db-model-router 1.0.7 → 1.0.9

package/src/cli/init/generators.js

@@ -172,6 +172,7 @@ function buildEnvContent(answers, mode, secrets) {
   lines.push("API_BASE_PATH=/api");
   lines.push("");
   lines.push("# Database");
+  lines.push(`DB_TYPE=${answers.database}`);
 
   const vars = DB_ENV_MAP[answers.database] || [];
   for (const v of vars) {
@@ -358,83 +359,6 @@ app.use(session({
 }));`;
 }
 
-/**
- * Generate the app.js file content.
- * @param {import('./types').InitAnswers} answers
- * @returns {string}
- */
-function generateAppJs(answers) {
-  const frameworkPkg =
-    answers.framework === "ultimate-express" ? "ultimate-express" : "express";
-
-  // Imports
-  let imports = `import express from "${frameworkPkg}";
-import { init, db } from "db-model-router";
-import session from "express-session";`;
-
-  if (answers.session === "redis") {
-    imports += `\nimport RedisStore from "connect-redis";
-import { Redis } from "ioredis";`;
-  }
-  if (answers.rateLimiting) {
-    imports += `\nimport rateLimit from "express-rate-limit";`;
-  }
-  if (answers.helmet) {
-    imports += `\nimport helmet from "helmet";`;
-  }
-  imports += `\nimport logger from "./middleware/logger.js";`;
-
-  // Rate limiting block
-  const rateLimitBlock = answers.rateLimiting
-    ? `app.use(rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 100,
-  standardHeaders: true,
-  legacyHeaders: false,
-}));`
-    : "";
-
-  const helmetBlock = answers.helmet ? `app.use(helmet());` : "";
-
-  return `${imports}
-import "dotenv/config";
-
-// Initialize database adapter
-init("${answers.database}");
-${dbConnectBlock(answers.database)}
-
-const app = express();
-const PORT = process.env.PORT || 3000;
-
-// Middleware
-app.use(express.json());
-app.use(express.urlencoded({ extended: true }));
-${helmetBlock ? helmetBlock + "\n" : ""}${rateLimitBlock ? rateLimitBlock + "\n" : ""}${sessionBlock(answers)}
-app.use(logger);
-
-// Routes
-import routes from "#routes/index.js";
-app.use(process.env.API_BASE_PATH || "/api", routes);
-
-// Health check
-app.get("/health", (req, res) => {
-  res.json({ status: "ok", timestamp: new Date().toISOString() });
-});
-
-// Error handler
-app.use((err, req, res, next) => {
-  console.error(err.stack);
-  res.status(500).json({ type: "danger", message: "Internal Server Error" });
-});
-
-app.listen(PORT, () => {
-  console.log(\`Server running on port \${PORT}\`);
-});
-
-export default app;
-`;
-}
-
 // ---------------------------------------------------------------------------
 // Logger middleware generator
 // ---------------------------------------------------------------------------
@@ -1720,7 +1644,7 @@ export default db;
  * @param {string} [outputDir] - relative output directory for source files (e.g. "backend")
  * @returns {string}
  */
-function generateAppJsV2(answers, outputDir) {
+function generateAppJs(answers, outputDir) {
   const frameworkPkg =
     answers.framework === "ultimate-express" ? "ultimate-express" : "express";
 
@@ -1735,7 +1659,7 @@ import "${commonsPrefix}/db.js";
 import configureSession from "${commonsPrefix}/session.js";
 import applySecurity from "${commonsPrefix}/security.js";
 import logger from "${middlewarePrefix}/logger.js";
-import route from "${routePrefix}/index.js";
+import routes from "${routePrefix}/index.js";
 import { fileURLToPath } from 'node:url';
 import path from "path";
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -1756,7 +1680,7 @@ app.use(configureSession());
 app.use(logger);
 
 // Routes
-app.use(route);
+app.use(process.env.API_BASE_PATH || "/api", routes);
 
 // Error handler
 app.use((err, req, res, next) => {
@@ -1777,7 +1701,6 @@ module.exports = {
   isSql,
   randomPassword,
   generateAppJs,
-  generateAppJsV2,
   generateEnvFile,
   generateEnvExample,
   generateLoggerMiddleware,

package/src/cli/init.js

@@ -7,7 +7,6 @@ const { execSync } = require("child_process");
 
 const {
   generateAppJs,
-  generateAppJsV2,
   generateEnvFile,
   generateEnvExample,
   generateLoggerMiddleware,
@@ -109,7 +108,7 @@ function generateFiles(answers, outputDir) {
 
   // Root-level files (always in cwd, not in outputDir)
   // app.js uses the v2 generator that links commons/route modules
-  if (safeWriteFile("app.js", generateAppJsV2(answers, outputDir || "")))
+  if (safeWriteFile("app.js", generateAppJs(answers, outputDir || "")))
     files.push("app.js");
   if (safeWriteFile(".env", generateEnvFile(answers, secrets)))
     files.push(".env");

package/src/cli/saas/generate-saas-middleware.js

@@ -49,6 +49,8 @@ function generateTenantIsolationMiddleware() {
 function tenantIsolation(req, res, next) {
   const hasGlobal = req.session.permission.some((p) => p.scope === "global");
   if (!hasGlobal) {
+    if (!req.query) req.query = {};
+    if (!req.body) req.body = {};
     req.query.tenant_id = req.session.user.tenant_id;
     req.body.tenant_id = req.session.user.tenant_id;
   }

package/src/cli/saas/generate-saas-routes.js

@@ -370,19 +370,16 @@ function generateRoutesIndex(tableNames, relationships, options) {
   code += `import saasPermissionsRoute from "#routes/roles/permissions/index.js";\n\n`;
 
   // --- dbmr schema-generated route imports (folder-based, skip SaaS-owned tables) ---
+  // Child routes are mounted inside their parent's index.js, not here
   const dbmrTables = tableNames.filter(
     (t) => !saasRouteModules.has(t) && !nestedChildren.has(t),
   );
-  if (dbmrTables.length > 0 || relationships.length > 0) {
+  if (dbmrTables.length > 0) {
     code += `// Schema-generated routes\n`;
   }
   for (const table of dbmrTables) {
     code += `import ${safeVarName(table)}Route from "#routes/${table}/index.js";\n`;
   }
-  for (const rel of relationships) {
-    if (saasRouteModules.has(rel.child)) continue;
-    code += `import ${safeVarName(rel.child)}ChildRoute from "#routes/${rel.parent}/${rel.child}/index.js";\n`;
-  }
 
   if (options.includeDocs) {
     code += `import docsRoute from "#routes/docs.js";\n`;
@@ -403,14 +400,7 @@ function generateRoutesIndex(tableNames, relationships, options) {
     code += `router.use("/docs", docsRoute);\n`;
   }
 
-  // --- Mount dbmr child routes before parent routes ---
-  for (const rel of relationships) {
-    if (saasRouteModules.has(rel.child)) continue;
-    const childVar = safeVarName(rel.child);
-    code += `router.use("/${rel.parent}/:${rel.foreignKey}/${rel.child}", ${childVar}ChildRoute);\n`;
-  }
-
-  // --- Mount dbmr top-level routes ---
+  // --- Mount dbmr top-level routes (children are inside parent's index.js) ---
   if (dbmrTables.length > 0) {
     code += `\n// Schema-generated routes\n`;
   }

package/src/cli/saas/generate-saas-tests.js

@@ -0,0 +1,473 @@
+"use strict";
+
+/**
+ * SaaS test generators.
+ *
+ * Generates test files for SaaS routes: auth (login/logout), users, tenants, roles, permissions.
+ * Tests use supertest with a mock session to bypass authentication middleware.
+ * Generated code uses ES6 module syntax.
+ */
+
+/**
+ * Generate all SaaS test files.
+ *
+ * @returns {Array<{ relPath: string, content: string }>}
+ */
+function generateSaasTests() {
+  return [
+    { relPath: "test/auth.test.js", content: generateAuthTest() },
+    { relPath: "test/users.test.js", content: generateUsersTest() },
+    { relPath: "test/tenants.test.js", content: generateTenantsTest() },
+    { relPath: "test/roles.test.js", content: generateRolesTest() },
+    { relPath: "test/permissions.test.js", content: generatePermissionsTest() },
+  ];
+}
+
+function generateAuthTest() {
+  return `import assert from "assert";
+import express from "express";
+import request from "supertest";
+
+// Import the auth route
+import authRoute from "#routes/auth/index.js";
+
+function createApp() {
+  const app = express();
+  app.use(express.json());
+  // Mock session object on each request
+  app.use((req, res, next) => {
+    req.session = {};
+    next();
+  });
+  app.use("/auth", authRoute);
+  return app;
+}
+
+describe("Auth Routes", function () {
+  let app;
+
+  before(function () {
+    app = createApp();
+  });
+
+  describe("POST /auth/login", function () {
+    it("should return 401 when email is missing", async function () {
+      const res = await request(app)
+        .post("/auth/login")
+        .send({ password: "test123" });
+      assert.strictEqual(res.status, 401);
+      assert.ok(res.body.message);
+    });
+
+    it("should return 401 when password is missing", async function () {
+      const res = await request(app)
+        .post("/auth/login")
+        .send({ email: "admin@system.local" });
+      assert.strictEqual(res.status, 401);
+      assert.ok(res.body.message);
+    });
+
+    it("should return 401 with empty body", async function () {
+      const res = await request(app)
+        .post("/auth/login")
+        .send({});
+      assert.strictEqual(res.status, 401);
+    });
+
+    it("should return 401 for non-existent user", async function () {
+      const res = await request(app)
+        .post("/auth/login")
+        .send({ email: "nobody@example.com", password: "wrong" });
+      assert.ok([401, 500].includes(res.status));
+    });
+  });
+
+  describe("POST /auth/logout", function () {
+    it("should return 401 when not authenticated", async function () {
+      const res = await request(app)
+        .post("/auth/logout");
+      assert.strictEqual(res.status, 401);
+    });
+  });
+});
+`;
+}
+
+function generateUsersTest() {
+  return `import assert from "assert";
+import express from "express";
+import request from "supertest";
+
+import usersRoute from "#routes/users/index.js";
+
+/**
+ * Create a test app with a pre-populated session (bypasses real auth).
+ * Injects session data via middleware before the route.
+ */
+function createApp(sessionData) {
+  const app = express();
+  app.use(express.json());
+  // Mock session injection (no real session store needed for testing)
+  app.use((req, res, next) => {
+    req.session = {
+      user: sessionData.user,
+      role: sessionData.role,
+      permission: sessionData.permission,
+    };
+    next();
+  });
+  app.use("/users", usersRoute);
+  return app;
+}
+
+const mockSession = {
+  user: { user_id: 1, email: "admin@system.local", name: "Admin", tenant_id: null },
+  role: { role_id: 1, name: "Super Admin", tenant_id: null },
+  permission: [
+    { module: "users", action: "global", scope: "global" },
+  ],
+};
+
+describe("Users Routes (SaaS)", function () {
+  let app;
+
+  before(function () {
+    app = createApp(mockSession);
+  });
+
+  describe("GET /users/", function () {
+    it("should list users", async function () {
+      const res = await request(app).get("/users/");
+      assert.ok([200, 500].includes(res.status));
+    });
+  });
+
+  describe("POST /users/", function () {
+    it("should create a user", async function () {
+      const res = await request(app)
+        .post("/users/")
+        .send({
+          email: "test@example.com",
+          name: "Test User",
+          password_hash: "hashed",
+          unique_attribute: "test-unique",
+          role_id: 1,
+        });
+      assert.ok([200, 201, 400, 500].includes(res.status));
+    });
+  });
+
+  describe("PUT /users/:id", function () {
+    it("should update a user", async function () {
+      const res = await request(app)
+        .put("/users/1")
+        .send({ name: "Updated" });
+      assert.ok([200, 400, 404, 500].includes(res.status));
+    });
+  });
+
+  describe("DELETE /users/:id", function () {
+    it("should delete a user", async function () {
+      const res = await request(app).delete("/users/1");
+      assert.ok([200, 204, 404, 500].includes(res.status));
+    });
+  });
+
+  describe("Permission enforcement", function () {
+    it("should return 403 without proper permissions", async function () {
+      const noPermApp = createApp({
+        user: { user_id: 2, email: "user@test.com", name: "User", tenant_id: 1 },
+        role: { role_id: 2, name: "Viewer", tenant_id: 1 },
+        permission: [{ module: "tenants", action: "read", scope: "tenant" }],
+      });
+      const res = await request(noPermApp).get("/users/");
+      assert.strictEqual(res.status, 403);
+    });
+  });
+});
+`;
+}
+
+function generateTenantsTest() {
+  return `import assert from "assert";
+import express from "express";
+import request from "supertest";
+
+import tenantsRoute from "#routes/tenants/index.js";
+
+function createApp(sessionData) {
+  const app = express();
+  app.use(express.json());
+  app.use((req, res, next) => {
+    req.session = {
+      user: sessionData.user,
+      role: sessionData.role,
+      permission: sessionData.permission,
+    };
+    next();
+  });
+  app.use("/tenants", tenantsRoute);
+  return app;
+}
+
+const mockSession = {
+  user: { user_id: 1, email: "admin@system.local", name: "Admin", tenant_id: null },
+  role: { role_id: 1, name: "Super Admin", tenant_id: null },
+  permission: [
+    { module: "tenants", action: "global", scope: "global" },
+  ],
+};
+
+describe("Tenants Routes (SaaS)", function () {
+  let app;
+
+  before(function () {
+    app = createApp(mockSession);
+  });
+
+  describe("GET /tenants/", function () {
+    it("should list tenants", async function () {
+      const res = await request(app).get("/tenants/");
+      assert.ok([200, 500].includes(res.status));
+    });
+  });
+
+  describe("POST /tenants/", function () {
+    it("should create a tenant", async function () {
+      const res = await request(app)
+        .post("/tenants/")
+        .send({ name: "Acme Corp", slug: "acme-corp" });
+      assert.ok([200, 201, 400, 500].includes(res.status));
+    });
+  });
+
+  describe("PUT /tenants/:id", function () {
+    it("should update a tenant", async function () {
+      const res = await request(app)
+        .put("/tenants/1")
+        .send({ name: "Acme Updated" });
+      assert.ok([200, 400, 404, 500].includes(res.status));
+    });
+  });
+
+  describe("DELETE /tenants/:id", function () {
+    it("should delete a tenant", async function () {
+      const res = await request(app).delete("/tenants/1");
+      assert.ok([200, 204, 404, 500].includes(res.status));
+    });
+  });
+
+  describe("Permission enforcement", function () {
+    it("should return 403 without tenants permission", async function () {
+      const noPermApp = createApp({
+        user: { user_id: 2, email: "user@test.com", name: "User", tenant_id: 1 },
+        role: { role_id: 2, name: "Viewer", tenant_id: 1 },
+        permission: [{ module: "users", action: "read", scope: "tenant" }],
+      });
+      const res = await request(noPermApp).get("/tenants/");
+      assert.strictEqual(res.status, 403);
+    });
+  });
+});
+`;
+}
+
+function generateRolesTest() {
+  return `import assert from "assert";
+import express from "express";
+import request from "supertest";
+
+import rolesRoute from "#routes/roles/index.js";
+
+function createApp(sessionData) {
+  const app = express();
+  app.use(express.json());
+  app.use((req, res, next) => {
+    req.session = {
+      user: sessionData.user,
+      role: sessionData.role,
+      permission: sessionData.permission,
+    };
+    next();
+  });
+  app.use("/roles", rolesRoute);
+  return app;
+}
+
+const globalSession = {
+  user: { user_id: 1, email: "admin@system.local", name: "Admin", tenant_id: null },
+  role: { role_id: 1, name: "Super Admin", tenant_id: null },
+  permission: [
+    { module: "roles", action: "global", scope: "global" },
+  ],
+};
+
+const tenantSession = {
+  user: { user_id: 2, email: "tenant@test.com", name: "Tenant Admin", tenant_id: 1 },
+  role: { role_id: 2, name: "Tenant Admin", tenant_id: 1 },
+  permission: [
+    { module: "roles", action: "read", scope: "tenant" },
+    { module: "roles", action: "write", scope: "tenant" },
+    { module: "roles", action: "update", scope: "tenant" },
+    { module: "roles", action: "delete", scope: "tenant" },
+  ],
+};
+
+describe("Roles Routes (SaaS)", function () {
+  describe("with global permissions", function () {
+    let app;
+
+    before(function () {
+      app = createApp(globalSession);
+    });
+
+    describe("GET /roles/", function () {
+      it("should list roles", async function () {
+        const res = await request(app).get("/roles/");
+        assert.ok([200, 500].includes(res.status));
+      });
+    });
+
+    describe("POST /roles/", function () {
+      it("should create a role", async function () {
+        const res = await request(app)
+          .post("/roles/")
+          .send({ name: "Editor", tenant_id: 1 });
+        assert.ok([200, 201, 400, 500].includes(res.status));
+      });
+
+      it("should allow creating role with global permissions for global user", async function () {
+        const res = await request(app)
+          .post("/roles/")
+          .send({
+            name: "Global Role",
+            tenant_id: null,
+            permissions: [{ module: "users", action: "read", scope: "global" }],
+          });
+        assert.ok([200, 201, 400, 500].includes(res.status));
+        // Should NOT be 403 for global user
+        assert.notStrictEqual(res.status, 403);
+      });
+    });
+  });
+
+  describe("with tenant permissions", function () {
+    let app;
+
+    before(function () {
+      app = createApp(tenantSession);
+    });
+
+    describe("POST /roles/", function () {
+      it("should return 403 when creating role with global permissions", async function () {
+        const res = await request(app)
+          .post("/roles/")
+          .send({
+            name: "Escalated Role",
+            permissions: [{ module: "users", action: "read", scope: "global" }],
+          });
+        assert.strictEqual(res.status, 403);
+      });
+    });
+  });
+
+  describe("Permission enforcement", function () {
+    it("should return 403 without roles permission", async function () {
+      const noPermApp = createApp({
+        user: { user_id: 3, email: "noperm@test.com", name: "No Perm", tenant_id: 1 },
+        role: { role_id: 3, name: "None", tenant_id: 1 },
+        permission: [{ module: "tenants", action: "read", scope: "tenant" }],
+      });
+      const res = await request(noPermApp).get("/roles/");
+      assert.strictEqual(res.status, 403);
+    });
+  });
+});
+`;
+}
+
+function generatePermissionsTest() {
+  return `import assert from "assert";
+import express from "express";
+import request from "supertest";
+
+import permissionsRoute from "#routes/roles/permissions/index.js";
+
+function createApp(sessionData) {
+  const app = express();
+  app.use(express.json());
+  app.use((req, res, next) => {
+    req.session = {
+      user: sessionData.user,
+      role: sessionData.role,
+      permission: sessionData.permission,
+    };
+    next();
+  });
+  app.use("/roles/:role_id/permissions", permissionsRoute);
+  return app;
+}
+
+const mockSession = {
+  user: { user_id: 1, email: "admin@system.local", name: "Admin", tenant_id: null },
+  role: { role_id: 1, name: "Super Admin", tenant_id: null },
+  permission: [
+    { module: "permissions", action: "global", scope: "global" },
+  ],
+};
+
+describe("Permissions Routes (SaaS)", function () {
+  let app;
+
+  before(function () {
+    app = createApp(mockSession);
+  });
+
+  describe("GET /roles/:role_id/permissions/", function () {
+    it("should list permissions for a role", async function () {
+      const res = await request(app).get("/roles/1/permissions/");
+      assert.ok([200, 500].includes(res.status));
+    });
+  });
+
+  describe("POST /roles/:role_id/permissions/", function () {
+    it("should create a permission entry", async function () {
+      const res = await request(app)
+        .post("/roles/1/permissions/")
+        .send({ permission: { module: "users", action: "read", scope: "tenant" } });
+      assert.ok([200, 201, 400, 500].includes(res.status));
+    });
+  });
+
+  describe("PUT /roles/:role_id/permissions/:permission_id", function () {
+    it("should update a permission entry", async function () {
+      const res = await request(app)
+        .put("/roles/1/permissions/1")
+        .send({ permission: { module: "users", action: "write", scope: "tenant" } });
+      assert.ok([200, 400, 404, 500].includes(res.status));
+    });
+  });
+
+  describe("DELETE /roles/:role_id/permissions/:permission_id", function () {
+    it("should delete a permission entry", async function () {
+      const res = await request(app).delete("/roles/1/permissions/1");
+      assert.ok([200, 204, 404, 500].includes(res.status));
+    });
+  });
+
+  describe("Permission enforcement", function () {
+    it("should return 403 without permissions module access", async function () {
+      const noPermApp = createApp({
+        user: { user_id: 2, email: "user@test.com", name: "User", tenant_id: 1 },
+        role: { role_id: 2, name: "Viewer", tenant_id: 1 },
+        permission: [{ module: "users", action: "read", scope: "tenant" }],
+      });
+      const res = await request(noPermApp).get("/roles/1/permissions/");
+      assert.strictEqual(res.status, 403);
+    });
+  });
+});
+`;
+}
+
+module.exports = { generateSaasTests };