sonamu 0.7.53 → 0.8.0

package/src/api/sonamu.ts

@@ -18,6 +18,7 @@ import {
   DB,
   isDaemonServer,
   merge,
+  NotFoundException,
 } from "..";
 import type { CacheConfig, CacheManager } from "../cache/types";
 import { applyCacheHeaders, CachePresets } from "../cache-control/cache-control";
@@ -25,6 +26,7 @@ import type { CacheControlConfig, CacheControlRequest } from "../cache-control/t
 import { toFastifyCompressOption } from "../compress/compress";
 import type { CompressOptions } from "../compress/types";
 import type { SonamuDBConfig } from "../database/db";
+import { SD } from "../dict/sd";
 import type { LocalizedString } from "../dict/types";
 import { Naite } from "../naite/naite";
 import { BufferedFile } from "../storage/buffered-file";
@@ -379,7 +381,6 @@ class SonamuClass {
       server.register(sonamuUIApiPlugin);
     }
 
-    // 로컬/프로덕션 환경 분기
     const webPath = path.join(this.appRootPath, "web");
     const hasWeb = await exists(webPath);
 
@@ -396,9 +397,13 @@ class SonamuClass {
       : undefined;
 
     if (isLocal()) {
-      // 로컬 개발 환경: Vite Dev Server + 통합 핸들러
-      if (hasWeb) {
-        await this.setupViteDevServer(server, webPath, config, globalCompressOptions);
+      // 로컬 개발 환경: catch-all로 API를 동적 매칭하여 HMR을 지원합니다.
+      // SONAMU_DISABLE_INTEGRATED_WEB=yes로 설정하면 dev_api 모드에서 Vite 통합을 비활성화할 수 있습니다.
+      const disableIntegratedWeb = process.env.SONAMU_DISABLE_INTEGRATED_WEB === "yes";
+      if (hasWeb && !disableIntegratedWeb) {
+        await this.setupDevServerWithVite(server, webPath, config);
+      } else {
+        this.setupDevServer(server, config);
       }
     } else {
       // 프로덕션 환경: 개별 API 라우트 + 정적 파일 서빙
@@ -415,20 +420,84 @@ class SonamuClass {
         });
       }
 
-      if (hasWeb) {
-        await this.setupStaticWebServer(server, webPath, config, globalCompressOptions);
+      // 프로덕션에서는 web 소스(appRoot/web) 유무와 무관하게,
+      // api/web-dist 존재 여부를 setupStaticWebServer 내부에서 판단합니다.
+      await this.setupStaticWebServer(server, config, globalCompressOptions);
+    }
+  }
+
+  /**
+   * dev 모드 공통: catch-all에서 syncer.apis를 동적으로 탐색하여 API 요청을 처리합니다.
+   * server.route()로 개별 등록하면 handler가 고정되어 HMR이 동작하지 않으므로,
+   * 매 요청마다 syncer.apis를 조회하는 이 방식을 사용합니다.
+   *
+   * 요청이 /api(정확히는 this.config.api.route.prefix)로 시작하지 않는 경우라면 null을 반환하며 끝냅니다.
+   */
+  private handleDevApiRequest(
+    request: FastifyRequest,
+    config: SonamuFastifyConfig,
+  ): ((request: FastifyRequest, reply: FastifyReply) => Promise<unknown>) | null {
+    const url = this.getPathnameFromUrl(request.url);
+    const method = request.method;
+
+    if (!url.startsWith(this.config.api.route.prefix)) {
+      return null;
+    }
+
+    // syncer.apis의 path는 :param 형태를 포함할 수 있으므로 세그먼트 단위로 매칭합니다.
+    // 정규식 생성 방식은 path 문자열 내 특수문자(., +, (, [ 등)로 오작동할 수 있어 사용하지 않습니다.
+    const matchedApi = this.syncer.apis.find((api) => {
+      if (this.syncer.models[api.modelName] === undefined) {
+        return false;
       }
+      const apiMethod = api.options.httpMethod ?? "GET";
+      if (apiMethod !== method) return false;
+
+      const fullPath = this.config.api.route.prefix + api.path;
+      return this.isPathPatternMatch(fullPath, url);
+    });
+
+    if (!matchedApi) {
+      throw new NotFoundException(SD("error.api.notFound"));
     }
+
+    return this.createApiHandler(matchedApi, config);
+  }
+
+  /**
+   * dev api 모드: Vite 없이 API 동적 라우팅만 제공합니다.
+   * HMR을 위해 catch-all에서 매 요청마다 syncer.apis를 조회합니다.
+   */
+  private setupDevServer(
+    server: FastifyInstance<Server, IncomingMessage, ServerResponse>,
+    config: SonamuFastifyConfig,
+  ): void {
+    server.route({
+      method: ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH"],
+      url: `${this.config.api.route.prefix}/*`,
+      handler: async (request, reply) => {
+        const handler = this.handleDevApiRequest(request, config);
+        if (handler) {
+          return handler(request, reply);
+        }
+        // 사실 /api로 시작하지 않는 요청은 여기에 들어오지도 않을 거라 이 라인은 도달 불가능입니다만,
+        // 안전빵으로 남겨놓습니다.
+        throw new NotFoundException(SD("error.api.notFound"));
+      },
+    });
   }
 
   // biome-ignore lint/suspicious/noExplicitAny: ViteDevServer 타입을 동적으로 로드해야 함
   private viteServer: any = null;
 
-  private async setupViteDevServer(
+  /**
+   * dev all 모드: Vite Dev Server를 통합하여 API + SSR + CSR을 모두 제공합니다.
+   * API 동적 매칭은 handleDevApiRequest를 공유합니다.
+   */
+  private async setupDevServerWithVite(
     server: FastifyInstance<Server, IncomingMessage, ServerResponse>,
     webPath: string,
     config: SonamuFastifyConfig,
-    globalCompressOptions?: CompressOptions,
   ): Promise<void> {
     // @fastify/middie 등록 (Connect-style middleware 지원)
     await server.register((await import("@fastify/middie")).default);
@@ -456,49 +525,39 @@ class SonamuClass {
       return this.viteServer.middlewares(req, res, next);
     });
 
-    // API 동적 라우팅 (catch-all 전에 등록)
-    for (const api of this.syncer.apis) {
-      if (this.syncer.models[api.modelName] === undefined) {
-        throw new Error(`정의되지 않은 모델에 접근 ${api.modelName}`);
-      }
-
-      server.route({
-        method: api.options.httpMethod ?? "GET",
-        url: this.config.api.route.prefix + api.path,
-        handler: this.createApiHandler(api, config),
-        compress: toFastifyCompressOption(api.options.compress, globalCompressOptions),
-      });
-    }
-
-    // SSR 라우트 개별 등록 (compress 옵션이 라우트별로 적용되도록)
-    const { getSSRRoutes, renderSSR } = await import("../ssr");
-    const ssrRoutes = getSSRRoutes();
-
-    for (const route of ssrRoutes) {
-      server.route({
-        method: ["GET", "HEAD"],
-        url: route.path,
-        compress: toFastifyCompressOption(route.compress ?? true, globalCompressOptions),
-        handler: async (request, reply) => {
-          const url = request.url;
-          console.log(`[SSR] Matched route: ${route.path}`);
-
-          const params = this.extractPathParams(route.path, url);
-          const html = await renderSSR(url, route, params, request, reply, config, this.viteServer);
-
-          reply.type("text/html");
-          return html;
-        },
-      });
-    }
-
-    // CSR fallback (SSR 라우트에 매칭되지 않는 모든 요청)
+    // catch-all 라우트에서 동적으로 API/SSR 처리
+    // 개발 환경에서는 라우트별 compress 옵션을 포기하고 HMR 이점을 취합니다.
     server.route({
-      method: ["GET", "HEAD"],
+      method: ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH"],
       url: "/*",
       handler: async (request, reply) => {
+        // 1. API 요청 처리
+        const result = this.handleDevApiRequest(request, config);
+        if (result) {
+          return result(request, reply);
+        }
+
         const url = request.url;
 
+        // 2. SSR 라우트 처리
+        const { matchSSRRoute, renderSSR } = await import("../ssr");
+        const ssrMatch = matchSSRRoute(url);
+        if (ssrMatch) {
+          console.log(`[SSR] Matched route: ${ssrMatch.route.path}`);
+          const html = await renderSSR(
+            url,
+            ssrMatch.route,
+            ssrMatch.params,
+            request,
+            reply,
+            config,
+            this.viteServer,
+          );
+          reply.type("text/html");
+          return html;
+        }
+
+        // 3. CSR fallback
         try {
           const fs = await import("node:fs/promises");
           let template = await fs.readFile(
@@ -528,15 +587,14 @@ class SonamuClass {
 
   private async setupStaticWebServer(
     server: FastifyInstance<Server, IncomingMessage, ServerResponse>,
-    _webPath: string,
     config: SonamuFastifyConfig,
     globalCompressOptions: CompressOptions | undefined,
   ): Promise<void> {
-    // 경로 명확화: api/public/web, api/dist/ssr
-    const webDistPath = path.join(this.apiRootPath, "public", "web");
-    const ssrPath = path.join(this.apiRootPath, "dist", "ssr");
+    // 경로 명확화: api/web-dist/client (정적 파일), api/web-dist/server (SSR entry), api/dist/ssr (SSR routes - API 소유)
+    const webDistPath = path.join(this.apiRootPath, "web-dist", "client");
+    const ssrPath = path.join(this.apiRootPath, "web-dist", "server");
     const ssrEntryPath = path.join(ssrPath, "entry-server.generated.js");
-    const ssrRoutesPath = path.join(ssrPath, "routes.js");
+    const ssrRoutesPath = path.join(this.apiRootPath, "dist", "ssr", "routes.js");
 
     if (!(await exists(webDistPath))) {
       console.warn(`⚠ Web dist not found: ${webDistPath}`);
@@ -568,7 +626,14 @@ class SonamuClass {
     server.get("/assets/:filename", async (request, reply) => {
       const requestedFile = (request.params as { filename: string }).filename;
       const assetsDir = path.join(webDistPath, "assets");
-      const assetPath = `/assets/${requestedFile}`;
+      const safeFilePath = this.resolvePathWithinBaseDir(assetsDir, requestedFile);
+      if (safeFilePath === null) {
+        reply.status(403).send();
+        return;
+      }
+      const normalizedRequestedFile = path.relative(assetsDir, safeFilePath).replace(/\\/g, "/");
+
+      const assetPath = `/assets/${normalizedRequestedFile}`;
 
       // Cache-Control 헤더 결정
       const getCacheControlForAsset = (): CacheControlConfig => {
@@ -590,8 +655,8 @@ class SonamuClass {
       };
 
       // index-*.js 또는 index-*.css 요청인 경우
-      if (/^index-[a-f0-9]+\.(js|css)$/.test(requestedFile)) {
-        const ext = requestedFile.split(".").pop();
+      if (/^index-[a-f0-9]+\.(js|css)$/.test(normalizedRequestedFile)) {
+        const ext = normalizedRequestedFile.split(".").pop();
         const files = await fs.readdir(assetsDir);
         const currentFile = files.find((f) => f.startsWith("index-") && f.endsWith(`.${ext}`));
 
@@ -605,18 +670,18 @@ class SonamuClass {
       }
 
       // 일반 파일 서빙
-      const filePath = path.join(assetsDir, requestedFile);
+      const filePath = safeFilePath;
       if (await exists(filePath)) {
         const content = await fs.readFile(filePath);
-        const ext = requestedFile.split(".").pop();
+        const ext = normalizedRequestedFile.split(".").pop();
         reply.type(ext === "js" ? "application/javascript" : ext === "css" ? "text/css" : "");
-        if (requestedFile.includes("-")) {
+        if (normalizedRequestedFile.includes("-")) {
           applyCacheHeaders(reply, getCacheControlForAsset());
         }
         return reply.send(content);
       }
 
-      reply.code(404).send("Not found");
+      reply.status(404).send();
     });
 
     // SSR 라우트 개별 등록 (compress 옵션이 라우트별로 적용되도록)
@@ -651,7 +716,7 @@ class SonamuClass {
       handler: async (request, reply) => {
         // /api, /sonamu-ui는 404 그대로
         if (request.url.startsWith("/api") || request.url.startsWith("/sonamu-ui")) {
-          reply.code(404).send({ error: "Not Found" });
+          reply.status(404).send();
           return;
         }
 
@@ -671,10 +736,15 @@ class SonamuClass {
         }
 
         // 정적 파일이 존재할 경우, 정적 파일을 먼저 서빙해야함
-        const filePath = path.join(webDistPath, request.url);
-        if (await fileExists(filePath)) {
-          const content = await fs.readFile(filePath);
-          return reply.type(mimeLookup(filePath) || "application/octet-stream").send(content);
+        const requestPath = this.getPathnameFromUrl(request.url);
+        const safeFilePath = this.resolvePathWithinBaseDir(webDistPath, requestPath);
+        if (safeFilePath === null) {
+          reply.status(403).send();
+          return;
+        }
+        if (await fileExists(safeFilePath)) {
+          const content = await fs.readFile(safeFilePath);
+          return reply.type(mimeLookup(safeFilePath) || "application/octet-stream").send(content);
         }
 
         // CSR fallback: index.html 서빙
@@ -845,7 +915,7 @@ class SonamuClass {
    */
   private extractPathParams(pattern: string, url: string): Record<string, string> {
     const patternParts = pattern.split("/").filter(Boolean);
-    const urlParts = url.split("?")[0].split("/").filter(Boolean);
+    const urlParts = this.getPathnameFromUrl(url).split("/").filter(Boolean);
     const params: Record<string, string> = {};
 
     for (let i = 0; i < patternParts.length; i++) {
@@ -856,6 +926,50 @@ class SonamuClass {
     return params;
   }
 
+  private isPathPatternMatch(pattern: string, url: string): boolean {
+    const patternParts = pattern.split("/").filter(Boolean);
+    const urlParts = this.getPathnameFromUrl(url).split("/").filter(Boolean);
+
+    if (patternParts.length !== urlParts.length) {
+      return false;
+    }
+
+    for (let i = 0; i < patternParts.length; i++) {
+      const patternPart = patternParts[i];
+      const urlPart = urlParts[i];
+      if (patternPart.startsWith(":")) {
+        continue;
+      }
+      if (patternPart !== urlPart) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  private getPathnameFromUrl(url: string): string {
+    return url.split("?")[0];
+  }
+
+  private resolvePathWithinBaseDir(baseDir: string, inputPath: string): string | null {
+    try {
+      const decoded = decodeURIComponent(inputPath).replace(/\\/g, "/");
+      if (decoded.includes("\0")) {
+        return null;
+      }
+      const relativePath = decoded.replace(/^\/+/, "");
+      const resolvedPath = path.resolve(baseDir, relativePath);
+      const relativeFromBase = path.relative(baseDir, resolvedPath);
+      if (relativeFromBase.startsWith("..") || path.isAbsolute(relativeFromBase)) {
+        return null;
+      }
+      return resolvedPath;
+    } catch {
+      return null;
+    }
+  }
+
   /**
    * API 응답에 적용할 Cache-Control 설정을 결정합니다.
    * 우선순위: 개별 지정 > cacheControlHandler
@@ -1037,7 +1151,7 @@ class SonamuClass {
   }
 
   /*
-     A function that automatically handles init and destroy when using Sonamu via scripts.    
+     A function that automatically handles init and destroy when using Sonamu via scripts.
   */
   async runScript(fn: () => Promise<void>) {
     await this.init(true, false, undefined, false);

package/src/auth/plugins/entity-definitions/anonymous.ts

@@ -0,0 +1,17 @@
+import type { BetterAuthEntityDef } from "./types";
+
+/**
+ * better-auth Anonymous 플러그인 엔티티 정의
+ * https://www.better-auth.com/docs/plugins/anonymous
+ *
+ * 익명 사용자 인증을 지원합니다.
+ * 새로운 테이블을 생성하지 않고 User 테이블에 is_anonymous 필드만 추가합니다.
+ */
+export const anonymousEntityDef: BetterAuthEntityDef = {
+  id: "anonymous",
+  name: "Anonymous",
+  entities: [],
+  additionalProps: {
+    User: [{ name: "is_anonymous", type: "boolean", nullable: true, desc: "익명 사용자 여부" }],
+  },
+};

package/src/auth/plugins/entity-definitions/api-key.ts

@@ -0,0 +1,93 @@
+import type { BetterAuthEntityDef } from "./types";
+
+/**
+ * better-auth API Key 플러그인 엔티티 정의
+ * https://www.better-auth.com/docs/plugins/api-key
+ *
+ * API 키 인증을 지원합니다.
+ */
+export const apiKeyEntityDef: BetterAuthEntityDef = {
+  id: "api-key",
+  name: "API Key",
+  entities: [
+    {
+      id: "ApiKey",
+      table: "api_keys",
+      title: "API 키",
+      props: [
+        { name: "id", type: "string", desc: "ID" },
+        { name: "key", type: "string", desc: "해시된 API 키" },
+        { name: "start", type: "string", nullable: true, desc: "키 시작 문자열" },
+        { name: "prefix", type: "string", nullable: true, desc: "키 접두사" },
+        { name: "name", type: "string", nullable: true, desc: "키 이름" },
+        { name: "remaining", type: "integer", nullable: true, desc: "남은 요청 수" },
+        { name: "last_request", type: "date", nullable: true, desc: "마지막 요청 시간" },
+        { name: "request_count", type: "integer", desc: "요청 횟수" },
+        { name: "rate_limit_enabled", type: "boolean", desc: "Rate Limit 활성화 여부" },
+        {
+          name: "rate_limit_time_window",
+          type: "integer",
+          nullable: true,
+          desc: "Rate Limit 시간 창 (ms)",
+        },
+        {
+          name: "rate_limit_max",
+          type: "integer",
+          nullable: true,
+          desc: "Rate Limit 최대 요청 수",
+        },
+        { name: "refill_interval", type: "integer", nullable: true, desc: "리필 간격 (ms)" },
+        { name: "refill_amount", type: "integer", nullable: true, desc: "리필 양" },
+        { name: "last_refill_at", type: "date", nullable: true, desc: "마지막 리필 시간" },
+        { name: "expires_at", type: "date", nullable: true, desc: "만료일시" },
+        { name: "enabled", type: "boolean", desc: "활성화 여부" },
+        { name: "permissions", type: "string", nullable: true, desc: "권한" },
+        { name: "metadata", type: "string", nullable: true, desc: "메타데이터 (JSON)" },
+        { name: "created_at", type: "date", dbDefault: "CURRENT_TIMESTAMP", desc: "생성일시" },
+        { name: "updated_at", type: "date", nullable: true, desc: "수정일시" },
+        {
+          type: "relation",
+          name: "user",
+          with: "User",
+          relationType: "BelongsToOne",
+          onDelete: "CASCADE",
+          desc: "사용자",
+        },
+      ],
+      indexes: [
+        { type: "index", name: "api_keys_user_id_idx", columns: [{ name: "user_id" }] },
+        { type: "unique", name: "api_keys_key_unique", columns: [{ name: "key" }] },
+      ],
+      subsets: {
+        A: [
+          "id",
+          "key",
+          "start",
+          "prefix",
+          "name",
+          "remaining",
+          "last_request",
+          "request_count",
+          "rate_limit_enabled",
+          "rate_limit_time_window",
+          "rate_limit_max",
+          "refill_interval",
+          "refill_amount",
+          "last_refill_at",
+          "expires_at",
+          "enabled",
+          "permissions",
+          "metadata",
+          "created_at",
+          "updated_at",
+          "user.id",
+        ],
+      },
+      enums: {
+        ApiKeyOrderBy: { "id-desc": "ID최신순", "created_at-desc": "생성일최신순" },
+        ApiKeySearchField: { id: "ID", name: "이름" },
+      },
+    },
+  ],
+  additionalProps: {},
+};

package/src/auth/plugins/entity-definitions/index.ts

@@ -1,11 +1,23 @@
 export { adminEntityDef } from "./admin";
+export { anonymousEntityDef } from "./anonymous";
+export { apiKeyEntityDef } from "./api-key";
+export { jwtEntityDef } from "./jwt";
+export { organizationEntityDef } from "./organization";
+export { passkeyEntityDef } from "./passkey";
 export { phoneNumberEntityDef } from "./phone-number";
+export { ssoEntityDef } from "./sso";
 export { twoFactorEntityDef } from "./two-factor";
 export type { BetterAuthEntityDef, BetterAuthPluginId } from "./types";
 export { usernameEntityDef } from "./username";
 
 import { adminEntityDef } from "./admin";
+import { anonymousEntityDef } from "./anonymous";
+import { apiKeyEntityDef } from "./api-key";
+import { jwtEntityDef } from "./jwt";
+import { organizationEntityDef } from "./organization";
+import { passkeyEntityDef } from "./passkey";
 import { phoneNumberEntityDef } from "./phone-number";
+import { ssoEntityDef } from "./sso";
 import { twoFactorEntityDef } from "./two-factor";
 import type { BetterAuthEntityDef, BetterAuthPluginId } from "./types";
 import { usernameEntityDef } from "./username";
@@ -19,6 +31,12 @@ export const ENTITY_DEFINITIONS: Record<BetterAuthPluginId, BetterAuthEntityDef>
   username: usernameEntityDef,
   "phone-number": phoneNumberEntityDef,
   "2fa": twoFactorEntityDef,
+  sso: ssoEntityDef,
+  passkey: passkeyEntityDef,
+  organization: organizationEntityDef,
+  "api-key": apiKeyEntityDef,
+  jwt: jwtEntityDef,
+  anonymous: anonymousEntityDef,
 };
 
 /**

package/src/auth/plugins/entity-definitions/jwt.ts

@@ -0,0 +1,35 @@
+import type { BetterAuthEntityDef } from "./types";
+
+/**
+ * better-auth JWT 플러그인 엔티티 정의
+ * https://www.better-auth.com/docs/plugins/jwt
+ *
+ * JWT 토큰 발급 및 JWKS 키 관리를 지원합니다.
+ */
+export const jwtEntityDef: BetterAuthEntityDef = {
+  id: "jwt",
+  name: "JWT",
+  entities: [
+    {
+      id: "Jwks",
+      table: "jwks",
+      title: "JWKS",
+      props: [
+        { name: "id", type: "string", desc: "ID" },
+        { name: "public_key", type: "string", desc: "공개키" },
+        { name: "private_key", type: "string", desc: "비밀키" },
+        { name: "created_at", type: "date", dbDefault: "CURRENT_TIMESTAMP", desc: "생성일시" },
+        { name: "expires_at", type: "date", nullable: true, desc: "만료일시" },
+      ],
+      indexes: [],
+      subsets: {
+        A: ["id", "public_key", "private_key", "created_at", "expires_at"],
+      },
+      enums: {
+        JwksOrderBy: { "id-desc": "ID최신순", "created_at-desc": "생성일최신순" },
+        JwksSearchField: { id: "ID" },
+      },
+    },
+  ],
+  additionalProps: {},
+};