@opensaas/stack-core 0.1.6 → 0.3.0

package/src/context/index.ts

@@ -14,6 +14,7 @@ import {
   executeAfterOperation,
   validateFieldRules,
   ValidationError,
+  DatabaseError,
 } from '../hooks/index.js'
 import { processNestedOperations } from './nested-operations.js'
 import { getDbKey } from '../lib/case-utils.js'
@@ -130,6 +131,69 @@ export type ServerActionProps =
   | { listKey: string; action: 'create'; data: Record<string, unknown> }
   | { listKey: string; action: 'update'; id: string; data: Record<string, unknown> }
   | { listKey: string; action: 'delete'; id: string }
+
+/**
+ * Parse Prisma error and convert to user-friendly DatabaseError
+ */
+function parsePrismaError(error: unknown, listConfig: ListConfig): Error {
+  // Check if it's a Prisma error
+  if (
+    error &&
+    typeof error === 'object' &&
+    'code' in error &&
+    'meta' in error &&
+    typeof error.code === 'string'
+  ) {
+    const prismaError = error as { code: string; meta?: { target?: string[] }; message?: string }
+
+    // Handle unique constraint violation
+    if (prismaError.code === 'P2002') {
+      const target = prismaError.meta?.target
+      const fieldErrors: Record<string, string> = {}
+
+      if (target && Array.isArray(target)) {
+        // Get field names from the constraint target
+        for (const fieldName of target) {
+          // Get the field config to get a better label
+          const fieldConfig = listConfig.fields[fieldName]
+          const label = fieldName.charAt(0).toUpperCase() + fieldName.slice(1)
+
+          if (fieldConfig) {
+            fieldErrors[fieldName] = `This ${label.toLowerCase()} is already in use`
+          } else {
+            fieldErrors[fieldName] = `This value is already in use`
+          }
+        }
+
+        // Create a user-friendly general message
+        const fieldLabels = target.map((f) => f.charAt(0).toUpperCase() + f.slice(1)).join(', ')
+        return new DatabaseError(
+          `${fieldLabels} must be unique. The value you entered is already in use.`,
+          fieldErrors,
+          prismaError.code,
+        )
+      }
+
+      return new DatabaseError('A record with this value already exists', {}, prismaError.code)
+    }
+
+    // Handle other Prisma errors - return generic message
+    return new DatabaseError(
+      prismaError.message || 'A database error occurred',
+      {},
+      prismaError.code,
+    )
+  }
+
+  // Not a Prisma error, return as-is if it's already an Error
+  if (error instanceof Error) {
+    return error
+  }
+
+  // Unknown error type
+  return new Error('An unknown error occurred')
+}
+
 /**
  * Create an access-controlled context
  *
@@ -144,14 +208,27 @@ export function getContext<
 >(
   config: TConfig,
   prisma: TPrisma,
-  session: Session,
+  session: Session | null,
   storage?: StorageUtils,
+  _isSudo: boolean = false,
 ): {
   db: AccessControlledDB<TPrisma>
-  session: Session
+  session: Session | null
   prisma: TPrisma
   storage: StorageUtils
+  plugins: Record<string, unknown>
   serverAction: (props: ServerActionProps) => Promise<unknown>
+  _isSudo: boolean
+  sudo: () => {
+    db: AccessControlledDB<TPrisma>
+    session: Session | null
+    prisma: TPrisma
+    storage: StorageUtils
+    plugins: Record<string, unknown>
+    serverAction: (props: ServerActionProps) => Promise<unknown>
+    sudo: () => unknown
+    _isSudo: boolean
+  }
 } {
   // Initialize db object - will be populated with access-controlled operations
   // Type is intentionally broad to allow dynamic model access
@@ -185,6 +262,8 @@ export function getContext<
         )
       },
     },
+    plugins: {}, // Will be populated with plugin runtime services
+    _isSudo,
   }
 
   // Create access-controlled operations for each list
@@ -201,29 +280,113 @@ export function getContext<
     }
   }
 
+  // Execute plugin runtime functions and populate context.plugins
+  // Use _plugins (sorted by dependencies) if available, otherwise fall back to plugins array
+  const pluginsToExecute = config._plugins || config.plugins || []
+  for (const plugin of pluginsToExecute) {
+    if (plugin.runtime) {
+      try {
+        context.plugins[plugin.name] = plugin.runtime(context)
+      } catch (error) {
+        console.error(`Error executing runtime for plugin "${plugin.name}":`, error)
+        // Continue with other plugins even if one fails
+      }
+    }
+  }
+
   // Generic server action handler with discriminated union for type safety
-  async function serverAction(props: ServerActionProps): Promise<unknown> {
+  // Returns a result object instead of throwing to work properly in Next.js production
+  async function serverAction(
+    props: ServerActionProps,
+  ): Promise<
+    | { success: true; data: unknown }
+    | { success: false; error: string; fieldErrors?: Record<string, string> }
+  > {
     const dbKey = getDbKey(props.listKey)
+    const listConfig = config.lists[props.listKey]
+
+    if (!listConfig) {
+      return {
+        success: false,
+        error: `List "${props.listKey}" not found in configuration`,
+      }
+    }
+
     const model = db[dbKey] as {
       create: (args: { data: Record<string, unknown> }) => Promise<unknown>
       update: (args: { where: { id: string }; data: Record<string, unknown> }) => Promise<unknown>
       delete: (args: { where: { id: string } }) => Promise<unknown>
     }
 
-    if (props.action === 'create') {
-      return await model.create({ data: props.data })
-    } else if (props.action === 'update') {
-      return await model.update({
-        where: { id: props.id },
-        data: props.data,
-      })
-    } else if (props.action === 'delete') {
-      return await model.delete({
-        where: { id: props.id },
-      })
+    try {
+      let result: unknown = null
+
+      if (props.action === 'create') {
+        result = await model.create({ data: props.data })
+      } else if (props.action === 'update') {
+        result = await model.update({
+          where: { id: props.id },
+          data: props.data,
+        })
+      } else if (props.action === 'delete') {
+        result = await model.delete({
+          where: { id: props.id },
+        })
+      }
+
+      // Check for access denial (null return from access-controlled operations)
+      if (result === null) {
+        return {
+          success: false,
+          error: 'Access denied or operation failed',
+        }
+      }
+
+      return {
+        success: true,
+        data: result,
+      }
+    } catch (error) {
+      // Handle ValidationError (has fieldErrors)
+      if (error instanceof ValidationError) {
+        return {
+          success: false,
+          error: error.message,
+          fieldErrors: error.fieldErrors,
+        }
+      }
+
+      // Handle DatabaseError (has fieldErrors)
+      if (error instanceof DatabaseError) {
+        return {
+          success: false,
+          error: error.message,
+          fieldErrors: error.fieldErrors,
+        }
+      }
+
+      // Parse and convert Prisma errors to user-friendly DatabaseError
+      const dbError = parsePrismaError(error, listConfig)
+      if (dbError instanceof DatabaseError) {
+        return {
+          success: false,
+          error: dbError.message,
+          fieldErrors: dbError.fieldErrors,
+        }
+      }
+
+      // Generic error fallback
+      return {
+        success: false,
+        error: dbError.message,
+      }
     }
+  }
 
-    return null
+  // Sudo function - creates a new context that bypasses access control
+  // but still executes all hooks and validation
+  function sudo() {
+    return getContext(config, prisma, session, context.storage, true)
   }
 
   return {
@@ -231,7 +394,10 @@ export function getContext<
     session,
     prisma,
     storage: context.storage,
+    plugins: context.plugins,
     serverAction,
+    sudo,
+    _isSudo,
   }
 }
 
@@ -242,25 +408,29 @@ function createFindUnique<TPrisma extends PrismaClientLike>(
   listName: string,
   listConfig: ListConfig,
   prisma: TPrisma,
-  context: AccessContext,
+  context: AccessContext<TPrisma>,
   config: OpenSaasConfig,
 ) {
   return async (args: { where: { id: string }; include?: Record<string, unknown> }) => {
-    // Check query access
-    const queryAccess = listConfig.access?.operation?.query
-    const accessResult = await checkAccess(queryAccess, {
-      session: context.session,
-      context,
-    })
+    // Check query access (skip if sudo mode)
+    let where: Record<string, unknown> = args.where
+    if (!context._isSudo) {
+      const queryAccess = listConfig.access?.operation?.query
+      const accessResult = await checkAccess(queryAccess, {
+        session: context.session,
+        context,
+      })
 
-    if (accessResult === false) {
-      return null
-    }
+      if (accessResult === false) {
+        return null
+      }
 
-    // Merge access filter with where clause
-    const where = mergeFilters(args.where, accessResult)
-    if (where === null) {
-      return null
+      // Merge access filter with where clause
+      const mergedWhere = mergeFilters(args.where, accessResult)
+      if (mergedWhere === null) {
+        return null
+      }
+      where = mergedWhere
     }
 
     // Build include with access control filters
@@ -290,12 +460,13 @@ function createFindUnique<TPrisma extends PrismaClientLike>(
     }
 
     // Filter readable fields and apply resolveOutput hooks (including nested relationships)
+    // Pass sudo flag through context to skip field-level access checks
     const filtered = await filterReadableFields(
       item,
       listConfig.fields,
       {
         session: context.session,
-        context,
+        context: { ...context, _isSudo: context._isSudo },
       },
       config,
       0,
@@ -323,7 +494,7 @@ function createFindMany<TPrisma extends PrismaClientLike>(
   listName: string,
   listConfig: ListConfig,
   prisma: TPrisma,
-  context: AccessContext,
+  context: AccessContext<TPrisma>,
   config: OpenSaasConfig,
 ) {
   return async (args?: {
@@ -332,21 +503,25 @@ function createFindMany<TPrisma extends PrismaClientLike>(
     skip?: number
     include?: Record<string, unknown>
   }) => {
-    // Check query access
-    const queryAccess = listConfig.access?.operation?.query
-    const accessResult = await checkAccess(queryAccess, {
-      session: context.session,
-      context,
-    })
+    // Check query access (skip if sudo mode)
+    let where: Record<string, unknown> | undefined = args?.where
+    if (!context._isSudo) {
+      const queryAccess = listConfig.access?.operation?.query
+      const accessResult = await checkAccess(queryAccess, {
+        session: context.session,
+        context,
+      })
 
-    if (accessResult === false) {
-      return []
-    }
+      if (accessResult === false) {
+        return []
+      }
 
-    // Merge access filter with where clause
-    const where = mergeFilters(args?.where, accessResult)
-    if (where === null) {
-      return []
+      // Merge access filter with where clause
+      const mergedWhere = mergeFilters(args?.where, accessResult)
+      if (mergedWhere === null) {
+        return []
+      }
+      where = mergedWhere
     }
 
     // Build include with access control filters
@@ -374,6 +549,7 @@ function createFindMany<TPrisma extends PrismaClientLike>(
     })
 
     // Filter readable fields for each item and apply resolveOutput hooks (including nested relationships)
+    // Pass sudo flag through context to skip field-level access checks
     const filtered = await Promise.all(
       items.map((item: Record<string, unknown>) =>
         filterReadableFields(
@@ -381,7 +557,7 @@ function createFindMany<TPrisma extends PrismaClientLike>(
           listConfig.fields,
           {
             session: context.session,
-            context,
+            context: { ...context, _isSudo: context._isSudo },
           },
           config,
           0,
@@ -415,19 +591,21 @@ function createCreate<TPrisma extends PrismaClientLike>(
   listName: string,
   listConfig: ListConfig,
   prisma: TPrisma,
-  context: AccessContext,
+  context: AccessContext<TPrisma>,
   config: OpenSaasConfig,
 ) {
   return async (args: { data: Record<string, unknown> }) => {
-    // 1. Check create access
-    const createAccess = listConfig.access?.operation?.create
-    const accessResult = await checkAccess(createAccess, {
-      session: context.session,
-      context,
-    })
+    // 1. Check create access (skip if sudo mode)
+    if (!context._isSudo) {
+      const createAccess = listConfig.access?.operation?.create
+      const accessResult = await checkAccess(createAccess, {
+        session: context.session,
+        context,
+      })
 
-    if (accessResult === false) {
-      return null
+      if (accessResult === false) {
+        return null
+      }
     }
 
     // 2. Execute list-level resolveInput hook
@@ -459,10 +637,10 @@ function createCreate<TPrisma extends PrismaClientLike>(
       throw new ValidationError(validation.errors, validation.fieldErrors)
     }
 
-    // 5. Filter writable fields (field-level access control)
+    // 5. Filter writable fields (field-level access control, skip if sudo mode)
     const filteredData = await filterWritableFields(resolvedData, listConfig.fields, 'create', {
       session: context.session,
-      context,
+      context: { ...context, _isSudo: context._isSudo },
     })
 
     // 5.5. Process nested relationship operations
@@ -509,12 +687,13 @@ function createCreate<TPrisma extends PrismaClientLike>(
     )
 
     // 11. Filter readable fields and apply resolveOutput hooks (including nested relationships)
+    // Pass sudo flag through context to skip field-level access checks
     const filtered = await filterReadableFields(
       item,
       listConfig.fields,
       {
         session: context.session,
-        context,
+        context: { ...context, _isSudo: context._isSudo },
       },
       config,
       0,
@@ -532,7 +711,7 @@ function createUpdate<TPrisma extends PrismaClientLike>(
   listName: string,
   listConfig: ListConfig,
   prisma: TPrisma,
-  context: AccessContext,
+  context: AccessContext<TPrisma>,
   config: OpenSaasConfig,
 ) {
   return async (args: { where: { id: string }; data: Record<string, unknown> }) => {
@@ -548,27 +727,29 @@ function createUpdate<TPrisma extends PrismaClientLike>(
       return null
     }
 
-    // 2. Check update access
-    const updateAccess = listConfig.access?.operation?.update
-    const accessResult = await checkAccess(updateAccess, {
-      session: context.session,
-      item,
-      context,
-    })
-
-    if (accessResult === false) {
-      return null
-    }
-
-    // If access returns a filter, check if item matches
-    if (typeof accessResult === 'object') {
-      const matchesFilter = await model.findFirst({
-        where: mergeFilters(args.where, accessResult),
+    // 2. Check update access (skip if sudo mode)
+    if (!context._isSudo) {
+      const updateAccess = listConfig.access?.operation?.update
+      const accessResult = await checkAccess(updateAccess, {
+        session: context.session,
+        item,
+        context,
       })
 
-      if (!matchesFilter) {
+      if (accessResult === false) {
         return null
       }
+
+      // If access returns a filter, check if item matches
+      if (typeof accessResult === 'object') {
+        const matchesFilter = await model.findFirst({
+          where: mergeFilters(args.where, accessResult),
+        })
+
+        if (!matchesFilter) {
+          return null
+        }
+      }
     }
 
     // 3. Execute list-level resolveInput hook
@@ -603,11 +784,11 @@ function createUpdate<TPrisma extends PrismaClientLike>(
       throw new ValidationError(validation.errors, validation.fieldErrors)
     }
 
-    // 6. Filter writable fields (field-level access control)
+    // 6. Filter writable fields (field-level access control, skip if sudo mode)
     const filteredData = await filterWritableFields(resolvedData, listConfig.fields, 'update', {
       session: context.session,
       item,
-      context,
+      context: { ...context, _isSudo: context._isSudo },
     })
 
     // 6.5. Process nested relationship operations
@@ -660,12 +841,13 @@ function createUpdate<TPrisma extends PrismaClientLike>(
     )
 
     // 12. Filter readable fields and apply resolveOutput hooks (including nested relationships)
+    // Pass sudo flag through context to skip field-level access checks
     const filtered = await filterReadableFields(
       updated,
       listConfig.fields,
       {
         session: context.session,
-        context,
+        context: { ...context, _isSudo: context._isSudo },
       },
       config,
       0,
@@ -683,7 +865,7 @@ function createDelete<TPrisma extends PrismaClientLike>(
   listName: string,
   listConfig: ListConfig,
   prisma: TPrisma,
-  context: AccessContext,
+  context: AccessContext<TPrisma>,
 ) {
   return async (args: { where: { id: string } }) => {
     // 1. Fetch the item to pass to access control and hooks
@@ -698,27 +880,29 @@ function createDelete<TPrisma extends PrismaClientLike>(
       return null
     }
 
-    // 2. Check delete access
-    const deleteAccess = listConfig.access?.operation?.delete
-    const accessResult = await checkAccess(deleteAccess, {
-      session: context.session,
-      item,
-      context,
-    })
-
-    if (accessResult === false) {
-      return null
-    }
-
-    // If access returns a filter, check if item matches
-    if (typeof accessResult === 'object') {
-      const matchesFilter = await model.findFirst({
-        where: mergeFilters(args.where, accessResult),
+    // 2. Check delete access (skip if sudo mode)
+    if (!context._isSudo) {
+      const deleteAccess = listConfig.access?.operation?.delete
+      const accessResult = await checkAccess(deleteAccess, {
+        session: context.session,
+        item,
+        context,
       })
 
-      if (!matchesFilter) {
+      if (accessResult === false) {
         return null
       }
+
+      // If access returns a filter, check if item matches
+      if (typeof accessResult === 'object') {
+        const matchesFilter = await model.findFirst({
+          where: mergeFilters(args.where, accessResult),
+        })
+
+        if (!matchesFilter) {
+          return null
+        }
+      }
     }
 
     // 3. Execute field-level beforeOperation hooks (side effects only)
@@ -764,24 +948,28 @@ function createCount<TPrisma extends PrismaClientLike>(
   listName: string,
   listConfig: ListConfig,
   prisma: TPrisma,
-  context: AccessContext,
+  context: AccessContext<TPrisma>,
 ) {
   return async (args?: { where?: Record<string, unknown> }) => {
-    // Check query access
-    const queryAccess = listConfig.access?.operation?.query
-    const accessResult = await checkAccess(queryAccess, {
-      session: context.session,
-      context,
-    })
+    // Check query access (skip if sudo mode)
+    let where: Record<string, unknown> | undefined = args?.where
+    if (!context._isSudo) {
+      const queryAccess = listConfig.access?.operation?.query
+      const accessResult = await checkAccess(queryAccess, {
+        session: context.session,
+        context,
+      })
 
-    if (accessResult === false) {
-      return 0
-    }
+      if (accessResult === false) {
+        return 0
+      }
 
-    // Merge access filter with where clause
-    const where = mergeFilters(args?.where, accessResult)
-    if (where === null) {
-      return 0
+      // Merge access filter with where clause
+      const mergedWhere = mergeFilters(args?.where, accessResult)
+      if (mergedWhere === null) {
+        return 0
+      }
+      where = mergedWhere
     }
 
     // Execute count

package/src/fields/index.ts

@@ -59,7 +59,7 @@ export function text(options?: Omit<TextField, 'type'>): TextField {
         return z.union([withMax, z.undefined()])
       }
 
-      return !isRequired ? withMax.optional() : withMax
+      return !isRequired ? withMax.optional().nullable() : withMax
     },
     getPrismaType: () => {
       const validation = options?.validation
@@ -122,7 +122,7 @@ export function integer(options?: Omit<IntegerField, 'type'>): IntegerField {
           : withMin
 
       return !options?.validation?.isRequired || operation === 'update'
-        ? withMax.optional()
+        ? withMax.optional().nullable()
         : withMax
     },
     getPrismaType: () => {
@@ -152,7 +152,7 @@ export function checkbox(options?: Omit<CheckboxField, 'type'>): CheckboxField {
     type: 'checkbox',
     ...options,
     getZodSchema: () => {
-      return z.boolean().optional()
+      return z.boolean().optional().nullable()
     },
     getPrismaType: () => {
       const hasDefault = options?.defaultValue !== undefined
@@ -184,7 +184,7 @@ export function timestamp(options?: Omit<TimestampField, 'type'>): TimestampFiel
     type: 'timestamp',
     ...options,
     getZodSchema: () => {
-      return z.union([z.date(), z.iso.datetime()]).optional()
+      return z.union([z.date(), z.iso.datetime()]).optional().nullable()
     },
     getPrismaType: () => {
       let modifiers = '?'
@@ -347,6 +347,7 @@ export function password(options?: Omit<PasswordField, 'type'>): PasswordField {
             message: `${formatFieldName(fieldName)} must be text`,
           })
           .optional()
+          .nullable()
       }
     },
     getPrismaType: () => {
@@ -386,7 +387,7 @@ export function select(options: Omit<SelectField, 'type'>): SelectField {
       })
 
       if (!options.validation?.isRequired || operation === 'update') {
-        schema = schema.optional()
+        schema = schema.optional().nullable()
       }
 
       return schema
@@ -499,8 +500,8 @@ export function json(options?: Omit<JsonField, 'type'>): JsonField {
         // Required in update mode: can be undefined for partial updates
         return z.union([baseSchema, z.undefined()])
       } else {
-        // Not required: can be undefined
-        return baseSchema.optional()
+        // Not required: can be undefined or null
+        return baseSchema.optional().nullable()
       }
     },
     getPrismaType: () => {