millas 0.2.12-beta → 0.2.12-beta-2

package/src/admin/views/partials/form-widget.njk

@@ -0,0 +1,296 @@
+{#
+  partials/form-widget.njk
+  All widget HTML — one block per field type.
+  Expects in scope: field, val, hasError, isEdit
+#}
+
+{# ── Select ── #}
+{% if field.type == 'select' and field.options %}
+<select id="field-{{ field.name }}" name="{{ field.name }}"
+  class="form-control{% if hasError %} error{% endif %}"
+  {% if not field.nullable %}data-required="true"{% endif %}>
+  <option value="">— Select —</option>
+  {% for opt in field.options %}
+  {% set optVal   = opt.value if opt.value is defined else opt %}
+  {% set optLabel = opt.label if opt.label is defined else opt %}
+  <option value="{{ optVal }}" {% if val == optVal %}selected{% endif %}>{{ optLabel }}</option>
+  {% endfor %}
+</select>
+
+{# ── FK — async paginated dropdown ── #}
+{% elif field.type == 'fk' %}
+<div class="fk-widget" id="fkw-{{ field.name }}"
+  data-name="{{ field.name }}"
+  data-resource="{{ field.fkResource }}"
+  data-nullable="{{ 'true' if field.nullable else 'false' }}"
+  data-required="{{ 'true' if not field.nullable else 'false' }}"
+  data-current-id="{{ val }}"
+  data-current-label="">
+  <input type="hidden"
+    id="field-{{ field.name }}"
+    name="{{ field.name }}"
+    value="{{ val }}"
+    {% if not field.nullable %}data-required="true"{% endif %}>
+  <button type="button"
+    class="fk-trigger form-control{% if hasError %} error{% endif %}"
+    id="fktrig-{{ field.name }}"
+    aria-haspopup="listbox"
+    aria-expanded="false"
+    aria-controls="fkpanel-{{ field.name }}">
+    <span class="fk-trigger-label">
+      {% if val %}
+        <span class="fk-id-chip">#{{ val }}</span>
+        <span class="fk-loading-label">Loading…</span>
+      {% else %}
+        <span class="fk-placeholder">— Select —</span>
+      {% endif %}
+    </span>
+    <svg class="fk-chevron" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><polyline points="6 9 12 15 18 9"/></svg>
+  </button>
+  <div class="fk-panel" id="fkpanel-{{ field.name }}" role="listbox" style="display:none">
+    <div class="fk-search-wrap">
+      <svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="11" cy="11" r="8"/><line x1="21" y1="21" x2="16.65" y2="16.65"/></svg>
+      <input type="text" class="fk-search" id="fksearch-{{ field.name }}"
+        placeholder="Search…" autocomplete="off" spellcheck="false">
+      <button type="button" class="fk-search-clear" hidden aria-label="Clear search">
+        <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
+      </button>
+    </div>
+    <div class="fk-list" id="fklist-{{ field.name }}" role="listbox">
+      <div class="fk-spinner-row">
+        <svg class="fk-spin" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12a9 9 0 11-6.219-8.56"/></svg>
+        Loading…
+      </div>
+    </div>
+    <div class="fk-footer" id="fkfoot-{{ field.name }}" hidden>
+      <span class="fk-count" id="fkcount-{{ field.name }}"></span>
+      <div class="fk-pages">
+        <button type="button" class="fk-page-btn" id="fkprev-{{ field.name }}" aria-label="Previous page" disabled>
+          <svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><polyline points="15 18 9 12 15 6"/></svg>
+        </button>
+        <span class="fk-page-info" id="fkpageinfo-{{ field.name }}"></span>
+        <button type="button" class="fk-page-btn" id="fknext-{{ field.name }}" aria-label="Next page">
+          <svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><polyline points="9 18 15 12 9 6"/></svg>
+        </button>
+      </div>
+    </div>
+    {% if field.nullable %}
+    <div class="fk-clear-row">
+      <button type="button" class="fk-clear-btn" id="fkclear-{{ field.name }}">
+        <svg width="11" height="11" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
+        Clear selection
+      </button>
+    </div>
+    {% endif %}
+  </div>
+</div>
+
+{# ── M2M — dual list ── #}
+{% elif field.type == 'm2m' %}
+<div class="m2m-widget" id="m2m-{{ field.name }}">
+  <div style="display:flex;gap:8px;align-items:flex-start">
+    <div style="flex:1">
+      <div class="form-label" style="font-size:11px;color:var(--text-soft)">Available</div>
+      <select class="form-control" size="6" id="m2m-available-{{ field.name }}" style="width:100%" multiple></select>
+    </div>
+    <div style="display:flex;flex-direction:column;gap:6px;padding-top:24px">
+      <button type="button" class="btn btn-ghost btn-sm" onclick="m2mMove('{{ field.name }}','available','chosen')">→</button>
+      <button type="button" class="btn btn-ghost btn-sm" onclick="m2mMove('{{ field.name }}','chosen','available')">←</button>
+    </div>
+    <div style="flex:1">
+      <div class="form-label" style="font-size:11px;color:var(--text-soft)">Chosen</div>
+      <select class="form-control" name="{{ field.name }}[]" size="6"
+        id="m2m-chosen-{{ field.name }}" style="width:100%" multiple>
+        {% if val %}{% for v in val %}<option value="{{ v }}" selected>{{ v }}</option>{% endfor %}{% endif %}
+      </select>
+    </div>
+  </div>
+</div>
+
+{# ── Boolean — toggle switch ── #}
+{% elif field.type == 'checkbox' %}
+<div class="toggle-field">
+  <label class="toggle-wrap" for="field-{{ field.name }}">
+    <input type="checkbox"
+      id="field-{{ field.name }}"
+      name="{{ field.name }}"
+      class="toggle-input"
+      value="1"{{ ' checked' if val else '' }}>
+    <span class="toggle-track"><span class="toggle-thumb"></span></span>
+    <span class="toggle-label">{{ field.label }}</span>
+  </label>
+  {% if field.help %}
+  <div class="form-help" style="margin-top:4px;margin-left:52px">{{ field.help }}</div>
+  {% endif %}
+</div>
+
+{# ── Textarea ── #}
+{% elif field.type == 'textarea' %}
+<textarea id="field-{{ field.name }}" name="{{ field.name }}"
+  class="form-control{% if hasError %} error{% endif %}"
+  placeholder="{{ field.placeholder or '' }}"
+  {% if not field.nullable %}data-required="true"{% endif %}
+  rows="4">{{ val }}</textarea>
+
+{# ── JSON — dialog editor ── #}
+{% elif field.type == 'json' %}
+{% include "partials/json-editor.njk" %}
+
+{# ── Richtext ── #}
+{% elif field.type == 'richtext' %}
+<div class="richtext-wrap">
+  <div class="richtext-toolbar">
+    <button type="button" onclick="rtCmd('bold')" title="Bold"><b>B</b></button>
+    <button type="button" onclick="rtCmd('italic')" title="Italic"><i>I</i></button>
+    <button type="button" onclick="rtCmd('underline')" title="Underline"><u>U</u></button>
+    <span class="rt-sep"></span>
+    <button type="button" onclick="rtCmd('insertUnorderedList')" title="Bullet list">≡</button>
+    <button type="button" onclick="rtCmd('insertOrderedList')" title="Numbered list">1.</button>
+    <span class="rt-sep"></span>
+    <button type="button" onclick="rtLink()" title="Link">🔗</button>
+  </div>
+  <div id="rt-{{ field.name }}" class="richtext-editor form-control{% if hasError %} error{% endif %}"
+    contenteditable="true"
+    style="min-height:120px;height:auto">{{ val | safe }}</div>
+  <input type="hidden" id="field-{{ field.name }}" name="{{ field.name }}" value="{{ val }}">
+</div>
+
+{# ── Password ── #}
+{% elif field.type == 'password' %}
+<div style="position:relative">
+  <input type="password" id="field-{{ field.name }}" name="{{ field.name }}"
+    class="form-control{% if hasError %} error{% endif %}"
+    placeholder="{{ 'Leave blank to keep current' if isEdit else '' }}"
+    {% if not field.nullable and not isEdit %}data-required="true"{% endif %}
+    style="padding-right:40px">
+  <button type="button" class="pw-toggle"
+    onclick="this.previousElementSibling.type=this.previousElementSibling.type==='password'?'text':'password'">
+    <svg width="15" height="15" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+      <path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z"/><circle cx="12" cy="12" r="3"/>
+    </svg>
+  </button>
+</div>
+
+{# ── Email ── #}
+{% elif field.type == 'email' %}
+<input type="email" id="field-{{ field.name }}" name="{{ field.name }}"
+  value="{{ val }}"
+  class="form-control{% if hasError %} error{% endif %}"
+  placeholder="{{ field.placeholder or 'name@example.com' }}"
+  data-validate="email"
+  {% if not field.nullable %}data-required="true"{% endif %}>
+
+{# ── URL ── #}
+{% elif field.type == 'url' %}
+<input type="url" id="field-{{ field.name }}" name="{{ field.name }}"
+  value="{{ val }}"
+  class="form-control{% if hasError %} error{% endif %}"
+  placeholder="{{ field.placeholder or 'https://' }}"
+  data-validate="url"
+  {% if not field.nullable %}data-required="true"{% endif %}>
+
+{# ── Phone ── #}
+{% elif field.type == 'phone' %}
+<input type="tel" id="field-{{ field.name }}" name="{{ field.name }}"
+  value="{{ val }}"
+  class="form-control{% if hasError %} error{% endif %}"
+  placeholder="{{ field.placeholder or '+1 555 000 0000' }}"
+  {% if not field.nullable %}data-required="true"{% endif %}>
+
+{# ── Color ── #}
+{% elif field.type == 'color' %}
+<div class="flex items-center gap-2">
+  <input type="color" id="field-{{ field.name }}-picker"
+    value="{{ val or '#000000' }}"
+    style="width:40px;height:36px;border:1px solid var(--border);border-radius:var(--radius-sm);cursor:pointer;padding:2px"
+    oninput="document.getElementById('field-{{ field.name }}').value=this.value">
+  <input type="text" id="field-{{ field.name }}" name="{{ field.name }}"
+    value="{{ val }}"
+    class="form-control{% if hasError %} error{% endif %}"
+    placeholder="#000000"
+    style="width:120px"
+    oninput="if(/^#[0-9a-fA-F]{6}$/.test(this.value))document.getElementById('field-{{ field.name }}-picker').value=this.value">
+</div>
+
+{# ── Number ── #}
+{% elif field.type == 'number' %}
+<input type="number" id="field-{{ field.name }}" name="{{ field.name }}"
+  value="{{ val }}"
+  class="form-control{% if hasError %} error{% endif %}"
+  placeholder="{{ field.placeholder or '0' }}"
+  {% if field.min is not none %}min="{{ field.min }}" data-min="{{ field.min }}"{% endif %}
+  {% if field.max is not none %}max="{{ field.max }}" data-max="{{ field.max }}"{% endif %}
+  {% if not field.nullable %}data-required="true"{% endif %}>
+
+{# ── Date — custom picker ── #}
+{% elif field.type == 'date' %}
+<div class="dp-wrap">
+  {# Hidden input carries the real ISO value on form submit #}
+  <input type="hidden" id="field-{{ field.name }}" name="{{ field.name }}"
+    value="{{ val }}"
+    {% if not field.nullable %}data-required="true"{% endif %}>
+  {# Visible trigger — readonly, opens the calendar via DatePicker #}
+  <input type="text"
+    class="form-control dp-trigger{% if hasError %} error{% endif %}"
+    id="dpt-{{ field.name }}"
+    placeholder="Select date…"
+    autocomplete="off"
+    data-target="field-{{ field.name }}"
+    data-mode="date">
+  <span class="dp-icon">
+    <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+      <rect x="3" y="4" width="18" height="18" rx="2" ry="2"/><line x1="16" y1="2" x2="16" y2="6"/><line x1="8" y1="2" x2="8" y2="6"/><line x1="3" y1="10" x2="21" y2="10"/>
+    </svg>
+  </span>
+</div>
+
+{# ── Datetime — custom picker with time ── #}
+{% elif field.type == 'datetime' or field.type == 'datetime-local' %}
+<div class="dp-wrap">
+  <input type="hidden" id="field-{{ field.name }}" name="{{ field.name }}"
+    value="{{ val }}"
+    {% if not field.nullable %}data-required="true"{% endif %}>
+  <input type="text"
+    class="form-control dp-trigger{% if hasError %} error{% endif %}"
+    id="dpt-{{ field.name }}"
+    placeholder="Select date and time…"
+    autocomplete="off"
+    data-target="field-{{ field.name }}"
+    data-mode="datetime">
+  <span class="dp-icon">
+    <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+      <rect x="3" y="4" width="18" height="18" rx="2" ry="2"/><line x1="16" y1="2" x2="16" y2="6"/><line x1="8" y1="2" x2="8" y2="6"/><line x1="3" y1="10" x2="21" y2="10"/>
+    </svg>
+  </span>
+</div>
+
+{# ── Badge — display only, no input ── #}
+{% elif field.type == 'badge' %}
+{% set _bc = field.colors[val] if (field.colors and val and field.colors[val]) else 'gray' %}
+<div class="readonly-value">
+  {% if val %}<span class="badge badge-{{ _bc }}">{{ val }}</span>{% else %}<span class="cell-muted">—</span>{% endif %}
+</div>
+
+{# ── Image — display URL as text + preview ── #}
+{% elif field.type == 'image' %}
+<div>
+  {% if val %}
+  <img src="{{ val }}" style="width:64px;height:64px;object-fit:cover;border-radius:var(--radius-sm);border:1px solid var(--border);display:block;margin-bottom:8px" alt="">
+  {% endif %}
+  <input type="text" id="field-{{ field.name }}" name="{{ field.name }}"
+    value="{{ val }}"
+    class="form-control{% if hasError %} error{% endif %}"
+    placeholder="https://example.com/image.jpg"
+    {% if not field.nullable %}data-required="true"{% endif %}>
+</div>
+
+{# ── Default text ── #}
+{% else %}
+<input type="text" id="field-{{ field.name }}" name="{{ field.name }}"
+  value="{{ val }}"
+  class="form-control{% if hasError %} error{% endif %}"
+  placeholder="{{ field.placeholder or '' }}"
+  {% if field.max is not none %}maxlength="{{ field.max }}"{% endif %}
+  {% if not field.nullable %}data-required="true"{% endif %}
+  {% if field.prepopulate %}data-prepopulate="{{ field.prepopulate }}"{% endif %}>
+{% endif %}

package/src/admin/views/partials/json-dialog.njk

@@ -0,0 +1,80 @@
+{#
+  partials/json-dialog.njk  — Phase 6
+  Adds undo/redo buttons in the toolbar.
+#}
+<div id="je-dialog-content" style="display:none">
+
+  {# Toolbar #}
+  <div class="je-toolbar">
+    <div style="display:flex;align-items:center;gap:12px;flex:1;min-width:0">
+      <span class="je-toolbar-title" id="je-title">JSON</span>
+      <div id="je-root-type-wrap" class="je-root-type-wrap"></div>
+    </div>
+    <div class="je-toolbar-right">
+
+      {# Phase 6: undo / redo buttons #}
+      <div class="je-undo-wrap">
+        <button type="button" class="je-btn-icon" id="je-undo-btn"
+          onclick="JsonEditor._undo()" title="Undo (Ctrl+Z)" disabled>
+          <svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor"
+            stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+            <polyline points="9 14 4 9 9 4"/>
+            <path d="M20 20v-7a4 4 0 00-4-4H4"/>
+          </svg>
+        </button>
+        <button type="button" class="je-btn-icon" id="je-redo-btn"
+          onclick="JsonEditor._redo()" title="Redo (Ctrl+Y)" disabled>
+          <svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor"
+            stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+            <polyline points="15 14 20 9 15 4"/>
+            <path d="M4 20v-7a4 4 0 014-4h12"/>
+          </svg>
+        </button>
+      </div>
+
+      <div class="je-view-tabs">
+        <button type="button" class="je-view-tab active" id="je-tab-pretty"
+          onclick="JsonEditor._setView('pretty')">Pretty</button>
+        <button type="button" class="je-view-tab" id="je-tab-raw"
+          onclick="JsonEditor._setView('raw')">Raw</button>
+      </div>
+      <button type="button" class="je-btn-icon" id="je-format-btn"
+        onclick="JsonEditor._format()" title="Format / beautify" style="display:none">
+        <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor"
+          stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+          <line x1="21" y1="6" x2="3" y2="6"/>
+          <line x1="21" y1="10" x2="7" y2="10"/>
+          <line x1="21" y1="14" x2="3" y2="14"/>
+          <line x1="21" y1="18" x2="13" y2="18"/>
+        </svg>
+      </button>
+    </div>
+  </div>
+
+  {# Pretty view #}
+  <div id="je-pretty-view" class="je-pretty-view">
+    <div class="je-tree" id="je-tree"></div>
+  </div>
+
+  {# Raw view #}
+  <div id="je-raw-view" class="je-raw-view" style="display:none">
+    <textarea id="je-raw-ta" class="je-raw-ta" spellcheck="false"
+      placeholder='{"key": "value"}'></textarea>
+    <div class="je-raw-hint" id="je-raw-hint"></div>
+  </div>
+
+  {# Footer #}
+  <div class="je-footer">
+    <span class="je-count" id="je-count"></span>
+    <div style="display:flex;gap:8px;align-items:center">
+      <button type="button" class="btn btn-ghost btn-sm" onclick="JsonEditor._cancel()">Cancel</button>
+      <button type="button" class="btn btn-primary btn-sm" onclick="JsonEditor._apply()">
+        <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor"
+          stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+          <polyline points="20 6 9 17 4 12"/>
+        </svg>
+        Apply
+      </button>
+    </div>
+  </div>
+</div>

package/src/admin/views/partials/json-editor.njk

@@ -0,0 +1,37 @@
+{#
+  partials/json-editor.njk
+  Replaces the JSON textarea in the form with a compact trigger + preview.
+  Clicking opens the full Postman-style dialog.
+
+  Expects in scope: field, val, hasError, record
+#}
+{% set _jv = val | dump if (val is not none and val != '') else '{}' %}
+
+<input type="hidden"
+  id="field-{{ field.name }}"
+  name="{{ field.name }}"
+  value="{{ _jv | escape }}"
+  {% if not field.nullable %}data-required="true"{% endif %}>
+
+<div class="je-trigger {% if hasError %}error{% endif %}"
+     id="jet-{{ field.name }}"
+     tabindex="0"
+     role="button"
+     aria-label="Edit {{ field.label }} JSON"
+     data-field="{{ field.name }}"
+     onclick="JsonEditor.open('{{ field.name }}')"
+     onkeydown="if(event.key==='Enter'||event.key===' '){event.preventDefault();JsonEditor.open('{{ field.name }}');}">
+
+  <div class="je-preview-wrap" id="jep-{{ field.name }}">
+    <span class="je-preview-placeholder">Click to edit…</span>
+  </div>
+
+  <button type="button" class="je-open-btn" tabindex="-1"
+    onclick="event.stopPropagation();JsonEditor.open('{{ field.name }}')">
+    <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+      <path d="M11 4H4a2 2 0 00-2 2v14a2 2 0 002 2h14a2 2 0 002-2v-7"/>
+      <path d="M18.5 2.5a2.121 2.121 0 013 3L12 15l-4 1 1-4 9.5-9.5z"/>
+    </svg>
+    Edit JSON
+  </button>
+</div>

package/src/auth/Auth.js

@@ -80,7 +80,9 @@ class Auth {
     if (existing) throw new HttpError(422, 'Email already in use');
 
     const hashed = await Hasher.make(data.password);
-    return this._UserModel.create({ ...data, password: hashed });
+    // is_active defaults true — set explicitly so it is always present
+    // regardless of whether the model field has a DB default.
+    return this._UserModel.create({ is_active: true, ...data, password: hashed });
   }
 
   /**
@@ -98,8 +100,22 @@ class Auth {
     const user = await this._UserModel.findBy('email', email);
     if (!user) throw new HttpError(401, 'Invalid credentials');
 
+    // Check password before is_active — avoids leaking whether the account exists
     const ok = await Hasher.check(password, user.password);
-    if (!ok)  throw new HttpError(401, 'Invalid credentials');
+    if (!ok) throw new HttpError(401, 'Invalid credentials');
+
+    // Django: 'Please enter the correct email and password for a staff account.
+    //          Note that both fields may be case-sensitive.'
+    // Millas matches this — inactive check is after password so error message
+    // doesn't reveal which condition failed to a brute-force attacker.
+    if (user.is_active === false || user.is_active === 0) {
+      throw new HttpError(401, 'This account is inactive.');
+    }
+
+    // Record last login (fire-and-forget — never block the login response)
+    try {
+      await this._UserModel.where('id', user.id).update({ last_login: new Date().toISOString() });
+    } catch { /* non-fatal — table may not have last_login yet */ }
 
     const payload = this._buildTokenPayload(user);
     const token   = this._jwt.sign(payload);
@@ -230,13 +246,18 @@ class Auth {
   }
 
   _buildTokenPayload(user) {
-    return {
-      id:    user.id,
-      sub:   user.id,
-      email: user.email,
-      role:  user.role || null,
-      iat:   Math.floor(Date.now() / 1000),
-    };
+    // If the model defines tokenPayload(), use it — allows custom JWT claims.
+    // Otherwise fall back to the standard shape.
+    const base = typeof user.tokenPayload === 'function'
+      ? user.tokenPayload()
+      : {
+          id:    user.id,
+          sub:   user.id,
+          email: user.email,
+          role:  user.role || null,
+        };
+
+    return { ...base, iat: Math.floor(Date.now() / 1000) };
   }
 
   _requireUserModel() {
@@ -251,4 +272,4 @@ class Auth {
 
 // Singleton facade
 module.exports = new Auth();
-module.exports.Auth = Auth;
+module.exports.Auth = Auth;

package/src/auth/AuthController.js

@@ -87,6 +87,8 @@ class AuthController extends Controller {
 
   _safeUser(user) {
     if (!user) return null;
+    // Use the model's toSafeObject() if defined (AuthUser and subclasses provide this)
+    if (typeof user.toSafeObject === 'function') return user.toSafeObject();
     const data = user.toJSON ? user.toJSON() : { ...user };
     delete data.password;
     delete data.remember_token;
@@ -94,4 +96,4 @@ class AuthController extends Controller {
   }
 }
 
-module.exports = AuthController;
+module.exports = AuthController;

package/src/auth/AuthUser.js

@@ -0,0 +1,119 @@
+'use strict';
+
+const Model  = require('../orm/model/Model');
+const fields = require('../orm/fields/index').fields;
+
+/**
+ * AuthUser
+ *
+ * Base model for authentication. Ships with Millas.
+ * Covers the exact contract that Auth, AuthMiddleware, and AuthController expect.
+ *
+ * ── Fields ───────────────────────────────────────────────────────────────────
+ *
+ *   Core:
+ *     email       — unique login identifier
+ *     password    — bcrypt hash (set by Auth.register / Auth.hashPassword)
+ *     name        — display name
+ *     role        — API-level role enum, read by RoleMiddleware ('admin'|'user')
+ *
+ *   Django-style admin flags:
+ *     is_active     — false blocks login entirely (like Django's is_active)
+ *     is_staff      — true allows entry to the admin panel (like Django's is_staff)
+ *     is_superuser  — true bypasses all admin permission checks (like Django's is_superuser)
+ *     last_login    — updated by Auth.login() on each successful login
+ *
+ * ── Extending ────────────────────────────────────────────────────────────────
+ *
+ *   Because AuthUser is marked 'static abstract = true', its fields are
+ *   automatically merged into any subclass — no spread needed.
+ *
+ *   class User extends AuthUser {
+ *     static table = 'users';
+ *     static fields = {
+ *       // just declare what's new or overridden
+ *       phone:      fields.string({ nullable: true }),
+ *       avatar_url: fields.string({ nullable: true }),
+ *       role:       fields.enum(['tenant', 'landlord'], { default: 'tenant' }),
+ *     };
+ *     // User.fields → id, name, email, password, is_active, is_staff,
+ *     //               is_superuser, last_login, created_at, updated_at,
+ *     //               phone, avatar_url, role  (merged automatically)
+ *   }
+ *
+ * ── Customising the token payload ─────────────────────────────────────────
+ *
+ *   class User extends AuthUser {
+ *     tokenPayload() {
+ *       return { ...super.tokenPayload(), plan: this.plan };
+ *     }
+ *   }
+ */
+class AuthUser extends Model {
+  // Abstract — no table. The app's User model owns the table.
+  // Equivalent to Django's AbstractUser with class Meta: abstract = True.
+  static abstract = true;
+
+  static fields = {
+    id:           fields.id(),
+    name:         fields.string({ max: 100, nullable: true }),
+    email:        fields.string({ unique: true }),
+    password:     fields.string(),
+    role:         fields.enum(['admin', 'user'], { default: 'user' }),
+
+    // ── Django-style admin access flags ──────────────────────────────────
+    is_active:    fields.boolean({ default: true }),
+    is_staff:     fields.boolean({ default: false }),
+    is_superuser: fields.boolean({ default: false }),
+
+    last_login:   fields.timestamp(),
+    created_at:   fields.timestamp(),
+    updated_at:   fields.timestamp(),
+  };
+
+  // ── Auth contract helpers ──────────────────────────────────────────────────
+
+  /**
+   * Fields included in the JWT payload.
+   * Override to add custom claims.
+   */
+  tokenPayload() {
+    return {
+      id:           this.id,
+      sub:          this.id,
+      email:        this.email,
+      role:         this.role         || null,
+      is_staff:     this.is_staff     ?? false,
+      is_superuser: this.is_superuser ?? false,
+    };
+  }
+
+  /**
+   * Safe public representation — strips password and internal flags.
+   * Used by AuthController._safeUser() and API responses.
+   */
+  toSafeObject() {
+    const data = { ...this };
+    delete data.password;
+    delete data.remember_token;
+    return data;
+  }
+
+  /**
+   * Returns true if this user can access the admin panel.
+   * Mirrors Django's User.has_module_perms / is_staff check.
+   */
+  get canAccessAdmin() {
+    return !!(this.is_active && this.is_staff);
+  }
+
+  /**
+   * Returns true if this user bypasses all permission checks.
+   * Mirrors Django's User.is_superuser.
+   */
+  get isSuperuser() {
+    return !!(this.is_active && this.is_superuser);
+  }
+}
+
+module.exports = AuthUser;

package/src/cli.js

@@ -7,7 +7,7 @@ const program = new Command();
 program
   .name('millas')
   .description(chalk.cyan('⚡ Millas — A modern batteries-included Node.js framework'))
-  .version('0.1.0');
+  .version('0.2.12-beta-1');
 
 // Load all command modules
 require('./commands/new')(program);
@@ -16,6 +16,8 @@ require('./commands/make')(program);
 require('./commands/migrate')(program);
 require('./commands/route')(program);
 require('./commands/queue')(program);
+require('./commands/createsuperuser')(program);
+require('./commands/lang')(program);
 
 // Unknown command handler
 program.on('command:*', ([cmd]) => {
@@ -24,4 +26,4 @@ program.on('command:*', ([cmd]) => {
   process.exit(1);
 });
 
-module.exports = { program };
+module.exports = { program };