feat: Add resource-specific public access control and column filtering for API endpoints.

clifordpereira · clifordpereira · commit 0eacd3c4dfbb · 2025-11-29T08:42:03.000+05:30
diff --git a/scripts/test-api.mjs b/scripts/test-api.mjs
@@ -17,7 +17,7 @@ async function startServer(playgroundDir, port) {
   })
 
   // Wait for server to be ready (naive wait, better to check output or poll)
-  await new Promise((resolve) => setTimeout(resolve, 5000))
+  await new Promise((resolve) => setTimeout(resolve, 10000))
   return server
 }
 
diff --git a/src/module.ts b/src/module.ts
@@ -34,6 +34,26 @@ export interface ModuleOptions {
      */
     authorization?: boolean
   }
+
+  /**
+   * Resource-specific configuration
+   * Define public access and column visibility
+   */
+  resources?: {
+    [modelName: string]: {
+      /**
+       * Actions allowed without authentication
+       * true = all actions
+       * array = specific actions ('list', 'create', 'read', 'update', 'delete')
+       */
+      public?: boolean | ('list' | 'create' | 'read' | 'update' | 'delete')[]
+      /**
+       * Columns to return for unauthenticated requests
+       * If not specified, all columns (except hidden ones) are returned
+       */
+      publicColumns?: string[]
+    }
+  }
 }
 
 export default defineNuxtModule<ModuleOptions>({
@@ -64,7 +84,11 @@ export default defineNuxtModule<ModuleOptions>({
 
     // 3. Pass options to runtimeConfig
     nuxt.options.runtimeConfig.autoCrud = {
-      auth: options.auth || { enabled: false, authorization: false },
+      auth: {
+        enabled: options.auth?.enabled ?? false,
+        authorization: options.auth?.authorization ?? false,
+      },
+      resources: options.resources || {},
     }
 
     // 2. Register the API routes
diff --git a/src/runtime/server/api/[model]/[id].delete.ts b/src/runtime/server/api/[model]/[id].delete.ts
@@ -1,30 +1,53 @@
 // server/api/[model]/[id].delete.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, getModelSingularName, filterHiddenFields } from '../../utils/modelMapper'
+import { getTableForModel, getModelSingularName, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 import { useRuntimeConfig } from '#imports'
 
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
 export default eventHandler(async (event) => {
-  const { auth } = useRuntimeConfig().autoCrud
+  const { auth, resources } = useRuntimeConfig().autoCrud
+  let isAdmin = false
+
   if (auth?.enabled) {
     // Try using global auto-import
     // @ts-ignore
     if (typeof requireUserSession === 'function') {
-      // @ts-ignore
-      await requireUserSession(event)
+      try {
+        // @ts-ignore
+        await requireUserSession(event)
+        isAdmin = true
+      } catch (e) {
+        isAdmin = false
+      }
     } else {
        throw new Error('requireUserSession is not available')
     }
+  } else {
+    isAdmin = true
   }
 
   const { model, id } = getRouterParams(event)
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('delete'))
+    
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model) as TableWithId
 
-  if (auth?.authorization) {
+  if (isAdmin && auth?.authorization) {
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore - #authorization is an optional module
     const { authorize } = await import('#authorization')
@@ -45,5 +68,9 @@ export default eventHandler(async (event) => {
     })
   }
 
-  return filterHiddenFields(model, deletedRecord as Record<string, unknown>)
+  if (isAdmin) {
+    return filterHiddenFields(model, deletedRecord as Record<string, unknown>)
+  } else {
+    return filterPublicColumns(model, deletedRecord as Record<string, unknown>)
+  }
 })
diff --git a/src/runtime/server/api/[model]/[id].get.ts b/src/runtime/server/api/[model]/[id].get.ts
@@ -1,30 +1,53 @@
 // server/api/[model]/[id].get.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, getModelSingularName, filterHiddenFields } from '../../utils/modelMapper'
+import { getTableForModel, getModelSingularName, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 import { useRuntimeConfig } from '#imports'
 
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
 export default eventHandler(async (event) => {
-  const { auth } = useRuntimeConfig().autoCrud
+  const { auth, resources } = useRuntimeConfig().autoCrud
+  let isAdmin = false
+
   if (auth?.enabled) {
     // Try using global auto-import
     // @ts-ignore
     if (typeof requireUserSession === 'function') {
-      // @ts-ignore
-      await requireUserSession(event)
+      try {
+        // @ts-ignore
+        await requireUserSession(event)
+        isAdmin = true
+      } catch (e) {
+        isAdmin = false
+      }
     } else {
        throw new Error('requireUserSession is not available')
     }
+  } else {
+    isAdmin = true
   }
 
   const { model, id } = getRouterParams(event)
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('read'))
+    
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model) as TableWithId
 
-  if (auth?.authorization) {
+  if (isAdmin && auth?.authorization) {
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore - #authorization is an optional module
     const { authorize } = await import('#authorization')
@@ -41,9 +64,13 @@ export default eventHandler(async (event) => {
   if (!record) {
     throw createError({
       statusCode: 404,
-      message: `${singularName} not found`,
+      message: 'Record not found',
     })
   }
 
-  return filterHiddenFields(model, record as Record<string, unknown>)
+  if (isAdmin) {
+    return filterHiddenFields(model, record as Record<string, unknown>)
+  } else {
+    return filterPublicColumns(model, record as Record<string, unknown>)
+  }
 })
diff --git a/src/runtime/server/api/[model]/[id].patch.ts b/src/runtime/server/api/[model]/[id].patch.ts
@@ -1,46 +1,79 @@
 // server/api/[model]/[id].patch.ts
-import { eventHandler, getRouterParams, readBody } from 'h3'
+import { eventHandler, getRouterParams, readBody, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, filterUpdatableFields, filterHiddenFields } from '../../utils/modelMapper'
+import { getTableForModel, filterUpdatableFields, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 import { useRuntimeConfig } from '#imports'
 
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
 export default eventHandler(async (event) => {
-  const { auth } = useRuntimeConfig().autoCrud
+  const { auth, resources } = useRuntimeConfig().autoCrud
+  let isAdmin = false
+
   if (auth?.enabled) {
     // Try using global auto-import
     // @ts-ignore
     if (typeof requireUserSession === 'function') {
-      // @ts-ignore
-      await requireUserSession(event)
+      try {
+        // @ts-ignore
+        await requireUserSession(event)
+        isAdmin = true
+      } catch (e) {
+        isAdmin = false
+      }
     } else {
        throw new Error('requireUserSession is not available')
     }
+  } else {
+    isAdmin = true
   }
 
   const { model, id } = getRouterParams(event)
+
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('update'))
+    
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model) as TableWithId
 
-  if (auth?.authorization) {
+  if (isAdmin && auth?.authorization) {
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore - #authorization is an optional module
     const { authorize } = await import('#authorization')
     await authorize(model, 'update')
   }
-  const body = await readBody(event)
 
-  // Filter to only allow updatable fields for this model
-  const updateData = filterUpdatableFields(model, body)
+  const body = await readBody(event)
+  const payload = filterUpdatableFields(model, body)
 
-  const record = await useDrizzle()
+  const updatedRecord = await useDrizzle()
     .update(table)
-    .set(updateData)
+    .set(payload)
     .where(eq(table.id, Number(id)))
     .returning()
     .get()
 
-  return filterHiddenFields(model, record as Record<string, unknown>)
+  if (!updatedRecord) {
+    throw createError({
+      statusCode: 404,
+      message: 'Record not found',
+    })
+  }
+
+  if (isAdmin) {
+    return filterHiddenFields(model, updatedRecord as Record<string, unknown>)
+  } else {
+    return filterPublicColumns(model, updatedRecord as Record<string, unknown>)
+  }
 })
diff --git a/src/runtime/server/api/[model]/index.get.ts b/src/runtime/server/api/[model]/index.get.ts
@@ -1,39 +1,71 @@
 // server/api/[model]/index.get.ts
-import { eventHandler, getRouterParams } from 'h3'
-import { getTableForModel, filterHiddenFields } from '../../utils/modelMapper'
+import { eventHandler, getRouterParams, createError } from 'h3'
+import { getTableForModel, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
 import { useRuntimeConfig } from '#imports'
 
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
 
 export default eventHandler(async (event) => {
-  const { auth } = useRuntimeConfig().autoCrud
+  console.log('[GET] Request received', event.path)
+  const { auth, resources } = useRuntimeConfig().autoCrud
+  let isAdmin = false
+
   if (auth?.enabled) {
     // Try using global auto-import
     // @ts-ignore
     if (typeof requireUserSession === 'function') {
-      // @ts-ignore
-      await requireUserSession(event)
+      try {
+        // @ts-ignore
+        await requireUserSession(event)
+        isAdmin = true
+      } catch (e) {
+        // Not authenticated
+        isAdmin = false
+      }
     } else {
        console.warn('requireUserSession is not available globally')
        // Fallback or error?
        // If auth is enabled, we expect it to be available.
        // But if it's not, we might want to throw to fail the test.
        throw new Error('requireUserSession is not available')
     }
+  } else {
+    // Auth disabled = everyone is admin (or public with full access)
+    isAdmin = true
   }
 
   const { model } = getRouterParams(event)
+  
+  // Check public access if not admin
+  if (!isAdmin) {
+    const resourceConfig = resources?.[model]
+    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('list'))
+    
+    if (!isPublic) {
+      throw createError({
+        statusCode: 401,
+        message: 'Unauthorized',
+      })
+    }
+  }
+
   const table = getTableForModel(model)
 
-  if (auth?.authorization) {
+  if (isAdmin && auth?.authorization) {
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore - #authorization is an optional module
     const { authorize } = await import('#authorization')
-    await authorize(model, 'read')
+    await authorize(model, 'list')
   }
 
-  const records = await useDrizzle().select().from(table).all()
+  const results = await useDrizzle().select().from(table).all()
 
-  return records.map((record: Record<string, unknown>) => filterHiddenFields(model, record))
+  return results.map((item: Record<string, unknown>) => {
+    if (isAdmin) {
+      return filterHiddenFields(model, item as Record<string, unknown>)
+    } else {
+      return filterPublicColumns(model, item as Record<string, unknown>)
+    }
+  })
 })
diff --git a/src/runtime/server/api/[model]/index.post.ts b/src/runtime/server/api/[model]/index.post.ts
diff --git a/src/runtime/server/utils/modelMapper.ts b/src/runtime/server/utils/modelMapper.ts
diff --git a/test/api.test.ts b/test/api.test.ts

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ async function startServer(playgroundDir, port) {`
`17`	`17`	`})`
`18`	`18`
`19`	`19`	`// Wait for server to be ready (naive wait, better to check output or poll)`
`20`		`- await new Promise((resolve) => setTimeout(resolve, 5000))`
	`20`	`+ await new Promise((resolve) => setTimeout(resolve, 10000))`
`21`	`21`	`return server`
`22`	`22`	`}`
`23`	`23`