webspresso 0.0.51 → 0.0.52

package/README.md

@@ -1164,9 +1164,13 @@ const User = defineModel({
     timestamps: true,     // Auto-manage created_at/updated_at
     tenant: 'tenant_id',  // Multi-tenant column (optional)
   },
+
+  hidden: ['password_hash', 'api_token'],  // Never expose in API/templates (security)
 });
 ```
 
+**Hidden columns:** Add column names to `hidden` so they are never exposed in admin API responses, exports, or when passing to templates. Use for sensitive data like `password_hash`, `api_token`, `secret_key`. The admin panel will exclude these from list views and forms automatically.
+
 ### Auto-Loading Models
 
 Models are automatically loaded from the `models/` directory when you create a database instance:

package/core/orm/index.js

@@ -13,6 +13,7 @@ const { createMigrationManager } = require('./migrations');
 const { createSeeder } = require('./seeder');
 const { createScopeContext } = require('./scopes');
 const { ModelEvents, Hooks, HookCancellationError, createEventContext } = require('./events');
+const { omitHiddenColumns, sanitizeForOutput } = require('./utils');
 
 /**
  * Create a database instance
@@ -272,6 +273,9 @@ module.exports = {
   // Column utilities
   extractColumnsFromSchema,
   getColumnMeta,
+  // Output sanitization (exclude hidden columns from API/templates)
+  omitHiddenColumns,
+  sanitizeForOutput,
   // Events/Signals
   ModelEvents,
   Hooks,

package/core/orm/model.js

@@ -28,6 +28,7 @@ function defineModel(options) {
     scopes = {},
     admin = {},
     hooks = {},
+    hidden = [],
   } = options;
 
   // Validate required fields
@@ -88,6 +89,7 @@ function defineModel(options) {
       customFields: admin.customFields || {},
       queries: admin.queries || {},
     },
+    hidden: Array.isArray(hidden) ? hidden : [],
     hooks: {},
   };
 

package/core/orm/types.js

@@ -147,6 +147,7 @@
  * @property {RelationsMap} [relations={}] - Relation definitions
  * @property {ScopeOptions} [scopes={}] - Scope options
  * @property {AdminMetadata} [admin] - Admin panel metadata
+ * @property {string[]} [hidden=[]] - Column names to never expose in API/templates (e.g. password_hash, api_token)
  */
 
 /**
@@ -159,6 +160,7 @@
  * @property {ScopeOptions} scopes - Scope options
  * @property {Map<string, ColumnMeta>} columns - Parsed column metadata
  * @property {AdminMetadata} [admin] - Admin panel metadata
+ * @property {string[]} hidden - Column names never exposed in API/templates
  */
 
 // ============================================================================

package/core/orm/utils.js

@@ -114,9 +114,37 @@ function deepClone(obj) {
   return cloned;
 }
 
+/**
+ * Remove hidden columns from a record for safe API/template output
+ * @param {Object} record - Record from database
+ * @param {import('./types').ModelDefinition} model - Model definition with hidden columns
+ * @returns {Object} Record without hidden columns
+ */
+function omitHiddenColumns(record, model) {
+  if (!record) return record;
+  if (!model?.hidden?.length) return record;
+  return omit(record, model.hidden);
+}
+
+/**
+ * Remove hidden columns from records (array or single) for safe output
+ * @param {Object|Object[]} records - Record(s) from database
+ * @param {import('./types').ModelDefinition} model - Model definition
+ * @returns {Object|Object[]} Sanitized record(s)
+ */
+function sanitizeForOutput(records, model) {
+  if (!model?.hidden?.length) return records;
+  if (Array.isArray(records)) {
+    return records.map((r) => omit(r, model.hidden));
+  }
+  return omit(records, model.hidden);
+}
+
 module.exports = {
   pick,
   omit,
+  omitHiddenColumns,
+  sanitizeForOutput,
   formatDateForDb,
   generateMigrationTimestamp,
   snakeToCamel,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "webspresso",
-  "version": "0.0.51",
+  "version": "0.0.52",
   "description": "Minimal, production-ready SSR framework for Node.js with file-based routing, Nunjucks templating, built-in i18n, and CLI tooling",
   "main": "index.js",
   "bin": {

package/plugins/admin-panel/admin-user-model.js

@@ -33,6 +33,7 @@ function createAdminUserModel() {
     scopes: {
       timestamps: true,
     },
+    hidden: ['password'], // Never expose in API/templates
   });
 }
 

package/plugins/admin-panel/api.js

@@ -5,6 +5,7 @@
  */
 
 const { getAllModels, getModel } = require('../../core/orm/model');
+const { sanitizeForOutput } = require('../../core/orm/utils');
 const { checkAdminExists, setupAdmin, login, logout, requireAuth } = require('./auth');
 
 /**
@@ -198,9 +199,11 @@ function createApiHandlers(options) {
         return res.status(403).json({ error: 'Model not enabled in admin panel' });
       }
 
-      // Build column metadata
+      // Build column metadata (hidden columns excluded from list/forms for security)
+      const hiddenSet = new Set(model.hidden || []);
       const columns = [];
       for (const [name, meta] of model.columns) {
+        const isHidden = hiddenSet.has(name);
         columns.push({
           name,
           type: meta.type,
@@ -214,7 +217,8 @@ function createApiHandlers(options) {
           autoIncrement: meta.autoIncrement || false,
           customField: model.admin.customFields?.[name] || null,
           validations: meta.validations || null,
-          ui: meta.ui || null,
+          ui: meta.ui ? { ...meta.ui, hidden: isHidden || meta.ui.hidden } : (isHidden ? { hidden: true } : null),
+          hidden: isHidden, // Excluded from list display and API responses
         });
       }
 
@@ -394,7 +398,7 @@ function createApiHandlers(options) {
       const records = await query.list();
 
       res.json({
-        data: records,
+        data: sanitizeForOutput(records, model),
         pagination: {
           page,
           perPage,
@@ -426,7 +430,7 @@ function createApiHandlers(options) {
         return res.status(404).json({ error: 'Record not found' });
       }
 
-      res.json({ data: record });
+      res.json({ data: sanitizeForOutput(record, model) });
     } catch (error) {
       res.status(500).json({ error: error.message });
     }
@@ -459,7 +463,7 @@ function createApiHandlers(options) {
       const repo = db.getRepository(model.name);
       const record = await repo.create(req.body);
 
-      res.status(201).json({ data: record });
+      res.status(201).json({ data: sanitizeForOutput(record, model) });
     } catch (error) {
       res.status(400).json({ error: error.message });
     }
@@ -496,7 +500,7 @@ function createApiHandlers(options) {
         return res.status(404).json({ error: 'Record not found' });
       }
 
-      res.json({ data: record });
+      res.json({ data: sanitizeForOutput(record, model) });
     } catch (error) {
       res.status(400).json({ error: error.message });
     }
@@ -550,7 +554,7 @@ function createApiHandlers(options) {
         return res.status(404).json({ error: 'Record not found in trash' });
       }
 
-      res.json({ success: true, data: record });
+      res.json({ success: true, data: sanitizeForOutput(record, model) });
     } catch (error) {
       res.status(500).json({ error: error.message });
     }
@@ -579,7 +583,7 @@ function createApiHandlers(options) {
       // Get all related records (for dropdown/select)
       const records = await relatedRepo.findAll();
 
-      res.json({ data: records });
+      res.json({ data: sanitizeForOutput(records, relatedModel) });
     } catch (error) {
       res.status(500).json({ error: error.message });
     }

package/plugins/admin-panel/components.js

@@ -1484,12 +1484,15 @@ const BulkFieldUpdateDropdown = {
 // Get columns to display in table (limit to reasonable number)
 function getDisplayColumns(columns) {
   if (!columns || columns.length === 0) return [];
-  
+
+  // Filter out hidden columns (password_hash, api_token, etc.)
+  const visible = [...columns].filter((col) => !col.hidden);
+
   // Prioritize: id, name/title, then others (excluding long text/json fields)
   const priority = ['id', 'name', 'title', 'email', 'slug', 'status', 'published', 'created_at'];
   const exclude = ['password', 'content', 'body', 'description']; // Usually too long
-  
-  const sorted = [...columns].sort((a, b) => {
+
+  const sorted = visible.sort((a, b) => {
     const aIdx = priority.indexOf(a.name);
     const bIdx = priority.indexOf(b.name);
     if (aIdx !== -1 && bIdx !== -1) return aIdx - bIdx;

package/plugins/admin-panel/core/api-extensions.js

@@ -4,6 +4,8 @@
  * @module plugins/admin-panel/core/api-extensions
  */
 
+const { sanitizeForOutput } = require('../../../core/orm/utils');
+
 /**
  * Build query with filters applied
  * @param {Object} repo - Repository instance
@@ -573,8 +575,9 @@ function createExtensionApiHandlers(options) {
       }
 
       if (format === 'csv') {
-        // CSV export
-        const columns = Array.from(model.columns.keys());
+        // CSV export (exclude hidden columns)
+        const hiddenSet = new Set(model.hidden || []);
+        const columns = Array.from(model.columns.keys()).filter((c) => !hiddenSet.has(c));
         const header = columns.join(',');
         const rows = records.map(record => {
           return columns.map(col => {
@@ -595,8 +598,8 @@ function createExtensionApiHandlers(options) {
         res.setHeader('Content-Disposition', `attachment; filename="${modelName}_export.csv"`);
         res.json({ data: csvContent, format: 'csv' });
       } else {
-        // JSON export
-        res.json({ data: records, model: modelName, exportedAt: new Date().toISOString() });
+        // JSON export (exclude hidden columns)
+        res.json({ data: sanitizeForOutput(records, model), model: modelName, exportedAt: new Date().toISOString() });
       }
     } catch (error) {
       console.error('Export error:', error);