npm - @rapidd/core - Versions diffs - 2.1.0 → 2.1.1 - Mend

@rapidd/core 2.1.0 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/.env.example CHANGED Viewed

@@ -40,10 +40,10 @@ DB_USER_PASSWORD_FIELD=
 # Auto-detected from unique string fields; comma-separated (default: email)
 DB_USER_IDENTIFIER_FIELDS=
 # Comma-separated: bearer, basic, cookie, header (default: bearer)
-AUTH_STRATEGIES=bearer
-# Cookie name for cookie strategy (default: token)
+AUTH_METHODS=bearer
+# Cookie name for cookie auth method (default: token)
 AUTH_COOKIE_NAME=token
-# Header name for header strategy (default: X-Auth-Token)
+# Header name for header auth method (default: X-Auth-Token)
 AUTH_CUSTOM_HEADER=X-Auth-Token
 # ── API Settings ───────────────────────────────────────

package/README.md CHANGED Viewed

@@ -4,6 +4,7 @@
 Code-first REST API framework for TypeScript. Database in, API out.
+[![npm](https://img.shields.io/npm/v/@rapidd/core?color=cb3837&logo=npm&logoColor=white)](https://www.npmjs.com/package/@rapidd/core)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.x-3178C6?logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
 [![Fastify](https://img.shields.io/badge/Fastify-5.x-000000?logo=fastify&logoColor=white)](https://fastify.dev/)
 [![Prisma](https://img.shields.io/badge/Prisma-7.x-2D3748?logo=prisma&logoColor=white)](https://www.prisma.io/)
@@ -29,7 +30,9 @@ Rapidd generates a fully-featured REST API from your database schema — then ge
 ## Quick Start
 ```bash
-npm install @rapidd/build
+mkdir my-api && cd my-api
+npx rapidd create-project # scaffold project files
+npm install
 ```
 ```env
@@ -44,7 +47,7 @@ npm run dev               # http://localhost:3000
 Every table gets full CRUD endpoints. Auth is enabled automatically when a user table is detected. Every auto-detected value — auth fields, password hashing, JWT secrets, session store — is overridable via env vars. See [`.env.example`](.env.example) for the full list.
-> 📖 **[Getting Started guide →](https://github.com/MertDalbudak/rapidd/wiki/Getting-Started)** — full walkthrough with project structure
+> **[Getting Started guide](https://github.com/MertDalbudak/rapidd/wiki/Getting-Started)** — full walkthrough with project structure
 ---
@@ -56,7 +59,7 @@ Every table gets full CRUD endpoints. Auth is enabled automatically when a user
 | Query filtering (20+ operators) | ✓ | ✓ |
 | Relations & deep includes | ✓ | ✓ |
 | Field selection | ✓ | ✓ |
-| JWT authentication (4 strategies) | ✓ | ✓ |
+| JWT authentication (4 methods) | ✓ | ✓ |
 | Per-model ACL | ✓ | ✓ |
 | Row-Level Security (database-enforced) | ✓ | — |
 | Rate limiting (Redis + memory fallback) | ✓ | ✓ |
@@ -83,7 +86,7 @@ GET /api/v1/posts?sortBy=createdAt&sortOrder=desc&limit=10&offset=20
 20+ filter operators for strings, numbers, dates, arrays, nulls, and nested relation fields. Responses include pagination metadata with `total`, `count`, `limit`, `offset`, and `hasMore`.
-> 📖 **[Query API wiki →](https://github.com/MertDalbudak/rapidd/wiki/Query-API)** — all operators, composite PKs, relation filtering
+> **[Query API wiki](https://github.com/MertDalbudak/rapidd/wiki/Query-API)** — all operators, composite PKs, relation filtering
 ---
@@ -98,11 +101,24 @@ POST /auth/refresh        { "refreshToken": "..." }
 GET  /auth/me             Authorization: Bearer <token>
 ```
-Four strategies — **bearer** (default), **basic**, **cookie**, and **custom header** — configurable per-route. Multi-identifier login lets users authenticate with any unique field (email, username, phone) in a single endpoint.
+Four methods — **bearer** (default), **basic**, **cookie**, and **custom header** — configurable globally via `AUTH_METHODS` env var or per endpoint prefix in `config/app.json`:
-⚠️ **Production:** `JWT_SECRET` and `JWT_REFRESH_SECRET` must be set explicitly. The server refuses to start without them to prevent session invalidation on restart.
+```json
+{
+    "endpointAuthMethod": {
+        "/api/v1": ["basic", "bearer"],
+        "/api/v2": "bearer"
+    }
+}
+```
+Set `null` for the global default, a string for a single method, or an array for multiple. Route-level config takes highest priority, then prefix match, then global default.
+Multi-identifier login lets users authenticate with any unique field (email, username, phone) in a single endpoint.
-> 📖 **[Authentication wiki →](https://github.com/MertDalbudak/rapidd/wiki/Authentication)** — session stores, route protection, per-endpoint strategy overrides
+**Production:** `JWT_SECRET` and `JWT_REFRESH_SECRET` must be set explicitly. The server refuses to start without them to prevent session invalidation on restart.
+> **[Authentication wiki](https://github.com/MertDalbudak/rapidd/wiki/Authentication)** — session stores, route protection, per-endpoint method overrides
 ---
@@ -126,7 +142,7 @@ const acl: AclConfig = {
 Return `{}` for full access, a filter object to scope records, or `false` to deny.
-> 📖 **[Access Control wiki →](https://github.com/MertDalbudak/rapidd/wiki/Access-Control-(ACL))** — all 5 ACL methods, relation ACL, 404 vs 403 distinction
+> **[Access Control wiki](https://github.com/MertDalbudak/rapidd/wiki/Access-Control-(ACL))** — all 5 ACL methods, relation ACL, 404 vs 403 distinction
 ---
@@ -152,7 +168,7 @@ Model.middleware.use('before', 'delete', async (ctx) => {
 Supports `create`, `update`, `upsert`, `upsertMany`, `delete`, `get`, `getMany`, and `count`. Middleware can abort operations, modify data, and short-circuit with cached results.
-> 📖 **[Model Middleware wiki →](https://github.com/MertDalbudak/rapidd/wiki/Model-Middleware)** — all hooks, context object, patterns (soft delete, validation, caching)
+> **[Model Middleware wiki](https://github.com/MertDalbudak/rapidd/wiki/Model-Middleware)** — all hooks, context object, patterns (soft delete, validation, caching)
 ---
@@ -173,7 +189,7 @@ CREATE POLICY tenant_isolation ON orders
     USING (tenant_id = current_setting('app.current_tenant_id')::int);
 ```
-> 📖 **[Row-Level Security wiki →](https://github.com/MertDalbudak/rapidd/wiki/Row%E2%80%90Level-Security-(RLS))** — policy examples, RLS vs ACL comparison
+> **[Row-Level Security wiki](https://github.com/MertDalbudak/rapidd/wiki/Row%E2%80%90Level-Security-(RLS))** — policy examples, RLS vs ACL comparison
 ---
@@ -181,11 +197,11 @@ CREATE POLICY tenant_isolation ON orders
 | Utility | Description | Docs |
 |---------|-------------|------|
-| **ApiClient** | Config-driven HTTP client with Bearer, Basic, API Key, and OAuth2 auth. Automatic token caching, retries, and fluent builder. | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/ApiClient) |
-| **Mailer** | SMTP email with EJS template rendering, layout wrappers, i18n support, batch sending, and attachments. | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/Mailer) |
-| **File Uploads** | Multipart uploads with MIME validation, size limits, and type presets (`images`, `documents`, etc.). | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/File-Uploads) |
-| **Rate Limiting** | Redis-backed with automatic memory fallback. Per-path configuration via `config/rate-limit.json`. | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/Rate-Limiting) |
-| **i18n** | 10 languages included. Auto-detected from `Accept-Language` header. Parameter interpolation in error messages. | [Wiki →](https://github.com/MertDalbudak/rapidd/wiki/Internationalization-(i18n)) |
+| **ApiClient** | Config-driven HTTP client with Bearer, Basic, API Key, and OAuth2 auth. Automatic token caching, retries, and fluent builder. | [Wiki](https://github.com/MertDalbudak/rapidd/wiki/ApiClient) |
+| **Mailer** | SMTP email with EJS template rendering, layout wrappers, i18n support, batch sending, and attachments. | [Wiki](https://github.com/MertDalbudak/rapidd/wiki/Mailer) |
+| **File Uploads** | Multipart uploads with MIME validation, size limits, and type presets (`images`, `documents`, etc.). | [Wiki](https://github.com/MertDalbudak/rapidd/wiki/File-Uploads) |
+| **Rate Limiting** | Redis-backed with automatic memory fallback. Per-path configuration via `config/rate-limit.json`. | [Wiki](https://github.com/MertDalbudak/rapidd/wiki/Rate-Limiting) |
+| **i18n** | 10 languages included. Auto-detected from `Accept-Language` header. Parameter interpolation in error messages. | [Wiki](https://github.com/MertDalbudak/rapidd/wiki/Internationalization-(i18n)) |
 ---
@@ -203,12 +219,28 @@ TRUST_PROXY=true
 npm run build && npm start
 # or Docker
-docker build -t rapidd . && docker run -p 3000:3000 --env-file .env rapidd
+docker build -t my-api . && docker run -p 3000:3000 --env-file .env my-api
 ```
 **Security defaults in production:** HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, and CORS with explicit origin whitelisting — all enabled automatically.
-> 📖 **[Deployment wiki →](https://github.com/MertDalbudak/rapidd/wiki/Deployment-&-Production)** — Docker Compose, nginx reverse proxy, production checklist, horizontal scaling
+> **[Deployment wiki](https://github.com/MertDalbudak/rapidd/wiki/Deployment-&-Production)** — Docker Compose, nginx reverse proxy, production checklist, horizontal scaling
+---
+## Packages
+| Package | Description |
+|---------|-------------|
+| [`@rapidd/core`](https://www.npmjs.com/package/@rapidd/core) | Framework runtime, project scaffolding, and unified `npx rapidd` CLI |
+| [`@rapidd/build`](https://www.npmjs.com/package/@rapidd/build) | Code generation — models, routes, and ACL from your Prisma schema |
+All commands go through `npx rapidd`:
+```bash
+npx rapidd create-project   # scaffold a new project (@rapidd/core)
+npx rapidd build             # generate from schema  (@rapidd/build)
+```
 ---

package/bin/cli.js CHANGED Viewed

@@ -2,20 +2,40 @@
 const fs = require('fs');
 const path = require('path');
+const { execFileSync } = require('child_process');
 const COMMANDS = { 'create-project': createProject };
 const args = process.argv.slice(2);
 const command = args[0];
-if (!command || !COMMANDS[command]) {
+if (!command) {
     console.log('Usage: npx rapidd <command>\n');
     console.log('Commands:');
     console.log('  create-project   Scaffold a new Rapidd project in the current directory');
-    process.exit(command ? 1 : 0);
+    console.log('  build            Generate models, routes & ACL from Prisma schema (@rapidd/build)');
+    process.exit(0);
 }
-COMMANDS[command](args.slice(1));
+if (COMMANDS[command]) {
+    COMMANDS[command](args.slice(1));
+} else if (command === 'build') {
+    // Proxy to @rapidd/build
+    try {
+        const buildBin = require.resolve('@rapidd/build/bin/cli.js');
+        execFileSync(process.execPath, [buildBin, ...args], { stdio: 'inherit' });
+    } catch (err) {
+        if (err.code === 'MODULE_NOT_FOUND') {
+            console.error('@rapidd/build is not installed.\n');
+            console.error('  npm install -D @rapidd/build');
+            process.exit(1);
+        }
+        process.exit(err.status ?? 1);
+    }
+} else {
+    console.error(`Unknown command: ${command}`);
+    process.exit(1);
+}
 function createProject() {
     const targetDir = process.cwd();

package/config/app.json CHANGED Viewed

@@ -151,6 +151,9 @@
             "name": "Support Team"
         }
     },
+    "endpointAuthMethod": {
+        "/api/v1": null
+    },
     "languages": [
         "en_US",
         "es_ES",

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "Code-first REST API framework for TypeScript. Database in, API out.",
   "main": "dist/main.js",
   "bin": {

package/routes/api/v1/index.ts CHANGED Viewed

@@ -1,12 +1,11 @@
 import { FastifyPluginAsync, FastifyRequest, FastifyReply } from 'fastify';
-import { Auth } from '../../../src/auth/Auth';
 import { ErrorResponse } from '../../../src/core/errors';
 /**
  * Auth routes — /register, /login, /logout, /refresh, /me
  */
 const rootRoutes: FastifyPluginAsync = async (fastify) => {
-    const auth = fastify.auth ?? new Auth();
+    const auth = fastify.auth;
     /**
      * POST /register

package/src/auth/Auth.ts CHANGED Viewed

@@ -5,7 +5,7 @@ import { authPrisma } from '../core/prisma';
 import { ErrorResponse } from '../core/errors';
 import { createStore, SessionStoreManager } from './stores';
 import { loadDMMF, findUserModel, findIdentifierFields, findPasswordField } from '../core/dmmf';
-import type { RapiddUser, AuthOptions, AuthStrategy, ISessionStore } from '../types';
+import type { RapiddUser, AuthOptions, AuthMethod, ISessionStore } from '../types';
 /**
  * Authentication class for user login, logout, and session management
@@ -26,7 +26,7 @@ import type { RapiddUser, AuthOptions, AuthStrategy, ISessionStore } from '../ty
 export class Auth {
     options: Required<Pick<AuthOptions, 'passwordField' | 'saltRounds'>> & AuthOptions & {
         identifierFields: string[];
-        strategies: AuthStrategy[];
+        methods: AuthMethod[];
         cookieName: string;
         customHeaderName: string;
         session: { ttl: number; store?: string };
@@ -68,8 +68,8 @@ export class Auth {
                 ...options.jwt,
             },
             saltRounds: options.saltRounds || parseInt(process.env.AUTH_SALT_ROUNDS || '10', 10),
-            strategies: options.strategies
-                || (process.env.AUTH_STRATEGIES?.split(',').map(s => s.trim()) as AuthStrategy[])
+            methods: options.methods
+                || (process.env.AUTH_METHODS?.split(',').map(s => s.trim()) as AuthMethod[])
                 || ['bearer'],
             cookieName: options.cookieName || process.env.AUTH_COOKIE_NAME || 'token',
             customHeaderName: options.customHeaderName || process.env.AUTH_CUSTOM_HEADER || 'X-Auth-Token',

package/src/index.ts CHANGED Viewed

@@ -73,7 +73,7 @@ export { buildApp } from './app';
 // ── Types ────────────────────────────────────────────────────────────────────
 export type {
     RapiddUser,
-    AuthStrategy,
+    AuthMethod,
     RouteAuthConfig,
     ModelOptions,
     GetManyResult,

package/src/plugins/auth.ts CHANGED Viewed

@@ -1,8 +1,9 @@
+import path from 'path';
 import { FastifyPluginAsync, FastifyRequest } from 'fastify';
 import fp from 'fastify-plugin';
 import { Auth } from '../auth/Auth';
 import { ErrorResponse } from '../core/errors';
-import type { RapiddUser, AuthOptions, AuthStrategy, RouteAuthConfig } from '../types';
+import type { RapiddUser, AuthOptions, AuthMethod, RouteAuthConfig } from '../types';
 interface AuthPluginOptions {
     auth?: Auth;
@@ -35,20 +36,54 @@ const authPlugin: FastifyPluginAsync<AuthPluginOptions> = async (fastify, option
         return;
     }
-    // Parse auth on every request using configured strategies (checked in order).
-    // Routes can override via config.auth: { strategies, cookieName, customHeaderName }
+    // Load endpointAuthMethod from config/app.json (prefix → method(s) mapping)
+    let endpointAuthMethod: Record<string, AuthMethod | AuthMethod[] | null> = {};
+    try {
+        const appConfig = require(path.join(process.cwd(), 'config', 'app.json'));
+        if (appConfig.endpointAuthMethod) {
+            endpointAuthMethod = appConfig.endpointAuthMethod;
+        }
+    } catch {
+        // No app.json or no endpointAuthMethod — use global default
+    }
+    // Pre-sort prefixes by length (longest first) for correct matching
+    const sortedPrefixes = Object.keys(endpointAuthMethod)
+        .sort((a, b) => b.length - a.length);
+    // Parse auth on every request using configured methods (checked in order).
+    // Priority: route config > endpointAuthMethod prefix match > global default
     fastify.addHook('onRequest', async (request) => {
         const routeAuth = (request.routeOptions?.config as any)?.auth as RouteAuthConfig | undefined;
-        const strategies = routeAuth?.strategies || auth.options.strategies;
+        let methods: AuthMethod[];
+        if (routeAuth?.methods) {
+            methods = routeAuth.methods;
+        } else {
+            const matchedPrefix = sortedPrefixes.find(p => request.url.startsWith(p));
+            if (matchedPrefix) {
+                const value = endpointAuthMethod[matchedPrefix];
+                if (value === null) {
+                    methods = auth.options.methods;
+                } else if (typeof value === 'string') {
+                    methods = [value];
+                } else {
+                    methods = value;
+                }
+            } else {
+                methods = auth.options.methods;
+            }
+        }
         const cookieName = routeAuth?.cookieName || auth.options.cookieName;
         const customHeaderName = routeAuth?.customHeaderName || auth.options.customHeaderName;
         let user: RapiddUser | null = null;
-        for (const strategy of strategies) {
+        for (const method of methods) {
             if (user) break;
-            switch (strategy) {
+            switch (method) {
                 case 'bearer': {
                     const h = request.headers.authorization;
                     if (h?.startsWith('Bearer ')) {
@@ -90,7 +125,7 @@ const authPlugin: FastifyPluginAsync<AuthPluginOptions> = async (fastify, option
     fastify.post('/auth/login', async (request, reply) => {
         const result = await auth.login(request.body as { user: string; password: string });
-        if (auth.options.strategies.includes('cookie')) {
+        if (auth.options.methods.includes('cookie')) {
             reply.setCookie(auth.options.cookieName, result.accessToken, {
                 path: '/',
                 httpOnly: true,
@@ -106,7 +141,7 @@ const authPlugin: FastifyPluginAsync<AuthPluginOptions> = async (fastify, option
     fastify.post('/auth/logout', async (request, reply) => {
         const result = await auth.logout(request.headers.authorization);
-        if (auth.options.strategies.includes('cookie')) {
+        if (auth.options.methods.includes('cookie')) {
             reply.clearCookie(auth.options.cookieName, { path: '/' });
         }

package/src/types.ts CHANGED Viewed

@@ -10,10 +10,10 @@ export interface RapiddUser {
     [key: string]: unknown;
 }
-export type AuthStrategy = 'bearer' | 'basic' | 'cookie' | 'header';
+export type AuthMethod = 'bearer' | 'basic' | 'cookie' | 'header';
 export interface RouteAuthConfig {
-    strategies?: AuthStrategy[];
+    methods?: AuthMethod[];
     cookieName?: string;
     customHeaderName?: string;
 }
@@ -32,7 +32,7 @@ export interface AuthOptions {
         refreshExpiry?: string;
     };
     saltRounds?: number;
-    strategies?: AuthStrategy[];
+    methods?: AuthMethod[];
     cookieName?: string;
     customHeaderName?: string;
 }