@rebasepro/server-core 0.0.1-canary.eae7889 → 0.1.0

package/packages/utils/node_modules/esbuild/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "esbuild",
+  "version": "0.21.5",
+  "description": "An extremely fast JavaScript and CSS bundler and minifier.",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/evanw/esbuild.git"
+  },
+  "scripts": {
+    "postinstall": "node install.js"
+  },
+  "main": "lib/main.js",
+  "types": "lib/main.d.ts",
+  "engines": {
+    "node": ">=12"
+  },
+  "bin": {
+    "esbuild": "bin/esbuild"
+  },
+  "optionalDependencies": {
+    "@esbuild/aix-ppc64": "0.21.5",
+    "@esbuild/android-arm": "0.21.5",
+    "@esbuild/android-arm64": "0.21.5",
+    "@esbuild/android-x64": "0.21.5",
+    "@esbuild/darwin-arm64": "0.21.5",
+    "@esbuild/darwin-x64": "0.21.5",
+    "@esbuild/freebsd-arm64": "0.21.5",
+    "@esbuild/freebsd-x64": "0.21.5",
+    "@esbuild/linux-arm": "0.21.5",
+    "@esbuild/linux-arm64": "0.21.5",
+    "@esbuild/linux-ia32": "0.21.5",
+    "@esbuild/linux-loong64": "0.21.5",
+    "@esbuild/linux-mips64el": "0.21.5",
+    "@esbuild/linux-ppc64": "0.21.5",
+    "@esbuild/linux-riscv64": "0.21.5",
+    "@esbuild/linux-s390x": "0.21.5",
+    "@esbuild/linux-x64": "0.21.5",
+    "@esbuild/netbsd-x64": "0.21.5",
+    "@esbuild/openbsd-x64": "0.21.5",
+    "@esbuild/sunos-x64": "0.21.5",
+    "@esbuild/win32-arm64": "0.21.5",
+    "@esbuild/win32-ia32": "0.21.5",
+    "@esbuild/win32-x64": "0.21.5"
+  },
+  "license": "MIT"
+}

package/src/api/errors.ts

@@ -120,10 +120,11 @@ export const errorHandler: ErrorHandler = (err, c) => {
         `❌ [API] ${c.req.method} ${c.req.path} → ${statusCode} ${code}: ${logMessage}`
     );
 
-    // Suppress the huge stack trace for known missing schema errors (it's noisy and not a code bug)
+    // Suppress the huge stack trace for known DB errors (it's noisy and leaks SQL)
     const causePg = (error.cause && typeof error.cause === "object") ? (error.cause as PgLikeError) : undefined;
     const pgErrorCode = causePg?.code || error.code;
-    if (pgErrorCode !== "42703" && pgErrorCode !== "42P01") {
+    const suppressStack = pgErrorCode === "42703" || pgErrorCode === "42P01" || (statusCode < 500 && code === "BAD_REQUEST");
+    if (!suppressStack) {
         console.error(error.stack || error);
     }
 

package/src/api/rest/api-generator-count.test.ts

@@ -0,0 +1,113 @@
+import { jest } from "@jest/globals";
+import { RestApiGenerator } from "./api-generator";
+import type { DataDriver, EntityCollection, FetchCollectionProps } from "@rebasepro/types";
+
+/**
+ * Minimal mock DataDriver for testing.
+ */
+function createMockDriver(overrides?: Partial<DataDriver>): DataDriver {
+    return {
+        fetchCollection: jest.fn().mockResolvedValue([]),
+        fetchEntity: jest.fn().mockResolvedValue(null),
+        saveEntity: jest.fn().mockResolvedValue({ id: "1", path: "test", values: {} }),
+        deleteEntity: jest.fn().mockResolvedValue(undefined),
+        countEntities: jest.fn().mockResolvedValue(0),
+        ...overrides,
+    } as unknown as DataDriver;
+}
+
+function createTestCollection(slug: string): EntityCollection {
+    return {
+        slug,
+        name: slug.charAt(0).toUpperCase() + slug.slice(1),
+        path: slug,
+        properties: {},
+    } as unknown as EntityCollection;
+}
+
+describe("RestApiGenerator - Count Endpoint", () => {
+    let driver: DataDriver;
+    let collection: EntityCollection;
+
+    beforeEach(() => {
+        driver = createMockDriver({
+            countEntities: jest.fn().mockResolvedValue(42),
+        });
+        collection = createTestCollection("products");
+    });
+
+    it("GET /products/count should return a count object", async () => {
+        const generator = new RestApiGenerator([collection], driver);
+        const app = generator.generateRoutes();
+
+        const res = await app.request("/products/count");
+        expect(res.status).toBe(200);
+
+        const json = await res.json() as { count: number };
+        expect(json.count).toBe(42);
+    });
+
+    it("should pass filters to countEntities driver", async () => {
+        const generator = new RestApiGenerator([collection], driver);
+        const app = generator.generateRoutes();
+
+        const res = await app.request("/products/count?status=eq.active");
+        expect(res.status).toBe(200);
+
+        const json = await res.json() as { count: number };
+        expect(json.count).toBe(42);
+
+        // Verify countEntities was called with the filter
+        expect(driver.countEntities).toHaveBeenCalled();
+        const callArgs = (driver.countEntities as ReturnType<typeof jest.fn>).mock.calls[0][0] as FetchCollectionProps;
+        expect(callArgs.path).toBe("products");
+        expect(callArgs.filter).toHaveProperty("status");
+    });
+
+    it("should pass searchString to countEntities driver", async () => {
+        const generator = new RestApiGenerator([collection], driver);
+        const app = generator.generateRoutes();
+
+        const res = await app.request("/products/count?searchString=widget");
+        expect(res.status).toBe(200);
+
+        const json = await res.json() as { count: number };
+        expect(json.count).toBe(42);
+
+        expect(driver.countEntities).toHaveBeenCalled();
+        const callArgs = (driver.countEntities as ReturnType<typeof jest.fn>).mock.calls[0][0] as FetchCollectionProps;
+        expect(callArgs.searchString).toBe("widget");
+    });
+
+    it("should return 0 when countEntities is not available on driver", async () => {
+        const driverWithoutCount = createMockDriver({ countEntities: undefined });
+        const generator = new RestApiGenerator([collection], driverWithoutCount);
+        const app = generator.generateRoutes();
+
+        const res = await app.request("/products/count");
+        expect(res.status).toBe(200);
+
+        const json = await res.json() as { count: number };
+        expect(json.count).toBe(0);
+    });
+
+    it("GET /products/count should not be confused with GET /products/:id", async () => {
+        // Ensure the count route is registered before the :id route
+        const fetchEntity = jest.fn().mockResolvedValue(null);
+        const driverCustom = createMockDriver({
+            countEntities: jest.fn().mockResolvedValue(99),
+            fetchEntity,
+        });
+        const generator = new RestApiGenerator([collection], driverCustom);
+        const app = generator.generateRoutes();
+
+        const res = await app.request("/products/count");
+        expect(res.status).toBe(200);
+
+        const json = await res.json() as { count: number };
+        expect(json.count).toBe(99);
+
+        // fetchEntity should NOT have been called (i.e. "count" was not treated as an entity ID)
+        expect(fetchEntity).not.toHaveBeenCalled();
+    });
+});

package/src/api/rest/api-generator.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import { DataDriver, Entity, EntityCollection, FetchCollectionProps } from "@rebasepro/types";
+import { DataDriver, Entity, EntityCollection, FetchCollectionProps, DataHooks, BackendHookContext, RestFetchService } from "@rebasepro/types";
 import { QueryOptions, HonoEnv } from "../types";
 import { ApiError } from "../errors";
 import { parseQueryOptions } from "./query-parser";
@@ -13,13 +13,24 @@ export class RestApiGenerator {
     private collections: EntityCollection[];
     private router: Hono<HonoEnv>;
     private driver: DataDriver;
+    private dataHooks?: DataHooks;
 
-    constructor(collections: EntityCollection[], driver: DataDriver) {
+    constructor(collections: EntityCollection[], driver: DataDriver, dataHooks?: DataHooks) {
         this.collections = collections;
         this.driver = driver;
+        this.dataHooks = dataHooks;
         this.router = new Hono<HonoEnv>();
     }
 
+    /** Build a BackendHookContext from a Hono context */
+    private buildHookContext(c: { get: (key: string) => unknown }, method: BackendHookContext["method"]): BackendHookContext {
+        const user = c.get("user") as { userId: string; roles?: string[] } | undefined;
+        return {
+            requestUser: user ? { userId: user.userId, roles: user.roles ?? [] } : undefined,
+            method
+        };
+    }
+
     /**
      * Generate REST routes using existing DataDriver
      */
@@ -37,16 +48,10 @@ export class RestApiGenerator {
     }
 
     /**
-     * Get the EntityFetchService from a driver if it exposes one (for include support)
+     * Get the typed RestFetchService from a driver if it exposes one (for include support).
      */
-    private getFetchService(driver: DataDriver): Record<string, (...args: unknown[]) => unknown> | null {
-        if ("entityService" in driver && typeof driver.entityService === "object" && driver.entityService) {
-            const es = driver.entityService as Record<string, unknown>;
-            if (typeof es.getFetchService === "function") {
-                return es.getFetchService();
-            }
-        }
-        return null;
+    private getFetchService(driver: DataDriver): RestFetchService | undefined {
+        return driver.restFetchService;
     }
 
     /**
@@ -56,6 +61,17 @@ export class RestApiGenerator {
         const basePath = `/${collection.slug}`;
         const resolvedCollection = collection;
 
+        // GET /collection/count - Count entities (with optional filters)
+        this.router.get(`${basePath}/count`, async (c) => {
+            const queryDict = c.req.query();
+            const queryOptions = parseQueryOptions(queryDict);
+            const searchString = queryDict.searchString as string | undefined;
+            const driver = c.get("driver") || this.driver;
+
+            const total = await this.countRawEntities(driver, resolvedCollection, queryOptions, searchString);
+            return c.json({ count: total });
+        });
+
         // GET /collection - List entities
         this.router.get(basePath, async (c) => {
             const queryDict = c.req.query();
@@ -64,11 +80,12 @@ export class RestApiGenerator {
 
             const driver = c.get("driver") || this.driver;
             const fetchService = this.getFetchService(driver);
+            const hookCtx = this.buildHookContext(c, "GET");
 
             // Use include-aware path when available
             if (fetchService) {
                 const collectionPath = collection.slug;
-                const entities = await fetchService.fetchCollectionForRest(
+                let entities = await fetchService.fetchCollectionForRest(
                     collectionPath,
                     {
                         filter: queryOptions.where as FetchCollectionProps["filter"],
@@ -81,6 +98,8 @@ export class RestApiGenerator {
                     queryOptions.include
                 );
 
+                entities = await this.applyAfterReadBatch(collection.slug, entities, hookCtx);
+
                 const total = await this.countRawEntities(driver, resolvedCollection, queryOptions, searchString);
 
                 return c.json({
@@ -89,13 +108,15 @@ export class RestApiGenerator {
                         total,
                         limit: queryOptions.limit,
                         offset: queryOptions.offset,
-                        hasMore: (queryOptions.offset || 0) + (entities as unknown[]).length < total
+                        hasMore: (queryOptions.offset || 0) + entities.length < total
                     }
                 });
             }
 
             // Fallback path
-            const entities = await this.fetchRawCollection(driver, resolvedCollection, queryOptions, searchString);
+            let entities = await this.fetchRawCollection(driver, resolvedCollection, queryOptions, searchString);
+
+            entities = await this.applyAfterReadBatch(collection.slug, entities, hookCtx);
 
             const total = await this.countRawEntities(driver, resolvedCollection, queryOptions, searchString);
 
@@ -105,7 +126,7 @@ export class RestApiGenerator {
                     total,
                     limit: queryOptions.limit,
                     offset: queryOptions.offset,
-                    hasMore: (queryOptions.offset || 0) + (entities as unknown[]).length < total
+                    hasMore: (queryOptions.offset || 0) + entities.length < total
                 }
             });
         });
@@ -117,11 +138,12 @@ export class RestApiGenerator {
             const queryOptions = parseQueryOptions(queryDict);
             const driver = c.get("driver") || this.driver;
             const fetchService = this.getFetchService(driver);
+            const hookCtx = this.buildHookContext(c, "GET");
 
             // Use include-aware path when available
             if (fetchService) {
                 const collectionPath = collection.slug;
-                const entity = await fetchService.fetchEntityForRest(
+                let entity = await fetchService.fetchEntityForRest(
                     collectionPath,
                     String(id),
                     queryOptions.include
@@ -131,16 +153,26 @@ export class RestApiGenerator {
                     throw ApiError.notFound("Entity not found");
                 }
 
+                entity = await this.applyAfterRead(collection.slug, entity, hookCtx);
+                if (!entity) {
+                    throw ApiError.notFound("Entity not found");
+                }
+
                 return c.json(entity);
             }
 
             // Fallback
-            const entity = await this.fetchRawEntity(driver, resolvedCollection, String(id));
+            let entity = await this.fetchRawEntity(driver, resolvedCollection, String(id));
 
             if (!entity) {
                 throw ApiError.notFound("Entity not found");
             }
 
+            entity = await this.applyAfterRead(collection.slug, entity, hookCtx);
+            if (!entity) {
+                throw ApiError.notFound("Entity not found");
+            }
+
             return c.json(entity);
         });
 
@@ -149,8 +181,13 @@ export class RestApiGenerator {
             try {
                 const driver = c.get("driver") || this.driver;
                 const path = collection.slug;
+                const hookCtx = this.buildHookContext(c, "POST");
 
-                const body = await c.req.json().catch(() => ({}));
+                let body = await c.req.json().catch(() => ({}));
+
+                if (this.dataHooks?.beforeSave) {
+                    body = await this.dataHooks.beforeSave(path, body, undefined, hookCtx);
+                }
 
                 const entity = await driver.saveEntity({
                     path,
@@ -159,7 +196,15 @@ export class RestApiGenerator {
                     status: "new"
                 });
 
-                return c.json(this.formatResponse(entity), 201);
+                const response = this.formatResponse(entity);
+
+                if (this.dataHooks?.afterSave) {
+                    Promise.resolve(this.dataHooks.afterSave(path, response as Record<string, unknown>, hookCtx)).catch(err => {
+                        console.error("[BackendHooks] data.afterSave error:", err instanceof Error ? err.message : err);
+                    });
+                }
+
+                return c.json(response, 201);
             } catch (error) {
                 const err = error as Error & { code?: string };
                 err.code = err.code || "BAD_REQUEST";
@@ -172,6 +217,7 @@ export class RestApiGenerator {
             try {
                 const id = c.req.param("id");
                 const driver = c.get("driver") || this.driver;
+                const hookCtx = this.buildHookContext(c, "PUT");
 
                 const existingEntity = await driver.fetchEntity({
                     path: collection.slug,
@@ -183,7 +229,11 @@ export class RestApiGenerator {
                     throw ApiError.notFound("Entity not found");
                 }
 
-                const body = await c.req.json().catch(() => ({}));
+                let body = await c.req.json().catch(() => ({}));
+
+                if (this.dataHooks?.beforeSave) {
+                    body = await this.dataHooks.beforeSave(collection.slug, body, String(id), hookCtx);
+                }
 
                 const entity = await driver.saveEntity({
                     path: collection.slug,
@@ -193,7 +243,15 @@ export class RestApiGenerator {
                     status: "existing"
                 });
 
-                return c.json(this.formatResponse(entity));
+                const response = this.formatResponse(entity);
+
+                if (this.dataHooks?.afterSave) {
+                    Promise.resolve(this.dataHooks.afterSave(collection.slug, response as Record<string, unknown>, hookCtx)).catch(err => {
+                        console.error("[BackendHooks] data.afterSave error:", err instanceof Error ? err.message : err);
+                    });
+                }
+
+                return c.json(response);
             } catch (error) {
                 const err = error as Error & { code?: string };
                 err.code = err.code || "BAD_REQUEST";
@@ -205,6 +263,7 @@ export class RestApiGenerator {
         this.router.delete(`${basePath}/:id`, async (c) => {
             const id = c.req.param("id");
             const driver = c.get("driver") || this.driver;
+            const hookCtx = this.buildHookContext(c, "DELETE");
 
             const existingEntity = await driver.fetchEntity({
                 path: collection.slug,
@@ -216,11 +275,21 @@ export class RestApiGenerator {
                 throw ApiError.notFound("Entity not found");
             }
 
+            if (this.dataHooks?.beforeDelete) {
+                await this.dataHooks.beforeDelete(collection.slug, String(id), hookCtx);
+            }
+
             await driver.deleteEntity({
                 entity: existingEntity,
                 collection: resolvedCollection
             });
 
+            if (this.dataHooks?.afterDelete) {
+                Promise.resolve(this.dataHooks.afterDelete(collection.slug, String(id), hookCtx)).catch(err => {
+                    console.error("[BackendHooks] data.afterDelete error:", err instanceof Error ? err.message : err);
+                });
+            }
+
             return new Response(null, { status: 204 });
         });
     }
@@ -285,7 +354,19 @@ entityId };
 
             const driver = c.get("driver") || this.driver;
 
-            if (parsed.entityId) {
+            if (parsed.entityId === "count") {
+                // GET /parent/:parentId/child/count — count child entities
+                const queryDict = c.req.query();
+                const queryOptions = parseQueryOptions(queryDict);
+                
+                const total = driver.countEntities ? await driver.countEntities({
+                    path: parsed.collectionPath,
+                    filter: queryOptions.where as FetchCollectionProps["filter"],
+                    searchString: queryDict.searchString as string | undefined
+                }) : 0;
+                
+                return c.json({ count: total });
+            } else if (parsed.entityId) {
                 // GET /parent/:parentId/child/:id — single entity
                 const entity = await driver.fetchEntity({
                     path: parsed.collectionPath,
@@ -469,4 +550,24 @@ entityId };
 
         return entity ? this.flattenEntity(entity) : null;
     }
+
+    /**
+     * Apply data.afterRead hook to a single entity.
+     * Returns the transformed entity, or null to filter it out.
+     */
+    private async applyAfterRead(slug: string, entity: Record<string, unknown>, ctx: BackendHookContext): Promise<Record<string, unknown> | null> {
+        if (!this.dataHooks?.afterRead) return entity;
+        return this.dataHooks.afterRead(slug, entity, ctx);
+    }
+
+    /**
+     * Apply data.afterRead hook to an array of entities, filtering out nulls.
+     */
+    private async applyAfterReadBatch(slug: string, entities: Record<string, unknown>[], ctx: BackendHookContext): Promise<Record<string, unknown>[]> {
+        if (!this.dataHooks?.afterRead) return entities;
+        const results = await Promise.all(
+            entities.map(e => this.applyAfterRead(slug, e, ctx))
+        );
+        return results.filter((e): e is Record<string, unknown> => e !== null);
+    }
 }

package/src/api/server.ts

@@ -69,8 +69,11 @@ export class RebaseApiServer {
      * Setup Hono middleware
      */
     private setupMiddleware(): void {
-        // Security headers
-        this.router.use("/*", secureHeaders());
+        // Security headers — use same-origin-allow-popups for COOP so that
+        // OAuth popup flows (Google, etc.) can postMessage back to the opener.
+        this.router.use("/*", secureHeaders({
+            crossOriginOpenerPolicy: "same-origin-allow-popups"
+        }));
 
         // CORS — only applied if explicitly configured via `cors` option.
         // If omitted, the user is expected to configure CORS on their own
@@ -178,10 +181,11 @@ export class RebaseApiServer {
             if (process.env.NODE_ENV === "production") {
                 console.warn("[RebaseApiServer] Schema Editor is disabled in production environments for security.");
             } else {
-                const schemaEditorRoutes = createSchemaEditorRoutes(this.config.collectionsDir);
-                this.router.route(`${basePath}/schema-editor`, schemaEditorRoutes);
                 // Auth middlewares applied to schema-editor via the router prefix
+                // MUST be declared before .route() so they execute first
                 this.router.use(`${basePath}/schema-editor/*`, requireAuth, requireAdmin);
+                const schemaEditorRoutes = createSchemaEditorRoutes(this.config.collectionsDir);
+                this.router.route(`${basePath}/schema-editor`, schemaEditorRoutes);
             }
         }