npm - @objectstack/rest - Versions diffs - 9.7.0 → 9.8.0 - Mend

@objectstack/rest 9.7.0 → 9.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -299,6 +299,25 @@ declare class RestServer {
      * requests (they're internal-only), so they cannot bypass this gate.
      */
     private enforceAuth;
+    /**
+     * Enforce object-level API exposure (ObjectSchema `enable.apiEnabled` /
+     * `enable.apiMethods`) on the REST data surface — the *external* API boundary
+     * only. Internal callers (hooks, flows, raw objectql) are unaffected, which is
+     * the point: `apiEnabled` controls automatic API exposure, not data access.
+     *
+     * - `enable.apiEnabled === false` → object hidden from the API (404, so its
+     *   existence isn't revealed).
+     * - `enable.apiMethods` (non-empty whitelist) → unlisted operations rejected (405).
+     *
+     * Default-allow: objects with no `enable` block (or `apiEnabled` unset/true and
+     * no `apiMethods` whitelist) behave exactly as before — no regression. Unknown
+     * objects fall through to the normal 404 path. A metadata-read failure does not
+     * block (the data call itself needs the same metadata and will surface the
+     * error). Returns `true` when the request was blocked (response already sent).
+     *
+     * See ADR-0049 (#1889): shipping a non-enforcing `apiEnabled` is false security.
+     */
+    private enforceApiAccess;
     /**
      * Resolve the request's execution context (RBAC/RLS/FLS) by looking up
      * the better-auth session via the project's `auth` service. Returns

package/dist/index.d.ts CHANGED Viewed

@@ -299,6 +299,25 @@ declare class RestServer {
      * requests (they're internal-only), so they cannot bypass this gate.
      */
     private enforceAuth;
+    /**
+     * Enforce object-level API exposure (ObjectSchema `enable.apiEnabled` /
+     * `enable.apiMethods`) on the REST data surface — the *external* API boundary
+     * only. Internal callers (hooks, flows, raw objectql) are unaffected, which is
+     * the point: `apiEnabled` controls automatic API exposure, not data access.
+     *
+     * - `enable.apiEnabled === false` → object hidden from the API (404, so its
+     *   existence isn't revealed).
+     * - `enable.apiMethods` (non-empty whitelist) → unlisted operations rejected (405).
+     *
+     * Default-allow: objects with no `enable` block (or `apiEnabled` unset/true and
+     * no `apiMethods` whitelist) behave exactly as before — no regression. Unknown
+     * objects fall through to the normal 404 path. A metadata-read failure does not
+     * block (the data call itself needs the same metadata and will surface the
+     * error). Returns `true` when the request was blocked (response already sent).
+     *
+     * See ADR-0049 (#1889): shipping a non-enforcing `apiEnabled` is false security.
+     */
+    private enforceApiAccess;
     /**
      * Resolve the request's execution context (RBAC/RLS/FLS) by looking up
      * the better-auth session via the project's `auth` service. Returns

package/dist/index.js CHANGED Viewed

@@ -627,6 +627,60 @@ var RestServer = class {
     });
     return true;
   }
+  /**
+   * Enforce object-level API exposure (ObjectSchema `enable.apiEnabled` /
+   * `enable.apiMethods`) on the REST data surface — the *external* API boundary
+   * only. Internal callers (hooks, flows, raw objectql) are unaffected, which is
+   * the point: `apiEnabled` controls automatic API exposure, not data access.
+   *
+   * - `enable.apiEnabled === false` → object hidden from the API (404, so its
+   *   existence isn't revealed).
+   * - `enable.apiMethods` (non-empty whitelist) → unlisted operations rejected (405).
+   *
+   * Default-allow: objects with no `enable` block (or `apiEnabled` unset/true and
+   * no `apiMethods` whitelist) behave exactly as before — no regression. Unknown
+   * objects fall through to the normal 404 path. A metadata-read failure does not
+   * block (the data call itself needs the same metadata and will surface the
+   * error). Returns `true` when the request was blocked (response already sent).
+   *
+   * See ADR-0049 (#1889): shipping a non-enforcing `apiEnabled` is false security.
+   */
+  async enforceApiAccess(req, res, p, environmentId, operation) {
+    const objectName = req?.params?.object;
+    if (!objectName) return false;
+    let enable;
+    try {
+      const r = await p.getMetaItems?.({
+        type: "object",
+        ...environmentId ? { environmentId } : {}
+      });
+      const items = Array.isArray(r?.items) ? r.items : Array.isArray(r) ? r : [];
+      const obj = items.find((o) => o?.name === objectName);
+      if (!obj) return false;
+      enable = obj.enable;
+    } catch {
+      return false;
+    }
+    if (!enable) return false;
+    if (enable.apiEnabled === false) {
+      res.status(404).json({
+        error: `Object '${objectName}' is not exposed via the API`,
+        code: "OBJECT_API_DISABLED",
+        object: objectName
+      });
+      return true;
+    }
+    if (Array.isArray(enable.apiMethods) && enable.apiMethods.length > 0 && !enable.apiMethods.includes(operation)) {
+      res.status(405).json({
+        error: `API operation '${operation}' is not allowed on object '${objectName}'`,
+        code: "OBJECT_API_METHOD_NOT_ALLOWED",
+        object: objectName,
+        allowed: enable.apiMethods
+      });
+      return true;
+    }
+    return false;
+  }
   /**
    * Resolve the request's execution context (RBAC/RLS/FLS) by looking up
    * the better-auth session via the project's `auth` service. Returns
@@ -2078,6 +2132,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "list")) return;
             const result = await p.findData({
               object: req.params.object,
               query: req.query,
@@ -2112,6 +2167,7 @@ var RestServer = class {
             const { select, expand } = req.query || {};
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "get")) return;
             const result = await p.getData({
               object: req.params.object,
               id: req.params.id,
@@ -2143,6 +2199,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "create")) return;
             const result = await p.createData({
               object: req.params.object,
               data: req.body,
@@ -2172,6 +2229,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "list")) return;
             const result = await p.findData({
               object: req.params.object,
               query: req.body || {},
@@ -2209,6 +2267,7 @@ var RestServer = class {
               const { expectedVersion: _drop, ...rest } = data;
               data = rest;
             }
+            if (await this.enforceApiAccess(req, res, p, environmentId, "update")) return;
             const result = await p.updateData({
               object: req.params.object,
               id: req.params.id,
@@ -2243,6 +2302,7 @@ var RestServer = class {
             const ifMatchHeader = req.headers?.["if-match"] ?? req.headers?.["If-Match"];
             const queryVersion = req.query && typeof req.query === "object" ? req.query.expectedVersion : void 0;
             const expectedVersion = queryVersion ?? ifMatchHeader;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "delete")) return;
             const result = await p.deleteData({
               object: req.params.object,
               id: req.params.id,
@@ -2311,6 +2371,42 @@ var RestServer = class {
         tags: ["data", "lead"]
       }
     });
+    this.routeManager.register({
+      method: "POST",
+      path: `${dataPath}/:object/:id/clone`,
+      handler: async (req, res) => {
+        try {
+          const environmentId = isScoped ? req.params?.environmentId : void 0;
+          const p = await this.resolveProtocol(environmentId, req);
+          const context = await this.resolveExecCtx(environmentId, req);
+          if (this.enforceAuth(req, res, context)) return;
+          if (await this.enforceApiAccess(req, res, p, environmentId, "create")) return;
+          const cloneData = p.cloneData;
+          if (typeof cloneData !== "function") {
+            res.status(501).json({ code: "NOT_IMPLEMENTED", error: "Clone not supported by this protocol" });
+            return;
+          }
+          const body = req.body ?? {};
+          const overrides = body && typeof body === "object" && "overrides" in body ? body.overrides : body;
+          const result = await cloneData.call(p, {
+            object: req.params.object,
+            id: req.params.id,
+            ...overrides && typeof overrides === "object" ? { overrides } : {},
+            ...environmentId ? { environmentId } : {},
+            ...context ? { context } : {}
+          });
+          res.status(201).json(result);
+        } catch (error) {
+          const status = typeof error?.status === "number" ? error.status : mapDataError(error, req.params?.object).status;
+          if (!isExpectedDataStatus(status) && error?.code !== "VALIDATION_FAILED") logError("[REST] Unhandled error:", error);
+          sendError(res, error, req.params?.object);
+        }
+      },
+      metadata: {
+        summary: "Clone a record (gated by enable.clone)",
+        tags: ["data", "clone"]
+      }
+    });
     this.routeManager.register({
       method: "POST",
       path: `${dataPath}/:object/import`,
@@ -2325,6 +2421,7 @@ var RestServer = class {
             res.status(400).json({ code: "INVALID_REQUEST", error: "object is required" });
             return;
           }
+          if (await this.enforceApiAccess(req, res, p, environmentId, "import")) return;
           const body = req.body ?? {};
           const dryRun = body.dryRun === true;
           const mapping = body.mapping ?? {};
@@ -2408,6 +2505,7 @@ var RestServer = class {
             res.status(400).json({ code: "INVALID_REQUEST", error: "object is required" });
             return;
           }
+          if (await this.enforceApiAccess(req, res, p, environmentId, "export")) return;
           const q = req.query ?? {};
           const format = String(q.format ?? "csv").toLowerCase() === "json" ? "json" : "csv";
           const HARD_CAP = 5e4;
@@ -3929,6 +4027,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "bulk")) return;
             const result = await p.batchData({
               object: req.params.object,
               request: req.body,
@@ -3957,6 +4056,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "create")) return;
             const result = await p.createManyData({
               object: req.params.object,
               records: req.body || [],
@@ -3985,6 +4085,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "update")) return;
             const result = await p.updateManyData({
               object: req.params.object,
               ...req.body,
@@ -4013,6 +4114,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "delete")) return;
             const result = await p.deleteManyData({
               object: req.params.object,
               ...req.body,