nuxt-auto-crud 1.13.0 → 1.15.2

package/README.md

@@ -2,7 +2,7 @@
 
 > **Note:** This module is currently in its alpha stage. However, you can use it to accelerate MVP development. It has not been tested thoroughly enough for production use; only happy-path testing is performed for each release.
 
-Auto-generate RESTful CRUD APIs for your **Nuxt** application based solely on your database schema. Minimal configuration required.
+Auto-expose RESTful CRUD APIs for your **Nuxt** application based solely on your database schema. Minimal configuration required.
 
 **Core Philosophy:**
 The main objective of this module is to **expose CRUD APIs without the need for writing code**. You define your database schema, and `nuxt-auto-crud` handles the rest.
@@ -44,7 +44,7 @@ bun run dev
 1.  **Fullstack App**: The template includes the `nuxt-auto-crud` module, providing both the backend APIs and the frontend UI. [Watch Demo](https://youtu.be/M9-koXmhB9k)
 2.  **Frontend Only**: You can use the template just for the frontend. In this case, you don't need to install the module in the frontend app. Instead, you would install `nuxt-auto-crud` in a separate backend setup (e.g., another Nuxt project acting as the API).
 
-Detailed instructions can be found in [https://auto-crud.clifland.in/](https://auto-crud.clifland.in/)
+Detailed instructions can be found in [https://auto-crud.clifland.in/docs](https://auto-crud.clifland.in/docs)
 
 ### 2. Manual Setup (Existing Project)
 
@@ -207,7 +207,7 @@ The new API endpoints (e.g., `/api/posts`) will be automatically available. [Wat
 
 ### 3. Backend-only App (API Mode)
 
-If you are using Nuxt as a backend for a separate client application (e.g., mobile app, SPA), you can use this module to quickly generate REST APIs.
+If you are using Nuxt as a backend for a separate client application (e.g., mobile app, SPA), you can use this module to quickly expose REST APIs.
 
 In this case, you might handle authentication differently (e.g., validating tokens in middleware) or disable the built-in auth checks if you have a global auth middleware.
 
@@ -467,12 +467,14 @@ You can customize hidden fields by modifying the `modelMapper.ts` utility.
 ## 🔗 Other Helpful Links
 
 - **Template:** [https://github.com/clifordpereira/nuxt-auto-crud_template](https://github.com/clifordpereira/nuxt-auto-crud_template)
-- **Docs:** [https://auto-crud.clifland.in/](https://auto-crud.clifland.in/)
+- **Docs:** [https://auto-crud.clifland.in/docs](https://auto-crud.clifland.in/docs)
 - **Repo:** [https://github.com/clifordpereira/nuxt-auto-crud](https://github.com/clifordpereira/nuxt-auto-crud)
-- **YouTube:** [https://youtu.be/M9-koXmhB9k](https://youtu.be/M9-koXmhB9k)
-- **YouTube 2:** [https://youtu.be/7gW0KW1KtN0](https://youtu.be/7gW0KW1KtN0)
+- **YouTube (Installation):** [https://youtu.be/M9-koXmhB9k](https://youtu.be/M9-koXmhB9k)
+- **YouTube (Add Schemas):** [https://youtu.be/7gW0KW1KtN0](https://youtu.be/7gW0KW1KtN0)
+- **YouTube (Various Permissions):** [https://www.youtube.com/watch?v=Yty3OCYbwOo](https://www.youtube.com/watch?v=Yty3OCYbwOo)
 - **npm:** [https://www.npmjs.com/package/nuxt-auto-crud](https://www.npmjs.com/package/nuxt-auto-crud)
-- **Discuss:** [https://discord.gg/hGgyEaGu](https://discord.gg/hGgyEaGu)
+- **Github Discussions:** [https://github.com/clifordpereira/nuxt-auto-crud/discussions/1](https://github.com/clifordpereira/nuxt-auto-crud/discussions/1)
+- **Discord:** [https://discord.gg/hGgyEaGu](https://discord.gg/hGgyEaGu)
 
 ## 🤝 Contributing
 

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.13.0",
+  "version": "1.15.2",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,4 +1,4 @@
-import { defineNuxtModule, createResolver, addServerHandler, addServerImportsDir, addImportsDir } from '@nuxt/kit';
+import { defineNuxtModule, createResolver, addImportsDir, addServerHandler, addServerImportsDir } from '@nuxt/kit';
 
 const module$1 = defineNuxtModule({
   meta: {
@@ -22,52 +22,19 @@ const module$1 = defineNuxtModule({
       options.drizzlePath
     );
     nuxt.options.alias["#site/drizzle"] = drizzlePath;
-    const abilityPath = resolver.resolve(
-      nuxt.options.rootDir,
-      "shared/utils/abilities"
-    );
-    nuxt.options.alias["#site/ability"] = abilityPath;
-    nuxt.options.alias["#authorization"] = nuxt.options.alias["#authorization"] || "nuxt-authorization/utils";
+    addImportsDir(resolver.resolve(nuxt.options.rootDir, "shared/utils"));
+    nuxt.options.alias["#authorization"] ||= "nuxt-authorization/utils";
     const { loadConfig } = await import('c12');
     const { config: externalConfig } = await loadConfig({
       name: "autocrud",
       cwd: nuxt.options.rootDir
     });
-    let mergedAuth = {
-      authentication: false,
-      authorization: false,
-      type: "session"
-    };
-    if (options.auth === true) {
-      mergedAuth = {
-        authentication: true,
-        authorization: true,
-        type: "session",
-        ...typeof externalConfig?.auth === "object" ? externalConfig.auth : {}
-      };
-    } else if (options.auth === false) {
-      mergedAuth = {
-        authentication: false,
-        authorization: false,
-        type: "session"
-      };
-    } else {
-      mergedAuth = {
-        authentication: true,
-        // Default to true if object provided? Or undefined?
-        // If options.auth is undefined, we might want defaults.
-        // But if defaults say auth: false, then options.auth might be undefined.
-        // Let's stick to the plan: default is false.
-        ...typeof externalConfig?.auth === "object" ? externalConfig.auth : {},
-        ...typeof options.auth === "object" ? options.auth : {}
-      };
-      if (mergedAuth.authentication === void 0) {
-        mergedAuth.authentication = false;
-      }
-    }
-    const mergedResources = {
-      ...externalConfig?.resources,
-      ...options.resources
+    const mergedAuth = options.auth === false ? { authentication: false, authorization: false, type: "session" } : {
+      authentication: true,
+      authorization: options.auth === true,
+      type: "session",
+      ...typeof externalConfig?.auth === "object" ? externalConfig.auth : {},
+      ...typeof options.auth === "object" ? options.auth : {}
     };
     nuxt.options.runtimeConfig.autoCrud = {
       auth: {
@@ -76,7 +43,10 @@ const module$1 = defineNuxtModule({
         type: mergedAuth.type ?? "session",
         jwtSecret: mergedAuth.jwtSecret
       },
-      resources: mergedResources || {}
+      resources: {
+        ...externalConfig?.resources,
+        ...options.resources
+      }
     };
     const apiDir = resolver.resolve("./runtime/server/api");
     addServerHandler({

package/dist/runtime/server/api/[model]/[id].get.js

@@ -3,6 +3,7 @@ import { eq } from "drizzle-orm";
 import { getTableForModel } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "read");
@@ -14,5 +15,14 @@ export default eventHandler(async (event) => {
       message: "Record not found"
     });
   }
+  if ("status" in record && record.status !== "active") {
+    const canListAll = await checkAdminAccess(event, model, "list_all");
+    if (!canListAll) {
+      throw createError({
+        statusCode: 404,
+        message: "Record not found"
+      });
+    }
+  }
   return formatResourceResult(model, record, isAdmin);
 });

package/dist/runtime/server/api/[model]/index.get.js

@@ -1,13 +1,25 @@
 import { eventHandler, getRouterParams } from "h3";
 import { getTableForModel } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
-import { desc } from "drizzle-orm";
+import { desc, getTableColumns, eq } from "drizzle-orm";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   console.log("[GET] Request received", event.path);
   const { model } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "list");
+  let canListAll = false;
+  try {
+    canListAll = await checkAdminAccess(event, model, "list_all");
+  } catch {
+    canListAll = false;
+  }
   const table = getTableForModel(model);
-  const results = await useDrizzle().select().from(table).orderBy(desc(table.id)).all();
+  const columns = getTableColumns(table);
+  let query = useDrizzle().select().from(table);
+  if (!canListAll && "status" in columns) {
+    query = query.where(eq(table.status, "active"));
+  }
+  const results = await query.orderBy(desc(table.id)).all();
   return results.map((item) => formatResourceResult(model, item, isAdmin));
 });

package/dist/runtime/server/utils/auth.js

@@ -1,6 +1,5 @@
 import { createError } from "h3";
-import globalAbility from "#site/ability";
-import { requireUserSession, allows } from "#imports";
+import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from "#imports";
 import { useAutoCrudConfig } from "./config.js";
 import { verifyJwtToken } from "./jwt.js";
 export async function checkAdminAccess(event, model, action) {
@@ -15,42 +14,39 @@ export async function checkAdminAccess(event, model, action) {
     }
     return verifyJwtToken(event, auth.jwtSecret);
   }
+  let user = null;
   try {
-    await requireUserSession(event);
-    if (auth.authorization) {
-      const allowed = await allows(event, globalAbility, model, action);
+    const session = await getUserSession(event);
+    user = session.user;
+  } catch {
+  }
+  if (auth.authorization) {
+    try {
+      const guestCheck = !user && (typeof abilityLogic === "function" ? abilityLogic : typeof globalAbility === "function" ? globalAbility : null);
+      const allowed = guestCheck ? await guestCheck(null, model, action) : await allows(event, globalAbility, model, action);
       if (!allowed) {
-        throw createError({
-          statusCode: 403,
-          message: "Forbidden"
-        });
+        if (user) throw createError({ statusCode: 403, message: "Forbidden" });
+        return false;
       }
+      return true;
+    } catch (err) {
+      if (err.statusCode === 403) throw err;
+      return false;
     }
+  }
+  if (user) {
     return true;
-  } catch (e) {
-    if (e.statusCode === 403) {
-      throw e;
-    }
-    return false;
   }
+  return false;
 }
 export async function ensureAuthenticated(event) {
   const { auth } = useAutoCrudConfig();
-  if (!auth?.authentication) {
-    return;
-  }
-  let isAuthenticated = false;
+  if (!auth?.authentication) return;
   if (auth.type === "jwt" && auth.jwtSecret) {
-    isAuthenticated = await verifyJwtToken(event, auth.jwtSecret);
-  } else {
-    try {
-      await requireUserSession(event);
-      isAuthenticated = true;
-    } catch {
-      isAuthenticated = false;
+    if (!await verifyJwtToken(event, auth.jwtSecret)) {
+      throw createError({ statusCode: 401, message: "Unauthorized" });
     }
+    return;
   }
-  if (!isAuthenticated) {
-    throw createError({ statusCode: 401, message: "Unauthorized" });
-  }
+  await requireUserSession(event);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.13.0",
+  "version": "1.15.2",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",
@@ -61,6 +61,7 @@
     "@iconify-json/heroicons": "^1.2.3",
     "@iconify-json/lucide": "^1.2.77",
     "@iconify-json/simple-icons": "^1.2.61",
+    "@iconify-json/vscode-icons": "^1.2.37",
     "@nuxt/devtools": "^3.1.0",
     "@nuxt/eslint-config": "^1.10.0",
     "@nuxt/module-builder": "^1.0.2",

package/src/runtime/server/api/[model]/[id].get.ts

@@ -6,6 +6,7 @@ import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+import { checkAdminAccess } from '../../utils/auth'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
@@ -26,5 +27,17 @@ export default eventHandler(async (event) => {
     })
   }
 
+  // Filter inactive rows for non-admins (or those without list_all) if status field exists
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  if ('status' in record && (record as any).status !== 'active') {
+    const canListAll = await checkAdminAccess(event, model, 'list_all')
+    if (!canListAll) {
+      throw createError({
+        statusCode: 404,
+        message: 'Record not found',
+      })
+    }
+  }
+
   return formatResourceResult(model, record as Record<string, unknown>, isAdmin)
 })

package/src/runtime/server/api/[model]/index.get.ts

@@ -3,18 +3,38 @@ import { eventHandler, getRouterParams } from 'h3'
 import { getTableForModel } from '../../utils/modelMapper'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-import { desc } from 'drizzle-orm'
+import { desc, getTableColumns, eq } from 'drizzle-orm'
 import type { TableWithId } from '../../types'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
   console.log('[GET] Request received', event.path)
   const { model } = getRouterParams(event) as { model: string }
   const isAdmin = await ensureResourceAccess(event, model, 'list')
 
+  let canListAll = false
+  try {
+    canListAll = await checkAdminAccess(event, model, 'list_all')
+  }
+  catch {
+    canListAll = false
+  }
+
   const table = getTableForModel(model) as TableWithId
+  const columns = getTableColumns(table)
+
+  let query = useDrizzle().select().from(table)
+
+  // Filter active rows for non-admins (or those without list_all) if status field exists
+
+  if (!canListAll && 'status' in columns) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    query = query.where(eq((table as any).status, 'active')) as any
+  }
 
-  const results = await useDrizzle().select().from(table).orderBy(desc(table.id)).all()
+  const results = await query.orderBy(desc(table.id)).all()
 
   return results.map((item: Record<string, unknown>) => formatResourceResult(model, item, isAdmin))
 })

package/src/runtime/server/utils/auth.ts

@@ -2,9 +2,8 @@
 /// <reference path="../../auth.d.ts" />
 import type { H3Event } from 'h3'
 import { createError } from 'h3'
-import globalAbility from '#site/ability'
 // @ts-expect-error - #imports is available in runtime
-import { requireUserSession, allows } from '#imports'
+import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from '#imports'
 import { useAutoCrudConfig } from './config'
 import { verifyJwtToken } from './jwt'
 
@@ -24,55 +23,55 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
   }
 
   // Session based (default)
+  let user = null
   try {
-    await requireUserSession(event)
+    const session = await getUserSession(event)
+    user = session.user
+  }
+  catch {
+    // No session or error fetching session
+  }
+
+  // Check authorization if enabled
+  if (auth.authorization) {
+    try {
+      const guestCheck = !user && (typeof abilityLogic === 'function' ? abilityLogic : (typeof globalAbility === 'function' ? globalAbility : null))
+
+      const allowed = guestCheck
+        ? await guestCheck(null, model, action)
+        : await allows(event, globalAbility, model, action)
 
-    // Check authorization if enabled
-    if (auth.authorization) {
-      const allowed = await allows(event, globalAbility, model, action)
       if (!allowed) {
-        throw createError({
-          statusCode: 403,
-          message: 'Forbidden',
-        })
+        if (user) throw createError({ statusCode: 403, message: 'Forbidden' })
+        return false
       }
+      return true
     }
+    catch (err) {
+      if ((err as { statusCode: number }).statusCode === 403) throw err
+      return false
+    }
+  }
 
+  // If authorization is NOT enabled, we rely on authentication only.
+  if (user) {
     return true
   }
-  catch (e: unknown) {
-    // If it's a 403 (Forbidden) from our ability check, rethrow it
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    if ((e as any).statusCode === 403) {
-      throw e
-    }
-    // Otherwise (401 from requireUserSession or function not available), return false (treat as guest)
-    return false
-  }
+
+  return false
 }
 
 export async function ensureAuthenticated(event: H3Event): Promise<void> {
   const { auth } = useAutoCrudConfig()
 
-  if (!auth?.authentication) {
-    return
-  }
+  if (!auth?.authentication) return
 
-  let isAuthenticated = false
   if (auth.type === 'jwt' && auth.jwtSecret) {
-    isAuthenticated = await verifyJwtToken(event, auth.jwtSecret)
-  }
-  else {
-    try {
-      await requireUserSession(event)
-      isAuthenticated = true
-    }
-    catch {
-      isAuthenticated = false
+    if (!await verifyJwtToken(event, auth.jwtSecret)) {
+      throw createError({ statusCode: 401, message: 'Unauthorized' })
     }
+    return
   }
 
-  if (!isAuthenticated) {
-    throw createError({ statusCode: 401, message: 'Unauthorized' })
-  }
+  await requireUserSession(event)
 }