@rapidd/build 1.0.2 → 1.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rapidd/build",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Dynamic code generator that transforms Prisma schemas into Express.js CRUD APIs with PostgreSQL RLS-to-JavaScript translation",
   "main": "index.js",
   "bin": {

package/src/commands/build.js

@@ -12,7 +12,8 @@ const { generateAllRoutes } = require('../generators/routeGenerator');
  */
 function generateBaseModelFile(modelJsPath) {
   const content = `const { QueryBuilder, prisma } = require("./QueryBuilder");
-const {ErrorResponse, getTranslation} = require('./Api');
+const {rls} = require('../../rapidd/rapidd');
+const {ErrorResponse} = require('./Api');
 
 class Model {
     /**
@@ -21,17 +22,23 @@ class Model {
          */
     constructor(name, options){
         this.modelName = name;
+        this.queryBuilder = new QueryBuilder(name);
+        this.rls = rls.model[name] || {};
         this.options = options || {}
         this.user = this.options.user || {'id': 1, 'role': 'application'};
         this.user_id = this.user ? this.user.id : null;
     }
 
-    _select = (fields) => this.constructor.queryBuilder.select(fields);
-    _filter = (q) => this.constructor.queryBuilder.filter(q);
-    _include = (include) => this.constructor.queryBuilder.include(include, this.user);
-    _getAccessFilter = () => this.constructor.getAccessFilter(this.user);
-    _hasAccess = (data) => this.constructor.hasAccess(data, this.user) || false;
-    _omit = () => this.constructor.queryBuilder.omit(this.user);
+    _select = (fields) => this.queryBuilder.select(fields);
+    _filter = (q) => this.queryBuilder.filter(q);
+    _include = (include) => this.queryBuilder.include(include, this.user);
+    // RLS METHODS
+    _canCreate = () => this.rls.canCreate?.(this.user) || false;
+    _hasAccess = (data) => this.rls.hasAccess?.(data, this.user) || false;
+    _getAccessFilter = () => this.rls.getAccessFilter?.(this.user);
+    _getUpdateFilter = () => this.rls.getUpdateFilter?.(this.user);
+    _getDeleteFilter = () => this.rls.getDeleteFilter?.(this.user);
+    _omit = () => this.queryBuilder.omit(this.user);
 
     /**
      *
@@ -50,8 +57,7 @@ class Model {
         sortBy = sortBy.trim();
         sortOrder = sortOrder.trim();
         if (!sortBy.includes('.') && this.fields[sortBy] == undefined) {
-            const message = getTranslation("invalid_sort_field", {sortBy, modelName: this.constructor.name});
-            throw new ErrorResponse(message, 400);
+            throw new ErrorResponse(400, "invalid_sort_field", {sortBy, modelName: this.constructor.name});
         }
 
         // Query the database using Prisma with filters, pagination, and limits
@@ -114,8 +120,13 @@ class Model {
      * @returns {Promise<Object>}
      */
     _create = async (data, options = {}) => {
+        // CHECK CREATE PERMISSION
+        if (!this.canCreate()) {
+            throw new ErrorResponse(403, "no_permission_to_create");
+        }
+
         // VALIDATE PASSED FIELDS AND RELATIONSHIPS
-        this.constructor.queryBuilder.create(data, this.user_id);
+        this.queryBuilder.create(data, this.user_id);
 
         // CREATE
         return await this.prisma.create({
@@ -132,11 +143,32 @@ class Model {
      */
     _update = async (id, data, options = {}) => {
         id = Number(id);
-        // GET DATA FIRST
+
+        // CHECK UPDATE PERMISSION
+        const updateFilter = this.getUpdateFilter();
+        if (updateFilter === false) {
+            throw new ErrorResponse(403, "no_permission_to_update");
+        }
+
+        // GET DATA FIRST (also checks read access)
         const current_data = await this._get(id, "ALL");
 
+        // If updateFilter is not empty, verify the record matches the filter
+        if (Object.keys(updateFilter).length > 0) {
+            const canUpdate = await this.prisma.findUnique({
+                'where': {
+                    'id': id,
+                    ...updateFilter
+                },
+                'select': { 'id': true }
+            });
+            if (!canUpdate) {
+                throw new ErrorResponse(403, "no_permission_to_update");
+            }
+        }
+
         // VALIDATE PASSED FIELDS AND RELATIONSHIPS
-        this.constructor.queryBuilder.update(id, data, this.user_id);
+        this.queryBuilder.update(id, data, this.user_id);
         return await this.prisma.update({
             'where': {
                 'id': id
@@ -163,9 +195,31 @@ class Model {
      * @returns {Promise<Object>}
      */
     _delete = async (id, options = {}) => {
-        // GET DATA FIRST
+        id = Number(id);
+
+        // CHECK DELETE PERMISSION
+        const deleteFilter = this.getDeleteFilter();
+        if (deleteFilter === false) {
+            throw new ErrorResponse(403, "no_permission_to_delete");
+        }
+
+        // GET DATA FIRST (also checks read access)
         const current_data = await this._get(id);
 
+        // If deleteFilter is not empty, verify the record matches the filter
+        if (Object.keys(deleteFilter).length > 0) {
+            const canDelete = await this.prisma.findUnique({
+                'where': {
+                    'id': id,
+                    ...deleteFilter
+                },
+                'select': { 'id': true }
+            });
+            if (!canDelete) {
+                throw new ErrorResponse(403, "no_permission_to_delete");
+            }
+        }
+
         return await this.prisma.delete({
             'where': {
                 id: parseInt(id)
@@ -233,10 +287,10 @@ class Model {
         return this._include(include);
     }
     sort(sortBy, sortOrder) {
-        return this.constructor.queryBuilder.sort(sortBy, sortOrder);
+        return this.queryBuilder.sort(sortBy, sortOrder);
     }
     take(limit){
-        return this.constructor.queryBuilder.take(Number(limit));
+        return this.queryBuilder.take(Number(limit));
     }
     skip(offset){
         const parsed = parseInt(offset);
@@ -267,6 +321,39 @@ class Model {
         return this.user.role == "application" ? true : this._hasAccess(data, this.user);
     }
 
+    /**
+     * Check if user can create records
+     * @returns {boolean}
+     */
+    canCreate() {
+        if(this.user.role == "application") return true;
+        return this._canCreate();
+    }
+
+    /**
+     * Get update filter for RLS
+     * @returns {Object|false}
+     */
+    getUpdateFilter(){
+        const filter = this._getUpdateFilter();
+        if(this.user.role == "application" || filter == true){
+            return {};
+        }
+        return filter;
+    }
+
+    /**
+     * Get delete filter for RLS
+     * @returns {Object|false}
+     */
+    getDeleteFilter(){
+        const filter = this._getDeleteFilter();
+        if(this.user.role == "application" || filter == true){
+            return {};
+        }
+        return filter;
+    }
+
     set modelName (name){
         this.name = name;
         this.prisma = prisma[name];

package/src/generators/modelGenerator.js

@@ -12,21 +12,10 @@ function generateModelFile(modelName, modelInfo) {
   const className = modelName.charAt(0).toUpperCase() + modelName.slice(1);
 
   return `const {Model, QueryBuilder, prisma} = require('../Model');
-const {rls} = require('../../rapidd/rapidd');
 
 class ${className} extends Model {
     constructor(options){
-        super('${modelName}', options);
-    }
-
-    static queryBuilder = new QueryBuilder('${modelName}', rls.model.${modelName} || {});
-
-    static getAccessFilter(user) {
-        return rls.model.${modelName}?.getAccessFilter?.(user) || {};
-    }
-
-    static hasAccess(data, user) {
-        return rls.model.${modelName}?.hasAccess?.(data, user) || true;
+        super('${className}', options);
     }
 
     /**
@@ -150,7 +139,7 @@ function generateAllModels(models, modelDir, modelJsPath) {
 
   // Copy rapidd.js to output if it exists
   const sourceRapiddJs = path.join(process.cwd(), 'rapidd', 'rapidd.js');
-  const outputRapiddDir = path.dirname(modelDir.replace(/src[\/\\]Model$/, 'rapidd'));
+  const outputRapiddDir = modelDir.replace(/src[\/\\]Model$/, 'rapidd');
   const outputRapiddJs = path.join(outputRapiddDir, 'rapidd.js');
 
   if (fs.existsSync(sourceRapiddJs)) {

package/src/generators/rlsGenerator.js

@@ -34,10 +34,10 @@ function detectUserTable(models, userTableOption) {
 /**
  * Extract RLS policies from PostgreSQL
  * @param {string} databaseUrl - PostgreSQL connection URL
- * @param {Array} modelNames - Array of model names
- * @returns {Object} - RLS policies for each table
+ * @param {Object} models - Models object with dbName mapping
+ * @returns {Object} - RLS policies for each model
  */
-async function extractPostgreSQLPolicies(databaseUrl, modelNames) {
+async function extractPostgreSQLPolicies(databaseUrl, models) {
   const client = new Client({ connectionString: databaseUrl });
 
   try {
@@ -45,8 +45,11 @@ async function extractPostgreSQLPolicies(databaseUrl, modelNames) {
 
     const policies = {};
 
-    // Initialize all models with empty policies
-    for (const modelName of modelNames) {
+    // Create mapping from database table name to model name
+    const tableToModelMap = {};
+    for (const [modelName, modelData] of Object.entries(models)) {
+      const dbName = modelData.dbName || modelName.toLowerCase();
+      tableToModelMap[dbName] = modelName;
       policies[modelName] = [];
     }
 
@@ -65,11 +68,13 @@ async function extractPostgreSQLPolicies(databaseUrl, modelNames) {
       ORDER BY tablename, policyname
     `);
 
-    // Group policies by table
+    // Group policies by model (using table to model mapping)
     for (const row of result.rows) {
       const tableName = row.tablename;
-      if (policies[tableName] !== undefined) {
-        policies[tableName].push({
+      const modelName = tableToModelMap[tableName];
+
+      if (modelName && policies[modelName] !== undefined) {
+        policies[modelName].push({
           name: row.policyname,
           permissive: row.permissive === 'PERMISSIVE',
           roles: row.roles,
@@ -290,7 +295,7 @@ async function generateRLS(models, outputPath, databaseUrl, isPostgreSQL, userTa
 
     console.log('Extracting RLS policies from database...');
     try {
-      policies = await extractPostgreSQLPolicies(databaseUrl, modelNames);
+      policies = await extractPostgreSQLPolicies(databaseUrl, models);
       const totalPolicies = Object.values(policies).reduce((sum, p) => sum + p.length, 0);
       console.log(`✓ Extracted ${totalPolicies} RLS policies from PostgreSQL`);
     } catch (error) {

package/src/generators/rlsGeneratorV2.js

@@ -32,7 +32,7 @@ function detectUserTable(models, userTableOption) {
 /**
  * Extract RLS policies from PostgreSQL
  */
-async function extractPostgreSQLPolicies(databaseUrl, modelNames) {
+async function extractPostgreSQLPolicies(databaseUrl, models) {
   const client = new Client({ connectionString: databaseUrl });
 
   try {
@@ -40,8 +40,11 @@ async function extractPostgreSQLPolicies(databaseUrl, modelNames) {
 
     const policies = {};
 
-    // Initialize all models with empty policies
-    for (const modelName of modelNames) {
+    // Create mapping from database table name to model name
+    const tableToModelMap = {};
+    for (const [modelName, modelData] of Object.entries(models)) {
+      const dbName = modelData.dbName || modelName.toLowerCase();
+      tableToModelMap[dbName] = modelName;
       policies[modelName] = [];
     }
 
@@ -60,11 +63,13 @@ async function extractPostgreSQLPolicies(databaseUrl, modelNames) {
       ORDER BY tablename, policyname
     `);
 
-    // Group policies by table
+    // Group policies by model (using table to model mapping)
     for (const row of result.rows) {
       const tableName = row.tablename;
-      if (policies[tableName] !== undefined) {
-        policies[tableName].push({
+      const modelName = tableToModelMap[tableName];
+
+      if (modelName && policies[modelName] !== undefined) {
+        policies[modelName].push({
           name: row.policyname,
           permissive: row.permissive === 'PERMISSIVE',
           roles: row.roles,
@@ -165,9 +170,12 @@ function generateFunction(policies, expressionField, converter, modelName) {
     if (expr) {
       try {
         const jsExpr = converter.convertToJavaScript(expr, 'data', 'user', modelName);
+        console.log(`✓ Policy '${policy.name}': ${expr.substring(0, 50)}... -> ${jsExpr.substring(0, 80)}`);
         conditions.push(jsExpr);
       } catch (e) {
-        conditions.push(`true /* Error: ${e.message} */`);
+        console.warn(`⚠ Failed to convert RLS policy '${policy.name}' for ${modelName}: ${e.message}`);
+        console.warn(`  SQL: ${expr}`);
+        conditions.push(`true /* TODO: Manual conversion needed for policy '${policy.name}' */`);
       }
     }
   }
@@ -176,6 +184,11 @@ function generateFunction(policies, expressionField, converter, modelName) {
     return 'return true;';
   }
 
+  // If any condition is 'true', the entire expression is true
+  if (conditions.some(c => c === 'true' || c.startsWith('true /*'))) {
+    return 'return true;';
+  }
+
   // Policies are OR'd together (any policy allows)
   return `return ${conditions.join(' || ')};`;
 }
@@ -208,7 +221,9 @@ function generateFilter(policies, expressionField, converter, modelName) {
           hasDataFilter: prismaFilter !== '{}'
         });
       } catch (e) {
-        // On error, skip filter
+        console.warn(`⚠ Failed to convert RLS filter policy '${policy.name}' for ${modelName}: ${e.message}`);
+        console.warn(`  SQL: ${expr}`);
+        // On error, skip filter (fail-safe - no access)
       }
     }
   }
@@ -341,7 +356,7 @@ ${Object.entries(functionAnalysis.userContextRequirements)
 
     // Step 2: Extract policies
     try {
-      policies = await extractPostgreSQLPolicies(databaseUrl, modelNames);
+      policies = await extractPostgreSQLPolicies(databaseUrl, models);
       const totalPolicies = Object.values(policies).reduce((sum, p) => sum + p.length, 0);
       console.log(`✓ Extracted ${totalPolicies} RLS policies from PostgreSQL`);
     } catch (error) {

package/src/parsers/deepSQLAnalyzer.js

@@ -180,8 +180,8 @@ class DeepSQLAnalyzer {
    * Extract direct field comparisons
    */
   extractDirectComparisons(sql, analysis) {
-    // Pattern: field = 'value'
-    const stringPattern = /(\w+)\s*=\s*'([^']+)'/gi;
+    // Pattern: field = 'value' (with or without quotes on field name)
+    const stringPattern = /(?:"?(\w+)"?)\s*=\s*'([^']+)'/gi;
     let match;
     while ((match = stringPattern.exec(sql)) !== null) {
       const field = match[1];
@@ -200,8 +200,8 @@ class DeepSQLAnalyzer {
       });
     }
 
-    // Pattern: field = number
-    const numberPattern = /(\w+)\s*=\s*(\d+)(?!\s*\))/gi;
+    // Pattern: field = number (with or without quotes on field name)
+    const numberPattern = /(?:"?(\w+)"?)\s*=\s*(\d+)(?!\s*\))/gi;
     while ((match = numberPattern.exec(sql)) !== null) {
       const field = match[1];
       const value = match[2];
@@ -219,8 +219,22 @@ class DeepSQLAnalyzer {
       });
     }
 
+    // Pattern: field = true/false (with or without quotes on field name)
+    const booleanPattern = /(?:"?(\w+)"?)\s*=\s*(true|false)/gi;
+    while ((match = booleanPattern.exec(sql)) !== null) {
+      const field = match[1];
+      const value = match[2].toLowerCase();
+
+      analysis.filters.push({
+        type: 'equal',
+        field: field,
+        value: value,
+        prisma: `{ ${field}: ${value} }`
+      });
+    }
+
     // Pattern: field IS NULL
-    const isNullPattern = /(\w+)\s+IS\s+NULL/gi;
+    const isNullPattern = /(?:"?(\w+)"?)\s+IS\s+NULL/gi;
     while ((match = isNullPattern.exec(sql)) !== null) {
       analysis.filters.push({
         type: 'is_null',
@@ -244,10 +258,10 @@ class DeepSQLAnalyzer {
    * Extract function-based comparisons
    */
   extractFunctionComparisons(sql, analysis) {
-    // Pattern: field = function()
+    // Pattern: field = function() (with or without quotes on field name)
     const patterns = [
-      /(\w+)\s*=\s*([\w.]+)\s*\(\s*\)/gi,  // field = function()
-      /([\w.]+)\s*\(\s*\)\s*=\s*(\w+)/gi   // function() = field
+      /(?:"?(\w+)"?)\s*=\s*([\w.]+)\s*\(\s*\)/gi,  // field = function()
+      /([\w.]+)\s*\(\s*\)\s*=\s*(?:"?(\w+)"?)/gi   // function() = field
     ];
 
     // Normalize dots in function names for lookup

package/src/parsers/dynamicRLSConverter.js

@@ -13,6 +13,23 @@ function convertToJavaScript(sql, dataVar = 'data', userVar = 'user') {
 
   sql = sql.trim();
 
+  // Strip outer parentheses if they wrap the entire expression
+  if (sql.startsWith('(') && sql.endsWith(')')) {
+    let depth = 0;
+    let matchesOuter = true;
+    for (let i = 0; i < sql.length; i++) {
+      if (sql[i] === '(') depth++;
+      if (sql[i] === ')') depth--;
+      if (depth === 0 && i < sql.length - 1) {
+        matchesOuter = false;
+        break;
+      }
+    }
+    if (matchesOuter) {
+      sql = sql.substring(1, sql.length - 1).trim();
+    }
+  }
+
   // Normalize whitespace
   sql = sql.replace(/\s+/g, ' ').replace(/\n/g, ' ');
 
@@ -48,8 +65,8 @@ function convertToJavaScript(sql, dataVar = 'data', userVar = 'user') {
     return `[${arrayValues}].includes(${userVar}?.${userProperty})`;
   }
 
-  // Handle field = function() comparisons
-  const funcCompareMatch = sql.match(/(\w+)\s*=\s*(\w+)\s*\([^)]*\)/i);
+  // Handle field = function() comparisons (with or without quotes)
+  const funcCompareMatch = sql.match(/(?:"?(\w+)"?)\s*=\s*(\w+)\s*\([^)]*\)/i);
   if (funcCompareMatch) {
     const field = funcCompareMatch[1];
     const funcName = funcCompareMatch[2];
@@ -60,7 +77,7 @@ function convertToJavaScript(sql, dataVar = 'data', userVar = 'user') {
   }
 
   // Handle field = (current_setting(...))
-  const currentSettingMatch = sql.match(/(\w+)\s*=\s*\(\s*current_setting\s*\(\s*'([^']+)'/i);
+  const currentSettingMatch = sql.match(/(?:"?(\w+)"?)\s*=\s*\(\s*current_setting\s*\(\s*'([^']+)'/i);
   if (currentSettingMatch) {
     const field = currentSettingMatch[1];
     const setting = currentSettingMatch[2];
@@ -70,6 +87,14 @@ function convertToJavaScript(sql, dataVar = 'data', userVar = 'user') {
     return `${dataVar}?.${field} === ${userVar}?.${userProperty}`;
   }
 
+  // Handle field = literal value (true, false, numbers, strings)
+  const literalMatch = sql.match(/(?:"?(\w+)"?)\s*=\s*(true|false|\d+|'[^']+')/i);
+  if (literalMatch) {
+    const field = literalMatch[1];
+    const value = literalMatch[2];
+    return `${dataVar}?.${field} === ${value}`;
+  }
+
   // Handle EXISTS subqueries
   if (sql.includes('EXISTS')) {
     return handleExistsSubquery(sql, dataVar, userVar);
@@ -80,6 +105,7 @@ function convertToJavaScript(sql, dataVar = 'data', userVar = 'user') {
   if (sql.toLowerCase() === 'false') return 'false';
 
   // Unhandled pattern
+  console.warn(`⚠ Unhandled RLS pattern: ${sql}`);
   return `true /* Unhandled RLS pattern: ${sql.substring(0, 60)}... */`;
 }
 

package/src/parsers/prismaParser.js

@@ -46,6 +46,7 @@ function parsePrismaSchema(schemaPath) {
   for (const { name, body } of modelBlocks) {
     const fields = parseModelFields(body);
     const compositeKeyFields = parseCompositeKey(body);
+    const dbName = parseMapDirective(body);
 
     // Mark composite key fields with isId
     if (compositeKeyFields) {
@@ -60,7 +61,8 @@ function parsePrismaSchema(schemaPath) {
       name,
       fields,
       relations: parseModelRelations(body),
-      compositeKey: compositeKeyFields
+      compositeKey: compositeKeyFields,
+      dbName: dbName || name.toLowerCase() // Default to lowercase model name
     };
   }
 
@@ -94,6 +96,25 @@ function parseCompositeKey(modelBody) {
   return null;
 }
 
+/**
+ * Parse @@map directive to get database table name
+ * @param {string} modelBody - The content inside model braces
+ * @returns {string|null} - Database table name, or null if no @@map directive
+ */
+function parseMapDirective(modelBody) {
+  const lines = modelBody.split('\n').map(line => line.trim());
+
+  for (const line of lines) {
+    // Match @@map("table_name") or @@map('table_name')
+    const match = line.match(/^@@map\(["']([^"']+)["']\)/);
+    if (match) {
+      return match[1];
+    }
+  }
+
+  return null;
+}
+
 /**
  * Parse model fields from model body
  * @param {string} modelBody - The content inside model braces
@@ -206,7 +227,8 @@ async function parsePrismaDMMF(prismaClientPath) {
         name: model.name,
         fields: {},
         relations: [],
-        compositeKey
+        compositeKey,
+        dbName: model.dbName || model.name.toLowerCase() // Use dbName from DMMF or default to lowercase
       };
 
       for (const field of model.fields) {