@questpie/admin 3.0.4 → 3.0.6

package/dist/server/modules/admin/routes/translations.d.mts

@@ -1,4 +1,4 @@
-import * as questpie464 from "questpie";
+import * as questpie434 from "questpie";
 
 //#region src/server/modules/admin/routes/translations.d.ts
 
@@ -17,10 +17,10 @@ import * as questpie464 from "questpie";
  * Bundle of translation-related functions.
  */
 declare const translationFunctions: {
-  readonly getAdminTranslations: questpie464.JsonRouteDefinition<{
+  readonly getAdminTranslations: questpie434.JsonRouteDefinition<{
     locale: string;
-  }, any, questpie464.JsonRouteParams>;
-  readonly getAdminLocales: questpie464.JsonRouteDefinition<Record<string, never> | undefined, any, questpie464.JsonRouteParams>;
+  }, any, questpie434.JsonRouteParams>;
+  readonly getAdminLocales: questpie434.JsonRouteDefinition<Record<string, never> | undefined, any, questpie434.JsonRouteParams>;
 };
 //#endregion
 export { translationFunctions };

package/dist/server/modules/admin/routes/widget-data.d.mts

@@ -1,4 +1,4 @@
-import * as questpie93 from "questpie";
+import * as questpie69 from "questpie";
 
 //#region src/server/modules/admin/routes/widget-data.d.ts
 
@@ -20,13 +20,13 @@ import * as questpie93 from "questpie";
  * const data = await client.routes.fetchWidgetData({ widgetId: "my-widget" });
  * ```
  */
-declare const fetchWidgetData: questpie93.JsonRouteDefinition<{
+declare const fetchWidgetData: questpie69.JsonRouteDefinition<{
   widgetId: string;
-}, any, questpie93.JsonRouteParams>;
+}, any, questpie69.JsonRouteParams>;
 declare const widgetDataFunctions: {
-  readonly fetchWidgetData: questpie93.JsonRouteDefinition<{
+  readonly fetchWidgetData: questpie69.JsonRouteDefinition<{
     widgetId: string;
-  }, any, questpie93.JsonRouteParams>;
+  }, any, questpie69.JsonRouteParams>;
 };
 //#endregion
 export { fetchWidgetData, widgetDataFunctions };

package/dist/server/modules/admin-preferences/collections/saved-views.d.mts

@@ -1,6 +1,6 @@
 import { FilterOperator, FilterRule, SortConfig, ViewConfiguration } from "../../../../shared/types/saved-views.types.mjs";
 import * as questpie_shared15 from "questpie/shared";
-import * as questpie107 from "questpie";
+import * as questpie89 from "questpie";
 import * as questpie_src_server_modules_core_fields_email_js2 from "questpie/src/server/modules/core/fields/email.js";
 import * as questpie_src_server_modules_core_fields_json_js2 from "questpie/src/server/modules/core/fields/json.js";
 import * as drizzle_orm_pg_core22 from "drizzle-orm/pg-core";
@@ -33,22 +33,22 @@ import * as drizzle_orm5 from "drizzle-orm";
  * });
  * ```
  */
-declare const savedViewsCollection: questpie107.CollectionBuilder<questpie_shared15.Override<questpie_shared15.Override<questpie107.EmptyCollectionState<"admin_saved_views", undefined, {
-  readonly text: typeof questpie107.text;
-  readonly textarea: typeof questpie107.textarea;
+declare const savedViewsCollection: questpie89.CollectionBuilder<questpie_shared15.Override<questpie_shared15.Override<questpie89.EmptyCollectionState<"admin_saved_views", undefined, {
+  readonly text: typeof questpie89.text;
+  readonly textarea: typeof questpie89.textarea;
   readonly email: typeof questpie_src_server_modules_core_fields_email_js2.email;
-  readonly url: typeof questpie107.url;
-  readonly number: typeof questpie107.number;
-  readonly boolean: typeof questpie107.boolean;
-  readonly date: typeof questpie107.date;
-  readonly datetime: typeof questpie107.datetime;
-  readonly time: typeof questpie107.time;
-  readonly select: typeof questpie107.select;
-  readonly upload: typeof questpie107.upload;
-  readonly relation: typeof questpie107.relation;
-  readonly object: typeof questpie107.object;
+  readonly url: typeof questpie89.url;
+  readonly number: typeof questpie89.number;
+  readonly boolean: typeof questpie89.boolean;
+  readonly date: typeof questpie89.date;
+  readonly datetime: typeof questpie89.datetime;
+  readonly time: typeof questpie89.time;
+  readonly select: typeof questpie89.select;
+  readonly upload: typeof questpie89.upload;
+  readonly relation: typeof questpie89.relation;
+  readonly object: typeof questpie89.object;
   readonly json: typeof questpie_src_server_modules_core_fields_json_js2.json;
-  readonly from: typeof questpie107.from;
+  readonly from: typeof questpie89.from;
 }>, {
   fields: {
     readonly userId: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgVarcharBuilder<[string, ...string[]]>>;
@@ -59,31 +59,31 @@ declare const savedViewsCollection: questpie107.CollectionBuilder<questpie_share
   };
   localized: readonly string[];
   fieldDefinitions: {
-    readonly userId: questpie107.FieldWithMethods<Omit<questpie107.TextFieldState, "notNull" | "column"> & {
+    readonly userId: questpie89.FieldWithMethods<Omit<questpie89.TextFieldState, "notNull" | "column"> & {
       notNull: true;
       column: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgVarcharBuilder<[string, ...string[]]>>;
     } & {
       label: questpie_shared15.I18nText;
-    }, questpie107.TextFieldMethods>;
-    readonly collectionName: questpie107.FieldWithMethods<Omit<questpie107.TextFieldState, "notNull" | "column"> & {
+    }, questpie89.TextFieldMethods>;
+    readonly collectionName: questpie89.FieldWithMethods<Omit<questpie89.TextFieldState, "notNull" | "column"> & {
       notNull: true;
       column: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgVarcharBuilder<[string, ...string[]]>>;
     } & {
       label: questpie_shared15.I18nText;
-    }, questpie107.TextFieldMethods>;
-    readonly name: questpie107.FieldWithMethods<Omit<questpie107.TextFieldState, "notNull" | "column"> & {
+    }, questpie89.TextFieldMethods>;
+    readonly name: questpie89.FieldWithMethods<Omit<questpie89.TextFieldState, "notNull" | "column"> & {
       notNull: true;
       column: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgVarcharBuilder<[string, ...string[]]>>;
     } & {
       label: questpie_shared15.I18nText;
-    }, questpie107.TextFieldMethods>;
-    readonly configuration: questpie107.Field<Omit<questpie107.JsonFieldState, "notNull" | "column"> & {
+    }, questpie89.TextFieldMethods>;
+    readonly configuration: questpie89.Field<Omit<questpie89.JsonFieldState, "notNull" | "column"> & {
       notNull: true;
       column: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgJsonbBuilder>;
     } & {
       label: questpie_shared15.I18nText;
     }>;
-    readonly isDefault: questpie107.Field<Omit<questpie107.BooleanFieldState, "column" | "hasDefault"> & {
+    readonly isDefault: questpie89.Field<Omit<questpie89.BooleanFieldState, "column" | "hasDefault"> & {
       hasDefault: true;
       column: drizzle_orm5.HasDefault<drizzle_orm_pg_core22.PgBooleanBuilder>;
     } & {

package/dist/server.d.mts

@@ -6,10 +6,6 @@ import { ServerSidebarCollectionItem, ServerSidebarConfig, ServerSidebarDividerI
 import { ActionsConfigContext, BuiltinActionType, ServerActionContext, ServerActionDefinition, ServerActionDownload, ServerActionEffects, ServerActionError, ServerActionForm, ServerActionFormField, ServerActionHandler, ServerActionRedirect, ServerActionResult, ServerActionSuccess, ServerActionsConfig } from "./server/augmentation/actions.mjs";
 import { AdminConfigInput, adminConfig } from "./server/augmentation/index.mjs";
 import "./server/augmentation.mjs";
-import { adminPlugin } from "./server/plugin.mjs";
-import { AuthSession, GetAdminSessionOptions, RequireAdminAuthOptions, getAdminSession, isAdminUser, requireAdminAuth } from "./server/modules/admin/auth-helpers.mjs";
-import { NextAuthMiddlewareOptions, createNextAuthMiddleware, getNextAdminSession } from "./server/adapters/nextjs.mjs";
-import { BeforeLoadContext, TanStackAuthGuardOptions, createTanStackAuthGuard, createTanStackSessionLoader } from "./server/adapters/tanstack.mjs";
 import { BlockNode, BlockValues, BlocksDocument, BlocksFieldMeta } from "./server/fields/blocks.mjs";
 import { RichTextFeature, RichTextFieldMeta, TipTapDocument, TipTapNode } from "./server/fields/rich-text.mjs";
 import { adminFields } from "./server/fields/index.mjs";
@@ -17,6 +13,10 @@ import { AnyBlockBuilder, AnyBlockDefinition, BlockBuilder, BlockBuilderState, B
 import { BlockSchema, getBlocksByCategory, introspectBlock, introspectBlocks } from "./server/modules/admin/block/introspection.mjs";
 import { BlocksPrefetchContext, createBlocksPrefetchHook, processBlocksDocument, processDocumentBlocksPrefetch } from "./server/modules/admin/block/prefetch.mjs";
 import "./server/block/index.mjs";
+import { adminPlugin } from "./server/plugin.mjs";
+import { AuthSession, GetAdminSessionOptions, RequireAdminAuthOptions, getAdminSession, isAdminUser, requireAdminAuth } from "./server/modules/admin/auth-helpers.mjs";
+import { NextAuthMiddlewareOptions, createNextAuthMiddleware, getNextAdminSession } from "./server/adapters/nextjs.mjs";
+import { BeforeLoadContext, TanStackAuthGuardOptions, createTanStackAuthGuard, createTanStackSessionLoader } from "./server/adapters/tanstack.mjs";
 import { ExecuteActionRequest, ExecuteActionResponse, actionFunctions, executeAction, executeActionFn, getActionsConfig, getActionsConfigFn } from "./server/modules/admin/routes/execute-action.mjs";
 import { PreviewTokenPayload, createPreviewFunctions, createPreviewTokenVerifier, verifyPreviewTokenDirect } from "./server/modules/admin/routes/preview.mjs";
 import { batchReactive, fieldOptions, reactiveFunctions } from "./server/modules/admin/routes/reactive.mjs";

package/dist/shared/preview-utils.d.mts

@@ -10,6 +10,39 @@
  * Set by /api/preview route, checked by page loaders.
  */
 declare const DRAFT_MODE_COOKIE = "__draft_mode";
+/**
+ * URL prefix used by the admin SPA when mounted at the conventional
+ * `/admin` path. Kept for reference and as a fallback signal for setups
+ * that pre-date the header-based detection.
+ */
+declare const ADMIN_API_PREFIX = "/admin/api/";
+/**
+ * Whether the given request originates from the admin panel.
+ *
+ * Detection strategy (in order):
+ * 1. Presence of the `X-Questpie-Admin` request header — the canonical
+ *    signal, injected by `createAdminClient` / `withAdminRequestHeader`.
+ * 2. URL path starts with {@link ADMIN_API_PREFIX} — fallback for clients
+ *    that don't inject the header (e.g. pre-3.0.6 admin SDK consumers, or
+ *    direct `curl` calls to `/admin/api/...`).
+ *
+ * Use inside collection/global `.access()` rules to grant admin-only
+ * scope (e.g. master counselor sees everything in the admin, but stays
+ * scoped to their own data on the frontend).
+ *
+ * @example
+ * ```ts
+ * import { isAdminRequest } from "@questpie/admin/shared";
+ *
+ * .access({
+ *   read: ({ session, request }) => {
+ *     if (isAdminRequest(request) && isAdmin(session?.user)) return true;
+ *     return { createdById: session?.user?.id };
+ *   },
+ * })
+ * ```
+ */
+declare function isAdminRequest(request?: Request | null): boolean;
 /**
  * Check if draft mode is enabled from cookie header.
  *
@@ -50,4 +83,4 @@ declare function createDraftModeCookie(enabled: boolean, maxAge?: number): strin
  */
 declare function getPreviewSecret(): string;
 //#endregion
-export { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode };
+export { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode };

package/dist/shared/preview-utils.mjs

@@ -11,6 +11,84 @@
 */
 const DRAFT_MODE_COOKIE = "__draft_mode";
 /**
+* Header injected by `createAdminClient` (and `withAdminRequestHeader`) on
+* every admin SPA request. Inspected by {@link isAdminRequest} so access
+* rules can branch on caller intent without depending on URL structure.
+*/
+const ADMIN_REQUEST_HEADER = "x-questpie-admin";
+/**
+* URL prefix used by the admin SPA when mounted at the conventional
+* `/admin` path. Kept for reference and as a fallback signal for setups
+* that pre-date the header-based detection.
+*/
+const ADMIN_API_PREFIX = "/admin/api/";
+/**
+* Whether the given request originates from the admin panel.
+*
+* Detection strategy (in order):
+* 1. Presence of the `X-Questpie-Admin` request header — the canonical
+*    signal, injected by `createAdminClient` / `withAdminRequestHeader`.
+* 2. URL path starts with {@link ADMIN_API_PREFIX} — fallback for clients
+*    that don't inject the header (e.g. pre-3.0.6 admin SDK consumers, or
+*    direct `curl` calls to `/admin/api/...`).
+*
+* Use inside collection/global `.access()` rules to grant admin-only
+* scope (e.g. master counselor sees everything in the admin, but stays
+* scoped to their own data on the frontend).
+*
+* @example
+* ```ts
+* import { isAdminRequest } from "@questpie/admin/shared";
+*
+* .access({
+*   read: ({ session, request }) => {
+*     if (isAdminRequest(request) && isAdmin(session?.user)) return true;
+*     return { createdById: session?.user?.id };
+*   },
+* })
+* ```
+*/
+function isAdminRequest(request) {
+	if (!request) return false;
+	if (request.headers?.get?.(ADMIN_REQUEST_HEADER)) return true;
+	try {
+		return new URL(request.url).pathname.startsWith(ADMIN_API_PREFIX);
+	} catch {
+		return false;
+	}
+}
+/**
+* Wrap a `fetch` implementation so every outbound request carries the
+* `X-Questpie-Admin` header. Used internally by
+* `createAdminClient` — apps building a custom admin client (or using
+* an alternate HTTP layer) can compose the wrapper themselves.
+*
+* @param baseFetch - The fetch implementation to wrap. Defaults to
+*   `globalThis.fetch`.
+*
+* @example
+* ```ts
+* import { createClient } from "questpie/client";
+* import { withAdminRequestHeader } from "@questpie/admin/shared";
+*
+* export const adminCmsClient = createClient<AppConfig>({
+*   baseURL: window.location.origin,
+*   basePath: "/api",
+*   fetch: withAdminRequestHeader(),
+* });
+* ```
+*/
+function withAdminRequestHeader(baseFetch = globalThis.fetch) {
+	return ((input, init) => {
+		const headers = new Headers(init?.headers);
+		if (!headers.has(ADMIN_REQUEST_HEADER)) headers.set(ADMIN_REQUEST_HEADER, "1");
+		return baseFetch(input, {
+			...init,
+			headers
+		});
+	});
+}
+/**
 * Check if draft mode is enabled from cookie header.
 *
 * @param cookieHeader - The Cookie header value from request
@@ -61,4 +139,4 @@ function getPreviewSecret() {
 }
 
 //#endregion
-export { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode };
+export { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode, withAdminRequestHeader };

package/dist/shared.d.mts

@@ -1,3 +1,3 @@
 import { FilterOperator, FilterRule, SortConfig, ViewConfiguration } from "./shared/types/saved-views.types.mjs";
-import { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode } from "./shared/preview-utils.mjs";
-export { DRAFT_MODE_COOKIE, type FilterOperator, type FilterRule, type SortConfig, type ViewConfiguration, createDraftModeCookie, getPreviewSecret, isDraftMode };
+import { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode } from "./shared/preview-utils.mjs";
+export { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, type FilterOperator, type FilterRule, type SortConfig, type ViewConfiguration, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode };

package/dist/shared.mjs

@@ -1,3 +1,3 @@
-import { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode } from "./shared/preview-utils.mjs";
+import { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode } from "./shared/preview-utils.mjs";
 
-export { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode };
+export { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@questpie/admin",
-	"version": "3.0.4",
+	"version": "3.0.6",
 	"repository": {
 		"type": "git",
 		"url": "https://github.com/questpie/questpie.git",
@@ -62,7 +62,7 @@
 		"@fontsource-variable/jetbrains-mono": "^5.2.8",
 		"@hookform/resolvers": "^5.1.0",
 		"@iconify/react": "^6.0.2",
-		"@questpie/tanstack-query": "^3.0.4",
+		"@questpie/tanstack-query": "^3.0.6",
 		"@tailwindcss/vite": "^4.0.6",
 		"@tiptap/core": "^2.x",
 		"@tiptap/extension-character-count": "^2.x",
@@ -88,7 +88,7 @@
 		"date-fns": "^4.1.0",
 		"lowlight": "^3.x",
 		"next-themes": "^0.4.6",
-		"questpie": "^3.0.4",
+		"questpie": "^3.0.6",
 		"react-day-picker": "^9.12.0",
 		"react-hook-form": "^7.54.0",
 		"react-resizable-panels": "^4.4.2",