@objectstack/rest 11.10.0 → 12.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -1884,7 +1884,8 @@ var RestServer = class {
1884
1884
  enableSearch: api.enableSearch ?? true,
1885
1885
  enableProjectScoping: api.enableProjectScoping ?? false,
1886
1886
  projectResolution: api.projectResolution ?? "auto",
1887
- requireAuth: api.requireAuth ?? false,
1887
+ requireAuth: api.requireAuth ?? true,
1888
+ // secure-by-default (ADR-0056 D2; mirrors RestApiConfigSchema)
1888
1889
  documentation: api.documentation,
1889
1890
  responseFormat: api.responseFormat
1890
1891
  },
@@ -5537,9 +5538,14 @@ function createRestApiPlugin(config = {}) {
5537
5538
  const restServer = new RestServer(server, protocol, config.api, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider, settingsServiceProvider, serviceExistsProvider);
5538
5539
  restServer.registerRoutes();
5539
5540
  ctx.logger.info("REST API successfully registered");
5540
- if (!config.api?.requireAuth) {
5541
+ if (config.api?.api?.requireAuth === false) {
5541
5542
  ctx.logger.warn(
5542
- "[security] anonymous access to the data API is ALLOWED (api.requireAuth=false) \u2014 objects without OWD/RLS are world-readable. For secure-by-default set api.requireAuth=true and expose public records via share-links / publicSharing (ADR-0056 D2)."
5543
+ "[security] anonymous access to the data API is ALLOWED (api.requireAuth=false, explicit opt-out) \u2014 objects without OWD/RLS are world-readable. Remove the opt-out for secure-by-default and expose public records via share-links / publicSharing / public forms (ADR-0056 D2)."
5544
+ );
5545
+ }
5546
+ if (config.api?.requireAuth !== void 0) {
5547
+ ctx.logger.warn(
5548
+ `[security] \`api.requireAuth\` is set at the WRONG nesting level and has NO effect \u2014 move it to \`api.api.requireAuth\` (RestServerConfig.api.requireAuth). The effective value this boot is ${config.api?.api?.requireAuth ?? true}.`
5543
5549
  );
5544
5550
  }
5545
5551
  } catch (err) {