nuxt-auto-crud 1.3.0 → 1.4.0

package/README.md

@@ -1,11 +1,10 @@
 # Nuxt Auto CRUD
 
-[![npm version][npm-version-src]][npm-version-href]
-[![npm downloads][npm-downloads-src]][npm-downloads-href]
-[![License][license-src]][license-href]
-[![Nuxt][nuxt-src]][nuxt-href]
 
-Auto-generate RESTful CRUD APIs for your **Nuxt** application based solely on your database schema. No configuration needed!
+
+> **Note:** This module is currently in its alpha stage. However, you can use it to accelerate MVP development. It has not been tested thoroughly enough for production use; only happy-path testing is performed for each release.
+
+Auto-generate RESTful CRUD APIs for your **Nuxt** application based solely on your database schema. Minimal configuration required.
 
 - [✨ Release Notes](/CHANGELOG.md)
 - [🎮 Try the Playground](/playground)
@@ -27,10 +26,13 @@ Start a new project with everything pre-configured using our template:
 ```bash
 npx nuxi init -t gh:clifordpereira/nuxt-auto-crud_template <project-name>
 cd <project-name>
+bun install
 bun db:generate
 bun run dev
 ```
 
+Detailed instructions can be found in [https://auto-crud.clifland.in/](https://auto-crud.clifland.in/)
+
 ### Add User
 Open Nuxt DevTools (bottom-middle icon) > `...` menu > **Database** icon to add users.
     > **Note:** If the users table doesn't appear, restart the server (`Ctrl + C` and `bun run dev`).
@@ -44,10 +46,16 @@ Visit [http://localhost:3000/api/users](http://localhost:3000/api/users).
 
 If you want to add `nuxt-auto-crud` to an existing project, follow these steps:
 
+> **Note:** These instructions assume you are using NuxtHub. If you are using a custom SQLite setup (e.g. better-sqlite3, Turso), please see [Custom Setup](./custom-setup.md).
+
 ### 1. Install dependencies
 
 ```bash
 # Install module and required dependencies
+npm install nuxt-auto-crud @nuxthub/core@latest drizzle-orm
+npm install --save-dev wrangler drizzle-kit
+
+# Or using bun
 bun add nuxt-auto-crud @nuxthub/core@latest drizzle-orm
 bun add --dev wrangler drizzle-kit
 ```
@@ -161,11 +169,11 @@ Want to see it in action? Clone this repo and try the playground:
 git clone https://github.com/clifordpereira/nuxt-auto-crud.git
 cd nuxt-auto-crud
 
-# Install dependencies
+# Install dependencies (parent folder)
 bun install
 
-# Run the playground
-cd playground
+# Run the playground (fullstack with auth)
+cd playground-fullstack
 bun install
 bun db:generate
 bun run dev
@@ -219,7 +227,57 @@ await $fetch("/api/users/1", {
 });
 ```
 
-## ⚙️ Configuration
+## Use Cases
+
+### 1. Full-stack App (with Auth)
+
+If you are building a full-stack Nuxt application, you can easily integrate `nuxt-auth-utils` and `nuxt-authorization` to secure your auto-generated APIs.
+
+First, install the modules:
+
+```bash
+npx nuxi@latest module add auth-utils
+npm install nuxt-authorization
+```
+
+Then, configure `nuxt-auto-crud` in your `nuxt.config.ts`:
+
+```ts
+export default defineNuxtConfig({
+  modules: [
+    'nuxt-auto-crud',
+    'nuxt-auth-utils'
+  ],
+  autoCrud: {
+    auth: {
+      enabled: true, // Enables requireUserSession() check
+      authorization: true // Enables authorize(model, action) check
+    }
+  }
+})
+```
+
+When `authorization` is enabled, the module will call `authorize(model, action)` where action is one of: `create`, `read`, `update`, `delete`.
+
+### 2. Backend-only App (API Mode)
+
+If you are using Nuxt as a backend for a separate client application (e.g., mobile app, SPA), you can use this module to quickly generate REST APIs.
+
+In this case, you might handle authentication differently (e.g., validating tokens in middleware) or disable the built-in auth checks if you have a global auth middleware.
+
+```ts
+export default defineNuxtConfig({
+  modules: ['nuxt-auto-crud'],
+  autoCrud: {
+    auth: {
+      enabled: false, // Default
+      authorization: false // Default
+    }
+  }
+})
+```
+
+## Configuration
 
 ### Module Options
 
@@ -242,11 +300,21 @@ By default, the following fields are protected from updates:
 
 You can customize updatable fields in your schema by modifying the `modelMapper.ts` utility.
 
+### Hidden Fields
+
+By default, the following fields are hidden from API responses for security:
+
+- `password`
+- `secret`
+- `token`
+
+You can customize hidden fields by modifying the `modelMapper.ts` utility.
+
 ## 🔧 Requirements
 
 - Nuxt 3 or 4
-- NuxtHub (for database functionality)
-- Drizzle ORM
+- Drizzle ORM (SQLite)
+- NuxtHub (Recommended) or [Custom SQLite Setup](./custom-setup.md)
 
 ## 🤝 Contributing
 

package/dist/module.d.mts

@@ -1,7 +1,6 @@
 import * as _nuxt_schema from '@nuxt/schema';
 
 interface ModuleOptions {
-    /**
     /**
      * Path to the database schema file
      * @default 'server/database/schema'
@@ -12,6 +11,55 @@ interface ModuleOptions {
      * @default 'server/utils/drizzle'
      */
     drizzlePath?: string;
+    /**
+     * Authentication configuration
+     */
+    auth?: {
+        /**
+         * Authentication type
+         * @default 'session'
+         */
+        type?: 'session' | 'jwt';
+        /**
+         * JWT Secret (required if type is 'jwt')
+         */
+        jwtSecret?: string;
+        /**
+         * Enable authentication checks (requires nuxt-auth-utils for session)
+         * @default false
+         */
+        enabled: boolean;
+        /**
+         * Enable authorization checks (requires nuxt-authorization)
+         * @default false
+         */
+        authorization?: boolean;
+    };
+    /**
+     * Resource-specific configuration
+     * Define public access and column visibility
+     */
+    resources?: {
+        [modelName: string]: {
+            /**
+             * Actions allowed without authentication
+             * true = all actions
+             * array = specific actions ('list', 'create', 'read', 'update', 'delete')
+             */
+            public?: boolean | ('list' | 'create' | 'read' | 'update' | 'delete')[];
+            /**
+             * Columns to return for unauthenticated requests
+             * If not specified, all columns (except hidden ones) are returned
+             */
+            publicColumns?: string[];
+        };
+    };
+}
+
+declare module '@nuxt/schema' {
+    interface RuntimeConfig {
+        autoCrud: ModuleOptions;
+    }
 }
 declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
 

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-auto-crud",
   "configKey": "autoCrud",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -9,7 +9,7 @@ const module$1 = defineNuxtModule({
     schemaPath: "server/database/schema",
     drizzlePath: "server/utils/drizzle"
   },
-  setup(options, nuxt) {
+  async setup(options, nuxt) {
     const resolver = createResolver(import.meta.url);
     const schemaPath = resolver.resolve(
       nuxt.options.rootDir,
@@ -21,6 +21,29 @@ const module$1 = defineNuxtModule({
       options.drizzlePath
     );
     nuxt.options.alias["#site/drizzle"] = drizzlePath;
+    nuxt.options.alias["#authorization"] = nuxt.options.alias["#authorization"] || "nuxt-authorization/utils";
+    const { loadConfig } = await import('c12');
+    const { config: externalConfig } = await loadConfig({
+      name: "autocrud",
+      cwd: nuxt.options.rootDir
+    });
+    const mergedAuth = {
+      ...externalConfig?.auth,
+      ...options.auth
+    };
+    const mergedResources = {
+      ...externalConfig?.resources,
+      ...options.resources
+    };
+    nuxt.options.runtimeConfig.autoCrud = {
+      auth: {
+        enabled: mergedAuth.enabled ?? false,
+        authorization: mergedAuth.authorization ?? false,
+        type: mergedAuth.type ?? "session",
+        jwtSecret: mergedAuth.jwtSecret
+      },
+      resources: mergedResources || {}
+    };
     const apiDir = resolver.resolve("./runtime/server/api");
     addServerHandler({
       route: "/api/:model",

package/dist/runtime/server/api/[model]/[id].delete.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Record<string, unknown>>>;
 export default _default;

package/dist/runtime/server/api/[model]/[id].delete.js

@@ -1,9 +1,23 @@
 import { eventHandler, getRouterParams, createError } from "h3";
 import { eq } from "drizzle-orm";
-import { getTableForModel, getModelSingularName } from "../../utils/modelMapper.js";
+import { getTableForModel, getModelSingularName, filterHiddenFields, filterPublicColumns } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
+import { useAutoCrudConfig } from "../../utils/config.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
+  const { resources } = useAutoCrudConfig();
   const { model, id } = getRouterParams(event);
+  const isAdmin = await checkAdminAccess(event, model, "delete");
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model];
+    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("delete");
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: "Unauthorized"
+      });
+    }
+  }
   const table = getTableForModel(model);
   const singularName = getModelSingularName(model);
   const deletedRecord = await useDrizzle().delete(table).where(eq(table.id, Number(id))).returning().get();
@@ -13,5 +27,9 @@ export default eventHandler(async (event) => {
       message: `${singularName} not found`
     });
   }
-  return deletedRecord;
+  if (isAdmin) {
+    return filterHiddenFields(model, deletedRecord);
+  } else {
+    return filterPublicColumns(model, deletedRecord);
+  }
 });

package/dist/runtime/server/api/[model]/[id].get.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Record<string, unknown>>>;
 export default _default;

package/dist/runtime/server/api/[model]/[id].get.js

@@ -1,17 +1,34 @@
 import { eventHandler, getRouterParams, createError } from "h3";
 import { eq } from "drizzle-orm";
-import { getTableForModel, getModelSingularName } from "../../utils/modelMapper.js";
+import { getTableForModel, filterHiddenFields, filterPublicColumns } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
+import { useAutoCrudConfig } from "../../utils/config.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
+  const { resources } = useAutoCrudConfig();
   const { model, id } = getRouterParams(event);
+  const isAdmin = await checkAdminAccess(event, model, "read");
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model];
+    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("read");
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: "Unauthorized"
+      });
+    }
+  }
   const table = getTableForModel(model);
-  const singularName = getModelSingularName(model);
   const record = await useDrizzle().select().from(table).where(eq(table.id, Number(id))).get();
   if (!record) {
     throw createError({
       statusCode: 404,
-      message: `${singularName} not found`
+      message: "Record not found"
     });
   }
-  return record;
+  if (isAdmin) {
+    return filterHiddenFields(model, record);
+  } else {
+    return filterPublicColumns(model, record);
+  }
 });

package/dist/runtime/server/api/[model]/[id].patch.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Record<string, unknown>>>;
 export default _default;

package/dist/runtime/server/api/[model]/[id].patch.js

@@ -1,12 +1,36 @@
-import { eventHandler, getRouterParams, readBody } from "h3";
+import { eventHandler, getRouterParams, readBody, createError } from "h3";
 import { eq } from "drizzle-orm";
-import { getTableForModel, filterUpdatableFields } from "../../utils/modelMapper.js";
+import { getTableForModel, filterUpdatableFields, filterHiddenFields, filterPublicColumns } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
+import { useAutoCrudConfig } from "../../utils/config.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
+  const { resources } = useAutoCrudConfig();
   const { model, id } = getRouterParams(event);
+  const isAdmin = await checkAdminAccess(event, model, "update");
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model];
+    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("update");
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: "Unauthorized"
+      });
+    }
+  }
   const table = getTableForModel(model);
   const body = await readBody(event);
-  const updateData = filterUpdatableFields(model, body);
-  const record = await useDrizzle().update(table).set(updateData).where(eq(table.id, Number(id))).returning().get();
-  return record;
+  const payload = filterUpdatableFields(model, body);
+  const updatedRecord = await useDrizzle().update(table).set(payload).where(eq(table.id, Number(id))).returning().get();
+  if (!updatedRecord) {
+    throw createError({
+      statusCode: 404,
+      message: "Record not found"
+    });
+  }
+  if (isAdmin) {
+    return filterHiddenFields(model, updatedRecord);
+  } else {
+    return filterPublicColumns(model, updatedRecord);
+  }
 });

package/dist/runtime/server/api/[model]/index.get.js

@@ -1,9 +1,30 @@
-import { eventHandler, getRouterParams } from "h3";
-import { getTableForModel } from "../../utils/modelMapper.js";
+import { eventHandler, getRouterParams, createError } from "h3";
+import { getTableForModel, filterHiddenFields, filterPublicColumns } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
+import { useAutoCrudConfig } from "../../utils/config.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
+  console.log("[GET] Request received", event.path);
+  const { resources } = useAutoCrudConfig();
   const { model } = getRouterParams(event);
+  const isAdmin = await checkAdminAccess(event, model, "list");
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model];
+    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("list");
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: "Unauthorized"
+      });
+    }
+  }
   const table = getTableForModel(model);
-  const records = await useDrizzle().select().from(table).all();
-  return records;
+  const results = await useDrizzle().select().from(table).all();
+  return results.map((item) => {
+    if (isAdmin) {
+      return filterHiddenFields(model, item);
+    } else {
+      return filterPublicColumns(model, item);
+    }
+  });
 });

package/dist/runtime/server/api/[model]/index.post.d.ts

@@ -1,2 +1,2 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<any>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<Record<string, unknown>>>;
 export default _default;

package/dist/runtime/server/api/[model]/index.post.js

@@ -1,14 +1,29 @@
-import { eventHandler, getRouterParams, readBody } from "h3";
-import { getTableForModel } from "../../utils/modelMapper.js";
+import { eventHandler, getRouterParams, readBody, createError } from "h3";
+import { getTableForModel, filterHiddenFields, filterUpdatableFields, filterPublicColumns } from "../../utils/modelMapper.js";
 import { useDrizzle } from "#site/drizzle";
+import { useAutoCrudConfig } from "../../utils/config.js";
+import { checkAdminAccess } from "../../utils/auth.js";
 export default eventHandler(async (event) => {
+  const { resources } = useAutoCrudConfig();
   const { model } = getRouterParams(event);
+  const isAdmin = await checkAdminAccess(event, model, "create");
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model];
+    const isPublic = resourceConfig?.public === true || Array.isArray(resourceConfig?.public) && resourceConfig.public.includes("create");
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: "Unauthorized"
+      });
+    }
+  }
   const table = getTableForModel(model);
   const body = await readBody(event);
-  const values = {
-    ...body,
-    createdAt: /* @__PURE__ */ new Date()
-  };
-  const record = await useDrizzle().insert(table).values(values).returning().get();
-  return record;
+  const payload = filterUpdatableFields(model, body);
+  const newRecord = await useDrizzle().insert(table).values(payload).returning().get();
+  if (isAdmin) {
+    return filterHiddenFields(model, newRecord);
+  } else {
+    return filterPublicColumns(model, newRecord);
+  }
 });

package/dist/runtime/server/utils/auth.d.ts

@@ -0,0 +1,2 @@
+import type { H3Event } from 'h3';
+export declare function checkAdminAccess(event: H3Event, model: string, action: string): Promise<boolean>;

package/dist/runtime/server/utils/auth.js

@@ -0,0 +1,39 @@
+import { createError } from "h3";
+import { useAutoCrudConfig } from "./config.js";
+import { verifyJwtToken } from "./jwt.js";
+export async function checkAdminAccess(event, model, action) {
+  const { auth } = useAutoCrudConfig();
+  if (!auth?.enabled) {
+    return true;
+  }
+  if (auth.type === "jwt") {
+    if (!auth.jwtSecret) {
+      console.warn("JWT Secret is not configured but auth type is jwt");
+      return false;
+    }
+    return verifyJwtToken(event, auth.jwtSecret);
+  }
+  if (typeof requireUserSession !== "function") {
+    throw new TypeError("requireUserSession is not available");
+  }
+  try {
+    await requireUserSession(event);
+    if (auth.authorization) {
+      if (event.context.ability) {
+        const can = event.context.ability.can(action, model);
+        if (!can) {
+          throw createError({
+            statusCode: 403,
+            message: "Forbidden"
+          });
+        }
+      }
+    }
+    return true;
+  } catch (e) {
+    if (e.statusCode === 403) {
+      throw e;
+    }
+    return false;
+  }
+}

package/dist/runtime/server/utils/config.d.ts

@@ -0,0 +1,2 @@
+import type { ModuleOptions } from '../../../types.js';
+export declare const useAutoCrudConfig: () => ModuleOptions;

package/dist/runtime/server/utils/config.js

@@ -0,0 +1,4 @@
+import { useRuntimeConfig } from "#imports";
+export const useAutoCrudConfig = () => {
+  return useRuntimeConfig().autoCrud;
+};

package/dist/runtime/server/utils/jwt.d.ts

@@ -0,0 +1,2 @@
+import type { H3Event } from 'h3';
+export declare function verifyJwtToken(event: H3Event, secret: string): Promise<boolean>;

package/dist/runtime/server/utils/jwt.js

@@ -0,0 +1,19 @@
+import { jwtVerify } from "jose";
+import { getRequestHeader } from "h3";
+export async function verifyJwtToken(event, secret) {
+  const authHeader = getRequestHeader(event, "Authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    return false;
+  }
+  const token = authHeader.split(" ")[1];
+  if (!token) {
+    return false;
+  }
+  try {
+    const secretKey = new TextEncoder().encode(secret);
+    await jwtVerify(token, secretKey);
+    return true;
+  } catch {
+    return false;
+  }
+}

package/dist/runtime/server/utils/modelMapper.d.ts

@@ -9,6 +9,11 @@ import type { SQLiteTable } from 'drizzle-orm/sqlite-core';
  * }
  */
 export declare const customUpdatableFields: Record<string, string[]>;
+/**
+ * Custom hidden fields configuration (optional)
+ * Only define here if you want to override the default hidden fields
+ */
+export declare const customHiddenFields: Record<string, string[]>;
 /**
  * Auto-generated model table map
  * Automatically includes all tables from schema
@@ -53,3 +58,29 @@ export declare function getModelPluralName(modelName: string): string;
  * @returns Array of model names
  */
 export declare function getAvailableModels(): string[];
+/**
+ * Gets the hidden fields for a model
+ * @param modelName - The name of the model
+ * @returns Array of field names that should be hidden
+ */
+export declare function getHiddenFields(modelName: string): string[];
+/**
+ * Gets the public columns for a model
+ * @param modelName - The name of the model
+ * @returns Array of field names that are public (or undefined if all are public)
+ */
+export declare function getPublicColumns(modelName: string): string[] | undefined;
+/**
+ * Filters an object to only include public columns (if configured)
+ * @param modelName - The name of the model
+ * @param data - The data object to filter
+ * @returns Filtered object
+ */
+export declare function filterPublicColumns(modelName: string, data: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Filters an object to exclude hidden fields
+ * @param modelName - The name of the model
+ * @param data - The data object to filter
+ * @returns Filtered object without hidden fields
+ */
+export declare function filterHiddenFields(modelName: string, data: Record<string, unknown>): Record<string, unknown>;

package/dist/runtime/server/utils/modelMapper.js

@@ -3,11 +3,16 @@ import pluralize from "pluralize";
 import { pascalCase } from "scule";
 import { getTableColumns as getDrizzleTableColumns } from "drizzle-orm";
 import { createError } from "h3";
+import { useRuntimeConfig } from "#imports";
 const PROTECTED_FIELDS = ["id", "createdAt", "created_at"];
+const HIDDEN_FIELDS = ["password", "secret", "token"];
 export const customUpdatableFields = {
   // Add custom field restrictions here if needed
   // By default, all fields except PROTECTED_FIELDS are updatable
 };
+export const customHiddenFields = {
+  // Add custom hidden fields here if needed
+};
 function buildModelTableMap() {
   const tableMap = {};
   for (const [key, value] of Object.entries(schema)) {
@@ -72,3 +77,36 @@ export function getModelPluralName(modelName) {
 export function getAvailableModels() {
   return Object.keys(modelTableMap);
 }
+export function getHiddenFields(modelName) {
+  if (customHiddenFields[modelName]) {
+    return customHiddenFields[modelName];
+  }
+  return HIDDEN_FIELDS;
+}
+export function getPublicColumns(modelName) {
+  const { resources } = useRuntimeConfig().autoCrud;
+  return resources?.[modelName]?.publicColumns;
+}
+export function filterPublicColumns(modelName, data) {
+  const publicColumns = getPublicColumns(modelName);
+  if (!publicColumns) {
+    return filterHiddenFields(modelName, data);
+  }
+  const filtered = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (publicColumns.includes(key) && !getHiddenFields(modelName).includes(key)) {
+      filtered[key] = value;
+    }
+  }
+  return filtered;
+}
+export function filterHiddenFields(modelName, data) {
+  const hiddenFields = getHiddenFields(modelName);
+  const filtered = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (!hiddenFields.includes(key)) {
+      filtered[key] = value;
+    }
+  }
+  return filtered;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",
@@ -35,21 +35,24 @@
   ],
   "scripts": {
     "prepack": "nuxt-module-build build",
-    "dev": "npm run dev:prepare && nuxi dev playground",
-    "dev:build": "nuxi build playground",
-    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground",
+    "dev": "npm run dev:prepare && nuxi dev playground-fullstack",
+    "dev:build": "nuxi build playground-fullstack",
+    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground-fullstack",
     "release": "npm run lint && npm run test && npm run prepack && changelogen --release && npm publish && git push --follow-tags",
     "lint": "eslint .",
     "test": "vitest run",
+    "test:api": "node scripts/test-api.mjs",
     "test:watch": "vitest watch",
-    "test:types": "vue-tsc --noEmit && cd playground && vue-tsc --noEmit",
+    "test:types": "vue-tsc --noEmit && cd playground-fullstack && vue-tsc --noEmit",
     "link": "npm link"
   },
   "dependencies": {
     "@nuxt/kit": "^4.2.1",
     "@types/pluralize": "^0.0.33",
     "pluralize": "^8.0.0",
-    "scule": "^1.0.0"
+    "scule": "^1.0.0",
+    "c12": "^2.0.1",
+    "jose": "^5.9.6"
   },
   "peerDependencies": {
     "drizzle-orm": "^0.30.0"
@@ -60,12 +63,19 @@
     "@nuxt/module-builder": "^1.0.2",
     "@nuxt/schema": "^4.2.1",
     "@nuxt/test-utils": "^3.20.1",
+    "@nuxthub/core": "^0.9.1",
     "@types/node": "latest",
+    "better-sqlite3": "^12.4.6",
     "changelogen": "^0.6.2",
+    "drizzle-kit": "^0.31.7",
+    "drizzle-orm": "^0.38.3",
     "eslint": "^9.39.1",
     "nuxt": "^4.2.1",
+    "nuxt-auth-utils": "^0.5.25",
+    "nuxt-authorization": "^0.3.5",
     "typescript": "~5.9.3",
     "vitest": "^4.0.13",
-    "vue-tsc": "^3.1.5"
+    "vue-tsc": "^3.1.5",
+    "wrangler": "^4.51.0"
   }
 }

package/src/runtime/server/api/[model]/[id].delete.ts

@@ -1,15 +1,36 @@
 // server/api/[model]/[id].delete.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, getModelSingularName } from '../../utils/modelMapper'
+import { getTableForModel, getModelSingularName, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model, id } = getRouterParams(event)
+  const { resources } = useAutoCrudConfig()
+  const { model, id } = getRouterParams(event) as { model: string, id: string }
+
+  const isAdmin = await checkAdminAccess(event, model, 'delete')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('delete'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model) as TableWithId
+
   const singularName = getModelSingularName(model)
 
   const deletedRecord = await useDrizzle()
@@ -25,5 +46,10 @@ export default eventHandler(async (event) => {
     })
   }
 
-  return deletedRecord
+  if (isAdmin) {
+    return filterHiddenFields(model, deletedRecord as Record<string, unknown>)
+  }
+  else {
+    return filterPublicColumns(model, deletedRecord as Record<string, unknown>)
+  }
 })

package/src/runtime/server/api/[model]/[id].get.ts

@@ -1,16 +1,35 @@
 // server/api/[model]/[id].get.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, getModelSingularName } from '../../utils/modelMapper'
+import { getTableForModel, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model, id } = getRouterParams(event)
+  const { resources } = useAutoCrudConfig()
+  const { model, id } = getRouterParams(event) as { model: string, id: string }
+
+  const isAdmin = await checkAdminAccess(event, model, 'read')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('read'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model) as TableWithId
-  const singularName = getModelSingularName(model)
 
   const record = await useDrizzle()
     .select()
@@ -21,9 +40,14 @@ export default eventHandler(async (event) => {
   if (!record) {
     throw createError({
       statusCode: 404,
-      message: `${singularName} not found`,
+      message: 'Record not found',
     })
   }
 
-  return record
+  if (isAdmin) {
+    return filterHiddenFields(model, record as Record<string, unknown>)
+  }
+  else {
+    return filterPublicColumns(model, record as Record<string, unknown>)
+  }
 })

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -1,26 +1,57 @@
 // server/api/[model]/[id].patch.ts
-import { eventHandler, getRouterParams, readBody } from 'h3'
+import { eventHandler, getRouterParams, readBody, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
+import { getTableForModel, filterUpdatableFields, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model, id } = getRouterParams(event)
+  const { resources } = useAutoCrudConfig()
+  const { model, id } = getRouterParams(event) as { model: string, id: string }
+
+  const isAdmin = await checkAdminAccess(event, model, 'update')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('update'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model) as TableWithId
-  const body = await readBody(event)
 
-  // Filter to only allow updatable fields for this model
-  const updateData = filterUpdatableFields(model, body)
+  const body = await readBody(event)
+  const payload = filterUpdatableFields(model, body)
 
-  const record = await useDrizzle()
+  const updatedRecord = await useDrizzle()
     .update(table)
-    .set(updateData)
+    .set(payload)
     .where(eq(table.id, Number(id)))
     .returning()
     .get()
 
-  return record
+  if (!updatedRecord) {
+    throw createError({
+      statusCode: 404,
+      message: 'Record not found',
+    })
+  }
+
+  if (isAdmin) {
+    return filterHiddenFields(model, updatedRecord as Record<string, unknown>)
+  }
+  else {
+    return filterPublicColumns(model, updatedRecord as Record<string, unknown>)
+  }
 })

package/src/runtime/server/api/[model]/index.get.ts

@@ -1,15 +1,43 @@
 // server/api/[model]/index.get.ts
-import { eventHandler, getRouterParams } from 'h3'
-import { getTableForModel } from '../../utils/modelMapper'
+import { eventHandler, getRouterParams, createError } from 'h3'
+import { getTableForModel, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model } = getRouterParams(event)
+  console.log('[GET] Request received', event.path)
+  const { resources } = useAutoCrudConfig()
+  const { model } = getRouterParams(event) as { model: string }
+
+  const isAdmin = await checkAdminAccess(event, model, 'list')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('list'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model)
 
-  const records = await useDrizzle().select().from(table).all()
+  const results = await useDrizzle().select().from(table).all()
 
-  return records
+  return results.map((item: Record<string, unknown>) => {
+    if (isAdmin) {
+      return filterHiddenFields(model, item as Record<string, unknown>)
+    }
+    else {
+      return filterPublicColumns(model, item as Record<string, unknown>)
+    }
+  })
 })

package/src/runtime/server/api/[model]/index.post.ts

@@ -1,26 +1,43 @@
 // server/api/[model]/index.post.ts
-import { eventHandler, getRouterParams, readBody } from 'h3'
-import { getTableForModel } from '../../utils/modelMapper'
+import { eventHandler, getRouterParams, readBody, createError } from 'h3'
+import { getTableForModel, filterHiddenFields, filterUpdatableFields, filterPublicColumns } from '../../utils/modelMapper'
 
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model } = getRouterParams(event)
-  const table = getTableForModel(model)
-  const body = await readBody(event)
+  const { resources } = useAutoCrudConfig()
+  const { model } = getRouterParams(event) as { model: string }
 
-  // Add createdAt timestamp
-  const values = {
-    ...body,
-    createdAt: new Date(),
+  const isAdmin = await checkAdminAccess(event, model, 'create')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('create'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
   }
 
-  const record = await useDrizzle()
-    .insert(table)
-    .values(values)
-    .returning()
-    .get()
+  const table = getTableForModel(model)
 
-  return record
+  const body = await readBody(event)
+  const payload = filterUpdatableFields(model, body)
+
+  const newRecord = await useDrizzle().insert(table).values(payload).returning().get()
+
+  if (isAdmin) {
+    return filterHiddenFields(model, newRecord as Record<string, unknown>)
+  }
+  else {
+    return filterPublicColumns(model, newRecord as Record<string, unknown>)
+  }
 })

package/src/runtime/server/utils/auth.ts

@@ -0,0 +1,55 @@
+import type { H3Event } from 'h3'
+import { createError } from 'h3'
+import { useAutoCrudConfig } from './config'
+import { verifyJwtToken } from './jwt'
+
+export async function checkAdminAccess(event: H3Event, model: string, action: string): Promise<boolean> {
+  const { auth } = useAutoCrudConfig()
+
+  if (!auth?.enabled) {
+    return true
+  }
+
+  if (auth.type === 'jwt') {
+    if (!auth.jwtSecret) {
+      console.warn('JWT Secret is not configured but auth type is jwt')
+      return false
+    }
+    return verifyJwtToken(event, auth.jwtSecret)
+  }
+
+  // Session based (default)
+  // @ts-expect-error - requireUserSession is auto-imported
+  if (typeof requireUserSession !== 'function') {
+    throw new TypeError('requireUserSession is not available')
+  }
+
+  try {
+    // @ts-expect-error - requireUserSession is auto-imported
+    await requireUserSession(event)
+
+    // Check authorization if enabled
+    if (auth.authorization) {
+      if (event.context.ability) {
+        const can = event.context.ability.can(action, model)
+        if (!can) {
+          throw createError({
+            statusCode: 403,
+            message: 'Forbidden',
+          })
+        }
+      }
+    }
+
+    return true
+  }
+  catch (e: unknown) {
+    // If it's a 403 (Forbidden) from our ability check, rethrow it
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    if ((e as any).statusCode === 403) {
+      throw e
+    }
+    // Otherwise (401 from requireUserSession), return false (treat as guest)
+    return false
+  }
+}

package/src/runtime/server/utils/config.ts

@@ -0,0 +1,6 @@
+import { useRuntimeConfig } from '#imports'
+import type { ModuleOptions } from '../../../types'
+
+export const useAutoCrudConfig = (): ModuleOptions => {
+  return useRuntimeConfig().autoCrud as ModuleOptions
+}

package/src/runtime/server/utils/jwt.ts

@@ -0,0 +1,23 @@
+import { jwtVerify } from 'jose'
+import type { H3Event } from 'h3'
+import { getRequestHeader } from 'h3'
+
+export async function verifyJwtToken(event: H3Event, secret: string): Promise<boolean> {
+  const authHeader = getRequestHeader(event, 'Authorization')
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return false
+  }
+
+  const token = authHeader.split(' ')[1]
+  if (!token) {
+    return false
+  }
+  try {
+    const secretKey = new TextEncoder().encode(secret)
+    await jwtVerify(token, secretKey)
+    return true
+  }
+  catch {
+    return false
+  }
+}

package/src/runtime/server/utils/modelMapper.ts

@@ -6,12 +6,18 @@ import { pascalCase } from 'scule'
 import { getTableColumns as getDrizzleTableColumns } from 'drizzle-orm'
 import type { SQLiteTable } from 'drizzle-orm/sqlite-core'
 import { createError } from 'h3'
+import { useRuntimeConfig } from '#imports'
 
 /**
  * Fields that should never be updatable via PATCH requests
  */
 const PROTECTED_FIELDS = ['id', 'createdAt', 'created_at']
 
+/**
+ * Fields that should never be returned in API responses
+ */
+const HIDDEN_FIELDS = ['password', 'secret', 'token']
+
 /**
  * Custom updatable fields configuration (optional)
  * Only define here if you want to override the auto-detection
@@ -26,6 +32,14 @@ export const customUpdatableFields: Record<string, string[]> = {
   // By default, all fields except PROTECTED_FIELDS are updatable
 }
 
+/**
+ * Custom hidden fields configuration (optional)
+ * Only define here if you want to override the default hidden fields
+ */
+export const customHiddenFields: Record<string, string[]> = {
+  // Add custom hidden fields here if needed
+}
+
 /**
  * Automatically builds a map of all exported tables from the schema
  * No manual configuration needed!
@@ -163,3 +177,72 @@ export function getModelPluralName(modelName: string): string {
 export function getAvailableModels(): string[] {
   return Object.keys(modelTableMap)
 }
+
+/**
+ * Gets the hidden fields for a model
+ * @param modelName - The name of the model
+ * @returns Array of field names that should be hidden
+ */
+export function getHiddenFields(modelName: string): string[] {
+  // Check if custom hidden fields are defined for this model
+  if (customHiddenFields[modelName]) {
+    return customHiddenFields[modelName]
+  }
+
+  return HIDDEN_FIELDS
+}
+
+/**
+ * Gets the public columns for a model
+ * @param modelName - The name of the model
+ * @returns Array of field names that are public (or undefined if all are public)
+ */
+export function getPublicColumns(modelName: string): string[] | undefined {
+  const { resources } = useRuntimeConfig().autoCrud
+  return resources?.[modelName]?.publicColumns
+}
+
+/**
+ * Filters an object to only include public columns (if configured)
+ * @param modelName - The name of the model
+ * @param data - The data object to filter
+ * @returns Filtered object
+ */
+export function filterPublicColumns(modelName: string, data: Record<string, unknown>): Record<string, unknown> {
+  const publicColumns = getPublicColumns(modelName)
+
+  // If no public columns configured, return all (except hidden)
+  if (!publicColumns) {
+    return filterHiddenFields(modelName, data)
+  }
+
+  const filtered: Record<string, unknown> = {}
+
+  for (const [key, value] of Object.entries(data)) {
+    // Must be in publicColumns AND not in hidden fields (double safety)
+    if (publicColumns.includes(key) && !getHiddenFields(modelName).includes(key)) {
+      filtered[key] = value
+    }
+  }
+
+  return filtered
+}
+
+/**
+ * Filters an object to exclude hidden fields
+ * @param modelName - The name of the model
+ * @param data - The data object to filter
+ * @returns Filtered object without hidden fields
+ */
+export function filterHiddenFields(modelName: string, data: Record<string, unknown>): Record<string, unknown> {
+  const hiddenFields = getHiddenFields(modelName)
+  const filtered: Record<string, unknown> = {}
+
+  for (const [key, value] of Object.entries(data)) {
+    if (!hiddenFields.includes(key)) {
+      filtered[key] = value
+    }
+  }
+
+  return filtered
+}