@objectstack/rest 9.9.1 → 9.11.0

package/dist/index.cjs

@@ -489,7 +489,7 @@ function rowsToCsv(fields, rows, includeHeader) {
   return lines.join("\r\n") + (lines.length > 0 ? "\r\n" : "");
 }
 var RestServer = class {
-  constructor(server, protocol, config = {}, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider) {
+  constructor(server, protocol, config = {}, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider, settingsServiceProvider) {
     /**
      * Short-TTL cache for `hostname → environmentId` (P1-4). `resolveByHostname`
      * is a control-plane lookup (typically a DB query) that otherwise runs on
@@ -520,6 +520,7 @@ var RestServer = class {
     this.sharingRulesServiceProvider = sharingRulesServiceProvider;
     this.i18nServiceProvider = i18nServiceProvider;
     this.analyticsServiceProvider = analyticsServiceProvider;
+    this.settingsServiceProvider = settingsServiceProvider;
   }
   /**
    * Resolve the protocol for a given request. When `environmentId` is present
@@ -809,6 +810,7 @@ var RestServer = class {
       }
       let userId;
       let tenantId;
+      let email;
       const keyPrincipal = await (0, import_core.resolveApiKeyPrincipal)(identityQl, headers).catch(() => void 0);
       if (keyPrincipal) {
         userId = keyPrincipal.userId;
@@ -819,6 +821,11 @@ var RestServer = class {
         if (!session?.user?.id) return void 0;
         userId = session.user.id;
         tenantId = session.session?.activeOrganizationId ?? void 0;
+        if (session.user?.email) email = String(session.user.email);
+      }
+      if (!email && identityQl && typeof identityQl.find === "function") {
+        const urows = await identityQl.find("sys_user", { where: { id: userId }, limit: 1, context: { isSystem: true } }).catch(() => []);
+        if (urows?.[0]?.email) email = String(urows[0].email);
       }
       try {
         let ql;
@@ -909,14 +916,34 @@ var RestServer = class {
         } catch {
         }
       }
+      let timezone;
+      let locale;
+      try {
+        const settings = this.settingsServiceProvider ? await this.settingsServiceProvider(environmentId).catch(() => void 0) : void 0;
+        if (settings && typeof settings.get === "function") {
+          const sctx = { tenantId, userId };
+          const [tzRes, localeRes] = await Promise.all([
+            settings.get("localization", "timezone", sctx).catch(() => void 0),
+            settings.get("localization", "locale", sctx).catch(() => void 0)
+          ]);
+          const tzVal = tzRes?.value;
+          const localeVal = localeRes?.value;
+          if (typeof tzVal === "string" && tzVal.trim()) timezone = tzVal.trim();
+          if (typeof localeVal === "string" && localeVal.trim()) locale = localeVal.trim();
+        }
+      } catch {
+      }
       return {
         userId,
         tenantId,
+        email,
         roles,
         permissions,
         systemPermissions,
         isSystem: false,
-        org_user_ids
+        org_user_ids,
+        ...timezone ? { timezone } : {},
+        ...locale ? { locale } : {}
       };
     } catch {
       return void 0;
@@ -2983,6 +3010,7 @@ var RestServer = class {
             Object.assign(filteredData, rawBody);
           }
           const context = {
+            publicFormGrant: { object: match.object },
             permissions: ["guest_portal"],
             anonymous: true
           };
@@ -4449,6 +4477,13 @@ function createRestApiPlugin(config = {}) {
           return void 0;
         }
       };
+      const settingsServiceProvider = async (_environmentId) => {
+        try {
+          return ctx.getService("settings");
+        } catch {
+          return void 0;
+        }
+      };
       if (!server) {
         ctx.logger.warn(`RestApiPlugin: HTTP Server service '${serverService}' not found. REST routes skipped.`);
         return;
@@ -4459,9 +4494,14 @@ function createRestApiPlugin(config = {}) {
       }
       ctx.logger.info("Hydrating REST API from Protocol...");
       try {
-        const restServer = new RestServer(server, protocol, config.api, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider);
+        const restServer = new RestServer(server, protocol, config.api, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider, settingsServiceProvider);
         restServer.registerRoutes();
         ctx.logger.info("REST API successfully registered");
+        if (!config.api?.requireAuth) {
+          ctx.logger.warn(
+            "[security] anonymous access to the data API is ALLOWED (api.requireAuth=false) \u2014 objects without OWD/RLS are world-readable. For secure-by-default set api.requireAuth=true and expose public records via share-links / publicSharing (ADR-0056 D2)."
+          );
+        }
       } catch (err) {
         ctx.logger.error("Failed to register REST API routes", { error: err.message });
         throw err;