refactor: Centralize authorization and response formatting into new handler utilities and simplify schema type inference.

clifordpereira · clifordpereira · commit 4d1f21160437 · 2025-12-08T08:09:44.000+05:30
diff --git a/src/runtime/server/api/[model]/[id].delete.ts b/src/runtime/server/api/[model]/[id].delete.ts
@@ -1,36 +1,17 @@
 // server/api/[model]/[id].delete.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, getModelSingularName, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { getTableForModel, getModelSingularName } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig()
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'delete')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('delete'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'delete')
 
   const table = getTableForModel(model) as TableWithId
-
   const singularName = getModelSingularName(model)
 
   const deletedRecord = await useDrizzle()
@@ -46,10 +27,5 @@ export default eventHandler(async (event) => {
     })
   }
 
-  if (isAdmin) {
-    return filterHiddenFields(model, deletedRecord as Record<string, unknown>)
-  }
-  else {
-    return filterPublicColumns(model, deletedRecord as Record<string, unknown>)
-  }
+  return formatResourceResult(model, deletedRecord as Record<string, unknown>, isAdmin)
 })
diff --git a/src/runtime/server/api/[model]/[id].get.ts b/src/runtime/server/api/[model]/[id].get.ts
@@ -1,33 +1,15 @@
 // server/api/[model]/[id].get.ts
 import { eventHandler, getRouterParams, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { getTableForModel } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig()
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'read')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('read'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'read')
 
   const table = getTableForModel(model) as TableWithId
 
@@ -44,10 +26,5 @@ export default eventHandler(async (event) => {
     })
   }
 
-  if (isAdmin) {
-    return filterHiddenFields(model, record as Record<string, unknown>)
-  }
-  else {
-    return filterPublicColumns(model, record as Record<string, unknown>)
-  }
+  return formatResourceResult(model, record as Record<string, unknown>, isAdmin)
 })
diff --git a/src/runtime/server/api/[model]/[id].patch.ts b/src/runtime/server/api/[model]/[id].patch.ts
@@ -1,33 +1,15 @@
 // server/api/[model]/[id].patch.ts
 import { eventHandler, getRouterParams, readBody, createError } from 'h3'
 import { eq } from 'drizzle-orm'
-import { getTableForModel, filterUpdatableFields, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 import type { TableWithId } from '../../types'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig()
   const { model, id } = getRouterParams(event) as { model: string, id: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'update')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('update'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'update')
 
   const table = getTableForModel(model) as TableWithId
 
@@ -36,7 +18,8 @@ export default eventHandler(async (event) => {
 
   // Automatically update updatedAt if it exists
   if ('updatedAt' in table) {
-    payload.updatedAt = new Date()
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (payload as any).updatedAt = new Date()
   }
 
   const updatedRecord = await useDrizzle()
@@ -53,10 +36,5 @@ export default eventHandler(async (event) => {
     })
   }
 
-  if (isAdmin) {
-    return filterHiddenFields(model, updatedRecord as Record<string, unknown>)
-  }
-  else {
-    return filterPublicColumns(model, updatedRecord as Record<string, unknown>)
-  }
+  return formatResourceResult(model, updatedRecord as Record<string, unknown>, isAdmin)
 })
diff --git a/src/runtime/server/api/[model]/index.get.ts b/src/runtime/server/api/[model]/index.get.ts
@@ -1,46 +1,20 @@
 // server/api/[model]/index.get.ts
-import { eventHandler, getRouterParams, createError } from 'h3'
-import { getTableForModel, filterHiddenFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { eventHandler, getRouterParams } from 'h3'
+import { getTableForModel } from '../../utils/modelMapper'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
-
 import { desc } from 'drizzle-orm'
 import type { TableWithId } from '../../types'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
   console.log('[GET] Request received', event.path)
-  const { resources } = useAutoCrudConfig()
   const { model } = getRouterParams(event) as { model: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'list')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('list'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'list')
 
   const table = getTableForModel(model) as TableWithId
 
   const results = await useDrizzle().select().from(table).orderBy(desc(table.id)).all()
 
-  return results.map((item: Record<string, unknown>) => {
-    if (isAdmin) {
-      return filterHiddenFields(model, item as Record<string, unknown>)
-    }
-    else {
-      return filterPublicColumns(model, item as Record<string, unknown>)
-    }
-  })
+  return results.map((item: Record<string, unknown>) => formatResourceResult(model, item, isAdmin))
 })
diff --git a/src/runtime/server/api/[model]/index.post.ts b/src/runtime/server/api/[model]/index.post.ts
@@ -1,31 +1,13 @@
 // server/api/[model]/index.post.ts
-import { eventHandler, getRouterParams, readBody, createError } from 'h3'
-import { getTableForModel, filterHiddenFields, filterUpdatableFields, filterPublicColumns } from '../../utils/modelMapper'
-
+import { eventHandler, getRouterParams, readBody } from 'h3'
+import { getTableForModel, filterUpdatableFields } from '../../utils/modelMapper'
 // @ts-expect-error - #site/drizzle is an alias defined by the module
 import { useDrizzle } from '#site/drizzle'
-
-import { useAutoCrudConfig } from '../../utils/config'
-import { checkAdminAccess } from '../../utils/auth'
+import { ensureResourceAccess, formatResourceResult } from '../../utils/handler'
 
 export default eventHandler(async (event) => {
-  const { resources } = useAutoCrudConfig()
   const { model } = getRouterParams(event) as { model: string }
-
-  const isAdmin = await checkAdminAccess(event, model, 'create')
-
-  // Check public access if not admin
-  if (!isAdmin) {
-    const resourceConfig = resources?.[model]
-    const isPublic = resourceConfig?.public === true || (Array.isArray(resourceConfig?.public) && resourceConfig.public.includes('create'))
-
-    if (!isPublic) {
-      throw createError({
-        statusCode: 401,
-        message: 'Unauthorized',
-      })
-    }
-  }
+  const isAdmin = await ensureResourceAccess(event, model, 'create')
 
   const table = getTableForModel(model)
 
@@ -34,10 +16,5 @@ export default eventHandler(async (event) => {
 
   const newRecord = await useDrizzle().insert(table).values(payload).returning().get()
 
-  if (isAdmin) {
-    return filterHiddenFields(model, newRecord as Record<string, unknown>)
-  }
-  else {
-    return filterPublicColumns(model, newRecord as Record<string, unknown>)
-  }
+  return formatResourceResult(model, newRecord as Record<string, unknown>, isAdmin)
 })
diff --git a/src/runtime/server/api/_relations.get.ts b/src/runtime/server/api/_relations.get.ts
@@ -1,32 +1,9 @@
-import { eventHandler, createError } from 'h3'
-// @ts-expect-error - #imports is available in runtime
-import { requireUserSession } from '#imports'
+import { eventHandler } from 'h3'
+
 import { getRelations } from '../utils/schema'
-import { useAutoCrudConfig } from '../utils/config'
-import { verifyJwtToken } from '../utils/jwt'
+import { ensureAuthenticated } from '../utils/auth'
 
 export default eventHandler(async (event) => {
-  const { auth } = useAutoCrudConfig()
-
-  if (auth?.authentication) {
-    let isAuthenticated = false
-    if (auth.type === 'jwt' && auth.jwtSecret) {
-      isAuthenticated = await verifyJwtToken(event, auth.jwtSecret)
-    }
-    else {
-      try {
-        await requireUserSession(event)
-        isAuthenticated = true
-      }
-      catch {
-        isAuthenticated = false
-      }
-    }
-
-    if (!isAuthenticated) {
-      throw createError({ statusCode: 401, message: 'Unauthorized' })
-    }
-  }
-
+  await ensureAuthenticated(event)
   return getRelations()
 })
diff --git a/src/runtime/server/api/_schema/[table].get.ts b/src/runtime/server/api/_schema/[table].get.ts
@@ -1,34 +1,12 @@
 import { eventHandler, createError, getRouterParam } from 'h3'
-// @ts-expect-error - #imports is available in runtime
-import { requireUserSession } from '#imports'
+
 import { getSchema } from '../../utils/schema'
-import { useAutoCrudConfig } from '../../utils/config'
-import { verifyJwtToken } from '../../utils/jwt'
+import { ensureAuthenticated } from '../../utils/auth'
 
 export default eventHandler(async (event) => {
-  const { auth } = useAutoCrudConfig()
+  await ensureAuthenticated(event)
   const tableName = getRouterParam(event, 'table')
 
-  if (auth?.authentication) {
-    let isAuthenticated = false
-    if (auth.type === 'jwt' && auth.jwtSecret) {
-      isAuthenticated = await verifyJwtToken(event, auth.jwtSecret)
-    }
-    else {
-      try {
-        await requireUserSession(event)
-        isAuthenticated = true
-      }
-      catch {
-        isAuthenticated = false
-      }
-    }
-
-    if (!isAuthenticated) {
-      throw createError({ statusCode: 401, message: 'Unauthorized' })
-    }
-  }
-
   if (!tableName) {
     throw createError({ statusCode: 400, message: 'Table name is required' })
   }
diff --git a/src/runtime/server/api/_schema/index.get.ts b/src/runtime/server/api/_schema/index.get.ts
@@ -1,32 +1,9 @@
-import { eventHandler, createError } from 'h3'
-// @ts-expect-error - #imports is available in runtime
-import { requireUserSession } from '#imports'
+import { eventHandler } from 'h3'
+
 import { getAllSchemas } from '../../utils/schema'
-import { useAutoCrudConfig } from '../../utils/config'
-import { verifyJwtToken } from '../../utils/jwt'
+import { ensureAuthenticated } from '../../utils/auth'
 
 export default eventHandler(async (event) => {
-  const { auth } = useAutoCrudConfig()
-
-  if (auth?.authentication) {
-    let isAuthenticated = false
-    if (auth.type === 'jwt' && auth.jwtSecret) {
-      isAuthenticated = await verifyJwtToken(event, auth.jwtSecret)
-    }
-    else {
-      try {
-        await requireUserSession(event)
-        isAuthenticated = true
-      }
-      catch {
-        isAuthenticated = false
-      }
-    }
-
-    if (!isAuthenticated) {
-      throw createError({ statusCode: 401, message: 'Unauthorized' })
-    }
-  }
-
+  await ensureAuthenticated(event)
   return getAllSchemas()
 })
diff --git a/src/runtime/server/utils/auth.ts b/src/runtime/server/utils/auth.ts
diff --git a/src/runtime/server/utils/handler.ts b/src/runtime/server/utils/handler.ts
diff --git a/src/runtime/server/utils/schema.ts b/src/runtime/server/utils/schema.ts
