nuxt-auto-crud 1.18.1 → 1.20.0

package/README.md

@@ -51,7 +51,7 @@ Detailed instructions can be found in [https://auto-crud.clifland.in/docs/auto-c
 
 If you want to add `nuxt-auto-crud` to an existing project, follow these steps:
 
-> **Note:** These instructions assume you are using NuxtHub. If you are using a custom SQLite setup (e.g. better-sqlite3, Turso), please see [Custom Setup](./custom-setup.md).
+> **Note:** These instructions have been simplified for NuxtHub.
 
 #### Install dependencies
 
@@ -121,23 +121,7 @@ export default defineConfig({
 })
 ```
 
-#### Setup Database Connection
 
-Create `server/utils/drizzle.ts` to export the database instance:
-
-```typescript
-// server/utils/drizzle.ts
-import { db, schema } from 'hub:db'
-export { sql, eq, and, or } from 'drizzle-orm'
-
-export const tables = schema
-
-export function useDrizzle() {
-  return db
-}
-
-export type User = typeof schema.users.$inferSelect
-```
 
 #### Define your database schema
 
@@ -462,7 +446,7 @@ You can customize hidden fields by modifying the `modelMapper.ts` utility.
 
 - Nuxt 3 or 4
 - Drizzle ORM (SQLite)
-- NuxtHub >= 0.10.0 (Recommended) or [Custom SQLite Setup](./custom-setup.md)
+- NuxtHub >= 0.10.0
 
 ## 🔗 Other Helpful Links
 

package/dist/module.d.mts

@@ -6,11 +6,6 @@ interface ModuleOptions {
      * @default 'server/database/schema'
      */
     schemaPath?: string;
-    /**
-     * Path to the drizzle instance file (must export useDrizzle)
-     * @default 'server/utils/drizzle'
-     */
-    drizzlePath?: string;
     /**
      * Authentication configuration
      */
@@ -22,6 +17,11 @@ interface ModuleOptions {
     resources?: {
         [modelName: string]: string[];
     };
+    /**
+     * Fields that should be automatically hashed before storage
+     * @default ['password']
+     */
+    hashedFields?: string[];
 }
 interface AuthOptions {
     /**

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.18.1",
+  "version": "1.20.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -7,7 +7,6 @@ const module$1 = defineNuxtModule({
   },
   defaults: {
     schemaPath: "server/db/schema",
-    drizzlePath: "server/utils/drizzle",
     auth: false
   },
   async setup(options, nuxt) {
@@ -17,17 +16,13 @@ const module$1 = defineNuxtModule({
       options.schemaPath
     );
     nuxt.options.alias["#site/schema"] = schemaPath;
-    const drizzlePath = resolver.resolve(
-      nuxt.options.rootDir,
-      options.drizzlePath
-    );
-    nuxt.options.alias["#site/drizzle"] = drizzlePath;
     addImportsDir(resolver.resolve(nuxt.options.rootDir, "shared/utils"));
     const stubsPath = resolver.resolve("./runtime/server/stubs/auth");
     if (!hasNuxtModule("nuxt-auth-utils")) {
       addServerImports([
         { name: "requireUserSession", from: stubsPath },
-        { name: "getUserSession", from: stubsPath }
+        { name: "getUserSession", from: stubsPath },
+        { name: "hashPassword", from: stubsPath }
       ]);
     }
     if (!hasNuxtModule("nuxt-authorization")) {
@@ -53,7 +48,8 @@ const module$1 = defineNuxtModule({
       },
       resources: {
         ...options.resources
-      }
+      },
+      hashedFields: options.hashedFields ?? ["password"]
     };
     const apiDir = resolver.resolve("./runtime/server/api");
     addServerHandler({

package/dist/runtime/server/api/[model]/[id].delete.js

@@ -1,14 +1,14 @@
 import { eventHandler, getRouterParams, createError } from "h3";
 import { eq } from "drizzle-orm";
 import { getTableForModel, getModelSingularName } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
+import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
-  const isAdmin = await ensureResourceAccess(event, model, "delete");
+  const isAdmin = await ensureResourceAccess(event, model, "delete", { id });
   const table = getTableForModel(model);
   const singularName = getModelSingularName(model);
-  const deletedRecord = await useDrizzle().delete(table).where(eq(table.id, Number(id))).returning().get();
+  const deletedRecord = await db.delete(table).where(eq(table.id, Number(id))).returning().get();
   if (!deletedRecord) {
     throw createError({
       statusCode: 404,

package/dist/runtime/server/api/[model]/[id].get.js

@@ -1,14 +1,14 @@
 import { eventHandler, getRouterParams, createError } from "h3";
 import { eq } from "drizzle-orm";
 import { getTableForModel } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
+import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "read");
   const table = getTableForModel(model);
-  const record = await useDrizzle().select().from(table).where(eq(table.id, Number(id))).get();
+  const record = await db.select().from(table).where(eq(table.id, Number(id))).get();
   if (!record) {
     throw createError({
       statusCode: 404,

package/dist/runtime/server/api/[model]/[id].patch.js

@@ -1,18 +1,29 @@
 import { eventHandler, getRouterParams, readBody, createError } from "h3";
+import { getUserSession } from "#imports";
 import { eq } from "drizzle-orm";
 import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
-import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { db } from "hub:db";
+import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
-  const isAdmin = await ensureResourceAccess(event, model, "update");
+  const isAdmin = await ensureResourceAccess(event, model, "update", { id });
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
+  await hashPayloadFields(payload);
   if ("updatedAt" in table) {
     payload.updatedAt = /* @__PURE__ */ new Date();
   }
-  const updatedRecord = await useDrizzle().update(table).set(payload).where(eq(table.id, Number(id))).returning().get();
+  try {
+    const session = await getUserSession(event);
+    if (session?.user?.id) {
+      if ("updatedBy" in table) {
+        payload.updatedBy = session.user.id;
+      }
+    }
+  } catch {
+  }
+  const updatedRecord = await db.update(table).set(payload).where(eq(table.id, Number(id))).returning().get();
   if (!updatedRecord) {
     throw createError({
       statusCode: 404,

package/dist/runtime/server/api/[model]/index.get.js

@@ -1,6 +1,6 @@
 import { eventHandler, getRouterParams } from "h3";
 import { getTableForModel } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
+import { db } from "hub:db";
 import { desc, getTableColumns, eq } from "drizzle-orm";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 import { checkAdminAccess } from "../../utils/auth.js";
@@ -16,7 +16,7 @@ export default eventHandler(async (event) => {
   }
   const table = getTableForModel(model);
   const columns = getTableColumns(table);
-  let query = useDrizzle().select().from(table);
+  let query = db.select().from(table);
   if (!canListAll && "status" in columns) {
     query = query.where(eq(table.status, "active"));
   }

package/dist/runtime/server/api/[model]/index.post.js

@@ -1,13 +1,27 @@
 import { eventHandler, getRouterParams, readBody } from "h3";
+import { getUserSession } from "#imports";
 import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
-import { useDrizzle } from "#site/drizzle";
-import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { db } from "hub:db";
+import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from "../../utils/handler.js";
 export default eventHandler(async (event) => {
   const { model } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "create");
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
-  const newRecord = await useDrizzle().insert(table).values(payload).returning().get();
+  await hashPayloadFields(payload);
+  try {
+    const session = await getUserSession(event);
+    if (session?.user?.id) {
+      if ("createdBy" in table) {
+        payload.createdBy = session.user.id;
+      }
+      if ("updatedBy" in table) {
+        payload.updatedBy = session.user.id;
+      }
+    }
+  } catch {
+  }
+  const newRecord = await db.insert(table).values(payload).returning().get();
   return formatResourceResult(model, newRecord, isAdmin);
 });

package/dist/runtime/server/stubs/auth.d.ts

@@ -2,6 +2,7 @@ export declare const requireUserSession: () => never;
 export declare const getUserSession: () => Promise<{
     user: null;
 }>;
+export declare const hashPassword: (password: string) => Promise<string>;
 export declare const allows: () => Promise<boolean>;
 export declare const abilities: null;
 export declare const abilityLogic: null;

package/dist/runtime/server/stubs/auth.js

@@ -2,6 +2,10 @@ export const requireUserSession = () => {
   throw new Error("nuxt-auth-utils not installed");
 };
 export const getUserSession = () => Promise.resolve({ user: null });
+export const hashPassword = (password) => {
+  console.warn("nuxt-auth-utils not installed. Password not hashed!");
+  return Promise.resolve(password);
+};
 export const allows = () => Promise.resolve(true);
 export const abilities = null;
 export const abilityLogic = null;

package/dist/runtime/server/utils/auth.d.ts

@@ -1,3 +1,3 @@
 import type { H3Event } from 'h3';
-export declare function checkAdminAccess(event: H3Event, model: string, action: string): Promise<boolean>;
+export declare function checkAdminAccess(event: H3Event, model: string, action: string, context?: unknown): Promise<boolean>;
 export declare function ensureAuthenticated(event: H3Event): Promise<void>;

package/dist/runtime/server/utils/auth.js

@@ -2,7 +2,7 @@ import { createError } from "h3";
 import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from "#imports";
 import { useAutoCrudConfig } from "./config.js";
 import { verifyJwtToken } from "./jwt.js";
-export async function checkAdminAccess(event, model, action) {
+export async function checkAdminAccess(event, model, action, context) {
   const { auth } = useAutoCrudConfig();
   if (!auth?.authentication) {
     return true;
@@ -23,14 +23,46 @@ export async function checkAdminAccess(event, model, action) {
   if (auth.authorization) {
     try {
       const guestCheck = !user && (typeof abilityLogic === "function" ? abilityLogic : typeof globalAbility === "function" ? globalAbility : null);
-      const allowed = guestCheck ? await guestCheck(null, model, action) : await allows(event, globalAbility, model, action);
+      const allowed = guestCheck ? await guestCheck(null, model, action, context) : await allows(event, globalAbility, model, action, context);
       if (!allowed) {
+        if (user && (action === "update" || action === "delete") && context && typeof context === "object" && "id" in context) {
+          const ownAction = `${action}_own`;
+          const userPermissions = user.permissions?.[model];
+          if (userPermissions && userPermissions.includes(ownAction)) {
+            const { db } = await import("hub:db");
+            const { getTableForModel } = await import("./modelMapper.js");
+            const { eq } = await import("drizzle-orm");
+            try {
+              const table = getTableForModel(model);
+              if (model === "users" && String(context.id) === String(user.id)) {
+                return true;
+              }
+              const hasCreatedBy = "createdBy" in table;
+              const hasUserId = "userId" in table;
+              if (hasCreatedBy || hasUserId) {
+                const query = db.select().from(table).where(eq(table.id, Number(context.id)));
+                const record = await query.get();
+                if (record) {
+                  if (hasCreatedBy) {
+                    if (String(record.createdBy) === String(user.id)) return true;
+                  }
+                  if (hasUserId) {
+                    if (String(record.userId) === String(user.id)) return true;
+                  }
+                }
+              }
+            } catch (e) {
+              console.error("[checkAdminAccess] Ownership check failed", e);
+            }
+          }
+        }
         if (user) throw createError({ statusCode: 403, message: "Forbidden" });
         return false;
       }
       return true;
     } catch (err) {
       if (err.statusCode === 403) throw err;
+      console.error("[checkAdminAccess] Error", err);
       return false;
     }
   }

package/dist/runtime/server/utils/handler.d.ts

@@ -1,3 +1,4 @@
 import type { H3Event } from 'h3';
-export declare function ensureResourceAccess(event: H3Event, model: string, action: string): Promise<boolean>;
+export declare function ensureResourceAccess(event: H3Event, model: string, action: string, context?: unknown): Promise<boolean>;
+export declare function hashPayloadFields(payload: Record<string, unknown>): Promise<void>;
 export declare function formatResourceResult(model: string, data: Record<string, unknown>, isAdmin: boolean): Record<string, unknown>;

package/dist/runtime/server/utils/handler.js

@@ -1,8 +1,9 @@
 import { createError } from "h3";
 import { checkAdminAccess } from "./auth.js";
 import { filterHiddenFields, filterPublicColumns } from "./modelMapper.js";
-export async function ensureResourceAccess(event, model, action) {
-  const isAuthorized = await checkAdminAccess(event, model, action);
+import { useAutoCrudConfig } from "./config.js";
+export async function ensureResourceAccess(event, model, action, context) {
+  const isAuthorized = await checkAdminAccess(event, model, action, context);
   if (!isAuthorized) {
     throw createError({
       statusCode: 401,
@@ -11,6 +12,17 @@ export async function ensureResourceAccess(event, model, action) {
   }
   return true;
 }
+export async function hashPayloadFields(payload) {
+  const { hashedFields } = useAutoCrudConfig();
+  if (hashedFields) {
+    console.log("[hashPayloadFields] Configured hashedFields:", hashedFields);
+    for (const field of hashedFields) {
+      if (payload[field] && typeof payload[field] === "string") {
+        payload[field] = await hashPassword(payload[field]);
+      }
+    }
+  }
+}
 export function formatResourceResult(model, data, isAdmin) {
   if (isAdmin) {
     return filterHiddenFields(model, data);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.18.1",
+  "version": "1.20.0",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",

package/src/runtime/server/api/[model]/[id].delete.ts

@@ -3,18 +3,18 @@ import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
 import { getTableForModel, getModelSingularName } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-  const isAdmin = await ensureResourceAccess(event, model, 'delete')
+  const isAdmin = await ensureResourceAccess(event, model, 'delete', { id })
 
   const table = getTableForModel(model) as TableWithId
   const singularName = getModelSingularName(model)
 
-  const deletedRecord = await useDrizzle()
+  const deletedRecord = await db
     .delete(table)
     .where(eq(table.id, Number(id)))
     .returning()

package/src/runtime/server/api/[model]/[id].get.ts

@@ -3,8 +3,8 @@ import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
 import { getTableForModel } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 import { checkAdminAccess } from '../../utils/auth'
 
@@ -14,7 +14,7 @@ export default eventHandler(async (event) => {
 
   const table = getTableForModel(model) as TableWithId
 
-  const record = await useDrizzle()
+  const record = await db
     .select()
     .from(table)
     .where(eq(table.id, Number(id)))

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -1,28 +1,50 @@
 // server/api/[model]/[id].patch.ts
 import { eventHandler, getRouterParams, readBody, createError } from 'h3'
+import type { H3Event } from 'h3'
+import { getUserSession } from '#imports'
 import { eq } from 'drizzle-orm'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
-import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
+import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-  const isAdmin = await ensureResourceAccess(event, model, 'update')
+  // Pass the ID as context for row-level security checks (e.g. self-update)
+  const isAdmin = await ensureResourceAccess(event, model, 'update', { id })
 
   const table = getTableForModel(model) as TableWithId
 
   const body = await readBody(event)
   const payload = filterUpdatableFields(model, body)
 
+  // Auto-hash fields based on config (default: ['password'])
+  // Auto-hash fields based on config (default: ['password'])
+  await hashPayloadFields(payload)
+
   // Automatically update updatedAt if it exists
   if ('updatedAt' in table) {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (payload as any).updatedAt = new Date()
   }
 
-  const updatedRecord = await useDrizzle()
+  // Inject updatedBy if user is authenticated
+  try {
+    const session = await (getUserSession as (event: H3Event) => Promise<{ user: { id: string | number } | null }>)(event)
+    if (session?.user?.id) {
+      if ('updatedBy' in table) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (payload as any).updatedBy = session.user.id
+      }
+    }
+  }
+  catch {
+    // No session available
+  }
+
+  const updatedRecord = await db
     .update(table)
     .set(payload)
     .where(eq(table.id, Number(id)))

package/src/runtime/server/api/[model]/index.get.ts

@@ -1,8 +1,8 @@
 // server/api/[model]/index.get.ts
 import { eventHandler, getRouterParams } from 'h3'
 import { getTableForModel } from '../../utils/modelMapper'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
 import { desc, getTableColumns, eq } from 'drizzle-orm'
 import type { TableWithId } from '../../types'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
@@ -25,7 +25,7 @@ export default eventHandler(async (event) => {
   const table = getTableForModel(model) as TableWithId
   const columns = getTableColumns(table)
 
-  let query = useDrizzle().select().from(table)
+  let query = db.select().from(table)
 
   // Filter active rows for non-admins (or those without list_all) if status field exists
 

package/src/runtime/server/api/[model]/index.post.ts

@@ -1,9 +1,11 @@
 // server/api/[model]/index.post.ts
 import { eventHandler, getRouterParams, readBody } from 'h3'
+import type { H3Event } from 'h3'
+import { getUserSession } from '#imports'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
-// @ts-expect-error - #site/drizzle is an alias defined by the module
-import { useDrizzle } from '#site/drizzle'
-import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+// @ts-expect-error - hub:db is a virtual alias
+import { db } from 'hub:db'
+import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
   const { model } = getRouterParams(event) as { model: string }
@@ -14,7 +16,31 @@ export default eventHandler(async (event) => {
   const body = await readBody(event)
   const payload = filterUpdatableFields(model, body)
 
-  const newRecord = await useDrizzle().insert(table).values(payload).returning().get()
+  // Auto-hash fields based on config (default: ['password'])
+  await hashPayloadFields(payload)
+
+  // Inject createdBy/updatedBy if user is authenticated
+  try {
+    const session = await (getUserSession as (event: H3Event) => Promise<{ user: { id: string | number } | null }>)(event)
+    if (session?.user?.id) {
+      // Check if table has columns before assigning (optional but safer if we had strict types)
+      // Since we are passing payload to .values(), extra keys might be ignored or cause error depending on driver
+      // Using 'in' table check is good practice
+      if ('createdBy' in table) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (payload as any).createdBy = session.user.id
+      }
+      if ('updatedBy' in table) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (payload as any).updatedBy = session.user.id
+      }
+    }
+  }
+  catch {
+    // No session available
+  }
+
+  const newRecord = await db.insert(table).values(payload).returning().get()
 
   return formatResourceResult(model, newRecord as Record<string, unknown>, isAdmin)
 })

package/src/runtime/server/stubs/auth.ts

@@ -2,6 +2,10 @@ export const requireUserSession = () => {
   throw new Error('nuxt-auth-utils not installed')
 }
 export const getUserSession = () => Promise.resolve({ user: null })
+export const hashPassword = (password: string) => {
+  console.warn('nuxt-auth-utils not installed. Password not hashed!')
+  return Promise.resolve(password)
+}
 export const allows = () => Promise.resolve(true)
 export const abilities = null
 export const abilityLogic = null

package/src/runtime/server/utils/auth.ts

@@ -2,12 +2,12 @@
 /// <reference path="../../auth.d.ts" />
 import type { H3Event } from 'h3'
 import { createError } from 'h3'
-// @ts-expect-error - #imports is available in runtime
+
 import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from '#imports'
 import { useAutoCrudConfig } from './config'
 import { verifyJwtToken } from './jwt'
 
-export async function checkAdminAccess(event: H3Event, model: string, action: string): Promise<boolean> {
+export async function checkAdminAccess(event: H3Event, model: string, action: string, context?: unknown): Promise<boolean> {
   const { auth } = useAutoCrudConfig()
 
   if (!auth?.authentication) {
@@ -25,7 +25,7 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
   // Session based (default)
   let user = null
   try {
-    const session = await getUserSession(event)
+    const session = await (getUserSession as (event: H3Event) => Promise<{ user: { id: string | number, permissions?: Record<string, string[]> } | null }>)(event)
     user = session.user
   }
   catch {
@@ -38,10 +38,60 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
       const guestCheck = !user && (typeof abilityLogic === 'function' ? abilityLogic : (typeof globalAbility === 'function' ? globalAbility : null))
 
       const allowed = guestCheck
-        ? await guestCheck(null, model, action)
-        : await allows(event, globalAbility, model, action)
+        ? await (guestCheck as (user: unknown, model: string, action: string, context?: unknown) => Promise<boolean>)(null, model, action, context)
+        : await (allows as (event: H3Event, ability: unknown, model: string, action: string, context?: unknown) => Promise<boolean>)(event, globalAbility, model, action, context)
 
       if (!allowed) {
+        // Fallback: Check for "Own Record" permission (e.g. update_own, delete_own)
+        if (user && (action === 'update' || action === 'delete') && context && typeof context === 'object' && 'id' in context) {
+          const ownAction = `${action}_own`
+          const userPermissions = user.permissions?.[model] as string[] | undefined
+
+          if (userPermissions && userPermissions.includes(ownAction)) {
+            // Verify ownership via DB
+            // @ts-expect-error - hub:db virtual alias
+            const { db } = await import('hub:db')
+            const { getTableForModel } = await import('./modelMapper')
+            const { eq } = await import('drizzle-orm')
+
+            try {
+              const table = getTableForModel(model)
+
+              // Special case: User updating their own profile (record.id === user.id)
+              if (model === 'users' && String((context as { id: string | number }).id) === String(user.id)) {
+                return true
+              }
+
+              // Standard case: Check 'createdBy' or 'userId' column for ownership
+
+              // const columns = table.columns || {}
+
+              const hasCreatedBy = 'createdBy' in table
+              const hasUserId = 'userId' in table
+
+              if (hasCreatedBy || hasUserId) {
+                // @ts-expect-error - table is dynamic
+                const query = db.select().from(table).where(eq(table.id, Number(context.id)))
+                const record = await query.get()
+
+                if (record) {
+                  // Check createdBy
+                  if (hasCreatedBy) {
+                    if (String(record.createdBy) === String(user.id)) return true
+                  }
+                  // Check userId (legacy)
+                  if (hasUserId) {
+                    if (String(record.userId) === String(user.id)) return true
+                  }
+                }
+              }
+            }
+            catch (e) {
+              console.error('[checkAdminAccess] Ownership check failed', e)
+            }
+          }
+        }
+
         if (user) throw createError({ statusCode: 403, message: 'Forbidden' })
         return false
       }
@@ -49,6 +99,7 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
     }
     catch (err) {
       if ((err as { statusCode: number }).statusCode === 403) throw err
+      console.error('[checkAdminAccess] Error', err)
       return false
     }
   }
@@ -73,5 +124,5 @@ export async function ensureAuthenticated(event: H3Event): Promise<void> {
     return
   }
 
-  await requireUserSession(event)
+  await (requireUserSession as (event: H3Event) => Promise<void>)(event)
 }

package/src/runtime/server/utils/handler.ts

@@ -3,10 +3,11 @@ import type { H3Event } from 'h3'
 
 import { checkAdminAccess } from './auth'
 import { filterHiddenFields, filterPublicColumns } from './modelMapper'
+import { useAutoCrudConfig } from './config'
 
-export async function ensureResourceAccess(event: H3Event, model: string, action: string): Promise<boolean> {
+export async function ensureResourceAccess(event: H3Event, model: string, action: string, context?: unknown): Promise<boolean> {
   // This throws 403 if not authorized
-  const isAuthorized = await checkAdminAccess(event, model, action)
+  const isAuthorized = await checkAdminAccess(event, model, action, context)
   if (!isAuthorized) {
     throw createError({
       statusCode: 401,
@@ -17,6 +18,21 @@ export async function ensureResourceAccess(event: H3Event, model: string, action
   return true
 }
 
+export async function hashPayloadFields(payload: Record<string, unknown>): Promise<void> {
+  // Auto-hash fields based on config (default: ['password'])
+  const { hashedFields } = useAutoCrudConfig()
+
+  if (hashedFields) {
+    console.log('[hashPayloadFields] Configured hashedFields:', hashedFields)
+    for (const field of hashedFields) {
+      if (payload[field] && typeof payload[field] === 'string') {
+        // @ts-expect-error - hashPassword is auto-imported from nuxt-auth-utils or stub
+        payload[field] = await hashPassword(payload[field])
+      }
+    }
+  }
+}
+
 export function formatResourceResult(model: string, data: Record<string, unknown>, isAdmin: boolean) {
   if (isAdmin) {
     return filterHiddenFields(model, data)