nuxt-auto-crud 1.3.0 → 1.5.0

package/dist/runtime/server/utils/jwt.js

@@ -0,0 +1,19 @@
+import { jwtVerify } from "jose";
+import { getRequestHeader } from "h3";
+export async function verifyJwtToken(event, secret) {
+  const authHeader = getRequestHeader(event, "Authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    return false;
+  }
+  const token = authHeader.split(" ")[1];
+  if (!token) {
+    return false;
+  }
+  try {
+    const secretKey = new TextEncoder().encode(secret);
+    await jwtVerify(token, secretKey);
+    return true;
+  } catch {
+    return false;
+  }
+}

package/dist/runtime/server/utils/modelMapper.d.ts

@@ -9,6 +9,11 @@ import type { SQLiteTable } from 'drizzle-orm/sqlite-core';
  * }
  */
 export declare const customUpdatableFields: Record<string, string[]>;
+/**
+ * Custom hidden fields configuration (optional)
+ * Only define here if you want to override the default hidden fields
+ */
+export declare const customHiddenFields: Record<string, string[]>;
 /**
  * Auto-generated model table map
  * Automatically includes all tables from schema
@@ -53,3 +58,29 @@ export declare function getModelPluralName(modelName: string): string;
  * @returns Array of model names
  */
 export declare function getAvailableModels(): string[];
+/**
+ * Gets the hidden fields for a model
+ * @param modelName - The name of the model
+ * @returns Array of field names that should be hidden
+ */
+export declare function getHiddenFields(modelName: string): string[];
+/**
+ * Gets the public columns for a model
+ * @param modelName - The name of the model
+ * @returns Array of field names that are public (or undefined if all are public)
+ */
+export declare function getPublicColumns(modelName: string): string[] | undefined;
+/**
+ * Filters an object to only include public columns (if configured)
+ * @param modelName - The name of the model
+ * @param data - The data object to filter
+ * @returns Filtered object
+ */
+export declare function filterPublicColumns(modelName: string, data: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Filters an object to exclude hidden fields
+ * @param modelName - The name of the model
+ * @param data - The data object to filter
+ * @returns Filtered object without hidden fields
+ */
+export declare function filterHiddenFields(modelName: string, data: Record<string, unknown>): Record<string, unknown>;

package/dist/runtime/server/utils/modelMapper.js

@@ -3,11 +3,16 @@ import pluralize from "pluralize";
 import { pascalCase } from "scule";
 import { getTableColumns as getDrizzleTableColumns } from "drizzle-orm";
 import { createError } from "h3";
+import { useRuntimeConfig } from "#imports";
 const PROTECTED_FIELDS = ["id", "createdAt", "created_at"];
+const HIDDEN_FIELDS = ["password", "secret", "token"];
 export const customUpdatableFields = {
   // Add custom field restrictions here if needed
   // By default, all fields except PROTECTED_FIELDS are updatable
 };
+export const customHiddenFields = {
+  // Add custom hidden fields here if needed
+};
 function buildModelTableMap() {
   const tableMap = {};
   for (const [key, value] of Object.entries(schema)) {
@@ -72,3 +77,36 @@ export function getModelPluralName(modelName) {
 export function getAvailableModels() {
   return Object.keys(modelTableMap);
 }
+export function getHiddenFields(modelName) {
+  if (customHiddenFields[modelName]) {
+    return customHiddenFields[modelName];
+  }
+  return HIDDEN_FIELDS;
+}
+export function getPublicColumns(modelName) {
+  const { resources } = useRuntimeConfig().autoCrud;
+  return resources?.[modelName]?.publicColumns;
+}
+export function filterPublicColumns(modelName, data) {
+  const publicColumns = getPublicColumns(modelName);
+  if (!publicColumns) {
+    return filterHiddenFields(modelName, data);
+  }
+  const filtered = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (publicColumns.includes(key) && !getHiddenFields(modelName).includes(key)) {
+      filtered[key] = value;
+    }
+  }
+  return filtered;
+}
+export function filterHiddenFields(modelName, data) {
+  const hiddenFields = getHiddenFields(modelName);
+  const filtered = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (!hiddenFields.includes(key)) {
+      filtered[key] = value;
+    }
+  }
+  return filtered;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-auto-crud",
-  "version": "1.3.0",
+  "version": "1.5.0",
   "description": "Exposes RESTful CRUD APIs for your Nuxt app based solely on your database migrations.",
   "author": "Cliford Pereira",
   "license": "MIT",
@@ -41,6 +41,7 @@
     "release": "npm run lint && npm run test && npm run prepack && changelogen --release && npm publish && git push --follow-tags",
     "lint": "eslint .",
     "test": "vitest run",
+    "test:api": "node scripts/test-api.mjs",
     "test:watch": "vitest watch",
     "test:types": "vue-tsc --noEmit && cd playground && vue-tsc --noEmit",
     "link": "npm link"
@@ -49,7 +50,9 @@
     "@nuxt/kit": "^4.2.1",
     "@types/pluralize": "^0.0.33",
     "pluralize": "^8.0.0",
-    "scule": "^1.0.0"
+    "scule": "^1.0.0",
+    "c12": "^2.0.1",
+    "jose": "^5.9.6"
   },
   "peerDependencies": {
     "drizzle-orm": "^0.30.0"
@@ -60,12 +63,19 @@
     "@nuxt/module-builder": "^1.0.2",
     "@nuxt/schema": "^4.2.1",
     "@nuxt/test-utils": "^3.20.1",
+    "@nuxthub/core": "^0.9.1",
     "@types/node": "latest",
+    "better-sqlite3": "^12.4.6",
     "changelogen": "^0.6.2",
+    "drizzle-kit": "^0.31.7",
+    "drizzle-orm": "^0.38.3",
     "eslint": "^9.39.1",
     "nuxt": "^4.2.1",
+    "nuxt-auth-utils": "^0.5.25",
+    "nuxt-authorization": "^0.3.5",
     "typescript": "~5.9.3",
     "vitest": "^4.0.13",
-    "vue-tsc": "^3.1.5"
+    "vue-tsc": "^3.1.5",
+    "wrangler": "^4.51.0"
   }
 }

package/src/runtime/server/api/[model]/[id].delete.ts

@@ -1,15 +1,36 @@
 // server/api/[model]/[id].delete.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, getModelSingularName } from '../../utils/modelMapper'
+import { getTableForModel, getModelSingularName, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model, id } = getRouterParams(event)
+  const { resources } = useAutoCrudConfig()
+  const { model, id } = getRouterParams(event) as { model: string, id: string }
+
+  const isAdmin = await checkAdminAccess(event, model, 'delete')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('delete'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model) as TableWithId
+
   const singularName = getModelSingularName(model)
 
   const deletedRecord = await useDrizzle()
@@ -25,5 +46,10 @@ export default eventHandler(async (event) => {
     })
   }
 
-  return deletedRecord
+  if (isAdmin) {
+    return filterHiddenFields(model, deletedRecord as Record<string, unknown>)
+  }
+  else {
+    return filterPublicColumns(model, deletedRecord as Record<string, unknown>)
+  }
 })

package/src/runtime/server/api/[model]/[id].get.ts

@@ -1,16 +1,35 @@
 // server/api/[model]/[id].get.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, getModelSingularName } from '../../utils/modelMapper'
+import { getTableForModel, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model, id } = getRouterParams(event)
+  const { resources } = useAutoCrudConfig()
+  const { model, id } = getRouterParams(event) as { model: string, id: string }
+
+  const isAdmin = await checkAdminAccess(event, model, 'read')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('read'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model) as TableWithId
-  const singularName = getModelSingularName(model)
 
   const record = await useDrizzle()
     .select()
@@ -21,9 +40,14 @@ export default eventHandler(async (event) => {
   if (!record) {
     throw createError({
       statusCode: 404,
-      message: `${singularName} not found`,
+      message: 'Record not found',
     })
   }
 
-  return record
+  if (isAdmin) {
+    return filterHiddenFields(model, record as Record<string, unknown>)
+  }
+  else {
+    return filterPublicColumns(model, record as Record<string, unknown>)
+  }
 })

package/src/runtime/server/api/[model]/[id].patch.ts

@@ -1,26 +1,57 @@
 // server/api/[model]/[id].patch.ts
-import { eventHandler, getRouterParams, readBody } from 'h3'
+import { eventHandler, getRouterParams, readBody, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
+import { getTableForModel, filterUpdatableFields, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model, id } = getRouterParams(event)
+  const { resources } = useAutoCrudConfig()
+  const { model, id } = getRouterParams(event) as { model: string, id: string }
+
+  const isAdmin = await checkAdminAccess(event, model, 'update')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('update'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model) as TableWithId
-  const body = await readBody(event)
 
-  // Filter to only allow updatable fields for this model
-  const updateData = filterUpdatableFields(model, body)
+  const body = await readBody(event)
+  const payload = filterUpdatableFields(model, body)
 
-  const record = await useDrizzle()
+  const updatedRecord = await useDrizzle()
     .update(table)
-    .set(updateData)
+    .set(payload)
     .where(eq(table.id, Number(id)))
     .returning()
     .get()
 
-  return record
+  if (!updatedRecord) {
+    throw createError({
+      statusCode: 404,
+      message: 'Record not found',
+    })
+  }
+
+  if (isAdmin) {
+    return filterHiddenFields(model, updatedRecord as Record<string, unknown>)
+  }
+  else {
+    return filterPublicColumns(model, updatedRecord as Record<string, unknown>)
+  }
 })

package/src/runtime/server/api/[model]/index.get.ts

@@ -1,15 +1,43 @@
 // server/api/[model]/index.get.ts
-import { eventHandler, getRouterParams } from 'h3'
-import { getTableForModel } from '../../utils/modelMapper'
+import { eventHandler, getRouterParams, createError } from 'h3'
+import { getTableForModel, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model } = getRouterParams(event)
+  console.log('[GET] Request received', event.path)
+  const { resources } = useAutoCrudConfig()
+  const { model } = getRouterParams(event) as { model: string }
+
+  const isAdmin = await checkAdminAccess(event, model, 'list')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('list'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model)
 
-  const records = await useDrizzle().select().from(table).all()
+  const results = await useDrizzle().select().from(table).all()
 
-  return records
+  return results.map((item: Record<string, unknown>) => {
+    if (isAdmin) {
+      return filterHiddenFields(model, item as Record<string, unknown>)
+    }
+    else {
+      return filterPublicColumns(model, item as Record<string, unknown>)
+    }
+  })
 })

package/src/runtime/server/api/[model]/index.post.ts

@@ -1,26 +1,43 @@
 // server/api/[model]/index.post.ts
-import { eventHandler, getRouterParams, readBody } from 'h3'
-import { getTableForModel } from '../../utils/modelMapper'
+import { eventHandler, getRouterParams, readBody, createError } from 'h3'
+import { getTableForModel, filterHiddenFields, filterUpdatableFields, filterPublicColumns } from '../../utils/modelMapper'
 
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
+import { useAutoCrudConfig } from '../../utils/config'
+import { checkAdminAccess } from '../../utils/auth'
+
 export default eventHandler(async (event) => {
-  const { model } = getRouterParams(event)
-  const table = getTableForModel(model)
-  const body = await readBody(event)
+  const { resources } = useAutoCrudConfig()
+  const { model } = getRouterParams(event) as { model: string }
 
-  // Add createdAt timestamp
-  const values = {
-    ...body,
-    createdAt: new Date(),
+  const isAdmin = await checkAdminAccess(event, model, 'create')
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('create'))
+
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
   }
 
-  const record = await useDrizzle()
-    .insert(table)
-    .values(values)
-    .returning()
-    .get()
+  const table = getTableForModel(model)
 
-  return record
+  const body = await readBody(event)
+  const payload = filterUpdatableFields(model, body)
+
+  const newRecord = await useDrizzle().insert(table).values(payload).returning().get()
+
+  if (isAdmin) {
+    return filterHiddenFields(model, newRecord as Record<string, unknown>)
+  }
+  else {
+    return filterPublicColumns(model, newRecord as Record<string, unknown>)
+  }
 })

package/src/runtime/server/utils/auth.ts

@@ -0,0 +1,55 @@
+import type { H3Event } from 'h3'
+import { createError } from 'h3'
+import { useAutoCrudConfig } from './config'
+import { verifyJwtToken } from './jwt'
+
+export async function checkAdminAccess(event: H3Event, model: string, action: string): Promise<boolean> {
+  const { auth } = useAutoCrudConfig()
+
+  if (!auth?.authentication) {
+    return true
+  }
+
+  if (auth.type === 'jwt') {
+    if (!auth.jwtSecret) {
+      console.warn('JWT Secret is not configured but auth type is jwt')
+      return false
+    }
+    return verifyJwtToken(event, auth.jwtSecret)
+  }
+
+  // Session based (default)
+  // @ts-expect-error - requireUserSession is auto-imported
+  if (typeof requireUserSession !== 'function') {
+    throw new TypeError('requireUserSession is not available')
+  }
+
+  try {
+    // @ts-expect-error - requireUserSession is auto-imported
+    await requireUserSession(event)
+
+    // Check authorization if enabled
+    if (auth.authorization) {
+      if (event.context.ability) {
+        const can = event.context.ability.can(action, model)
+        if (!can) {
+          throw createError({
+            statusCode: 403,
+            message: 'Forbidden',
+          })
+        }
+      }
+    }
+
+    return true
+  }
+  catch (e: unknown) {
+    // If it's a 403 (Forbidden) from our ability check, rethrow it
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    if ((e as any).statusCode === 403) {
+      throw e
+    }
+    // Otherwise (401 from requireUserSession), return false (treat as guest)
+    return false
+  }
+}

package/src/runtime/server/utils/config.ts

@@ -0,0 +1,6 @@
+import { useRuntimeConfig } from '#imports'
+import type { RuntimeModuleOptions } from '../../../types'
+
+export const useAutoCrudConfig = (): RuntimeModuleOptions => {
+  return useRuntimeConfig().autoCrud as RuntimeModuleOptions
+}

package/src/runtime/server/utils/jwt.ts

@@ -0,0 +1,23 @@
+import { jwtVerify } from 'jose'
+import type { H3Event } from 'h3'
+import { getRequestHeader } from 'h3'
+
+export async function verifyJwtToken(event: H3Event, secret: string): Promise<boolean> {
+  const authHeader = getRequestHeader(event, 'Authorization')
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return false
+  }
+
+  const token = authHeader.split(' ')[1]
+  if (!token) {
+    return false
+  }
+  try {
+    const secretKey = new TextEncoder().encode(secret)
+    await jwtVerify(token, secretKey)
+    return true
+  }
+  catch {
+    return false
+  }
+}

package/src/runtime/server/utils/modelMapper.ts

@@ -6,12 +6,18 @@ import { pascalCase } from 'scule'
 import { getTableColumns as getDrizzleTableColumns } from 'drizzle-orm'
 import type { SQLiteTable } from 'drizzle-orm/sqlite-core'
 import { createError } from 'h3'
+import { useRuntimeConfig } from '#imports'
 
 /**
  * Fields that should never be updatable via PATCH requests
  */
 const PROTECTED_FIELDS = ['id', 'createdAt', 'created_at']
 
+/**
+ * Fields that should never be returned in API responses
+ */
+const HIDDEN_FIELDS = ['password', 'secret', 'token']
+
 /**
  * Custom updatable fields configuration (optional)
  * Only define here if you want to override the auto-detection
@@ -26,6 +32,14 @@ export const customUpdatableFields: Record<string, string[]> = {
   // By default, all fields except PROTECTED_FIELDS are updatable
 }
 
+/**
+ * Custom hidden fields configuration (optional)
+ * Only define here if you want to override the default hidden fields
+ */
+export const customHiddenFields: Record<string, string[]> = {
+  // Add custom hidden fields here if needed
+}
+
 /**
  * Automatically builds a map of all exported tables from the schema
  * No manual configuration needed!
@@ -163,3 +177,72 @@ export function getModelPluralName(modelName: string): string {
 export function getAvailableModels(): string[] {
   return Object.keys(modelTableMap)
 }
+
+/**
+ * Gets the hidden fields for a model
+ * @param modelName - The name of the model
+ * @returns Array of field names that should be hidden
+ */
+export function getHiddenFields(modelName: string): string[] {
+  // Check if custom hidden fields are defined for this model
+  if (customHiddenFields[modelName]) {
+    return customHiddenFields[modelName]
+  }
+
+  return HIDDEN_FIELDS
+}
+
+/**
+ * Gets the public columns for a model
+ * @param modelName - The name of the model
+ * @returns Array of field names that are public (or undefined if all are public)
+ */
+export function getPublicColumns(modelName: string): string[] | undefined {
+  const { resources } = useRuntimeConfig().autoCrud
+  return resources?.[modelName]?.publicColumns
+}
+
+/**
+ * Filters an object to only include public columns (if configured)
+ * @param modelName - The name of the model
+ * @param data - The data object to filter
+ * @returns Filtered object
+ */
+export function filterPublicColumns(modelName: string, data: Record<string, unknown>): Record<string, unknown> {
+  const publicColumns = getPublicColumns(modelName)
+
+  // If no public columns configured, return all (except hidden)
+  if (!publicColumns) {
+    return filterHiddenFields(modelName, data)
+  }
+
+  const filtered: Record<string, unknown> = {}
+
+  for (const [key, value] of Object.entries(data)) {
+    // Must be in publicColumns AND not in hidden fields (double safety)
+    if (publicColumns.includes(key) && !getHiddenFields(modelName).includes(key)) {
+      filtered[key] = value
+    }
+  }
+
+  return filtered
+}
+
+/**
+ * Filters an object to exclude hidden fields
+ * @param modelName - The name of the model
+ * @param data - The data object to filter
+ * @returns Filtered object without hidden fields
+ */
+export function filterHiddenFields(modelName: string, data: Record<string, unknown>): Record<string, unknown> {
+  const hiddenFields = getHiddenFields(modelName)
+  const filtered: Record<string, unknown> = {}
+
+  for (const [key, value] of Object.entries(data)) {
+    if (!hiddenFields.includes(key)) {
+      filtered[key] = value
+    }
+  }
+
+  return filtered
+}