befly 3.35.0 → 3.37.0

package/apis/tongJi/onlineStats.js

@@ -1,177 +1,55 @@
-import { getDateYmdNumber } from "#befly/utils/datetime.js";
+import { getOnlineStatsActiveProductKey } from "./_tongJi.js";
 
-import { getTongJiMonthStartDate, getTongJiNumber, getTongJiRecentDateList, getTongJiWeekStartDate } from "./_tongJi.js";
-
-const ONLINE_STATS_DAY_LIMIT = 30;
 const ONLINE_STATS_ACTIVE_KEY = "online:active";
 
-// 构造全量统计的 Redis 键。
-function getPeriodKeys(periodType, periodValue) {
-    return {
-        pv: `online:${periodType}:${periodValue}:pv`,
-        members: `online:${periodType}:${periodValue}:members`,
-        reportTime: `online:${periodType}:${periodValue}:reportTime`
-    };
-}
-
-// 构造单产品统计的 Redis 键。
-function getOnlineStatsProductPeriodKeys(periodType, periodValue, productName) {
-    const productKey = encodeURIComponent(productName);
-
-    return {
-        pv: `online:${periodType}:${periodValue}:product:${productKey}:pv`,
-        members: `online:${periodType}:${periodValue}:product:${productKey}:members`,
-        reportTime: `online:${periodType}:${periodValue}:product:${productKey}:reportTime`
-    };
-}
-
-// 构造单产品实时在线集合的 Redis 键。
-function getOnlineStatsActiveProductKey(productName) {
-    const productKey = encodeURIComponent(productName);
-
-    return `online:active:product:${productKey}`;
-}
-
-// 读取 Redis 字符串并转成统计数字。
-async function getRedisNumber(befly, key) {
-    return getTongJiNumber(await befly.redis.getString(key));
-}
-
-// 读取某个周期的全量统计数据。
-async function getOnlineStatsPeriodData(befly, periodType, periodValue) {
-    const keys = getPeriodKeys(periodType, periodValue);
-    return {
-        reportTime: await getRedisNumber(befly, keys.reportTime),
-        pv: await getRedisNumber(befly, keys.pv),
-        uv: getTongJiNumber(await befly.redis.scard(keys.members))
-    };
-}
-
-// 读取某个周期的单产品统计数据。
-async function getOnlineStatsProductPeriodData(befly, periodType, periodValue, productName) {
-    const keys = getOnlineStatsProductPeriodKeys(periodType, periodValue, productName);
-
-    return {
-        reportTime: await getRedisNumber(befly, keys.reportTime),
-        pv: await getRedisNumber(befly, keys.pv),
-        uv: getTongJiNumber(await befly.redis.scard(keys.members))
-    };
-}
-
-// 清理过期成员后返回全站实时在线人数。
-async function getOnlineStatsTotalOnlineCount(befly) {
-    const now = Date.now();
-
+async function getOnlineStatsTotalOnlineCount(befly, now) {
     await befly.redis.zremrangebyscore(ONLINE_STATS_ACTIVE_KEY, "-inf", now);
     return await befly.redis.zcard(ONLINE_STATS_ACTIVE_KEY);
 }
 
-// 清理过期成员后返回单产品实时在线人数。
-async function getOnlineStatsProductOnlineCount(befly, productName) {
-    const now = Date.now();
-    const productKey = getOnlineStatsActiveProductKey(productName);
+async function getOnlineStatsProductOnlineCount(befly, productCode, now) {
+    const productKey = getOnlineStatsActiveProductKey(productCode);
 
     await befly.redis.zremrangebyscore(productKey, "-inf", now);
     return await befly.redis.zcard(productKey);
 }
 
-// 构造全量统计的按天趋势列表。
-async function buildOnlineStatsDays(befly, recentDateList) {
-    const days = [];
-
-    for (const item of recentDateList) {
-        const dayData = await getOnlineStatsPeriodData(befly, "day", item);
-
-        if (dayData.reportTime <= 0) {
-            continue;
-        }
+async function buildOnlineStatsProducts(befly, projectLists, now) {
+    const products = [];
 
-        days.push({
-            reportDate: item,
-            reportTime: dayData.reportTime,
-            pv: dayData.pv,
-            uv: dayData.uv
+    for (const item of projectLists) {
+        products.push({
+            key: item.productCode,
+            productName: item.productName,
+            productCode: item.productCode,
+            productVersion: item.productVersion || "",
+            onlineCount: await getOnlineStatsProductOnlineCount(befly, item.productCode, now)
         });
     }
 
-    return days;
-}
-
-// 构造单产品统计的按天趋势列表。
-async function buildOnlineStatsProductDays(befly, recentDateList, productName) {
-    const days = [];
-
-    for (const item of recentDateList) {
-        const dayData = await getOnlineStatsProductPeriodData(befly, "day", item, productName);
-
-        if (dayData.reportTime <= 0) {
-            continue;
+    return products.toSorted((a, b) => {
+        if (b.onlineCount !== a.onlineCount) {
+            return b.onlineCount - a.onlineCount;
         }
 
-        days.push({
-            reportDate: item,
-            reportTime: dayData.reportTime,
-            pv: dayData.pv,
-            uv: dayData.uv
-        });
-    }
-
-    return days;
+        return String(a.productName).localeCompare(String(b.productName), "zh-CN");
+    });
 }
 
-// 按配置项目列表构造项目统计，并按近 30 天 PV 排序。
-async function buildOnlineStatsProducts(befly, recentDateList, reportDate, weekStartDate, monthStartDate, projectLists) {
+function buildEmptyOnlineStatsProducts(projectLists) {
     const products = [];
 
     for (const item of projectLists) {
-        const productDays = await buildOnlineStatsProductDays(befly, recentDateList, item.productName);
-        let totalPv = 0;
-
-        for (const productDay of productDays) {
-            totalPv += productDay.pv;
-        }
-
-        const productToday = await getOnlineStatsProductPeriodData(befly, "day", reportDate, item.productName);
-        const productWeek = await getOnlineStatsProductPeriodData(befly, "week", weekStartDate, item.productName);
-        const productMonth = await getOnlineStatsProductPeriodData(befly, "month", monthStartDate, item.productName);
-        const productOnlineCount = await getOnlineStatsProductOnlineCount(befly, item.productName);
-
         products.push({
             key: item.productCode,
             productName: item.productName,
             productCode: item.productCode,
             productVersion: item.productVersion || "",
-            onlineCount: productOnlineCount,
-            today: {
-                pv: productToday.pv,
-                uv: productToday.uv
-            },
-            week: {
-                pv: productWeek.pv,
-                uv: productWeek.uv
-            },
-            month: {
-                pv: productMonth.pv,
-                uv: productMonth.uv
-            },
-            days: productDays,
-            totalPv: totalPv
+            onlineCount: 0
         });
     }
 
-    const sortedProducts = products.toSorted((a, b) => {
-        if (b.totalPv !== a.totalPv) {
-            return b.totalPv - a.totalPv;
-        }
-
-        return String(a.productName).localeCompare(String(b.productName), "zh-CN");
-    });
-
-    for (const item of sortedProducts) {
-        delete item.totalPv;
-    }
-
-    return sortedProducts;
+    return products;
 }
 
 export default {
@@ -180,64 +58,29 @@ export default {
     body: "none",
     auth: true,
     fields: {
-        productName: { name: "产品名称", input: "string", min: 0, max: 100 }
+        productCode: { name: "产品代号", input: "string", min: 0, max: 100 }
     },
     required: [],
-    // 汇总当前查询范围的在线统计，并在未筛选产品时附带配置项目统计。
     handler: async (befly, ctx) => {
         const now = Date.now();
-        const reportDate = getDateYmdNumber(now);
-        const weekStartDate = getTongJiWeekStartDate(now);
-        const monthStartDate = getTongJiMonthStartDate(now);
-        const recentDateList = getTongJiRecentDateList(now, ONLINE_STATS_DAY_LIMIT);
-        const productName = ctx?.body?.productName ?? "";
-        const hasProductFilter = productName.length > 0;
-        const days = hasProductFilter ? await buildOnlineStatsProductDays(befly, recentDateList, productName) : await buildOnlineStatsDays(befly, recentDateList);
-
-        let currentDay;
-        let weekCurrent;
-        let monthCurrent;
-        let onlineCount;
-
-        if (hasProductFilter) {
-            currentDay = await getOnlineStatsProductPeriodData(befly, "day", reportDate, productName);
-            weekCurrent = await getOnlineStatsProductPeriodData(befly, "week", weekStartDate, productName);
-            monthCurrent = await getOnlineStatsProductPeriodData(befly, "month", monthStartDate, productName);
-            onlineCount = await getOnlineStatsProductOnlineCount(befly, productName);
-        } else {
-            currentDay = await getOnlineStatsPeriodData(befly, "day", reportDate);
-            weekCurrent = await getOnlineStatsPeriodData(befly, "week", weekStartDate);
-            monthCurrent = await getOnlineStatsPeriodData(befly, "month", monthStartDate);
-            onlineCount = await getOnlineStatsTotalOnlineCount(befly);
+        const productCode = ctx?.body?.productCode ?? "";
+        const hasProductFilter = productCode.length > 0;
+        const projectLists = hasProductFilter ? [] : befly.config?.projectLists || [];
+
+        if (!befly.redis) {
+            return befly.tool.Yes("获取成功", {
+                queryTime: now,
+                onlineCount: 0,
+                products: buildEmptyOnlineStatsProducts(projectLists)
+            });
         }
 
-        const projectLists = hasProductFilter ? [] : befly.config.projectLists;
-        const products = await buildOnlineStatsProducts(befly, recentDateList, reportDate, weekStartDate, monthStartDate, projectLists);
+        const onlineCount = hasProductFilter ? await getOnlineStatsProductOnlineCount(befly, productCode, now) : await getOnlineStatsTotalOnlineCount(befly, now);
+        const products = await buildOnlineStatsProducts(befly, projectLists, now);
 
         return befly.tool.Yes("获取成功", {
             queryTime: now,
             onlineCount: onlineCount,
-            today: {
-                reportDate: reportDate,
-                reportTime: currentDay.reportTime,
-                pv: currentDay.pv,
-                uv: currentDay.uv
-            },
-            week: {
-                startDate: weekStartDate,
-                endDate: reportDate,
-                reportTime: weekCurrent.reportTime,
-                pv: weekCurrent.pv,
-                uv: weekCurrent.uv
-            },
-            month: {
-                startDate: monthStartDate,
-                endDate: reportDate,
-                reportTime: monthCurrent.reportTime,
-                pv: monthCurrent.pv,
-                uv: monthCurrent.uv
-            },
-            days: days,
             products: products
         });
     }

package/apis/upload/file.js

@@ -14,7 +14,7 @@ export default {
     required: [],
     handler: async (befly, ctx) => {
         try {
-            const maxFileSizeMb = Number(befly.config?.uploadMaxSize || 20);
+            const maxFileSizeMb = Number(befly.config.upload.maxSize);
             const maxFileSize = maxFileSizeMb * 1024 * 1024;
             const requestContentType = ctx.req.headers.get("content-type") || "";
 
@@ -22,6 +22,11 @@ export default {
                 return befly.tool.No("请使用 FormData 上传文件");
             }
 
+            const requestContentLength = Number(ctx.req.headers.get("content-length") || 0);
+            if (Number.isFinite(requestContentLength) && requestContentLength > maxFileSize) {
+                return befly.tool.No(`文件不能超过${maxFileSizeMb}MB`);
+            }
+
             if (!ctx.userId) {
                 return befly.tool.No("用户未登录");
             }
@@ -33,6 +38,22 @@ export default {
                 return befly.tool.No("缺少上传文件");
             }
 
+            const originalFileName = file.name || "未命名文件";
+            const extension = extname(originalFileName).toLowerCase();
+            const mimeType = String(file.type || "").toLowerCase();
+
+            if (!extension) {
+                return befly.tool.No("上传文件缺少扩展名");
+            }
+
+            if (!befly.config.upload.allowedExtensions.split(",").includes(extension)) {
+                return befly.tool.No(`不允许上传 ${extension} 类型文件`);
+            }
+
+            if (!befly.config.upload.allowedMimeTypes.split(",").includes(mimeType)) {
+                return befly.tool.No("不允许上传该文件类型");
+            }
+
             const rawBuffer = await file.arrayBuffer();
 
             if (!rawBuffer || rawBuffer.byteLength <= 0) {
@@ -43,9 +64,6 @@ export default {
                 return befly.tool.No(`文件不能超过${maxFileSizeMb}MB`);
             }
 
-            const originalFileName = file.name || "未命名文件";
-            const extension = extname(originalFileName).toLowerCase();
-            const mimeType = String(file.type || "").toLowerCase();
             const mimeTypeGroup = mimeType.split("/")[0];
             const fileType = ["image", "video", "audio"].includes(mimeTypeGroup) ? mimeTypeGroup : "file";
 
@@ -54,9 +72,9 @@ export default {
             const monthDir = getMonthDir(now, befly.config?.tz);
             const fileKey = Bun.randomUUIDv7();
             const savedFileName = extension ? `${fileKey}${extension}` : fileKey;
-            const uploadDir = join(getAppPublicDir(befly.config?.publicDir || "./public"), categoryDir, monthDir);
+            const uploadDir = join(getAppPublicDir(befly.config.upload.publicDir), categoryDir, monthDir);
             const relativeFilePath = `/public/${categoryDir}/${monthDir}/${savedFileName}`;
-            const absoluteFileUrl = `${befly.config.publicHost}${relativeFilePath}`;
+            const absoluteFileUrl = `${befly.config.upload.publicHost}${relativeFilePath}`;
             const isImage = fileType === "image" ? 1 : 0;
 
             mkdirSync(uploadDir, { recursive: true });

package/checks/api.js

@@ -93,7 +93,18 @@ const apiSchema = z
         fields: fieldsSchema,
         required: z.array(noTrimString)
     })
-    .strict();
+    .strict()
+    .superRefine((value, context) => {
+        if (value.source !== "app") {
+            return;
+        }
+
+        if (value.relativePath.split("/")[0] !== "core") {
+            return;
+        }
+
+        addIssue(context, ["relativePath"], "app API 不能使用 core 作为一级目录，避免占用 /api/core 命名空间");
+    });
 
 const apiListSchema = z.array(apiSchema);
 

package/checks/config.js

@@ -10,6 +10,8 @@ z.config(z.locales.zhCN());
 const boolIntSchema = z.union([z.literal(0), z.literal(1), z.literal(true), z.literal(false)]);
 const noTrimString = z.string().refine(isNoTrimStringAllowEmpty, "不允许首尾空格");
 const beflyModeSchema = z.union([z.literal("manual"), z.literal("auto")]);
+const uploadExtensionListSchema = noTrimString.regex(/^\.[a-z0-9]+(?:,\.[a-z0-9]+)*$/);
+const uploadMimeTypeListSchema = noTrimString.regex(/^[a-z0-9][a-z0-9.+-]*\/[a-z0-9][a-z0-9.+-]*(?:,[a-z0-9][a-z0-9.+-]*\/[a-z0-9][a-z0-9.+-]*)*$/);
 const projectListCodeSchema = z.string().regex(/^[a-z][a-zA-Z0-9]*$/, "必须是小驼峰命名");
 const projectListItemSchema = z
     .object({
@@ -30,7 +32,7 @@ const projectListsSchema = z.array(projectListItemSchema).superRefine((projectLi
 
         if (codeSet.has(code)) {
             ctx.addIssue({
-                code: z.ZodIssueCode.custom,
+                code: "custom",
                 message: `projectLists[${index}].code 重复`,
                 path: [index, "code"]
             });
@@ -41,7 +43,7 @@ const projectListsSchema = z.array(projectListItemSchema).superRefine((projectLi
 
         if (productCodeSet.has(productCode)) {
             ctx.addIssue({
-                code: z.ZodIssueCode.custom,
+                code: "custom",
                 message: `projectLists[${index}].productCode 重复`,
                 path: [index, "productCode"]
             });
@@ -59,13 +61,20 @@ const configSchema = z
         appPort: z.int().min(1).max(65535),
         appHost: noTrimString,
         apiHost: noTrimString,
-        publicHost: noTrimString,
         devEmail: z.union([z.literal(""), z.email()]),
         devPassword: z.string().min(6),
         bodyLimit: z.int().min(1),
-        uploadMaxSize: z.int().min(1),
+        upload: z
+            .object({
+                maxSize: z.int().min(1),
+                publicDir: noTrimString.min(1),
+                publicHost: noTrimString,
+                allowedExtensions: uploadExtensionListSchema,
+                allowedMimeTypes: uploadMimeTypeListSchema,
+                forceDownloadExtensions: z.union([z.literal(""), uploadExtensionListSchema])
+            })
+            .strict(),
         tz: z.string().refine((value) => isValidTimeZone(value), "无效的时区"),
-        publicDir: noTrimString.min(1),
         excludeApisLog: z.array(noTrimString),
 
         logger: z
@@ -128,7 +137,18 @@ const configSchema = z
                 maxAge: z.int().min(0),
                 credentials: z.union([z.literal("true"), z.literal("false"), z.literal(true), z.literal(false)])
             })
-            .strict(),
+            .strict()
+            .superRefine((cors, ctx) => {
+                if (cors.origin !== "*" || (cors.credentials !== true && cors.credentials !== "true")) {
+                    return;
+                }
+
+                ctx.addIssue({
+                    code: "custom",
+                    message: "cors.credentials 为 true 时 cors.origin 不能为 *",
+                    path: ["credentials"]
+                });
+            }),
 
         rateLimit: z
             .object({

package/checks/menu.js

@@ -36,7 +36,7 @@ const menuListSchema = z.array(menuSchema).superRefine((menuList, refineCtx) =>
             const childFullPath = `${menu.path}${child.path}`;
             if (!fullMenuPathRegex.test(childFullPath)) {
                 refineCtx.addIssue({
-                    code: z.ZodIssueCode.custom,
+                    code: "custom",
                     message: "菜单完整路径必须是 /core/xxx 或无前缀路径",
                     path: [menuIndex, "children", childIndex, "path"]
                 });

package/configs/beflyConfig.json

@@ -6,11 +6,16 @@
     "devEmail": "dev@qq.com",
     "devPassword": "111111",
     "bodyLimit": 1048576,
-    "uploadMaxSize": 20,
+    "upload": {
+        "maxSize": 20,
+        "publicDir": "./public",
+        "publicHost": "http://127.0.0.1:3000",
+        "allowedExtensions": ".jpg,.jpeg,.png,.gif,.webp,.bmp,.mp4,.webm,.mp3,.wav,.pdf,.txt,.doc,.docx,.xls,.xlsx,.ppt,.pptx,.zip",
+        "allowedMimeTypes": "image/jpeg,image/png,image/gif,image/webp,image/bmp,video/mp4,video/webm,audio/mpeg,audio/wav,audio/x-wav,application/pdf,text/plain,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.ms-powerpoint,application/vnd.openxmlformats-officedocument.presentationml.presentation,application/zip,application/x-zip-compressed",
+        "forceDownloadExtensions": ".html,.htm,.js,.mjs,.css,.svg,.xml,.xhtml,.wasm,.json,.map"
+    },
     "tz": "Asia/Shanghai",
     "apiHost": "http://127.0.0.1",
-    "publicDir": "./public",
-    "publicHost": "http://127.0.0.1:3000",
     "excludeApisLog": ["/api/core/tongJi/*Report"],
     "logger": {
         "debug": 1,
@@ -58,7 +63,7 @@
         "allowedHeaders": "Content-Type,Authorization",
         "exposedHeaders": "",
         "maxAge": 86400,
-        "credentials": "true"
+        "credentials": "false"
     },
 
     "rateLimit": {
@@ -71,10 +76,10 @@
     },
     "projectLists": [
         {
-            "code": "beflyCore",
+            "code": "beflyAdmin",
             "name": "后台管理",
             "productName": "后台管理",
-            "productCode": "beflyCore",
+            "productCode": "beflyAdmin",
             "productVersion": "1.0.0"
         }
     ]

package/index.js

@@ -214,7 +214,7 @@ export class Befly {
 
             // 启动 HTTP服务器
             const apiFetch = apiHandler(this.apis, this.hooks, this.context);
-            const staticFetch = staticHandler(this.context.config.cors, this.context.config.publicDir);
+            const staticFetch = staticHandler(this.context.config.cors, this.context.config.upload);
 
             const server = Bun.serve({
                 port: this.context.config.appPort || 3000,

package/lib/dbHelper.js

@@ -154,6 +154,42 @@ function assertWriteDataHasFields(data, message, table) {
     });
 }
 
+function getTableFieldNames(tableInfo) {
+    return Object.keys(tableInfo)
+        .map((fieldName) => snakeCase(fieldName))
+        .toSorted();
+}
+
+function assertWriteFieldNamesDefined(tableInfo, fieldNames, table, label) {
+    const allowedFields = getTableFieldNames(tableInfo);
+    const allowedFieldSet = new Set(allowedFields);
+    const invalidFields = [];
+
+    for (const fieldName of fieldNames) {
+        const snakeFieldName = snakeCase(fieldName);
+
+        if (!allowedFieldSet.has(snakeFieldName)) {
+            invalidFields.push(snakeFieldName);
+        }
+    }
+
+    if (invalidFields.length < 1) {
+        return;
+    }
+
+    throw new Error(`${label} 包含表 ${table} 未定义字段: ${invalidFields.join(", ")}`, {
+        cause: null,
+        code: "validation",
+        table: table,
+        invalidFields: invalidFields,
+        allowedFields: allowedFields
+    });
+}
+
+function assertWriteFieldsDefined(tableInfo, data, table, label) {
+    assertWriteFieldNamesDefined(tableInfo, Object.keys(data), table, label);
+}
+
 function assertNoUndefinedInRecord(row, label) {
     for (const [key, value] of Object.entries(row)) {
         if (value === undefined) {
@@ -744,6 +780,7 @@ class DbHelper {
     async insData(options) {
         const parsed = this.createDbParse().parseInsert(options);
         const { table, snakeTable, data } = parsed;
+        const tableInfo = this.getTableDef(table);
         const inputData = this.prepareWriteInputData(data);
         assertWriteDataHasFields(inputData, "插入数据必须至少有一个字段", snakeTable);
         const now = Date.now();
@@ -751,6 +788,7 @@ class DbHelper {
         const processed = insertRows.processedList[0];
 
         assertWriteDataHasFields(processed, "插入数据必须至少有一个字段", snakeTable);
+        assertWriteFieldsDefined(tableInfo, processed, table, "insData.data");
 
         assertNoUndefinedInRecord(processed, `insData 插入数据 (table: ${snakeTable})`);
 
@@ -779,11 +817,13 @@ class DbHelper {
         assertInsertBatchSize(dataList.length, MAX_BATCH_SIZE);
 
         const snakeTable = parsed.snakeTable;
+        const tableInfo = this.getTableDef(table);
         const now = Date.now();
         const insertRows = await this.createInsertRows(table, snakeTable, dataList, now);
         const processedList = insertRows.processedList;
 
         const insertFields = assertBatchInsertRowsConsistent(processedList, { table: snakeTable });
+        assertWriteFieldNamesDefined(tableInfo, insertFields, table, "insBatch.dataList");
         const builder = this.createSqlBuilder();
         const { sql, params } = builder.toInsertSql(snakeTable, processedList);
 
@@ -851,6 +891,7 @@ class DbHelper {
         }
 
         const snakeTable = parsed.snakeTable;
+        const tableInfo = this.getTableDef(table);
         const now = Date.now();
 
         const processedList = [];
@@ -873,6 +914,11 @@ class DbHelper {
                 sql: { sql: "", params: [], duration: 0 }
             };
         }
+        const writeFields = fields.slice();
+        if (this.beflyMode === "auto") {
+            writeFields.push("updated_at");
+        }
+        assertWriteFieldNamesDefined(tableInfo, writeFields, table, "updBatch.dataList");
 
         const query = SqlBuilder.toUpdateCaseByIdSql({
             table: snakeTable,
@@ -896,6 +942,7 @@ class DbHelper {
 
     async updData(options) {
         const parsed = this.createDbParse().parseUpdate(options);
+        const tableInfo = this.getTableDef(parsed.table);
         const inputData = this.prepareWriteInputData(parsed.data);
         assertWriteDataHasFields(inputData, "更新数据必须至少有一个字段", parsed.snakeTable);
 
@@ -906,6 +953,7 @@ class DbHelper {
             beflyMode: this.beflyMode
         });
         assertWriteDataHasFields(processed, "更新数据必须至少有一个字段", parsed.snakeTable);
+        assertWriteFieldsDefined(tableInfo, processed, parsed.table, "updData.data");
         const builder = this.createSqlBuilder().where(parsed.where);
         const { sql, params } = builder.toUpdateSql(parsed.snakeTable, processed);
 
@@ -919,6 +967,7 @@ class DbHelper {
 
     async delData(options) {
         const parsed = this.createDbParse().parseDelete(options, false);
+        const tableInfo = this.getTableDef(parsed.table);
         let processed;
 
         if (parsed.deleteMode === "manual") {
@@ -932,6 +981,7 @@ class DbHelper {
                 updated_at: now
             };
         }
+        assertWriteFieldsDefined(tableInfo, processed, parsed.table, "delData.data");
 
         const builder = this.createSqlBuilder().where(parsed.where);
         const { sql, params } = builder.toUpdateSql(parsed.snakeTable, processed);
@@ -960,6 +1010,8 @@ class DbHelper {
 
     async increment(table, field, where, value = 1) {
         const parsed = this.createDbParse().parseIncrement(table, field, where, value, "increment");
+        const tableInfo = this.getTableDef(table);
+        assertWriteFieldNamesDefined(tableInfo, [parsed.snakeField], table, "increment.field");
 
         const builder = this.createSqlBuilder().where(parsed.where);
         const { sql: whereClause, params: whereParams } = builder.getWhereConditions();

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "befly",
-    "version": "3.35.0",
+    "version": "3.37.0",
     "gitHead": "49c39d36695036e85fc64083cc43c1652fff96cb",
     "private": false,
     "description": "Befly - 为 Bun 专属打造的 JavaScript API 接口框架核心引擎",

package/paths.js

@@ -113,7 +113,7 @@ export const appTableDir = join(appDir, "tables");
 
 /**
  * 项目上传/公共文件目录
- * @description 默认 {appDir}/public，可通过 config.publicDir 覆盖
+ * @description 默认 {appDir}/public，可通过 config.upload.publicDir 覆盖
  * @usage 用于本地上传文件保存目录解析，不承担 HTTP 静态托管职责
  */
 export function getAppPublicDir(publicDir = "./public") {