" ? 400 : 500;
+      let status = 500;
+      if (error instanceof Error) {
+        if (error.name === "ValidationError")
+          status = 400;
+        else if (error.name === "DocumentNotFoundError")
+          status = 404;
+        else if (error.name === "AccessDeniedError")
+          status = 403;
+      }
       res.status(status).json({ error: message });
     }
   });
@@ -7582,7 +8090,16 @@ function momentumApiMiddleware(config) {
       }
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Export failed");
-      res.status(500).json({ error: message });
+      let status = 500;
+      if (error instanceof Error) {
+        if (error.name === "AccessDeniedError")
+          status = 403;
+        else if (error.name === "ValidationError")
+          status = 400;
+        else if (error.name === "DocumentNotFoundError")
+          status = 404;
+      }
+      res.status(status).json({ error: message });
     }
   });
   router.post("/:collection/import", async (req, res) => {
@@ -8380,6 +8897,7 @@ function createSetupMiddleware(config) {
   const dbConfig = isLegacyConfig(config) ? { type: "sqlite", database: config.database } : config.db;
   const { auth } = config;
   const router = createRouter2();
+  let setupInProgress = false;
   router.get("/setup/status", async (_req, res) => {
     let hasUsers;
     if (dbConfig.type === "sqlite") {
@@ -8394,6 +8912,13 @@ function createSetupMiddleware(config) {
     res.json(status);
   });
   router.post("/setup/create-admin", async (req, res) => {
+    if (setupInProgress) {
+      res.status(409).json({
+        error: { message: "Setup is already in progress." }
+      });
+      return;
+    }
+    setupInProgress = true;
     try {
       let hasUsers;
       if (dbConfig.type === "sqlite") {
@@ -8470,9 +8995,10 @@ function createSetupMiddleware(config) {
           updatedAt: userRow.updatedAt
         }
       });
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Failed to create admin user";
-      res.status(500).json({ error: { message } });
+    } catch {
+      res.status(500).json({ error: { message: "Failed to create admin user" } });
+    } finally {
+      setupInProgress = false;
     }
   });
   return router;
@@ -8548,9 +9074,8 @@ function createApiKeyRoutes(config) {
       return;
     }
     const role = body.role ?? "user";
-    const validRoles = ["admin", "editor", "user", "viewer"];
-    if (!validRoles.includes(role)) {
-      res.status(400).json({ error: `Invalid role. Must be one of: ${validRoles.join(", ")}` });
+    if (!ROLE_HIERARCHY.includes(role)) {
+      res.status(400).json({ error: `Invalid role. Must be one of: ${ROLE_HIERARCHY.join(", ")}` });
       return;
     }
     const userRoleIndex = ROLE_HIERARCHY.indexOf(user.role ?? "viewer");
@@ -8616,7 +9141,7 @@ function createApiKeyRoutes(config) {
           return;
         }
         if (existingKey.createdBy !== user.id) {
-          res.status(403).json({ error: "You can only delete your own API keys" });
+          res.status(404).json({ error: "API key not found" });
           return;
         }
       }
@@ -8887,6 +9412,20 @@ function createHealthMiddleware(options = {}) {
   return router;
 }
 
+// libs/server-express/src/lib/rate-limit-middleware.ts
+function createRateLimitMiddleware(limiter) {
+  return (req, res, next) => {
+    const forwarded = req.headers["x-forwarded-for"];
+    const key = (forwarded ? forwarded.toString().split(",")[0].trim() : req.ip) ?? "unknown";
+    if (!limiter.isAllowed(key)) {
+      res.setHeader("Retry-After", "60");
+      res.status(429).json({ error: "Too many requests. Please try again later." });
+      return;
+    }
+    next();
+  };
+}
+
 // libs/server-express/src/lib/create-momentum-server.ts
 import express from "express";
 async function createMomentumServer(options) {
@@ -8972,6 +9511,7 @@ export {
   createMomentumServer,
   createOpenAPIMiddleware,
   createProtectMiddleware,
+  createRateLimitMiddleware,
   createSessionResolverMiddleware,
   createSetupMiddleware,
   getPluginMiddleware,