nuxt-auto-crud 1.10.0 → 1.12.0

package/README.md

@@ -57,10 +57,15 @@ If you want to add `nuxt-auto-crud` to an existing project, follow these steps:
 ```bash
 # Install module and required dependencies
 npm install nuxt-auto-crud @nuxthub/core@latest drizzle-orm
+
+# Optional: Install auth dependencies if using Session Auth (Recommended)
+npm install nuxt-auth-utils nuxt-authorization
+
 npm install --save-dev wrangler drizzle-kit
 
 # Or using bun
 bun add nuxt-auto-crud @nuxthub/core@latest drizzle-orm
+bun add nuxt-auth-utils nuxt-authorization
 bun add --dev wrangler drizzle-kit
 ```
 
@@ -245,10 +250,19 @@ The module enables authentication by default. To test APIs without authenticatio
 
 ### Session Auth (Default)
 
-Requires `nuxt-auth-utils` and `nuxt-authorization`.
+Requires `nuxt-auth-utils` and `nuxt-authorization` to be installed in your project.
+
+```bash
+npm install nuxt-auth-utils nuxt-authorization
+```
 
 ```typescript
 export default defineNuxtConfig({
+  modules: [
+    'nuxt-auth-utils',
+    'nuxt-authorization',
+    'nuxt-auto-crud'
+  ],
   autoCrud: {
     auth: {
       type: 'session',
@@ -261,7 +275,7 @@ export default defineNuxtConfig({
 
 ### JWT Auth
 
-Useful for backend-only apps.
+Useful for backend-only apps. Does **not** require `nuxt-auth-utils`.
 
 ```typescript
 export default defineNuxtConfig({
@@ -276,6 +290,36 @@ export default defineNuxtConfig({
 })
 ```
 
+### Disabling Auth
+
+You can disable authentication entirely for testing or public APIs.
+
+```typescript
+export default defineNuxtConfig({
+  autoCrud: {
+    auth: {
+      authentication: false,
+      authorization: false
+    }
+    // OR simply:
+    // auth: false
+  }
+})
+```
+
+## 🧪 Testing
+
+This module is tested using **Vitest**.
+
+- **Unit Tests:** We cover utility functions and helpers.
+- **E2E Tests:** We verify the API endpoints using a real Nuxt server instance.
+
+To run the tests locally:
+
+```bash
+npm run test
+```
+
 ## 🛡️ Resource Configuration (RBAC)
 
 You can define fine-grained access control and resource policies using `autocrud.config.ts` in your project root. This file is optional and useful when you need specific rules per resource.
@@ -302,6 +346,7 @@ export default {
 ## ⚠️ Known Issues
 
 - **Foreign Key Naming:** Currently, if you have multiple foreign keys referring to the same table (e.g., `customer_id` and `author_id` both referring to the `users` table), the automatic relation handling might assume `user_id` for both. This is a known limitation in the current alpha version.
+- **Sidebar Visibility:** For non-admin users, the sidebar resource list might not be fully visible or populated in the current playground implementation. This is a known limitation.
 
 ## 🎮 Try the Playground
 

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.10.0",
+  "version": "1.12.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,4 +1,4 @@
-import { defineNuxtModule, createResolver, addServerHandler, addServerImportsDir, addImportsDir, addServerPlugin } from '@nuxt/kit';
+import { defineNuxtModule, createResolver, addServerHandler, addServerImportsDir, addImportsDir } from '@nuxt/kit';
 
 const module$1 = defineNuxtModule({
   meta: {
@@ -22,6 +22,11 @@ const module$1 = defineNuxtModule({
       options.drizzlePath
     );
     nuxt.options.alias["#site/drizzle"] = drizzlePath;
+    const abilityPath = resolver.resolve(
+      nuxt.options.rootDir,
+      "server/utils/ability"
+    );
+    nuxt.options.alias["#site/ability"] = abilityPath;
     nuxt.options.alias["#authorization"] = nuxt.options.alias["#authorization"] || "nuxt-authorization/utils";
     const { loadConfig } = await import('c12');
     const { config: externalConfig } = await loadConfig({
@@ -116,7 +121,6 @@ const module$1 = defineNuxtModule({
     });
     addServerImportsDir(resolver.resolve("./runtime/server/utils"));
     addImportsDir(resolver.resolve("./runtime/composables"));
-    addServerPlugin(resolver.resolve("./runtime/server/plugins/seed"));
   }
 });
 

package/dist/runtime/auth.d.ts

@@ -0,0 +1,6 @@
+declare module '#site/ability' {
+  import type { Ability } from 'nuxt-authorization/utils'
+
+  const ability: Ability
+  export default ability
+}

package/dist/runtime/server/api/[model]/[id].delete.js

@@ -1,23 +1,11 @@
 import { eventHandler, getRouterParams, createError } from "h3";
 import { eq } from "drizzle-orm";
-import { getTableForModel, getModelSingularName, filterHiddenFields, filterPublicColumns } from "../../utils/modelMapper.js";
+import { getTableForModel, getModelSingularName } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
-import { useAutoCrudConfig } from "../../utils/config.js";
-import { checkAdminAccess } from "../../utils/auth.js";
+import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig();
   const { model, id } = getRouterParams(event);
-  const isAdmin = await checkAdminAccess(event, model, "delete");
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model];
-    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("delete");
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: "Unauthorized"
-      });
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, "delete");
   const table = getTableForModel(model);
   const singularName = getModelSingularName(model);
   const deletedRecord = await useDrizzle().delete(table).where(eq(table.id, Number(id))).returning().get();
@@ -27,9 +15,5 @@ export default eventHandler(async (event) => {
       message: `${singularName} not found`
     });
   }
-  if (isAdmin) {
-    return filterHiddenFields(model, deletedRecord);
-  } else {
-    return filterPublicColumns(model, deletedRecord);
-  }
+  return formatResourceResult(model, deletedRecord, isAdmin);
 });

package/dist/runtime/server/api/[model]/[id].get.js

@@ -1,23 +1,11 @@
 import { eventHandler, getRouterParams, createError } from "h3";
 import { eq } from "drizzle-orm";
-import { getTableForModel, filterHiddenFields, filterPublicColumns } from "../../utils/modelMapper.js";
+import { getTableForModel } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
-import { useAutoCrudConfig } from "../../utils/config.js";
-import { checkAdminAccess } from "../../utils/auth.js";
+import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig();
   const { model, id } = getRouterParams(event);
-  const isAdmin = await checkAdminAccess(event, model, "read");
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model];
-    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("read");
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: "Unauthorized"
-      });
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, "read");
   const table = getTableForModel(model);
   const record = await useDrizzle().select().from(table).where(eq(table.id, Number(id))).get();
   if (!record) {
@@ -26,9 +14,5 @@ export default eventHandler(async (event) => {
       message: "Record not found"
     });
   }
-  if (isAdmin) {
-    return filterHiddenFields(model, record);
-  } else {
-    return filterPublicColumns(model, record);
-  }
+  return formatResourceResult(model, record, isAdmin);
 });

package/dist/runtime/server/api/[model]/[id].patch.js

@@ -1,23 +1,11 @@
 import { eventHandler, getRouterParams, readBody, createError } from "h3";
 import { eq } from "drizzle-orm";
-import { getTableForModel, filterUpdatableFields, filterHiddenFields, filterPublicColumns } from "../../utils/modelMapper.js";
+import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
-import { useAutoCrudConfig } from "../../utils/config.js";
-import { checkAdminAccess } from "../../utils/auth.js";
+import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig();
   const { model, id } = getRouterParams(event);
-  const isAdmin = await checkAdminAccess(event, model, "update");
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model];
-    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("update");
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: "Unauthorized"
-      });
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, "update");
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
@@ -31,9 +19,5 @@ export default eventHandler(async (event) => {
       message: "Record not found"
     });
   }
-  if (isAdmin) {
-    return filterHiddenFields(model, updatedRecord);
-  } else {
-    return filterPublicColumns(model, updatedRecord);
-  }
+  return formatResourceResult(model, updatedRecord, isAdmin);
 });

package/dist/runtime/server/api/[model]/index.get.js

@@ -1,31 +1,13 @@
-import { eventHandler, getRouterParams, createError } from "h3";
-import { getTableForModel, filterHiddenFields, filterPublicColumns } from "../../utils/modelMapper.js";
+import { eventHandler, getRouterParams } from "h3";
+import { getTableForModel } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
-import { useAutoCrudConfig } from "../../utils/config.js";
-import { checkAdminAccess } from "../../utils/auth.js";
 import { desc } from "drizzle-orm";
+import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
   console.log("[GET] Request received", event.path);
-  const { resources } = useAutoCrudConfig();
   const { model } = getRouterParams(event);
-  const isAdmin = await checkAdminAccess(event, model, "list");
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model];
-    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("list");
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: "Unauthorized"
-      });
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, "list");
   const table = getTableForModel(model);
   const results = await useDrizzle().select().from(table).orderBy(desc(table.id)).all();
-  return results.map((item) => {
-    if (isAdmin) {
-      return filterHiddenFields(model, item);
-    } else {
-      return filterPublicColumns(model, item);
-    }
-  });
+  return results.map((item) => formatResourceResult(model, item, isAdmin));
 });

package/dist/runtime/server/api/[model]/index.post.js

@@ -1,29 +1,13 @@
-import { eventHandler, getRouterParams, readBody, createError } from "h3";
-import { getTableForModel, filterHiddenFields, filterUpdatableFields, filterPublicColumns } from "../../utils/modelMapper.js";
+import { eventHandler, getRouterParams, readBody } from "h3";
+import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
-import { useAutoCrudConfig } from "../../utils/config.js";
-import { checkAdminAccess } from "../../utils/auth.js";
+import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig();
   const { model } = getRouterParams(event);
-  const isAdmin = await checkAdminAccess(event, model, "create");
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model];
-    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("create");
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: "Unauthorized"
-      });
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, "create");
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
   const newRecord = await useDrizzle().insert(table).values(payload).returning().get();
-  if (isAdmin) {
-    return filterHiddenFields(model, newRecord);
-  } else {
-    return filterPublicColumns(model, newRecord);
-  }
+  return formatResourceResult(model, newRecord, isAdmin);
 });

package/dist/runtime/server/api/_relations.get.js

@@ -1,25 +1,7 @@
-import { eventHandler, createError } from "h3";
-import { requireUserSession } from "#imports";
+import { eventHandler } from "h3";
 import { getRelations } from "../utils/schema.js";
-import { useAutoCrudConfig } from "../utils/config.js";
-import { verifyJwtToken } from "../utils/jwt.js";
+import { ensureAuthenticated } from "../utils/auth.js";
 export default eventHandler(async (event) => {
-  const { auth } = useAutoCrudConfig();
-  if (auth?.authentication) {
-    let isAuthenticated = false;
-    if (auth.type === "jwt" && auth.jwtSecret) {
-      isAuthenticated = await verifyJwtToken(event, auth.jwtSecret);
-    } else {
-      try {
-        await requireUserSession(event);
-        isAuthenticated = true;
-      } catch {
-        isAuthenticated = false;
-      }
-    }
-    if (!isAuthenticated) {
-      throw createError({ statusCode: 401, message: "Unauthorized" });
-    }
-  }
+  await ensureAuthenticated(event);
   return getRelations();
 });

package/dist/runtime/server/api/_schema/[table].get.d.ts

@@ -4,7 +4,7 @@ declare const _default: import("h3").EventHandler<import("h3").EventHandlerReque
         name: string;
         type: string;
         required: any;
-        selectOptions: undefined;
+        selectOptions: string[] | undefined;
     }[];
 }>>;
 export default _default;

package/dist/runtime/server/api/_schema/[table].get.js

@@ -1,27 +1,9 @@
 import { eventHandler, createError, getRouterParam } from "h3";
-import { requireUserSession } from "#imports";
 import { getSchema } from "../../utils/schema.js";
-import { useAutoCrudConfig } from "../../utils/config.js";
-import { verifyJwtToken } from "../../utils/jwt.js";
+import { ensureAuthenticated } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
-  const { auth } = useAutoCrudConfig();
+  await ensureAuthenticated(event);
   const tableName = getRouterParam(event, "table");
-  if (auth?.authentication) {
-    let isAuthenticated = false;
-    if (auth.type === "jwt" && auth.jwtSecret) {
-      isAuthenticated = await verifyJwtToken(event, auth.jwtSecret);
-    } else {
-      try {
-        await requireUserSession(event);
-        isAuthenticated = true;
-      } catch {
-        isAuthenticated = false;
-      }
-    }
-    if (!isAuthenticated) {
-      throw createError({ statusCode: 401, message: "Unauthorized" });
-    }
-  }
   if (!tableName) {
     throw createError({ statusCode: 400, message: "Table name is required" });
   }

package/dist/runtime/server/api/_schema/index.get.js

@@ -1,25 +1,7 @@
-import { eventHandler, createError } from "h3";
-import { requireUserSession } from "#imports";
+import { eventHandler } from "h3";
 import { getAllSchemas } from "../../utils/schema.js";
-import { useAutoCrudConfig } from "../../utils/config.js";
-import { verifyJwtToken } from "../../utils/jwt.js";
+import { ensureAuthenticated } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
-  const { auth } = useAutoCrudConfig();
-  if (auth?.authentication) {
-    let isAuthenticated = false;
-    if (auth.type === "jwt" && auth.jwtSecret) {
-      isAuthenticated = await verifyJwtToken(event, auth.jwtSecret);
-    } else {
-      try {
-        await requireUserSession(event);
-        isAuthenticated = true;
-      } catch {
-        isAuthenticated = false;
-      }
-    }
-    if (!isAuthenticated) {
-      throw createError({ statusCode: 401, message: "Unauthorized" });
-    }
-  }
+  await ensureAuthenticated(event);
   return getAllSchemas();
 });

package/dist/runtime/server/utils/auth.d.ts

@@ -1,2 +1,4 @@
+import '../../auth.d.ts.js';
 import type { H3Event } from 'h3';
 export declare function checkAdminAccess(event: H3Event, model: string, action: string): Promise<boolean>;
+export declare function ensureAuthenticated(event: H3Event): Promise<void>;

package/dist/runtime/server/utils/auth.js

@@ -1,5 +1,7 @@
+import "../../auth.d.ts";
 import { createError } from "h3";
-import { requireUserSession } from "#imports";
+import globalAbility from "#site/ability";
+import { requireUserSession, allows } from "#imports";
 import { useAutoCrudConfig } from "./config.js";
 import { verifyJwtToken } from "./jwt.js";
 export async function checkAdminAccess(event, model, action) {
@@ -17,14 +19,12 @@ export async function checkAdminAccess(event, model, action) {
   try {
     await requireUserSession(event);
     if (auth.authorization) {
-      if (event.context.ability) {
-        const can = event.context.ability.can(action, model);
-        if (!can) {
-          throw createError({
-            statusCode: 403,
-            message: "Forbidden"
-          });
-        }
+      const allowed = await allows(event, globalAbility, model, action);
+      if (!allowed) {
+        throw createError({
+          statusCode: 403,
+          message: "Forbidden"
+        });
       }
     }
     return true;
@@ -35,3 +35,23 @@ export async function checkAdminAccess(event, model, action) {
     return false;
   }
 }
+export async function ensureAuthenticated(event) {
+  const { auth } = useAutoCrudConfig();
+  if (!auth?.authentication) {
+    return;
+  }
+  let isAuthenticated = false;
+  if (auth.type === "jwt" && auth.jwtSecret) {
+    isAuthenticated = await verifyJwtToken(event, auth.jwtSecret);
+  } else {
+    try {
+      await requireUserSession(event);
+      isAuthenticated = true;
+    } catch {
+      isAuthenticated = false;
+    }
+  }
+  if (!isAuthenticated) {
+    throw createError({ statusCode: 401, message: "Unauthorized" });
+  }
+}

package/dist/runtime/server/utils/handler.d.ts

@@ -0,0 +1,3 @@
+import type { H3Event } from 'h3';
+export declare function ensureResourceAccess(event: H3Event, model: string, action: string): Promise<boolean>;
+export declare function formatResourceResult(model: string, data: Record<string, unknown>, isAdmin: boolean): Record<string, unknown>;

package/dist/runtime/server/utils/handler.js

@@ -0,0 +1,26 @@
+import { createError } from "h3";
+import { useAutoCrudConfig } from "./config.js";
+import { checkAdminAccess } from "./auth.js";
+import { filterHiddenFields, filterPublicColumns } from "./modelMapper.js";
+export async function ensureResourceAccess(event, model, action) {
+  const { resources } = useAutoCrudConfig();
+  const isAdmin = await checkAdminAccess(event, model, action);
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model];
+    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes(action);
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: "Unauthorized"
+      });
+    }
+  }
+  return isAdmin;
+}
+export function formatResourceResult(model, data, isAdmin) {
+  if (isAdmin) {
+    return filterHiddenFields(model, data);
+  } else {
+    return filterPublicColumns(model, data);
+  }
+}

package/dist/runtime/server/utils/schema.d.ts

@@ -4,7 +4,7 @@ export declare function drizzleTableToFields(table: any, resourceName: string):
         name: string;
         type: string;
         required: any;
-        selectOptions: undefined;
+        selectOptions: string[] | undefined;
     }[];
 };
 export declare function getRelations(): Promise<Record<string, Record<string, string>>>;
@@ -15,6 +15,6 @@ export declare function getSchema(tableName: string): Promise<{
         name: string;
         type: string;
         required: any;
-        selectOptions: undefined;
+        selectOptions: string[] | undefined;
     }[];
 } | undefined>;

package/dist/runtime/server/utils/schema.js

@@ -7,18 +7,7 @@ export function drizzleTableToFields(table, resourceName) {
   for (const [key, col] of Object.entries(columns)) {
     const column = col;
     const isRequired = column.notNull;
-    let type = "string";
-    const selectOptions = void 0;
-    if (column.dataType === "number" || column.columnType === "SQLiteInteger" || column.columnType === "SQLiteReal") {
-      type = "number";
-      if (column.name.endsWith("_at") || column.name.endsWith("At")) {
-        type = "date";
-      }
-    } else if (column.dataType === "boolean") {
-      type = "boolean";
-    } else if (column.dataType === "date" || column.dataType === "string" && (column.name.endsWith("_at") || column.name.endsWith("At"))) {
-      type = "date";
-    }
+    const { type, selectOptions } = mapColumnType(column);
     fields.push({
       name: key,
       type,
@@ -31,6 +20,25 @@ export function drizzleTableToFields(table, resourceName) {
     fields
   };
 }
+function mapColumnType(column) {
+  const enumValues = column.enumValues || column.config?.enumValues;
+  if (enumValues) {
+    return { type: "enum", selectOptions: enumValues };
+  }
+  if (column.dataType === "boolean") {
+    return { type: "boolean" };
+  }
+  if (column.dataType === "date" || column.dataType === "string" && (column.name.endsWith("_at") || column.name.endsWith("At"))) {
+    return { type: "date" };
+  }
+  if (column.dataType === "number" || column.columnType === "SQLiteInteger" || column.columnType === "SQLiteReal") {
+    if (column.name.endsWith("_at") || column.name.endsWith("At")) {
+      return { type: "date" };
+    }
+    return { type: "number" };
+  }
+  return { type: "string" };
+}
 export async function getRelations() {
   const relations = {};
   for (const [tableName, table] of Object.entries(modelTableMap)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.10.0",
+  "version": "1.12.0",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",

package/src/runtime/auth.d.ts

@@ -0,0 +1,6 @@
+declare module '#site/ability' {
+  import type { Ability } from 'nuxt-authorization/utils'
+
+  const ability: Ability
+  export default ability
+}

package/src/runtime/server/api/[model]/[id].delete.ts

@@ -1,36 +1,17 @@
 // server/api/[model]/[id].delete.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, getModelSingularName, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { getTableForModel, getModelSingularName } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig()
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'delete')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('delete'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'delete')
 
   const table = getTableForModel(model) as TableWithId
-
   const singularName = getModelSingularName(model)
 
   const deletedRecord = await useDrizzle()
@@ -46,10 +27,5 @@ export default eventHandler(async (event) => {
     })
   }
 
-  if (isAdmin) {
-    return filterHiddenFields(model, deletedRecord as Record<string, unknown>)
-  }
-  else {
-    return filterPublicColumns(model, deletedRecord as Record<string, unknown>)
-  }
+  return formatResourceResult(model, deletedRecord as Record<string, unknown>, isAdmin)
 })

package/src/runtime/server/api/[model]/[id].get.ts

@@ -1,33 +1,15 @@
 // server/api/[model]/[id].get.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { getTableForModel } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig()
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'read')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('read'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'read')
 
   const table = getTableForModel(model) as TableWithId
 
@@ -44,10 +26,5 @@ export default eventHandler(async (event) => {
     })
   }
 
-  if (isAdmin) {
-    return filterHiddenFields(model, record as Record<string, unknown>)
-  }
-  else {
-    return filterPublicColumns(model, record as Record<string, unknown>)
-  }
+  return formatResourceResult(model, record as Record<string, unknown>, isAdmin)
 })

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -1,33 +1,15 @@
 // server/api/[model]/[id].patch.ts
 import { eventHandler, getRouterParams, readBody, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, filterUpdatableFields, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig()
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'update')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('update'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'update')
 
   const table = getTableForModel(model) as TableWithId
 
@@ -36,7 +18,8 @@ export default eventHandler(async (event) => {
 
   // Automatically update updatedAt if it exists
   if ('updatedAt' in table) {
-    payload.updatedAt = new Date()
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (payload as any).updatedAt = new Date()
   }
 
   const updatedRecord = await useDrizzle()
@@ -53,10 +36,5 @@ export default eventHandler(async (event) => {
     })
   }
 
-  if (isAdmin) {
-    return filterHiddenFields(model, updatedRecord as Record<string, unknown>)
-  }
-  else {
-    return filterPublicColumns(model, updatedRecord as Record<string, unknown>)
-  }
+  return formatResourceResult(model, updatedRecord as Record<string, unknown>, isAdmin)
 })

package/src/runtime/server/api/[model]/index.get.ts

@@ -1,46 +1,20 @@
 // server/api/[model]/index.get.ts
-import { eventHandler, getRouterParams, createError } from 'h3'
-import { getTableForModel, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { eventHandler, getRouterParams } from 'h3'
+import { getTableForModel } from '../../utils/modelMapper'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
-
 import { desc } from 'drizzle-orm'
 import type { TableWithId } from '../../types'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
   console.log('[GET] Request received', event.path)
-  const { resources } = useAutoCrudConfig()
   const { model } = getRouterParams(event) as { model: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'list')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('list'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'list')
 
   const table = getTableForModel(model) as TableWithId
 
   const results = await useDrizzle().select().from(table).orderBy(desc(table.id)).all()
 
-  return results.map((item: Record<string, unknown>) => {
-    if (isAdmin) {
-      return filterHiddenFields(model, item as Record<string, unknown>)
-    }
-    else {
-      return filterPublicColumns(model, item as Record<string, unknown>)
-    }
-  })
+  return results.map((item: Record<string, unknown>) => formatResourceResult(model, item, isAdmin))
 })

package/src/runtime/server/api/[model]/index.post.ts

@@ -1,31 +1,13 @@
 // server/api/[model]/index.post.ts
-import { eventHandler, getRouterParams, readBody, createError } from 'h3'
-import { getTableForModel, filterHiddenFields, filterUpdatableFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { eventHandler, getRouterParams, readBody } from 'h3'
+import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig()
   const { model } = getRouterParams(event) as { model: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'create')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('create'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'create')
 
   const table = getTableForModel(model)
 
@@ -34,10 +16,5 @@ export default eventHandler(async (event) => {
 
   const newRecord = await useDrizzle().insert(table).values(payload).returning().get()
 
-  if (isAdmin) {
-    return filterHiddenFields(model, newRecord as Record<string, unknown>)
-  }
-  else {
-    return filterPublicColumns(model, newRecord as Record<string, unknown>)
-  }
+  return formatResourceResult(model, newRecord as Record<string, unknown>, isAdmin)
 })

package/src/runtime/server/api/_relations.get.ts

@@ -1,32 +1,9 @@
-import { eventHandler, createError } from 'h3'
-// @ts-expect-error - #imports is available in runtime
-import { requireUserSession } from '#imports'
+import { eventHandler } from 'h3'
+
 import { getRelations } from '../utils/schema'
-import { useAutoCrudConfig } from '../utils/config'
-import { verifyJwtToken } from '../utils/jwt'
+import { ensureAuthenticated } from '../utils/auth'
 
 export default eventHandler(async (event) => {
-  const { auth } = useAutoCrudConfig()
-
-  if (auth?.authentication) {
-    let isAuthenticated = false
-    if (auth.type === 'jwt' && auth.jwtSecret) {
-      isAuthenticated = await verifyJwtToken(event, auth.jwtSecret)
-    }
-    else {
-      try {
-        await requireUserSession(event)
-        isAuthenticated = true
-      }
-      catch {
-        isAuthenticated = false
-      }
-    }
-
-    if (!isAuthenticated) {
-      throw createError({ statusCode: 401, message: 'Unauthorized' })
-    }
-  }
-
+  await ensureAuthenticated(event)
   return getRelations()
 })

package/src/runtime/server/api/_schema/[table].get.ts

@@ -1,34 +1,12 @@
 import { eventHandler, createError, getRouterParam } from 'h3'
-// @ts-expect-error - #imports is available in runtime
-import { requireUserSession } from '#imports'
+
 import { getSchema } from '../../utils/schema'
-import { useAutoCrudConfig } from '../../utils/config'
-import { verifyJwtToken } from '../../utils/jwt'
+import { ensureAuthenticated } from '../../utils/auth'
 
 export default eventHandler(async (event) => {
-  const { auth } = useAutoCrudConfig()
+  await ensureAuthenticated(event)
   const tableName = getRouterParam(event, 'table')
 
-  if (auth?.authentication) {
-    let isAuthenticated = false
-    if (auth.type === 'jwt' && auth.jwtSecret) {
-      isAuthenticated = await verifyJwtToken(event, auth.jwtSecret)
-    }
-    else {
-      try {
-        await requireUserSession(event)
-        isAuthenticated = true
-      }
-      catch {
-        isAuthenticated = false
-      }
-    }
-
-    if (!isAuthenticated) {
-      throw createError({ statusCode: 401, message: 'Unauthorized' })
-    }
-  }
-
   if (!tableName) {
     throw createError({ statusCode: 400, message: 'Table name is required' })
   }

package/src/runtime/server/api/_schema/index.get.ts

@@ -1,32 +1,9 @@
-import { eventHandler, createError } from 'h3'
-// @ts-expect-error - #imports is available in runtime
-import { requireUserSession } from '#imports'
+import { eventHandler } from 'h3'
+
 import { getAllSchemas } from '../../utils/schema'
-import { useAutoCrudConfig } from '../../utils/config'
-import { verifyJwtToken } from '../../utils/jwt'
+import { ensureAuthenticated } from '../../utils/auth'
 
 export default eventHandler(async (event) => {
-  const { auth } = useAutoCrudConfig()
-
-  if (auth?.authentication) {
-    let isAuthenticated = false
-    if (auth.type === 'jwt' && auth.jwtSecret) {
-      isAuthenticated = await verifyJwtToken(event, auth.jwtSecret)
-    }
-    else {
-      try {
-        await requireUserSession(event)
-        isAuthenticated = true
-      }
-      catch {
-        isAuthenticated = false
-      }
-    }
-
-    if (!isAuthenticated) {
-      throw createError({ statusCode: 401, message: 'Unauthorized' })
-    }
-  }
-
+  await ensureAuthenticated(event)
   return getAllSchemas()
 })

package/src/runtime/server/utils/auth.ts

@@ -1,7 +1,9 @@
+import '../../auth.d.ts'
 import type { H3Event } from 'h3'
 import { createError } from 'h3'
+import globalAbility from '#site/ability'
 // @ts-expect-error - #imports is available in runtime
-import { requireUserSession } from '#imports'
+import { requireUserSession, allows } from '#imports'
 import { useAutoCrudConfig } from './config'
 import { verifyJwtToken } from './jwt'
 
@@ -26,14 +28,12 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
 
     // Check authorization if enabled
     if (auth.authorization) {
-      if (event.context.ability) {
-        const can = event.context.ability.can(action, model)
-        if (!can) {
-          throw createError({
-            statusCode: 403,
-            message: 'Forbidden',
-          })
-        }
+      const allowed = await allows(event, globalAbility, model, action)
+      if (!allowed) {
+        throw createError({
+          statusCode: 403,
+          message: 'Forbidden',
+        })
       }
     }
 
@@ -49,3 +49,29 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
     return false
   }
 }
+
+export async function ensureAuthenticated(event: H3Event): Promise<void> {
+  const { auth } = useAutoCrudConfig()
+
+  if (!auth?.authentication) {
+    return
+  }
+
+  let isAuthenticated = false
+  if (auth.type === 'jwt' && auth.jwtSecret) {
+    isAuthenticated = await verifyJwtToken(event, auth.jwtSecret)
+  }
+  else {
+    try {
+      await requireUserSession(event)
+      isAuthenticated = true
+    }
+    catch {
+      isAuthenticated = false
+    }
+  }
+
+  if (!isAuthenticated) {
+    throw createError({ statusCode: 401, message: 'Unauthorized' })
+  }
+}

package/src/runtime/server/utils/handler.ts

@@ -0,0 +1,36 @@
+import { createError } from 'h3'
+import type { H3Event } from 'h3'
+import { useAutoCrudConfig } from './config'
+import { checkAdminAccess } from './auth'
+import { filterHiddenFields, filterPublicColumns } from './modelMapper'
+
+export async function ensureResourceAccess(event: H3Event, model: string, action: string): Promise<boolean> {
+  const { resources } = useAutoCrudConfig()
+  const isAdmin = await checkAdminAccess(event, model, action)
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const resourceConfig = (resources as any)?.[model]
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && (resourceConfig.public as any[]).includes(action))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
+  return isAdmin
+}
+
+export function formatResourceResult(model: string, data: Record<string, unknown>, isAdmin: boolean) {
+  if (isAdmin) {
+    return filterHiddenFields(model, data)
+  }
+  else {
+    return filterPublicColumns(model, data)
+  }
+}

package/src/runtime/server/utils/schema.ts

@@ -11,23 +11,8 @@ export function drizzleTableToFields(table: any, resourceName: string) {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const column = col as any
     const isRequired = column.notNull
-    let type = 'string'
-    const selectOptions: string[] | undefined = undefined
-
-    // Map Drizzle types to frontend types
-    if (column.dataType === 'number' || column.columnType === 'SQLiteInteger' || column.columnType === 'SQLiteReal') {
-      type = 'number'
-      // Check if it is a timestamp
-      if (column.name.endsWith('_at') || column.name.endsWith('At')) {
-        type = 'date'
-      }
-    }
-    else if (column.dataType === 'boolean') {
-      type = 'boolean'
-    }
-    else if (column.dataType === 'date' || (column.dataType === 'string' && (column.name.endsWith('_at') || column.name.endsWith('At')))) {
-      type = 'date'
-    }
+
+    const { type, selectOptions } = mapColumnType(column)
 
     fields.push({
       name: key,
@@ -43,6 +28,34 @@ export function drizzleTableToFields(table: any, resourceName: string) {
   }
 }
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function mapColumnType(column: any): { type: string, selectOptions?: string[] } {
+  // Check for enum values (Drizzle stores them in enumValues or config.enumValues)
+  const enumValues = column.enumValues || column.config?.enumValues
+
+  if (enumValues) {
+    return { type: 'enum', selectOptions: enumValues }
+  }
+
+  if (column.dataType === 'boolean') {
+    return { type: 'boolean' }
+  }
+
+  if (column.dataType === 'date' || (column.dataType === 'string' && (column.name.endsWith('_at') || column.name.endsWith('At')))) {
+    return { type: 'date' }
+  }
+
+  if (column.dataType === 'number' || column.columnType === 'SQLiteInteger' || column.columnType === 'SQLiteReal') {
+    // Check if it is a timestamp
+    if (column.name.endsWith('_at') || column.name.endsWith('At')) {
+      return { type: 'date' }
+    }
+    return { type: 'number' }
+  }
+
+  return { type: 'string' }
+}
+
 export async function getRelations() {
   const relations: Record<string, Record<string, string>> = {}
 

package/dist/runtime/server/plugins/seed.d.ts

@@ -1,2 +0,0 @@
-declare const _default: any;
-export default _default;

package/dist/runtime/server/plugins/seed.js

@@ -1,29 +0,0 @@
-import { eq } from "drizzle-orm";
-import { useDrizzle } from "#site/drizzle";
-import * as tables from "#site/schema";
-import { useAutoCrudConfig } from "../utils/config.js";
-import { defineNitroPlugin, hashPassword, onHubReady } from "#imports";
-export default defineNitroPlugin(async () => {
-  onHubReady(async () => {
-    const { auth } = useAutoCrudConfig();
-    if (!auth?.authentication || !tables.users) {
-      return;
-    }
-    const db = useDrizzle();
-    const existingAdmin = await db.select().from(tables.users).where(eq(tables.users.email, "admin@example.com")).get();
-    if (!existingAdmin) {
-      console.log("Seeding admin user...");
-      const hashedPassword = await hashPassword("$1Password");
-      await db.insert(tables.users).values({
-        email: "admin@example.com",
-        password: hashedPassword,
-        name: "Admin User",
-        avatar: "https://i.pravatar.cc/150?u=admin",
-        role: "admin",
-        createdAt: /* @__PURE__ */ new Date(),
-        updatedAt: /* @__PURE__ */ new Date()
-      });
-      console.log("Admin user seeded.");
-    }
-  });
-});

package/src/runtime/server/plugins/seed.ts

@@ -1,41 +0,0 @@
-import { eq } from 'drizzle-orm'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
-// @ts-expect-error - #site/schema is an alias defined by the module
-import * as tables from '#site/schema'
-import { useAutoCrudConfig } from '../utils/config'
-// @ts-expect-error - #imports is available in runtime
-import { defineNitroPlugin, hashPassword, onHubReady } from '#imports'
-
-export default defineNitroPlugin(async () => {
-  onHubReady(async () => {
-    const { auth } = useAutoCrudConfig()
-
-    // Only seed if auth is enabled and we have a users table
-    if (!auth?.authentication || !tables.users) {
-      return
-    }
-
-    const db = useDrizzle()
-
-    // Check if admin exists
-    const existingAdmin = await db.select().from(tables.users).where(eq(tables.users.email, 'admin@example.com')).get()
-
-    if (!existingAdmin) {
-      console.log('Seeding admin user...')
-
-      const hashedPassword = await hashPassword('$1Password')
-
-      await db.insert(tables.users).values({
-        email: 'admin@example.com',
-        password: hashedPassword,
-        name: 'Admin User',
-        avatar: 'https://i.pravatar.cc/150?u=admin',
-        role: 'admin',
-        createdAt: new Date(),
-        updatedAt: new Date(),
-      })
-      console.log('Admin user seeded.')
-    }
-  })
-})