nuxt-auto-crud 1.17.3 → 1.19.1

package/README.md

@@ -51,13 +51,13 @@ Detailed instructions can be found in [https://auto-crud.clifland.in/docs/auto-c
 
 If you want to add `nuxt-auto-crud` to an existing project, follow these steps:
 
-> **Note:** These instructions assume you are using NuxtHub. If you are using a custom SQLite setup (e.g. better-sqlite3, Turso), please see [Custom Setup](./custom-setup.md).
+> **Note:** These instructions have been simplified for NuxtHub.
 
 #### Install dependencies
 
 ```bash
 # Install module and required dependencies
-npm install nuxt-auto-crud @nuxthub/core@latest drizzle-orm
+npm install nuxt-auto-crud @nuxthub/core@^0.10.0 drizzle-orm
 
 # Optional: Install auth dependencies if using Session Auth (Recommended)
 npm install nuxt-auth-utils nuxt-authorization
@@ -80,11 +80,11 @@ export default defineNuxtConfig({
   modules: ['@nuxthub/core', 'nuxt-auto-crud'],
 
   hub: {
-    database: true,
+    db: 'sqlite',
   },
 
   autoCrud: {
-    schemaPath: 'server/database/schema',
+    schemaPath: 'server/db/schema',
     // auth: false,
     auth: {
       type: 'session', // for Normal Authentication with nuxt-auth-utils
@@ -102,7 +102,7 @@ Add the generation script to your `package.json`:
 ```json
 {
   "scripts": {
-    "db:generate": "drizzle-kit generate"
+    "db:generate": "nuxt db generate"
   }
   // ...
 }
@@ -116,37 +116,19 @@ import { defineConfig } from 'drizzle-kit'
 
 export default defineConfig({
   dialect: 'sqlite',
-  schema: './server/database/schema/index.ts', // Point to your schema index file
-  out: './server/database/migrations'
+  schema: './server/db/schema/index.ts', // Point to your schema index file
+  out: './server/db/migrations'
 })
 ```
 
-#### Setup Database Connection
 
-Create `server/utils/drizzle.ts` to export the database instance:
-
-```typescript
-// server/utils/drizzle.ts
-import { drizzle } from 'drizzle-orm/d1'
-export { sql, eq, and, or } from 'drizzle-orm'
-
-import * as schema from '../database/schema'
-
-export const tables = schema
-
-export function useDrizzle() {
-  return drizzle(hubDatabase(), { schema })
-}
-
-export type User = typeof schema.users.$inferSelect
-```
 
 #### Define your database schema
 
-Create your schema files in `server/database/schema/`. For example, `server/database/schema/users.ts`:
+Create your schema files in `server/db/schema/`. For example, `server/db/schema/users.ts`:
 
 ```typescript
-// server/database/schema/users.ts
+// server/db/schema/users.ts
 import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core'
 
 export const users = sqliteTable('users', {
@@ -174,7 +156,7 @@ That's it! 🎉 Your CRUD APIs are now available at `/api/users`.
 To add a new table (e.g., `posts`), simply create a new file in your schema directory:
 
 ```typescript
-// server/database/schema/posts.ts
+// server/db/schema/posts.ts
 import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core'
 import { users } from './users'
 
@@ -187,10 +169,10 @@ export const posts = sqliteTable('posts', {
 })
 ```
 
-Then, ensure it is exported in your `server/database/schema/index.ts` (if you are using an index file) or that your `drizzle.config.ts` is pointing to the correct location.
+Then, ensure it is exported in your `server/db/schema/index.ts` (if you are using an index file) or that your `drizzle.config.ts` is pointing to the correct location.
 
 ```typescript
-// server/database/schema/index.ts
+// server/db/schema/index.ts
 export * from './users'
 export * from './posts'
 ```
@@ -217,7 +199,7 @@ In this case, you might handle authentication differently (e.g., validating toke
 export default defineNuxtConfig({
   modules: ['nuxt-auto-crud'],
   autoCrud: {
-    schemaPath: 'server/database/schema',
+    schemaPath: 'server/db/schema',
     // auth: false, // Uncomment this line for testing APIs without auth   
     auth: {
       type: 'jwt', // for app providing backend apis only
@@ -239,8 +221,8 @@ import { defineConfig } from 'drizzle-kit'
 
 export default defineConfig({
   dialect: 'sqlite',
-  schema: './server/database/schema/index.ts',
-  out: './server/database/migrations',
+  schema: './server/db/schema/index.ts',
+  out: './server/db/migrations',
   tablesFilter: ['!_hub_migrations'],
 })
 ```
@@ -423,7 +405,7 @@ await $fetch("/api/users/1", {
 export default defineNuxtConfig({
   autoCrud: {
     // Path to your database schema file (relative to project root)
-    schemaPath: "server/database/schema", // default
+    schemaPath: "server/db/schema", // default
     
     // Authentication configuration (see "Authentication Configuration" section)
     auth: {
@@ -464,7 +446,7 @@ You can customize hidden fields by modifying the `modelMapper.ts` utility.
 
 - Nuxt 3 or 4
 - Drizzle ORM (SQLite)
-- NuxtHub (Recommended) or [Custom SQLite Setup](./custom-setup.md)
+- NuxtHub >= 0.10.0
 
 ## 🔗 Other Helpful Links
 

package/dist/module.d.mts

@@ -6,11 +6,6 @@ interface ModuleOptions {
      * @default 'server/database/schema'
      */
     schemaPath?: string;
-    /**
-     * Path to the drizzle instance file (must export useDrizzle)
-     * @default 'server/utils/drizzle'
-     */
-    drizzlePath?: string;
     /**
      * Authentication configuration
      */
@@ -22,6 +17,11 @@ interface ModuleOptions {
     resources?: {
         [modelName: string]: string[];
     };
+    /**
+     * Fields that should be automatically hashed before storage
+     * @default ['password']
+     */
+    hashedFields?: string[];
 }
 interface AuthOptions {
     /**

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.17.3",
+  "version": "1.19.1",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,4 +1,4 @@
-import { defineNuxtModule, createResolver, addImportsDir, addServerHandler, addServerImportsDir } from '@nuxt/kit';
+import { defineNuxtModule, createResolver, addImportsDir, hasNuxtModule, addServerImports, addServerHandler, addServerImportsDir } from '@nuxt/kit';
 
 const module$1 = defineNuxtModule({
   meta: {
@@ -6,8 +6,7 @@ const module$1 = defineNuxtModule({
     configKey: "autoCrud"
   },
   defaults: {
-    schemaPath: "server/database/schema",
-    drizzlePath: "server/utils/drizzle",
+    schemaPath: "server/db/schema",
     auth: false
   },
   async setup(options, nuxt) {
@@ -17,12 +16,22 @@ const module$1 = defineNuxtModule({
       options.schemaPath
     );
     nuxt.options.alias["#site/schema"] = schemaPath;
-    const drizzlePath = resolver.resolve(
-      nuxt.options.rootDir,
-      options.drizzlePath
-    );
-    nuxt.options.alias["#site/drizzle"] = drizzlePath;
     addImportsDir(resolver.resolve(nuxt.options.rootDir, "shared/utils"));
+    const stubsPath = resolver.resolve("./runtime/server/stubs/auth");
+    if (!hasNuxtModule("nuxt-auth-utils")) {
+      addServerImports([
+        { name: "requireUserSession", from: stubsPath },
+        { name: "getUserSession", from: stubsPath },
+        { name: "hashPassword", from: stubsPath }
+      ]);
+    }
+    if (!hasNuxtModule("nuxt-authorization")) {
+      addServerImports([
+        { name: "allows", from: stubsPath },
+        { name: "abilities", from: stubsPath },
+        { name: "abilityLogic", from: stubsPath }
+      ]);
+    }
     nuxt.options.alias["#authorization"] ||= "nuxt-authorization/utils";
     const mergedAuth = options.auth === false ? { authentication: false, authorization: false, type: "session" } : {
       authentication: true,
@@ -39,7 +48,8 @@ const module$1 = defineNuxtModule({
       },
       resources: {
         ...options.resources
-      }
+      },
+      hashedFields: options.hashedFields ?? ["password"]
     };
     const apiDir = resolver.resolve("./runtime/server/api");
     addServerHandler({

package/dist/runtime/server/api/[model]/[id].delete.js

@@ -1,14 +1,14 @@
 import { eventHandler, getRouterParams, createError } from "h3";
 import { eq } from "drizzle-orm";
 import { getTableForModel, getModelSingularName } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
+import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "delete");
   const table = getTableForModel(model);
   const singularName = getModelSingularName(model);
-  const deletedRecord = await useDrizzle().delete(table).where(eq(table.id, Number(id))).returning().get();
+  const deletedRecord = await db.delete(table).where(eq(table.id, Number(id))).returning().get();
   if (!deletedRecord) {
     throw createError({
       statusCode: 404,

package/dist/runtime/server/api/[model]/[id].get.js

@@ -1,14 +1,14 @@
 import { eventHandler, getRouterParams, createError } from "h3";
 import { eq } from "drizzle-orm";
 import { getTableForModel } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
+import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "read");
   const table = getTableForModel(model);
-  const record = await useDrizzle().select().from(table).where(eq(table.id, Number(id))).get();
+  const record = await db.select().from(table).where(eq(table.id, Number(id))).get();
   if (!record) {
     throw createError({
       statusCode: 404,

package/dist/runtime/server/api/[model]/[id].patch.js

@@ -1,18 +1,19 @@
 import { eventHandler, getRouterParams, readBody, createError } from "h3";
 import { eq } from "drizzle-orm";
 import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
-import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { db } from "hub:db";
+import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
-  const isAdmin = await ensureResourceAccess(event, model, "update");
+  const isAdmin = await ensureResourceAccess(event, model, "update", { id });
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
+  await hashPayloadFields(payload);
   if ("updatedAt" in table) {
     payload.updatedAt = /* @__PURE__ */ new Date();
   }
-  const updatedRecord = await useDrizzle().update(table).set(payload).where(eq(table.id, Number(id))).returning().get();
+  const updatedRecord = await db.update(table).set(payload).where(eq(table.id, Number(id))).returning().get();
   if (!updatedRecord) {
     throw createError({
       statusCode: 404,

package/dist/runtime/server/api/[model]/index.get.js

@@ -1,6 +1,6 @@
 import { eventHandler, getRouterParams } from "h3";
 import { getTableForModel } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
+import { db } from "hub:db";
 import { desc, getTableColumns, eq } from "drizzle-orm";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 import { checkAdminAccess } from "../../utils/auth.js";
@@ -16,7 +16,7 @@ export default eventHandler(async (event) => {
   }
   const table = getTableForModel(model);
   const columns = getTableColumns(table);
-  let query = useDrizzle().select().from(table);
+  let query = db.select().from(table);
   if (!canListAll && "status" in columns) {
     query = query.where(eq(table.status, "active"));
   }

package/dist/runtime/server/api/[model]/index.post.js

@@ -1,13 +1,14 @@
 import { eventHandler, getRouterParams, readBody } from "h3";
 import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
-import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { db } from "hub:db";
+import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
   const { model } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "create");
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
-  const newRecord = await useDrizzle().insert(table).values(payload).returning().get();
+  await hashPayloadFields(payload);
+  const newRecord = await db.insert(table).values(payload).returning().get();
   return formatResourceResult(model, newRecord, isAdmin);
 });

package/dist/runtime/server/stubs/auth.d.ts

@@ -0,0 +1,8 @@
+export declare const requireUserSession: () => never;
+export declare const getUserSession: () => Promise<{
+    user: null;
+}>;
+export declare const hashPassword: (password: string) => Promise<string>;
+export declare const allows: () => Promise<boolean>;
+export declare const abilities: null;
+export declare const abilityLogic: null;

package/dist/runtime/server/stubs/auth.js

@@ -0,0 +1,11 @@
+export const requireUserSession = () => {
+  throw new Error("nuxt-auth-utils not installed");
+};
+export const getUserSession = () => Promise.resolve({ user: null });
+export const hashPassword = (password) => {
+  console.warn("nuxt-auth-utils not installed. Password not hashed!");
+  return Promise.resolve(password);
+};
+export const allows = () => Promise.resolve(true);
+export const abilities = null;
+export const abilityLogic = null;

package/dist/runtime/server/utils/auth.d.ts

@@ -1,3 +1,3 @@
 import type { H3Event } from 'h3';
-export declare function checkAdminAccess(event: H3Event, model: string, action: string): Promise<boolean>;
+export declare function checkAdminAccess(event: H3Event, model: string, action: string, context?: unknown): Promise<boolean>;
 export declare function ensureAuthenticated(event: H3Event): Promise<void>;

package/dist/runtime/server/utils/auth.js

@@ -2,7 +2,7 @@ import { createError } from "h3";
 import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from "#imports";
 import { useAutoCrudConfig } from "./config.js";
 import { verifyJwtToken } from "./jwt.js";
-export async function checkAdminAccess(event, model, action) {
+export async function checkAdminAccess(event, model, action, context) {
   const { auth } = useAutoCrudConfig();
   if (!auth?.authentication) {
     return true;
@@ -23,14 +23,38 @@ export async function checkAdminAccess(event, model, action) {
   if (auth.authorization) {
     try {
       const guestCheck = !user && (typeof abilityLogic === "function" ? abilityLogic : typeof globalAbility === "function" ? globalAbility : null);
-      const allowed = guestCheck ? await guestCheck(null, model, action) : await allows(event, globalAbility, model, action);
+      const allowed = guestCheck ? await guestCheck(null, model, action, context) : await allows(event, globalAbility, model, action, context);
       if (!allowed) {
+        if (user && (action === "update" || action === "delete") && context && typeof context === "object" && "id" in context) {
+          const ownAction = `${action}_own`;
+          const userPermissions = user.permissions?.[model];
+          if (userPermissions && userPermissions.includes(ownAction)) {
+            const { db } = await import("hub:db");
+            const { getTableForModel } = await import("./modelMapper.js");
+            const { eq } = await import("drizzle-orm");
+            try {
+              const table = getTableForModel(model);
+              if (model === "users" && String(context.id) === String(user.id)) {
+                return true;
+              }
+              if ("userId" in table) {
+                const record = await db.select({ userId: table.userId }).from(table).where(eq(table.id, context.id)).get();
+                if (record && String(record.userId) === String(user.id)) {
+                  return true;
+                }
+              }
+            } catch (e) {
+              console.error("[checkAdminAccess] Ownership check failed", e);
+            }
+          }
+        }
         if (user) throw createError({ statusCode: 403, message: "Forbidden" });
         return false;
       }
       return true;
     } catch (err) {
       if (err.statusCode === 403) throw err;
+      console.error("[checkAdminAccess] Error", err);
       return false;
     }
   }

package/dist/runtime/server/utils/handler.d.ts

@@ -1,3 +1,4 @@
 import type { H3Event } from 'h3';
-export declare function ensureResourceAccess(event: H3Event, model: string, action: string): Promise<boolean>;
+export declare function ensureResourceAccess(event: H3Event, model: string, action: string, context?: unknown): Promise<boolean>;
+export declare function hashPayloadFields(payload: Record<string, unknown>): Promise<void>;
 export declare function formatResourceResult(model: string, data: Record<string, unknown>, isAdmin: boolean): Record<string, unknown>;

package/dist/runtime/server/utils/handler.js

@@ -1,22 +1,27 @@
 import { createError } from "h3";
-import { useAutoCrudConfig } from "./config.js";
 import { checkAdminAccess } from "./auth.js";
 import { filterHiddenFields, filterPublicColumns } from "./modelMapper.js";
-import { getUserSession } from "#imports";
-export async function ensureResourceAccess(event, model, action) {
-  const { auth } = useAutoCrudConfig();
-  const isAuthorized = await checkAdminAccess(event, model, action);
+import { useAutoCrudConfig } from "./config.js";
+export async function ensureResourceAccess(event, model, action, context) {
+  const isAuthorized = await checkAdminAccess(event, model, action, context);
   if (!isAuthorized) {
     throw createError({
       statusCode: 401,
       message: "Unauthorized"
     });
   }
-  if (!auth?.authentication) {
-    return true;
+  return true;
+}
+export async function hashPayloadFields(payload) {
+  const { hashedFields } = useAutoCrudConfig();
+  if (hashedFields) {
+    console.log("[hashPayloadFields] Configured hashedFields:", hashedFields);
+    for (const field of hashedFields) {
+      if (payload[field] && typeof payload[field] === "string") {
+        payload[field] = await hashPassword(payload[field]);
+      }
+    }
   }
-  const session = await getUserSession(event);
-  return !!session.user;
 }
 export function formatResourceResult(model, data, isAdmin) {
   if (isAdmin) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.17.3",
+  "version": "1.19.1",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",
@@ -63,12 +63,13 @@
     "@iconify-json/lucide": "^1.2.77",
     "@iconify-json/simple-icons": "^1.2.61",
     "@iconify-json/vscode-icons": "^1.2.37",
+    "@libsql/client": "^0.15.15",
     "@nuxt/devtools": "^3.1.0",
     "@nuxt/eslint-config": "^1.10.0",
     "@nuxt/module-builder": "^1.0.2",
     "@nuxt/schema": "^4.2.1",
     "@nuxt/test-utils": "^3.20.1",
-    "@nuxthub/core": "^0.9.1",
+    "@nuxthub/core": "^0.10.1",
     "@types/better-sqlite3": "^7.6.13",
     "@types/node": "latest",
     "better-sqlite3": "^12.5.0",

package/src/runtime/server/api/[model]/[id].delete.ts

@@ -3,8 +3,8 @@ import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
 import { getTableForModel, getModelSingularName } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
@@ -14,7 +14,7 @@ export default eventHandler(async (event) => {
   const table = getTableForModel(model) as TableWithId
   const singularName = getModelSingularName(model)
 
-  const deletedRecord = await useDrizzle()
+  const deletedRecord = await db
     .delete(table)
     .where(eq(table.id, Number(id)))
     .returning()

package/src/runtime/server/api/[model]/[id].get.ts

@@ -3,8 +3,8 @@ import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
 import { getTableForModel } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 import { checkAdminAccess } from '../../utils/auth'
 
@@ -14,7 +14,7 @@ export default eventHandler(async (event) => {
 
   const table = getTableForModel(model) as TableWithId
 
-  const record = await useDrizzle()
+  const record = await db
     .select()
     .from(table)
     .where(eq(table.id, Number(id)))

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -3,26 +3,32 @@ import { eventHandler, getRouterParams, readBody, createError } from 'h3'
 import { eq } from 'drizzle-orm'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
-import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
+import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-  const isAdmin = await ensureResourceAccess(event, model, 'update')
+  // Pass the ID as context for row-level security checks (e.g. self-update)
+  const isAdmin = await ensureResourceAccess(event, model, 'update', { id })
 
   const table = getTableForModel(model) as TableWithId
 
   const body = await readBody(event)
   const payload = filterUpdatableFields(model, body)
 
+  // Auto-hash fields based on config (default: ['password'])
+  // Auto-hash fields based on config (default: ['password'])
+  await hashPayloadFields(payload)
+
   // Automatically update updatedAt if it exists
   if ('updatedAt' in table) {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (payload as any).updatedAt = new Date()
   }
 
-  const updatedRecord = await useDrizzle()
+  const updatedRecord = await db
     .update(table)
     .set(payload)
     .where(eq(table.id, Number(id)))

package/src/runtime/server/api/[model]/index.get.ts

@@ -1,8 +1,8 @@
 // server/api/[model]/index.get.ts
 import { eventHandler, getRouterParams } from 'h3'
 import { getTableForModel } from '../../utils/modelMapper'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
 import { desc, getTableColumns, eq } from 'drizzle-orm'
 import type { TableWithId } from '../../types'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
@@ -25,7 +25,7 @@ export default eventHandler(async (event) => {
   const table = getTableForModel(model) as TableWithId
   const columns = getTableColumns(table)
 
-  let query = useDrizzle().select().from(table)
+  let query = db.select().from(table)
 
   // Filter active rows for non-admins (or those without list_all) if status field exists
 

package/src/runtime/server/api/[model]/index.post.ts

@@ -1,9 +1,9 @@
 // server/api/[model]/index.post.ts
 import { eventHandler, getRouterParams, readBody } from 'h3'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
-import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
+import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
   const { model } = getRouterParams(event) as { model: string }
@@ -14,7 +14,10 @@ export default eventHandler(async (event) => {
   const body = await readBody(event)
   const payload = filterUpdatableFields(model, body)
 
-  const newRecord = await useDrizzle().insert(table).values(payload).returning().get()
+  // Auto-hash fields based on config (default: ['password'])
+  await hashPayloadFields(payload)
+
+  const newRecord = await db.insert(table).values(payload).returning().get()
 
   return formatResourceResult(model, newRecord as Record<string, unknown>, isAdmin)
 })

package/src/runtime/server/stubs/auth.ts

@@ -0,0 +1,11 @@
+export const requireUserSession = () => {
+  throw new Error('nuxt-auth-utils not installed')
+}
+export const getUserSession = () => Promise.resolve({ user: null })
+export const hashPassword = (password: string) => {
+  console.warn('nuxt-auth-utils not installed. Password not hashed!')
+  return Promise.resolve(password)
+}
+export const allows = () => Promise.resolve(true)
+export const abilities = null
+export const abilityLogic = null

package/src/runtime/server/utils/auth.ts

@@ -2,12 +2,12 @@
 /// <reference path="../../auth.d.ts" />
 import type { H3Event } from 'h3'
 import { createError } from 'h3'
-// @ts-expect-error - #imports is available in runtime
+
 import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from '#imports'
 import { useAutoCrudConfig } from './config'
 import { verifyJwtToken } from './jwt'
 
-export async function checkAdminAccess(event: H3Event, model: string, action: string): Promise<boolean> {
+export async function checkAdminAccess(event: H3Event, model: string, action: string, context?: unknown): Promise<boolean> {
   const { auth } = useAutoCrudConfig()
 
   if (!auth?.authentication) {
@@ -25,7 +25,7 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
   // Session based (default)
   let user = null
   try {
-    const session = await getUserSession(event)
+    const session = await (getUserSession as (event: H3Event) => Promise<{ user: { id: string | number, permissions?: Record<string, string[]> } | null }>)(event)
     user = session.user
   }
   catch {
@@ -38,10 +38,49 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
       const guestCheck = !user && (typeof abilityLogic === 'function' ? abilityLogic : (typeof globalAbility === 'function' ? globalAbility : null))
 
       const allowed = guestCheck
-        ? await guestCheck(null, model, action)
-        : await allows(event, globalAbility, model, action)
+        ? await (guestCheck as (user: unknown, model: string, action: string, context?: unknown) => Promise<boolean>)(null, model, action, context)
+        : await (allows as (event: H3Event, ability: unknown, model: string, action: string, context?: unknown) => Promise<boolean>)(event, globalAbility, model, action, context)
 
       if (!allowed) {
+        // Fallback: Check for "Own Record" permission (e.g. update_own, delete_own)
+        if (user && (action === 'update' || action === 'delete') && context && typeof context === 'object' && 'id' in context) {
+          const ownAction = `${action}_own`
+          const userPermissions = user.permissions?.[model] as string[] | undefined
+
+          if (userPermissions && userPermissions.includes(ownAction)) {
+            // Verify ownership via DB
+            // @ts-expect-error - hub:db virtual alias
+            const { db } = await import('hub:db')
+            const { getTableForModel } = await import('./modelMapper')
+            const { eq } = await import('drizzle-orm')
+
+            try {
+              const table = getTableForModel(model)
+
+              // Special case: User updating their own profile (record.id === user.id)
+              if (model === 'users' && String((context as { id: string | number }).id) === String(user.id)) {
+                return true
+              }
+
+              // Standard case: Check 'userId' column for ownership
+              // We need to check if table has userId column.
+              // We cast to any to check property exist roughly or just try query
+              if ('userId' in table) {
+                // @ts-expect-error - dyanmic table access
+                const record = await db.select({ userId: table.userId }).from(table).where(eq(table.id, context.id)).get()
+
+                // If record exists and userId matches session user id
+                if (record && String(record.userId) === String(user.id)) {
+                  return true
+                }
+              }
+            }
+            catch (e) {
+              console.error('[checkAdminAccess] Ownership check failed', e)
+            }
+          }
+        }
+
         if (user) throw createError({ statusCode: 403, message: 'Forbidden' })
         return false
       }
@@ -49,6 +88,7 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
     }
     catch (err) {
       if ((err as { statusCode: number }).statusCode === 403) throw err
+      console.error('[checkAdminAccess] Error', err)
       return false
     }
   }
@@ -73,5 +113,5 @@ export async function ensureAuthenticated(event: H3Event): Promise<void> {
     return
   }
 
-  await requireUserSession(event)
+  await (requireUserSession as (event: H3Event) => Promise<void>)(event)
 }

package/src/runtime/server/utils/handler.ts

@@ -1,17 +1,13 @@
 import { createError } from 'h3'
 import type { H3Event } from 'h3'
-import { useAutoCrudConfig } from './config'
+
 import { checkAdminAccess } from './auth'
 import { filterHiddenFields, filterPublicColumns } from './modelMapper'
+import { useAutoCrudConfig } from './config'
 
-// @ts-expect-error - #imports is available in runtime
-import { getUserSession } from '#imports'
-
-export async function ensureResourceAccess(event: H3Event, model: string, action: string): Promise<boolean> {
-  const { auth } = useAutoCrudConfig()
-
+export async function ensureResourceAccess(event: H3Event, model: string, action: string, context?: unknown): Promise<boolean> {
   // This throws 403 if not authorized
-  const isAuthorized = await checkAdminAccess(event, model, action)
+  const isAuthorized = await checkAdminAccess(event, model, action, context)
   if (!isAuthorized) {
     throw createError({
       statusCode: 401,
@@ -19,14 +15,22 @@ export async function ensureResourceAccess(event: H3Event, model: string, action
     })
   }
 
-  // If authentication is disabled, treated as fully inclusive access
-  if (!auth?.authentication) {
-    return true
-  }
+  return true
+}
 
-  // Check if user is authenticated
-  const session = await getUserSession(event)
-  return !!session.user
+export async function hashPayloadFields(payload: Record<string, unknown>): Promise<void> {
+  // Auto-hash fields based on config (default: ['password'])
+  const { hashedFields } = useAutoCrudConfig()
+
+  if (hashedFields) {
+    console.log('[hashPayloadFields] Configured hashedFields:', hashedFields)
+    for (const field of hashedFields) {
+      if (payload[field] && typeof payload[field] === 'string') {
+        // @ts-expect-error - hashPassword is auto-imported from nuxt-auth-utils or stub
+        payload[field] = await hashPassword(payload[field])
+      }
+    }
+  }
 }
 
 export function formatResourceResult(model: string, data: Record<string, unknown>, isAdmin: boolean) {