nuxt-auto-crud 1.22.0 → 1.23.1

package/README.md

@@ -1,6 +1,6 @@
 # Nuxt Auto CRUD
 
-> **Note:** This module is widely used in MVP development and is rapidly maturing. While currently in **Beta**, the core API (CRUD) is stable. Breaking changes may still occur in configuration or advanced features. Production use is encouraged with version pinning.
+> **Note:** This module is production-ready and actively maintained. The core CRUD API is stable. Minor breaking changes may occasionally occur in advanced features or configuration. We recommend version pinning for production deployments.
 
 Auto-expose RESTful CRUD APIs for your **Nuxt** application based solely on your database schema. Minimal configuration required.
 
@@ -56,20 +56,13 @@ If you want to add `nuxt-auto-crud` to an existing project, follow these steps:
 #### Install dependencies
 
 ```bash
-# Install module and required dependencies
 npm install nuxt-auto-crud @nuxthub/core@^0.10.0 drizzle-orm
-
-# Optional: Install auth dependencies if using Session Auth (Recommended)
-npm install nuxt-auth-utils nuxt-authorization
-
+npm install nuxt-auth-utils nuxt-authorization  # Optional: for authentication
 npm install --save-dev wrangler drizzle-kit
-
-# Or using bun
-bun add nuxt-auto-crud @nuxthub/core@latest drizzle-orm
-bun add nuxt-auth-utils nuxt-authorization
-bun add --dev wrangler drizzle-kit
 ```
 
+> You can also use `bun` or `pnpm` instead of `npm`.
+
 #### Configure Nuxt
 
 Add the modules to your `nuxt.config.ts`:
@@ -227,81 +220,18 @@ export default defineConfig({
 })
 ```
 
-## 🔐 Authentication Configuration
+## 🔐 Authentication
 
-The module enables authentication by default. To test APIs without authentication, you can set `auth: false`.
-
-### Session Auth (Default)
-
-Requires `nuxt-auth-utils` and `nuxt-authorization` to be installed in your project.
-
-```bash
-npm install nuxt-auth-utils nuxt-authorization
-```
+Authentication is enabled by default using **Session Auth** (requires `nuxt-auth-utils` and `nuxt-authorization`).
 
+To disable auth for testing:
 ```typescript
-export default defineNuxtConfig({
-  modules: [
-    'nuxt-auth-utils',
-    'nuxt-authorization',
-    'nuxt-auto-crud'
-  ],
-  autoCrud: {
-    auth: {
-      type: 'session',
-      authentication: true, // Enables requireUserSession() check
-      authorization: true // Enables authorize(model, action) check
-    }
-  }
-})
+autoCrud: { auth: false }
 ```
 
-### JWT Auth
+For **JWT Auth** (backend-only apps) or advanced configuration, see the [Authentication docs](https://auto-crud.clifland.in/docs/configuration/authentication).
 
-Useful for backend-only apps. Does **not** require `nuxt-auth-utils`.
 
-```typescript
-export default defineNuxtConfig({
-  autoCrud: {
-    auth: {
-      type: 'jwt',
-      authentication: true,
-      jwtSecret: process.env.JWT_SECRET,
-      authorization: true
-    }
-  }
-})
-```
-
-### Disabling Auth
-
-You can disable authentication entirely for testing or public APIs.
-
-```typescript
-export default defineNuxtConfig({
-  autoCrud: {
-    auth: {
-      authentication: false,
-      authorization: false
-    }
-    // OR simply:
-    // auth: false
-  }
-})
-```
-
-## 🧪 Testing
-
-This module is tested using **Vitest**.
-
-- **Unit Tests:** We cover utility functions and helpers.
-- **E2E Tests:** We verify the API endpoints using a real Nuxt server instance.
-
-To run the tests locally:
-
-```bash
-npm run test
-```
 
 ## 🛡️ Public View Configuration (Field Visibility)
 
@@ -415,51 +345,7 @@ await $fetch("/api/users/1", {
 > - **Fullstack App:** The module integrates with `nuxt-auth-utils`, so session cookies are handled automatically.
 > - **Backend-only App:** You must include the `Authorization: Bearer <token>` header in your requests.
 
-## Configuration
-
-### Module Options
-
-```typescript
-
-export default defineNuxtConfig({
-  autoCrud: {
-    // Path to your database schema file (relative to project root)
-    schemaPath: "server/db/schema", // default
-    
-    // Authentication configuration (see "Authentication Configuration" section)
-    auth: {
-        // ...
-    },
-
-    // Public Guest View Configuration (Field Visibility)
-    resources: {
-        users: ['id', 'name', 'avatar'],
-    },
-  },
-});
-```
-
-### Protected Fields
 
-By default, the following fields are protected from updates:
-
-- `id`
-- `createdAt`
-- `created_at`
-- `updatedAt`
-- `updated_at`
-
-You can customize updatable fields in your schema by modifying the `modelMapper.ts` utility.
-
-### Hidden Fields
-
-By default, the following fields are hidden from API responses for security:
-
-- `password`
-- `secret`
-- `token`
-
-You can customize hidden fields by modifying the `modelMapper.ts` utility.
 
 ## 🔧 Requirements
 
@@ -467,18 +353,12 @@ You can customize hidden fields by modifying the `modelMapper.ts` utility.
 - Drizzle ORM (SQLite)
 - NuxtHub >= 0.10.0
 
-## 🔗 Other Helpful Links
-
-- **Template:** [https://github.com/clifordpereira/nuxt-auto-crud_template](https://github.com/clifordpereira/nuxt-auto-crud_template)
-- **Docs:** [https://auto-crud.clifland.in/docs/auto-crud](https://auto-crud.clifland.in/docs/auto-crud)
-- **Repo:** [https://github.com/clifordpereira/nuxt-auto-crud](https://github.com/clifordpereira/nuxt-auto-crud)
-- **YouTube (Installation):** [https://youtu.be/M9-koXmhB9k](https://youtu.be/M9-koXmhB9k)
-- **YouTube (Add Schemas):** [https://youtu.be/7gW0KW1KtN0](https://youtu.be/7gW0KW1KtN0)
-- **YouTube (Various Permissions):** [https://www.youtube.com/watch?v=Yty3OCYbwOo](https://www.youtube.com/watch?v=Yty3OCYbwOo)
-- **YouTube (Dynamic RBAC):** [https://www.youtube.com/watch?v=W0ju4grRC9M](https://www.youtube.com/watch?v=W0ju4grRC9M)
-- **npm:** [https://www.npmjs.com/package/nuxt-auto-crud](https://www.npmjs.com/package/nuxt-auto-crud)
-- **Github Discussions:** [https://github.com/clifordpereira/nuxt-auto-crud/discussions/1](https://github.com/clifordpereira/nuxt-auto-crud/discussions/1)
-- **Discord:** [https://discord.gg/hGgyEaGu](https://discord.gg/hGgyEaGu)
+## 🔗 Links
+
+- **📚 Documentation:** [auto-crud.clifland.in](https://auto-crud.clifland.in/docs/auto-crud)
+- **🎬 Video Tutorials:** [YouTube Channel](https://www.youtube.com/@ClifordPereira)
+- **💬 Community:** [Discord](https://discord.gg/FBkQQfRFJM) • [GitHub Discussions](https://github.com/clifordpereira/nuxt-auto-crud/discussions/1)
+- **📦 npm:** [nuxt-auto-crud](https://www.npmjs.com/package/nuxt-auto-crud)
 
 ## 🤝 Contributing
 

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.22.0",
+  "version": "1.23.1",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/runtime/server/api/[model]/[id].get.js

@@ -7,15 +7,18 @@ import { checkAdminAccess } from "../../utils/auth.js";
 import { RecordNotFoundError } from "../../exceptions.js";
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event);
-  const isAdmin = await ensureResourceAccess(event, model, "read");
+  const isAdmin = await ensureResourceAccess(event, model, "read", { id });
   const table = getTableForModel(model);
   const record = await db.select().from(table).where(eq(table.id, Number(id))).get();
   if (!record) {
     throw new RecordNotFoundError();
   }
   if ("status" in record && record.status !== "active") {
-    const canListAll = await checkAdminAccess(event, model, "list_all");
-    if (!canListAll) {
+    const [canListAll, canReadOwn] = await Promise.all([
+      checkAdminAccess(event, model, "list_all").catch(() => false),
+      checkAdminAccess(event, model, "read_own", { id }).catch(() => false)
+    ]);
+    if (!canListAll && !canReadOwn) {
       throw new RecordNotFoundError();
     }
   }

package/dist/runtime/server/api/[model]/[id].patch.js

@@ -11,6 +11,13 @@ export default eventHandler(async (event) => {
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
+  if ("status" in payload) {
+    const { checkAdminAccess } = await import("../../utils/auth.js");
+    const hasStatusPermission = await checkAdminAccess(event, model, "update_status", { id });
+    if (!hasStatusPermission) {
+      delete payload.status;
+    }
+  }
   await hashPayloadFields(payload);
   if ("updatedAt" in table) {
     payload.updatedAt = /* @__PURE__ */ new Date();

package/dist/runtime/server/api/[model]/index.get.js

@@ -1,25 +1,59 @@
 import { eventHandler, getRouterParams } from "h3";
 import { getTableForModel } from "../../utils/modelMapper.js";
 import { db } from "hub:db";
-import { desc, getTableColumns, eq } from "drizzle-orm";
-import { ensureResourceAccess, formatResourceResult } from "../../utils/handler.js";
+import { desc, getTableColumns, eq, and, or } from "drizzle-orm";
+import { formatResourceResult } from "../../utils/handler.js";
+import { getUserSession } from "#imports";
 import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
   console.log("[GET] Request received", event.path);
   const { model } = getRouterParams(event);
-  const isAdmin = await ensureResourceAccess(event, model, "list");
+  let canListAny = false;
   let canListAll = false;
-  try {
-    canListAll = await checkAdminAccess(event, model, "list_all");
-  } catch {
-    canListAll = false;
+  let canListOwn = false;
+  const [anyAccess, allAccess, ownAccess] = await Promise.all([
+    checkAdminAccess(event, model, "list").catch(() => false),
+    checkAdminAccess(event, model, "list_all").catch(() => false),
+    checkAdminAccess(event, model, "list_own").catch(() => false)
+  ]);
+  canListAny = anyAccess;
+  canListAll = allAccess;
+  canListOwn = ownAccess;
+  if (!canListAny && !canListAll && !canListOwn) {
+    throw createError({ statusCode: 403, message: "Forbidden" });
   }
   const table = getTableForModel(model);
   const columns = getTableColumns(table);
+  const session = await getUserSession(event);
+  const userId = session?.user?.id;
   let query = db.select().from(table);
-  if (!canListAll && "status" in columns) {
-    query = query.where(eq(table.status, "active"));
+  const filters = [];
+  if (canListAll) {
+  } else if (canListAny && canListOwn && userId) {
+    const ownershipFilter = "createdBy" in columns ? eq(table.createdBy, userId) : "userId" in columns ? eq(table.userId, userId) : null;
+    const activeFilter = "status" in columns ? eq(table.status, "active") : null;
+    if (ownershipFilter && activeFilter) {
+      filters.push(or(activeFilter, ownershipFilter));
+    } else if (activeFilter) {
+      filters.push(activeFilter);
+    } else if (ownershipFilter) {
+      filters.push(ownershipFilter);
+    }
+  } else if (canListAny) {
+    if ("status" in columns) {
+      filters.push(eq(table.status, "active"));
+    }
+  } else if (canListOwn && userId) {
+    if ("createdBy" in columns) {
+      filters.push(eq(table.createdBy, userId));
+    } else if ("userId" in columns) {
+      filters.push(eq(table.userId, userId));
+    }
   }
+  if (filters.length > 0) {
+    query = query.where(and(...filters));
+  }
+  const isAdmin = true;
   const results = await query.orderBy(desc(table.id)).all();
   return results.map((item) => formatResourceResult(model, item, isAdmin));
 });

package/dist/runtime/server/api/[model]/index.post.js

@@ -9,6 +9,13 @@ export default eventHandler(async (event) => {
   const table = getTableForModel(model);
   const body = await readBody(event);
   const payload = filterUpdatableFields(model, body);
+  if ("status" in payload) {
+    const { checkAdminAccess } = await import("../../utils/auth.js");
+    const hasStatusPermission = await checkAdminAccess(event, model, "update_status");
+    if (!hasStatusPermission) {
+      delete payload.status;
+    }
+  }
   await hashPayloadFields(payload);
   try {
     const session = await getUserSession(event);

package/dist/runtime/server/utils/auth.js

@@ -25,7 +25,7 @@ export async function checkAdminAccess(event, model, action, context) {
       const guestCheck = !user && (typeof abilityLogic === "function" ? abilityLogic : typeof globalAbility === "function" ? globalAbility : null);
       const allowed = guestCheck ? await guestCheck(null, model, action, context) : await allows(event, globalAbility, model, action, context);
       if (!allowed) {
-        if (user && (action === "update" || action === "delete") && context && typeof context === "object" && "id" in context) {
+        if (user && (action === "read" || action === "update" || action === "delete") && context && typeof context === "object" && "id" in context) {
           const ownAction = `${action}_own`;
           const userPermissions = user.permissions?.[model];
           if (userPermissions && userPermissions.includes(ownAction)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.22.0",
+  "version": "1.23.1",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",

package/src/runtime/server/api/[model]/[id].get.ts

@@ -11,7 +11,7 @@ import { RecordNotFoundError } from '../../exceptions'
 
 export default eventHandler(async (event) => {
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-  const isAdmin = await ensureResourceAccess(event, model, 'read')
+  const isAdmin = await ensureResourceAccess(event, model, 'read', { id })
 
   const table = getTableForModel(model) as TableWithId
 
@@ -25,11 +25,14 @@ export default eventHandler(async (event) => {
     throw new RecordNotFoundError()
   }
 
-  // Filter inactive rows for non-admins (or those without list_all) if status field exists
+  // Filter inactive rows for non-admins (or those without list_all or read_own) if status field exists
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   if ('status' in record && (record as any).status !== 'active') {
-    const canListAll = await checkAdminAccess(event, model, 'list_all')
-    if (!canListAll) {
+    const [canListAll, canReadOwn] = await Promise.all([
+      checkAdminAccess(event, model, 'list_all').catch(() => false),
+      checkAdminAccess(event, model, 'read_own', { id }).catch(() => false),
+    ])
+    if (!canListAll && !canReadOwn) {
       throw new RecordNotFoundError()
     }
   }

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -1,6 +1,7 @@
 // server/api/[model]/[id].patch.ts
 import { eventHandler, getRouterParams, readBody } from 'h3'
 import type { H3Event } from 'h3'
+// @ts-expect-error - #imports is a virtual alias
 import { getUserSession } from '#imports'
 import { eq } from 'drizzle-orm'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
@@ -21,6 +22,15 @@ export default eventHandler(async (event) => {
   const body = await readBody(event)
   const payload = filterUpdatableFields(model, body)
 
+  // Custom check for status update permission
+  if ('status' in payload) {
+    const { checkAdminAccess } = await import('../../utils/auth')
+    const hasStatusPermission = await checkAdminAccess(event, model, 'update_status', { id })
+    if (!hasStatusPermission) {
+      delete payload.status
+    }
+  }
+
   // Auto-hash fields based on config (default: ['password'])
   await hashPayloadFields(payload)
 

package/src/runtime/server/api/[model]/index.get.ts

@@ -1,38 +1,91 @@
 // server/api/[model]/index.get.ts
+/* eslint-disable @typescript-eslint/no-explicit-any */
 import { eventHandler, getRouterParams } from 'h3'
 import { getTableForModel } from '../../utils/modelMapper'
 // @ts-expect-error - hub:db is a virtual alias
 import { db } from 'hub:db'
-import { desc, getTableColumns, eq } from 'drizzle-orm'
+import { desc, getTableColumns, eq, and, or } from 'drizzle-orm'
 import type { TableWithId } from '../../types'
-import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
+import { formatResourceResult } from '../../utils/handler'
+// @ts-expect-error - #imports is a virtual alias
+import { getUserSession } from '#imports'
 
 import { checkAdminAccess } from '../../utils/auth'
 
 export default eventHandler(async (event) => {
   console.log('[GET] Request received', event.path)
   const { model } = getRouterParams(event) as { model: string }
-  const isAdmin = await ensureResourceAccess(event, model, 'list')
-
+  let canListAny = false
   let canListAll = false
-  try {
-    canListAll = await checkAdminAccess(event, model, 'list_all')
-  }
-  catch {
-    canListAll = false
+  let canListOwn = false
+
+  // 1. Check permissions
+  const [anyAccess, allAccess, ownAccess] = await Promise.all([
+    checkAdminAccess(event, model, 'list').catch(() => false),
+    checkAdminAccess(event, model, 'list_all').catch(() => false),
+    checkAdminAccess(event, model, 'list_own').catch(() => false),
+  ])
+
+  canListAny = anyAccess
+  canListAll = allAccess
+  canListOwn = ownAccess
+
+  if (!canListAny && !canListAll && !canListOwn) {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
   }
 
   const table = getTableForModel(model) as TableWithId
   const columns = getTableColumns(table)
+  const session = await (getUserSession as any)(event)
+  const userId = session?.user?.id
 
   let query = db.select().from(table)
 
-  // Filter active rows for non-admins (or those without list_all) if status field exists
+  // 2. Build Filters
+  const filters = []
 
-  if (!canListAll && 'status' in columns) {
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    query = query.where(eq((table as any).status, 'active')) as any
+  if (canListAll) {
+    // No filters needed for List All
   }
+  else if (canListAny && canListOwn && userId) {
+    // Can see everyone's ACTIVE records OR OWN records (any status)
+    const ownershipFilter = 'createdBy' in columns
+      ? eq((table as any).createdBy, userId)
+      : ('userId' in columns ? eq((table as any).userId, userId) : null)
+
+    const activeFilter = 'status' in columns ? eq((table as any).status, 'active') : null
+
+    if (ownershipFilter && activeFilter) {
+      filters.push(or(activeFilter, ownershipFilter))
+    }
+    else if (activeFilter) {
+      filters.push(activeFilter)
+    }
+    else if (ownershipFilter) {
+      filters.push(ownershipFilter)
+    }
+  }
+  else if (canListAny) {
+    // Only Any: see everyone's ACTIVE records
+    if ('status' in columns) {
+      filters.push(eq((table as any).status, 'active'))
+    }
+  }
+  else if (canListOwn && userId) {
+    // Only Own: see ONLY own records (all statuses)
+    if ('createdBy' in columns) {
+      filters.push(eq((table as any).createdBy, userId))
+    }
+    else if ('userId' in columns) {
+      filters.push(eq((table as any).userId, userId))
+    }
+  }
+
+  if (filters.length > 0) {
+    query = query.where(and(...filters)) as any
+  }
+
+  const isAdmin = true // Result formatting control
 
   const results = await query.orderBy(desc(table.id)).all()
 

package/src/runtime/server/api/[model]/index.post.ts

@@ -1,6 +1,7 @@
 // server/api/[model]/index.post.ts
 import { eventHandler, getRouterParams, readBody } from 'h3'
 import type { H3Event } from 'h3'
+// @ts-expect-error - #imports is a virtual alias
 import { getUserSession } from '#imports'
 import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 // @ts-expect-error - hub:db is a virtual alias
@@ -16,6 +17,15 @@ export default eventHandler(async (event) => {
   const body = await readBody(event)
   const payload = filterUpdatableFields(model, body)
 
+  // Custom check for status update permission (or just remove it during creation as per requirement)
+  if ('status' in payload) {
+    const { checkAdminAccess } = await import('../../utils/auth')
+    const hasStatusPermission = await checkAdminAccess(event, model, 'update_status')
+    if (!hasStatusPermission) {
+      delete payload.status
+    }
+  }
+
   // Auto-hash fields based on config (default: ['password'])
   await hashPayloadFields(payload)
 
@@ -23,9 +33,7 @@ export default eventHandler(async (event) => {
   try {
     const session = await (getUserSession as (event: H3Event) => Promise<{ user: { id: string | number } | null }>)(event)
     if (session?.user?.id) {
-      // Check if table has columns before assigning (optional but safer if we had strict types)
-      // Since we are passing payload to .values(), extra keys might be ignored or cause error depending on driver
-      // Using 'in' table check is good practice
+      // Using 'in' table check is good practice to ensure column exists
       if ('createdBy' in table) {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         (payload as any).createdBy = session.user.id

package/src/runtime/server/utils/auth.ts

@@ -3,6 +3,7 @@
 import type { H3Event } from 'h3'
 import { createError } from 'h3'
 
+// @ts-expect-error - #imports is a virtual alias
 import { requireUserSession, allows, getUserSession, abilities as globalAbility, abilityLogic } from '#imports'
 import { useAutoCrudConfig } from './config'
 import { verifyJwtToken } from './jwt'
@@ -43,7 +44,7 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
 
       if (!allowed) {
         // Fallback: Check for "Own Record" permission (e.g. update_own, delete_own)
-        if (user && (action === 'update' || action === 'delete') && context && typeof context === 'object' && 'id' in context) {
+        if (user && (action === 'read' || action === 'update' || action === 'delete') && context && typeof context === 'object' && 'id' in context) {
           const ownAction = `${action}_own`
           const userPermissions = user.permissions?.[model] as string[] | undefined
 
@@ -64,8 +65,6 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
 
               // Standard case: Check 'createdBy' or 'userId' column for ownership
 
-              // const columns = table.columns || {}
-
               const hasCreatedBy = 'createdBy' in table
               const hasUserId = 'userId' in table