nuxt-auto-crud 1.24.0 → 1.26.0

package/dist/runtime/server/utils/modelMapper.d.ts

@@ -1,86 +1,28 @@
 import type { SQLiteTable } from 'drizzle-orm/sqlite-core';
-/**
- * Custom updatable fields configuration (optional)
- * Only define here if you want to override the auto-detection
- *
- * Example:
- * export const customUpdatableFields: Record<string, string[]> = {
- *   users: ['name', 'avatar'], // Only these fields can be updated
- * }
- */
+import type { z } from 'zod';
 export declare const customUpdatableFields: Record<string, string[]>;
-/**
- * Custom hidden fields configuration (optional)
- * Only define here if you want to override the default hidden fields
- */
 export declare const customHiddenFields: Record<string, string[]>;
-/**
- * Auto-generated model table map
- * Automatically includes all tables from schema
- */
 export declare const modelTableMap: Record<string, unknown>;
 /**
- * Gets the table for a given model name
- * @param modelName - The name of the model (e.g., 'users', 'products')
- * @returns The corresponding database table
- * @throws Error if model is not found
+ * @throws 404 if modelName is not found in tableMap.
  */
 export declare function getTableForModel(modelName: string): SQLiteTable;
-/**
- * Gets the updatable fields for a model
- * @param modelName - The name of the model
- * @returns Array of field names that can be updated
- */
 export declare function getUpdatableFields(modelName: string): string[];
 /**
- * Filters an object to only include updatable fields for a model
- * @param modelName - The name of the model
- * @param data - The data object to filter
- * @returns Filtered object with only updatable fields
+ * Filters and coerces data for updates, handling timestamp conversion.
  */
 export declare function filterUpdatableFields(modelName: string, data: Record<string, unknown>): Record<string, unknown>;
-/**
- * Gets the singular name for a model (for error messages)
- * Uses pluralize library for accurate singular/plural conversion
- * @param modelName - The plural model name
- * @returns The singular name in PascalCase
- */
 export declare function getModelSingularName(modelName: string): string;
-/**
- * Gets the plural name for a model
- * @param modelName - The model name (singular or plural)
- * @returns The plural name
- * @return The plural name
- */
 export declare function getModelPluralName(modelName: string): string;
-/**
- * Lists all available models
- * @returns Array of model names
- */
 export declare function getAvailableModels(): string[];
-/**
- * Gets the hidden fields for a model
- * @param modelName - The name of the model
- * @returns Array of field names that should be hidden
- */
 export declare function getHiddenFields(modelName: string): string[];
-/**
- * Gets the public columns for a model
- * @param modelName - The name of the model
- * @returns Array of field names that are public (or undefined if all are public)
- */
 export declare function getPublicColumns(modelName: string): string[] | undefined;
 /**
- * Filters an object to only include public columns (if configured)
- * @param modelName - The name of the model
- * @param data - The data object to filter
- * @returns Filtered object
+ * Restricts payload to runtimeConfig resource whitelist and filters hidden fields.
  */
 export declare function filterPublicColumns(modelName: string, data: Record<string, unknown>): Record<string, unknown>;
+export declare function filterHiddenFields(modelName: string, data: Record<string, unknown>): Record<string, unknown>;
 /**
- * Filters an object to exclude hidden fields
- * @param modelName - The name of the model
- * @param data - The data object to filter
- * @returns Filtered object without hidden fields
+ * Generates Zod schema via drizzle-zod, omitting server-managed and protected fields.
  */
-export declare function filterHiddenFields(modelName: string, data: Record<string, unknown>): Record<string, unknown>;
+export declare function getZodSchema(modelName: string, type?: 'insert' | 'patch'): z.ZodObject<any, any>;

package/dist/runtime/server/utils/modelMapper.js

@@ -4,15 +4,10 @@ import { pascalCase } from "scule";
 import { getTableColumns as getDrizzleTableColumns, getTableName } from "drizzle-orm";
 import { createError } from "h3";
 import { useRuntimeConfig } from "#imports";
-const PROTECTED_FIELDS = ["id", "created_at", "updated_at", "createdAt", "updatedAt"];
-const HIDDEN_FIELDS = ["password", "secret", "token"];
-export const customUpdatableFields = {
-  // Add custom field restrictions here if needed
-  // By default, all fields except PROTECTED_FIELDS are updatable
-};
-export const customHiddenFields = {
-  // Add custom hidden fields here if needed
-};
+import { createInsertSchema } from "drizzle-zod";
+import { PROTECTED_FIELDS, HIDDEN_FIELDS } from "./constants.js";
+export const customUpdatableFields = {};
+export const customHiddenFields = {};
 function buildModelTableMap() {
   const tableMap = {};
   for (const [key, value] of Object.entries(schema)) {
@@ -56,7 +51,7 @@ export function getUpdatableFields(modelName) {
   const table = modelTableMap[modelName];
   if (!table) return [];
   const allColumns = getTableColumns(table);
-  return allColumns.filter((col) => !PROTECTED_FIELDS.includes(col));
+  return allColumns.filter((col) => !PROTECTED_FIELDS.includes(col) && !HIDDEN_FIELDS.includes(col));
 }
 export function filterUpdatableFields(modelName, data) {
   const allowedFields = getUpdatableFields(modelName);
@@ -86,10 +81,7 @@ export function getAvailableModels() {
   return Object.keys(modelTableMap);
 }
 export function getHiddenFields(modelName) {
-  if (customHiddenFields[modelName]) {
-    return customHiddenFields[modelName];
-  }
-  return HIDDEN_FIELDS;
+  return customHiddenFields[modelName] ?? HIDDEN_FIELDS;
 }
 export function getPublicColumns(modelName) {
   const { resources } = useRuntimeConfig().autoCrud;
@@ -101,8 +93,9 @@ export function filterPublicColumns(modelName, data) {
     return filterHiddenFields(modelName, data);
   }
   const filtered = {};
+  const hidden = getHiddenFields(modelName);
   for (const [key, value] of Object.entries(data)) {
-    if (publicColumns.includes(key) && !getHiddenFields(modelName).includes(key)) {
+    if (publicColumns.includes(key) && !hidden.includes(key)) {
       filtered[key] = value;
     }
   }
@@ -118,3 +111,22 @@ export function filterHiddenFields(modelName, data) {
   }
   return filtered;
 }
+export function getZodSchema(modelName, type = "insert") {
+  const table = getTableForModel(modelName);
+  const schema2 = createInsertSchema(table);
+  if (type === "patch") {
+    return schema2.partial();
+  }
+  const OMIT_ON_CREATE = [
+    ...PROTECTED_FIELDS,
+    ...HIDDEN_FIELDS
+  ];
+  const columns = getDrizzleTableColumns(table);
+  const fieldsToOmit = {};
+  OMIT_ON_CREATE.forEach((field) => {
+    if (columns[field]) {
+      fieldsToOmit[field] = true;
+    }
+  });
+  return schema2.omit(fieldsToOmit);
+}

package/dist/runtime/server/utils/schema.d.ts

@@ -7,11 +7,13 @@ export interface Field {
 }
 export declare function drizzleTableToFields(table: any, resourceName: string): {
     resource: string;
+    labelField: string;
     fields: Field[];
 };
 export declare function getRelations(): Promise<Record<string, Record<string, string>>>;
 export declare function getAllSchemas(): Promise<Record<string, any>>;
 export declare function getSchema(tableName: string): Promise<{
     resource: string;
+    labelField: string;
     fields: Field[];
 } | undefined>;

package/dist/runtime/server/utils/schema.js

@@ -15,6 +15,8 @@ export function drizzleTableToFields(table, resourceName) {
       selectOptions
     });
   }
+  const fieldNames = fields.map((f) => f.name);
+  const labelField = fieldNames.find((n) => n === "name") || fieldNames.find((n) => n === "title") || fieldNames.find((n) => n === "email") || "id";
   try {
     const config = getTableConfig(table);
     config.foreignKeys.forEach((fk) => {
@@ -32,6 +34,8 @@ export function drizzleTableToFields(table, resourceName) {
   }
   return {
     resource: resourceName,
+    labelField,
+    // metadata point
     fields
   };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.24.0",
+  "version": "1.26.0",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",
@@ -51,6 +51,7 @@
     "@nuxt/scripts": "^0.13.0",
     "@types/pluralize": "^0.0.33",
     "c12": "^2.0.1",
+    "drizzle-zod": "^0.8.3",
     "jose": "^5.9.6",
     "pluralize": "^8.0.0",
     "scule": "^1.0.0"
@@ -78,7 +79,7 @@
     "drizzle-orm": "^0.38.3",
     "eslint": "^9.39.1",
     "nuxt": "^4.2.1",
-    "nuxt-auth-utils": "^0.5.26",
+    "nuxt-auth-utils": "^0.5.27",
     "nuxt-authorization": "^0.3.5",
     "typescript": "~5.9.3",
     "vitest": "^4.0.13",

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -4,7 +4,7 @@ import type { H3Event } from 'h3'
 // @ts-expect-error - #imports is a virtual alias
 import { getUserSession } from '#imports'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
+import { getTableForModel, getZodSchema } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
 
 // @ts-expect-error - hub:db is a virtual alias
@@ -20,7 +20,8 @@ export default eventHandler(async (event) => {
   const table = getTableForModel(model) as TableWithId
 
   const body = await readBody(event)
-  const payload = filterUpdatableFields(model, body)
+  const schema = getZodSchema(model, 'patch')
+  const payload = await schema.parseAsync(body)
 
   // Custom check for status update permission
   if ('status' in payload) {

package/src/runtime/server/api/[model]/index.post.ts

@@ -1,10 +1,10 @@
 // server/api/[model]/index.post.ts
 import { eventHandler, getRouterParams, readBody } from 'h3'
 import type { H3Event } from 'h3'
-// @ts-expect-error - #imports is a virtual alias
+// @ts-expect-error - '#imports' is a virtual alias
 import { getUserSession } from '#imports'
-import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
-// @ts-expect-error - hub:db is a virtual alias
+import { getTableForModel, getZodSchema } from '../../utils/modelMapper'
+// @ts-expect-error - 'hub:db' is a virtual alias
 import { db } from 'hub:db'
 import { ensureResourceAccess, formatResourceResult, hashPayloadFields } from '../../utils/handler'
 
@@ -15,7 +15,8 @@ export default eventHandler(async (event) => {
   const table = getTableForModel(model)
 
   const body = await readBody(event)
-  const payload = filterUpdatableFields(model, body)
+  const schema = getZodSchema(model, 'insert')
+  const payload = await schema.parseAsync(body)
 
   // Custom check for status update permission (or just remove it during creation as per requirement)
   if ('status' in payload) {

package/src/runtime/server/api/_meta.get.ts

@@ -0,0 +1,111 @@
+import { eventHandler, getQuery, getHeader } from 'h3'
+import { getTableForModel, getAvailableModels } from '../utils/modelMapper'
+import { getTableColumns as getDrizzleTableColumns } from 'drizzle-orm'
+import { getTableConfig } from 'drizzle-orm/sqlite-core'
+import { PROTECTED_FIELDS, HIDDEN_FIELDS } from '../utils/constants'
+// @ts-expect-error - 'hub:db' is a virtual alias
+import { db } from 'hub:db'
+import { ensureAuthenticated } from '../utils/auth'
+
+export default eventHandler(async (event) => {
+  await ensureAuthenticated(event)
+
+  const query = getQuery(event)
+  const acceptHeader = getHeader(event, 'accept') || ''
+
+  const models = getAvailableModels().length > 0
+    ? getAvailableModels()
+    : Object.keys(db?.query || {})
+
+  const resources = models.map((model) => {
+    try {
+      const table = getTableForModel(model)
+      const columns = getDrizzleTableColumns(table)
+      const config = getTableConfig(table)
+
+      const fields = Object.entries(columns)
+        .filter(([name]) => !HIDDEN_FIELDS.includes(name))
+        .map(([name, col]) => {
+          let references = null
+          // @ts-expect-error - Drizzle foreign key internals
+          const fk = config?.foreignKeys.find(f => f.reference().columns[0].name === col.name)
+
+          if (fk) {
+            // @ts-expect-error - Drizzle internals
+            references = fk.reference().foreignTable[Symbol.for('drizzle:Name')]
+          }
+          // @ts-expect-error - Drizzle internal referenceConfig
+          else if (col.referenceConfig?.foreignTable) {
+            // @ts-expect-error - Drizzle internal referenceConfig
+            const foreignTable = col.referenceConfig.foreignTable
+            references = foreignTable[Symbol.for('drizzle:Name')] || foreignTable.name
+          }
+
+          const semanticType = col.columnType.toLowerCase().replace('sqlite', '')
+
+          return {
+            name,
+            type: semanticType,
+            required: col.notNull || false,
+            isEnum: !!col.enumValues,
+            options: col.enumValues || null,
+            references,
+            isRelation: !!references,
+            // Agentic Hint: Is this field writable by the user/agent?
+            isReadOnly: PROTECTED_FIELDS.includes(name),
+          }
+        })
+
+      const fieldNames = fields.map(f => f.name)
+      const labelField = fieldNames.find(n => n === 'name')
+        || fieldNames.find(n => n === 'title')
+        || fieldNames.find(n => n === 'email')
+        || 'id'
+
+      return {
+        resource: model,
+        endpoint: `/api/${model}`,
+        labelField,
+        methods: ['GET', 'POST', 'PATCH', 'DELETE'],
+        fields,
+      }
+    }
+    catch {
+      return null
+    }
+  }).filter(Boolean)
+
+  const payload = {
+    architecture: 'Clifland-NAC',
+    version: '1.0.0-agentic',
+    resources,
+  }
+
+  const currentToken = getQuery(event).token || (getHeader(event, 'authorization')?.split(' ')[1])
+  const tokenSuffix = currentToken ? `?token=${currentToken}` : ''
+
+  // --- CONTENT NEGOTIATION FOR AGENTIC TOOLS ---
+  if (query.format === 'md' || acceptHeader.includes('text/markdown')) {
+    let markdown = `# ${payload.architecture} API Manifest (v${payload.version})\n\n`
+
+    payload.resources.forEach((res) => {
+      if (!res) return
+      markdown += `### Resource: ${res.resource}\n`
+      markdown += `- **Endpoint**: \`${res.endpoint}${tokenSuffix}\`\n`
+      markdown += `- **Methods**: ${res.methods.join(', ')}\n`
+      markdown += `- **Primary Label**: \`${res.labelField}\`\n\n`
+      markdown += `| Field | Type | Required | Writable | Details |\n`
+      markdown += `| :--- | :--- | :--- | :--- | :--- |\n`
+
+      res.fields.forEach((f) => {
+        const details = f.isEnum && f.options ? `Options: ${f.options.join(', ')}` : (f.references ? `Refs: ${f.references}` : '-')
+        markdown += `| ${f.name} | ${f.type} | ${f.required ? '✅' : '❌'} | ${f.isReadOnly ? '❌' : '✅'} | ${details} |\n`
+      })
+      markdown += `\n---\n`
+    })
+
+    return markdown
+  }
+
+  return payload
+})

package/src/runtime/server/utils/auth.ts

@@ -15,6 +15,18 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
     return true
   }
 
+  // 1. Bearer Token or Query Check (Agentic/MCP Tooling)
+  const authHeader = getHeader(event, 'authorization')
+  const query = getQuery(event)
+  const apiToken = useRuntimeConfig(event).apiSecretToken
+
+  // Extract token from Header or fallback to Query param
+  const token = (authHeader?.startsWith('Bearer ') ? authHeader.split(' ')[1] : null) || query.token
+
+  if (token && apiToken && token === apiToken) {
+    return true
+  }
+
   if (auth.type === 'jwt') {
     if (!auth.jwtSecret) {
       console.warn('JWT Secret is not configured but auth type is jwt')
@@ -113,15 +125,28 @@ export async function checkAdminAccess(event: H3Event, model: string, action: st
 
 export async function ensureAuthenticated(event: H3Event): Promise<void> {
   const { auth } = useAutoCrudConfig()
+  const runtimeConfig = useRuntimeConfig(event)
 
   if (!auth?.authentication) return
 
-  if (auth.type === 'jwt' && auth.jwtSecret) {
-    if (!await verifyJwtToken(event, auth.jwtSecret)) {
-      throw createError({ statusCode: 401, message: 'Unauthorized' })
-    }
+  // Extract Token: Priority 1: Authorization Header | Priority 2: Query String (?token=)
+  const authHeader = getHeader(event, 'authorization')
+  const query = getQuery(event)
+  const apiToken = runtimeConfig.apiSecretToken
+
+  const token = (authHeader?.startsWith('Bearer ') ? authHeader.split(' ')[1] : null) || query.token
+
+  // 1. API Token Check (Agentic/MCP)
+  if (token && apiToken && token === apiToken) {
     return
   }
 
+  // 2. JWT Check
+  if (auth.type === 'jwt' && auth.jwtSecret) {
+    if (await verifyJwtToken(event, auth.jwtSecret)) return
+    throw createError({ statusCode: 401, statusMessage: 'Unauthorized' })
+  }
+
+  // 3. Session Check (Standard UI)
   await (requireUserSession as (event: H3Event) => Promise<void>)(event)
 }

package/src/runtime/server/utils/constants.ts

@@ -0,0 +1,25 @@
+export const PROTECTED_FIELDS = [
+  'id',
+  'createdAt', 'updatedAt', 'deletedAt',
+  'createdBy', 'updatedBy', 'deletedBy',
+  'created_at', 'updated_at', 'deleted_at',
+  'created_by', 'updated_by', 'deleted_by',
+]
+
+export const HIDDEN_FIELDS = [
+  // Sensitive Auth
+  'password',
+  'resetToken', 'reset_token',
+  'resetExpires', 'reset_expires',
+  'githubId', 'github_id',
+  'googleId', 'google_id',
+  'secret',
+  'token',
+  // System Fields (Leakage prevention)
+  'deletedAt',
+  'createdBy',
+  'updatedBy',
+  'deleted_at',
+  'created_by',
+  'updated_by',
+]