@objectstack/runtime 9.5.1 → 9.6.0
- package/dist/index.cjs +51 -3
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +51 -3
- package/dist/index.js.map +1 -1
- package/package.json +19 -19
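--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -5,8 +5,13 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __esm = (fn, res) => function __init() {
-
+var __esm = (fn, res, err) => function __init() {
+if (err) throw err[0];
+try {
+return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+} catch (e) {
+throw err = [e], e;
+}
 };
 var __export = (target, all) => {
 for (var name in all)
@@ -1231,7 +1236,8 @@ var init_app_plugin = __esm({
 "ragPipelines",
 "data",
 "emailTemplates",
-"docs"
+"docs",
+"books"
 ];
 const hasAppPayload = APP_CATEGORY_KEYS.some((k) => {
 const v = (bundle && bundle[k]) ?? (sys && sys[k]);
@@ -1936,6 +1942,35 @@ var import_system2 = require("@objectstack/spec/system");
 var import_shared2 = require("@objectstack/spec/shared");
 init_package_state_store();
 
+// src/api-exposure.ts
+var ACTION_TO_API_METHOD = {
+create: "create",
+get: "get",
+update: "update",
+delete: "delete",
+query: "list",
+find: "list",
+batch: "bulk"
+};
+function checkApiExposure(def, action) {
+if (!def) return { allowed: true };
+if (def.apiEnabled === false) {
+return { allowed: false, status: 404, reason: "object is not exposed via the API" };
+}
+const whitelist = def.apiMethods;
+if (Array.isArray(whitelist) && whitelist.length > 0) {
+const method = ACTION_TO_API_METHOD[action];
+if (method && !whitelist.includes(method)) {
+return {
+allowed: false,
+status: 405,
+reason: `API operation '${method}' is not allowed for this object`
+};
+}
+}
+return { allowed: true };
+}
+
 // src/security/api-key.ts
 var import_core2 = require("@objectstack/core");
 
@@ -2216,6 +2251,19 @@ var _HttpDispatcher = class _HttpDispatcher {
 * @param scopeId - Optional project ID for scoped service resolution (SharedProjectPlugin mode)
 */
 async callData(action, params, dataDriver, scopeId, executionContext) {
+if (!executionContext?.isSystem && params?.object) {
+let def;
+try {
+const meta = await this.resolveService("metadata", scopeId);
+def = await meta?.getObject?.(params.object);
+} catch {
+def = void 0;
+}
+const gate = checkApiExposure(def, action);
+if (!gate.allowed) {
+throw { statusCode: gate.status ?? 403, message: gate.reason ?? "API access denied" };
+}
+}
 const protocol = await this.resolveService("protocol", scopeId);
 const qlService = dataDriver ?? await this.getObjectQLService(scopeId);
 const ql = qlService ?? await this.resolveService("objectql", scopeId);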
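Review bot: The exposure gate added at the top of `callData` fails open. Its bare `catch` sets `def = void 0`, and `checkApiExposure` returns `{ allowed: true }` for a missing definition, so an object declared with `apiEnabled: false` appears to be served whenever the metadata lookup throws. Keep allow-by-default only for a lookup that succeeded and found no definition, and deny on a failed lookup, for example by replacing the catch body with `throw { statusCode: 503, message: "object metadata unavailable" };`. In `checkApiExposure`, `if (method && !whitelist.includes(method))` also skips the `apiMethods` list for any action missing from `ACTION_TO_API_METHOD`. If that is not intended, use `if (!method || !whitelist.includes(method))`, and otherwise add a comment naming the actions that are deliberately ungated. The body of `callData` continues past the end of this hunk, so whether a later check covers these cases cannot be seen here.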