@objectstack/rest 11.9.0 → 12.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.cjs CHANGED
@@ -1924,7 +1924,8 @@ var RestServer = class {
1924
1924
  enableSearch: api.enableSearch ?? true,
1925
1925
  enableProjectScoping: api.enableProjectScoping ?? false,
1926
1926
  projectResolution: api.projectResolution ?? "auto",
1927
- requireAuth: api.requireAuth ?? false,
1927
+ requireAuth: api.requireAuth ?? true,
1928
+ // secure-by-default (ADR-0056 D2; mirrors RestApiConfigSchema)
1928
1929
  documentation: api.documentation,
1929
1930
  responseFormat: api.responseFormat
1930
1931
  },
@@ -5577,9 +5578,14 @@ function createRestApiPlugin(config = {}) {
5577
5578
  const restServer = new RestServer(server, protocol, config.api, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider, settingsServiceProvider, serviceExistsProvider);
5578
5579
  restServer.registerRoutes();
5579
5580
  ctx.logger.info("REST API successfully registered");
5580
- if (!config.api?.requireAuth) {
5581
+ if (config.api?.api?.requireAuth === false) {
5581
5582
  ctx.logger.warn(
5582
- "[security] anonymous access to the data API is ALLOWED (api.requireAuth=false) \u2014 objects without OWD/RLS are world-readable. For secure-by-default set api.requireAuth=true and expose public records via share-links / publicSharing (ADR-0056 D2)."
5583
+ "[security] anonymous access to the data API is ALLOWED (api.requireAuth=false, explicit opt-out) \u2014 objects without OWD/RLS are world-readable. Remove the opt-out for secure-by-default and expose public records via share-links / publicSharing / public forms (ADR-0056 D2)."
5584
+ );
5585
+ }
5586
+ if (config.api?.requireAuth !== void 0) {
5587
+ ctx.logger.warn(
5588
+ `[security] \`api.requireAuth\` is set at the WRONG nesting level and has NO effect \u2014 move it to \`api.api.requireAuth\` (RestServerConfig.api.requireAuth). The effective value this boot is ${config.api?.api?.requireAuth ?? true}.`
5583
5589
  );
5584
5590
  }
5585
5591
  } catch (err) {