nuxt-auto-crud 1.20.0 → 1.22.0

package/README.md

@@ -321,11 +321,30 @@ export default defineNuxtConfig({
 })
 ```
 
-## ⚠️ Known Issues
 
-- **Automatic Relation Expansion:** The module tries to automatically expand foreign keys (e.g., `user_id` -> `user: { name: ... }`). However, this relies on the foreign key column name matching the target table name (e.g., `user_id` for `users`).
-  - **Limitation:** If you have custom FK names like `customer_id` or `author_id` pointing to `users`, the automatic expansion will not work yet.
-  - **Workaround:** Ensure your FK columns follow the `tablename_id` convention where possible for now.
+## 👤 Owner-based Permissions (RBAC)
+
+In addition to standard `create`, `read`, `update`, and `delete` permissions, you can assign **Ownership Permissions**:
+
+- `list`: Allows a user to view a list of active records (status='active').
+- `list_all`: Allows a user to view **all** records, including inactive ones (e.g., status='inactive', 'draft').
+- `update_own`: Allows a user to update a record **only if they created it**.
+- `delete_own`: Allows a user to delete a record **only if they created it**.
+
+**How it works:**
+The module checks for ownership using the following logic:
+1.  **Standard Tables:** Checks if the record has a `createdBy` (or `userId`) column that matches the logged-in user's ID.
+2.  **Users Table:** Checks if the record being accessed is the user's own profile (`id` matches).
+
+**Prerequisites:**
+Ensure your schema includes a `createdBy` field for resources where you want this behavior:
+
+```typescript
+export const posts = sqliteTable('posts', {
+  // ...
+  createdBy: integer('created_by'), // Recommended
+})
+```
 
 ## 🎮 Try the Playground
 

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.20.0",
+  "version": "1.22.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/runtime/composables/useRelationDisplay.d.ts

@@ -9,4 +9,5 @@ export declare const useRelationDisplay: (schema: {
     fetchRelations: () => Promise<void>;
     getDisplayValue: (key: string, value: unknown) => unknown;
     relationsMap: import("vue").Ref<Record<string, Record<string, string>>, Record<string, Record<string, string>>>;
+    forbiddenRelations: import("vue").Ref<Set<string> & Omit<Set<string>, keyof Set<any>>, Set<string> | (Set<string> & Omit<Set<string>, keyof Set<any>>)>;
 };

package/dist/runtime/composables/useRelationDisplay.js

@@ -4,6 +4,7 @@ export const useRelationDisplay = (schema) => {
   const relationsMap = ref({});
   const displayValues = ref({});
   const headers = useRequestHeaders(["cookie"]);
+  const forbiddenRelations = ref(/* @__PURE__ */ new Set());
   const fetchRelations = async () => {
     const { data: relations } = await useFetch("/api/_relations");
     if (relations.value) {
@@ -30,6 +31,10 @@ export const useRelationDisplay = (schema) => {
           }
         } catch (error) {
           console.error(`Failed to fetch relation data for ${targetTable}:`, error);
+          const err = error;
+          if (err?.statusCode === 403) {
+            forbiddenRelations.value.add(fieldName);
+          }
         }
       })
     );
@@ -43,6 +48,7 @@ export const useRelationDisplay = (schema) => {
   return {
     fetchRelations,
     getDisplayValue,
-    relationsMap
+    relationsMap,
+    forbiddenRelations
   };
 };

package/dist/runtime/server/api/[model]/[id].delete.js

@@ -1,8 +1,9 @@
-import { eventHandler, getRouterParams, createError } from "h3";
+import { eventHandler, getRouterParams } from "h3";
 import { eq } from "drizzle-orm";
 import { getTableForModel, getModelSingularName } from "../../utils/modelMapper.js";
 import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { RecordNotFoundError } from "../../exceptions.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "delete", { id });
@@ -10,10 +11,7 @@ export default eventHandler(async (event) => {
   const singularName = getModelSingularName(model);
   const deletedRecord = await db.delete(table).where(eq(table.id, Number(id))).returning().get();
   if (!deletedRecord) {
-    throw createError({
-      statusCode: 404,
-      message: `${singularName} not found`
-    });
+    throw new RecordNotFoundError(`${singularName} not found`);
   }
   return formatResourceResult(model, deletedRecord, isAdmin);
 });

package/dist/runtime/server/api/[model]/[id].get.js

@@ -1,27 +1,22 @@
-import { eventHandler, getRouterParams, createError } from "h3";
+import { eventHandler, getRouterParams } from "h3";
 import { eq } from "drizzle-orm";
 import { getTableForModel } from "../../utils/modelMapper.js";
 import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
 import { checkAdminAccess } from "../../utils/auth.js";
+import { RecordNotFoundError } from "../../exceptions.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "read");
   const table = getTableForModel(model);
   const record = await db.select().from(table).where(eq(table.id, Number(id))).get();
   if (!record) {
-    throw createError({
-      statusCode: 404,
-      message: "Record not found"
-    });
+    throw new RecordNotFoundError();
   }
   if ("status" in record && record.status !== "active") {
     const canListAll = await checkAdminAccess(event, model, "list_all");
     if (!canListAll) {
-      throw createError({
-        statusCode: 404,
-        message: "Record not found"
-      });
+      throw new RecordNotFoundError();
     }
   }
   return formatResourceResult(model, record, isAdmin);

package/dist/runtime/server/api/[model]/[id].patch.js

@@ -1,9 +1,10 @@
-import { eventHandler, getRouterParams, readBody, createError } from "h3";
+import { eventHandler, getRouterParams, readBody } from "h3";
 import { getUserSession } from "#imports";
 import { eq } from "drizzle-orm";
 import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
 import { db } from "hub:db";
 import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from "../../utils/handler.js";
+import { RecordNotFoundError } from "../../exceptions.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
   const isAdmin = await ensureResourceAccess(event, model, "update", { id });
@@ -25,10 +26,7 @@ export default eventHandler(async (event) => {
   }
   const updatedRecord = await db.update(table).set(payload).where(eq(table.id, Number(id))).returning().get();
   if (!updatedRecord) {
-    throw createError({
-      statusCode: 404,
-      message: "Record not found"
-    });
+    throw new RecordNotFoundError();
   }
   return formatResourceResult(model, updatedRecord, isAdmin);
 });

package/dist/runtime/server/api/_schema/[table].get.d.ts

@@ -1,10 +1,5 @@
 declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
     resource: string;
-    fields: {
-        name: string;
-        type: string;
-        required: any;
-        selectOptions: string[] | undefined;
-    }[];
+    fields: import("../../utils/schema.js").Field[];
 }>>;
 export default _default;

package/dist/runtime/server/exceptions.d.ts

@@ -0,0 +1,9 @@
+export declare class AutoCrudError extends Error {
+    statusCode: number;
+    statusMessage?: string;
+    constructor(message: string, statusCode: number);
+    toH3Error(): import("h3").H3Error<unknown>;
+}
+export declare class RecordNotFoundError extends AutoCrudError {
+    constructor(message?: string);
+}

package/dist/runtime/server/exceptions.js

@@ -0,0 +1,21 @@
+import { createError } from "h3";
+export class AutoCrudError extends Error {
+  statusCode;
+  statusMessage;
+  constructor(message, statusCode) {
+    super(message);
+    this.statusCode = statusCode;
+    this.statusMessage = message;
+  }
+  toH3Error() {
+    return createError({
+      statusCode: this.statusCode,
+      message: this.message
+    });
+  }
+}
+export class RecordNotFoundError extends AutoCrudError {
+  constructor(message = "Record not found") {
+    super(message, 404);
+  }
+}

package/dist/runtime/server/utils/schema.d.ts

@@ -1,20 +1,17 @@
+export interface Field {
+    name: string;
+    type: string;
+    required: boolean;
+    selectOptions?: string[];
+    references?: string;
+}
 export declare function drizzleTableToFields(table: any, resourceName: string): {
     resource: string;
-    fields: {
-        name: string;
-        type: string;
-        required: any;
-        selectOptions: string[] | undefined;
-    }[];
+    fields: Field[];
 };
 export declare function getRelations(): Promise<Record<string, Record<string, string>>>;
 export declare function getAllSchemas(): Promise<Record<string, any>>;
 export declare function getSchema(tableName: string): Promise<{
     resource: string;
-    fields: {
-        name: string;
-        type: string;
-        required: any;
-        selectOptions: string[] | undefined;
-    }[];
+    fields: Field[];
 } | undefined>;

package/dist/runtime/server/utils/schema.js

@@ -15,6 +15,21 @@ export function drizzleTableToFields(table, resourceName) {
       selectOptions
     });
   }
+  try {
+    const config = getTableConfig(table);
+    config.foreignKeys.forEach((fk) => {
+      const sourceColumnName = fk.reference().columns[0].name;
+      const propertyName = Object.entries(columns).find(([_, col]) => col.name === sourceColumnName)?.[0];
+      if (propertyName) {
+        const field = fields.find((f) => f.name === propertyName);
+        if (field) {
+          const targetTable = fk.reference().foreignTable[Symbol.for("drizzle:Name")];
+          field.references = targetTable;
+        }
+      }
+    });
+  } catch {
+  }
   return {
     resource: resourceName,
     fields
@@ -37,6 +52,9 @@ function mapColumnType(column) {
     }
     return { type: "number" };
   }
+  if (["content", "description", "bio", "message"].includes(column.name)) {
+    return { type: "textarea" };
+  }
   return { type: "string" };
 }
 export async function getRelations() {
@@ -44,14 +62,18 @@ export async function getRelations() {
   for (const [tableName, table] of Object.entries(modelTableMap)) {
     try {
       const config = getTableConfig(table);
-      if (config.foreignKeys.length > 0) {
-        const tableRelations = {};
-        relations[tableName] = tableRelations;
-        const columns = getTableColumns(table);
-        const columnToProperty = {};
-        for (const [key, col] of Object.entries(columns)) {
-          columnToProperty[col.name] = key;
+      const tableRelations = {};
+      relations[tableName] = tableRelations;
+      const columns = getTableColumns(table);
+      const columnToProperty = {};
+      for (const [key, col] of Object.entries(columns)) {
+        const columnName = col.name;
+        columnToProperty[columnName] = key;
+        if (["createdBy", "created_by", "updatedBy", "updated_by", "deletedBy", "deleted_by"].includes(key)) {
+          tableRelations[key] = "users";
         }
+      }
+      if (config.foreignKeys.length > 0) {
         config.foreignKeys.forEach((fk) => {
           const sourceColumnName = fk.reference().columns[0].name;
           const sourceProperty = columnToProperty[sourceColumnName] || sourceColumnName;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.20.0",
+  "version": "1.22.0",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",
@@ -35,8 +35,8 @@
   ],
   "scripts": {
     "prepack": "nuxt-module-build build",
-    "dev": "npm run dev:prepare && nuxi dev playground",
-    "dev:build": "nuxi build playground",
+    "dev": "bun run dev:prepare && nuxi dev --bun playground",
+    "dev:build": "nuxi build --bun playground",
     "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground",
     "release": "npm run lint && npm run test && npm run prepack && changelogen --release && npm publish && git push --follow-tags",
     "lint": "eslint .",
@@ -47,7 +47,7 @@
     "link": "npm link"
   },
   "dependencies": {
-    "@nuxt/kit": "^4.2.1",
+    "@nuxt/kit": "^4.2.2",
     "@nuxt/scripts": "^0.13.0",
     "@types/pluralize": "^0.0.33",
     "c12": "^2.0.1",
@@ -78,7 +78,7 @@
     "drizzle-orm": "^0.38.3",
     "eslint": "^9.39.1",
     "nuxt": "^4.2.1",
-    "nuxt-auth-utils": "^0.5.25",
+    "nuxt-auth-utils": "^0.5.26",
     "nuxt-authorization": "^0.3.5",
     "typescript": "~5.9.3",
     "vitest": "^4.0.13",

package/src/runtime/composables/useRelationDisplay.ts

@@ -11,6 +11,8 @@ export const useRelationDisplay = (
   const displayValues = ref<Record<string, Record<string, string>>>({})
   const headers = useRequestHeaders(['cookie'])
 
+  const forbiddenRelations = ref<Set<string>>(new Set())
+
   const fetchRelations = async () => {
     // 1. Fetch relations metadata
     const { data: relations } = await useFetch<Record<string, Record<string, string>>>('/api/_relations')
@@ -45,8 +47,12 @@ export const useRelationDisplay = (
             )
           }
         }
-        catch (error) {
+        catch (error: unknown) {
           console.error(`Failed to fetch relation data for ${targetTable}:`, error)
+          const err = error as { statusCode?: number }
+          if (err?.statusCode === 403) {
+            forbiddenRelations.value.add(fieldName)
+          }
         }
       }),
     )
@@ -63,5 +69,6 @@ export const useRelationDisplay = (
     fetchRelations,
     getDisplayValue,
     relationsMap,
+    forbiddenRelations,
   }
 }

package/src/runtime/server/api/[model]/[id].delete.ts

@@ -1,11 +1,12 @@
 // server/api/[model]/[id].delete.ts
-import { eventHandler, getRouterParams, createError } from 'h3'
+import { eventHandler, getRouterParams } from 'h3'
 import { eq } from 'drizzle-orm'
 import { getTableForModel, getModelSingularName } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
 // @ts-expect-error - hub:db is a virtual alias
 import { db } from 'hub:db'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+import { RecordNotFoundError } from '../../exceptions'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
@@ -21,10 +22,7 @@ export default eventHandler(async (event) => {
     .get()
 
   if (!deletedRecord) {
-    throw createError({
-      statusCode: 404,
-      message: `${singularName} not found`,
-    })
+    throw new RecordNotFoundError(`${singularName} not found`)
   }
 
   return formatResourceResult(model, deletedRecord as Record<string, unknown>, isAdmin)

package/src/runtime/server/api/[model]/[id].get.ts

@@ -1,5 +1,5 @@
 // server/api/[model]/[id].get.ts
-import { eventHandler, getRouterParams, createError } from 'h3'
+import { eventHandler, getRouterParams } from 'h3'
 import { eq } from 'drizzle-orm'
 import { getTableForModel } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
@@ -7,6 +7,7 @@ import type { TableWithId } from '../../types'
 import { db } from 'hub:db'
 import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 import { checkAdminAccess } from '../../utils/auth'
+import { RecordNotFoundError } from '../../exceptions'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
@@ -21,10 +22,7 @@ export default eventHandler(async (event) => {
     .get()
 
   if (!record) {
-    throw createError({
-      statusCode: 404,
-      message: 'Record not found',
-    })
+    throw new RecordNotFoundError()
   }
 
   // Filter inactive rows for non-admins (or those without list_all) if status field exists
@@ -32,10 +30,7 @@ export default eventHandler(async (event) => {
   if ('status' in record && (record as any).status !== 'active') {
     const canListAll = await checkAdminAccess(event, model, 'list_all')
     if (!canListAll) {
-      throw createError({
-        statusCode: 404,
-        message: 'Record not found',
-      })
+      throw new RecordNotFoundError()
     }
   }
 

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -1,5 +1,5 @@
 // server/api/[model]/[id].patch.ts
-import { eventHandler, getRouterParams, readBody, createError } from 'h3'
+import { eventHandler, getRouterParams, readBody } from 'h3'
 import type { H3Event } from 'h3'
 import { getUserSession } from '#imports'
 import { eq } from 'drizzle-orm'
@@ -9,6 +9,7 @@ import type { TableWithId } from '../../types'
 // @ts-expect-error - hub:db is a virtual alias
 import { db } from 'hub:db'
 import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from '../../utils/handler'
+import { RecordNotFoundError } from '../../exceptions'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
@@ -20,7 +21,6 @@ export default eventHandler(async (event) => {
   const body = await readBody(event)
   const payload = filterUpdatableFields(model, body)
 
-  // Auto-hash fields based on config (default: ['password'])
   // Auto-hash fields based on config (default: ['password'])
   await hashPayloadFields(payload)
 
@@ -52,10 +52,7 @@ export default eventHandler(async (event) => {
     .get()
 
   if (!updatedRecord) {
-    throw createError({
-      statusCode: 404,
-      message: 'Record not found',
-    })
+    throw new RecordNotFoundError()
   }
 
   return formatResourceResult(model, updatedRecord as Record<string, unknown>, isAdmin)

package/src/runtime/server/exceptions.ts

@@ -0,0 +1,25 @@
+import { createError } from 'h3'
+
+export class AutoCrudError extends Error {
+  statusCode: number
+  statusMessage?: string
+
+  constructor(message: string, statusCode: number) {
+    super(message)
+    this.statusCode = statusCode
+    this.statusMessage = message
+  }
+
+  toH3Error() {
+    return createError({
+      statusCode: this.statusCode,
+      message: this.message,
+    })
+  }
+}
+
+export class RecordNotFoundError extends AutoCrudError {
+  constructor(message: string = 'Record not found') {
+    super(message, 404)
+  }
+}

package/src/runtime/server/utils/schema.ts

@@ -2,10 +2,18 @@ import { getTableColumns } from 'drizzle-orm'
 import { getTableConfig } from 'drizzle-orm/sqlite-core'
 import { modelTableMap } from './modelMapper'
 
+export interface Field {
+  name: string
+  type: string
+  required: boolean
+  selectOptions?: string[]
+  references?: string
+}
+
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export function drizzleTableToFields(table: any, resourceName: string) {
   const columns = getTableColumns(table)
-  const fields = []
+  const fields: Field[] = []
 
   for (const [key, col] of Object.entries(columns)) {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -22,6 +30,31 @@ export function drizzleTableToFields(table: any, resourceName: string) {
     })
   }
 
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const config = getTableConfig(table as any)
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    config.foreignKeys.forEach((fk: any) => {
+      const sourceColumnName = fk.reference().columns[0].name
+
+      // Find the TS property name (key) that corresponds to this SQL column name
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const propertyName = Object.entries(columns).find(([_, col]: [string, any]) => col.name === sourceColumnName)?.[0]
+
+      if (propertyName) {
+        const field = fields.find(f => f.name === propertyName)
+        if (field) {
+          // Get target table name
+          const targetTable = fk.reference().foreignTable[Symbol.for('drizzle:Name')] as string
+          field.references = targetTable
+        }
+      }
+    })
+  }
+  catch {
+    // Ignore error if getTableConfig fails (e.g. not a Drizzle table)
+  }
+
   return {
     resource: resourceName,
     fields,
@@ -53,6 +86,10 @@ function mapColumnType(column: any): { type: string, selectOptions?: string[] }
     return { type: 'number' }
   }
 
+  if (['content', 'description', 'bio', 'message'].includes(column.name)) {
+    return { type: 'textarea' }
+  }
+
   return { type: 'string' }
 }
 
@@ -63,19 +100,25 @@ export async function getRelations() {
     try {
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       const config = getTableConfig(table as any)
-      if (config.foreignKeys.length > 0) {
-        const tableRelations: Record<string, string> = {}
-        relations[tableName] = tableRelations
+      const tableRelations: Record<string, string> = {}
+      relations[tableName] = tableRelations
 
-        // Map column names to property names
+      // Map column names to property names
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const columns = getTableColumns(table as any)
+      const columnToProperty: Record<string, string> = {}
+      for (const [key, col] of Object.entries(columns)) {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        const columns = getTableColumns(table as any)
-        const columnToProperty: Record<string, string> = {}
-        for (const [key, col] of Object.entries(columns)) {
-          // eslint-disable-next-line @typescript-eslint/no-explicit-any
-          columnToProperty[(col as any).name] = key
+        const columnName = (col as any).name
+        columnToProperty[columnName] = key
+
+        // Auto-link createdBy/updatedBy to users table
+        if (['createdBy', 'created_by', 'updatedBy', 'updated_by', 'deletedBy', 'deleted_by'].includes(key)) {
+          tableRelations[key] = 'users'
         }
+      }
 
+      if (config.foreignKeys.length > 0) {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         config.foreignKeys.forEach((fk: any) => {
           const sourceColumnName = fk.reference().columns[0].name