@omnifyjp/ts 3.19.2 → 3.19.4

package/dist/php/service-generator.js

@@ -141,6 +141,38 @@ function resolveFieldLists(schema, reader, name) {
     }
     return { searchableFields, filterableFields, sortableFields };
 }
+/**
+ * Reconstruct `relation:col1,col2` tokens after YAML flow-array parsing (#75.1).
+ *
+ * `eagerLoad: [productType:id,name, categories:id,name]` lands in JS as
+ * `['productType:id', 'name', 'categories:id', 'name']` because YAML flow
+ * arrays split on commas. Users expect Eloquent's `with('rel:col,col')`
+ * column-list shorthand to survive. Rejoin any token without a `:` onto the
+ * previous token that does have one.
+ */
+function reconstructRelationTokens(items) {
+    const result = [];
+    let current = null;
+    for (const raw of items) {
+        const item = raw.trim();
+        if (!item)
+            continue;
+        if (item.includes(':')) {
+            if (current !== null)
+                result.push(current);
+            current = item;
+        }
+        else if (current !== null) {
+            current += ',' + item;
+        }
+        else {
+            result.push(item);
+        }
+    }
+    if (current !== null)
+        result.push(current);
+    return result;
+}
 /** Collect properties that have non-null defaults (for create() method). */
 function resolveDefaults(schema, reader, name) {
     const properties = schema.properties ?? {};
@@ -189,8 +221,8 @@ function generateBaseService(name, schema, reader, config) {
     // Translatable fields
     const translatableFields = reader.getTranslatableFields(name);
     const hasTranslatable = translatableFields.length > 0;
-    // Eager load / count
-    const eagerLoad = svc.eagerLoad ?? [];
+    // Eager load / count (#75.1: rejoin YAML-split `rel:col,col` tokens)
+    const eagerLoad = reconstructRelationTokens(svc.eagerLoad ?? []);
     const eagerCount = svc.eagerCount ?? [];
     // Default sort
     const defaultSort = svc.defaultSort ?? '-created_at';
@@ -220,8 +252,10 @@ function generateBaseService(name, schema, reader, config) {
     // ── Query section ─────────────────────────────────────────────────────────
     sections.push('');
     sections.push(buildSectionComment('Query'));
+    // Allowed sort columns whitelist (#75.2: prevent SQL injection via sort filter)
+    const allowedSortColumns = buildAllowedSortColumns(searchableFields, filterableFields, sortableFields, defaultSort, hasSoftDelete);
     // list() method
-    sections.push(buildListMethod(modelName, searchableFields, filterableFields, sortableFields, hasSoftDelete, eagerLoad, eagerCount, defaultSort, perPage));
+    sections.push(buildListMethod(modelName, searchableFields, filterableFields, sortableFields, hasSoftDelete, eagerLoad, eagerCount, defaultSort, perPage, allowedSortColumns));
     // findById() method
     sections.push(buildFindByIdMethod(modelName, eagerLoad, eagerCount));
     // ── Create section ────────────────────────────────────────────────────────
@@ -243,8 +277,8 @@ function generateBaseService(name, schema, reader, config) {
     sections.push(buildDeleteMethod(modelName, hasSoftDelete, hasAuditDeletedBy));
     if (hasSoftDelete) {
         sections.push(buildRestoreMethod(modelName, eagerLoad, eagerCount));
-        sections.push(buildForceDeleteMethod(modelName));
-        sections.push(buildEmptyTrashMethod());
+        sections.push(buildForceDeleteMethod(modelName, hasTranslatable));
+        sections.push(buildEmptyTrashMethod(hasTranslatable));
     }
     // ── Lookup section ────────────────────────────────────────────────────────
     if (lookup) {
@@ -313,7 +347,27 @@ function buildLoadChain(eagerLoad, eagerCount) {
     return parts.join('\n                ');
 }
 // ── list() ──────────────────────────────────────────────────────────────────
-function buildListMethod(modelName, searchableFields, filterableFields, sortableFields, hasSoftDelete, eagerLoad, eagerCount, defaultSort, perPage) {
+function buildAllowedSortColumns(searchableFields, filterableFields, sortableFields, defaultSort, hasSoftDelete) {
+    const set = new Set();
+    for (const f of searchableFields)
+        set.add(f.colName);
+    for (const f of filterableFields)
+        set.add(f.colName);
+    for (const f of sortableFields)
+        set.add(f.colName);
+    // Standard audit/timestamp columns
+    set.add('id');
+    set.add('created_at');
+    set.add('updated_at');
+    if (hasSoftDelete)
+        set.add('deleted_at');
+    // defaultSort must always be allowed even if not otherwise listed
+    const defaultCol = defaultSort.replace(/^-/, '');
+    if (defaultCol)
+        set.add(defaultCol);
+    return Array.from(set).sort();
+}
+function buildListMethod(modelName, searchableFields, filterableFields, sortableFields, hasSoftDelete, eagerLoad, eagerCount, defaultSort, perPage, allowedSortColumns) {
     const lines = [];
     // PHPDoc with filter shape
     const filterShape = buildFilterDocShape(filterableFields, hasSoftDelete);
@@ -359,7 +413,7 @@ function buildListMethod(modelName, searchableFields, filterableFields, sortable
     }
     // Sort
     lines.push('');
-    lines.push(buildSortSection(sortableFields, defaultSort));
+    lines.push(buildSortSection(sortableFields, defaultSort, allowedSortColumns));
     // Paginate
     lines.push(`
         return $query->paginate($filters['per_page'] ?? ${perPage});
@@ -419,11 +473,18 @@ ${clauses.join('\n')}
             });
         });`;
 }
-function buildSortSection(sortableFields, defaultSort) {
-    return `        // -- Sort --
+function buildSortSection(_sortableFields, defaultSort, allowedSortColumns) {
+    const defaultCol = defaultSort.replace(/^-/, '');
+    const allowedList = allowedSortColumns.map(c => `'${c}'`).join(', ');
+    // #75.2: whitelist sort column to prevent SQL injection / arbitrary column access
+    return `        // -- Sort (#75.2: whitelist guards against SQL injection) --
         $sort = $filters['sort'] ?? '${defaultSort}';
         $direction = str_starts_with($sort, '-') ? 'desc' : 'asc';
         $column = ltrim($sort, '-');
+        $allowedSortColumns = [${allowedList}];
+        if (! in_array($column, $allowedSortColumns, true)) {
+            $column = '${defaultCol}';
+        }
         $query->orderBy($column, $direction);`;
 }
 // ── findById() ──────────────────────────────────────────────────────────────
@@ -439,11 +500,12 @@ function buildFindByIdMethod(modelName, eagerLoad, eagerCount) {
 // ── create() ────────────────────────────────────────────────────────────────
 function buildCreateMethod(modelName, hasAuditCreatedBy, hasTranslatable, translatableFields, eagerLoad, eagerCount, defaults) {
     const bodyLines = [];
-    // Audit
+    // Audit (#75.3: always overwrite — never trust client-supplied audit columns)
     if (hasAuditCreatedBy) {
-        bodyLines.push(`            // -- Audit: inject created_by --
+        bodyLines.push(`            // -- Audit: force created_by from Auth (client value discarded) --
+            unset($data['created_by_id']);
             if (Auth::check()) {
-                $data['created_by_id'] = $data['created_by_id'] ?? Auth::id();
+                $data['created_by_id'] = Auth::id();
             }
 `);
     }
@@ -495,9 +557,10 @@ ${bodyLines.join('\n')}
 function buildUpdateMethod(modelName, hasAuditUpdatedBy, hasTranslatable, eagerLoad, eagerCount) {
     const bodyLines = [];
     if (hasAuditUpdatedBy) {
-        bodyLines.push(`            // -- Audit: inject updated_by --
+        bodyLines.push(`            // -- Audit: force updated_by from Auth (#75.3) --
+            unset($data['updated_by_id']);
             if (Auth::check()) {
-                $data['updated_by_id'] = $data['updated_by_id'] ?? Auth::id();
+                $data['updated_by_id'] = Auth::id();
             }
 `);
     }
@@ -568,32 +631,69 @@ ${returnLine}
     }`;
 }
 // ── forceDelete() ───────────────────────────────────────────────────────────
-function buildForceDeleteMethod(modelName) {
-    return `
+function buildForceDeleteMethod(modelName, hasTranslatable) {
+    if (!hasTranslatable) {
+        return `
     public function forceDelete(${modelName} $model): bool
     {
         return DB::transaction(fn () => $model->forceDelete());
     }`;
+    }
+    // #75.7: explicitly drop translations inside the same transaction so the
+    // service contract does not rely on the FK's ON DELETE behaviour.
+    return `
+    public function forceDelete(${modelName} $model): bool
+    {
+        return DB::transaction(function () use ($model) {
+            // -- Cascade translations explicitly (#75.7) --
+            $model->translations()->delete();
+
+            return $model->forceDelete();
+        });
+    }`;
 }
 // ── emptyTrash() ────────────────────────────────────────────────────────────
-function buildEmptyTrashMethod() {
-    return `
+function buildEmptyTrashMethod(hasTranslatable) {
+    if (!hasTranslatable) {
+        return `
     public function emptyTrash(): int
     {
         return $this->model::onlyTrashed()->forceDelete();
     }`;
+    }
+    // #75 followup: query-builder forceDelete bypasses per-model logic,
+    // so translations would be orphaned. Chunk through trashed rows and
+    // delegate to forceDelete() which cascades explicitly.
+    return `
+    public function emptyTrash(): int
+    {
+        // #75 followup: delegate to per-model forceDelete so the translation
+        // cascade in forceDelete() runs. A query-builder DELETE would skip it.
+        $count = 0;
+        $this->model::onlyTrashed()->chunkById(100, function ($batch) use (&$count) {
+            foreach ($batch as $model) {
+                $this->forceDelete($model);
+                $count++;
+            }
+        });
+
+        return $count;
+    }`;
 }
 // ── lookup() ────────────────────────────────────────────────────────────────
-function buildLookupMethod(modelName, lookupFields, filterableFields, defaultSort) {
+function buildLookupMethod(_modelName, lookupFields, filterableFields, defaultSort) {
     const selectFields = lookupFields.map(f => `'${toSnakeCase(f)}'`).join(', ');
     const returnShape = lookupFields.map(f => `${toSnakeCase(f)}: mixed`).join(', ');
     // Sort by first non-id field or default
     const sortCol = defaultSort.replace(/^-/, '');
     const sortDir = defaultSort.startsWith('-') ? 'desc' : 'asc';
-    // Apply filterable columns to lookup too
-    const filterLines = filterableFields.map(f => `        $query->when($filters['${f.colName}'] ?? null, fn ($q, $v) => $q->where('${f.colName}', $v));`);
+    // Apply filterable columns — reuse buildFilterLine so Boolean handling
+    // matches list() (#75.4: `?? null` collapses `false` so lookup() silently
+    // dropped `is_hidden=false`; list() uses isset() which is correct).
+    const filterLines = filterableFields.map(f => buildFilterLine(f));
     return `
     /**
+     * @param  array<string, mixed>  $filters
      * @return array<int, array{${returnShape}}>
      */
     public function lookup(array $filters = []): array
@@ -603,6 +703,11 @@ function buildLookupMethod(modelName, lookupFields, filterableFields, defaultSor
             ->orderBy('${sortCol}', '${sortDir}');
 
 ${filterLines.length > 0 ? filterLines.join('\n') + '\n' : ''}
+        // #75.8: cap results so type-ahead / dropdown endpoints never load the
+        // entire table. Caller can override via ?limit=... up to a hard ceiling.
+        $limit = min((int) ($filters['limit'] ?? 100), 500);
+        $query->limit($limit);
+
         return $query->get()->toArray();
     }`;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@omnifyjp/ts",
-  "version": "3.19.2",
+  "version": "3.19.4",
   "description": "TypeScript model type generator from Omnify schemas.json",
   "type": "module",
   "main": "dist/index.js",