@rapidd/core 2.1.3 → 2.1.4

package/.env.example

@@ -40,10 +40,10 @@ DB_USER_PASSWORD_FIELD=
 # Auto-detected from unique string fields; comma-separated (default: email)
 DB_USER_IDENTIFIER_FIELDS=
 # Comma-separated: bearer, basic, cookie, header (default: bearer)
-AUTH_METHODS=bearer
-# Cookie name for cookie auth method (default: token)
+AUTH_STRATEGIES=bearer
+# Cookie name for cookie auth strategy (default: token)
 AUTH_COOKIE_NAME=token
-# Header name for header auth method (default: X-Auth-Token)
+# Header name for header auth strategy (default: X-Auth-Token)
 AUTH_CUSTOM_HEADER=X-Auth-Token
 
 # ── API Settings ───────────────────────────────────────

package/README.md

@@ -53,7 +53,7 @@ Every table gets full CRUD endpoints. Auth is enabled automatically when a user
 |---|:---:|:---:|:---:|:---:|:---:|
 | Full source code ownership | ✓ | — | — | — | ✓ |
 | Schema-first (no UI) | ✓ | ✓ | ✓ | ✓ | — |
-| REST API | ✓ | — | ✓ | ✓ | ✓ |
+| REST API | ✓ | partial | ✓ | ✓ | ✓ |
 | Multi-database | ✓ | ✓ | — | — | ✓ |
 | Built-in auth | ✓ | — | — | ✓ | ✓ |
 | Per-model ACL | ✓ | ✓ | — | — | ✓ |
@@ -94,24 +94,24 @@ POST /auth/refresh        { "refreshToken": "..." }
 GET  /auth/me             Authorization: Bearer <token>
 ```
 
-Four methods — **bearer** (default), **basic**, **cookie**, and **custom header** — configurable globally via `AUTH_METHODS` env var or per endpoint prefix in `config/app.json`:
+Four strategies — **bearer** (default), **basic**, **cookie**, and **custom header** — configurable globally via `AUTH_STRATEGIES` env var or per endpoint prefix in `config/app.json`:
 
 ```json
 {
-    "endpointAuthMethod": {
+    "endpointAuthStrategy": {
         "/api/v1": ["basic", "bearer"],
         "/api/v2": "bearer"
     }
 }
 ```
 
-Set `null` for the global default, a string for a single method, or an array for multiple. Route-level config takes highest priority, then prefix match, then global default.
+Set `null` for the global default, a string for a single strategy, or an array for multiple. Route-level config takes highest priority, then prefix match, then global default.
 
 Multi-identifier login lets users authenticate with any unique field (email, username, phone) in a single endpoint.
 
 **Production:** `JWT_SECRET` and `JWT_REFRESH_SECRET` must be set explicitly. The server refuses to start without them to prevent session invalidation on restart.
 
-> **[Authentication wiki](https://github.com/MertDalbudak/rapidd/wiki/Authentication)** — session stores, route protection, per-endpoint method overrides
+> **[Authentication wiki](https://github.com/MertDalbudak/rapidd/wiki/Authentication)** — session stores, route protection, per-endpoint strategy overrides
 
 ---
 

package/config/app.json

@@ -151,7 +151,7 @@
             "name": "Support Team"
         }
     },
-    "endpointAuthMethod": {
+    "endpointAuthStrategy": {
         "/api/v1": null
     },
     "languages": [

package/locales/ar_SA.json

@@ -175,5 +175,23 @@
     "token_missing_email": "الرمز لا يحتوي على معلومات البريد الإلكتروني",
     "oauth_config_missing": "يجب تكوين معرف التطبيق والسر الخاص بـ {provider} في متغيرات البيئة",
     "token_app_mismatch": "الرمز لا ينتمي إلى هذا التطبيق",
-    "oauth_email_permission_missing": "مستخدم {provider} لم يمنح إذن البريد الإلكتروني"
+    "oauth_email_permission_missing": "مستخدم {provider} لم يمنح إذن البريد الإلكتروني",
+    "internal_server_error": "حدث خطأ ما",
+    "duplicate_entry": "إدخال مكرر لـ {model}. السجل ذو {field}: '{value}' موجود بالفعل",
+    "authentication_not_available": "المصادقة غير متاحة",
+    "authentication_required": "المصادقة مطلوبة",
+    "user_and_password_required": "المستخدم وكلمة المرور مطلوبان",
+    "auth_not_configured": "المصادقة غير مهيأة",
+    "email_and_password_required": "البريد الإلكتروني وكلمة المرور مطلوبان",
+    "email_already_exists": "البريد الإلكتروني موجود بالفعل",
+    "user_registered": "تم تسجيل المستخدم بنجاح",
+    "invalid_composite_key": "مفتاح مركب غير صالح: متوقع {expected} حقول، تم استلام {received}",
+    "invalid_composite_key_format": "تنسيق مفتاح مركب غير صالح. متوقع كائن أو سلسلة نصية مفصولة بعلامة التلدة",
+    "no_permission_to_create": "لا توجد صلاحية لإنشاء {model}",
+    "no_permission_to_update": "لا توجد صلاحية لتحديث السجل",
+    "no_permission_to_delete": "لا توجد صلاحية لحذف السجل",
+    "field_not_nullable": "الحقل '{field}' لا يمكن أن يكون فارغاً",
+    "relation_not_included": "العلاقة '{relation}' مُشار إليها في الحقول لكنها غير مُضمّنة. {hint}",
+    "max_nesting_depth_exceeded": "تم تجاوز أقصى عمق تداخل وهو {depth}",
+    "no_file_uploaded": "لم يتم رفع أي ملف"
 }

package/locales/de_DE.json

@@ -175,5 +175,23 @@
     "token_missing_email": "Token enthält keine E-Mail-Informationen",
     "oauth_config_missing": "{provider} App-ID und Secret müssen in Umgebungsvariablen konfiguriert werden",
     "token_app_mismatch": "Token gehört nicht zu dieser Anwendung",
-    "oauth_email_permission_missing": "{provider}-Benutzer hat keine E-Mail-Berechtigung erteilt"
+    "oauth_email_permission_missing": "{provider}-Benutzer hat keine E-Mail-Berechtigung erteilt",
+    "internal_server_error": "Etwas ist schiefgelaufen",
+    "duplicate_entry": "Doppelter Eintrag für {model}. Datensatz mit {field}: '{value}' existiert bereits",
+    "authentication_not_available": "Authentifizierung ist nicht verfügbar",
+    "authentication_required": "Authentifizierung erforderlich",
+    "user_and_password_required": "Benutzer und Passwort sind erforderlich",
+    "auth_not_configured": "Authentifizierung ist nicht konfiguriert",
+    "email_and_password_required": "E-Mail und Passwort sind erforderlich",
+    "email_already_exists": "E-Mail existiert bereits",
+    "user_registered": "Benutzer erfolgreich registriert",
+    "invalid_composite_key": "Ungültiger zusammengesetzter Schlüssel: {expected} Felder erwartet, {received} erhalten",
+    "invalid_composite_key_format": "Ungültiges Format für zusammengesetzten Schlüssel. Erwartet wird ein Objekt oder ein durch Tilde getrennter String",
+    "no_permission_to_create": "Keine Berechtigung zum Erstellen von {model}",
+    "no_permission_to_update": "Keine Berechtigung zum Aktualisieren des Datensatzes",
+    "no_permission_to_delete": "Keine Berechtigung zum Löschen des Datensatzes",
+    "field_not_nullable": "Feld '{field}' darf nicht null sein",
+    "relation_not_included": "Relation '{relation}' wird in Feldern referenziert, aber nicht eingeschlossen. {hint}",
+    "max_nesting_depth_exceeded": "Maximale Verschachtelungstiefe von {depth} überschritten",
+    "no_file_uploaded": "Keine Datei hochgeladen"
 }

package/locales/en_US.json

@@ -176,5 +176,23 @@
     "token_missing_email": "Token does not contain email information",
     "oauth_config_missing": "{provider} App ID and Secret must be configured in environment variables",
     "token_app_mismatch": "Token does not belong to this application",
-    "oauth_email_permission_missing": "{provider} user does not have email permission granted"
+    "oauth_email_permission_missing": "{provider} user does not have email permission granted",
+    "internal_server_error": "Something went wrong",
+    "duplicate_entry": "Duplicate entry for {model}. Record with {field}: '{value}' already exists",
+    "authentication_not_available": "Authentication is not available",
+    "authentication_required": "Authentication required",
+    "user_and_password_required": "User and password are required",
+    "auth_not_configured": "Authentication is not configured",
+    "email_and_password_required": "Email and password are required",
+    "email_already_exists": "Email already exists",
+    "user_registered": "User registered successfully",
+    "invalid_composite_key": "Invalid composite key: expected {expected} fields, received {received}",
+    "invalid_composite_key_format": "Invalid composite key format. Expected an object or tilde-separated string",
+    "no_permission_to_create": "No permission to create {model}",
+    "no_permission_to_update": "No permission to update record",
+    "no_permission_to_delete": "No permission to delete record",
+    "field_not_nullable": "Field '{field}' cannot be null",
+    "relation_not_included": "Relation '{relation}' is referenced in fields but not included. {hint}",
+    "max_nesting_depth_exceeded": "Maximum nesting depth of {depth} exceeded",
+    "no_file_uploaded": "No file uploaded"
 }

package/locales/es_ES.json

@@ -175,5 +175,23 @@
     "token_missing_email": "El token no contiene información de correo electrónico",
     "oauth_config_missing": "El ID de aplicación y el secreto de {provider} deben configurarse en las variables de entorno",
     "token_app_mismatch": "El token no pertenece a esta aplicación",
-    "oauth_email_permission_missing": "El usuario de {provider} no ha otorgado permiso de correo electrónico"
+    "oauth_email_permission_missing": "El usuario de {provider} no ha otorgado permiso de correo electrónico",
+    "internal_server_error": "Algo salió mal",
+    "duplicate_entry": "Entrada duplicada para {model}. El registro con {field}: '{value}' ya existe",
+    "authentication_not_available": "La autenticación no está disponible",
+    "authentication_required": "Autenticación requerida",
+    "user_and_password_required": "Usuario y contraseña son requeridos",
+    "auth_not_configured": "La autenticación no está configurada",
+    "email_and_password_required": "Correo electrónico y contraseña son requeridos",
+    "email_already_exists": "El correo electrónico ya existe",
+    "user_registered": "Usuario registrado exitosamente",
+    "invalid_composite_key": "Clave compuesta inválida: se esperaban {expected} campos, se recibieron {received}",
+    "invalid_composite_key_format": "Formato de clave compuesta inválido. Se espera un objeto o una cadena separada por tildes",
+    "no_permission_to_create": "Sin permiso para crear {model}",
+    "no_permission_to_update": "Sin permiso para actualizar el registro",
+    "no_permission_to_delete": "Sin permiso para eliminar el registro",
+    "field_not_nullable": "El campo '{field}' no puede ser nulo",
+    "relation_not_included": "La relación '{relation}' está referenciada en los campos pero no incluida. {hint}",
+    "max_nesting_depth_exceeded": "Se excedió la profundidad máxima de anidación de {depth}",
+    "no_file_uploaded": "No se cargó ningún archivo"
 }

package/locales/fr_FR.json

@@ -175,5 +175,23 @@
     "token_missing_email": "Le jeton ne contient pas d'informations d'e-mail",
     "oauth_config_missing": "L'ID d'application et le secret de {provider} doivent être configurés dans les variables d'environnement",
     "token_app_mismatch": "Le jeton n'appartient pas à cette application",
-    "oauth_email_permission_missing": "L'utilisateur {provider} n'a pas accordé la permission d'accès à l'e-mail"
+    "oauth_email_permission_missing": "L'utilisateur {provider} n'a pas accordé la permission d'accès à l'e-mail",
+    "internal_server_error": "Une erreur est survenue",
+    "duplicate_entry": "Entrée en double pour {model}. L'enregistrement avec {field} : '{value}' existe déjà",
+    "authentication_not_available": "L'authentification n'est pas disponible",
+    "authentication_required": "Authentification requise",
+    "user_and_password_required": "Utilisateur et mot de passe sont requis",
+    "auth_not_configured": "L'authentification n'est pas configurée",
+    "email_and_password_required": "E-mail et mot de passe sont requis",
+    "email_already_exists": "L'e-mail existe déjà",
+    "user_registered": "Utilisateur enregistré avec succès",
+    "invalid_composite_key": "Clé composite invalide : {expected} champs attendus, {received} reçus",
+    "invalid_composite_key_format": "Format de clé composite invalide. Un objet ou une chaîne séparée par des tildes est attendu",
+    "no_permission_to_create": "Pas de permission pour créer {model}",
+    "no_permission_to_update": "Pas de permission pour mettre à jour l'enregistrement",
+    "no_permission_to_delete": "Pas de permission pour supprimer l'enregistrement",
+    "field_not_nullable": "Le champ '{field}' ne peut pas être nul",
+    "relation_not_included": "La relation '{relation}' est référencée dans les champs mais non incluse. {hint}",
+    "max_nesting_depth_exceeded": "Profondeur d'imbrication maximale de {depth} dépassée",
+    "no_file_uploaded": "Aucun fichier téléchargé"
 }

package/locales/it_IT.json

@@ -175,5 +175,23 @@
     "token_missing_email": "Il token non contiene informazioni e-mail",
     "oauth_config_missing": "L'ID applicazione e il segreto di {provider} devono essere configurati nelle variabili d'ambiente",
     "token_app_mismatch": "Il token non appartiene a questa applicazione",
-    "oauth_email_permission_missing": "L'utente {provider} non ha concesso il permesso e-mail"
+    "oauth_email_permission_missing": "L'utente {provider} non ha concesso il permesso e-mail",
+    "internal_server_error": "Qualcosa è andato storto",
+    "duplicate_entry": "Voce duplicata per {model}. Il record con {field}: '{value}' esiste già",
+    "authentication_not_available": "L'autenticazione non è disponibile",
+    "authentication_required": "Autenticazione richiesta",
+    "user_and_password_required": "Utente e password sono obbligatori",
+    "auth_not_configured": "L'autenticazione non è configurata",
+    "email_and_password_required": "E-mail e password sono obbligatori",
+    "email_already_exists": "L'e-mail esiste già",
+    "user_registered": "Utente registrato con successo",
+    "invalid_composite_key": "Chiave composita non valida: previsti {expected} campi, ricevuti {received}",
+    "invalid_composite_key_format": "Formato chiave composita non valido. Previsto un oggetto o una stringa separata da tilde",
+    "no_permission_to_create": "Nessun permesso per creare {model}",
+    "no_permission_to_update": "Nessun permesso per aggiornare il record",
+    "no_permission_to_delete": "Nessun permesso per eliminare il record",
+    "field_not_nullable": "Il campo '{field}' non può essere nullo",
+    "relation_not_included": "La relazione '{relation}' è referenziata nei campi ma non inclusa. {hint}",
+    "max_nesting_depth_exceeded": "Profondità massima di annidamento di {depth} superata",
+    "no_file_uploaded": "Nessun file caricato"
 }

package/locales/ja_JP.json

@@ -175,5 +175,23 @@
     "token_missing_email": "トークンにメール情報が含まれていません",
     "oauth_config_missing": "{provider}のアプリIDとシークレットを環境変数で設定する必要があります",
     "token_app_mismatch": "トークンはこのアプリケーションに属していません",
-    "oauth_email_permission_missing": "{provider}ユーザーがメール許可を付与していません"
+    "oauth_email_permission_missing": "{provider}ユーザーがメール許可を付与していません",
+    "internal_server_error": "問題が発生しました",
+    "duplicate_entry": "{model}の重複エントリ。{field}: '{value}'のレコードは既に存在します",
+    "authentication_not_available": "認証は利用できません",
+    "authentication_required": "認証が必要です",
+    "user_and_password_required": "ユーザーとパスワードが必要です",
+    "auth_not_configured": "認証が設定されていません",
+    "email_and_password_required": "メールアドレスとパスワードが必要です",
+    "email_already_exists": "メールアドレスは既に存在します",
+    "user_registered": "ユーザーが正常に登録されました",
+    "invalid_composite_key": "無効な複合キー: {expected}フィールドが必要ですが、{received}を受信しました",
+    "invalid_composite_key_format": "無効な複合キー形式。オブジェクトまたはチルダ区切りの文字列が必要です",
+    "no_permission_to_create": "{model}を作成する権限がありません",
+    "no_permission_to_update": "レコードを更新する権限がありません",
+    "no_permission_to_delete": "レコードを削除する権限がありません",
+    "field_not_nullable": "フィールド'{field}'はnullにできません",
+    "relation_not_included": "リレーション'{relation}'はフィールドで参照されていますが、含まれていません。{hint}",
+    "max_nesting_depth_exceeded": "最大ネスト深度{depth}を超えました",
+    "no_file_uploaded": "ファイルがアップロードされていません"
 }

package/locales/pt_BR.json

@@ -175,5 +175,23 @@
     "token_missing_email": "O token não contém informações de e-mail",
     "oauth_config_missing": "O ID do aplicativo e o segredo do {provider} devem ser configurados nas variáveis de ambiente",
     "token_app_mismatch": "O token não pertence a esta aplicação",
-    "oauth_email_permission_missing": "O usuário do {provider} não concedeu permissão de e-mail"
+    "oauth_email_permission_missing": "O usuário do {provider} não concedeu permissão de e-mail",
+    "internal_server_error": "Algo deu errado",
+    "duplicate_entry": "Entrada duplicada para {model}. Registro com {field}: '{value}' já existe",
+    "authentication_not_available": "A autenticação não está disponível",
+    "authentication_required": "Autenticação necessária",
+    "user_and_password_required": "Usuário e senha são obrigatórios",
+    "auth_not_configured": "A autenticação não está configurada",
+    "email_and_password_required": "E-mail e senha são obrigatórios",
+    "email_already_exists": "E-mail já existe",
+    "user_registered": "Usuário registrado com sucesso",
+    "invalid_composite_key": "Chave composta inválida: esperados {expected} campos, recebidos {received}",
+    "invalid_composite_key_format": "Formato de chave composta inválido. Esperado um objeto ou string separada por til",
+    "no_permission_to_create": "Sem permissão para criar {model}",
+    "no_permission_to_update": "Sem permissão para atualizar o registro",
+    "no_permission_to_delete": "Sem permissão para excluir o registro",
+    "field_not_nullable": "O campo '{field}' não pode ser nulo",
+    "relation_not_included": "A relação '{relation}' é referenciada nos campos mas não está incluída. {hint}",
+    "max_nesting_depth_exceeded": "Profundidade máxima de aninhamento de {depth} excedida",
+    "no_file_uploaded": "Nenhum arquivo enviado"
 }

package/locales/ru_RU.json

@@ -175,5 +175,23 @@
     "token_missing_email": "Токен не содержит информацию об электронной почте",
     "oauth_config_missing": "ID приложения и секрет {provider} должны быть настроены в переменных окружения",
     "token_app_mismatch": "Токен не принадлежит этому приложению",
-    "oauth_email_permission_missing": "Пользователь {provider} не предоставил разрешение на доступ к электронной почте"
+    "oauth_email_permission_missing": "Пользователь {provider} не предоставил разрешение на доступ к электронной почте",
+    "internal_server_error": "Что-то пошло не так",
+    "duplicate_entry": "Дублирующая запись для {model}. Запись с {field}: '{value}' уже существует",
+    "authentication_not_available": "Аутентификация недоступна",
+    "authentication_required": "Требуется аутентификация",
+    "user_and_password_required": "Пользователь и пароль обязательны",
+    "auth_not_configured": "Аутентификация не настроена",
+    "email_and_password_required": "Электронная почта и пароль обязательны",
+    "email_already_exists": "Электронная почта уже существует",
+    "user_registered": "Пользователь успешно зарегистрирован",
+    "invalid_composite_key": "Недопустимый составной ключ: ожидалось {expected} полей, получено {received}",
+    "invalid_composite_key_format": "Недопустимый формат составного ключа. Ожидается объект или строка, разделенная тильдой",
+    "no_permission_to_create": "Нет разрешения на создание {model}",
+    "no_permission_to_update": "Нет разрешения на обновление записи",
+    "no_permission_to_delete": "Нет разрешения на удаление записи",
+    "field_not_nullable": "Поле '{field}' не может быть пустым",
+    "relation_not_included": "Связь '{relation}' указана в полях, но не включена. {hint}",
+    "max_nesting_depth_exceeded": "Превышена максимальная глубина вложенности {depth}",
+    "no_file_uploaded": "Файл не загружен"
 }

package/locales/tr_TR.json

@@ -175,5 +175,23 @@
     "token_missing_email": "Token e-posta bilgisi içermiyor",
     "oauth_config_missing": "{provider} Uygulama ID'si ve Secret ortam değişkenlerinde yapılandırılmalıdır",
     "token_app_mismatch": "Token bu uygulamaya ait değil",
-    "oauth_email_permission_missing": "{provider} kullanıcısı e-posta izni vermemiş"
+    "oauth_email_permission_missing": "{provider} kullanıcısı e-posta izni vermemiş",
+    "internal_server_error": "Bir şeyler ters gitti",
+    "duplicate_entry": "{model} için yinelenen kayıt. {field}: '{value}' değerine sahip kayıt zaten mevcut",
+    "authentication_not_available": "Kimlik doğrulama kullanılamıyor",
+    "authentication_required": "Kimlik doğrulama gerekli",
+    "user_and_password_required": "Kullanıcı ve şifre gerekli",
+    "auth_not_configured": "Kimlik doğrulama yapılandırılmamış",
+    "email_and_password_required": "E-posta ve şifre gerekli",
+    "email_already_exists": "E-posta zaten mevcut",
+    "user_registered": "Kullanıcı başarıyla kaydedildi",
+    "invalid_composite_key": "Geçersiz bileşik anahtar: {expected} alan bekleniyor, {received} alındı",
+    "invalid_composite_key_format": "Geçersiz bileşik anahtar formatı. Bir nesne veya tilde ile ayrılmış bir dize bekleniyor",
+    "no_permission_to_create": "{model} oluşturma izni yok",
+    "no_permission_to_update": "Kaydı güncelleme izni yok",
+    "no_permission_to_delete": "Kaydı silme izni yok",
+    "field_not_nullable": "'{field}' alanı null olamaz",
+    "relation_not_included": "'{relation}' ilişkisi alanlarda referans ediliyor ancak dahil edilmemiş. {hint}",
+    "max_nesting_depth_exceeded": "Maksimum iç içe geçme derinliği {depth} aşıldı",
+    "no_file_uploaded": "Dosya yüklenmedi"
 }

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "2.1.3",
+  "version": "2.1.4",
   "description": "Code-first REST API framework for TypeScript. Database in, API out.",
   "main": "dist/main.js",
   "bin": {

package/src/app.ts

@@ -138,9 +138,35 @@ export async function buildApp(options: RapiddOptions = {}): Promise<FastifyInst
         await loadRoutes(app, routesPath);
     }
 
+    // ── Request Logging ─────────────────────────────
+    app.addHook('onSend', async (request, _reply, payload) => {
+        if (typeof payload === 'string') {
+            (request as any)._responsePayload = payload;
+        }
+        return payload;
+    });
+
+    app.addHook('onResponse', async (request, reply) => {
+        Logger.request({
+            method: request.method,
+            url: request.url,
+            status: reply.statusCode,
+            time: reply.elapsedTime,
+            ip: request.ip,
+            contentLength: request.headers['content-length'],
+            userId: request.user?.id,
+            userAgent: request.headers['user-agent'],
+            requestHeaders: request.headers,
+            requestBody: request.body,
+            responseHeaders: reply.getHeaders(),
+            responseBody: (request as any)._responsePayload,
+        });
+    });
+
     // ── 404 Handler ─────────────────────────────────
-    app.setNotFoundHandler((_request, reply) => {
-        reply.code(404).send({ status_code: 404, message: 'Not found' });
+    app.setNotFoundHandler((request, reply) => {
+        const language = request.language || 'en_US';
+        reply.code(404).send({ status_code: 404, message: LanguageDict.get('record_not_found', null, language) });
     });
 
     // ── Graceful Shutdown ───────────────────────────

package/src/auth/Auth.ts

@@ -6,7 +6,7 @@ import { ErrorResponse } from '../core/errors';
 import { createStore, SessionStoreManager } from './stores';
 import { loadDMMF, findUserModel, findIdentifierFields, findPasswordField } from '../core/dmmf';
 import { Logger } from '../utils/Logger';
-import type { RapiddUser, AuthOptions, AuthMethod, ISessionStore } from '../types';
+import type { RapiddUser, AuthOptions, AuthStrategy, ISessionStore } from '../types';
 
 /**
  * Authentication class for user login, logout, and session management
@@ -27,7 +27,7 @@ import type { RapiddUser, AuthOptions, AuthMethod, ISessionStore } from '../type
 export class Auth {
     options: Required<Pick<AuthOptions, 'passwordField' | 'saltRounds'>> & AuthOptions & {
         identifierFields: string[];
-        methods: AuthMethod[];
+        strategies: AuthStrategy[];
         cookieName: string;
         customHeaderName: string;
         session: { ttl: number; store?: string };
@@ -69,8 +69,8 @@ export class Auth {
                 ...options.jwt,
             },
             saltRounds: options.saltRounds || parseInt(process.env.AUTH_SALT_ROUNDS || '10', 10),
-            methods: options.methods
-                || (process.env.AUTH_METHODS?.split(',').map(s => s.trim()) as AuthMethod[])
+            strategies: options.strategies
+                || (process.env.AUTH_STRATEGIES?.split(',').map(s => s.trim()) as AuthStrategy[])
                 || ['bearer'],
             cookieName: options.cookieName || process.env.AUTH_COOKIE_NAME || 'token',
             customHeaderName: options.customHeaderName || process.env.AUTH_CUSTOM_HEADER || 'X-Auth-Token',

package/src/index.ts

@@ -74,7 +74,7 @@ export { buildApp } from './app';
 // ── Types ────────────────────────────────────────────────────────────────────
 export type {
     RapiddUser,
-    AuthMethod,
+    AuthStrategy,
     RouteAuthConfig,
     ModelOptions,
     GetManyResult,

package/src/orm/QueryBuilder.ts

@@ -1,5 +1,6 @@
 import { prisma, prismaTransaction, getAcl } from '../core/prisma';
 import { ErrorResponse } from '../core/errors';
+import { LanguageDict } from '../core/i18n';
 import { Logger } from '../utils/Logger';
 import * as dmmf from '../core/dmmf';
 import type {
@@ -2072,7 +2073,7 @@ class QueryBuilder {
         let statusCode: number = error.status_code || 500;
         let message: string = error instanceof ErrorResponse
             ? error.message
-            : (process.env.NODE_ENV === 'production' ? 'Something went wrong' : (error.message || String(error)));
+            : (process.env.NODE_ENV === 'production' ? LanguageDict.get('internal_server_error') : (error.message || String(error)));
 
         // Handle Prisma error codes
         if (error?.code && PRISMA_ERROR_MAP[error.code]) {
@@ -2083,7 +2084,7 @@ class QueryBuilder {
             if (error.code === 'P2002') {
                 const target = error.meta?.target;
                 const modelName = error.meta?.modelName;
-                message = `Duplicate entry for ${modelName}. Record with ${target}: '${data[target as string]}' already exists`;
+                message = LanguageDict.get('duplicate_entry', { model: modelName, field: target, value: data[target as string] });
             } else {
                 message = errorInfo.message!;
             }

package/src/plugins/auth.ts

@@ -3,7 +3,7 @@ import { FastifyPluginAsync, FastifyRequest } from 'fastify';
 import fp from 'fastify-plugin';
 import { Auth } from '../auth/Auth';
 import { ErrorResponse } from '../core/errors';
-import type { RapiddUser, AuthOptions, AuthMethod, RouteAuthConfig } from '../types';
+import type { RapiddUser, AuthOptions, AuthStrategy, RouteAuthConfig } from '../types';
 
 interface AuthPluginOptions {
     auth?: Auth;
@@ -36,42 +36,42 @@ const authPlugin: FastifyPluginAsync<AuthPluginOptions> = async (fastify, option
         return;
     }
 
-    // Load endpointAuthMethod from config/app.json (prefix → method(s) mapping)
-    let endpointAuthMethod: Record<string, AuthMethod | AuthMethod[] | null> = {};
+    // Load endpointAuthStrategy from config/app.json (prefix → strategy mapping)
+    let endpointAuthStrategy: Record<string, AuthStrategy | AuthStrategy[] | null> = {};
     try {
         const appConfig = require(path.join(process.cwd(), 'config', 'app.json'));
-        if (appConfig.endpointAuthMethod) {
-            endpointAuthMethod = appConfig.endpointAuthMethod;
+        if (appConfig.endpointAuthStrategy) {
+            endpointAuthStrategy = appConfig.endpointAuthStrategy;
         }
     } catch {
-        // No app.json or no endpointAuthMethod — use global default
+        // No app.json or no endpointAuthStrategy — use global default
     }
 
     // Pre-sort prefixes by length (longest first) for correct matching
-    const sortedPrefixes = Object.keys(endpointAuthMethod)
+    const sortedPrefixes = Object.keys(endpointAuthStrategy)
         .sort((a, b) => b.length - a.length);
 
-    // Parse auth on every request using configured methods (checked in order).
-    // Priority: route config > endpointAuthMethod prefix match > global default
+    // Parse auth on every request using configured strategies (checked in order).
+    // Priority: route config > endpointAuthStrategy prefix match > global default
     fastify.addHook('onRequest', async (request) => {
         const routeAuth = (request.routeOptions?.config as any)?.auth as RouteAuthConfig | undefined;
 
-        let methods: AuthMethod[];
-        if (routeAuth?.methods) {
-            methods = routeAuth.methods;
+        let strategies: AuthStrategy[];
+        if (routeAuth?.strategies) {
+            strategies = routeAuth.strategies;
         } else {
             const matchedPrefix = sortedPrefixes.find(p => request.url.startsWith(p));
             if (matchedPrefix) {
-                const value = endpointAuthMethod[matchedPrefix];
+                const value = endpointAuthStrategy[matchedPrefix];
                 if (value === null) {
-                    methods = auth.options.methods;
+                    strategies = auth.options.strategies;
                 } else if (typeof value === 'string') {
-                    methods = [value];
+                    strategies = [value];
                 } else {
-                    methods = value;
+                    strategies = value;
                 }
             } else {
-                methods = auth.options.methods;
+                strategies = auth.options.strategies;
             }
         }
 
@@ -80,10 +80,10 @@ const authPlugin: FastifyPluginAsync<AuthPluginOptions> = async (fastify, option
 
         let user: RapiddUser | null = null;
 
-        for (const method of methods) {
+        for (const strategy of strategies) {
             if (user) break;
 
-            switch (method) {
+            switch (strategy) {
                 case 'bearer': {
                     const h = request.headers.authorization;
                     if (h?.startsWith('Bearer ')) {
@@ -125,7 +125,7 @@ const authPlugin: FastifyPluginAsync<AuthPluginOptions> = async (fastify, option
     fastify.post('/auth/login', async (request, reply) => {
         const result = await auth.login(request.body as { user: string; password: string });
 
-        if (auth.options.methods.includes('cookie')) {
+        if (auth.options.strategies.includes('cookie')) {
             reply.setCookie(auth.options.cookieName, result.accessToken, {
                 path: '/',
                 httpOnly: true,
@@ -141,7 +141,7 @@ const authPlugin: FastifyPluginAsync<AuthPluginOptions> = async (fastify, option
     fastify.post('/auth/logout', async (request, reply) => {
         const result = await auth.logout(request.headers.authorization);
 
-        if (auth.options.methods.includes('cookie')) {
+        if (auth.options.strategies.includes('cookie')) {
             reply.clearCookie(auth.options.cookieName, { path: '/' });
         }
 

package/src/plugins/language.ts

@@ -37,22 +37,22 @@ function resolveLanguage(headerValue: string): string {
             .split(',')
             .map((lang: string) => {
                 const parts = lang.trim().split(';');
-                const code = parts[0].trim();
+                const code = parts[0].trim().replace(/-/g, '_');
                 const quality = parts[1] ? parseFloat(parts[1].replace('q=', '')) : 1.0;
                 return { code, quality };
             })
             .sort((a, b) => b.quality - a.quality);
 
-        // Exact match
+        // Exact match (e.g. "de_DE" header → "de_DE" locale)
         for (const lang of languages) {
             const match = ALLOWED_LANGUAGES.find((a: string) => a.toLowerCase() === lang.code);
             if (match) return match;
         }
 
-        // Language family match (e.g. "en-GB" → "en_US")
+        // Language family match (e.g. "en_GB" header → "en_US" locale)
         for (const lang of languages) {
-            const prefix = lang.code.split('-')[0];
-            const match = ALLOWED_LANGUAGES.find((a: string) => a.toLowerCase().startsWith(prefix + '-'));
+            const prefix = lang.code.split('_')[0];
+            const match = ALLOWED_LANGUAGES.find((a: string) => a.toLowerCase().startsWith(prefix + '_'));
             if (match) return match;
         }
     } catch {

package/src/plugins/response.ts

@@ -70,7 +70,7 @@ const responsePlugin: FastifyPluginAsync = async (fastify) => {
         const err = error as Error;
         const message =
             Object.getPrototypeOf(err).constructor === Error && process.env.NODE_ENV === 'production'
-                ? 'Something went wrong'
+                ? LanguageDict.get('internal_server_error', null, language)
                 : err.message || String(error);
 
         Logger.error(error);

package/src/plugins/upload.ts

@@ -5,6 +5,7 @@ import { pipeline } from 'stream/promises';
 import { Transform } from 'stream';
 import { randomUUID } from 'crypto';
 import path from 'path';
+import { ErrorResponse } from '../core/errors';
 
 // ── Types ────────────────────────────────────────────────────────────────────
 
@@ -85,9 +86,9 @@ function getAllowedTypes(option: UploadOptions['allowedTypes']): AllowedType[] {
 function validateFile(
     file: { mimetype: string; filename: string },
     allowedTypes: AllowedType[]
-): { valid: boolean; error?: string } {
+): { valid: boolean; errorKey?: string; errorData?: Record<string, unknown> } {
     if (file.filename.includes('..') || file.filename.includes('/') || file.filename.includes('\\')) {
-        return { valid: false, error: 'Invalid filename' };
+        return { valid: false, errorKey: 'invalid_file_name' };
     }
 
     if (allowedTypes.length === 0) {
@@ -98,11 +99,11 @@ function validateFile(
     const allowedType = allowedTypes.find(t => t.mime === file.mimetype);
 
     if (!allowedType) {
-        return { valid: false, error: `File type '${file.mimetype}' not allowed` };
+        return { valid: false, errorKey: 'file_type_not_allowed', errorData: { mimetype: file.mimetype } };
     }
 
     if (!allowedType.extensions.includes(ext)) {
-        return { valid: false, error: `Extension '${ext}' does not match MIME type '${file.mimetype}'` };
+        return { valid: false, errorKey: 'file_extension_not_allowed', errorData: { extension: ext, mimetype: file.mimetype } };
     }
 
     return { valid: true };
@@ -114,7 +115,7 @@ function createSizeTracker(maxSize: number): { tracker: Transform; getSize: () =
         transform(chunk, encoding, callback) {
             size += chunk.length;
             if (size > maxSize) {
-                callback(new Error(`File size exceeds limit of ${Math.round(maxSize / 1024 / 1024)}MB`));
+                callback(new ErrorResponse(400, 'file_size_exceeds_limit', { limit: Math.round(maxSize / 1024 / 1024) }));
                 return;
             }
             callback(null, chunk);
@@ -229,7 +230,7 @@ async function uploadPluginImpl(
 
             const validation = validateFile(data, allowedTypes);
             if (!validation.valid) {
-                throw new Error(validation.error);
+                throw new ErrorResponse(400, validation.errorKey!, validation.errorData);
             }
 
             const { tempPath, size } = await saveToTemp(data.file, tempDir, data.filename, maxFileSize);
@@ -260,7 +261,7 @@ async function uploadPluginImpl(
 
                 const validation = validateFile(part, allowedTypes);
                 if (!validation.valid) {
-                    throw new Error(validation.error);
+                    throw new ErrorResponse(400, validation.errorKey!, validation.errorData);
                 }
 
                 const { tempPath, size } = await saveToTemp(part.file, tempDir, part.filename, maxFileSize);

package/src/types.ts

@@ -10,10 +10,10 @@ export interface RapiddUser {
     [key: string]: unknown;
 }
 
-export type AuthMethod = 'bearer' | 'basic' | 'cookie' | 'header';
+export type AuthStrategy = 'bearer' | 'basic' | 'cookie' | 'header';
 
 export interface RouteAuthConfig {
-    methods?: AuthMethod[];
+    strategies?: AuthStrategy[];
     cookieName?: string;
     customHeaderName?: string;
 }
@@ -32,7 +32,7 @@ export interface AuthOptions {
         refreshExpiry?: string;
     };
     saltRounds?: number;
-    methods?: AuthMethod[];
+    strategies?: AuthStrategy[];
     cookieName?: string;
     customHeaderName?: string;
 }

package/src/utils/Logger.ts

@@ -76,6 +76,32 @@ function formatDataPretty(data: unknown[]): string {
     return '\n' + parts.join('\n');
 }
 
+function formatHeaders(headers: Record<string, unknown>): string {
+    return Object.entries(headers)
+        .filter(([, v]) => v !== undefined)
+        .map(([k, v]) => `  ${k}: ${Array.isArray(v) ? v.join(', ') : v}`)
+        .join('\n');
+}
+
+function formatBody(body: unknown): string {
+    if (body === null || body === undefined) return '  (empty)';
+    if (typeof body === 'string') {
+        try {
+            return '  ' + JSON.stringify(JSON.parse(body), null, 2).replace(/\n/g, '\n  ');
+        } catch {
+            return '  ' + body;
+        }
+    }
+    if (typeof body === 'object') {
+        try {
+            return '  ' + JSON.stringify(body, null, 2).replace(/\n/g, '\n  ');
+        } catch {
+            return '  ' + String(body);
+        }
+    }
+    return '  ' + String(body);
+}
+
 function formatError(error: Error | string | unknown): { message: string; toString: string; stack: string } {
     if (error instanceof Error) {
         return {
@@ -152,6 +178,60 @@ export const Logger = {
         console.error(output);
         writeToFile('error.log', output);
     },
+
+    request(info: {
+        method: string;
+        url: string;
+        status: number;
+        time: number;
+        ip?: string;
+        contentLength?: string;
+        userId?: string | number;
+        userAgent?: string;
+        requestHeaders?: Record<string, unknown>;
+        requestBody?: unknown;
+        responseHeaders?: Record<string, unknown>;
+        responseBody?: unknown;
+    }): void {
+        if (_silent) return;
+
+        const { method, url, status, time } = info;
+        const timeStr = `${time.toFixed(0)}ms`;
+        let output: string;
+
+        switch (_level) {
+            case 'essential':
+                output = `[${timestamp()}] ${method} ${url} ${status} ${timeStr}`;
+                break;
+            case 'fine':
+                output = `[${timestamp()}] ${method} ${url} ${status} ${timeStr} | ${info.ip || '-'}${info.userId ? ` | user:${info.userId}` : ''}`;
+                break;
+            case 'finest': {
+                const lines = [`[${timestamp()}] ${method} ${url} ${status} ${timeStr} | ${info.ip || '-'}${info.userId ? ` | user:${info.userId}` : ''}`];
+                if (info.requestHeaders) {
+                    lines.push('  ── Request Headers');
+                    lines.push(formatHeaders(info.requestHeaders));
+                }
+                if (info.requestBody !== undefined && info.requestBody !== null) {
+                    lines.push('  ── Request Body');
+                    lines.push(formatBody(info.requestBody));
+                }
+                if (info.responseHeaders) {
+                    lines.push('  ── Response Headers');
+                    lines.push(formatHeaders(info.responseHeaders));
+                }
+                if (info.responseBody !== undefined && info.responseBody !== null) {
+                    lines.push('  ── Response Body');
+                    lines.push(formatBody(info.responseBody));
+                }
+                output = lines.join('\n');
+                break;
+            }
+        }
+
+        console.log(output);
+        writeToFile('access.log', output);
+    },
 };
 
 export default Logger;