@objectstack/rest 9.10.0 → 9.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +13 -0
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +13 -0
- package/dist/index.js.map +1 -1
- package/package.json +4 -4
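--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -770,6 +770,7 @@ var RestServer = class {
 }
 let userId;
 let tenantId;
+let email;
 const keyPrincipal = await resolveApiKeyPrincipal(identityQl, headers).catch(() => void 0);
 if (keyPrincipal) {
 userId = keyPrincipal.userId;
@@ -780,6 +781,11 @@ var RestServer = class {
 if (!session?.user?.id) return void 0;
 userId = session.user.id;
 tenantId = session.session?.activeOrganizationId ?? void 0;
+if (session.user?.email) email = String(session.user.email);
+}
+if (!email && identityQl && typeof identityQl.find === "function") {
+const urows = await identityQl.find("sys_user", { where: { id: userId }, limit: 1, context: { isSystem: true } }).catch(() => []);
+if (urows?.[0]?.email) email = String(urows[0].email);
 }
 try {
 let ql;
@@ -890,6 +896,7 @@ var RestServer = class {
 return {
 userId,
 tenantId,
+email,
 roles,
 permissions,
 systemPermissions,
@@ -2963,6 +2970,7 @@ var RestServer = class {
 Object.assign(filteredData, rawBody);
 }
 const context = {
+publicFormGrant: { object: match.object },
 permissions: ["guest_portal"],
 anonymous: true
 };
@@ -4449,6 +4457,11 @@ function createRestApiPlugin(config = {}) {
 const restServer = new RestServer(server, protocol, config.api, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider, settingsServiceProvider);
 restServer.registerRoutes();
 ctx.logger.info("REST API successfully registered");
+if (!config.api?.requireAuth) {
+ctx.logger.warn(
+"[security] anonymous access to the data API is ALLOWED (api.requireAuth=false) \u2014 objects without OWD/RLS are world-readable. For secure-by-default set api.requireAuth=true and expose public records via share-links / publicSharing (ADR-0056 D2)."
+);
+}
 } catch (err) {
 ctx.logger.error("Failed to register REST API routes", { error: err.message });
 throw err;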
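Review bot: The `sys_user` lookup added in the second hunk ends in `.catch(() => [])`, which swallows every failure, so an unreachable or misconfigured identity store is indistinguishable from a user that simply has no email and nothing is logged; the read also runs under `context: { isSystem: true }`, which is scoped to the caller's own `userId` and so is not a disclosure by itself, but it is an elevated query whose failures an operator would want to see. Replace the bare `.catch(() => [])` with a handler that records the error at debug level through the logger the class already uses and then returns `[]`. Because the guard sits after the closing brace added at +785, it appears the lookup also runs for API-key principals that carry a `userId` but no email, which looks intended but deserves a one-line comment such as `// fall back to the stored user record for principals that carry no email (e.g. API keys)`. The enclosing method starts and ends outside the hunk. In the last hunk, `!config.api?.requireAuth` also fires when `config.api` is absent; if the RestServer default is to require auth, that is a spurious warning — confirm against the default before relying on it.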