chadstart 1.0.0 → 1.0.2

package/.devcontainer/devcontainer.json

@@ -0,0 +1,34 @@
+{
+  "name": "chadstart",
+  "image": "mcr.microsoft.com/devcontainers/javascript-node:24-trixie",
+  "features": {},
+  "onCreateCommand": "sudo apt-get update && sudo apt-get install -y python3 make g++ curl wget && npm ci",
+  "postCreateCommand": "cp -n .env.example .env || true",
+  "forwardPorts": [3000],
+  "portsAttributes": {
+    "3000": {
+      "label": "chadstart API",
+      "onAutoForward": "notify"
+    }
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "redhat.vscode-yaml",
+        "humao.rest-client",
+        "rangav.vscode-thunder-client",
+        "pkief.material-icon-theme"
+      ],
+      "settings": {
+        "editor.formatOnSave": true,
+        "editor.defaultFormatter": "esbenp.prettier-vscode",
+        "files.eol": "\n"
+      }
+    }
+  },
+  "remoteEnv": {
+    "NODE_ENV": "development"
+  }
+}

package/.env.example

@@ -14,7 +14,16 @@ TOKEN_SECRET_KEY=replace-with-a-long-random-secret
 # CHADSTART_FUNCTIONS_FOLDER=functions
 
 # Database (SQLite default)
-# DB_PATH=data/chadstart.db
+# DB_ENGINE=sqlite           # sqlite (default), postgres, or mysql
+# DB_PATH=/data/chadstart.db # SQLite: path to database file
+
+# PostgreSQL / MySQL / MariaDB (set DB_ENGINE=postgres or mysql to activate)
+# DB_HOST=localhost
+# DB_PORT=5432               # 5432 for PostgreSQL, 3306 for MySQL/MariaDB
+# DB_USERNAME=postgres
+# DB_PASSWORD=postgres
+# DB_DATABASE=manifest
+# DB_SSL=false               # Set to true for remote managed databases
 
 # Optional: S3-compatible storage (when set, files are stored in S3 instead of the local filesystem)
 # S3_BUCKET=my-bucket-name
@@ -44,3 +53,23 @@ TOKEN_SECRET_KEY=replace-with-a-long-random-secret
 # 💡 Bugsink (https://www.bugsink.com) is a self-hosted alternative to Sentry
 #    that uses the same Sentry SDK — just point SENTRY_DSN at your Bugsink instance.
 # SENTRY_DSN=https://xxxxx@oXXXXX.ingest.sentry.io/XXXXXXX
+
+# Optional: OAuth / Social Login (powered by grant)
+# For each provider, set OAUTH_<PROVIDER>_KEY and OAUTH_<PROVIDER>_SECRET.
+# Provider names must be uppercase (e.g. GOOGLE, GITHUB, FACEBOOK).
+# See docs/oauth.md for the full list of 200+ supported providers.
+#
+# OAUTH_GOOGLE_KEY=your-google-client-id
+# OAUTH_GOOGLE_SECRET=your-google-client-secret
+# OAUTH_GITHUB_KEY=your-github-client-id
+# OAUTH_GITHUB_SECRET=your-github-client-secret
+# OAUTH_FACEBOOK_KEY=your-facebook-app-id
+# OAUTH_FACEBOOK_SECRET=your-facebook-app-secret
+# OAUTH_DISCORD_KEY=your-discord-client-id
+# OAUTH_DISCORD_SECRET=your-discord-client-secret
+# OAUTH_APPLE_KEY=your-apple-client-id
+# OAUTH_APPLE_SECRET=your-apple-client-secret
+# OAUTH_MICROSOFT_KEY=your-microsoft-client-id
+# OAUTH_MICROSOFT_SECRET=your-microsoft-client-secret
+# OAUTH_TWITTER_KEY=your-twitter-api-key
+# OAUTH_TWITTER_SECRET=your-twitter-api-secret

package/.github/workflows/db-integration.yml

@@ -0,0 +1,139 @@
+name: DB Integration Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  # ── PostgreSQL ──────────────────────────────────────────────────────────────
+  test-postgres:
+    name: Integration – PostgreSQL
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: chadstart_test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run integration tests
+        run: npm run test:integration
+        env:
+          DB_ENGINE: postgres
+          DB_HOST: localhost
+          DB_PORT: 5432
+          DB_USERNAME: postgres
+          DB_PASSWORD: postgres
+          DB_DATABASE: chadstart_test
+
+  # ── MySQL ───────────────────────────────────────────────────────────────────
+  test-mysql:
+    name: Integration – MySQL
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    services:
+      mysql:
+        image: mysql:8
+        env:
+          MYSQL_ROOT_PASSWORD: root
+          MYSQL_DATABASE: chadstart_test
+        ports:
+          - 3306:3306
+        options: >-
+          --health-cmd "mysqladmin ping -h localhost -u root -proot"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run integration tests
+        run: npm run test:integration
+        env:
+          DB_ENGINE: mysql
+          DB_HOST: 127.0.0.1
+          DB_PORT: 3306
+          DB_USERNAME: root
+          DB_PASSWORD: root
+          DB_DATABASE: chadstart_test
+
+  # ── MariaDB ─────────────────────────────────────────────────────────────────
+  test-mariadb:
+    name: Integration – MariaDB
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    services:
+      mariadb:
+        image: mariadb:11
+        env:
+          MARIADB_ROOT_PASSWORD: root
+          MARIADB_DATABASE: chadstart_test
+        ports:
+          - 3306:3306
+        options: >-
+          --health-cmd "healthcheck.sh --connect --innodb_initialized"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run integration tests
+        run: npm run test:integration
+        env:
+          DB_ENGINE: mysql
+          DB_HOST: 127.0.0.1
+          DB_PORT: 3306
+          DB_USERNAME: root
+          DB_PASSWORD: root
+          DB_DATABASE: chadstart_test

package/.github/workflows/npm-chadstart.yml

@@ -9,7 +9,7 @@ jobs:
     name: NPM Publish
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       id-token: write  # required for npm provenance
     steps:
       - name: Checkout repository
@@ -21,6 +21,17 @@ jobs:
           node-version: '24'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Bump patch version
+        run: npm version patch --message "v%s [skip ci]"
+
+      - name: Push version bump
+        run: git push --follow-tags
+
       - name: Publish to npm
         run: npm publish --access public --provenance
         env:

package/.github/workflows/npm-sdk.yml

@@ -14,7 +14,7 @@ jobs:
       run:
         working-directory: sdk
     permissions:
-      contents: read
+      contents: write
       id-token: write  # required for npm provenance
     steps:
       - name: Checkout repository
@@ -32,6 +32,17 @@ jobs:
       - name: Run SDK tests
         run: node test/sdk.test.cjs
 
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Bump patch version
+        run: npm version patch --message "v%s [skip ci]"
+
+      - name: Push version bump
+        run: git push --follow-tags
+
       - name: Publish to npm
         run: npm publish --access public --provenance
         env:

package/chadstart.example.yml

@@ -414,3 +414,55 @@ sentry:
   environment: production     # Label sent to Sentry. Defaults to NODE_ENV.
   tracesSampleRate: 1.0       # Fraction of transactions to sample (0.0–1.0)
   debug: false                # Enable Sentry SDK debug logging
+
+# ── OAuth / Social Login ─────────────────────────────────────────────────────
+# Powered by the "grant" library — supports 200+ OAuth providers.
+# Secrets (client keys / secrets) MUST be set via environment variables:
+#   OAUTH_<PROVIDER>_KEY    — client / app ID
+#   OAUTH_<PROVIDER>_SECRET — client / app secret
+# See docs/oauth.md for the full provider list and setup guides.
+
+oauth:
+  # Which authenticable entity to create/find users in (default: first authenticable entity).
+  entity: User
+
+  # Where to redirect after successful login. The JWT token is appended as ?token=...
+  # If omitted, the callback returns JSON instead.
+  successRedirect: /login?success=true
+
+  # Where to redirect on error. The error message is appended as ?error=...
+  errorRedirect: /login?error=true
+
+  # Default settings applied to all providers.
+  defaults:
+    transport: querystring
+
+  # Configure each provider you want to support.
+  # The provider names must match grant's provider names (lowercase).
+  # Full list: https://github.com/simov/grant#200-supported-providers
+  providers:
+    google:
+      scope:
+        - openid
+        - email
+        - profile
+      custom_params:
+        access_type: offline
+      # key and secret via: OAUTH_GOOGLE_KEY, OAUTH_GOOGLE_SECRET
+
+    github:
+      scope:
+        - user:email
+      # key and secret via: OAUTH_GITHUB_KEY, OAUTH_GITHUB_SECRET
+
+    # facebook:
+    #   scope:
+    #     - email
+    #     - public_profile
+    #   key and secret via: OAUTH_FACEBOOK_KEY, OAUTH_FACEBOOK_SECRET
+
+    # discord:
+    #   scope:
+    #     - identify
+    #     - email
+    #   key and secret via: OAUTH_DISCORD_KEY, OAUTH_DISCORD_SECRET

package/chadstart.schema.json

@@ -124,6 +124,43 @@
           "description": "Enable Sentry SDK debug logging."
         }
       }
+    },
+    "oauth": {
+      "type": "object",
+      "description": "OAuth / social login configuration powered by the grant library. Secrets (client keys and secrets) must be supplied via OAUTH_<PROVIDER>_KEY and OAUTH_<PROVIDER>_SECRET environment variables.",
+      "additionalProperties": false,
+      "properties": {
+        "entity": {
+          "type": "string",
+          "description": "Name of the authenticable entity to use for OAuth users (e.g. 'User'). Defaults to the first authenticable entity."
+        },
+        "successRedirect": {
+          "type": "string",
+          "description": "URL to redirect to after successful OAuth login. The JWT token is appended as a ?token= query parameter. If omitted, returns JSON."
+        },
+        "errorRedirect": {
+          "type": "string",
+          "description": "URL to redirect to on OAuth error. The error message is appended as an ?error= query parameter. If omitted, returns JSON error."
+        },
+        "defaults": {
+          "type": "object",
+          "description": "Default settings applied to all providers (e.g. transport, scope).",
+          "properties": {
+            "transport": {
+              "type": "string",
+              "enum": ["querystring", "session"],
+              "default": "querystring"
+            }
+          }
+        },
+        "providers": {
+          "type": "object",
+          "description": "Map of OAuth provider names to their configuration. Provider names must match grant's supported provider list (e.g. google, github, facebook). See https://www.npmjs.com/package/grant for all 200+ supported providers.",
+          "additionalProperties": {
+            "$ref": "#/$defs/oauthProvider"
+          }
+        }
+      }
     }
   },
   "$defs": {
@@ -362,6 +399,31 @@
         "limit": { "type": "integer", "description": "Maximum number of requests allowed in the time window." },
         "ttl":   { "type": "integer", "description": "Time window in milliseconds." }
       }
+    },
+    "oauthProvider": {
+      "type": "object",
+      "description": "Configuration for a single OAuth provider. The key and secret should be set via OAUTH_<PROVIDER>_KEY and OAUTH_<PROVIDER>_SECRET environment variables.",
+      "properties": {
+        "key":            { "type": "string", "description": "OAuth client/app ID. Prefer using OAUTH_<PROVIDER>_KEY env var instead." },
+        "secret":         { "type": "string", "description": "OAuth client/app secret. Prefer using OAUTH_<PROVIDER>_SECRET env var instead." },
+        "scope":          {
+          "oneOf": [
+            { "type": "string" },
+            { "type": "array", "items": { "type": "string" } }
+          ],
+          "description": "OAuth scopes to request (e.g. 'openid email profile')."
+        },
+        "callback":       { "type": "string", "description": "Custom callback URL path. Defaults to /api/auth/oauth/callback." },
+        "custom_params":  { "type": "object", "description": "Extra query parameters to send to the authorization URL." },
+        "subdomain":      { "type": "string", "description": "Subdomain for providers that require one (e.g. Shopify)." },
+        "nonce":          { "type": "boolean", "description": "Enable nonce generation (required by some OIDC providers)." },
+        "pkce":           { "type": "boolean", "description": "Enable PKCE (Proof Key for Code Exchange) for enhanced security." },
+        "response":       {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Data to include in the callback (e.g. ['tokens', 'profile'])."
+        }
+      }
     }
   }
 }

package/core/api-generator.js

@@ -38,17 +38,17 @@ function createBackendSdk(core) {
       if (!entity) throw new Error(`Single entity not found for slug: ${slug}`);
       const table = entity.tableName;
       return {
-        get() {
-          const rows = db.findAllSimple(table);
+        async get() {
+          const rows = await db.findAllSimple(table);
           return rows[0] || null;
         },
-        update(data) {
-          const rows = db.findAllSimple(table);
+        async update(data) {
+          const rows = await db.findAllSimple(table);
           if (!rows[0]) return null;
           return db.update(table, rows[0].id, data);
         },
-        patch(data) {
-          const rows = db.findAllSimple(table);
+        async patch(data) {
+          const rows = await db.findAllSimple(table);
           if (!rows[0]) return null;
           return db.update(table, rows[0].id, data);
         },
@@ -82,9 +82,9 @@ function registerApiRoutes(app, core, emit) {
       };
 
       // GET single
-      router.get(base, mw.read, (_req, res) => {
+      router.get(base, mw.read, async (_req, res) => {
         try {
-          const rows = db.findAllSimple(table);
+          const rows = await db.findAllSimple(table);
           const row = rows[0];
           if (!row) return res.status(404).json({ error: 'Not found' });
           res.json(hide(row));
@@ -94,7 +94,7 @@ function registerApiRoutes(app, core, emit) {
       // PUT single (full replace)
       router.put(base, mw.update, async (req, res) => {
         try {
-          const rows = db.findAllSimple(table);
+          const rows = await db.findAllSimple(table);
           const row = rows[0];
           if (!row) return res.status(404).json({ error: 'Not found' });
           if (!await runMiddlewares('beforeUpdate', entity, req, res, sdk)) return;
@@ -102,7 +102,7 @@ function registerApiRoutes(app, core, emit) {
           if (v.errors) return res.status(400).json(v.errors);
           fireWebhooks(entity, 'beforeUpdate', req.body);
           const sanitized = sanitizeBody(req.body, entity, true);
-          const updated = db.update(table, row.id, sanitized);
+          const updated = await db.update(table, row.id, sanitized);
           fireWebhooks(entity, 'afterUpdate', updated);
           await runMiddlewares('afterUpdate', entity, req, res, sdk);
           emit(`${entity.name}.updated`, hide(updated));
@@ -113,14 +113,14 @@ function registerApiRoutes(app, core, emit) {
       // PATCH single (partial)
       router.patch(base, mw.update, async (req, res) => {
         try {
-          const rows = db.findAllSimple(table);
+          const rows = await db.findAllSimple(table);
           const row = rows[0];
           if (!row) return res.status(404).json({ error: 'Not found' });
           if (!await runMiddlewares('beforeUpdate', entity, req, res, sdk)) return;
           const v = validateBody(req.body, entity, core.groups, { partial: true });
           if (v.errors) return res.status(400).json(v.errors);
           fireWebhooks(entity, 'beforeUpdate', req.body);
-          const updated = db.update(table, row.id, sanitizeBody(req.body, entity));
+          const updated = await db.update(table, row.id, sanitizeBody(req.body, entity));
           fireWebhooks(entity, 'afterUpdate', updated);
           await runMiddlewares('afterUpdate', entity, req, res, sdk);
           emit(`${entity.name}.updated`, hide(updated));
@@ -140,37 +140,37 @@ function registerApiRoutes(app, core, emit) {
       };
 
       // GET list (paginated)
-      router.get(base, mw.read, (req, res) => {
+      router.get(base, mw.read, async (req, res) => {
         try {
           // Ownership filter: condition: self forces a FK filter on the current user
           const query = req._selfFilter
             ? { ...req.query, [req._selfFilter.fk]: req._selfFilter.userId }
             : req.query;
-          const result = db.findAll(table, query, {
+          const result = await db.findAll(table, query, {
             page: req.query.page,
             perPage: req.query.perPage,
             orderBy: req.query.orderBy,
             order: req.query.order,
           });
           const relations = req.query.relations;
-          result.data = result.data.map((row) => {
-            if (relations) db.loadRelations(row, entity, relations);
-            return hide(row);
-          });
+          for (const row of result.data) {
+            if (relations) await db.loadRelations(row, entity, relations);
+          }
+          result.data = result.data.map((row) => hide(row));
           res.json(result);
         } catch (e) { res.status(500).json({ error: e.message }); }
       });
 
       // GET single by id
-      router.get(`${base}/:id`, mw.read, (req, res) => {
+      router.get(`${base}/:id`, mw.read, async (req, res) => {
         try {
-          const row = db.findById(table, req.params.id);
+          const row = await db.findById(table, req.params.id);
           if (!row) return res.status(404).json({ error: 'Not found' });
           // Ownership check for read with condition: self
           if (req._selfFilter && row[req._selfFilter.fk] !== req._selfFilter.userId) {
             return res.status(403).json({ error: 'Access denied' });
           }
-          if (req.query.relations) db.loadRelations(row, entity, req.query.relations);
+          if (req.query.relations) await db.loadRelations(row, entity, req.query.relations);
           res.json(hide(row));
         } catch (e) { res.status(500).json({ error: e.message }); }
       });
@@ -183,8 +183,8 @@ function registerApiRoutes(app, core, emit) {
           const v = validateBody(body, entity, core.groups);
           if (v.errors) return res.status(400).json(v.errors);
           fireWebhooks(entity, 'beforeCreate', body);
-          const row = db.create(table, sanitizeBody(body, entity));
-          db.saveBelongsToMany(entity, row.id, req.body);
+          const row = await db.create(table, sanitizeBody(body, entity));
+          await db.saveBelongsToMany(entity, row.id, req.body);
           fireWebhooks(entity, 'afterCreate', row);
           await runMiddlewares('afterCreate', entity, req, res, sdk);
           emit(`${entity.name}.created`, hide(row));
@@ -195,14 +195,14 @@ function registerApiRoutes(app, core, emit) {
       // PUT full replace
       router.put(`${base}/:id`, mw.update, async (req, res) => {
         try {
-          if (!db.findById(table, req.params.id)) return res.status(404).json({ error: 'Not found' });
+          if (!await db.findById(table, req.params.id)) return res.status(404).json({ error: 'Not found' });
           if (!await runMiddlewares('beforeUpdate', entity, req, res, sdk)) return;
           const v = validateBody(req.body, entity, core.groups);
           if (v.errors) return res.status(400).json(v.errors);
           fireWebhooks(entity, 'beforeUpdate', req.body);
           const sanitized = sanitizeBody(req.body, entity, true);
-          const row = db.update(table, req.params.id, sanitized);
-          db.saveBelongsToMany(entity, row.id, req.body);
+          const row = await db.update(table, req.params.id, sanitized);
+          await db.saveBelongsToMany(entity, row.id, req.body);
           fireWebhooks(entity, 'afterUpdate', row);
           await runMiddlewares('afterUpdate', entity, req, res, sdk);
           emit(`${entity.name}.updated`, hide(row));
@@ -213,13 +213,13 @@ function registerApiRoutes(app, core, emit) {
       // PATCH partial update
       router.patch(`${base}/:id`, mw.update, async (req, res) => {
         try {
-          if (!db.findById(table, req.params.id)) return res.status(404).json({ error: 'Not found' });
+          if (!await db.findById(table, req.params.id)) return res.status(404).json({ error: 'Not found' });
           if (!await runMiddlewares('beforeUpdate', entity, req, res, sdk)) return;
           const v = validateBody(req.body, entity, core.groups, { partial: true });
           if (v.errors) return res.status(400).json(v.errors);
           fireWebhooks(entity, 'beforeUpdate', req.body);
-          const row = db.update(table, req.params.id, sanitizeBody(req.body, entity));
-          db.saveBelongsToMany(entity, row.id, req.body);
+          const row = await db.update(table, req.params.id, sanitizeBody(req.body, entity));
+          await db.saveBelongsToMany(entity, row.id, req.body);
           fireWebhooks(entity, 'afterUpdate', row);
           await runMiddlewares('afterUpdate', entity, req, res, sdk);
           emit(`${entity.name}.updated`, hide(row));
@@ -230,11 +230,11 @@ function registerApiRoutes(app, core, emit) {
       // DELETE
       router.delete(`${base}/:id`, mw.delete, async (req, res) => {
         try {
-          const existing = db.findById(table, req.params.id);
+          const existing = await db.findById(table, req.params.id);
           if (!existing) return res.status(404).json({ error: 'Not found' });
           if (!await runMiddlewares('beforeDelete', entity, req, res, sdk)) return;
           fireWebhooks(entity, 'beforeDelete', existing);
-          const row = db.remove(table, req.params.id);
+          const row = await db.remove(table, req.params.id);
           fireWebhooks(entity, 'afterDelete', row);
           await runMiddlewares('afterDelete', entity, req, res, sdk);
           emit(`${entity.name}.deleted`, hide(row));
@@ -267,8 +267,8 @@ function policyMiddleware(rule, entity, core) {
         break;
       }
       const allowed = Array.isArray(p.allow) ? p.allow : [p.allow];
-      middlewares = [(req, res, next) => {
-        const { user, apiKeyPermissions, error } = resolveAuthHeader(req.headers.authorization);
+      middlewares = [async (req, res, next) => {
+        const { user, apiKeyPermissions, error } = await resolveAuthHeader(req.headers.authorization);
         if (!user) return res.status(401).json({ error: 'Authorization required' });
         if (error === 'invalid_token') return res.status(401).json({ error: 'Invalid or expired token' });
         if (!allowed.includes(user.entity)) return res.status(403).json({ error: 'Access denied' });
@@ -277,7 +277,7 @@ function policyMiddleware(rule, entity, core) {
         try {
           // Ownership-based access: condition: self
           if (p.condition === 'self') {
-            enforceSelfCondition(rule, entity, req, core);
+            await enforceSelfCondition(rule, entity, req, core);
           }
           next();
         } catch (e) {
@@ -328,7 +328,7 @@ function _apiKeyPermGuard(operation, entity) {
  * - update: ensure the record belongs to the user, disallow ownership change
  * - delete: ensure the record belongs to the user
  */
-function enforceSelfCondition(rule, entity, req, core) {
+async function enforceSelfCondition(rule, entity, req, core) {
   const userId = req.user.id;
   const userEntity = req.user.entity;
 
@@ -351,7 +351,7 @@ function enforceSelfCondition(rule, entity, req, core) {
   } else if (rule === 'update' || rule === 'delete') {
     // Verify the record belongs to the user
     if (req.params && req.params.id) {
-      const row = db.findById(entity.tableName, req.params.id);
+      const row = await db.findById(entity.tableName, req.params.id);
       if (row && row[fk] !== userId) {
         const err = new Error('Access denied: record does not belong to you');
         err.status = 403;