@questpie/admin 3.0.5 → 3.0.7

package/dist/server/modules/admin-preferences/collections/saved-views.d.mts

@@ -1,6 +1,6 @@
 import { FilterOperator, FilterRule, SortConfig, ViewConfiguration } from "../../../../shared/types/saved-views.types.mjs";
 import * as questpie_shared15 from "questpie/shared";
-import * as questpie73 from "questpie";
+import * as questpie69 from "questpie";
 import * as questpie_src_server_modules_core_fields_email_js1 from "questpie/src/server/modules/core/fields/email.js";
 import * as questpie_src_server_modules_core_fields_json_js1 from "questpie/src/server/modules/core/fields/json.js";
 import * as drizzle_orm_pg_core22 from "drizzle-orm/pg-core";
@@ -33,22 +33,22 @@ import * as drizzle_orm5 from "drizzle-orm";
  * });
  * ```
  */
-declare const savedViewsCollection: questpie73.CollectionBuilder<questpie_shared15.Override<questpie_shared15.Override<questpie73.EmptyCollectionState<"admin_saved_views", undefined, {
-  readonly text: typeof questpie73.text;
-  readonly textarea: typeof questpie73.textarea;
+declare const savedViewsCollection: questpie69.CollectionBuilder<questpie_shared15.Override<questpie_shared15.Override<questpie69.EmptyCollectionState<"admin_saved_views", undefined, {
+  readonly text: typeof questpie69.text;
+  readonly textarea: typeof questpie69.textarea;
   readonly email: typeof questpie_src_server_modules_core_fields_email_js1.email;
-  readonly url: typeof questpie73.url;
-  readonly number: typeof questpie73.number;
-  readonly boolean: typeof questpie73.boolean;
-  readonly date: typeof questpie73.date;
-  readonly datetime: typeof questpie73.datetime;
-  readonly time: typeof questpie73.time;
-  readonly select: typeof questpie73.select;
-  readonly upload: typeof questpie73.upload;
-  readonly relation: typeof questpie73.relation;
-  readonly object: typeof questpie73.object;
+  readonly url: typeof questpie69.url;
+  readonly number: typeof questpie69.number;
+  readonly boolean: typeof questpie69.boolean;
+  readonly date: typeof questpie69.date;
+  readonly datetime: typeof questpie69.datetime;
+  readonly time: typeof questpie69.time;
+  readonly select: typeof questpie69.select;
+  readonly upload: typeof questpie69.upload;
+  readonly relation: typeof questpie69.relation;
+  readonly object: typeof questpie69.object;
   readonly json: typeof questpie_src_server_modules_core_fields_json_js1.json;
-  readonly from: typeof questpie73.from;
+  readonly from: typeof questpie69.from;
 }>, {
   fields: {
     readonly userId: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgVarcharBuilder<[string, ...string[]]>>;
@@ -59,31 +59,31 @@ declare const savedViewsCollection: questpie73.CollectionBuilder<questpie_shared
   };
   localized: readonly string[];
   fieldDefinitions: {
-    readonly userId: questpie73.FieldWithMethods<Omit<questpie73.TextFieldState, "notNull" | "column"> & {
+    readonly userId: questpie69.FieldWithMethods<Omit<questpie69.TextFieldState, "notNull" | "column"> & {
       notNull: true;
       column: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgVarcharBuilder<[string, ...string[]]>>;
     } & {
       label: questpie_shared15.I18nText;
-    }, questpie73.TextFieldMethods>;
-    readonly collectionName: questpie73.FieldWithMethods<Omit<questpie73.TextFieldState, "notNull" | "column"> & {
+    }, questpie69.TextFieldMethods>;
+    readonly collectionName: questpie69.FieldWithMethods<Omit<questpie69.TextFieldState, "notNull" | "column"> & {
       notNull: true;
       column: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgVarcharBuilder<[string, ...string[]]>>;
     } & {
       label: questpie_shared15.I18nText;
-    }, questpie73.TextFieldMethods>;
-    readonly name: questpie73.FieldWithMethods<Omit<questpie73.TextFieldState, "notNull" | "column"> & {
+    }, questpie69.TextFieldMethods>;
+    readonly name: questpie69.FieldWithMethods<Omit<questpie69.TextFieldState, "notNull" | "column"> & {
       notNull: true;
       column: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgVarcharBuilder<[string, ...string[]]>>;
     } & {
       label: questpie_shared15.I18nText;
-    }, questpie73.TextFieldMethods>;
-    readonly configuration: questpie73.Field<Omit<questpie73.JsonFieldState, "notNull" | "column"> & {
+    }, questpie69.TextFieldMethods>;
+    readonly configuration: questpie69.Field<Omit<questpie69.JsonFieldState, "notNull" | "column"> & {
       notNull: true;
       column: drizzle_orm5.NotNull<drizzle_orm_pg_core22.PgJsonbBuilder>;
     } & {
       label: questpie_shared15.I18nText;
     }>;
-    readonly isDefault: questpie73.Field<Omit<questpie73.BooleanFieldState, "column" | "hasDefault"> & {
+    readonly isDefault: questpie69.Field<Omit<questpie69.BooleanFieldState, "column" | "hasDefault"> & {
       hasDefault: true;
       column: drizzle_orm5.HasDefault<drizzle_orm_pg_core22.PgBooleanBuilder>;
     } & {

package/dist/server.d.mts

@@ -6,10 +6,6 @@ import { ServerSidebarCollectionItem, ServerSidebarConfig, ServerSidebarDividerI
 import { ActionsConfigContext, BuiltinActionType, ServerActionContext, ServerActionDefinition, ServerActionDownload, ServerActionEffects, ServerActionError, ServerActionForm, ServerActionFormField, ServerActionHandler, ServerActionRedirect, ServerActionResult, ServerActionSuccess, ServerActionsConfig } from "./server/augmentation/actions.mjs";
 import { AdminConfigInput, adminConfig } from "./server/augmentation/index.mjs";
 import "./server/augmentation.mjs";
-import { adminPlugin } from "./server/plugin.mjs";
-import { AuthSession, GetAdminSessionOptions, RequireAdminAuthOptions, getAdminSession, isAdminUser, requireAdminAuth } from "./server/modules/admin/auth-helpers.mjs";
-import { NextAuthMiddlewareOptions, createNextAuthMiddleware, getNextAdminSession } from "./server/adapters/nextjs.mjs";
-import { BeforeLoadContext, TanStackAuthGuardOptions, createTanStackAuthGuard, createTanStackSessionLoader } from "./server/adapters/tanstack.mjs";
 import { BlockNode, BlockValues, BlocksDocument, BlocksFieldMeta } from "./server/fields/blocks.mjs";
 import { RichTextFeature, RichTextFieldMeta, TipTapDocument, TipTapNode } from "./server/fields/rich-text.mjs";
 import { adminFields } from "./server/fields/index.mjs";
@@ -17,6 +13,10 @@ import { AnyBlockBuilder, AnyBlockDefinition, BlockBuilder, BlockBuilderState, B
 import { BlockSchema, getBlocksByCategory, introspectBlock, introspectBlocks } from "./server/modules/admin/block/introspection.mjs";
 import { BlocksPrefetchContext, createBlocksPrefetchHook, processBlocksDocument, processDocumentBlocksPrefetch } from "./server/modules/admin/block/prefetch.mjs";
 import "./server/block/index.mjs";
+import { adminPlugin } from "./server/plugin.mjs";
+import { AuthSession, GetAdminSessionOptions, RequireAdminAuthOptions, getAdminSession, isAdminUser, requireAdminAuth } from "./server/modules/admin/auth-helpers.mjs";
+import { NextAuthMiddlewareOptions, createNextAuthMiddleware, getNextAdminSession } from "./server/adapters/nextjs.mjs";
+import { BeforeLoadContext, TanStackAuthGuardOptions, createTanStackAuthGuard, createTanStackSessionLoader } from "./server/adapters/tanstack.mjs";
 import { ExecuteActionRequest, ExecuteActionResponse, actionFunctions, executeAction, executeActionFn, getActionsConfig, getActionsConfigFn } from "./server/modules/admin/routes/execute-action.mjs";
 import { PreviewTokenPayload, createPreviewFunctions, createPreviewTokenVerifier, verifyPreviewTokenDirect } from "./server/modules/admin/routes/preview.mjs";
 import { batchReactive, fieldOptions, reactiveFunctions } from "./server/modules/admin/routes/reactive.mjs";

package/dist/shared/preview-utils.d.mts

@@ -10,6 +10,39 @@
  * Set by /api/preview route, checked by page loaders.
  */
 declare const DRAFT_MODE_COOKIE = "__draft_mode";
+/**
+ * URL prefix used by the admin SPA when mounted at the conventional
+ * `/admin` path. Kept for reference and as a fallback signal for setups
+ * that pre-date the header-based detection.
+ */
+declare const ADMIN_API_PREFIX = "/admin/api/";
+/**
+ * Whether the given request originates from the admin panel.
+ *
+ * Detection strategy (in order):
+ * 1. Presence of the `X-Questpie-Admin` request header — the canonical
+ *    signal, injected by `createAdminClient` / `withAdminRequestHeader`.
+ * 2. URL path starts with {@link ADMIN_API_PREFIX} — fallback for clients
+ *    that don't inject the header (e.g. pre-3.0.6 admin SDK consumers, or
+ *    direct `curl` calls to `/admin/api/...`).
+ *
+ * Use inside collection/global `.access()` rules to grant admin-only
+ * scope (e.g. master counselor sees everything in the admin, but stays
+ * scoped to their own data on the frontend).
+ *
+ * @example
+ * ```ts
+ * import { isAdminRequest } from "@questpie/admin/shared";
+ *
+ * .access({
+ *   read: ({ session, request }) => {
+ *     if (isAdminRequest(request) && isAdmin(session?.user)) return true;
+ *     return { createdById: session?.user?.id };
+ *   },
+ * })
+ * ```
+ */
+declare function isAdminRequest(request?: Request | null): boolean;
 /**
  * Check if draft mode is enabled from cookie header.
  *
@@ -50,4 +83,4 @@ declare function createDraftModeCookie(enabled: boolean, maxAge?: number): strin
  */
 declare function getPreviewSecret(): string;
 //#endregion
-export { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode };
+export { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode };

package/dist/shared/preview-utils.mjs

@@ -11,6 +11,84 @@
 */
 const DRAFT_MODE_COOKIE = "__draft_mode";
 /**
+* Header injected by `createAdminClient` (and `withAdminRequestHeader`) on
+* every admin SPA request. Inspected by {@link isAdminRequest} so access
+* rules can branch on caller intent without depending on URL structure.
+*/
+const ADMIN_REQUEST_HEADER = "x-questpie-admin";
+/**
+* URL prefix used by the admin SPA when mounted at the conventional
+* `/admin` path. Kept for reference and as a fallback signal for setups
+* that pre-date the header-based detection.
+*/
+const ADMIN_API_PREFIX = "/admin/api/";
+/**
+* Whether the given request originates from the admin panel.
+*
+* Detection strategy (in order):
+* 1. Presence of the `X-Questpie-Admin` request header — the canonical
+*    signal, injected by `createAdminClient` / `withAdminRequestHeader`.
+* 2. URL path starts with {@link ADMIN_API_PREFIX} — fallback for clients
+*    that don't inject the header (e.g. pre-3.0.6 admin SDK consumers, or
+*    direct `curl` calls to `/admin/api/...`).
+*
+* Use inside collection/global `.access()` rules to grant admin-only
+* scope (e.g. master counselor sees everything in the admin, but stays
+* scoped to their own data on the frontend).
+*
+* @example
+* ```ts
+* import { isAdminRequest } from "@questpie/admin/shared";
+*
+* .access({
+*   read: ({ session, request }) => {
+*     if (isAdminRequest(request) && isAdmin(session?.user)) return true;
+*     return { createdById: session?.user?.id };
+*   },
+* })
+* ```
+*/
+function isAdminRequest(request) {
+	if (!request) return false;
+	if (request.headers?.get?.(ADMIN_REQUEST_HEADER)) return true;
+	try {
+		return new URL(request.url).pathname.startsWith(ADMIN_API_PREFIX);
+	} catch {
+		return false;
+	}
+}
+/**
+* Wrap a `fetch` implementation so every outbound request carries the
+* `X-Questpie-Admin` header. Used internally by
+* `createAdminClient` — apps building a custom admin client (or using
+* an alternate HTTP layer) can compose the wrapper themselves.
+*
+* @param baseFetch - The fetch implementation to wrap. Defaults to
+*   `globalThis.fetch`.
+*
+* @example
+* ```ts
+* import { createClient } from "questpie/client";
+* import { withAdminRequestHeader } from "@questpie/admin/shared";
+*
+* export const adminCmsClient = createClient<AppConfig>({
+*   baseURL: window.location.origin,
+*   basePath: "/api",
+*   fetch: withAdminRequestHeader(),
+* });
+* ```
+*/
+function withAdminRequestHeader(baseFetch = globalThis.fetch) {
+	return ((input, init) => {
+		const headers = new Headers(init?.headers);
+		if (!headers.has(ADMIN_REQUEST_HEADER)) headers.set(ADMIN_REQUEST_HEADER, "1");
+		return baseFetch(input, {
+			...init,
+			headers
+		});
+	});
+}
+/**
 * Check if draft mode is enabled from cookie header.
 *
 * @param cookieHeader - The Cookie header value from request
@@ -61,4 +139,4 @@ function getPreviewSecret() {
 }
 
 //#endregion
-export { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode };
+export { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode, withAdminRequestHeader };

package/dist/shared.d.mts

@@ -1,3 +1,3 @@
 import { FilterOperator, FilterRule, SortConfig, ViewConfiguration } from "./shared/types/saved-views.types.mjs";
-import { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode } from "./shared/preview-utils.mjs";
-export { DRAFT_MODE_COOKIE, type FilterOperator, type FilterRule, type SortConfig, type ViewConfiguration, createDraftModeCookie, getPreviewSecret, isDraftMode };
+import { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode } from "./shared/preview-utils.mjs";
+export { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, type FilterOperator, type FilterRule, type SortConfig, type ViewConfiguration, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode };

package/dist/shared.mjs

@@ -1,3 +1,3 @@
-import { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode } from "./shared/preview-utils.mjs";
+import { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode } from "./shared/preview-utils.mjs";
 
-export { DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isDraftMode };
+export { ADMIN_API_PREFIX, DRAFT_MODE_COOKIE, createDraftModeCookie, getPreviewSecret, isAdminRequest, isDraftMode };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@questpie/admin",
-	"version": "3.0.5",
+	"version": "3.0.7",
 	"repository": {
 		"type": "git",
 		"url": "https://github.com/questpie/questpie.git",
@@ -62,7 +62,7 @@
 		"@fontsource-variable/jetbrains-mono": "^5.2.8",
 		"@hookform/resolvers": "^5.1.0",
 		"@iconify/react": "^6.0.2",
-		"@questpie/tanstack-query": "^3.0.5",
+		"@questpie/tanstack-query": "^3.0.7",
 		"@tailwindcss/vite": "^4.0.6",
 		"@tiptap/core": "^2.x",
 		"@tiptap/extension-character-count": "^2.x",
@@ -88,7 +88,7 @@
 		"date-fns": "^4.1.0",
 		"lowlight": "^3.x",
 		"next-themes": "^0.4.6",
-		"questpie": "^3.0.5",
+		"questpie": "^3.0.7",
 		"react-day-picker": "^9.12.0",
 		"react-hook-form": "^7.54.0",
 		"react-resizable-panels": "^4.4.2",