nuxt-auto-crud 1.14.1 → 1.16.1

package/README.md

@@ -1,6 +1,6 @@
 # Nuxt Auto CRUD
 
-> **Note:** This module is currently in its alpha stage. However, you can use it to accelerate MVP development. It has not been tested thoroughly enough for production use; only happy-path testing is performed for each release.
+> **Note:** This module is widely used in MVP development and is rapidly maturing. While currently in **Beta**, the core API (CRUD) is stable. Breaking changes may still occur in configuration or advanced features. Production use is encouraged with version pinning.
 
 Auto-expose RESTful CRUD APIs for your **Nuxt** application based solely on your database schema. Minimal configuration required.
 
@@ -13,6 +13,7 @@ And you don't need a separate Strapi or Supabase setup to automate your CRUD pro
 While this module exposes CRUD APIs, you are expected to build your own frontend application to consume them.
 
 - [✨ Release Notes](/CHANGELOG.md)
+- [🗺️ Roadmap](/ROADMAP.md)
 - [🎮 Try the Playground](/playground)
 
 ## 🚀 CRUD APIs are ready to use without code
@@ -320,33 +321,29 @@ To run the tests locally:
 npm run test
 ```
 
-## 🛡️ Resource Configuration (RBAC)
+## 🛡️ Public View Configuration (Field Visibility)
 
-You can define fine-grained access control and resource policies using `autocrud.config.ts` in your project root. This file is optional and useful when you need specific rules per resource.
+You can define which fields are visible to unauthenticated (guest) users in your `nuxt.config.ts`.
+> **Note:** Access control (RBAC) - determining *who* can access *what* - is expected to be handled by your database/permissions system (using `nuxt-authorization`). This configuration only controls the *serialization* of the response for guests.
 
 ```typescript
-// autocrud.config.ts
-export default {
-  resources: {
-    users: {
-      // Access Control
-      auth: {
-        // Admin has full access
-        admin: true,
-        // Public (unauthenticated) users can only list and read
-        public: ['list', 'read'],
-      },
-      // Field Visibility
-      publicColumns: ['id', 'name', 'avatar'], // Only these columns are returned to public users
+// nuxt.config.ts
+export default defineNuxtConfig({
+  autoCrud: {
+    resources: {
+      // Guest View: Only these columns are visible to unauthenticated users.
+      // Access control (who can list/read) is managed by your DB permissions.
+      users: ['id', 'name', 'avatar'], 
     },
-  }
-}
+  },
+})
 ```
 
 ## ⚠️ Known Issues
 
-- **Foreign Key Naming:** Currently, if you have multiple foreign keys referring to the same table (e.g., `customer_id` and `author_id` both referring to the `users` table), the automatic relation handling might assume `user_id` for both. This is a known limitation in the current alpha version.
-- **Sidebar Visibility:** For non-admin users, the sidebar resource list might not be fully visible or populated in the current playground implementation. This is a known limitation.
+- **Automatic Relation Expansion:** The module tries to automatically expand foreign keys (e.g., `user_id` -> `user: { name: ... }`). However, this relies on the foreign key column name matching the target table name (e.g., `user_id` for `users`).
+  - **Limitation:** If you have custom FK names like `customer_id` or `author_id` pointing to `users`, the automatic expansion will not work yet.
+  - **Workaround:** Ensure your FK columns follow the `tablename_id` convention where possible for now.
 
 ## 🎮 Try the Playground
 
@@ -431,7 +428,12 @@ export default defineNuxtConfig({
     // Authentication configuration (see "Authentication Configuration" section)
     auth: {
         // ...
-    }
+    },
+
+    // Public Guest View Configuration (Field Visibility)
+    resources: {
+        users: ['id', 'name', 'avatar'],
+    },
   },
 });
 ```
@@ -472,6 +474,7 @@ You can customize hidden fields by modifying the `modelMapper.ts` utility.
 - **YouTube (Installation):** [https://youtu.be/M9-koXmhB9k](https://youtu.be/M9-koXmhB9k)
 - **YouTube (Add Schemas):** [https://youtu.be/7gW0KW1KtN0](https://youtu.be/7gW0KW1KtN0)
 - **YouTube (Various Permissions):** [https://www.youtube.com/watch?v=Yty3OCYbwOo](https://www.youtube.com/watch?v=Yty3OCYbwOo)
+- **YouTube (Dynamic RBAC):** [https://www.youtube.com/watch?v=W0ju4grRC9M](https://www.youtube.com/watch?v=W0ju4grRC9M)
 - **npm:** [https://www.npmjs.com/package/nuxt-auto-crud](https://www.npmjs.com/package/nuxt-auto-crud)
 - **Github Discussions:** [https://github.com/clifordpereira/nuxt-auto-crud/discussions/1](https://github.com/clifordpereira/nuxt-auto-crud/discussions/1)
 - **Discord:** [https://discord.gg/hGgyEaGu](https://discord.gg/hGgyEaGu)

package/dist/module.d.mts

@@ -17,22 +17,10 @@ interface ModuleOptions {
     auth?: boolean | AuthOptions;
     /**
      * Resource-specific configuration
-     * Define public access and column visibility
+     * Define column visibility for unauthenticated users
      */
     resources?: {
-        [modelName: string]: {
-            /**
-             * Actions allowed without authentication
-             * true = all actions
-             * array = specific actions ('list', 'create', 'read', 'update', 'delete')
-             */
-            public?: boolean | ('list' | 'create' | 'read' | 'update' | 'delete')[];
-            /**
-             * Columns to return for unauthenticated requests
-             * If not specified, all columns (except hidden ones) are returned
-             */
-            publicColumns?: string[];
-        };
+        [modelName: string]: string[];
     };
 }
 interface AuthOptions {

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.14.1",
+  "version": "1.16.1",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -24,16 +24,10 @@ const module$1 = defineNuxtModule({
     nuxt.options.alias["#site/drizzle"] = drizzlePath;
     addImportsDir(resolver.resolve(nuxt.options.rootDir, "shared/utils"));
     nuxt.options.alias["#authorization"] ||= "nuxt-authorization/utils";
-    const { loadConfig } = await import('c12');
-    const { config: externalConfig } = await loadConfig({
-      name: "autocrud",
-      cwd: nuxt.options.rootDir
-    });
     const mergedAuth = options.auth === false ? { authentication: false, authorization: false, type: "session" } : {
       authentication: true,
       authorization: options.auth === true,
       type: "session",
-      ...typeof externalConfig?.auth === "object" ? externalConfig.auth : {},
       ...typeof options.auth === "object" ? options.auth : {}
     };
     nuxt.options.runtimeConfig.autoCrud = {
@@ -44,7 +38,6 @@ const module$1 = defineNuxtModule({
         jwtSecret: mergedAuth.jwtSecret
       },
       resources: {
-        ...externalConfig?.resources,
         ...options.resources
       }
     };

package/dist/runtime/server/api/[model]/[id].get.js

@@ -3,6 +3,7 @@ import { eq } from "drizzle-orm";
 import { getTableForModel } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "read");
@@ -14,5 +15,14 @@ export default eventHandler(async (event) => {
       message: "Record not found"
     });
   }
+  if ("status" in record && record.status !== "active") {
+    const canListAll = await checkAdminAccess(event, model, "list_all");
+    if (!canListAll) {
+      throw createError({
+        statusCode: 404,
+        message: "Record not found"
+      });
+    }
+  }
   return formatResourceResult(model, record, isAdmin);
 });

package/dist/runtime/server/api/[model]/index.get.js

@@ -1,13 +1,25 @@
 import { eventHandler, getRouterParams } from "h3";
 import { getTableForModel } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
-import { desc } from "drizzle-orm";
+import { desc, getTableColumns, eq } from "drizzle-orm";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   console.log("[GET] Request received", event.path);
   const { model } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "list");
+  let canListAll = false;
+  try {
+    canListAll = await checkAdminAccess(event, model, "list_all");
+  } catch {
+    canListAll = false;
+  }
   const table = getTableForModel(model);
-  const results = await useDrizzle().select().from(table).orderBy(desc(table.id)).all();
+  const columns = getTableColumns(table);
+  let query = useDrizzle().select().from(table);
+  if (!canListAll && "status" in columns) {
+    query = query.where(eq(table.status, "active"));
+  }
+  const results = await query.orderBy(desc(table.id)).all();
   return results.map((item) => formatResourceResult(model, item, isAdmin));
 });

package/dist/runtime/server/utils/auth.js

@@ -1,5 +1,5 @@
 import { createError } from "h3";
-import { requireUserSession, allows, getUserSession, abilities as globalAbility } from "#imports";
+import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from "#imports";
 import { useAutoCrudConfig } from "./config.js";
 import { verifyJwtToken } from "./jwt.js";
 export async function checkAdminAccess(event, model, action) {
@@ -22,7 +22,7 @@ export async function checkAdminAccess(event, model, action) {
   }
   if (auth.authorization) {
     try {
-      const guestCheck = !user && (typeof globalAbility === "function" ? globalAbility : null);
+      const guestCheck = !user && (typeof abilityLogic === "function" ? abilityLogic : typeof globalAbility === "function" ? globalAbility : null);
       const allowed = guestCheck ? await guestCheck(null, model, action) : await allows(event, globalAbility, model, action);
       if (!allowed) {
         if (user) throw createError({ statusCode: 403, message: "Forbidden" });

package/dist/runtime/server/utils/handler.js

@@ -2,20 +2,21 @@ import { createError } from "h3";
 import { useAutoCrudConfig } from "./config.js";
 import { checkAdminAccess } from "./auth.js";
 import { filterHiddenFields, filterPublicColumns } from "./modelMapper.js";
+import { getUserSession } from "#imports";
 export async function ensureResourceAccess(event, model, action) {
-  const { resources } = useAutoCrudConfig();
-  const isAdmin = await checkAdminAccess(event, model, action);
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model];
-    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes(action);
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: "Unauthorized"
-      });
-    }
+  const { auth } = useAutoCrudConfig();
+  const isAuthorized = await checkAdminAccess(event, model, action);
+  if (!isAuthorized) {
+    throw createError({
+      statusCode: 401,
+      message: "Unauthorized"
+    });
   }
-  return isAdmin;
+  if (!auth?.authentication) {
+    return true;
+  }
+  const session = await getUserSession(event);
+  return !!session.user;
 }
 export function formatResourceResult(model, data, isAdmin) {
   if (isAdmin) {

package/dist/runtime/server/utils/modelMapper.js

@@ -93,7 +93,7 @@ export function getHiddenFields(modelName) {
 }
 export function getPublicColumns(modelName) {
   const { resources } = useRuntimeConfig().autoCrud;
-  return resources?.[modelName]?.publicColumns;
+  return resources?.[modelName];
 }
 export function filterPublicColumns(modelName, data) {
   const publicColumns = getPublicColumns(modelName);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.14.1",
+  "version": "1.16.1",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",
@@ -49,10 +49,10 @@
   "dependencies": {
     "@nuxt/kit": "^4.2.1",
     "@types/pluralize": "^0.0.33",
-    "pluralize": "^8.0.0",
-    "scule": "^1.0.0",
     "c12": "^2.0.1",
-    "jose": "^5.9.6"
+    "jose": "^5.9.6",
+    "pluralize": "^8.0.0",
+    "scule": "^1.0.0"
   },
   "peerDependencies": {
     "drizzle-orm": ">=0.30.0"
@@ -68,8 +68,9 @@
     "@nuxt/schema": "^4.2.1",
     "@nuxt/test-utils": "^3.20.1",
     "@nuxthub/core": "^0.9.1",
+    "@types/better-sqlite3": "^7.6.13",
     "@types/node": "latest",
-    "better-sqlite3": "^12.4.6",
+    "better-sqlite3": "^12.5.0",
     "changelogen": "^0.6.2",
     "drizzle-kit": "^0.31.7",
     "drizzle-orm": "^0.38.3",

package/src/runtime/server/api/[model]/[id].get.ts

@@ -6,6 +6,7 @@ import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+import { checkAdminAccess } from '../../utils/auth'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
@@ -26,5 +27,17 @@ export default eventHandler(async (event) => {
     })
   }
 
+  // Filter inactive rows for non-admins (or those without list_all) if status field exists
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  if ('status' in record && (record as any).status !== 'active') {
+    const canListAll = await checkAdminAccess(event, model, 'list_all')
+    if (!canListAll) {
+      throw createError({
+        statusCode: 404,
+        message: 'Record not found',
+      })
+    }
+  }
+
   return formatResourceResult(model, record as Record<string, unknown>, isAdmin)
 })

package/src/runtime/server/api/[model]/index.get.ts

@@ -3,18 +3,38 @@ import { eventHandler, getRouterParams } from 'h3'
 import { getTableForModel } from '../../utils/modelMapper'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-import { desc } from 'drizzle-orm'
+import { desc, getTableColumns, eq } from 'drizzle-orm'
 import type { TableWithId } from '../../types'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
   console.log('[GET] Request received', event.path)
   const { model } = getRouterParams(event) as { model: string }
   const isAdmin = await ensureResourceAccess(event, model, 'list')
 
+  let canListAll = false
+  try {
+    canListAll = await checkAdminAccess(event, model, 'list_all')
+  }
+  catch {
+    canListAll = false
+  }
+
   const table = getTableForModel(model) as TableWithId
+  const columns = getTableColumns(table)
+
+  let query = useDrizzle().select().from(table)
+
+  // Filter active rows for non-admins (or those without list_all) if status field exists
+
+  if (!canListAll && 'status' in columns) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    query = query.where(eq((table as any).status, 'active')) as any
+  }
 
-  const results = await useDrizzle().select().from(table).orderBy(desc(table.id)).all()
+  const results = await query.orderBy(desc(table.id)).all()
 
   return results.map((item: Record<string, unknown>) => formatResourceResult(model, item, isAdmin))
 })

package/src/runtime/server/utils/auth.ts

@@ -3,7 +3,7 @@
 import type { H3Event } from 'h3'
 import { createError } from 'h3'
 // @ts-expect-error - #imports is available in runtime
-import { requireUserSession, allows, getUserSession, abilities as globalAbility } from '#imports'
+import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from '#imports'
 import { useAutoCrudConfig } from './config'
 import { verifyJwtToken } from './jwt'
 
@@ -35,7 +35,8 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
   // Check authorization if enabled
   if (auth.authorization) {
     try {
-      const guestCheck = !user && (typeof globalAbility === 'function' ? globalAbility : null)
+      const guestCheck = !user && (typeof abilityLogic === 'function' ? abilityLogic : (typeof globalAbility === 'function' ? globalAbility : null))
+
       const allowed = guestCheck
         ? await guestCheck(null, model, action)
         : await allows(event, globalAbility, model, action)

package/src/runtime/server/utils/handler.ts

@@ -4,26 +4,29 @@ import { useAutoCrudConfig } from './config'
 import { checkAdminAccess } from './auth'
 import { filterHiddenFields, filterPublicColumns } from './modelMapper'
 
+// @ts-expect-error - #imports is available in runtime
+import { getUserSession } from '#imports'
+
 export async function ensureResourceAccess(event: H3Event, model: string, action: string): Promise<boolean> {
-  const { resources } = useAutoCrudConfig()
-  const isAdmin = await checkAdminAccess(event, model, action)
+  const { auth } = useAutoCrudConfig()
 
-  // Check public access if not admin
-  if (!isAdmin) {
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const resourceConfig = (resources as any)?.[model]
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && (resourceConfig.public as any[]).includes(action))
+  // This throws 403 if not authorized
+  const isAuthorized = await checkAdminAccess(event, model, action)
+  if (!isAuthorized) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized',
+    })
+  }
 
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
+  // If authentication is disabled, treated as fully inclusive access
+  if (!auth?.authentication) {
+    return true
   }
 
-  return isAdmin
+  // Check if user is authenticated
+  const session = await getUserSession(event)
+  return !!session.user
 }
 
 export function formatResourceResult(model: string, data: Record<string, unknown>, isAdmin: boolean) {

package/src/runtime/server/utils/modelMapper.ts

@@ -213,7 +213,8 @@ export function getHiddenFields(modelName: string): string[] {
  */
 export function getPublicColumns(modelName: string): string[] | undefined {
   const { resources } = useRuntimeConfig().autoCrud
-  return resources?.[modelName]?.publicColumns
+  // Runtime config structure now matches simple key-value
+  return resources?.[modelName]
 }
 
 /**