@opensaas/stack-core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (95) hide show
  1. package/.turbo/turbo-build.log +4 -0
  2. package/README.md +447 -0
  3. package/dist/access/engine.d.ts +73 -0
  4. package/dist/access/engine.d.ts.map +1 -0
  5. package/dist/access/engine.js +244 -0
  6. package/dist/access/engine.js.map +1 -0
  7. package/dist/access/field-transforms.d.ts +47 -0
  8. package/dist/access/field-transforms.d.ts.map +1 -0
  9. package/dist/access/field-transforms.js +2 -0
  10. package/dist/access/field-transforms.js.map +1 -0
  11. package/dist/access/index.d.ts +3 -0
  12. package/dist/access/index.d.ts.map +1 -0
  13. package/dist/access/index.js +2 -0
  14. package/dist/access/index.js.map +1 -0
  15. package/dist/access/types.d.ts +83 -0
  16. package/dist/access/types.d.ts.map +1 -0
  17. package/dist/access/types.js +2 -0
  18. package/dist/access/types.js.map +1 -0
  19. package/dist/config/index.d.ts +39 -0
  20. package/dist/config/index.d.ts.map +1 -0
  21. package/dist/config/index.js +38 -0
  22. package/dist/config/index.js.map +1 -0
  23. package/dist/config/types.d.ts +413 -0
  24. package/dist/config/types.d.ts.map +1 -0
  25. package/dist/config/types.js +2 -0
  26. package/dist/config/types.js.map +1 -0
  27. package/dist/context/index.d.ts +31 -0
  28. package/dist/context/index.d.ts.map +1 -0
  29. package/dist/context/index.js +524 -0
  30. package/dist/context/index.js.map +1 -0
  31. package/dist/context/nested-operations.d.ts +10 -0
  32. package/dist/context/nested-operations.d.ts.map +1 -0
  33. package/dist/context/nested-operations.js +261 -0
  34. package/dist/context/nested-operations.js.map +1 -0
  35. package/dist/fields/index.d.ts +78 -0
  36. package/dist/fields/index.d.ts.map +1 -0
  37. package/dist/fields/index.js +381 -0
  38. package/dist/fields/index.js.map +1 -0
  39. package/dist/hooks/index.d.ts +58 -0
  40. package/dist/hooks/index.d.ts.map +1 -0
  41. package/dist/hooks/index.js +79 -0
  42. package/dist/hooks/index.js.map +1 -0
  43. package/dist/index.d.ts +11 -0
  44. package/dist/index.d.ts.map +1 -0
  45. package/dist/index.js +12 -0
  46. package/dist/index.js.map +1 -0
  47. package/dist/lib/case-utils.d.ts +49 -0
  48. package/dist/lib/case-utils.d.ts.map +1 -0
  49. package/dist/lib/case-utils.js +68 -0
  50. package/dist/lib/case-utils.js.map +1 -0
  51. package/dist/lib/case-utils.test.d.ts +2 -0
  52. package/dist/lib/case-utils.test.d.ts.map +1 -0
  53. package/dist/lib/case-utils.test.js +101 -0
  54. package/dist/lib/case-utils.test.js.map +1 -0
  55. package/dist/utils/password.d.ts +81 -0
  56. package/dist/utils/password.d.ts.map +1 -0
  57. package/dist/utils/password.js +132 -0
  58. package/dist/utils/password.js.map +1 -0
  59. package/dist/validation/schema.d.ts +17 -0
  60. package/dist/validation/schema.d.ts.map +1 -0
  61. package/dist/validation/schema.js +42 -0
  62. package/dist/validation/schema.js.map +1 -0
  63. package/dist/validation/schema.test.d.ts +2 -0
  64. package/dist/validation/schema.test.d.ts.map +1 -0
  65. package/dist/validation/schema.test.js +143 -0
  66. package/dist/validation/schema.test.js.map +1 -0
  67. package/docs/type-distribution-fix.md +136 -0
  68. package/package.json +48 -0
  69. package/src/access/engine.ts +360 -0
  70. package/src/access/field-transforms.ts +99 -0
  71. package/src/access/index.ts +20 -0
  72. package/src/access/types.ts +103 -0
  73. package/src/config/index.ts +71 -0
  74. package/src/config/types.ts +478 -0
  75. package/src/context/index.ts +814 -0
  76. package/src/context/nested-operations.ts +412 -0
  77. package/src/fields/index.ts +438 -0
  78. package/src/hooks/index.ts +132 -0
  79. package/src/index.ts +62 -0
  80. package/src/lib/case-utils.test.ts +127 -0
  81. package/src/lib/case-utils.ts +74 -0
  82. package/src/utils/password.ts +147 -0
  83. package/src/validation/schema.test.ts +171 -0
  84. package/src/validation/schema.ts +59 -0
  85. package/tests/access-relationships.test.ts +613 -0
  86. package/tests/access.test.ts +499 -0
  87. package/tests/config.test.ts +195 -0
  88. package/tests/context.test.ts +248 -0
  89. package/tests/hooks.test.ts +417 -0
  90. package/tests/password-type-distribution.test.ts +155 -0
  91. package/tests/password-types.test.ts +147 -0
  92. package/tests/password.test.ts +249 -0
  93. package/tsconfig.json +12 -0
  94. package/tsconfig.tsbuildinfo +1 -0
  95. package/vitest.config.ts +27 -0
package/tests/access-relationships.test.ts ADDED
@@ -0,0 +1,613 @@
1
+ import { describe, it, expect } from 'vitest'
2
+ import { filterReadableFields, getRelatedListConfig } from '../src/access/engine.js'
3
+ import type { OpenSaasConfig, AccessContext } from '../src/index.js'
4
+
5
+ describe('Relationship Access Control', () => {
6
+ const mockContext: AccessContext = {
7
+ session: null,
8
+ prisma: {},
9
+ db: {},
10
+ }
11
+
12
+ describe('getRelatedListConfig', () => {
13
+ const config: OpenSaasConfig = {
14
+ db: {
15
+ provider: 'postgresql',
16
+ url: 'postgresql://localhost:5432/test',
17
+ },
18
+ lists: {
19
+ User: {
20
+ fields: {
21
+ name: { type: 'text' },
22
+ },
23
+ },
24
+ Post: {
25
+ fields: {
26
+ title: { type: 'text' },
27
+ },
28
+ },
29
+ },
30
+ }
31
+
32
+ it('should parse relationship ref and return list config', () => {
33
+ const result = getRelatedListConfig('Post.author', config)
34
+
35
+ expect(result).toBeDefined()
36
+ expect(result?.listName).toBe('Post')
37
+ expect(result?.listConfig).toBeDefined()
38
+ expect(result?.listConfig.fields.title).toBeDefined()
39
+ })
40
+
41
+ it('should return null for invalid ref format', () => {
42
+ const result = getRelatedListConfig('InvalidRef', config)
43
+
44
+ expect(result).toBeNull()
45
+ })
46
+
47
+ it('should return null for non-existent list', () => {
48
+ const result = getRelatedListConfig('NonExistent.field', config)
49
+
50
+ expect(result).toBeNull()
51
+ })
52
+ })
53
+
54
+ describe('filterReadableFields with relationships', () => {
55
+ describe('single relationships', () => {
56
+ it('should apply access control to single relationship', async () => {
57
+ const config: OpenSaasConfig = {
58
+ db: {
59
+ provider: 'postgresql',
60
+ url: 'postgresql://localhost:5432/test',
61
+ },
62
+ lists: {
63
+ User: {
64
+ fields: {
65
+ name: { type: 'text' },
66
+ },
67
+ access: {
68
+ operation: {
69
+ query: () => true, // Allow reading users
70
+ },
71
+ },
72
+ },
73
+ Post: {
74
+ fields: {
75
+ title: { type: 'text' },
76
+ author: {
77
+ type: 'relationship',
78
+ ref: 'User.posts',
79
+ },
80
+ },
81
+ },
82
+ },
83
+ }
84
+
85
+ const post = {
86
+ id: '1',
87
+ title: 'Test Post',
88
+ author: {
89
+ id: '1',
90
+ name: 'John Doe',
91
+ },
92
+ }
93
+
94
+ const result = await filterReadableFields(
95
+ post,
96
+ config.lists.Post.fields,
97
+ {
98
+ session: null,
99
+ context: mockContext,
100
+ },
101
+ config,
102
+ )
103
+
104
+ expect(result.title).toBe('Test Post')
105
+ expect(result.author).toBeDefined()
106
+ expect(result.author?.name).toBe('John Doe')
107
+ })
108
+
109
+ it('should filter out single relationship when access denied (via buildIncludeWithAccessControl)', async () => {
110
+ const config: OpenSaasConfig = {
111
+ db: {
112
+ provider: 'postgresql',
113
+ url: 'postgresql://localhost:5432/test',
114
+ },
115
+ lists: {
116
+ User: {
117
+ fields: {
118
+ name: { type: 'text' },
119
+ },
120
+ access: {
121
+ operation: {
122
+ query: () => false, // Deny reading users
123
+ },
124
+ },
125
+ },
126
+ Post: {
127
+ fields: {
128
+ title: { type: 'text' },
129
+ author: {
130
+ type: 'relationship',
131
+ ref: 'User.posts',
132
+ },
133
+ },
134
+ },
135
+ },
136
+ }
137
+
138
+ // Test that buildIncludeWithAccessControl excludes the denied relationship
139
+ const { buildIncludeWithAccessControl } = await import('../src/access/engine.js')
140
+
141
+ const include = await buildIncludeWithAccessControl(
142
+ config.lists.Post.fields,
143
+ {
144
+ session: null,
145
+ context: mockContext,
146
+ },
147
+ config,
148
+ )
149
+
150
+ // When access is denied, the relationship should not be included
151
+ expect(include).toBeDefined()
152
+ expect(include?.author).toBeUndefined()
153
+ })
154
+
155
+ it('should apply field-level access to single relationship', async () => {
156
+ const config: OpenSaasConfig = {
157
+ db: {
158
+ provider: 'postgresql',
159
+ url: 'postgresql://localhost:5432/test',
160
+ },
161
+ lists: {
162
+ User: {
163
+ fields: {
164
+ name: { type: 'text' },
165
+ email: {
166
+ type: 'text',
167
+ access: {
168
+ read: () => false, // Hide email
169
+ },
170
+ },
171
+ },
172
+ access: {
173
+ operation: {
174
+ query: () => true,
175
+ },
176
+ },
177
+ },
178
+ Post: {
179
+ fields: {
180
+ title: { type: 'text' },
181
+ author: {
182
+ type: 'relationship',
183
+ ref: 'User.posts',
184
+ },
185
+ },
186
+ },
187
+ },
188
+ }
189
+
190
+ const post = {
191
+ id: '1',
192
+ title: 'Test Post',
193
+ author: {
194
+ id: '1',
195
+ name: 'John Doe',
196
+ email: 'john@example.com',
197
+ },
198
+ }
199
+
200
+ const result = await filterReadableFields(
201
+ post,
202
+ config.lists.Post.fields,
203
+ {
204
+ session: null,
205
+ context: mockContext,
206
+ },
207
+ config,
208
+ )
209
+
210
+ expect(result.author).toBeDefined()
211
+ expect(result.author?.name).toBe('John Doe')
212
+ expect(result.author?.email).toBeUndefined()
213
+ })
214
+ })
215
+
216
+ describe('many relationships (arrays)', () => {
217
+ it('should apply access control to many relationships', async () => {
218
+ const config: OpenSaasConfig = {
219
+ db: {
220
+ provider: 'postgresql',
221
+ url: 'postgresql://localhost:5432/test',
222
+ },
223
+ lists: {
224
+ User: {
225
+ fields: {
226
+ name: { type: 'text' },
227
+ posts: {
228
+ type: 'relationship',
229
+ ref: 'Post.author',
230
+ many: true,
231
+ },
232
+ },
233
+ },
234
+ Post: {
235
+ fields: {
236
+ title: { type: 'text' },
237
+ status: { type: 'select', options: [] },
238
+ },
239
+ access: {
240
+ operation: {
241
+ query: () => true, // Allow all posts
242
+ },
243
+ },
244
+ },
245
+ },
246
+ }
247
+
248
+ const user = {
249
+ id: '1',
250
+ name: 'John Doe',
251
+ posts: [
252
+ { id: '1', title: 'Post 1', status: 'published' },
253
+ { id: '2', title: 'Post 2', status: 'draft' },
254
+ ],
255
+ }
256
+
257
+ const result = await filterReadableFields(
258
+ user,
259
+ config.lists.User.fields,
260
+ {
261
+ session: null,
262
+ context: mockContext,
263
+ },
264
+ config,
265
+ )
266
+
267
+ expect(result.posts).toHaveLength(2)
268
+ expect(result.posts?.[0].title).toBe('Post 1')
269
+ expect(result.posts?.[1].title).toBe('Post 2')
270
+ })
271
+
272
+ it('should filter items in many relationships based on query access (via buildIncludeWithAccessControl)', async () => {
273
+ const config: OpenSaasConfig = {
274
+ db: {
275
+ provider: 'postgresql',
276
+ url: 'postgresql://localhost:5432/test',
277
+ },
278
+ lists: {
279
+ User: {
280
+ fields: {
281
+ name: { type: 'text' },
282
+ posts: {
283
+ type: 'relationship',
284
+ ref: 'Post.author',
285
+ many: true,
286
+ },
287
+ },
288
+ },
289
+ Post: {
290
+ fields: {
291
+ title: { type: 'text' },
292
+ status: { type: 'select', options: [] },
293
+ },
294
+ access: {
295
+ operation: {
296
+ // Only show published posts
297
+ query: () => ({ status: { equals: 'published' } }),
298
+ },
299
+ },
300
+ },
301
+ },
302
+ }
303
+
304
+ // Test that buildIncludeWithAccessControl creates the right where clause
305
+ const { buildIncludeWithAccessControl } = await import('../src/access/engine.js')
306
+
307
+ const include = await buildIncludeWithAccessControl(
308
+ config.lists.User.fields,
309
+ {
310
+ session: null,
311
+ context: mockContext,
312
+ },
313
+ config,
314
+ )
315
+
316
+ // Should include posts with a where filter
317
+ expect(include).toBeDefined()
318
+ expect(include?.posts).toBeDefined()
319
+ // @ts-expect-error the test
320
+ expect(include?.posts.where).toEqual({ status: { equals: 'published' } })
321
+ })
322
+
323
+ it('should apply field-level access to items in many relationships', async () => {
324
+ const config: OpenSaasConfig = {
325
+ db: {
326
+ provider: 'postgresql',
327
+ url: 'postgresql://localhost:5432/test',
328
+ },
329
+ lists: {
330
+ User: {
331
+ fields: {
332
+ name: { type: 'text' },
333
+ posts: {
334
+ type: 'relationship',
335
+ ref: 'Post.author',
336
+ many: true,
337
+ },
338
+ },
339
+ },
340
+ Post: {
341
+ fields: {
342
+ title: { type: 'text' },
343
+ internalNotes: {
344
+ type: 'text',
345
+ access: {
346
+ read: () => false, // Hide internal notes
347
+ },
348
+ },
349
+ },
350
+ access: {
351
+ operation: {
352
+ query: () => true,
353
+ },
354
+ },
355
+ },
356
+ },
357
+ }
358
+
359
+ const user = {
360
+ id: '1',
361
+ name: 'John Doe',
362
+ posts: [
363
+ { id: '1', title: 'Post 1', internalNotes: 'Secret notes' },
364
+ { id: '2', title: 'Post 2', internalNotes: 'More secrets' },
365
+ ],
366
+ }
367
+
368
+ const result = await filterReadableFields(
369
+ user,
370
+ config.lists.User.fields,
371
+ {
372
+ session: null,
373
+ context: mockContext,
374
+ },
375
+ config,
376
+ )
377
+
378
+ expect(result.posts).toHaveLength(2)
379
+ expect(result.posts?.[0].title).toBe('Post 1')
380
+ expect(result.posts?.[0].internalNotes).toBeUndefined()
381
+ expect(result.posts?.[1].title).toBe('Post 2')
382
+ expect(result.posts?.[1].internalNotes).toBeUndefined()
383
+ })
384
+
385
+ it('should handle empty arrays', async () => {
386
+ const config: OpenSaasConfig = {
387
+ db: {
388
+ provider: 'postgresql',
389
+ url: 'postgresql://localhost:5432/test',
390
+ },
391
+ lists: {
392
+ User: {
393
+ fields: {
394
+ name: { type: 'text' },
395
+ posts: {
396
+ type: 'relationship',
397
+ ref: 'Post.author',
398
+ many: true,
399
+ },
400
+ },
401
+ },
402
+ Post: {
403
+ fields: {
404
+ title: { type: 'text' },
405
+ },
406
+ access: {
407
+ operation: {
408
+ query: () => true,
409
+ },
410
+ },
411
+ },
412
+ },
413
+ }
414
+
415
+ const user = {
416
+ id: '1',
417
+ name: 'John Doe',
418
+ posts: [],
419
+ }
420
+
421
+ const result = await filterReadableFields(
422
+ user,
423
+ config.lists.User.fields,
424
+ {
425
+ session: null,
426
+ context: mockContext,
427
+ },
428
+ config,
429
+ )
430
+
431
+ expect(result.posts).toEqual([])
432
+ })
433
+ })
434
+
435
+ describe('session-based access for relationships', () => {
436
+ it('should apply session-based access to relationships (via buildIncludeWithAccessControl)', async () => {
437
+ const config: OpenSaasConfig = {
438
+ db: {
439
+ provider: 'postgresql',
440
+ url: 'postgresql://localhost:5432/test',
441
+ },
442
+ lists: {
443
+ User: {
444
+ fields: {
445
+ name: { type: 'text' },
446
+ posts: {
447
+ type: 'relationship',
448
+ ref: 'Post.author',
449
+ many: true,
450
+ },
451
+ },
452
+ },
453
+ Post: {
454
+ fields: {
455
+ title: { type: 'text' },
456
+ authorId: { type: 'text' },
457
+ },
458
+ access: {
459
+ operation: {
460
+ // Only show posts owned by current user
461
+ query: ({ session }) => {
462
+ if (!session) return false
463
+ return { authorId: { equals: session.userId } }
464
+ },
465
+ },
466
+ },
467
+ },
468
+ },
469
+ }
470
+
471
+ // Test that buildIncludeWithAccessControl creates session-based where clause
472
+ const { buildIncludeWithAccessControl } = await import('../src/access/engine.js')
473
+
474
+ const include = await buildIncludeWithAccessControl(
475
+ config.lists.User.fields,
476
+ {
477
+ session: { userId: '1' },
478
+ context: mockContext,
479
+ },
480
+ config,
481
+ )
482
+
483
+ // Should include posts with session-based where filter
484
+ expect(include).toBeDefined()
485
+ expect(include?.posts).toBeDefined()
486
+ // @ts-expect-error the test
487
+ expect(include?.posts.where).toEqual({ authorId: { equals: '1' } })
488
+ })
489
+ })
490
+
491
+ describe('depth limiting', () => {
492
+ it('should prevent infinite recursion with depth limit', async () => {
493
+ const config: OpenSaasConfig = {
494
+ db: {
495
+ provider: 'postgresql',
496
+ url: 'postgresql://localhost:5432/test',
497
+ },
498
+ lists: {
499
+ User: {
500
+ fields: {
501
+ name: { type: 'text' },
502
+ posts: {
503
+ type: 'relationship',
504
+ ref: 'Post.author',
505
+ many: true,
506
+ },
507
+ },
508
+ access: {
509
+ operation: {
510
+ query: () => true,
511
+ },
512
+ },
513
+ },
514
+ Post: {
515
+ fields: {
516
+ title: { type: 'text' },
517
+ author: {
518
+ type: 'relationship',
519
+ ref: 'User.posts',
520
+ },
521
+ },
522
+ access: {
523
+ operation: {
524
+ query: () => true,
525
+ },
526
+ },
527
+ },
528
+ },
529
+ }
530
+
531
+ // Create circular reference structure
532
+ const user = {
533
+ id: '1',
534
+ name: 'John Doe',
535
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
536
+ posts: [] as any[],
537
+ }
538
+
539
+ const post = {
540
+ id: '1',
541
+ title: 'Test Post',
542
+ author: user,
543
+ }
544
+
545
+ user.posts = [post]
546
+
547
+ const result = await filterReadableFields(
548
+ user,
549
+ config.lists.User.fields,
550
+ {
551
+ session: null,
552
+ context: mockContext,
553
+ },
554
+ config,
555
+ )
556
+
557
+ // Should not throw stack overflow error
558
+ expect(result).toBeDefined()
559
+ expect(result.posts).toBeDefined()
560
+ })
561
+ })
562
+
563
+ describe('null and undefined relationships', () => {
564
+ it('should handle null single relationships', async () => {
565
+ const config: OpenSaasConfig = {
566
+ db: {
567
+ provider: 'postgresql',
568
+ url: 'postgresql://localhost:5432/test',
569
+ },
570
+ lists: {
571
+ User: {
572
+ fields: {
573
+ name: { type: 'text' },
574
+ },
575
+ access: {
576
+ operation: {
577
+ query: () => true,
578
+ },
579
+ },
580
+ },
581
+ Post: {
582
+ fields: {
583
+ title: { type: 'text' },
584
+ author: {
585
+ type: 'relationship',
586
+ ref: 'User.posts',
587
+ },
588
+ },
589
+ },
590
+ },
591
+ }
592
+
593
+ const post = {
594
+ id: '1',
595
+ title: 'Test Post',
596
+ author: null,
597
+ }
598
+
599
+ const result = await filterReadableFields(
600
+ post,
601
+ config.lists.Post.fields,
602
+ {
603
+ session: null,
604
+ context: mockContext,
605
+ },
606
+ config,
607
+ )
608
+
609
+ expect(result.author).toBeNull()
610
+ })
611
+ })
612
+ })
613
+ })