diff --git a/app/__test__/api/Api.spec.ts b/app/__test__/api/Api.spec.ts index c1041d9..4384928 100644 --- a/app/__test__/api/Api.spec.ts +++ b/app/__test__/api/Api.spec.ts @@ -6,13 +6,16 @@ describe("Api", async () => { it("should construct without options", () => { const api = new Api(); expect(api.baseUrl).toBe("http://localhost"); - expect(api.isAuthVerified()).toBe(false); + + // verified is true, because no token, user, headers or request given + // therefore nothing to check, auth state is verified + expect(api.isAuthVerified()).toBe(true); }); it("should ignore force verify if no claims given", () => { const api = new Api({ verified: true }); expect(api.baseUrl).toBe("http://localhost"); - expect(api.isAuthVerified()).toBe(false); + expect(api.isAuthVerified()).toBe(true); }); it("should construct from request (token)", async () => { diff --git a/app/__test__/app/mcp/mcp.auth.test.ts b/app/__test__/app/mcp/mcp.auth.test.ts index e7658b4..2636730 100644 --- a/app/__test__/app/mcp/mcp.auth.test.ts +++ b/app/__test__/app/mcp/mcp.auth.test.ts @@ -201,7 +201,10 @@ describe("mcp auth", async () => { }, return_config: true, }); - expect(addGuestRole.config.guest.permissions).toEqual(["read", "write"]); + expect(addGuestRole.config.guest.permissions.map((p) => p.permission)).toEqual([ + "read", + "write", + ]); // update role await tool(server, "config_auth_roles_update", { @@ -210,13 +213,15 @@ describe("mcp auth", async () => { permissions: ["read"], }, }); - expect(app.toJSON().auth.roles?.guest?.permissions).toEqual(["read"]); + expect(app.toJSON().auth.roles?.guest?.permissions?.map((p) => p.permission)).toEqual([ + "read", + ]); // get role const getGuestRole = await tool(server, "config_auth_roles_get", { key: "guest", }); - expect(getGuestRole.value.permissions).toEqual(["read"]); + expect(getGuestRole.value.permissions.map((p) => p.permission)).toEqual(["read"]); // remove role await tool(server, "config_auth_roles_remove", { diff --git a/app/__test__/auth/Authenticator.spec.ts b/app/__test__/auth/Authenticator.spec.ts index 0794528..fcf8e5c 100644 --- a/app/__test__/auth/Authenticator.spec.ts +++ b/app/__test__/auth/Authenticator.spec.ts @@ -1,3 +1,41 @@ +import { Authenticator } from "auth/authenticate/Authenticator"; import { describe, expect, test } from "bun:test"; -describe("Authenticator", async () => {}); +describe("Authenticator", async () => { + test("should return auth cookie headers", async () => { + const auth = new Authenticator({}, null as any, { + jwt: { + secret: "secret", + fields: [], + }, + cookie: { + sameSite: "strict", + }, + }); + const headers = await auth.getAuthCookieHeader("token"); + const cookie = headers.get("Set-Cookie"); + expect(cookie).toStartWith("auth="); + expect(cookie).toEndWith("HttpOnly; Secure; SameSite=Strict"); + + // now expect it to be removed + const headers2 = await auth.removeAuthCookieHeader(headers); + const cookie2 = headers2.get("Set-Cookie"); + expect(cookie2).toStartWith("auth=; Max-Age=0; Path=/; Expires="); + expect(cookie2).toEndWith("HttpOnly; Secure; SameSite=Strict"); + }); + + test("should return auth cookie string", async () => { + const auth = new Authenticator({}, null as any, { + jwt: { + secret: "secret", + fields: [], + }, + cookie: { + sameSite: "strict", + }, + }); + const cookie = await auth.unsafeGetAuthCookie("token"); + expect(cookie).toStartWith("auth="); + expect(cookie).toEndWith("HttpOnly; Secure; SameSite=Strict"); + }); +}); diff --git a/app/__test__/auth/authorize/authorize.spec.ts b/app/__test__/auth/authorize/authorize.spec.ts index c0e04ff..caa5566 100644 --- a/app/__test__/auth/authorize/authorize.spec.ts +++ b/app/__test__/auth/authorize/authorize.spec.ts @@ -1,9 +1,31 @@ import { describe, expect, test } from "bun:test"; -import { Guard } from "../../../src/auth/authorize/Guard"; +import { Guard, type GuardConfig } from "auth/authorize/Guard"; +import { Permission } from "auth/authorize/Permission"; +import { Role, type RoleSchema } from "auth/authorize/Role"; +import { objectTransform, s } from "bknd/utils"; + +function createGuard( + permissionNames: string[], + roles?: Record>, + config?: GuardConfig, +) { + const _roles = roles + ? objectTransform(roles, ({ permissions = [], is_default, implicit_allow }, name) => { + return Role.create(name, { permissions, is_default, implicit_allow }); + }) + : {}; + const _permissions = permissionNames.map((name) => new Permission(name)); + return new Guard(_permissions, Object.values(_roles), config); +} describe("authorize", () => { + const read = new Permission("read", { + filterable: true, + }); + const write = new Permission("write"); + test("basic", async () => { - const guard = Guard.create( + const guard = createGuard( ["read", "write"], { admin: { @@ -16,14 +38,14 @@ describe("authorize", () => { role: "admin", }; - expect(guard.granted("read", user)).toBe(true); - expect(guard.granted("write", user)).toBe(true); + expect(guard.granted(read, user)).toBeUndefined(); + expect(guard.granted(write, user)).toBeUndefined(); - expect(() => guard.granted("something")).toThrow(); + expect(() => guard.granted(new Permission("something"), {})).toThrow(); }); test("with default", async () => { - const guard = Guard.create( + const guard = createGuard( ["read", "write"], { admin: { @@ -37,26 +59,26 @@ describe("authorize", () => { { enabled: true }, ); - expect(guard.granted("read")).toBe(true); - expect(guard.granted("write")).toBe(false); + expect(guard.granted(read, {})).toBeUndefined(); + expect(() => guard.granted(write, {})).toThrow(); const user = { role: "admin", }; - expect(guard.granted("read", user)).toBe(true); - expect(guard.granted("write", user)).toBe(true); + expect(guard.granted(read, user)).toBeUndefined(); + expect(guard.granted(write, user)).toBeUndefined(); }); test("guard implicit allow", async () => { - const guard = Guard.create([], {}, { enabled: false }); + const guard = createGuard([], {}, { enabled: false }); - expect(guard.granted("read")).toBe(true); - expect(guard.granted("write")).toBe(true); + expect(guard.granted(read, {})).toBeUndefined(); + expect(guard.granted(write, {})).toBeUndefined(); }); test("role implicit allow", async () => { - const guard = Guard.create(["read", "write"], { + const guard = createGuard(["read", "write"], { admin: { implicit_allow: true, }, @@ -66,12 +88,12 @@ describe("authorize", () => { role: "admin", }; - expect(guard.granted("read", user)).toBe(true); - expect(guard.granted("write", user)).toBe(true); + expect(guard.granted(read, user)).toBeUndefined(); + expect(guard.granted(write, user)).toBeUndefined(); }); test("guard with guest role implicit allow", async () => { - const guard = Guard.create(["read", "write"], { + const guard = createGuard(["read", "write"], { guest: { implicit_allow: true, is_default: true, @@ -79,7 +101,143 @@ describe("authorize", () => { }); expect(guard.getUserRole()?.name).toBe("guest"); - expect(guard.granted("read")).toBe(true); - expect(guard.granted("write")).toBe(true); + expect(guard.granted(read, {})).toBeUndefined(); + expect(guard.granted(write, {})).toBeUndefined(); + }); + + describe("cases", () => { + test("guest none, member deny if user.enabled is false", () => { + const guard = createGuard( + ["read"], + { + guest: { + is_default: true, + }, + member: { + permissions: [ + { + permission: "read", + policies: [ + { + condition: {}, + effect: "filter", + filter: { + type: "member", + }, + }, + { + condition: { + "user.enabled": false, + }, + effect: "deny", + }, + ], + }, + ], + }, + }, + { enabled: true }, + ); + + expect(() => guard.granted(read, { role: "guest" })).toThrow(); + + // member is allowed, because default role permission effect is allow + // and no deny policy is met + expect(guard.granted(read, { role: "member" })).toBeUndefined(); + + // member is allowed, because deny policy is not met + expect(guard.granted(read, { role: "member", enabled: true })).toBeUndefined(); + + // member is denied, because deny policy is met + expect(() => guard.granted(read, { role: "member", enabled: false })).toThrow(); + + // get the filter for member role + expect(guard.filters(read, { role: "member" }).filter).toEqual({ + type: "member", + }); + + // get filter for guest + expect(guard.filters(read, {}).filter).toBeUndefined(); + }); + + test("guest should only read posts that are public", () => { + const read = new Permission( + "read", + { + // make this permission filterable + // without this, `filter` policies have no effect + filterable: true, + }, + // expect the context to match this schema + // otherwise exit with 500 to ensure proper policy checking + s.object({ + entity: s.string(), + }), + ); + const guard = createGuard( + ["read"], + { + guest: { + // this permission is applied if no (or invalid) role is provided + is_default: true, + permissions: [ + { + permission: "read", + // effect deny means only having this permission, doesn't guarantee access + effect: "deny", + policies: [ + { + // only if this condition is met + condition: { + entity: { + $in: ["posts"], + }, + }, + // the effect is allow + effect: "allow", + }, + { + condition: { + entity: "posts", + }, + effect: "filter", + filter: { + public: true, + }, + }, + ], + }, + ], + }, + // members should be allowed to read all + member: { + permissions: [ + { + permission: "read", + }, + ], + }, + }, + { enabled: true }, + ); + + // guest can only read posts + expect(guard.granted(read, {}, { entity: "posts" })).toBeUndefined(); + expect(() => guard.granted(read, {}, { entity: "users" })).toThrow(); + + // and guests can only read public posts + expect(guard.filters(read, {}, { entity: "posts" }).filter).toEqual({ + public: true, + }); + + // member can read posts and users + expect(guard.granted(read, { role: "member" }, { entity: "posts" })).toBeUndefined(); + expect(guard.granted(read, { role: "member" }, { entity: "users" })).toBeUndefined(); + + // member should not have a filter + expect( + guard.filters(read, { role: "member" }, { entity: "posts" }).filter, + ).toBeUndefined(); + }); }); }); diff --git a/app/__test__/auth/authorize/data.permissions.test.ts b/app/__test__/auth/authorize/data.permissions.test.ts new file mode 100644 index 0000000..6ff0c3e --- /dev/null +++ b/app/__test__/auth/authorize/data.permissions.test.ts @@ -0,0 +1,327 @@ +import { describe, it, expect, beforeAll, afterAll } from "bun:test"; +import { createApp } from "core/test/utils"; +import type { CreateAppConfig } from "App"; +import * as proto from "data/prototype"; +import { mergeObject } from "core/utils/objects"; +import type { App, DB } from "bknd"; +import type { CreateUserPayload } from "auth/AppAuth"; +import { disableConsoleLog, enableConsoleLog } from "core/utils/test"; + +beforeAll(() => disableConsoleLog()); +afterAll(() => enableConsoleLog()); + +async function makeApp(config: Partial = {}) { + const app = createApp({ + config: mergeObject( + { + data: proto + .em( + { + users: proto.systemEntity("users", {}), + posts: proto.entity("posts", { + title: proto.text(), + content: proto.text(), + }), + comments: proto.entity("comments", { + content: proto.text(), + }), + }, + ({ relation }, { users, posts, comments }) => { + relation(posts).manyToOne(users); + relation(comments).manyToOne(posts); + }, + ) + .toJSON(), + auth: { + enabled: true, + jwt: { + secret: "secret", + }, + }, + }, + config, + ), + }); + await app.build(); + + return app; +} + +async function createUsers(app: App, users: CreateUserPayload[]) { + return Promise.all( + users.map(async (user) => { + return await app.createUser(user); + }), + ); +} + +async function loadFixtures(app: App, fixtures: Record = {}) { + const results = {} as any; + for (const [entity, data] of Object.entries(fixtures)) { + results[entity] = await app.em + .mutator(entity as any) + .insertMany(data) + .then((result) => result.data); + } + return results; +} + +describe("data permissions", async () => { + const app = await makeApp({ + server: { + mcp: { + enabled: true, + }, + }, + auth: { + guard: { + enabled: true, + }, + roles: { + guest: { + is_default: true, + permissions: [ + { + permission: "system.access.api", + }, + { + permission: "data.entity.read", + policies: [ + { + condition: { + entity: "posts", + }, + effect: "filter", + filter: { + users_id: { $isnull: 1 }, + }, + }, + ], + }, + { + permission: "data.entity.create", + policies: [ + { + condition: { + entity: "posts", + }, + effect: "filter", + filter: { + users_id: { $isnull: 1 }, + }, + }, + ], + }, + { + permission: "data.entity.update", + policies: [ + { + condition: { + entity: "posts", + }, + effect: "filter", + filter: { + users_id: { $isnull: 1 }, + }, + }, + ], + }, + { + permission: "data.entity.delete", + policies: [ + { + condition: { entity: "posts" }, + }, + { + condition: { entity: "posts" }, + effect: "filter", + filter: { + users_id: { $isnull: 1 }, + }, + }, + ], + }, + ], + }, + }, + }, + }); + const users = [ + { email: "foo@example.com", password: "password" }, + { email: "bar@example.com", password: "password" }, + ]; + const fixtures = { + posts: [ + { content: "post 1", users_id: 1 }, + { content: "post 2", users_id: 2 }, + { content: "post 3", users_id: null }, + ], + comments: [ + { content: "comment 1", posts_id: 1 }, + { content: "comment 2", posts_id: 2 }, + { content: "comment 3", posts_id: 3 }, + ], + }; + await createUsers(app, users); + const results = await loadFixtures(app, fixtures); + + describe("http", async () => { + it("read many", async () => { + // many only includes posts with users_id is null + const res = await app.server.request("/api/data/entity/posts"); + const data = await res.json().then((r: any) => r.data); + expect(data).toEqual([results.posts[2]]); + + // same with /query + { + const res = await app.server.request("/api/data/entity/posts/query", { + method: "POST", + }); + const data = await res.json().then((r: any) => r.data); + expect(data).toEqual([results.posts[2]]); + } + }); + + it("read one", async () => { + // one only includes posts with users_id is null + { + const res = await app.server.request("/api/data/entity/posts/1"); + const data = await res.json().then((r: any) => r.data); + expect(res.status).toBe(404); + expect(data).toBeUndefined(); + } + + // read one by allowed id + { + const res = await app.server.request("/api/data/entity/posts/3"); + const data = await res.json().then((r: any) => r.data); + expect(res.status).toBe(200); + expect(data).toEqual(results.posts[2]); + } + }); + + it("read many by reference", async () => { + const res = await app.server.request("/api/data/entity/posts/1/comments"); + const data = await res.json().then((r: any) => r.data); + expect(res.status).toBe(200); + expect(data).toEqual(results.comments.filter((c: any) => c.posts_id === 1)); + }); + + it("mutation create one", async () => { + // not allowed + { + const res = await app.server.request("/api/data/entity/posts", { + method: "POST", + body: JSON.stringify({ content: "post 4" }), + }); + expect(res.status).toBe(403); + } + // allowed + { + const res = await app.server.request("/api/data/entity/posts", { + method: "POST", + body: JSON.stringify({ content: "post 4", users_id: null }), + }); + expect(res.status).toBe(201); + } + }); + + it("mutation update one", async () => { + // update one: not allowed + const res = await app.server.request("/api/data/entity/posts/1", { + method: "PATCH", + body: JSON.stringify({ content: "post 4" }), + }); + expect(res.status).toBe(403); + + { + // update one: allowed + const res = await app.server.request("/api/data/entity/posts/3", { + method: "PATCH", + body: JSON.stringify({ content: "post 3 (updated)" }), + }); + expect(res.status).toBe(200); + expect(await res.json().then((r: any) => r.data.content)).toBe("post 3 (updated)"); + } + }); + + it("mutation update many", async () => { + // update many: not allowed + const res = await app.server.request("/api/data/entity/posts", { + method: "PATCH", + headers: { + "Content-Type": "application/json", + }, + body: JSON.stringify({ + update: { content: "post 4" }, + where: { users_id: { $isnull: 0 } }, + }), + }); + expect(res.status).toBe(200); // because filtered + const _data = await res.json().then((r: any) => r.data.map((p: any) => p.users_id)); + expect(_data.every((u: any) => u === null)).toBe(true); + + // verify + const data = await app.em + .repo("posts") + .findMany({ select: ["content", "users_id"] }) + .then((r) => r.data); + + // expect non null users_id to not have content "post 4" + expect( + data.filter((p: any) => p.users_id !== null).every((p: any) => p.content !== "post 4"), + ).toBe(true); + // expect null users_id to have content "post 4" + expect( + data.filter((p: any) => p.users_id === null).every((p: any) => p.content === "post 4"), + ).toBe(true); + }); + + const count = async () => { + const { + data: { count: _count }, + } = await app.em.repo("posts").count(); + return _count; + }; + it("mutation delete one", async () => { + const initial = await count(); + + // delete one: not allowed + const res = await app.server.request("/api/data/entity/posts/1", { + method: "DELETE", + }); + expect(res.status).toBe(403); + expect(await count()).toBe(initial); + + { + // delete one: allowed + const res = await app.server.request("/api/data/entity/posts/3", { + method: "DELETE", + }); + expect(res.status).toBe(200); + expect(await count()).toBe(initial - 1); + } + }); + + it("mutation delete many", async () => { + // delete many: not allowed + const res = await app.server.request("/api/data/entity/posts", { + method: "DELETE", + headers: { + "Content-Type": "application/json", + }, + body: JSON.stringify({ + where: {}, + }), + }); + expect(res.status).toBe(200); + + // only deleted posts with users_id is null + const remaining = await app.em + .repo("posts") + .findMany() + .then((r) => r.data); + expect(remaining.every((p: any) => p.users_id !== null)).toBe(true); + }); + }); +}); diff --git a/app/__test__/auth/authorize/http/SystemController.spec.ts b/app/__test__/auth/authorize/http/SystemController.spec.ts new file mode 100644 index 0000000..40e6493 --- /dev/null +++ b/app/__test__/auth/authorize/http/SystemController.spec.ts @@ -0,0 +1,20 @@ +import { describe, it, expect } from "bun:test"; +import { SystemController } from "modules/server/SystemController"; +import { createApp } from "core/test/utils"; +import type { CreateAppConfig } from "App"; +import { getPermissionRoutes } from "auth/middlewares/permission.middleware"; + +async function makeApp(config: Partial = {}) { + const app = createApp(config); + await app.build(); + return app; +} + +describe.skip("SystemController", () => { + it("...", async () => { + const app = await makeApp(); + const controller = new SystemController(app); + const hono = controller.getController(); + console.log(getPermissionRoutes(hono)); + }); +}); diff --git a/app/__test__/auth/authorize/permissions.spec.ts b/app/__test__/auth/authorize/permissions.spec.ts new file mode 100644 index 0000000..411ad20 --- /dev/null +++ b/app/__test__/auth/authorize/permissions.spec.ts @@ -0,0 +1,543 @@ +import { describe, it, expect } from "bun:test"; +import { s } from "bknd/utils"; +import { Permission } from "auth/authorize/Permission"; +import { Policy } from "auth/authorize/Policy"; +import { Hono } from "hono"; +import { getPermissionRoutes, permission } from "auth/middlewares/permission.middleware"; +import { auth } from "auth/middlewares/auth.middleware"; +import { Guard, mergeFilters, type GuardConfig } from "auth/authorize/Guard"; +import { Role, RolePermission } from "auth/authorize/Role"; +import { Exception } from "bknd"; +import { convert } from "core/object/query/object-query"; + +describe("Permission", () => { + it("works with minimal schema", () => { + expect(() => new Permission("test")).not.toThrow(); + }); + + it("parses context", () => { + const p = new Permission( + "test3", + { + filterable: true, + }, + s.object({ + a: s.string(), + }), + ); + + // @ts-expect-error + expect(() => p.parseContext({ a: [] })).toThrow(); + expect(p.parseContext({ a: "test" })).toEqual({ a: "test" }); + // @ts-expect-error + expect(p.parseContext({ a: 1 })).toEqual({ a: "1" }); + }); +}); + +describe("Policy", () => { + it("works with minimal schema", () => { + expect(() => new Policy().toJSON()).not.toThrow(); + }); + + it("checks condition", () => { + const p = new Policy({ + condition: { + a: 1, + }, + }); + + expect(p.meetsCondition({ a: 1 })).toBe(true); + expect(p.meetsCondition({ a: 2 })).toBe(false); + expect(p.meetsCondition({ a: 1, b: 1 })).toBe(true); + expect(p.meetsCondition({})).toBe(false); + + const p2 = new Policy({ + condition: { + a: { $gt: 1 }, + $or: { + b: { $lt: 2 }, + }, + }, + }); + + expect(p2.meetsCondition({ a: 2 })).toBe(true); + expect(p2.meetsCondition({ a: 1 })).toBe(false); + expect(p2.meetsCondition({ a: 1, b: 1 })).toBe(true); + }); + + it("filters", () => { + const p = new Policy({ + filter: { + age: { $gt: 18 }, + }, + }); + const subjects = [{ age: 19 }, { age: 17 }, { age: 12 }]; + + expect(p.getFiltered(subjects)).toEqual([{ age: 19 }]); + + expect(p.meetsFilter({ age: 19 })).toBe(true); + expect(p.meetsFilter({ age: 17 })).toBe(false); + expect(p.meetsFilter({ age: 12 })).toBe(false); + }); + + it("replaces placeholders", () => { + const p = new Policy({ + condition: { + a: "@auth.username", + }, + filter: { + a: "@auth.username", + }, + }); + const vars = { auth: { username: "test" } }; + + expect(p.meetsCondition({ a: "test" }, vars)).toBe(true); + expect(p.meetsCondition({ a: "test2" }, vars)).toBe(false); + expect(p.meetsCondition({ a: "test2" })).toBe(false); + expect(p.meetsFilter({ a: "test" }, vars)).toBe(true); + expect(p.meetsFilter({ a: "test2" }, vars)).toBe(false); + expect(p.meetsFilter({ a: "test2" })).toBe(false); + }); +}); + +describe("Guard", () => { + it("collects filters", () => { + const p = new Permission( + "test", + { + filterable: true, + }, + s.object({ + a: s.number(), + }), + ); + const r = new Role("test", [ + new RolePermission(p, [ + new Policy({ + condition: { a: { $eq: 1 } }, + filter: { foo: "bar" }, + effect: "filter", + }), + ]), + ]); + const guard = new Guard([p], [r], { + enabled: true, + }); + expect(guard.filters(p, { role: r.name }, { a: 1 }).filter).toEqual({ foo: "bar" }); + expect(guard.filters(p, { role: r.name }, { a: 2 }).filter).toBeUndefined(); + // if no user context given, filter cannot be applied + expect(guard.filters(p, {}, { a: 1 }).filter).toBeUndefined(); + }); + + it("collects filters for default role", () => { + const p = new Permission( + "test", + { + filterable: true, + }, + s.object({ + a: s.number(), + }), + ); + const r = new Role( + "test", + [ + new RolePermission(p, [ + new Policy({ + condition: { a: { $eq: 1 } }, + filter: { foo: "bar" }, + effect: "filter", + }), + ]), + ], + true, + ); + const guard = new Guard([p], [r], { + enabled: true, + }); + + expect( + guard.filters( + p, + { + role: r.name, + }, + { a: 1 }, + ).filter, + ).toEqual({ foo: "bar" }); + expect( + guard.filters( + p, + { + role: r.name, + }, + { a: 2 }, + ).filter, + ).toBeUndefined(); + // if no user context given, the default role is applied + // hence it can be found + expect(guard.filters(p, {}, { a: 1 }).filter).toEqual({ foo: "bar" }); + }); + + it("merges filters correctly", () => { + expect(mergeFilters({ foo: "bar" }, { baz: "qux" })).toEqual({ + foo: { $eq: "bar" }, + baz: { $eq: "qux" }, + }); + expect(mergeFilters({ foo: "bar" }, { baz: { $eq: "qux" } })).toEqual({ + foo: { $eq: "bar" }, + baz: { $eq: "qux" }, + }); + expect(mergeFilters({ foo: "bar" }, { foo: "baz" })).toEqual({ foo: { $eq: "baz" } }); + + expect(mergeFilters({ foo: "bar" }, { foo: { $lt: 1 } })).toEqual({ + foo: { $eq: "bar", $lt: 1 }, + }); + + // overwrite base $or with priority + expect(mergeFilters({ $or: { foo: "one" } }, { foo: "bar" })).toEqual({ + $or: { + foo: { + $eq: "bar", + }, + }, + foo: { + $eq: "bar", + }, + }); + + // ignore base $or if priority has different key + expect(mergeFilters({ $or: { other: "one" } }, { foo: "bar" })).toEqual({ + $or: { + other: { + $eq: "one", + }, + }, + foo: { + $eq: "bar", + }, + }); + }); +}); + +describe("permission middleware", () => { + const makeApp = ( + permissions: Permission[], + roles: Role[] = [], + config: Partial = {}, + ) => { + const app = { + module: { + auth: { + enabled: true, + }, + }, + modules: { + ctx: () => ({ + guard: new Guard(permissions, roles, { + enabled: true, + ...config, + }), + }), + }, + }; + return new Hono() + .use(async (c, next) => { + // @ts-expect-error + c.set("app", app); + await next(); + }) + .use(auth()) + .onError((err, c) => { + if (err instanceof Exception) { + return c.json(err.toJSON(), err.code as any); + } + return c.json({ error: err.message }, "code" in err ? (err.code as any) : 500); + }); + }; + + it("allows if guard is disabled", async () => { + const p = new Permission("test"); + const hono = makeApp([p], [], { enabled: false }).get("/test", permission(p, {}), async (c) => + c.text("test"), + ); + + const res = await hono.request("/test"); + expect(res.status).toBe(200); + expect(await res.text()).toBe("test"); + }); + + it("denies if guard is enabled", async () => { + const p = new Permission("test"); + const hono = makeApp([p]).get("/test", permission(p, {}), async (c) => c.text("test")); + + const res = await hono.request("/test"); + expect(res.status).toBe(403); + }); + + it("allows if user has (plain) role", async () => { + const p = new Permission("test"); + const r = Role.create("test", { permissions: [p.name] }); + const hono = makeApp([p], [r]) + .use(async (c, next) => { + // @ts-expect-error + c.set("auth", { registered: true, user: { id: 0, role: r.name } }); + await next(); + }) + .get("/test", permission(p, {}), async (c) => c.text("test")); + + const res = await hono.request("/test"); + expect(res.status).toBe(200); + }); + + it("allows if user has role with policy", async () => { + const p = new Permission("test"); + const r = new Role("test", [ + new RolePermission(p, [ + new Policy({ + condition: { + a: { $gte: 1 }, + }, + }), + ]), + ]); + const hono = makeApp([p], [r], { + context: { + a: 1, + }, + }) + .use(async (c, next) => { + // @ts-expect-error + c.set("auth", { registered: true, user: { id: 0, role: r.name } }); + await next(); + }) + .get("/test", permission(p, {}), async (c) => c.text("test")); + + const res = await hono.request("/test"); + expect(res.status).toBe(200); + }); + + it("denies if user with role doesn't meet condition", async () => { + const p = new Permission("test"); + const r = new Role("test", [ + new RolePermission( + p, + [ + new Policy({ + condition: { + a: { $lt: 1 }, + }, + // default effect is allow + }), + ], + // change default effect to deny if no condition is met + "deny", + ), + ]); + const hono = makeApp([p], [r], { + context: { + a: 1, + }, + }) + .use(async (c, next) => { + // @ts-expect-error + c.set("auth", { registered: true, user: { id: 0, role: r.name } }); + await next(); + }) + .get("/test", permission(p, {}), async (c) => c.text("test")); + + const res = await hono.request("/test"); + expect(res.status).toBe(403); + }); + + it("allows if user with role doesn't meet condition (from middleware)", async () => { + const p = new Permission( + "test", + {}, + s.object({ + a: s.number(), + }), + ); + const r = new Role("test", [ + new RolePermission(p, [ + new Policy({ + condition: { + a: { $eq: 1 }, + }, + }), + ]), + ]); + const hono = makeApp([p], [r]) + .use(async (c, next) => { + // @ts-expect-error + c.set("auth", { registered: true, user: { id: 0, role: r.name } }); + await next(); + }) + .get( + "/test", + permission(p, { + context: (c) => ({ + a: 1, + }), + }), + async (c) => c.text("test"), + ); + + const res = await hono.request("/test"); + expect(res.status).toBe(200); + }); + + it("throws if permission context is invalid", async () => { + const p = new Permission( + "test", + {}, + s.object({ + a: s.number({ minimum: 2 }), + }), + ); + const r = new Role("test", [ + new RolePermission(p, [ + new Policy({ + condition: { + a: { $eq: 1 }, + }, + }), + ]), + ]); + const hono = makeApp([p], [r]) + .use(async (c, next) => { + // @ts-expect-error + c.set("auth", { registered: true, user: { id: 0, role: r.name } }); + await next(); + }) + .get( + "/test", + permission(p, { + context: (c) => ({ + a: 1, + }), + }), + async (c) => c.text("test"), + ); + + const res = await hono.request("/test"); + // expecting 500 because bknd should have handled it correctly + expect(res.status).toBe(500); + }); + + it("checks context on routes with permissions", async () => { + const make = (user: any) => { + const p = new Permission( + "test", + {}, + s.object({ + a: s.number(), + }), + ); + const r = new Role("test", [ + new RolePermission(p, [ + new Policy({ + condition: { + a: { $eq: 1 }, + }, + }), + ]), + ]); + return makeApp([p], [r]) + .use(async (c, next) => { + // @ts-expect-error + c.set("auth", { registered: true, user }); + await next(); + }) + .get( + "/valid", + permission(p, { + context: (c) => ({ + a: 1, + }), + }), + async (c) => c.text("test"), + ) + .get( + "/invalid", + permission(p, { + // @ts-expect-error + context: (c) => ({ + b: "1", + }), + }), + async (c) => c.text("test"), + ) + .get( + "/invalid2", + permission(p, { + // @ts-expect-error + context: (c) => ({}), + }), + async (c) => c.text("test"), + ) + .get( + "/invalid3", + // @ts-expect-error + permission(p), + async (c) => c.text("test"), + ); + }; + + const hono = make({ id: 0, role: "test" }); + const valid = await hono.request("/valid"); + expect(valid.status).toBe(200); + const invalid = await hono.request("/invalid"); + expect(invalid.status).toBe(500); + const invalid2 = await hono.request("/invalid2"); + expect(invalid2.status).toBe(500); + const invalid3 = await hono.request("/invalid3"); + expect(invalid3.status).toBe(500); + + { + const hono = make(null); + const valid = await hono.request("/valid"); + expect(valid.status).toBe(403); + const invalid = await hono.request("/invalid"); + expect(invalid.status).toBe(500); + const invalid2 = await hono.request("/invalid2"); + expect(invalid2.status).toBe(500); + const invalid3 = await hono.request("/invalid3"); + expect(invalid3.status).toBe(500); + } + }); +}); + +describe("Role", () => { + it("serializes and deserializes", () => { + const p = new Permission( + "test", + { + filterable: true, + }, + s.object({ + a: s.number({ minimum: 2 }), + }), + ); + const r = new Role( + "test", + [ + new RolePermission(p, [ + new Policy({ + condition: { + a: { $eq: 1 }, + }, + effect: "deny", + filter: { + b: { $lt: 1 }, + }, + }), + ]), + ], + true, + ); + const json = JSON.parse(JSON.stringify(r.toJSON())); + const r2 = Role.create(p.name, json); + expect(r2.toJSON()).toEqual(r.toJSON()); + }); +}); diff --git a/app/__test__/core/object/object-query.spec.ts b/app/__test__/core/object/object-query.spec.ts index dc03fb6..215adf8 100644 --- a/app/__test__/core/object/object-query.spec.ts +++ b/app/__test__/core/object/object-query.spec.ts @@ -66,4 +66,14 @@ describe("object-query", () => { expect(result).toBe(expected); } }); + + test("paths", () => { + const result = validate({ "user.age": { $lt: 18 } }, { user: { age: 17 } }); + expect(result).toBe(true); + }); + + test("empty filters", () => { + const result = validate({}, { user: { age: 17 } }); + expect(result).toBe(true); + }); }); diff --git a/app/__test__/core/object/query.spec.ts b/app/__test__/core/object/query.spec.ts new file mode 100644 index 0000000..80383c6 --- /dev/null +++ b/app/__test__/core/object/query.spec.ts @@ -0,0 +1,120 @@ +import { describe, expect, test } from "bun:test"; +import { + makeValidator, + exp, + Expression, + isPrimitive, + type Primitive, +} from "../../../src/core/object/query/query"; + +describe("query", () => { + test("isPrimitive", () => { + expect(isPrimitive(1)).toBe(true); + expect(isPrimitive("1")).toBe(true); + expect(isPrimitive(true)).toBe(true); + expect(isPrimitive(false)).toBe(true); + + // not primitives + expect(isPrimitive(null)).toBe(false); + expect(isPrimitive(undefined)).toBe(false); + expect(isPrimitive([])).toBe(false); + expect(isPrimitive({})).toBe(false); + expect(isPrimitive(Symbol("test"))).toBe(false); + expect(isPrimitive(new Date())).toBe(false); + expect(isPrimitive(new Error())).toBe(false); + expect(isPrimitive(new Set())).toBe(false); + expect(isPrimitive(new Map())).toBe(false); + }); + + test("strict expression creation", () => { + // @ts-expect-error + expect(() => exp()).toThrow(); + // @ts-expect-error + expect(() => exp("")).toThrow(); + // @ts-expect-error + expect(() => exp("invalid")).toThrow(); + // @ts-expect-error + expect(() => exp("$eq")).toThrow(); + // @ts-expect-error + expect(() => exp("$eq", 1)).toThrow(); + // @ts-expect-error + expect(() => exp("$eq", () => null)).toThrow(); + // @ts-expect-error + expect(() => exp("$eq", () => null, 1)).toThrow(); + expect( + exp( + "$eq", + () => true, + () => null, + ), + ).toBeInstanceOf(Expression); + }); + + test("$eq is required", () => { + expect(() => makeValidator([])).toThrow(); + expect(() => + makeValidator([ + exp( + "$valid", + () => true, + () => null, + ), + ]), + ).toThrow(); + expect( + makeValidator([ + exp( + "$eq", + () => true, + () => null, + ), + ]), + ).toBeDefined(); + }); + + test("validates filter structure", () => { + const validator = makeValidator([ + exp( + "$eq", + (v: Primitive) => isPrimitive(v), + (e, a) => e === a, + ), + exp( + "$like", + (v: string) => typeof v === "string", + (e, a) => e === a, + ), + ]); + + // @ts-expect-error intentionally typed as union of given expression keys + expect(validator.expressionKeys).toEqual(["$eq", "$like"]); + + // @ts-expect-error "$and" is not allowed + expect(() => validator.convert({ $and: {} })).toThrow(); + + // @ts-expect-error "$or" must be an object + expect(() => validator.convert({ $or: [] })).toThrow(); + + // @ts-expect-error "invalid" is not a valid expression key + expect(() => validator.convert({ foo: { invalid: "bar" } })).toThrow(); + + // @ts-expect-error "invalid" is not a valid expression key + expect(() => validator.convert({ foo: { $invalid: "bar" } })).toThrow(); + + // @ts-expect-error "null" is not a valid value + expect(() => validator.convert({ foo: null })).toThrow(); + + // @ts-expect-error only primitives are allowed for $eq + expect(() => validator.convert({ foo: { $eq: [] } })).toThrow(); + + // @ts-expect-error only strings are allowed for $like + expect(() => validator.convert({ foo: { $like: 1 } })).toThrow(); + + // undefined values are ignored + expect(validator.convert({ foo: undefined })).toEqual({}); + + expect(validator.convert({ foo: "bar" })).toEqual({ foo: { $eq: "bar" } }); + expect(validator.convert({ foo: { $eq: "bar" } })).toEqual({ foo: { $eq: "bar" } }); + expect(validator.convert({ foo: { $like: "bar" } })).toEqual({ foo: { $like: "bar" } }); + }); +}); diff --git a/app/__test__/core/utils.spec.ts b/app/__test__/core/utils.spec.ts index 36b4969..d8ea29d 100644 --- a/app/__test__/core/utils.spec.ts +++ b/app/__test__/core/utils.spec.ts @@ -194,6 +194,182 @@ describe("Core Utils", async () => { expect(result).toEqual(expected); } }); + + test("recursivelyReplacePlaceholders", () => { + // test basic replacement with simple pattern + const obj1 = { a: "Hello, {$name}!", b: { c: "Hello, {$name}!" } }; + const variables1 = { name: "John" }; + const result1 = utils.recursivelyReplacePlaceholders(obj1, /\{\$(\w+)\}/g, variables1); + expect(result1).toEqual({ a: "Hello, John!", b: { c: "Hello, John!" } }); + + // test the specific example from the user request + const obj2 = { some: "value", here: "@auth.user" }; + const variables2 = { auth: { user: "what" } }; + const result2 = utils.recursivelyReplacePlaceholders(obj2, /^@([a-z\.]+)$/, variables2); + expect(result2).toEqual({ some: "value", here: "what" }); + + // test with arrays + const obj3 = { items: ["@config.name", "static", "@config.version"] }; + const variables3 = { config: { name: "MyApp", version: "1.0.0" } }; + const result3 = utils.recursivelyReplacePlaceholders(obj3, /^@([a-z\.]+)$/, variables3); + expect(result3).toEqual({ items: ["MyApp", "static", "1.0.0"] }); + + // test with nested objects and deep paths + const obj4 = { + user: "@auth.user.name", + settings: { + theme: "@ui.theme", + nested: { + value: "@deep.nested.value", + }, + }, + }; + const variables4 = { + auth: { user: { name: "Alice" } }, + ui: { theme: "dark" }, + deep: { nested: { value: "found" } }, + }; + const result4 = utils.recursivelyReplacePlaceholders(obj4, /^@([a-z\.]+)$/, variables4); + expect(result4).toEqual({ + user: "Alice", + settings: { + theme: "dark", + nested: { + value: "found", + }, + }, + }); + + // test with missing paths (should return original match) + const obj5 = { value: "@missing.path" }; + const variables5 = { existing: "value" }; + const result5 = utils.recursivelyReplacePlaceholders(obj5, /^@([a-z\.]+)$/, variables5); + expect(result5).toEqual({ value: "@missing.path" }); + + // test with non-matching strings (should remain unchanged) + const obj6 = { value: "normal string", other: "not@matching" }; + const variables6 = { some: "value" }; + const result6 = utils.recursivelyReplacePlaceholders(obj6, /^@([a-z\.]+)$/, variables6); + expect(result6).toEqual({ value: "normal string", other: "not@matching" }); + + // test with primitive values (should handle gracefully) + expect( + utils.recursivelyReplacePlaceholders("@test.value", /^@([a-z\.]+)$/, { + test: { value: "replaced" }, + }), + ).toBe("replaced"); + expect(utils.recursivelyReplacePlaceholders(123, /^@([a-z\.]+)$/, {})).toBe(123); + expect(utils.recursivelyReplacePlaceholders(null, /^@([a-z\.]+)$/, {})).toBe(null); + + // test type preservation for full string matches + const variables7 = { test: { value: 123, flag: true, data: null, arr: [1, 2, 3] } }; + const result7 = utils.recursivelyReplacePlaceholders( + { + number: "@test.value", + boolean: "@test.flag", + nullValue: "@test.data", + array: "@test.arr", + }, + /^@([a-z\.]+)$/, + variables7, + null, + ); + expect(result7).toEqual({ + number: 123, + boolean: true, + nullValue: null, + array: [1, 2, 3], + }); + + // test partial string replacement (should convert to string) + const result8 = utils.recursivelyReplacePlaceholders( + { message: "The value is @test.value!" }, + /@([a-z\.]+)/g, + variables7, + ); + expect(result8).toEqual({ message: "The value is 123!" }); + + // test with fallback parameter + const obj9 = { user: "@user.id", config: "@config.theme" }; + const variables9 = {}; // empty context + const result9 = utils.recursivelyReplacePlaceholders( + obj9, + /^@([a-z\.]+)$/, + variables9, + null, + ); + expect(result9).toEqual({ user: null, config: null }); + + // test with fallback for partial matches + const obj10 = { message: "Hello @user.name, welcome!" }; + const variables10 = {}; // empty context + const result10 = utils.recursivelyReplacePlaceholders( + obj10, + /@([a-z\.]+)/g, + variables10, + "Guest", + ); + expect(result10).toEqual({ message: "Hello Guest, welcome!" }); + + // test with different fallback types + const obj11 = { + stringFallback: "@missing.string", + numberFallback: "@missing.number", + booleanFallback: "@missing.boolean", + objectFallback: "@missing.object", + }; + const variables11 = {}; + const result11 = utils.recursivelyReplacePlaceholders( + obj11, + /^@([a-z\.]+)$/, + variables11, + "default", + ); + expect(result11).toEqual({ + stringFallback: "default", + numberFallback: "default", + booleanFallback: "default", + objectFallback: "default", + }); + + // test fallback with arrays + const obj12 = { items: ["@item1", "@item2", "static"] }; + const variables12 = { item1: "found" }; // item2 is missing + const result12 = utils.recursivelyReplacePlaceholders( + obj12, + /^@([a-zA-Z0-9\.]+)$/, + variables12, + "missing", + ); + expect(result12).toEqual({ items: ["found", "missing", "static"] }); + + // test fallback with nested objects + const obj13 = { + user: "@user.id", + settings: { + theme: "@theme.name", + nested: { + value: "@deep.value", + }, + }, + }; + const variables13 = {}; // empty context + const result13 = utils.recursivelyReplacePlaceholders( + obj13, + /^@([a-z\.]+)$/, + variables13, + null, + ); + expect(result13).toEqual({ + user: null, + settings: { + theme: null, + nested: { + value: null, + }, + }, + }); + }); }); describe("file", async () => { @@ -264,6 +440,35 @@ describe("Core Utils", async () => { height: 512, }); }); + + test("isFileAccepted", () => { + const file = new File([""], "file.txt", { + type: "text/plain", + }); + expect(utils.isFileAccepted(file, "text/plain")).toBe(true); + expect(utils.isFileAccepted(file, "text/plain,text/html")).toBe(true); + expect(utils.isFileAccepted(file, "text/html")).toBe(false); + + { + const file = new File([""], "file.jpg", { + type: "image/jpeg", + }); + expect(utils.isFileAccepted(file, "image/jpeg")).toBe(true); + expect(utils.isFileAccepted(file, "image/jpeg,image/png")).toBe(true); + expect(utils.isFileAccepted(file, "image/png")).toBe(false); + expect(utils.isFileAccepted(file, "image/*")).toBe(true); + expect(utils.isFileAccepted(file, ".jpg")).toBe(true); + expect(utils.isFileAccepted(file, ".jpg,.png")).toBe(true); + expect(utils.isFileAccepted(file, ".png")).toBe(false); + } + + { + const file = new File([""], "file.png"); + expect(utils.isFileAccepted(file, undefined as any)).toBe(true); + } + + expect(() => utils.isFileAccepted(null as any, "text/plain")).toThrow(); + }); }); describe("dates", () => { diff --git a/app/__test__/data/data.test.ts b/app/__test__/data/data.test.ts index 10cf8ac..416b5c0 100644 --- a/app/__test__/data/data.test.ts +++ b/app/__test__/data/data.test.ts @@ -30,9 +30,9 @@ describe("some tests", async () => { const query = await em.repository(users).findId(1); expect(query.sql).toBe( - 'select "users"."id" as "id", "users"."username" as "username", "users"."email" as "email" from "users" where "id" = ? limit ?', + 'select "users"."id" as "id", "users"."username" as "username", "users"."email" as "email" from "users" where "id" = ? order by "users"."id" asc limit ? offset ?', ); - expect(query.parameters).toEqual([1, 1]); + expect(query.parameters).toEqual([1, 1, 0]); expect(query.data).toBeUndefined(); }); diff --git a/app/__test__/data/specs/SchemaManager.spec.ts b/app/__test__/data/specs/SchemaManager.spec.ts index 679010b..e35df15 100644 --- a/app/__test__/data/specs/SchemaManager.spec.ts +++ b/app/__test__/data/specs/SchemaManager.spec.ts @@ -1,5 +1,5 @@ // eslint-disable-next-line import/no-unresolved -import { afterAll, describe, expect, test } from "bun:test"; +import { afterAll, describe, expect, spyOn, test } from "bun:test"; import { randomString } from "core/utils"; import { Entity, EntityManager } from "data/entities"; import { TextField, EntityIndex } from "data/fields"; @@ -268,4 +268,39 @@ describe("SchemaManager tests", async () => { const diffAfter = await em.schema().getDiff(); expect(diffAfter.length).toBe(0); }); + + test("returns statements", async () => { + const amount = 5; + const entities = new Array(amount) + .fill(0) + .map(() => new Entity(randomString(16), [new TextField("text")])); + const em = new EntityManager(entities, dummyConnection); + const statements = await em.schema().sync({ force: true }); + expect(statements.length).toBe(amount); + expect(statements.every((stmt) => Object.keys(stmt).join(",") === "sql,parameters")).toBe( + true, + ); + }); + + test("batches statements", async () => { + const { dummyConnection } = getDummyConnection(); + const entities = new Array(20) + .fill(0) + .map(() => new Entity(randomString(16), [new TextField("text")])); + const em = new EntityManager(entities, dummyConnection); + const spy = spyOn(em.connection, "executeQueries"); + const statements = await em.schema().sync(); + expect(statements.length).toBe(entities.length); + expect(statements.every((stmt) => Object.keys(stmt).join(",") === "sql,parameters")).toBe( + true, + ); + await em.schema().sync({ force: true }); + expect(spy).toHaveBeenCalledTimes(1); + const tables = await em.connection.kysely + .selectFrom("sqlite_master") + .where("type", "=", "table") + .selectAll() + .execute(); + expect(tables.length).toBe(entities.length + 1); /* 1+ for sqlite_sequence */ + }); }); diff --git a/app/__test__/data/specs/fields/JsonField.spec.ts b/app/__test__/data/specs/fields/JsonField.spec.ts index ff94dc3..d834f67 100644 --- a/app/__test__/data/specs/fields/JsonField.spec.ts +++ b/app/__test__/data/specs/fields/JsonField.spec.ts @@ -7,7 +7,7 @@ describe("[data] JsonField", async () => { const field = new JsonField("test"); fieldTestSuite(bunTestRunner, JsonField, { defaultValue: { a: 1 }, - sampleValues: ["string", { test: 1 }, 1], + //sampleValues: ["string", { test: 1 }, 1], schemaType: "text", }); @@ -33,9 +33,9 @@ describe("[data] JsonField", async () => { }); test("getValue", async () => { - expect(field.getValue({ test: 1 }, "form")).toBe('{\n "test": 1\n}'); - expect(field.getValue("string", "form")).toBe('"string"'); - expect(field.getValue(1, "form")).toBe("1"); + expect(field.getValue({ test: 1 }, "form")).toEqual({ test: 1 }); + expect(field.getValue("string", "form")).toBe("string"); + expect(field.getValue(1, "form")).toBe(1); expect(field.getValue('{"test":1}', "submit")).toEqual({ test: 1 }); expect(field.getValue('"string"', "submit")).toBe("string"); @@ -43,6 +43,5 @@ describe("[data] JsonField", async () => { expect(field.getValue({ test: 1 }, "table")).toBe('{"test":1}'); expect(field.getValue("string", "table")).toBe('"string"'); - expect(field.getValue(1, "form")).toBe("1"); }); }); diff --git a/app/__test__/integration/auth.integration.test.ts b/app/__test__/integration/auth.integration.test.ts index 340ccaf..477951f 100644 --- a/app/__test__/integration/auth.integration.test.ts +++ b/app/__test__/integration/auth.integration.test.ts @@ -1,6 +1,6 @@ import { afterAll, beforeAll, describe, expect, it } from "bun:test"; import { App, createApp, type AuthResponse } from "../../src"; -import { auth } from "../../src/auth/middlewares"; +import { auth } from "../../src/modules/middlewares"; import { randomString, secureRandomString, withDisabledConsole } from "../../src/core/utils"; import { disableConsoleLog, enableConsoleLog } from "core/utils/test"; import { getDummyConnection } from "../helper"; diff --git a/app/build.ts b/app/build.ts index b8729bd..4a30da9 100644 --- a/app/build.ts +++ b/app/build.ts @@ -85,7 +85,12 @@ async function buildApi() { sourcemap, watch, define, - entry: ["src/index.ts", "src/core/utils/index.ts", "src/plugins/index.ts"], + entry: [ + "src/index.ts", + "src/core/utils/index.ts", + "src/plugins/index.ts", + "src/modes/index.ts", + ], outDir: "dist", external: [...external], metafile: true, diff --git a/app/internal/docs.build-assets.ts b/app/internal/docs.build-assets.ts index 4a4db73..2bedbee 100644 --- a/app/internal/docs.build-assets.ts +++ b/app/internal/docs.build-assets.ts @@ -3,11 +3,14 @@ import { createApp } from "bknd/adapter/bun"; async function generate() { console.info("Generating MCP documentation..."); const app = await createApp({ + connection: { + url: ":memory:", + }, config: { server: { mcp: { enabled: true, - path: "/mcp", + path: "/mcp2", }, }, auth: { @@ -25,9 +28,9 @@ async function generate() { }, }); await app.build(); + await app.getMcpClient().ping(); - const res = await app.server.request("/mcp?explain=1"); - const { tools, resources } = await res.json(); + const { tools, resources } = app.mcp!.toJSON(); await Bun.write("../docs/mcp.json", JSON.stringify({ tools, resources }, null, 2)); console.info("MCP documentation generated."); diff --git a/app/package.json b/app/package.json index f932580..ee5b028 100644 --- a/app/package.json +++ b/app/package.json @@ -3,7 +3,7 @@ "type": "module", "sideEffects": false, "bin": "./dist/cli/index.js", - "version": "0.18.1", + "version": "0.19.0-rc.3", "description": "Lightweight Firebase/Supabase alternative built to run anywhere — incl. Next.js, React Router, Astro, Cloudflare, Bun, Node, AWS Lambda & more.", "homepage": "https://bknd.io", "repository": { @@ -65,7 +65,7 @@ "hono": "4.8.3", "json-schema-library": "10.0.0-rc7", "json-schema-to-ts": "^3.1.1", - "jsonv-ts": "0.8.5", + "jsonv-ts": "0.9.1", "kysely": "0.27.6", "lodash-es": "^4.17.21", "oauth4webapi": "^2.11.1", @@ -180,6 +180,11 @@ "import": "./dist/plugins/index.js", "require": "./dist/plugins/index.js" }, + "./modes": { + "types": "./dist/types/modes/index.d.ts", + "import": "./dist/modes/index.js", + "require": "./dist/modes/index.js" + }, "./adapter/sqlite": { "types": "./dist/types/adapter/sqlite/edge.d.ts", "import": { diff --git a/app/src/Api.ts b/app/src/Api.ts index 28d2ef0..fd4394a 100644 --- a/app/src/Api.ts +++ b/app/src/Api.ts @@ -40,6 +40,7 @@ export type ApiOptions = { data?: SubApiOptions; auth?: SubApiOptions; media?: SubApiOptions; + credentials?: RequestCredentials; } & ( | { token?: string; @@ -67,7 +68,7 @@ export class Api { public auth!: AuthApi; public media!: MediaApi; - constructor(private options: ApiOptions = {}) { + constructor(public options: ApiOptions = {}) { // only mark verified if forced this.verified = options.verified === true; @@ -129,29 +130,45 @@ export class Api { } else if (this.storage) { this.storage.getItem(this.tokenKey).then((token) => { this.token_transport = "header"; - this.updateToken(token ? String(token) : undefined); + this.updateToken(token ? String(token) : undefined, { + verified: true, + trigger: false, + }); }); } } + /** + * Make storage async to allow async storages even if sync given + * @private + */ private get storage() { - if (!this.options.storage) return null; - return { - getItem: async (key: string) => { - return await this.options.storage!.getItem(key); + const storage = this.options.storage; + return new Proxy( + {}, + { + get(_, prop) { + return (...args: any[]) => { + const response = storage ? storage[prop](...args) : undefined; + if (response instanceof Promise) { + return response; + } + return { + // biome-ignore lint/suspicious/noThenProperty: it's a promise :) + then: (fn) => fn(response), + }; + }; + }, }, - setItem: async (key: string, value: string) => { - return await this.options.storage!.setItem(key, value); - }, - removeItem: async (key: string) => { - return await this.options.storage!.removeItem(key); - }, - }; + ) as any; } - updateToken(token?: string, opts?: { rebuild?: boolean; trigger?: boolean }) { + updateToken( + token?: string, + opts?: { rebuild?: boolean; verified?: boolean; trigger?: boolean }, + ) { this.token = token; - this.verified = false; + this.verified = opts?.verified === true; if (token) { this.user = omitKeys(decode(token).payload as any, ["iat", "iss", "exp"]) as any; @@ -159,21 +176,22 @@ export class Api { this.user = undefined; } + const emit = () => { + if (opts?.trigger !== false) { + this.options.onAuthStateChange?.(this.getAuthState()); + } + }; if (this.storage) { const key = this.tokenKey; if (token) { - this.storage.setItem(key, token).then(() => { - this.options.onAuthStateChange?.(this.getAuthState()); - }); + this.storage.setItem(key, token).then(emit); } else { - this.storage.removeItem(key).then(() => { - this.options.onAuthStateChange?.(this.getAuthState()); - }); + this.storage.removeItem(key).then(emit); } } else { if (opts?.trigger !== false) { - this.options.onAuthStateChange?.(this.getAuthState()); + emit(); } } @@ -182,6 +200,7 @@ export class Api { private markAuthVerified(verfied: boolean) { this.verified = verfied; + this.options.onAuthStateChange?.(this.getAuthState()); return this; } @@ -208,11 +227,6 @@ export class Api { } async verifyAuth() { - if (!this.token) { - this.markAuthVerified(false); - return; - } - try { const { ok, data } = await this.auth.me(); const user = data?.user; @@ -221,10 +235,10 @@ export class Api { } this.user = user; - this.markAuthVerified(true); } catch (e) { - this.markAuthVerified(false); this.updateToken(undefined); + } finally { + this.markAuthVerified(true); } } @@ -239,6 +253,7 @@ export class Api { headers: this.options.headers, token_transport: this.token_transport, verbose: this.options.verbose, + credentials: this.options.credentials, }); } @@ -257,10 +272,9 @@ export class Api { this.auth = new AuthApi( { ...baseParams, - credentials: this.options.storage ? "omit" : "include", ...this.options.auth, - onTokenUpdate: (token) => { - this.updateToken(token, { rebuild: true }); + onTokenUpdate: (token, verified) => { + this.updateToken(token, { rebuild: true, verified, trigger: true }); this.options.auth?.onTokenUpdate?.(token); }, }, diff --git a/app/src/App.ts b/app/src/App.ts index 0f535f8..633b9fa 100644 --- a/app/src/App.ts +++ b/app/src/App.ts @@ -245,9 +245,8 @@ export class App< get fetch(): Hono["fetch"] { if (!this.isBuilt()) { - throw new Error("App is not built yet, run build() first"); + console.error("App is not built yet, run build() first"); } - return this.server.fetch as any; } @@ -296,6 +295,7 @@ export class App< return this.module.auth.createUser(p); } + // @todo: potentially add option to clone the app, so that when used in listeners, it won't trigger listeners getApi(options?: LocalApiOptions) { const fetcher = this.server.request as typeof fetch; if (options && options instanceof Request) { @@ -311,8 +311,9 @@ export class App< throw new Error("MCP is not enabled"); } + const url = new URL(config.path, "http://localhost").toString(); return new McpClient({ - url: "http://localhost" + config.path, + url, fetch: this.server.request, }); } @@ -385,6 +386,7 @@ export class App< } } } + await this.options?.manager?.onModulesBuilt?.(ctx); } } diff --git a/app/src/adapter/astro/astro.adapter.ts b/app/src/adapter/astro/astro.adapter.ts index 7f24923..92a8604 100644 --- a/app/src/adapter/astro/astro.adapter.ts +++ b/app/src/adapter/astro/astro.adapter.ts @@ -8,12 +8,15 @@ export type AstroBkndConfig = FrameworkBkndConfig; export async function getApp( config: AstroBkndConfig = {}, - args: Env = {} as Env, + args: Env = import.meta.env as Env, ) { - return await createFrameworkApp(config, args ?? import.meta.env); + return await createFrameworkApp(config, args); } -export function serve(config: AstroBkndConfig = {}, args: Env = {} as Env) { +export function serve( + config: AstroBkndConfig = {}, + args: Env = import.meta.env as Env, +) { return async (fnArgs: TAstro) => { return (await getApp(config, args)).fetch(fnArgs.request); }; diff --git a/app/src/adapter/bun/bun.adapter.ts b/app/src/adapter/bun/bun.adapter.ts index 00b61b5..44e7ccf 100644 --- a/app/src/adapter/bun/bun.adapter.ts +++ b/app/src/adapter/bun/bun.adapter.ts @@ -12,7 +12,7 @@ export type BunBkndConfig = RuntimeBkndConfig & Omit( { distPath, serveStatic: _serveStatic, ...config }: BunBkndConfig = {}, - args: Env = {} as Env, + args: Env = Bun.env as Env, ) { const root = path.resolve(distPath ?? "./node_modules/bknd/dist", "static"); registerLocalMediaAdapter(); @@ -26,18 +26,18 @@ export async function createApp( }), ...config, }, - args ?? (process.env as Env), + args, ); } export function createHandler( config: BunBkndConfig = {}, - args: Env = {} as Env, + args: Env = Bun.env as Env, ) { let app: App | undefined; return async (req: Request) => { if (!app) { - app = await createApp(config, args ?? (process.env as Env)); + app = await createApp(config, args); } return app.fetch(req); }; @@ -54,9 +54,10 @@ export function serve( buildConfig, adminOptions, serveStatic, + beforeBuild, ...serveOptions }: BunBkndConfig = {}, - args: Env = {} as Env, + args: Env = Bun.env as Env, ) { Bun.serve({ ...serveOptions, @@ -71,6 +72,7 @@ export function serve( adminOptions, distPath, serveStatic, + beforeBuild, }, args, ), diff --git a/app/src/adapter/bun/index.ts b/app/src/adapter/bun/index.ts index 5f85135..a0ca1ed 100644 --- a/app/src/adapter/bun/index.ts +++ b/app/src/adapter/bun/index.ts @@ -1,3 +1,11 @@ export * from "./bun.adapter"; export * from "../node/storage"; export * from "./connection/BunSqliteConnection"; + +export async function writer(path: string, content: string) { + await Bun.write(path, content); +} + +export async function reader(path: string) { + return await Bun.file(path).text(); +} diff --git a/app/src/adapter/cloudflare/cloudflare-workers.adapter.spec.ts b/app/src/adapter/cloudflare/cloudflare-workers.adapter.spec.ts index 65477b6..6cb0f90 100644 --- a/app/src/adapter/cloudflare/cloudflare-workers.adapter.spec.ts +++ b/app/src/adapter/cloudflare/cloudflare-workers.adapter.spec.ts @@ -5,8 +5,8 @@ import { adapterTestSuite } from "adapter/adapter-test-suite"; import { bunTestRunner } from "adapter/bun/test"; import { type CloudflareBkndConfig, createApp } from "./cloudflare-workers.adapter"; -/* beforeAll(disableConsoleLog); -afterAll(enableConsoleLog); */ +beforeAll(disableConsoleLog); +afterAll(enableConsoleLog); describe("cf adapter", () => { const DB_URL = ":memory:"; diff --git a/app/src/adapter/cloudflare/cloudflare-workers.adapter.ts b/app/src/adapter/cloudflare/cloudflare-workers.adapter.ts index fe278c4..e263756 100644 --- a/app/src/adapter/cloudflare/cloudflare-workers.adapter.ts +++ b/app/src/adapter/cloudflare/cloudflare-workers.adapter.ts @@ -37,19 +37,19 @@ export async function createApp( config: CloudflareBkndConfig = {}, ctx: Partial> = {}, ) { - const appConfig = await makeConfig( + const appConfig = await makeConfig(config, ctx); + return await createRuntimeApp( { - ...config, + ...appConfig, onBuilt: async (app) => { if (ctx.ctx) { registerAsyncsExecutionContext(app, ctx?.ctx); } - await config.onBuilt?.(app); + await appConfig.onBuilt?.(app); }, }, - ctx, + ctx?.env, ); - return await createRuntimeApp(appConfig, ctx?.env); } // compatiblity diff --git a/app/src/adapter/cloudflare/storage/StorageR2Adapter.ts b/app/src/adapter/cloudflare/storage/StorageR2Adapter.ts index e257b7c..756e562 100644 --- a/app/src/adapter/cloudflare/storage/StorageR2Adapter.ts +++ b/app/src/adapter/cloudflare/storage/StorageR2Adapter.ts @@ -49,6 +49,8 @@ export function registerMedia( * @todo: add tests (bun tests won't work, need node native tests) */ export class StorageR2Adapter extends StorageAdapter { + public keyPrefix: string = ""; + constructor(private readonly bucket: R2Bucket) { super(); } @@ -175,6 +177,9 @@ export class StorageR2Adapter extends StorageAdapter { } protected getKey(key: string) { + if (this.keyPrefix.length > 0) { + return `${this.keyPrefix}/${key}`.replace(/^\/\//, "/"); + } return key; } diff --git a/app/src/adapter/index.ts b/app/src/adapter/index.ts index 2548efa..79f4c97 100644 --- a/app/src/adapter/index.ts +++ b/app/src/adapter/index.ts @@ -6,18 +6,23 @@ import { guessMimeType, type MaybePromise, registries as $registries, + type Merge, } from "bknd"; import { $console } from "bknd/utils"; import type { Context, MiddlewareHandler, Next } from "hono"; import type { AdminControllerOptions } from "modules/server/AdminController"; import type { Manifest } from "vite"; -export type BkndConfig = CreateAppConfig & { - app?: Omit | ((args: Args) => MaybePromise, "app">>); - onBuilt?: (app: App) => MaybePromise; - beforeBuild?: (app?: App, registries?: typeof $registries) => MaybePromise; - buildConfig?: Parameters[0]; -}; +export type BkndConfig = Merge< + CreateAppConfig & { + app?: + | Merge & Additional> + | ((args: Args) => MaybePromise, "app"> & Additional>>); + onBuilt?: (app: App) => MaybePromise; + beforeBuild?: (app?: App, registries?: typeof $registries) => MaybePromise; + buildConfig?: Parameters[0]; + } & Additional +>; export type FrameworkBkndConfig = BkndConfig; @@ -51,11 +56,10 @@ export async function makeConfig( return { ...rest, ...additionalConfig }; } -// a map that contains all apps by id export async function createAdapterApp( config: Config = {} as Config, args?: Args, -): Promise { +): Promise<{ app: App; config: BkndConfig }> { await config.beforeBuild?.(undefined, $registries); const appConfig = await makeConfig(config, args); @@ -65,34 +69,37 @@ export async function createAdapterApp( config: FrameworkBkndConfig = {}, args?: Args, ): Promise { - const app = await createAdapterApp(config, args); + const { app, config: appConfig } = await createAdapterApp(config, args); if (!app.isBuilt()) { if (config.onBuilt) { app.emgr.onEvent( App.Events.AppBuiltEvent, async () => { - await config.onBuilt?.(app); + await appConfig.onBuilt?.(app); }, "sync", ); } - await config.beforeBuild?.(app, $registries); + await appConfig.beforeBuild?.(app, $registries); await app.build(config.buildConfig); } @@ -103,7 +110,7 @@ export async function createRuntimeApp( { serveStatic, adminOptions, ...config }: RuntimeBkndConfig = {}, args?: Args, ): Promise { - const app = await createAdapterApp(config, args); + const { app, config: appConfig } = await createAdapterApp(config, args); if (!app.isBuilt()) { app.emgr.onEvent( @@ -116,7 +123,7 @@ export async function createRuntimeApp( app.modules.server.get(path, handler); } - await config.onBuilt?.(app); + await appConfig.onBuilt?.(app); if (adminOptions !== false) { app.registerAdminController(adminOptions); } @@ -124,7 +131,7 @@ export async function createRuntimeApp( "sync", ); - await config.beforeBuild?.(app, $registries); + await appConfig.beforeBuild?.(app, $registries); await app.build(config.buildConfig); } @@ -147,23 +154,32 @@ export async function createRuntimeApp( * }); * ``` */ -export function serveStaticViaImport(opts?: { manifest?: Manifest }) { +export function serveStaticViaImport(opts?: { + manifest?: Manifest; + appendRaw?: boolean; + package?: string; +}) { let files: string[] | undefined; + const pkg = opts?.package ?? "bknd"; // @ts-ignore return async (c: Context, next: Next) => { if (!files) { const manifest = opts?.manifest || - ((await import("bknd/dist/manifest.json", { with: { type: "json" } })) - .default as Manifest); + (( + await import(/* @vite-ignore */ `${pkg}/dist/manifest.json`, { + with: { type: "json" }, + }) + ).default as Manifest); files = Object.values(manifest).flatMap((asset) => [asset.file, ...(asset.css || [])]); } const path = c.req.path.substring(1); if (files.includes(path)) { try { - const content = await import(/* @vite-ignore */ `bknd/static/${path}?raw`, { + const url = `${pkg}/static/${path}${opts?.appendRaw ? "?raw" : ""}`; + const content = await import(/* @vite-ignore */ url, { with: { type: "text" }, }).then((m) => m.default); @@ -176,7 +192,7 @@ export function serveStaticViaImport(opts?: { manifest?: Manifest }) { }); } } catch (e) { - console.error("Error serving static file:", e); + console.error(`Error serving static file "${path}":`, String(e)); return c.text("File not found", 404); } } diff --git a/app/src/adapter/nextjs/nextjs.adapter.ts b/app/src/adapter/nextjs/nextjs.adapter.ts index ba0953b..eed1c35 100644 --- a/app/src/adapter/nextjs/nextjs.adapter.ts +++ b/app/src/adapter/nextjs/nextjs.adapter.ts @@ -9,9 +9,9 @@ export type NextjsBkndConfig = FrameworkBkndConfig & { export async function getApp( config: NextjsBkndConfig, - args: Env = {} as Env, + args: Env = process.env as Env, ) { - return await createFrameworkApp(config, args ?? (process.env as Env)); + return await createFrameworkApp(config, args); } function getCleanRequest(req: Request, cleanRequest: NextjsBkndConfig["cleanRequest"]) { @@ -39,7 +39,7 @@ function getCleanRequest(req: Request, cleanRequest: NextjsBkndConfig["cleanRequ export function serve( { cleanRequest, ...config }: NextjsBkndConfig = {}, - args: Env = {} as Env, + args: Env = process.env as Env, ) { return async (req: Request) => { const app = await getApp(config, args); diff --git a/app/src/adapter/node/index.ts b/app/src/adapter/node/index.ts index b430450..befd771 100644 --- a/app/src/adapter/node/index.ts +++ b/app/src/adapter/node/index.ts @@ -1,3 +1,13 @@ +import { readFile, writeFile } from "node:fs/promises"; + export * from "./node.adapter"; export * from "./storage"; export * from "./connection/NodeSqliteConnection"; + +export async function writer(path: string, content: string) { + await writeFile(path, content); +} + +export async function reader(path: string) { + return await readFile(path, "utf-8"); +} diff --git a/app/src/adapter/node/node.adapter.ts b/app/src/adapter/node/node.adapter.ts index fd96086..83feba8 100644 --- a/app/src/adapter/node/node.adapter.ts +++ b/app/src/adapter/node/node.adapter.ts @@ -17,7 +17,7 @@ export type NodeBkndConfig = RuntimeBkndConfig & { export async function createApp( { distPath, relativeDistPath, ...config }: NodeBkndConfig = {}, - args: Env = {} as Env, + args: Env = process.env as Env, ) { const root = path.relative( process.cwd(), @@ -33,19 +33,18 @@ export async function createApp( serveStatic: serveStatic({ root }), ...config, }, - // @ts-ignore - args ?? { env: process.env }, + args, ); } export function createHandler( config: NodeBkndConfig = {}, - args: Env = {} as Env, + args: Env = process.env as Env, ) { let app: App | undefined; return async (req: Request) => { if (!app) { - app = await createApp(config, args ?? (process.env as Env)); + app = await createApp(config, args); } return app.fetch(req); }; @@ -53,7 +52,7 @@ export function createHandler( export function serve( { port = $config.server.default_port, hostname, listener, ...config }: NodeBkndConfig = {}, - args: Env = {} as Env, + args: Env = process.env as Env, ) { honoServe( { diff --git a/app/src/adapter/react-router/react-router.adapter.ts b/app/src/adapter/react-router/react-router.adapter.ts index f37260d..f624bde 100644 --- a/app/src/adapter/react-router/react-router.adapter.ts +++ b/app/src/adapter/react-router/react-router.adapter.ts @@ -8,14 +8,14 @@ export type ReactRouterBkndConfig = FrameworkBkndConfig( config: ReactRouterBkndConfig, - args: Env = {} as Env, + args: Env = process.env as Env, ) { - return await createFrameworkApp(config, args ?? process.env); + return await createFrameworkApp(config, args); } export function serve( config: ReactRouterBkndConfig = {}, - args: Env = {} as Env, + args: Env = process.env as Env, ) { return async (fnArgs: ReactRouterFunctionArgs) => { return (await getApp(config, args)).fetch(fnArgs.request); diff --git a/app/src/auth/AppAuth.ts b/app/src/auth/AppAuth.ts index a0c6072..4b23919 100644 --- a/app/src/auth/AppAuth.ts +++ b/app/src/auth/AppAuth.ts @@ -2,7 +2,7 @@ import type { DB, PrimaryFieldType } from "bknd"; import * as AuthPermissions from "auth/auth-permissions"; import type { AuthStrategy } from "auth/authenticate/strategies/Strategy"; import type { PasswordStrategy } from "auth/authenticate/strategies/PasswordStrategy"; -import { $console, secureRandomString, transformObject } from "bknd/utils"; +import { $console, secureRandomString, transformObject, pickKeys } from "bknd/utils"; import type { Entity, EntityManager } from "data/entities"; import { em, entity, enumm, type FieldSchema } from "data/prototype"; import { Module } from "modules/Module"; @@ -61,7 +61,7 @@ export class AppAuth extends Module { // register roles const roles = transformObject(this.config.roles ?? {}, (role, name) => { - return Role.create({ name, ...role }); + return Role.create(name, role); }); this.ctx.guard.setRoles(Object.values(roles)); this.ctx.guard.setConfig(this.config.guard ?? {}); @@ -113,6 +113,19 @@ export class AppAuth extends Module { return authConfigSchema; } + getGuardContextSchema() { + const userschema = this.getUsersEntity().toSchema() as any; + return { + type: "object", + properties: { + user: { + type: "object", + properties: pickKeys(userschema.properties, this.config.jwt.fields as any), + }, + }, + }; + } + get authenticator(): Authenticator { this.throwIfNotBuilt(); return this._authenticator!; @@ -210,10 +223,12 @@ export class AppAuth extends Module { } const strategies = this.authenticator.getStrategies(); + const roles = Object.fromEntries(this.ctx.guard.getRoles().map((r) => [r.name, r.toJSON()])); return { ...this.config, ...this.authenticator.toJSON(secrets), + roles, strategies: transformObject(strategies, (strategy) => ({ enabled: this.isStrategyEnabled(strategy), ...strategy.toJSON(secrets), diff --git a/app/src/auth/api/AuthApi.ts b/app/src/auth/api/AuthApi.ts index cd22ada..e3c0843 100644 --- a/app/src/auth/api/AuthApi.ts +++ b/app/src/auth/api/AuthApi.ts @@ -4,7 +4,7 @@ import type { AuthResponse, SafeUser, AuthStrategy } from "bknd"; import { type BaseModuleApiOptions, ModuleApi } from "modules/ModuleApi"; export type AuthApiOptions = BaseModuleApiOptions & { - onTokenUpdate?: (token?: string) => void | Promise; + onTokenUpdate?: (token?: string, verified?: boolean) => void | Promise; credentials?: "include" | "same-origin" | "omit"; }; @@ -17,23 +17,19 @@ export class AuthApi extends ModuleApi { } async login(strategy: string, input: any) { - const res = await this.post([strategy, "login"], input, { - credentials: this.options.credentials, - }); + const res = await this.post([strategy, "login"], input); if (res.ok && res.body.token) { - await this.options.onTokenUpdate?.(res.body.token); + await this.options.onTokenUpdate?.(res.body.token, true); } return res; } async register(strategy: string, input: any) { - const res = await this.post([strategy, "register"], input, { - credentials: this.options.credentials, - }); + const res = await this.post([strategy, "register"], input); if (res.ok && res.body.token) { - await this.options.onTokenUpdate?.(res.body.token); + await this.options.onTokenUpdate?.(res.body.token, true); } return res; } @@ -71,6 +67,11 @@ export class AuthApi extends ModuleApi { } async logout() { - await this.options.onTokenUpdate?.(undefined); + return this.get(["logout"], undefined, { + headers: { + // this way bknd detects a json request and doesn't redirect back + Accept: "application/json", + }, + }).then(() => this.options.onTokenUpdate?.(undefined, true)); } } diff --git a/app/src/auth/api/AuthController.ts b/app/src/auth/api/AuthController.ts index ba12d4a..99f1000 100644 --- a/app/src/auth/api/AuthController.ts +++ b/app/src/auth/api/AuthController.ts @@ -60,7 +60,10 @@ export class AuthController extends Controller { if (create) { hono.post( "/create", - permission([AuthPermissions.createUser, DataPermissions.entityCreate]), + permission(AuthPermissions.createUser, {}), + permission(DataPermissions.entityCreate, { + context: (c) => ({ entity: this.auth.config.entity_name }), + }), describeRoute({ summary: "Create a new user", tags: ["auth"], @@ -223,7 +226,6 @@ export class AuthController extends Controller { const roles = Object.keys(this.auth.config.roles ?? {}); mcp.tool( - // @todo: needs permission "auth_user_create", { description: "Create a new user", @@ -238,14 +240,13 @@ export class AuthController extends Controller { }), }, async (params, c) => { - await c.context.ctx().helper.throwUnlessGranted(AuthPermissions.createUser, c); + await c.context.ctx().helper.granted(c, AuthPermissions.createUser); return c.json(await this.auth.createUser(params)); }, ); mcp.tool( - // @todo: needs permission "auth_user_token", { description: "Get a user token", @@ -255,7 +256,7 @@ export class AuthController extends Controller { }), }, async (params, c) => { - await c.context.ctx().helper.throwUnlessGranted(AuthPermissions.createToken, c); + await c.context.ctx().helper.granted(c, AuthPermissions.createToken); const user = await getUser(params); return c.json({ user, token: await this.auth.authenticator.jwt(user) }); @@ -263,7 +264,6 @@ export class AuthController extends Controller { ); mcp.tool( - // @todo: needs permission "auth_user_password_change", { description: "Change a user's password", @@ -274,7 +274,7 @@ export class AuthController extends Controller { }), }, async (params, c) => { - await c.context.ctx().helper.throwUnlessGranted(AuthPermissions.changePassword, c); + await c.context.ctx().helper.granted(c, AuthPermissions.changePassword); const user = await getUser(params); if (!(await this.auth.changePassword(user.id, params.password))) { @@ -285,7 +285,6 @@ export class AuthController extends Controller { ); mcp.tool( - // @todo: needs permission "auth_user_password_test", { description: "Test a user's password", @@ -295,7 +294,7 @@ export class AuthController extends Controller { }), }, async (params, c) => { - await c.context.ctx().helper.throwUnlessGranted(AuthPermissions.testPassword, c); + await c.context.ctx().helper.granted(c, AuthPermissions.testPassword); const pw = this.auth.authenticator.strategy("password") as PasswordStrategy; const controller = pw.getController(this.auth.authenticator); diff --git a/app/src/auth/auth-permissions.ts b/app/src/auth/auth-permissions.ts index 8b097e7..dce59f5 100644 --- a/app/src/auth/auth-permissions.ts +++ b/app/src/auth/auth-permissions.ts @@ -1,4 +1,4 @@ -import { Permission } from "core/security/Permission"; +import { Permission } from "auth/authorize/Permission"; export const createUser = new Permission("auth.user.create"); //export const updateUser = new Permission("auth.user.update"); diff --git a/app/src/auth/auth-schema.ts b/app/src/auth/auth-schema.ts index 4fd40a4..e479ea1 100644 --- a/app/src/auth/auth-schema.ts +++ b/app/src/auth/auth-schema.ts @@ -1,6 +1,7 @@ import { cookieConfig, jwtConfig } from "auth/authenticate/Authenticator"; import { CustomOAuthStrategy, OAuthStrategy, PasswordStrategy } from "auth/authenticate/strategies"; -import { objectTransform, s } from "bknd/utils"; +import { roleSchema } from "auth/authorize/Role"; +import { objectTransform, omitKeys, pick, s } from "bknd/utils"; import { $object, $record } from "modules/mcp"; export const Strategies = { @@ -40,11 +41,8 @@ export type AppAuthCustomOAuthStrategy = s.Static { - const user = pick(_user, this.config.jwt.fields); + const user = pickKeys(_user, this.config.jwt.fields as any); const payload: JWTPayload = { ...user, @@ -255,7 +254,7 @@ export class Authenticator< } async safeAuthResponse(_user: User): Promise { - const user = pick(_user, this.config.jwt.fields) as SafeUser; + const user = pickKeys(_user, this.config.jwt.fields as any) as SafeUser; return { user, token: await this.jwt(user), @@ -290,6 +289,7 @@ export class Authenticator< return { ...cookieConfig, + domain: cookieConfig.domain ?? undefined, expires: new Date(Date.now() + expires * 1000), }; } @@ -327,6 +327,31 @@ export class Authenticator< await setSignedCookie(c, "auth", token, secret, this.cookieOptions); } + async getAuthCookieHeader(token: string, headers = new Headers()) { + const c = { + header: (key: string, value: string) => { + headers.set(key, value); + }, + }; + await this.setAuthCookie(c as any, token); + return headers; + } + + async removeAuthCookieHeader(headers = new Headers()) { + const c = { + header: (key: string, value: string) => { + headers.set(key, value); + }, + req: { + raw: { + headers, + }, + }, + }; + this.deleteAuthCookie(c as any); + return headers; + } + async unsafeGetAuthCookie(token: string): Promise { // this works for as long as cookieOptions.prefix is not set return serializeSigned("auth", token, this.config.jwt.secret, this.cookieOptions); @@ -354,7 +379,10 @@ export class Authenticator< // @todo: move this to a server helper isJsonRequest(c: Context): boolean { - return c.req.header("Content-Type") === "application/json"; + return ( + c.req.header("Content-Type") === "application/json" || + c.req.header("Accept") === "application/json" + ); } async getBody(c: Context) { diff --git a/app/src/auth/authorize/Guard.ts b/app/src/auth/authorize/Guard.ts index a89b98d..a8f91e3 100644 --- a/app/src/auth/authorize/Guard.ts +++ b/app/src/auth/authorize/Guard.ts @@ -1,9 +1,12 @@ import { Exception } from "core/errors"; -import { $console, objectTransform } from "bknd/utils"; -import { Permission } from "core/security/Permission"; +import { $console, mergeObject, type s } from "bknd/utils"; +import type { Permission, PermissionContext } from "auth/authorize/Permission"; import type { Context } from "hono"; import type { ServerEnv } from "modules/Controller"; -import { Role } from "./Role"; +import type { Role } from "./Role"; +import { HttpStatus } from "bknd/utils"; +import type { Policy, PolicySchema } from "./Policy"; +import { convert, type ObjectQuery } from "core/object/query/object-query"; export type GuardUserContext = { role?: string | null; @@ -12,41 +15,43 @@ export type GuardUserContext = { export type GuardConfig = { enabled?: boolean; + context?: object; }; export type GuardContext = Context | GuardUserContext; -export class Guard { - permissions: Permission[]; - roles?: Role[]; - config?: GuardConfig; +export class GuardPermissionsException extends Exception { + override name = "PermissionsException"; + override code = HttpStatus.FORBIDDEN; - constructor(permissions: Permission[] = [], roles: Role[] = [], config?: GuardConfig) { + constructor( + public permission: Permission, + public policy?: Policy, + public description?: string, + ) { + super(`Permission "${permission.name}" not granted`); + } + + override toJSON(): any { + return { + ...super.toJSON(), + description: this.description, + permission: this.permission.name, + policy: this.policy?.toJSON(), + }; + } +} + +export class Guard { + constructor( + public permissions: Permission[] = [], + public roles: Role[] = [], + public config?: GuardConfig, + ) { this.permissions = permissions; this.roles = roles; this.config = config; } - static create( - permissionNames: string[], - roles?: Record< - string, - { - permissions?: string[]; - is_default?: boolean; - implicit_allow?: boolean; - } - >, - config?: GuardConfig, - ) { - const _roles = roles - ? objectTransform(roles, ({ permissions = [], is_default, implicit_allow }, name) => { - return Role.createWithPermissionNames(name, permissions, is_default, implicit_allow); - }) - : {}; - const _permissions = permissionNames.map((name) => new Permission(name)); - return new Guard(_permissions, Object.values(_roles), config); - } - getPermissionNames(): string[] { return this.permissions.map((permission) => permission.name); } @@ -73,7 +78,7 @@ export class Guard { return this; } - registerPermission(permission: Permission) { + registerPermission(permission: Permission) { if (this.permissions.find((p) => p.name === permission.name)) { throw new Error(`Permission ${permission.name} already exists`); } @@ -82,9 +87,13 @@ export class Guard { return this; } - registerPermissions(permissions: Record); - registerPermissions(permissions: Permission[]); - registerPermissions(permissions: Permission[] | Record) { + registerPermissions(permissions: Record>); + registerPermissions(permissions: Permission[]); + registerPermissions( + permissions: + | Permission[] + | Record>, + ) { const p = Array.isArray(permissions) ? permissions : Object.values(permissions); for (const permission of p) { @@ -117,56 +126,216 @@ export class Guard { return this.config?.enabled === true; } - hasPermission(permission: Permission, user?: GuardUserContext): boolean; - hasPermission(name: string, user?: GuardUserContext): boolean; - hasPermission(permissionOrName: Permission | string, user?: GuardUserContext): boolean { - if (!this.isEnabled()) { - return true; - } - - const name = typeof permissionOrName === "string" ? permissionOrName : permissionOrName.name; - $console.debug("guard: checking permission", { - name, - user: { id: user?.id, role: user?.role }, - }); - const exists = this.permissionExists(name); - if (!exists) { - throw new Error(`Permission ${name} does not exist`); - } - - const role = this.getUserRole(user); - - if (!role) { - $console.debug("guard: user has no role, denying"); - return false; - } else if (role.implicit_allow === true) { - $console.debug(`guard: role "${role.name}" has implicit allow, allowing`); - return true; - } - - const rolePermission = role.permissions.find( - (rolePermission) => rolePermission.permission.name === name, - ); - - $console.debug("guard: rolePermission, allowing?", { - permission: name, - role: role.name, - allowing: !!rolePermission, - }); - return !!rolePermission; - } - - granted(permission: Permission | string, c?: GuardContext): boolean { + private collect(permission: Permission, c: GuardContext | undefined, context: any) { const user = c && "get" in c ? c.get("auth")?.user : c; - return this.hasPermission(permission as any, user); + const ctx = { + ...((context ?? {}) as any), + ...this.config?.context, + user, + }; + const exists = this.permissionExists(permission.name); + const role = this.getUserRole(user); + const rolePermission = role?.permissions.find( + (rolePermission) => rolePermission.permission.name === permission.name, + ); + return { + ctx, + user, + exists, + role, + rolePermission, + }; } - throwUnlessGranted(permission: Permission | string, c: GuardContext) { - if (!this.granted(permission, c)) { - throw new Exception( - `Permission "${typeof permission === "string" ? permission : permission.name}" not granted`, - 403, + granted

>( + permission: P, + c: GuardContext, + context: PermissionContext

, + ): void; + granted

>(permission: P, c: GuardContext): void; + granted

>( + permission: P, + c: GuardContext, + context?: PermissionContext

, + ): void { + if (!this.isEnabled()) { + return; + } + const { ctx: _ctx, exists, role, rolePermission } = this.collect(permission, c, context); + + // validate context + let ctx = Object.assign({}, _ctx); + if (permission.context) { + ctx = permission.parseContext(ctx); + } + + $console.debug("guard: checking permission", { + name: permission.name, + context: ctx, + }); + if (!exists) { + throw new GuardPermissionsException( + permission, + undefined, + `Permission ${permission.name} does not exist`, ); } + + if (!role) { + throw new GuardPermissionsException(permission, undefined, "User has no role"); + } + + if (!rolePermission) { + if (role.implicit_allow === true) { + $console.debug(`guard: role "${role.name}" has implicit allow, allowing`); + return; + } + + throw new GuardPermissionsException( + permission, + undefined, + `Role "${role.name}" does not have required permission`, + ); + } + + if (rolePermission?.policies.length > 0) { + $console.debug("guard: rolePermission has policies, checking"); + + // set the default effect of the role permission + let allowed = rolePermission.effect === "allow"; + for (const policy of rolePermission.policies) { + $console.debug("guard: checking policy", { policy: policy.toJSON(), ctx }); + // skip filter policies + if (policy.content.effect === "filter") continue; + + // if condition is met, check the effect + const meets = policy.meetsCondition(ctx); + if (meets) { + $console.debug("guard: policy meets condition"); + // if deny, then break early + if (policy.content.effect === "deny") { + $console.debug("guard: policy is deny, setting allowed to false"); + allowed = false; + break; + + // if allow, set allow but continue checking + } else if (policy.content.effect === "allow") { + allowed = true; + } + } else { + $console.debug("guard: policy does not meet condition"); + } + } + + if (!allowed) { + throw new GuardPermissionsException(permission, undefined, "Policy condition unmet"); + } + } + + $console.debug("guard allowing", { + permission: permission.name, + role: role.name, + }); + } + + filters

>( + permission: P, + c: GuardContext, + context: PermissionContext

, + ); + filters

>(permission: P, c: GuardContext); + filters

>( + permission: P, + c: GuardContext, + context?: PermissionContext

, + ) { + if (!permission.isFilterable()) { + throw new GuardPermissionsException(permission, undefined, "Permission is not filterable"); + } + + const { + ctx: _ctx, + exists, + role, + user, + rolePermission, + } = this.collect(permission, c, context); + + // validate context + let ctx = Object.assign( + { + user, + }, + _ctx, + ); + + if (permission.context) { + ctx = permission.parseContext(ctx, { + coerceDropUnknown: false, + }); + } + + const filters: PolicySchema["filter"][] = []; + const policies: Policy[] = []; + if (exists && role && rolePermission && rolePermission.policies.length > 0) { + for (const policy of rolePermission.policies) { + if (policy.content.effect === "filter") { + const meets = policy.meetsCondition(ctx); + if (meets) { + policies.push(policy); + filters.push(policy.getReplacedFilter(ctx)); + } + } + } + } + + const filter = filters.length > 0 ? mergeObject({}, ...filters) : undefined; + return { + filters, + filter, + policies, + merge: (givenFilter: object | undefined) => { + return mergeFilters(givenFilter ?? {}, filter ?? {}); + }, + matches: (subject: object | object[], opts?: { throwOnError?: boolean }) => { + const subjects = Array.isArray(subject) ? subject : [subject]; + if (policies.length > 0) { + for (const policy of policies) { + for (const subject of subjects) { + if (!policy.meetsFilter(subject, ctx)) { + if (opts?.throwOnError) { + throw new GuardPermissionsException( + permission, + policy, + "Policy filter not met", + ); + } + return false; + } + } + } + } + return true; + }, + }; } } + +export function mergeFilters(base: ObjectQuery, priority: ObjectQuery) { + const base_converted = convert(base); + const priority_converted = convert(priority); + const merged = mergeObject(base_converted, priority_converted); + + // in case priority filter is also contained in base's $and, merge priority in + if ("$or" in base_converted && base_converted.$or) { + const $ors = base_converted.$or as ObjectQuery; + const priority_keys = Object.keys(priority_converted); + for (const key of priority_keys) { + if (key in $ors) { + merged.$or[key] = mergeObject($ors[key], priority_converted[key]); + } + } + } + + return merged; +} diff --git a/app/src/auth/authorize/Permission.ts b/app/src/auth/authorize/Permission.ts new file mode 100644 index 0000000..cfd5963 --- /dev/null +++ b/app/src/auth/authorize/Permission.ts @@ -0,0 +1,77 @@ +import { s, type ParseOptions, parse, InvalidSchemaError, HttpStatus } from "bknd/utils"; + +export const permissionOptionsSchema = s + .strictObject({ + description: s.string(), + filterable: s.boolean(), + }) + .partial(); + +export type TPermission = { + name: string; + description?: string; + filterable?: boolean; + context?: any; +}; + +export type PermissionOptions = s.Static; +export type PermissionContext

> = P extends Permission< + any, + any, + infer Context, + any +> + ? Context extends s.ObjectSchema + ? s.Static + : never + : never; + +export class InvalidPermissionContextError extends InvalidSchemaError { + override name = "InvalidPermissionContextError"; + + // changing to internal server error because it's an unexpected behavior + override code = HttpStatus.INTERNAL_SERVER_ERROR; + + static from(e: InvalidSchemaError) { + return new InvalidPermissionContextError(e.schema, e.value, e.errors); + } +} + +export class Permission< + Name extends string = string, + Options extends PermissionOptions = {}, + Context extends s.ObjectSchema | undefined = undefined, + ContextValue = Context extends s.ObjectSchema ? s.Static : undefined, +> { + constructor( + public name: Name, + public options: Options = {} as Options, + public context: Context = undefined as Context, + ) {} + + isFilterable() { + return this.options.filterable === true; + } + + parseContext(ctx: ContextValue, opts?: ParseOptions) { + // @todo: allow additional properties + if (!this.context) return ctx; + try { + return this.context ? parse(this.context!, ctx, opts) : undefined; + } catch (e) { + if (e instanceof InvalidSchemaError) { + throw InvalidPermissionContextError.from(e); + } + + throw e; + } + } + + toJSON() { + return { + name: this.name, + ...this.options, + context: this.context, + }; + } +} diff --git a/app/src/auth/authorize/Policy.ts b/app/src/auth/authorize/Policy.ts new file mode 100644 index 0000000..06357f1 --- /dev/null +++ b/app/src/auth/authorize/Policy.ts @@ -0,0 +1,52 @@ +import { s, parse, recursivelyReplacePlaceholders } from "bknd/utils"; +import * as query from "core/object/query/object-query"; + +export const policySchema = s + .strictObject({ + description: s.string(), + condition: s.object({}).optional() as s.Schema<{}, query.ObjectQuery | undefined>, + // @todo: potentially remove this, and invert from rolePermission.effect + effect: s.string({ enum: ["allow", "deny", "filter"], default: "allow" }), + filter: s.object({}).optional() as s.Schema<{}, query.ObjectQuery | undefined>, + }) + .partial(); +export type PolicySchema = s.Static; + +export class Policy { + public content: Schema; + + constructor(content?: Schema) { + this.content = parse(policySchema, content ?? {}, { + withDefaults: true, + }) as Schema; + } + + replace(context: object, vars?: Record, fallback?: any) { + return vars + ? recursivelyReplacePlaceholders(context, /^@([a-zA-Z_\.]+)$/, vars, fallback) + : context; + } + + getReplacedFilter(context: object, fallback?: any) { + if (!this.content.filter) return context; + return this.replace(this.content.filter!, context, fallback); + } + + meetsCondition(context: object, vars?: Record) { + if (!this.content.condition) return true; + return query.validate(this.replace(this.content.condition!, vars), context); + } + + meetsFilter(subject: object, vars?: Record) { + if (!this.content.filter) return true; + return query.validate(this.replace(this.content.filter!, vars), subject); + } + + getFiltered(given: Given): Given { + return given.filter((item) => this.meetsFilter(item)) as Given; + } + + toJSON() { + return this.content; + } +} diff --git a/app/src/auth/authorize/Role.ts b/app/src/auth/authorize/Role.ts index 54efaf1..7506fc7 100644 --- a/app/src/auth/authorize/Role.ts +++ b/app/src/auth/authorize/Role.ts @@ -1,10 +1,39 @@ -import { Permission } from "core/security/Permission"; +import { s } from "bknd/utils"; +import { Permission } from "./Permission"; +import { Policy, policySchema } from "./Policy"; + +// default effect is allow for backward compatibility +const defaultEffect = "allow"; + +export const rolePermissionSchema = s.strictObject({ + permission: s.string(), + effect: s.string({ enum: ["allow", "deny"], default: defaultEffect }).optional(), + policies: s.array(policySchema).optional(), +}); +export type RolePermissionSchema = s.Static; + +export const roleSchema = s.strictObject({ + // @todo: remove anyOf, add migration + permissions: s.anyOf([s.array(s.string()), s.array(rolePermissionSchema)]).optional(), + is_default: s.boolean().optional(), + implicit_allow: s.boolean().optional(), +}); +export type RoleSchema = s.Static; export class RolePermission { constructor( - public permission: Permission, - public config?: any, + public permission: Permission, + public policies: Policy[] = [], + public effect: "allow" | "deny" = defaultEffect, ) {} + + toJSON() { + return { + permission: this.permission.name, + policies: this.policies.map((p) => p.toJSON()), + effect: this.effect, + }; + } } export class Role { @@ -15,31 +44,23 @@ export class Role { public implicit_allow: boolean = false, ) {} - static createWithPermissionNames( - name: string, - permissionNames: string[], - is_default: boolean = false, - implicit_allow: boolean = false, - ) { - return new Role( - name, - permissionNames.map((name) => new RolePermission(new Permission(name))), - is_default, - implicit_allow, - ); + static create(name: string, config: RoleSchema) { + const permissions = + config.permissions?.map((p: string | RolePermissionSchema) => { + if (typeof p === "string") { + return new RolePermission(new Permission(p), []); + } + const policies = p.policies?.map((policy) => new Policy(policy)); + return new RolePermission(new Permission(p.permission), policies, p.effect); + }) ?? []; + return new Role(name, permissions, config.is_default, config.implicit_allow); } - static create(config: { - name: string; - permissions?: string[]; - is_default?: boolean; - implicit_allow?: boolean; - }) { - return new Role( - config.name, - config.permissions?.map((name) => new RolePermission(new Permission(name))) ?? [], - config.is_default, - config.implicit_allow, - ); + toJSON() { + return { + permissions: this.permissions.map((p) => p.toJSON()), + is_default: this.is_default, + implicit_allow: this.implicit_allow, + }; } } diff --git a/app/src/auth/middlewares.ts b/app/src/auth/middlewares/auth.middleware.ts similarity index 53% rename from app/src/auth/middlewares.ts rename to app/src/auth/middlewares/auth.middleware.ts index 702023b..eeebe45 100644 --- a/app/src/auth/middlewares.ts +++ b/app/src/auth/middlewares/auth.middleware.ts @@ -1,4 +1,3 @@ -import type { Permission } from "core/security/Permission"; import { $console, patternMatch } from "bknd/utils"; import type { Context } from "hono"; import { createMiddleware } from "hono/factory"; @@ -49,7 +48,7 @@ export const auth = (options?: { // make sure to only register once if (authCtx.registered) { skipped = true; - $console.warn(`auth middleware already registered for ${getPath(c)}`); + $console.debug(`auth middleware already registered for ${getPath(c)}`); } else { authCtx.registered = true; @@ -67,48 +66,3 @@ export const auth = (options?: { authCtx.resolved = false; authCtx.user = undefined; }); - -export const permission = ( - permission: Permission | Permission[], - options?: { - onGranted?: (c: Context) => Promise; - onDenied?: (c: Context) => Promise; - }, -) => - // @ts-ignore - createMiddleware(async (c, next) => { - const app = c.get("app"); - const authCtx = c.get("auth"); - if (!authCtx) { - throw new Error("auth ctx not found"); - } - - // in tests, app is not defined - if (!authCtx.registered || !app) { - const msg = `auth middleware not registered, cannot check permissions for ${getPath(c)}`; - if (app?.module.auth.enabled) { - throw new Error(msg); - } else { - $console.warn(msg); - } - } else if (!authCtx.skip) { - const guard = app.modules.ctx().guard; - const permissions = Array.isArray(permission) ? permission : [permission]; - - if (options?.onGranted || options?.onDenied) { - let returned: undefined | void | Response; - if (permissions.every((p) => guard.granted(p, c))) { - returned = await options?.onGranted?.(c); - } else { - returned = await options?.onDenied?.(c); - } - if (returned instanceof Response) { - return returned; - } - } else { - permissions.some((p) => guard.throwUnlessGranted(p, c)); - } - } - - await next(); - }); diff --git a/app/src/auth/middlewares/permission.middleware.ts b/app/src/auth/middlewares/permission.middleware.ts new file mode 100644 index 0000000..c6e53f4 --- /dev/null +++ b/app/src/auth/middlewares/permission.middleware.ts @@ -0,0 +1,94 @@ +import type { Permission, PermissionContext } from "auth/authorize/Permission"; +import { $console, threw } from "bknd/utils"; +import type { Context, Hono } from "hono"; +import type { RouterRoute } from "hono/types"; +import { createMiddleware } from "hono/factory"; +import type { ServerEnv } from "modules/Controller"; +import type { MaybePromise } from "core/types"; +import { GuardPermissionsException } from "auth/authorize/Guard"; + +function getPath(reqOrCtx: Request | Context) { + const req = reqOrCtx instanceof Request ? reqOrCtx : reqOrCtx.req.raw; + return new URL(req.url).pathname; +} + +const permissionSymbol = Symbol.for("permission"); + +type PermissionMiddlewareOptions

> = { + onGranted?: (c: Context) => MaybePromise; + onDenied?: (c: Context) => MaybePromise; +} & (P extends Permission + ? PC extends undefined + ? { + context?: never; + } + : { + context: (c: Context) => MaybePromise>; + } + : { + context?: never; + }); + +export function permission

>( + permission: P, + options: PermissionMiddlewareOptions

, +) { + // @ts-ignore (middlewares do not always return) + const handler = createMiddleware(async (c, next) => { + const app = c.get("app"); + const authCtx = c.get("auth"); + if (!authCtx) { + throw new Error("auth ctx not found"); + } + + // in tests, app is not defined + if (!authCtx.registered || !app) { + const msg = `auth middleware not registered, cannot check permissions for ${getPath(c)}`; + if (app?.module.auth.enabled) { + throw new Error(msg); + } else { + $console.warn(msg); + } + } else if (!authCtx.skip) { + const guard = app.modules.ctx().guard; + const context = (await options?.context?.(c)) ?? ({} as any); + + if (options?.onGranted || options?.onDenied) { + let returned: undefined | void | Response; + if (threw(() => guard.granted(permission, c, context), GuardPermissionsException)) { + returned = await options?.onDenied?.(c); + } else { + returned = await options?.onGranted?.(c); + } + if (returned instanceof Response) { + return returned; + } + } else { + guard.granted(permission, c, context); + } + } + + await next(); + }); + + return Object.assign(handler, { + [permissionSymbol]: { permission, options }, + }); +} + +export function getPermissionRoutes(hono: Hono) { + const routes: { + route: RouterRoute; + permission: Permission; + options: PermissionMiddlewareOptions; + }[] = []; + for (const route of hono.routes) { + if (permissionSymbol in route.handler) { + routes.push({ + route, + ...(route.handler[permissionSymbol] as any), + }); + } + } + return routes; +} diff --git a/app/src/cli/commands/create/create.ts b/app/src/cli/commands/create/create.ts index 217b07d..3fca3b2 100644 --- a/app/src/cli/commands/create/create.ts +++ b/app/src/cli/commands/create/create.ts @@ -10,6 +10,7 @@ import color from "picocolors"; import { overridePackageJson, updateBkndPackages } from "./npm"; import { type Template, templates, type TemplateSetupCtx } from "./templates"; import { createScoped, flush } from "cli/utils/telemetry"; +import path from "node:path"; const config = { types: { @@ -20,6 +21,7 @@ const config = { node: "Node.js", bun: "Bun", cloudflare: "Cloudflare", + deno: "Deno", aws: "AWS Lambda", }, framework: { @@ -259,17 +261,19 @@ async function action(options: { } } - // update package name - await overridePackageJson( - (pkg) => ({ - ...pkg, - name: ctx.name, - }), - { dir: ctx.dir }, - ); - $p.log.success(`Updated package name to ${color.cyan(ctx.name)}`); + // update package name if there is a package.json + if (fs.existsSync(path.resolve(ctx.dir, "package.json"))) { + await overridePackageJson( + (pkg) => ({ + ...pkg, + name: ctx.name, + }), + { dir: ctx.dir }, + ); + $p.log.success(`Updated package name to ${color.cyan(ctx.name)}`); + } - { + if (template.installDeps !== false) { const install = options.yes ?? (await $p.confirm({ diff --git a/app/src/cli/commands/create/npm.ts b/app/src/cli/commands/create/npm.ts index 7722e1c..964ee47 100644 --- a/app/src/cli/commands/create/npm.ts +++ b/app/src/cli/commands/create/npm.ts @@ -93,17 +93,19 @@ export async function replacePackageJsonVersions( } export async function updateBkndPackages(dir?: string, map?: Record) { - const versions = { - bknd: await sysGetVersion(), - ...(map ?? {}), - }; - await replacePackageJsonVersions( - async (pkg) => { - if (pkg in versions) { - return versions[pkg]; - } - return; - }, - { dir }, - ); + try { + const versions = { + bknd: await sysGetVersion(), + ...(map ?? {}), + }; + await replacePackageJsonVersions( + async (pkg) => { + if (pkg in versions) { + return versions[pkg]; + } + return; + }, + { dir }, + ); + } catch (e) {} } diff --git a/app/src/cli/commands/create/templates/deno.ts b/app/src/cli/commands/create/templates/deno.ts new file mode 100644 index 0000000..eb17269 --- /dev/null +++ b/app/src/cli/commands/create/templates/deno.ts @@ -0,0 +1,21 @@ +import { overrideJson } from "cli/commands/create/npm"; +import type { Template } from "cli/commands/create/templates"; +import { getVersion } from "cli/utils/sys"; + +export const deno = { + key: "deno", + title: "Deno Basic", + integration: "deno", + description: "A basic bknd Deno server with static assets", + path: "gh:bknd-io/bknd/examples/deno", + installDeps: false, + ref: true, + setup: async (ctx) => { + const version = await getVersion(); + await overrideJson( + "deno.json", + (json) => ({ ...json, links: undefined, imports: { bknd: `npm:bknd@${version}` } }), + { dir: ctx.dir }, + ); + }, +} satisfies Template; diff --git a/app/src/cli/commands/create/templates/index.ts b/app/src/cli/commands/create/templates/index.ts index ed0f9e1..7aab8d5 100644 --- a/app/src/cli/commands/create/templates/index.ts +++ b/app/src/cli/commands/create/templates/index.ts @@ -1,3 +1,4 @@ +import { deno } from "cli/commands/create/templates/deno"; import { cloudflare } from "./cloudflare"; export type TemplateSetupCtx = { @@ -15,6 +16,7 @@ export type Integration = | "react-router" | "astro" | "aws" + | "deno" | "custom"; type TemplateScripts = "install" | "dev" | "build" | "start"; @@ -34,6 +36,11 @@ export type Template = { * adds a ref "#{ref}" to the path. If "true", adds the current version of bknd */ ref?: true | string; + /** + * control whether to install dependencies automatically + * e.g. on deno, this is not needed + */ + installDeps?: boolean; scripts?: Partial>; preinstall?: (ctx: TemplateSetupCtx) => Promise; postinstall?: (ctx: TemplateSetupCtx) => Promise; @@ -90,4 +97,5 @@ export const templates: Template[] = [ path: "gh:bknd-io/bknd/examples/aws-lambda", ref: true, }, + deno, ]; diff --git a/app/src/cli/commands/user.ts b/app/src/cli/commands/user.ts index 3721a2b..726748b 100644 --- a/app/src/cli/commands/user.ts +++ b/app/src/cli/commands/user.ts @@ -3,6 +3,7 @@ import { log as $log, password as $password, text as $text, + select as $select, } from "@clack/prompts"; import type { App } from "App"; import type { PasswordStrategy } from "auth/authenticate/strategies"; @@ -29,6 +30,11 @@ async function action(action: "create" | "update" | "token", options: WithConfig server: "node", }); + if (!app.module.auth.enabled) { + $log.error("Auth is not enabled"); + process.exit(1); + } + switch (action) { case "create": await create(app, options); @@ -43,7 +49,28 @@ async function action(action: "create" | "update" | "token", options: WithConfig } async function create(app: App, options: any) { - const strategy = app.module.auth.authenticator.strategy("password") as PasswordStrategy; + const auth = app.module.auth; + let role: string | null = null; + const roles = Object.keys(auth.config.roles ?? {}); + + const strategy = auth.authenticator.strategy("password") as PasswordStrategy; + if (roles.length > 0) { + role = (await $select({ + message: "Select role", + options: [ + { + value: null, + label: "", + hint: "No role will be assigned to the user", + }, + ...roles.map((role) => ({ + value: role, + label: role, + })), + ], + })) as any; + if ($isCancel(role)) process.exit(1); + } if (!strategy) { $log.error("Password strategy not configured"); @@ -76,6 +103,7 @@ async function create(app: App, options: any) { const created = await app.createUser({ email, password: await strategy.hash(password as string), + role, }); $log.success(`Created user: ${c.cyan(created.email)}`); process.exit(0); diff --git a/app/src/core/events/EventManager.ts b/app/src/core/events/EventManager.ts index 8370f2b..1ac8bc4 100644 --- a/app/src/core/events/EventManager.ts +++ b/app/src/core/events/EventManager.ts @@ -205,7 +205,17 @@ export class EventManager< if (listener.mode === "sync") { syncs.push(listener); } else { - asyncs.push(async () => await listener.handler(event, listener.event.slug)); + asyncs.push(async () => { + try { + await listener.handler(event, listener.event.slug); + } catch (e) { + if (this.options?.onError) { + this.options.onError(event, e); + } else { + $console.error("Error executing async listener", listener, e); + } + } + }); } // Remove if `once` is true, otherwise keep return !listener.once; diff --git a/app/src/core/object/query/query.ts b/app/src/core/object/query/query.ts index e90921d..110cce6 100644 --- a/app/src/core/object/query/query.ts +++ b/app/src/core/object/query/query.ts @@ -1,4 +1,5 @@ import type { PrimaryFieldType } from "core/config"; +import { getPath, invariant, isPlainObject } from "bknd/utils"; export type Primitive = PrimaryFieldType | string | number | boolean; export function isPrimitive(value: any): value is Primitive { @@ -25,6 +26,10 @@ export function exp( valid: (v: Expect) => boolean, validate: (e: Expect, a: unknown, ctx: CTX) => any, ): Expression { + invariant(typeof key === "string", "key must be a string"); + invariant(key[0] === "$", "key must start with '$'"); + invariant(typeof valid === "function", "valid must be a function"); + invariant(typeof validate === "function", "validate must be a function"); return new Expression(key, valid, validate); } @@ -50,7 +55,7 @@ function getExpression( } type LiteralExpressionCondition = { - [key: string]: Primitive | ExpressionCondition; + [key: string]: undefined | Primitive | ExpressionCondition; }; const OperandOr = "$or" as const; @@ -67,8 +72,9 @@ function _convert( expressions: Exps, path: string[] = [], ): FilterQuery { + invariant(typeof $query === "object", "$query must be an object"); const ExpressionConditionKeys = expressions.map((e) => e.key); - const keys = Object.keys($query); + const keys = Object.keys($query ?? {}); const operands = [OperandOr] as const; const newQuery: FilterQuery = {}; @@ -83,13 +89,21 @@ function _convert( function validate(key: string, value: any, path: string[] = []) { const exp = getExpression(expressions, key as any); if (exp.valid(value) === false) { - throw new Error(`Invalid value at "${[...path, key].join(".")}": ${value}`); + throw new Error( + `Given value at "${[...path, key].join(".")}" is invalid, got "${JSON.stringify(value)}"`, + ); } } for (const [key, value] of Object.entries($query)) { + // skip undefined values + if (value === undefined) { + continue; + } + // if $or, convert each value if (key === "$or") { + invariant(isPlainObject(value), "$or must be an object"); newQuery.$or = _convert(value, expressions, [...path, key]); // if primitive, assume $eq @@ -98,7 +112,7 @@ function _convert( newQuery[key] = { $eq: value }; // if object, check for expressions - } else if (typeof value === "object") { + } else if (isPlainObject(value)) { // when object is given, check if all keys are expressions const invalid = Object.keys(value).filter( (f) => !ExpressionConditionKeys.includes(f as any), @@ -112,9 +126,13 @@ function _convert( } } else { throw new Error( - `Invalid key(s) at "${key}": ${invalid.join(", ")}. Expected expressions.`, + `Invalid key(s) at "${key}": ${invalid.join(", ")}. Expected expression key: ${ExpressionConditionKeys.join(", ")}.`, ); } + } else { + throw new Error( + `Invalid value at "${[...path, key].join(".")}", got "${JSON.stringify(value)}"`, + ); } } @@ -149,15 +167,19 @@ function _build( throw new Error(`Expression does not exist: "${$op}"`); } if (!exp.valid(expected)) { - throw new Error(`Invalid expected value at "${[...path, $op].join(".")}": ${expected}`); + throw new Error( + `Invalid value at "${[...path, $op].join(".")}", got "${JSON.stringify(expected)}"`, + ); } return exp.validate(expected, actual, options.exp_ctx); } // check $and for (const [key, value] of Object.entries($and)) { + if (value === undefined) continue; + for (const [$op, $v] of Object.entries(value)) { - const objValue = options.value_is_kv ? key : options.object[key]; + const objValue = options.value_is_kv ? key : getPath(options.object, key); result.$and.push(__validate($op, $v, objValue, [key])); result.keys.add(key); } @@ -165,7 +187,7 @@ function _build( // check $or for (const [key, value] of Object.entries($or ?? {})) { - const objValue = options.value_is_kv ? key : options.object[key]; + const objValue = options.value_is_kv ? key : getPath(options.object, key); for (const [$op, $v] of Object.entries(value)) { result.$or.push(__validate($op, $v, objValue, [key])); @@ -189,6 +211,10 @@ function _validate(results: ValidationResults): boolean { } export function makeValidator(expressions: Exps) { + if (!expressions.some((e) => e.key === "$eq")) { + throw new Error("'$eq' expression is required"); + } + return { convert: (query: FilterQuery) => _convert(query, expressions), build: (query: FilterQuery, options: BuildOptions) => diff --git a/app/src/core/security/Permission.ts b/app/src/core/security/Permission.ts deleted file mode 100644 index 86cf46b..0000000 --- a/app/src/core/security/Permission.ts +++ /dev/null @@ -1,11 +0,0 @@ -export class Permission { - constructor(public name: Name) { - this.name = name; - } - - toJSON() { - return { - name: this.name, - }; - } -} diff --git a/app/src/core/types.ts b/app/src/core/types.ts index 03beae5..c0550db 100644 --- a/app/src/core/types.ts +++ b/app/src/core/types.ts @@ -6,3 +6,7 @@ export interface Serializable { export type MaybePromise = T | Promise; export type PartialRec = { [P in keyof T]?: PartialRec }; + +export type Merge = { + [K in keyof T]: T[K]; +}; diff --git a/app/src/core/utils/file.ts b/app/src/core/utils/file.ts index 8e812cf..a2093c0 100644 --- a/app/src/core/utils/file.ts +++ b/app/src/core/utils/file.ts @@ -240,3 +240,46 @@ export async function blobToFile( lastModified: Date.now(), }); } + +export function isFileAccepted(file: File | unknown, _accept: string | string[]): boolean { + const accept = Array.isArray(_accept) ? _accept.join(",") : _accept; + if (!accept || !accept.trim()) return true; // no restrictions + if (!isFile(file)) { + throw new Error("Given file is not a File instance"); + } + + const name = file.name.toLowerCase(); + const type = (file.type || "").trim().toLowerCase(); + + // split on commas, trim whitespace + const tokens = accept + .split(",") + .map((t) => t.trim().toLowerCase()) + .filter(Boolean); + + // try each token until one matches + return tokens.some((token) => { + if (token.startsWith(".")) { + // extension match, e.g. ".png" or ".tar.gz" + return name.endsWith(token); + } + + const slashIdx = token.indexOf("/"); + if (slashIdx !== -1) { + const [major, minor] = token.split("/"); + if (minor === "*") { + // wildcard like "image/*" + if (!type) return false; + const [fMajor] = type.split("/"); + return fMajor === major; + } else { + // exact MIME like "image/svg+xml" or "application/pdf" + // because of "text/plain;charset=utf-8" + return type.startsWith(token); + } + } + + // unknown token shape, ignore + return false; + }); +} diff --git a/app/src/core/utils/objects.ts b/app/src/core/utils/objects.ts index 41902a9..33c6a43 100644 --- a/app/src/core/utils/objects.ts +++ b/app/src/core/utils/objects.ts @@ -372,7 +372,7 @@ export function isEqual(value1: any, value2: any): boolean { export function getPath( object: object, _path: string | (string | number)[], - defaultValue = undefined, + defaultValue: any = undefined, ): any { const path = typeof _path === "string" ? _path.split(/[.\[\]\"]+/).filter((x) => x) : _path; @@ -512,3 +512,43 @@ export function convertNumberedObjectToArray(obj: object): any[] | object { } return obj; } + +export function recursivelyReplacePlaceholders( + obj: any, + pattern: RegExp, + variables: Record, + fallback?: any, +) { + if (typeof obj === "string") { + // check if the entire string matches the pattern + const match = obj.match(pattern); + if (match && match[0] === obj && match[1]) { + // full string match - replace with the actual value (preserving type) + const key = match[1]; + const value = getPath(variables, key, null); + return value !== null ? value : fallback !== undefined ? fallback : obj; + } + // partial match - use string replacement + if (pattern.test(obj)) { + return obj.replace(pattern, (match, key) => { + const value = getPath(variables, key, null); + // convert to string for partial replacements + return value !== null + ? String(value) + : fallback !== undefined + ? String(fallback) + : match; + }); + } + } + if (Array.isArray(obj)) { + return obj.map((item) => recursivelyReplacePlaceholders(item, pattern, variables, fallback)); + } + if (obj && typeof obj === "object") { + return Object.entries(obj).reduce((acc, [key, value]) => { + acc[key] = recursivelyReplacePlaceholders(value, pattern, variables, fallback); + return acc; + }, {} as object); + } + return obj; +} diff --git a/app/src/core/utils/runtime.ts b/app/src/core/utils/runtime.ts index 0772abd..5b943ff 100644 --- a/app/src/core/utils/runtime.ts +++ b/app/src/core/utils/runtime.ts @@ -61,3 +61,19 @@ export function invariant(condition: boolean | any, message: string) { throw new Error(message); } } + +export function threw(fn: () => any, instance?: new (...args: any[]) => Error) { + try { + fn(); + return false; + } catch (e) { + if (instance) { + if (e instanceof instance) { + return true; + } + // if instance given but not what expected, throw + throw e; + } + return true; + } +} diff --git a/app/src/core/utils/schema/index.ts b/app/src/core/utils/schema/index.ts index 3d3692c..ff8190c 100644 --- a/app/src/core/utils/schema/index.ts +++ b/app/src/core/utils/schema/index.ts @@ -1,3 +1,5 @@ +import { Exception } from "core/errors"; +import { HttpStatus } from "bknd/utils"; import * as s from "jsonv-ts"; export { validator as jsc, type Options } from "jsonv-ts/hono"; @@ -58,7 +60,10 @@ export const stringIdentifier = s.string({ maxLength: 150, }); -export class InvalidSchemaError extends Error { +export class InvalidSchemaError extends Exception { + override name = "InvalidSchemaError"; + override code = HttpStatus.UNPROCESSABLE_ENTITY; + constructor( public schema: s.Schema, public value: unknown, diff --git a/app/src/data/api/DataController.ts b/app/src/data/api/DataController.ts index 163f0af..082ae0c 100644 --- a/app/src/data/api/DataController.ts +++ b/app/src/data/api/DataController.ts @@ -15,6 +15,7 @@ import type { AppDataConfig } from "../data-schema"; import type { EntityManager, EntityData } from "data/entities"; import * as DataPermissions from "data/permissions"; import { repoQuery, type RepoQuery } from "data/server/query"; +import { EntityTypescript } from "data/entities/EntityTypescript"; export class DataController extends Controller { constructor( @@ -42,7 +43,7 @@ export class DataController extends Controller { override getController() { const { permission, auth } = this.middlewares; - const hono = this.create().use(auth(), permission(SystemPermissions.accessApi)); + const hono = this.create().use(auth(), permission(SystemPermissions.accessApi, {})); const entitiesEnum = this.getEntitiesEnum(this.em); // info @@ -58,7 +59,7 @@ export class DataController extends Controller { // sync endpoint hono.get( "/sync", - permission(DataPermissions.databaseSync), + permission(DataPermissions.databaseSync, {}), mcpTool("data_sync", { // @todo: should be removed if readonly annotations: { @@ -95,7 +96,9 @@ export class DataController extends Controller { // read entity schema hono.get( "/schema.json", - permission(DataPermissions.entityRead), + permission(DataPermissions.entityRead, { + context: (c) => ({ entity: c.req.param("entity") }), + }), describeRoute({ summary: "Retrieve data schema", tags: ["data"], @@ -121,7 +124,9 @@ export class DataController extends Controller { // read schema hono.get( "/schemas/:entity/:context?", - permission(DataPermissions.entityRead), + permission(DataPermissions.entityRead, { + context: (c) => ({ entity: c.req.param("entity") }), + }), describeRoute({ summary: "Retrieve entity schema", tags: ["data"], @@ -153,6 +158,22 @@ export class DataController extends Controller { }, ); + hono.get( + "/types", + permission(SystemPermissions.schemaRead, { + context: (c) => ({ module: "data" }), + }), + describeRoute({ + summary: "Retrieve data typescript definitions", + tags: ["data"], + }), + mcpTool("data_types"), + async (c) => { + const et = new EntityTypescript(this.em); + return c.text(et.toString()); + }, + ); + // entity endpoints hono.route("/entity", this.getEntityRoutes()); @@ -161,7 +182,9 @@ export class DataController extends Controller { */ hono.get( "/info/:entity", - permission(DataPermissions.entityRead), + permission(DataPermissions.entityRead, { + context: (c) => ({ entity: c.req.param("entity") }), + }), describeRoute({ summary: "Retrieve entity info", tags: ["data"], @@ -213,7 +236,9 @@ export class DataController extends Controller { // fn: count hono.post( "/:entity/fn/count", - permission(DataPermissions.entityRead), + permission(DataPermissions.entityRead, { + context: (c) => ({ entity: c.req.param("entity") }), + }), describeRoute({ summary: "Count entities", tags: ["data"], @@ -236,7 +261,9 @@ export class DataController extends Controller { // fn: exists hono.post( "/:entity/fn/exists", - permission(DataPermissions.entityRead), + permission(DataPermissions.entityRead, { + context: (c) => ({ entity: c.req.param("entity") }), + }), describeRoute({ summary: "Check if entity exists", tags: ["data"], @@ -285,16 +312,26 @@ export class DataController extends Controller { parameters: saveRepoQueryParams(["limit", "offset", "sort", "select", "join"]), tags: ["data"], }), - permission(DataPermissions.entityRead), jsc("param", s.object({ entity: entitiesEnum })), jsc("query", repoQuery, { skipOpenAPI: true }), + permission(DataPermissions.entityRead, { + context: (c) => ({ entity: c.req.param("entity") }), + }), async (c) => { const { entity } = c.req.valid("param"); if (!this.entityExists(entity)) { return this.notFound(c); } + + const { merge } = this.ctx.guard.filters(DataPermissions.entityRead, c, { + entity, + }); + const options = c.req.valid("query") as RepoQuery; - const result = await this.em.repository(entity).findMany(options); + const result = await this.em.repository(entity).findMany({ + ...options, + where: merge(options.where), + }); return c.json(result, { status: result.data ? 200 : 404 }); }, @@ -308,7 +345,9 @@ export class DataController extends Controller { parameters: saveRepoQueryParams(["offset", "sort", "select"]), tags: ["data"], }), - permission(DataPermissions.entityRead), + permission(DataPermissions.entityRead, { + context: (c) => ({ ...c.req.param() }) as any, + }), mcpTool("data_entity_read_one", { inputSchema: { param: s.object({ entity: entitiesEnum, id: idType }), @@ -326,11 +365,19 @@ export class DataController extends Controller { jsc("query", repoQuery, { skipOpenAPI: true }), async (c) => { const { entity, id } = c.req.valid("param"); - if (!this.entityExists(entity)) { + if (!this.entityExists(entity) || !id) { return this.notFound(c); } const options = c.req.valid("query") as RepoQuery; - const result = await this.em.repository(entity).findId(id, options); + const { merge } = this.ctx.guard.filters( + DataPermissions.entityRead, + c, + c.req.valid("param"), + ); + const id_name = this.em.entity(entity).getPrimaryField().name; + const result = await this.em + .repository(entity) + .findOne(merge({ [id_name]: id }), options); return c.json(result, { status: result.data ? 200 : 404 }); }, @@ -344,7 +391,9 @@ export class DataController extends Controller { parameters: saveRepoQueryParams(), tags: ["data"], }), - permission(DataPermissions.entityRead), + permission(DataPermissions.entityRead, { + context: (c) => ({ ...c.req.param() }) as any, + }), jsc( "param", s.object({ @@ -361,9 +410,20 @@ export class DataController extends Controller { } const options = c.req.valid("query") as RepoQuery; - const result = await this.em + const { entity: newEntity } = this.em .repository(entity) - .findManyByReference(id, reference, options); + .getEntityByReference(reference); + + const { merge } = this.ctx.guard.filters(DataPermissions.entityRead, c, { + entity: newEntity.name, + id, + reference, + }); + + const result = await this.em.repository(entity).findManyByReference(id, reference, { + ...options, + where: merge(options.where), + }); return c.json(result, { status: result.data ? 200 : 404 }); }, @@ -390,7 +450,9 @@ export class DataController extends Controller { }, tags: ["data"], }), - permission(DataPermissions.entityRead), + permission(DataPermissions.entityRead, { + context: (c) => ({ entity: c.req.param("entity") }), + }), mcpTool("data_entity_read_many", { inputSchema: { param: s.object({ entity: entitiesEnum }), @@ -405,7 +467,13 @@ export class DataController extends Controller { return this.notFound(c); } const options = c.req.valid("json") as RepoQuery; - const result = await this.em.repository(entity).findMany(options); + const { merge } = this.ctx.guard.filters(DataPermissions.entityRead, c, { + entity, + }); + const result = await this.em.repository(entity).findMany({ + ...options, + where: merge(options.where), + }); return c.json(result, { status: result.data ? 200 : 404 }); }, @@ -421,7 +489,9 @@ export class DataController extends Controller { summary: "Insert one or many", tags: ["data"], }), - permission(DataPermissions.entityCreate), + permission(DataPermissions.entityCreate, { + context: (c) => ({ ...c.req.param() }) as any, + }), mcpTool("data_entity_insert"), jsc("param", s.object({ entity: entitiesEnum })), jsc("json", s.anyOf([s.object({}), s.array(s.object({}))])), @@ -438,6 +508,12 @@ export class DataController extends Controller { // to transform all validation targets into a single object const body = convertNumberedObjectToArray(_body); + this.ctx.guard + .filters(DataPermissions.entityCreate, c, { + entity, + }) + .matches(body, { throwOnError: true }); + if (Array.isArray(body)) { const result = await this.em.mutator(entity).insertMany(body); return c.json(result, 201); @@ -455,7 +531,9 @@ export class DataController extends Controller { summary: "Update many", tags: ["data"], }), - permission(DataPermissions.entityUpdate), + permission(DataPermissions.entityUpdate, { + context: (c) => ({ ...c.req.param() }) as any, + }), mcpTool("data_entity_update_many", { inputSchema: { param: s.object({ entity: entitiesEnum }), @@ -482,7 +560,10 @@ export class DataController extends Controller { update: EntityData; where: RepoQuery["where"]; }; - const result = await this.em.mutator(entity).updateWhere(update, where); + const { merge } = this.ctx.guard.filters(DataPermissions.entityUpdate, c, { + entity, + }); + const result = await this.em.mutator(entity).updateWhere(update, merge(where)); return c.json(result); }, @@ -495,7 +576,9 @@ export class DataController extends Controller { summary: "Update one", tags: ["data"], }), - permission(DataPermissions.entityUpdate), + permission(DataPermissions.entityUpdate, { + context: (c) => ({ ...c.req.param() }) as any, + }), mcpTool("data_entity_update_one"), jsc("param", s.object({ entity: entitiesEnum, id: idType })), jsc("json", s.object({})), @@ -505,6 +588,17 @@ export class DataController extends Controller { return this.notFound(c); } const body = (await c.req.json()) as EntityData; + const fns = this.ctx.guard.filters(DataPermissions.entityUpdate, c, { + entity, + id, + }); + + // if it has filters attached, fetch entry and make the check + if (fns.filters.length > 0) { + const { data } = await this.em.repository(entity).findId(id); + fns.matches(data, { throwOnError: true }); + } + const result = await this.em.mutator(entity).updateOne(id, body); return c.json(result); @@ -518,7 +612,9 @@ export class DataController extends Controller { summary: "Delete one", tags: ["data"], }), - permission(DataPermissions.entityDelete), + permission(DataPermissions.entityDelete, { + context: (c) => ({ ...c.req.param() }) as any, + }), mcpTool("data_entity_delete_one"), jsc("param", s.object({ entity: entitiesEnum, id: idType })), async (c) => { @@ -526,6 +622,18 @@ export class DataController extends Controller { if (!this.entityExists(entity)) { return this.notFound(c); } + + const fns = this.ctx.guard.filters(DataPermissions.entityDelete, c, { + entity, + id, + }); + + // if it has filters attached, fetch entry and make the check + if (fns.filters.length > 0) { + const { data } = await this.em.repository(entity).findId(id); + fns.matches(data, { throwOnError: true }); + } + const result = await this.em.mutator(entity).deleteOne(id); return c.json(result); @@ -539,7 +647,9 @@ export class DataController extends Controller { summary: "Delete many", tags: ["data"], }), - permission(DataPermissions.entityDelete), + permission(DataPermissions.entityDelete, { + context: (c) => ({ ...c.req.param() }) as any, + }), mcpTool("data_entity_delete_many", { inputSchema: { param: s.object({ entity: entitiesEnum }), @@ -554,7 +664,10 @@ export class DataController extends Controller { return this.notFound(c); } const where = (await c.req.json()) as RepoQuery["where"]; - const result = await this.em.mutator(entity).deleteWhere(where); + const { merge } = this.ctx.guard.filters(DataPermissions.entityDelete, c, { + entity, + }); + const result = await this.em.mutator(entity).deleteWhere(merge(where)); return c.json(result); }, diff --git a/app/src/data/entities/EntityManager.ts b/app/src/data/entities/EntityManager.ts index 36168f8..033d51a 100644 --- a/app/src/data/entities/EntityManager.ts +++ b/app/src/data/entities/EntityManager.ts @@ -34,7 +34,6 @@ export class EntityManager { private _entities: Entity[] = []; private _relations: EntityRelation[] = []; private _indices: EntityIndex[] = []; - private _schema?: SchemaManager; readonly emgr: EventManager; static readonly Events = { ...MutatorEvents, ...RepositoryEvents }; @@ -249,11 +248,7 @@ export class EntityManager { } schema() { - if (!this._schema) { - this._schema = new SchemaManager(this); - } - - return this._schema; + return new SchemaManager(this); } // @todo: centralize and add tests diff --git a/app/src/data/entities/query/Repository.ts b/app/src/data/entities/query/Repository.ts index 13554a6..3d8f432 100644 --- a/app/src/data/entities/query/Repository.ts +++ b/app/src/data/entities/query/Repository.ts @@ -1,4 +1,4 @@ -import type { DB as DefaultDB, PrimaryFieldType } from "bknd"; +import type { DB as DefaultDB, EntityRelation, PrimaryFieldType } from "bknd"; import { $console } from "bknd/utils"; import { type EmitsEvents, EventManager } from "core/events"; import { type SelectQueryBuilder, sql } from "kysely"; @@ -280,16 +280,11 @@ export class Repository>, ): Promise> { - const { qb, options } = this.buildQuery( - { - ..._options, - where: { [this.entity.getPrimaryField().name]: id }, - limit: 1, - }, - ["offset", "sort"], - ); + if (typeof id === "undefined" || id === null) { + throw new InvalidSearchParamsException("id is required"); + } - return this.single(qb, options) as any; + return this.findOne({ [this.entity.getPrimaryField().name]: id }, _options); } async findOne( @@ -315,23 +310,27 @@ export class Repository r.ref(reference).reference === reference); + if (!relation) { + throw new Error( + `Relation "${reference}" not found or not listable on entity "${this.entity.name}"`, + ); + } + return { + entity: relation.other(this.entity).entity, + relation, + }; + } + // @todo: add unit tests, specially for many to many async findManyByReference( id: PrimaryFieldType, reference: string, _options?: Partial>, ): Promise> { - const entity = this.entity; - const listable_relations = this.em.relations.listableRelationsOf(entity); - const relation = listable_relations.find((r) => r.ref(reference).reference === reference); - - if (!relation) { - throw new Error( - `Relation "${reference}" not found or not listable on entity "${entity.name}"`, - ); - } - - const newEntity = relation.other(entity).entity; + const { entity: newEntity, relation } = this.getEntityByReference(reference); const refQueryOptions = relation.getReferenceQuery(newEntity, id as number, reference); if (!("where" in refQueryOptions) || Object.keys(refQueryOptions.where as any).length === 0) { throw new Error( diff --git a/app/src/data/fields/JsonField.ts b/app/src/data/fields/JsonField.ts index c54854b..8ed4802 100644 --- a/app/src/data/fields/JsonField.ts +++ b/app/src/data/fields/JsonField.ts @@ -64,20 +64,27 @@ export class JsonField }[] = []; for (const table of diff) { - const qbs: { compile(): CompiledQuery; execute(): Promise }[] = []; - let local_updates: number = 0; const addFieldSchemas = this.collectFieldSchemas(table.name, table.columns.add); const dropFields = table.columns.drop; const dropIndices = table.indices.drop; if (table.isDrop) { - updates++; - local_updates++; if (config.drop) { qbs.push(schema.dropTable(table.name)); } @@ -269,8 +265,6 @@ export class SchemaManager { let createQb = schema.createTable(table.name); // add fields for (const fieldSchema of addFieldSchemas) { - updates++; - local_updates++; // @ts-ignore createQb = createQb.addColumn(...fieldSchema); } @@ -281,8 +275,6 @@ export class SchemaManager { if (addFieldSchemas.length > 0) { // add fields for (const fieldSchema of addFieldSchemas) { - updates++; - local_updates++; // @ts-ignore qbs.push(schema.alterTable(table.name).addColumn(...fieldSchema)); } @@ -292,8 +284,6 @@ export class SchemaManager { if (config.drop && dropFields.length > 0) { // drop fields for (const column of dropFields) { - updates++; - local_updates++; qbs.push(schema.alterTable(table.name).dropColumn(column)); } } @@ -311,35 +301,33 @@ export class SchemaManager { qb = qb.unique(); } qbs.push(qb); - local_updates++; - updates++; } // drop indices if (config.drop) { for (const index of dropIndices) { qbs.push(schema.dropIndex(index)); - local_updates++; - updates++; } } + } - if (local_updates === 0) continue; + if (qbs.length > 0) { + statements.push( + ...qbs.map((qb) => { + const { sql, parameters } = qb.compile(); + return { sql, parameters }; + }), + ); - // iterate through built qbs - // @todo: run in batches - for (const qb of qbs) { - const { sql, parameters } = qb.compile(); - statements.push({ sql, parameters }); + $console.debug( + "[SchemaManager]", + `${qbs.length} statements\n${statements.map((stmt) => stmt.sql).join(";\n")}`, + ); - if (config.force) { - try { - $console.debug("[SchemaManager]", sql); - await qb.execute(); - } catch (e) { - throw new Error(`Failed to execute query: ${sql}: ${(e as any).message}`); - } - } + try { + await this.em.connection.executeQueries(...qbs); + } catch (e) { + throw new Error(`Failed to execute batch: ${String(e)}`); } } diff --git a/app/src/data/server/query.spec.ts b/app/src/data/server/query.spec.ts index 89585a3..eb2eb2b 100644 --- a/app/src/data/server/query.spec.ts +++ b/app/src/data/server/query.spec.ts @@ -1,6 +1,8 @@ import { test, describe, expect } from "bun:test"; import * as q from "./query"; import { parse as $parse, type ParseOptions } from "bknd/utils"; +import type { PrimaryFieldType } from "modules"; +import type { Generated } from "kysely"; const parse = (v: unknown, o: ParseOptions = {}) => $parse(q.repoQuery, v, { @@ -186,4 +188,35 @@ describe("server/query", () => { decode({ with: { images: {}, comments: {} } }, output); } }); + + test("types", () => { + const id = 1 as PrimaryFieldType; + const id2 = "1" as unknown as Generated; + + const c: q.RepoQueryIn = { + where: { + // @ts-expect-error only primitives are allowed for $eq + something: [], + // this gets ignored + another: undefined, + // @ts-expect-error null is not a valid value + null_is_okay: null, + some_id: id, + another_id: id2, + }, + }; + + const d: q.RepoQuery = { + where: { + // @ts-expect-error only primitives are allowed for $eq + something: [], + // this gets ignored + another: undefined, + // @ts-expect-error null is not a valid value + null_is_okay: null, + some_id: id, + another_id: id2, + }, + }; + }); }); diff --git a/app/src/data/server/query.ts b/app/src/data/server/query.ts index cb4defe..9a01e2a 100644 --- a/app/src/data/server/query.ts +++ b/app/src/data/server/query.ts @@ -84,8 +84,6 @@ const where = s.anyOf([s.string(), s.object({})], { return WhereBuilder.convert(q); }, }); -//type WhereSchemaIn = s.Static; -//type WhereSchema = s.StaticCoerced; // ------ // with @@ -128,7 +126,7 @@ const withSchema = (self: s.Schema): s.Schema<{}, Type, Type> => } } - return value as unknown as any; + return value as any; }, }) as any; @@ -167,15 +165,3 @@ export type RepoQueryIn = { export type RepoQuery = s.StaticCoerced & { sort: SortSchema; }; - -//export type RepoQuery = s.StaticCoerced; -// @todo: CURRENT WORKAROUND -/* export type RepoQuery = { - limit?: number; - offset?: number; - sort?: { by: string; dir: "asc" | "desc" }; - select?: string[]; - with?: Record; - join?: string[]; - where?: WhereQuery; -}; */ diff --git a/app/src/index.ts b/app/src/index.ts index ae01151..e30af8a 100644 --- a/app/src/index.ts +++ b/app/src/index.ts @@ -41,15 +41,16 @@ export { getSystemMcp } from "modules/mcp/system-mcp"; /** * Core */ -export type { MaybePromise } from "core/types"; +export type { MaybePromise, Merge } from "core/types"; export { Exception, BkndError } from "core/errors"; export { isDebug, env } from "core/env"; export { type PrimaryFieldType, config, type DB, type AppEntity } from "core/config"; -export { Permission } from "core/security/Permission"; +export { Permission } from "auth/authorize/Permission"; export { getFlashMessage } from "core/server/flash"; export * from "core/drivers"; export { Event, InvalidEventReturn } from "core/events/Event"; export type { + EventListener, ListenerMode, ListenerHandler, } from "core/events/EventListener"; diff --git a/app/src/media/AppMedia.ts b/app/src/media/AppMedia.ts index 2c1b6b2..ff2cadd 100644 --- a/app/src/media/AppMedia.ts +++ b/app/src/media/AppMedia.ts @@ -22,6 +22,9 @@ declare module "bknd" { // @todo: current workaround to make it all required export class AppMedia extends Module> { private _storage?: Storage; + options = { + body_max_size: null as number | null, + }; override async build() { if (!this.config.enabled) { diff --git a/app/src/media/api/MediaController.ts b/app/src/media/api/MediaController.ts index 6a72048..0523b6a 100644 --- a/app/src/media/api/MediaController.ts +++ b/app/src/media/api/MediaController.ts @@ -36,7 +36,7 @@ export class MediaController extends Controller { summary: "Get the list of files", tags: ["media"], }), - permission(MediaPermissions.listFiles), + permission(MediaPermissions.listFiles, {}), async (c) => { const files = await this.getStorageAdapter().listObjects(); return c.json(files); @@ -51,7 +51,7 @@ export class MediaController extends Controller { summary: "Get a file by name", tags: ["media"], }), - permission(MediaPermissions.readFile), + permission(MediaPermissions.readFile, {}), async (c) => { const { filename } = c.req.param(); if (!filename) { @@ -81,7 +81,7 @@ export class MediaController extends Controller { summary: "Delete a file by name", tags: ["media"], }), - permission(MediaPermissions.deleteFile), + permission(MediaPermissions.deleteFile, {}), async (c) => { const { filename } = c.req.param(); if (!filename) { @@ -93,7 +93,10 @@ export class MediaController extends Controller { }, ); - const maxSize = this.getStorage().getConfig().body_max_size ?? Number.POSITIVE_INFINITY; + const maxSize = + this.media.options.body_max_size ?? + this.getStorage().getConfig().body_max_size ?? + Number.POSITIVE_INFINITY; if (isDebug()) { hono.post( @@ -146,7 +149,7 @@ export class MediaController extends Controller { requestBody, }), jsc("param", s.object({ filename: s.string().optional() })), - permission(MediaPermissions.uploadFile), + permission(MediaPermissions.uploadFile, {}), async (c) => { const reqname = c.req.param("filename"); @@ -186,7 +189,10 @@ export class MediaController extends Controller { }), ), jsc("query", s.object({ overwrite: s.boolean().optional() })), - permission([DataPermissions.entityCreate, MediaPermissions.uploadFile]), + permission(DataPermissions.entityCreate, { + context: (c) => ({ entity: c.req.param("entity") }), + }), + permission(MediaPermissions.uploadFile, {}), async (c) => { const { entity: entity_name, id: entity_id, field: field_name } = c.req.valid("param"); diff --git a/app/src/media/media-permissions.ts b/app/src/media/media-permissions.ts index 527ce28..0ae0017 100644 --- a/app/src/media/media-permissions.ts +++ b/app/src/media/media-permissions.ts @@ -1,4 +1,4 @@ -import { Permission } from "core/security/Permission"; +import { Permission } from "auth/authorize/Permission"; export const readFile = new Permission("media.file.read"); export const listFiles = new Permission("media.file.list"); diff --git a/app/src/media/media-schema.ts b/app/src/media/media-schema.ts index 4e71d83..eaa2b8d 100644 --- a/app/src/media/media-schema.ts +++ b/app/src/media/media-schema.ts @@ -48,7 +48,7 @@ export function buildMediaSchema() { { default: {}, }, - ); + ).strict(); } export const mediaConfigSchema = buildMediaSchema(); diff --git a/app/src/modes/code.ts b/app/src/modes/code.ts new file mode 100644 index 0000000..30e4dc3 --- /dev/null +++ b/app/src/modes/code.ts @@ -0,0 +1,49 @@ +import type { BkndConfig } from "bknd/adapter"; +import { makeModeConfig, type BkndModeConfig } from "./shared"; +import { $console } from "bknd/utils"; + +export type BkndCodeModeConfig = BkndModeConfig; + +export type CodeMode = AdapterConfig extends BkndConfig< + infer Args +> + ? BkndModeConfig + : never; + +export function code(config: BkndCodeModeConfig): BkndConfig { + return { + ...config, + app: async (args) => { + const { + config: appConfig, + plugins, + isProd, + syncSchemaOptions, + } = await makeModeConfig(config, args); + + if (appConfig?.options?.mode && appConfig?.options?.mode !== "code") { + $console.warn("You should not set a different mode than `db` when using code mode"); + } + + return { + ...appConfig, + options: { + ...appConfig?.options, + mode: "code", + plugins, + manager: { + // skip validation in prod for a speed boost + skipValidation: isProd, + onModulesBuilt: async (ctx) => { + if (!isProd && syncSchemaOptions.force) { + $console.log("[code] syncing schema"); + await ctx.em.schema().sync(syncSchemaOptions); + } + }, + ...appConfig?.options?.manager, + }, + }, + }; + }, + }; +} diff --git a/app/src/modes/hybrid.ts b/app/src/modes/hybrid.ts new file mode 100644 index 0000000..7a8022b --- /dev/null +++ b/app/src/modes/hybrid.ts @@ -0,0 +1,89 @@ +import type { BkndConfig } from "bknd/adapter"; +import { makeModeConfig, type BkndModeConfig } from "./shared"; +import { getDefaultConfig, type MaybePromise, type ModuleConfigs, type Merge } from "bknd"; +import type { DbModuleManager } from "modules/db/DbModuleManager"; +import { invariant, $console } from "bknd/utils"; + +export type BkndHybridModeOptions = { + /** + * Reader function to read the configuration from the file system. + * This is required for hybrid mode to work. + */ + reader?: (path: string) => MaybePromise; + /** + * Provided secrets to be merged into the configuration + */ + secrets?: Record; +}; + +export type HybridBkndConfig = BkndModeConfig; +export type HybridMode = AdapterConfig extends BkndConfig< + infer Args +> + ? BkndModeConfig> + : never; + +export function hybrid({ + configFilePath = "bknd-config.json", + ...rest +}: HybridBkndConfig): BkndConfig { + return { + ...rest, + config: undefined, + app: async (args) => { + const { + config: appConfig, + isProd, + plugins, + syncSchemaOptions, + } = await makeModeConfig( + { + ...rest, + configFilePath, + }, + args, + ); + + if (appConfig?.options?.mode && appConfig?.options?.mode !== "db") { + $console.warn("You should not set a different mode than `db` when using hybrid mode"); + } + invariant( + typeof appConfig.reader === "function", + "You must set the `reader` option when using hybrid mode", + ); + + let fileConfig: ModuleConfigs; + try { + fileConfig = JSON.parse(await appConfig.reader!(configFilePath)) as ModuleConfigs; + } catch (e) { + const defaultConfig = (appConfig.config ?? getDefaultConfig()) as ModuleConfigs; + await appConfig.writer!(configFilePath, JSON.stringify(defaultConfig, null, 2)); + fileConfig = defaultConfig; + } + + return { + ...(appConfig as any), + beforeBuild: async (app) => { + if (app && !isProd) { + const mm = app.modules as DbModuleManager; + mm.buildSyncConfig = syncSchemaOptions; + } + await appConfig.beforeBuild?.(app); + }, + config: fileConfig, + options: { + ...appConfig?.options, + mode: isProd ? "code" : "db", + plugins, + manager: { + // skip validation in prod for a speed boost + skipValidation: isProd, + // secrets are required for hybrid mode + secrets: appConfig.secrets, + ...appConfig?.options?.manager, + }, + }, + }; + }, + }; +} diff --git a/app/src/modes/index.ts b/app/src/modes/index.ts new file mode 100644 index 0000000..b053671 --- /dev/null +++ b/app/src/modes/index.ts @@ -0,0 +1,3 @@ +export * from "./code"; +export * from "./hybrid"; +export * from "./shared"; diff --git a/app/src/modes/shared.ts b/app/src/modes/shared.ts new file mode 100644 index 0000000..f1bc4ff --- /dev/null +++ b/app/src/modes/shared.ts @@ -0,0 +1,183 @@ +import type { AppPlugin, BkndConfig, MaybePromise, Merge } from "bknd"; +import { syncTypes, syncConfig } from "bknd/plugins"; +import { syncSecrets } from "plugins/dev/sync-secrets.plugin"; +import { invariant, $console } from "bknd/utils"; + +export type BkndModeOptions = { + /** + * Whether the application is running in production. + */ + isProduction?: boolean; + /** + * Writer function to write the configuration to the file system + */ + writer?: (path: string, content: string) => MaybePromise; + /** + * Configuration file path + */ + configFilePath?: string; + /** + * Types file path + * @default "bknd-types.d.ts" + */ + typesFilePath?: string; + /** + * Syncing secrets options + */ + syncSecrets?: { + /** + * Whether to enable syncing secrets + */ + enabled?: boolean; + /** + * Output file path + */ + outFile?: string; + /** + * Format of the output file + * @default "env" + */ + format?: "json" | "env"; + /** + * Whether to include secrets in the output file + * @default false + */ + includeSecrets?: boolean; + }; + /** + * Determines whether to automatically sync the schema if not in production. + * @default true + */ + syncSchema?: boolean | { force?: boolean; drop?: boolean }; +}; + +export type BkndModeConfig = BkndConfig< + Args, + Merge +>; + +export async function makeModeConfig< + Args = any, + Config extends BkndModeConfig = BkndModeConfig, +>({ app, ..._config }: Config, args: Args) { + const appConfig = typeof app === "function" ? await app(args) : app; + + const config = { + ..._config, + ...appConfig, + } as Omit; + + if (typeof config.isProduction !== "boolean") { + $console.warn( + "You should set `isProduction` option when using managed modes to prevent accidental issues", + ); + } + + invariant( + typeof config.writer === "function", + "You must set the `writer` option when using managed modes", + ); + + const { typesFilePath, configFilePath, writer, syncSecrets: syncSecretsOptions } = config; + + const isProd = config.isProduction; + const plugins = appConfig?.options?.plugins ?? ([] as AppPlugin[]); + const syncSchemaOptions = + typeof config.syncSchema === "object" + ? config.syncSchema + : { + force: config.syncSchema !== false, + drop: true, + }; + + if (!isProd) { + if (typesFilePath) { + if (plugins.some((p) => p.name === "bknd-sync-types")) { + throw new Error("You have to unregister the `syncTypes` plugin"); + } + plugins.push( + syncTypes({ + enabled: true, + includeFirstBoot: true, + write: async (et) => { + try { + await config.writer?.(typesFilePath, et.toString()); + } catch (e) { + console.error(`Error writing types to"${typesFilePath}"`, e); + } + }, + }) as any, + ); + } + + if (configFilePath) { + if (plugins.some((p) => p.name === "bknd-sync-config")) { + throw new Error("You have to unregister the `syncConfig` plugin"); + } + plugins.push( + syncConfig({ + enabled: true, + includeFirstBoot: true, + write: async (config) => { + try { + await writer?.(configFilePath, JSON.stringify(config, null, 2)); + } catch (e) { + console.error(`Error writing config to "${configFilePath}"`, e); + } + }, + }) as any, + ); + } + + if (syncSecretsOptions && syncSecretsOptions.enabled !== false) { + if (plugins.some((p) => p.name === "bknd-sync-secrets")) { + throw new Error("You have to unregister the `syncSecrets` plugin"); + } + + let outFile = syncSecretsOptions.outFile; + const format = syncSecretsOptions.format ?? "env"; + if (!outFile) { + outFile = ["env", !syncSecretsOptions.includeSecrets && "example", format] + .filter(Boolean) + .join("."); + } + + plugins.push( + syncSecrets({ + enabled: true, + includeFirstBoot: true, + write: async (secrets) => { + const values = Object.fromEntries( + Object.entries(secrets).map(([key, value]) => [ + key, + syncSecretsOptions.includeSecrets ? value : "", + ]), + ); + + try { + if (format === "env") { + await writer?.( + outFile, + Object.entries(values) + .map(([key, value]) => `${key}=${value}`) + .join("\n"), + ); + } else { + await writer?.(outFile, JSON.stringify(values, null, 2)); + } + } catch (e) { + console.error(`Error writing secrets to "${outFile}"`, e); + } + }, + }) as any, + ); + } + } + + return { + config, + isProd, + plugins, + syncSchemaOptions, + }; +} diff --git a/app/src/modules/ModuleApi.ts b/app/src/modules/ModuleApi.ts index f89fb99..9b9ebb7 100644 --- a/app/src/modules/ModuleApi.ts +++ b/app/src/modules/ModuleApi.ts @@ -8,6 +8,7 @@ export type BaseModuleApiOptions = { host: string; basepath?: string; token?: string; + credentials?: RequestCredentials; headers?: Headers; token_transport?: "header" | "cookie" | "none"; verbose?: boolean; @@ -106,6 +107,7 @@ export abstract class ModuleApi>( c: { context: ModuleBuildContextMcpContext; raw?: unknown }, - ) { + permission: P, + context: PermissionContext

, + ): Promise; + async granted

>( + c: { context: ModuleBuildContextMcpContext; raw?: unknown }, + permission: P, + ): Promise; + async granted

>( + c: { context: ModuleBuildContextMcpContext; raw?: unknown }, + permission: P, + context?: PermissionContext

, + ): Promise { invariant(c.context.app, "app is not available in mcp context"); const auth = c.context.app.module.auth; if (!auth.enabled) return; @@ -127,12 +137,6 @@ export class ModuleHelper { } const user = await auth.authenticator?.resolveAuthFromRequest(c.raw as any); - - if (!this.ctx.guard.granted(permission, user)) { - throw new Exception( - `Permission "${typeof permission === "string" ? permission : permission.name}" not granted`, - 403, - ); - } + this.ctx.guard.granted(permission, user as any, context as any); } } diff --git a/app/src/modules/SystemApi.ts b/app/src/modules/SystemApi.ts index dc2e5c6..ab26bae 100644 --- a/app/src/modules/SystemApi.ts +++ b/app/src/modules/SystemApi.ts @@ -1,6 +1,7 @@ import type { ConfigUpdateResponse } from "modules/server/SystemController"; import { ModuleApi } from "./ModuleApi"; import type { ModuleConfigs, ModuleKey, ModuleSchemas } from "./ModuleManager"; +import type { TPermission } from "auth/authorize/Permission"; export type ApiSchemaResponse = { version: number; @@ -54,4 +55,8 @@ export class SystemApi extends ModuleApi { removeConfig(module: Module, path: string) { return this.delete(["config", "remove", module, path]); } + + permissions() { + return this.get<{ permissions: TPermission[]; context: object }>("permissions"); + } } diff --git a/app/src/modules/db/DbModuleManager.ts b/app/src/modules/db/DbModuleManager.ts index a7bc903..8af95e8 100644 --- a/app/src/modules/db/DbModuleManager.ts +++ b/app/src/modules/db/DbModuleManager.ts @@ -70,6 +70,9 @@ export class DbModuleManager extends ModuleManager { private readonly _booted_with?: "provided" | "partial"; private _stable_configs: ModuleConfigs | undefined; + // config used when syncing database + public buildSyncConfig: { force?: boolean; drop?: boolean } = { force: true }; + constructor(connection: Connection, options?: Partial) { let initial = {} as InitialModuleConfigs; let booted_with = "partial" as any; @@ -393,7 +396,7 @@ export class DbModuleManager extends ModuleManager { const version_before = this.version(); const [_version, _configs] = await migrate(version_before, result.configs.json, { - db: this.db + db: this.db, }); this._version = _version; @@ -463,7 +466,7 @@ export class DbModuleManager extends ModuleManager { this.logger.log("db sync requested"); // sync db - await ctx.em.schema().sync({ force: true }); + await ctx.em.schema().sync(this.buildSyncConfig); state.synced = true; // save diff --git a/app/src/modules/middlewares/index.ts b/app/src/modules/middlewares/index.ts index be1ad59..213eb7e 100644 --- a/app/src/modules/middlewares/index.ts +++ b/app/src/modules/middlewares/index.ts @@ -1 +1,2 @@ -export { auth, permission } from "auth/middlewares"; +export { auth } from "auth/middlewares/auth.middleware"; +export { permission } from "auth/middlewares/permission.middleware"; diff --git a/app/src/modules/permissions/index.ts b/app/src/modules/permissions/index.ts index b6fbead..152072d 100644 --- a/app/src/modules/permissions/index.ts +++ b/app/src/modules/permissions/index.ts @@ -1,10 +1,35 @@ -import { Permission } from "core/security/Permission"; +import { Permission } from "auth/authorize/Permission"; +import { s } from "bknd/utils"; export const accessAdmin = new Permission("system.access.admin"); export const accessApi = new Permission("system.access.api"); -export const configRead = new Permission("system.config.read"); -export const configReadSecrets = new Permission("system.config.read.secrets"); -export const configWrite = new Permission("system.config.write"); -export const schemaRead = new Permission("system.schema.read"); +export const configRead = new Permission( + "system.config.read", + {}, + s.object({ + module: s.string().optional(), + }), +); +export const configReadSecrets = new Permission( + "system.config.read.secrets", + {}, + s.object({ + module: s.string().optional(), + }), +); +export const configWrite = new Permission( + "system.config.write", + {}, + s.object({ + module: s.string().optional(), + }), +); +export const schemaRead = new Permission( + "system.schema.read", + {}, + s.object({ + module: s.string().optional(), + }), +); export const build = new Permission("system.build"); export const mcp = new Permission("system.mcp"); diff --git a/app/src/modules/server/AdminController.tsx b/app/src/modules/server/AdminController.tsx index 2800781..e098101 100644 --- a/app/src/modules/server/AdminController.tsx +++ b/app/src/modules/server/AdminController.tsx @@ -114,8 +114,9 @@ export class AdminController extends Controller { }), permission(SystemPermissions.schemaRead, { onDenied: async (c) => { - addFlashMessage(c, "You not allowed to read the schema", "warning"); + addFlashMessage(c, "You are not allowed to read the schema", "warning"); }, + context: (c) => ({}), }), async (c) => { const obj: AdminBkndWindowContext = { @@ -139,17 +140,19 @@ export class AdminController extends Controller { } if (auth_enabled) { + const options = { + onGranted: async (c) => { + // @todo: add strict test to permissions middleware? + if (c.get("auth")?.user) { + $console.log("redirecting to success"); + return c.redirect(authRoutes.success); + } + }, + context: (c) => ({}), + }; const redirectRouteParams = [ - permission([SystemPermissions.accessAdmin, SystemPermissions.schemaRead], { - // @ts-ignore - onGranted: async (c) => { - // @todo: add strict test to permissions middleware? - if (c.get("auth")?.user) { - $console.log("redirecting to success"); - return c.redirect(authRoutes.success); - } - }, - }), + permission(SystemPermissions.accessAdmin, options as any), + permission(SystemPermissions.schemaRead, options), async (c) => { return c.html(c.get("html")!); }, diff --git a/app/src/modules/server/AppServer.ts b/app/src/modules/server/AppServer.ts index b9fb531..9434309 100644 --- a/app/src/modules/server/AppServer.ts +++ b/app/src/modules/server/AppServer.ts @@ -52,11 +52,16 @@ export class AppServer extends Module { } override async build() { - const origin = this.config.cors.origin ?? ""; + const origin = this.config.cors.origin ?? "*"; + const origins = origin.includes(",") ? origin.split(",").map((o) => o.trim()) : [origin]; + const all_origins = origins.includes("*"); this.client.use( "*", cors({ - origin: origin.includes(",") ? origin.split(",").map((o) => o.trim()) : origin, + origin: (origin: string) => { + if (all_origins) return origin; + return origins.includes(origin) ? origin : undefined; + }, allowMethods: this.config.cors.allow_methods, allowHeaders: this.config.cors.allow_headers, credentials: this.config.cors.allow_credentials, @@ -87,6 +92,10 @@ export class AppServer extends Module { } if (err instanceof AuthException) { + if (isDebug()) { + return c.json(err.toJSON(), err.code); + } + return c.json(err.toJSON(), err.getSafeErrorAndCode().code); } diff --git a/app/src/modules/server/SystemController.ts b/app/src/modules/server/SystemController.ts index 93533a2..3ae6cd2 100644 --- a/app/src/modules/server/SystemController.ts +++ b/app/src/modules/server/SystemController.ts @@ -17,6 +17,7 @@ import { mcp as mcpMiddleware, isNode, type McpServer, + threw, } from "bknd/utils"; import type { Context, Hono } from "hono"; import { Controller } from "modules/Controller"; @@ -32,6 +33,7 @@ import { getVersion } from "core/env"; import type { Module } from "modules/Module"; import { getSystemMcp } from "modules/mcp/system-mcp"; import type { DbModuleManager } from "modules/db/DbModuleManager"; +import type { TPermission } from "auth/authorize/Permission"; export type ConfigUpdate = { success: true; @@ -46,7 +48,8 @@ export type SchemaResponse = { schema: ModuleSchemas; readonly: boolean; config: ModuleConfigs; - permissions: string[]; + //permissions: string[]; + permissions: TPermission[]; }; export class SystemController extends Controller { @@ -67,10 +70,14 @@ export class SystemController extends Controller { if (!config.mcp.enabled) { return; } + const { permission, auth } = this.middlewares; this.registerMcp(); - app.server.use( + app.server.all( + config.mcp.path, + auth(), + permission(SystemPermissions.mcp, {}), mcpMiddleware({ setup: async () => { if (!this._mcpServer) { @@ -108,7 +115,6 @@ export class SystemController extends Controller { explainEndpoint: true, }, endpoint: { - path: config.mcp.path as any, // @ts-ignore _init: isNode() ? { duplex: "half" } : {}, }, @@ -119,7 +125,7 @@ export class SystemController extends Controller { private registerConfigController(client: Hono): void { const { permission } = this.middlewares; // don't add auth again, it's already added in getController - const hono = this.create().use(permission(SystemPermissions.configRead)); + const hono = this.create(); /* .use(permission(SystemPermissions.configRead)); */ if (!this.app.isReadOnly()) { const manager = this.app.modules as DbModuleManager; @@ -130,7 +136,11 @@ export class SystemController extends Controller { summary: "Get the raw config", tags: ["system"], }), - permission([SystemPermissions.configReadSecrets]), + permission(SystemPermissions.configReadSecrets, { + context: (c) => ({ + module: c.req.param("module"), + }), + }), async (c) => { // @ts-expect-error "fetch" is private return c.json(await this.app.modules.fetch().then((r) => r?.configs)); @@ -165,7 +175,11 @@ export class SystemController extends Controller { hono.post( "/set/:module", - permission(SystemPermissions.configWrite), + permission(SystemPermissions.configWrite, { + context: (c) => ({ + module: c.req.param("module"), + }), + }), jsc("query", s.object({ force: s.boolean().optional() }), { skipOpenAPI: true }), async (c) => { const module = c.req.param("module") as any; @@ -194,32 +208,44 @@ export class SystemController extends Controller { }, ); - hono.post("/add/:module/:path", permission(SystemPermissions.configWrite), async (c) => { - // @todo: require auth (admin) - const module = c.req.param("module") as any; - const value = await c.req.json(); - const path = c.req.param("path") as string; + hono.post( + "/add/:module/:path", + permission(SystemPermissions.configWrite, { + context: (c) => ({ + module: c.req.param("module"), + }), + }), + async (c) => { + // @todo: require auth (admin) + const module = c.req.param("module") as any; + const value = await c.req.json(); + const path = c.req.param("path") as string; - if (this.app.modules.get(module).schema().has(path)) { - return c.json( - { success: false, path, error: "Path already exists" }, - { status: 400 }, - ); - } + if (this.app.modules.get(module).schema().has(path)) { + return c.json( + { success: false, path, error: "Path already exists" }, + { status: 400 }, + ); + } - return await handleConfigUpdateResponse(c, async () => { - await manager.mutateConfigSafe(module).patch(path, value); - return { - success: true, - module, - config: this.app.module[module].config, - }; - }); - }); + return await handleConfigUpdateResponse(c, async () => { + await manager.mutateConfigSafe(module).patch(path, value); + return { + success: true, + module, + config: this.app.module[module].config, + }; + }); + }, + ); hono.patch( "/patch/:module/:path", - permission(SystemPermissions.configWrite), + permission(SystemPermissions.configWrite, { + context: (c) => ({ + module: c.req.param("module"), + }), + }), async (c) => { // @todo: require auth (admin) const module = c.req.param("module") as any; @@ -239,7 +265,11 @@ export class SystemController extends Controller { hono.put( "/overwrite/:module/:path", - permission(SystemPermissions.configWrite), + permission(SystemPermissions.configWrite, { + context: (c) => ({ + module: c.req.param("module"), + }), + }), async (c) => { // @todo: require auth (admin) const module = c.req.param("module") as any; @@ -259,7 +289,11 @@ export class SystemController extends Controller { hono.delete( "/remove/:module/:path", - permission(SystemPermissions.configWrite), + permission(SystemPermissions.configWrite, { + context: (c) => ({ + module: c.req.param("module"), + }), + }), async (c) => { // @todo: require auth (admin) const module = c.req.param("module") as any; @@ -295,7 +329,11 @@ export class SystemController extends Controller { const { secrets } = c.req.valid("query"); const { module } = c.req.valid("param"); - secrets && this.ctx.guard.throwUnlessGranted(SystemPermissions.configReadSecrets, c); + if (secrets) { + this.ctx.guard.granted(SystemPermissions.configReadSecrets, c, { + module, + }); + } const config = this.app.toJSON(secrets); @@ -326,7 +364,11 @@ export class SystemController extends Controller { summary: "Get the schema for a module", tags: ["system"], }), - permission(SystemPermissions.schemaRead), + permission(SystemPermissions.schemaRead, { + context: (c) => ({ + module: c.req.param("module"), + }), + }), jsc( "query", s @@ -340,10 +382,22 @@ export class SystemController extends Controller { async (c) => { const module = c.req.param("module") as ModuleKey | undefined; const { config, secrets, fresh } = c.req.valid("query"); - const readonly = this.app.isReadOnly(); + const readonly = + // either if app is read only in general + this.app.isReadOnly() || + // or if user is not allowed to modify the config + threw(() => this.ctx.guard.granted(SystemPermissions.configWrite, c, { module })); - config && this.ctx.guard.throwUnlessGranted(SystemPermissions.configRead, c); - secrets && this.ctx.guard.throwUnlessGranted(SystemPermissions.configReadSecrets, c); + if (config) { + this.ctx.guard.granted(SystemPermissions.configRead, c, { + module, + }); + } + if (secrets) { + this.ctx.guard.granted(SystemPermissions.configReadSecrets, c, { + module, + }); + } const { version, ...schema } = this.app.getSchema(); @@ -368,11 +422,23 @@ export class SystemController extends Controller { readonly, schema, config: config ? this.app.toJSON(secrets) : undefined, - permissions: this.app.modules.ctx().guard.getPermissionNames(), + permissions: this.app.modules.ctx().guard.getPermissions(), }); }, ); + hono.get( + "/permissions", + describeRoute({ + summary: "Get the permissions", + tags: ["system"], + }), + (c) => { + const permissions = this.app.modules.ctx().guard.getPermissions(); + return c.json({ permissions, context: this.app.module.auth.getGuardContextSchema() }); + }, + ); + hono.post( "/build", describeRoute({ @@ -383,7 +449,7 @@ export class SystemController extends Controller { jsc("query", s.object({ sync: s.boolean().optional(), fetch: s.boolean().optional() })), async (c) => { const options = c.req.valid("query") as Record; - this.ctx.guard.throwUnlessGranted(SystemPermissions.build, c); + this.ctx.guard.granted(SystemPermissions.build, c); await this.app.build(options); return c.json({ @@ -455,7 +521,7 @@ export class SystemController extends Controller { const { version, ...appConfig } = this.app.toJSON(); mcp.resource("system_config", "bknd://system/config", async (c) => { - await c.context.ctx().helper.throwUnlessGranted(SystemPermissions.configRead, c); + await c.context.ctx().helper.granted(c, SystemPermissions.configRead, {}); return c.json(this.app.toJSON(), { title: "System Config", @@ -465,7 +531,9 @@ export class SystemController extends Controller { "system_config_module", "bknd://system/config/{module}", async (c, { module }) => { - await this.ctx.helper.throwUnlessGranted(SystemPermissions.configRead, c); + await this.ctx.helper.granted(c, SystemPermissions.configRead, { + module, + }); const m = this.app.modules.get(module as any) as Module; return c.json(m.toJSON(), { @@ -477,7 +545,7 @@ export class SystemController extends Controller { }, ) .resource("system_schema", "bknd://system/schema", async (c) => { - await this.ctx.helper.throwUnlessGranted(SystemPermissions.schemaRead, c); + await this.ctx.helper.granted(c, SystemPermissions.schemaRead, {}); return c.json(this.app.getSchema(), { title: "System Schema", @@ -487,7 +555,9 @@ export class SystemController extends Controller { "system_schema_module", "bknd://system/schema/{module}", async (c, { module }) => { - await this.ctx.helper.throwUnlessGranted(SystemPermissions.schemaRead, c); + await this.ctx.helper.granted(c, SystemPermissions.schemaRead, { + module, + }); const m = this.app.modules.get(module as any); return c.json(m.getSchema().toJSON(), { diff --git a/app/src/plugins/data/timestamp.plugin.spec.ts b/app/src/plugins/data/timestamp.plugin.spec.ts new file mode 100644 index 0000000..bdf8811 --- /dev/null +++ b/app/src/plugins/data/timestamp.plugin.spec.ts @@ -0,0 +1,74 @@ +import { describe, test, expect, beforeAll, afterAll } from "bun:test"; +import { timestamps } from "./timestamps.plugin"; +import { em, entity, text } from "bknd"; +import { createApp } from "core/test/utils"; +import { disableConsoleLog, enableConsoleLog } from "core/utils/test"; + +beforeAll(() => disableConsoleLog()); +afterAll(enableConsoleLog); + +describe("timestamps plugin", () => { + test("should ignore if no or invalid entities are provided", async () => { + const app = createApp({ + options: { + plugins: [timestamps({ entities: [] })], + }, + }); + await app.build(); + expect(app.em.entities.map((e) => e.name)).toEqual([]); + + { + const app = createApp({ + options: { + plugins: [timestamps({ entities: ["posts"] })], + }, + }); + await app.build(); + expect(app.em.entities.map((e) => e.name)).toEqual([]); + } + }); + + test("should add timestamps to the specified entities", async () => { + const app = createApp({ + config: { + data: em({ + posts: entity("posts", { + title: text(), + }), + }).toJSON(), + }, + options: { + plugins: [timestamps({ entities: ["posts", "invalid"] })], + }, + }); + await app.build(); + expect(app.em.entities.map((e) => e.name)).toEqual(["posts"]); + expect(app.em.entity("posts")?.fields.map((f) => f.name)).toEqual([ + "id", + "title", + "created_at", + "updated_at", + ]); + + // insert + const mutator = app.em.mutator(app.em.entity("posts")); + const { data } = await mutator.insertOne({ title: "Hello" }); + expect(data.created_at).toBeDefined(); + expect(data.updated_at).toBeDefined(); + expect(data.created_at).toBeInstanceOf(Date); + expect(data.updated_at).toBeInstanceOf(Date); + const diff = data.created_at.getTime() - data.updated_at.getTime(); + expect(diff).toBeLessThan(10); + expect(diff).toBeGreaterThan(-1); + + // update (set updated_at to null, otherwise it's too fast to test) + await app.em.connection.kysely + .updateTable("posts") + .set({ updated_at: null }) + .where("id", "=", data.id) + .execute(); + const { data: updatedData } = await mutator.updateOne(data.id, { title: "Hello 2" }); + expect(updatedData.updated_at).toBeDefined(); + expect(updatedData.updated_at).toBeInstanceOf(Date); + }); +}); diff --git a/app/src/plugins/data/timestamps.plugin.ts b/app/src/plugins/data/timestamps.plugin.ts new file mode 100644 index 0000000..0de5a94 --- /dev/null +++ b/app/src/plugins/data/timestamps.plugin.ts @@ -0,0 +1,86 @@ +import { type App, type AppPlugin, em, entity, datetime, DatabaseEvents } from "bknd"; +import { $console } from "bknd/utils"; + +export type TimestampsPluginOptions = { + entities: string[]; + setUpdatedOnCreate?: boolean; +}; + +/** + * This plugin adds `created_at` and `updated_at` fields to the specified entities. + * Add it to your plugins in `bknd.config.ts` like this: + * + * ```ts + * export default { + * plugins: [timestamps({ entities: ["posts"] })], + * } + * ``` + */ +export function timestamps({ + entities = [], + setUpdatedOnCreate = true, +}: TimestampsPluginOptions): AppPlugin { + return (app: App) => ({ + name: "timestamps", + schema: () => { + if (entities.length === 0) { + $console.warn("No entities specified for timestamps plugin"); + return; + } + + const appEntities = app.em.entities.map((e) => e.name); + + return em( + Object.fromEntries( + entities + .filter((e) => appEntities.includes(e)) + .map((e) => [ + e, + entity(e, { + created_at: datetime(), + updated_at: datetime(), + }), + ]), + ), + ); + }, + onBuilt: async () => { + app.emgr.onEvent( + DatabaseEvents.MutatorInsertBefore, + (event) => { + const { entity, data } = event.params; + if (entities.includes(entity.name)) { + return { + ...data, + created_at: new Date(), + updated_at: setUpdatedOnCreate ? new Date() : null, + }; + } + return data; + }, + { + mode: "sync", + id: "bknd-timestamps", + }, + ); + + app.emgr.onEvent( + DatabaseEvents.MutatorUpdateBefore, + async (event) => { + const { entity, data } = event.params; + if (entities.includes(entity.name)) { + return { + ...data, + updated_at: new Date(), + }; + } + return data; + }, + { + mode: "sync", + id: "bknd-timestamps", + }, + ); + }, + }); +} diff --git a/app/src/plugins/index.ts b/app/src/plugins/index.ts index 45db2d5..b0090ff 100644 --- a/app/src/plugins/index.ts +++ b/app/src/plugins/index.ts @@ -7,3 +7,4 @@ export { showRoutes, type ShowRoutesOptions } from "./dev/show-routes.plugin"; export { syncConfig, type SyncConfigOptions } from "./dev/sync-config.plugin"; export { syncTypes, type SyncTypesOptions } from "./dev/sync-types.plugin"; export { syncSecrets, type SyncSecretsOptions } from "./dev/sync-secrets.plugin"; +export { timestamps, type TimestampsPluginOptions } from "./data/timestamps.plugin"; diff --git a/app/src/ui/client/BkndProvider.tsx b/app/src/ui/client/BkndProvider.tsx index abb0020..c37d182 100644 --- a/app/src/ui/client/BkndProvider.tsx +++ b/app/src/ui/client/BkndProvider.tsx @@ -15,13 +15,14 @@ import { AppReduced } from "./utils/AppReduced"; import { Message } from "ui/components/display/Message"; import { useNavigate } from "ui/lib/routes"; import type { BkndAdminProps } from "ui/Admin"; +import type { TPermission } from "auth/authorize/Permission"; export type BkndContext = { version: number; readonly: boolean; schema: ModuleSchemas; config: ModuleConfigs; - permissions: string[]; + permissions: TPermission[]; hasSecrets: boolean; requireSecrets: () => Promise; actions: ReturnType; diff --git a/app/src/ui/client/ClientProvider.tsx b/app/src/ui/client/ClientProvider.tsx index 13352d1..88a54c1 100644 --- a/app/src/ui/client/ClientProvider.tsx +++ b/app/src/ui/client/ClientProvider.tsx @@ -53,9 +53,7 @@ export const ClientProvider = ({ [JSON.stringify(apiProps)], ); - const [authState, setAuthState] = useState | undefined>( - apiProps.user ? api.getAuthState() : undefined, - ); + const [authState, setAuthState] = useState | undefined>(api.getAuthState()); return ( diff --git a/app/src/ui/client/api/use-api.ts b/app/src/ui/client/api/use-api.ts index 6b6d546..573b990 100644 --- a/app/src/ui/client/api/use-api.ts +++ b/app/src/ui/client/api/use-api.ts @@ -1,6 +1,6 @@ import type { Api } from "Api"; import { FetchPromise, type ModuleApi, type ResponseObject } from "modules/ModuleApi"; -import useSWR, { type SWRConfiguration, useSWRConfig } from "swr"; +import useSWR, { type SWRConfiguration, useSWRConfig, type Middleware, type SWRHook } from "swr"; import useSWRInfinite from "swr/infinite"; import { useApi } from "ui/client"; import { useState } from "react"; @@ -89,3 +89,25 @@ export const useInvalidate = (options?: { exact?: boolean }) => { return mutate((k) => typeof k === "string" && k.startsWith(key)); }; }; + +const mountOnceCache = new Map(); + +/** + * Simple middleware to only load on first mount. + */ +export const mountOnce: Middleware = (useSWRNext: SWRHook) => (key, fetcher, config) => { + if (typeof key === "string") { + if (mountOnceCache.has(key)) { + return useSWRNext(key, fetcher, { + ...config, + revalidateOnMount: false, + }); + } + const swr = useSWRNext(key, fetcher, config); + if (swr.data) { + mountOnceCache.set(key, true); + } + return swr; + } + return useSWRNext(key, fetcher, config); +}; diff --git a/app/src/ui/client/schema/auth/use-auth.ts b/app/src/ui/client/schema/auth/use-auth.ts index e3fb4a6..291c963 100644 --- a/app/src/ui/client/schema/auth/use-auth.ts +++ b/app/src/ui/client/schema/auth/use-auth.ts @@ -16,8 +16,8 @@ type UseAuth = { verified: boolean; login: (data: LoginData) => Promise; register: (data: LoginData) => Promise; - logout: () => void; - verify: () => void; + logout: () => Promise; + verify: () => Promise; setToken: (token: string) => void; }; @@ -42,12 +42,13 @@ export const useAuth = (options?: { baseUrl?: string }): UseAuth => { } async function logout() { - api.updateToken(undefined); - invalidate(); + await api.auth.logout(); + await invalidate(); } async function verify() { await api.verifyAuth(); + await invalidate(); } return { diff --git a/app/src/ui/client/schema/auth/use-bknd-auth.ts b/app/src/ui/client/schema/auth/use-bknd-auth.ts index b48d1e1..7f83358 100644 --- a/app/src/ui/client/schema/auth/use-bknd-auth.ts +++ b/app/src/ui/client/schema/auth/use-bknd-auth.ts @@ -49,7 +49,7 @@ export function useBkndAuth() { has_admin: Object.entries(config.auth.roles ?? {}).some( ([name, role]) => role.implicit_allow || - minimum_permissions.every((p) => role.permissions?.includes(p)), + minimum_permissions.every((p) => role.permissions?.some((p) => p.permission === p)), ), }, routes: { diff --git a/app/src/ui/components/buttons/Button.tsx b/app/src/ui/components/buttons/Button.tsx index b80f006..79ee3cc 100644 --- a/app/src/ui/components/buttons/Button.tsx +++ b/app/src/ui/components/buttons/Button.tsx @@ -5,13 +5,15 @@ import { twMerge } from "tailwind-merge"; import { Link } from "ui/components/wouter/Link"; const sizes = { + smaller: "px-1.5 py-1 rounded-md gap-1 !text-xs", small: "px-2 py-1.5 rounded-md gap-1 text-sm", default: "px-3 py-2.5 rounded-md gap-1.5", large: "px-4 py-3 rounded-md gap-2.5 text-lg", }; const iconSizes = { - small: 12, + smaller: 12, + small: 14, default: 16, large: 20, }; diff --git a/app/src/ui/components/code/CodePreview.tsx b/app/src/ui/components/code/CodePreview.tsx new file mode 100644 index 0000000..d79fd3a --- /dev/null +++ b/app/src/ui/components/code/CodePreview.tsx @@ -0,0 +1,75 @@ +import { useEffect, useState } from "react"; +import { useTheme } from "ui/client/use-theme"; +import { cn, importDynamicBrowserModule } from "ui/lib/utils"; + +export type CodePreviewProps = { + code: string; + className?: string; + lang?: string; + theme?: string; + enabled?: boolean; +}; + +export const CodePreview = ({ + code, + className, + lang = "typescript", + theme: _theme, + enabled = true, +}: CodePreviewProps) => { + const [highlightedHtml, setHighlightedHtml] = useState(null); + const $theme = useTheme(); + const theme = (_theme ?? $theme.theme === "dark") ? "github-dark" : "github-light"; + + useEffect(() => { + if (!enabled) return; + + let cancelled = false; + setHighlightedHtml(null); + + async function highlightCode() { + try { + // Dynamically import Shiki from CDN + const { codeToHtml } = await importDynamicBrowserModule( + "shiki", + "https://esm.sh/shiki@3.13.0", + ); + + if (cancelled) return; + + const html = await codeToHtml(code, { + lang, + theme, + structure: "inline", + }); + + if (cancelled) return; + + setHighlightedHtml(html); + } catch (error) { + console.error("Failed to load Shiki:", error); + // Fallback to plain text if Shiki fails to load + if (!cancelled) { + setHighlightedHtml(code); + } + } + } + + highlightCode(); + + return () => { + cancelled = true; + }; + }, [code, enabled]); + + if (!highlightedHtml) { + return 

{code}
; + } + + return ( + 
+   );
+};
diff --git a/app/src/ui/components/code/JsonEditor.tsx b/app/src/ui/components/code/JsonEditor.tsx
index ec96811..d12bf77 100644
--- a/app/src/ui/components/code/JsonEditor.tsx
+++ b/app/src/ui/components/code/JsonEditor.tsx
@@ -1,19 +1,68 @@
-import { Suspense, lazy } from "react";
+import { Suspense, lazy, useEffect, useState } from "react";
 import { twMerge } from "tailwind-merge";
 import type { CodeEditorProps } from "./CodeEditor";
+import { useDebouncedCallback } from "@mantine/hooks";
 const CodeEditor = lazy(() => import("./CodeEditor"));
 
-export function JsonEditor({ editable, className, ...props }: CodeEditorProps) {
+export type JsonEditorProps = Omit & {
+   value?: object;
+   onChange?: (value: object) => void;
+   emptyAs?: any;
+   onInvalid?: (error: Error) => void;
+};
+
+export function JsonEditor({
+   editable,
+   className,
+   value,
+   onChange,
+   onBlur,
+   emptyAs = undefined,
+   onInvalid,
+   ...props
+}: JsonEditorProps) {
+   const [editorValue, setEditorValue] = useState(
+      value ? JSON.stringify(value, null, 2) : emptyAs,
+   );
+   const [error, setError] = useState(false);
+   const handleChange = useDebouncedCallback((given: string) => {
+      try {
+         setError(false);
+         onChange?.(given ? JSON.parse(given) : emptyAs);
+      } catch (e) {
+         onInvalid?.(e as Error);
+         setError(true);
+      }
+   }, 250);
+   const handleBlur = (e) => {
+      try {
+         const formatted = JSON.stringify(value, null, 2);
+         setEditorValue(formatted);
+      } catch (e) {}
+
+      onBlur?.(e);
+   };
+
+   useEffect(() => {
+      if (!editorValue) {
+         setEditorValue(value ? JSON.stringify(value, null, 2) : emptyAs);
+      }
+   }, [value]);
+
    return (
       
          
       
diff --git a/app/src/ui/components/form/Formy/components.tsx b/app/src/ui/components/form/Formy/components.tsx
index 502a844..3ad9146 100644
--- a/app/src/ui/components/form/Formy/components.tsx
+++ b/app/src/ui/components/form/Formy/components.tsx
@@ -28,8 +28,9 @@ export const Group = ({
    return (
        {
+export type ArrayFieldProps = {
+   path?: string;
+   labelAdd?: string;
+   wrapperProps?: Omit;
+};
+
+export const ArrayField = ({
+   path = "",
+   labelAdd = "Add",
+   wrapperProps = { wrapper: "fieldset" },
+}: ArrayFieldProps) => {
    const { setValue, pointer, required, schema, ...ctx } = useDerivedFieldContext(path);
    if (!schema || typeof schema === "undefined") return `ArrayField(${path}): no schema ${pointer}`;
 
    // if unique items with enum
    if (schema.uniqueItems && typeof schema.items === "object" && "enum" in schema.items) {
       return (
-         
+         
              {
    }
 
    return (
-      
+      
          
             {({ value }) =>
                value?.map((v, index: number) => (
@@ -44,17 +54,21 @@ export const ArrayField = ({ path = "" }: { path?: string }) => {
             }
          
          

-            
+            
          

       
    );
 };
 
 const ArrayItem = memo(({ path, index, schema }: any) => {
-   const { value, ...ctx } = useDerivedFieldContext(path, (ctx) => {
+   const {
+      value,
+      path: absolutePath,
+      ...ctx
+   } = useDerivedFieldContext(path, (ctx) => {
       return ctx.value?.[index];
    });
-   const itemPath = suffixPath(path, index);
+   const itemPath = suffixPath(absolutePath, index);
    let subschema = schema.items;
    const itemsMultiSchema = getMultiSchema(schema.items);
    if (itemsMultiSchema) {
@@ -62,10 +76,6 @@ const ArrayItem = memo(({ path, index, schema }: any) => {
       subschema = _subschema;
    }
 
-   const handleUpdate = useEvent((pointer: string, value: any) => {
-      ctx.setValue(pointer, value);
-   });
-
    const handleDelete = useEvent((pointer: string) => {
       ctx.deleteValue(pointer);
    });
@@ -76,21 +86,26 @@ const ArrayItem = memo(({ path, index, schema }: any) => {
    );
 
    return (
-      

-          {
-               handleUpdate(itemPath, coerce(e.target.value, subschema!));
-            }}
-            className="w-full"
-         />
-         {DeleteButton}
-      

+      
+         

+            {/* another wrap is required for primitive schemas */}
+            
+            {DeleteButton}
+         

+      
    );
 }, isEqual);
 
+const AnotherField = (props: Partial) => {
+   const { value } = useFormValue("");
+
+   const inputProps = {
+      // @todo: check, potentially just provide value
+      value: ["string", "number", "boolean"].includes(typeof value) ? value : undefined,
+   };
+   return ;
+};
+
 const ArrayIterator = memo(
    ({ name, children }: any) => {
       return children(useFormValue(name));
@@ -98,19 +113,25 @@ const ArrayIterator = memo(
    (prev, next) => prev.value?.length === next.value?.length,
 );
 
-const ArrayAdd = ({ schema, path }: { schema: JsonSchema; path: string }) => {
+const ArrayAdd = ({
+   schema,
+   path: _path,
+   label = "Add",
+}: { schema: JsonSchema; path: string; label?: string }) => {
    const {
       setValue,
       value: { currentIndex },
+      path,
       ...ctx
-   } = useDerivedFieldContext(path, (ctx) => {
+   } = useDerivedFieldContext(_path, (ctx) => {
       return { currentIndex: ctx.value?.length ?? 0 };
    });
    const itemsMultiSchema = getMultiSchema(schema.items);
+   const options = { addOptionalProps: true };
 
    function handleAdd(template?: any) {
       const newPath = suffixPath(path, currentIndex);
-      setValue(newPath, template ?? ctx.lib.getTemplate(undefined, schema!.items));
+      setValue(newPath, template ?? ctx.lib.getTemplate(undefined, schema!.items, options));
    }
 
    if (itemsMultiSchema) {
@@ -121,14 +142,14 @@ const ArrayAdd = ({ schema, path }: { schema: JsonSchema; path: string }) => {
             }}
             items={itemsMultiSchema.map((s, i) => ({
                label: s!.title ?? `Option ${i + 1}`,
-               onClick: () => handleAdd(ctx.lib.getTemplate(undefined, s!)),
+               onClick: () => handleAdd(ctx.lib.getTemplate(undefined, s!, options)),
             }))}
             onClickItem={console.log}
          >
-            
+            
          
       );
    }
 
-   return ;
+   return ;
 };
diff --git a/app/src/ui/components/form/json-schema-form/Field.tsx b/app/src/ui/components/form/json-schema-form/Field.tsx
index 60351ca..4669022 100644
--- a/app/src/ui/components/form/json-schema-form/Field.tsx
+++ b/app/src/ui/components/form/json-schema-form/Field.tsx
@@ -72,7 +72,7 @@ const FieldImpl = ({
       );
 
    if (isType(schema.type, "object")) {
-      return ;
+      return ;
    }
 
    if (isType(schema.type, "array")) {
@@ -217,14 +217,14 @@ export type CustomFieldProps = {
    ) => React.ReactNode;
 };
 
-export const CustomField = ({
+export function CustomField({
    path: _path,
    valueStrict = true,
    deriveFn,
    children,
-}: CustomFieldProps) => {
+}: CustomFieldProps) {
    const ctx = useDerivedFieldContext(_path, deriveFn);
-   const $value = useFormValue(ctx.path, { strict: valueStrict });
+   const $value = useFormValue(_path, { strict: valueStrict });
    const setValue = (value: any) => ctx.setValue(ctx.path, value);
    return children({ ...ctx, ...$value, setValue, _setValue: ctx.setValue });
-};
+}
diff --git a/app/src/ui/components/form/json-schema-form/FieldWrapper.tsx b/app/src/ui/components/form/json-schema-form/FieldWrapper.tsx
index 784db35..334dfe5 100644
--- a/app/src/ui/components/form/json-schema-form/FieldWrapper.tsx
+++ b/app/src/ui/components/form/json-schema-form/FieldWrapper.tsx
@@ -1,4 +1,4 @@
-import { IconBug } from "@tabler/icons-react";
+import { IconBug, IconInfoCircle } from "@tabler/icons-react";
 import type { JsonSchema } from "json-schema-library";
 import { Children, type ReactElement, type ReactNode, cloneElement, isValidElement } from "react";
 import { IconButton } from "ui/components/buttons/IconButton";
@@ -11,6 +11,8 @@ import {
 } from "ui/components/form/json-schema-form/Form";
 import { Popover } from "ui/components/overlay/Popover";
 import { getLabel } from "./utils";
+import { twMerge } from "tailwind-merge";
+import { Tooltip } from "@mantine/core";
 
 export type FieldwrapperProps = {
    name: string;
@@ -23,8 +25,9 @@ export type FieldwrapperProps = {
    children: ReactElement | ReactNode;
    errorPlacement?: "top" | "bottom";
    description?: string;
-   descriptionPlacement?: "top" | "bottom";
+   descriptionPlacement?: "top" | "bottom" | "label";
    fieldId?: string;
+   className?: string;
 };
 
 export function FieldWrapper({
@@ -38,6 +41,7 @@ export function FieldWrapper({
    descriptionPlacement = "bottom",
    children,
    fieldId,
+   className,
    ...props
 }: FieldwrapperProps) {
    const errors = useFormError(name, { strict: true });
@@ -50,17 +54,23 @@ export function FieldWrapper({
       {errors.map((e) => e.message).join(", ")}
    );
 
-   const Description = description && (
-      
-         {description}
-      
-   );
+   const Description = description ? (
+      ["top", "bottom"].includes(descriptionPlacement) ? (
+         
+            {description}
+         
+      ) : (
+         
+            
+         
+      )
+   ) : null;
 
    return (
        0}
          as={wrapper === "fieldset" ? "fieldset" : "div"}
-         className={hidden ? "hidden" : "relative"}
+         className={twMerge(hidden ? "hidden" : "relative", className)}
       >
          {errorPlacement === "top" && Errors}
          
@@ -69,14 +79,15 @@ export function FieldWrapper({
             
                {label} {required && *}
+               {descriptionPlacement === "label" && Description}
             
          )}
          {descriptionPlacement === "top" && Description}
 
-         

+         

             

                {Children.count(children) === 1 && isValidElement(children)
                   ? cloneElement(children, {
diff --git a/app/src/ui/components/form/json-schema-form/Form.tsx b/app/src/ui/components/form/json-schema-form/Form.tsx
index 274c162..5608796 100644
--- a/app/src/ui/components/form/json-schema-form/Form.tsx
+++ b/app/src/ui/components/form/json-schema-form/Form.tsx
@@ -80,6 +80,7 @@ export function Form<
    onInvalidSubmit,
    validateOn = "submit",
    hiddenSubmit = true,
+   beforeSubmit,
    ignoreKeys = [],
    options = {},
    readOnly = false,
@@ -90,6 +91,7 @@ export function Form<
    initialOpts?: LibTemplateOptions;
    ignoreKeys?: string[];
    onChange?: (data: Partial, name: string, value: any, context: FormContext) => void;
+   beforeSubmit?: (data: Data) => Data;
    onSubmit?: (data: Data) => void | Promise;
    onInvalidSubmit?: (errors: JsonError[], data: Partial) => void;
    hiddenSubmit?: boolean;
@@ -128,7 +130,7 @@ export function Form<
             if (errors.length === 0) {
                await onSubmit(data as Data);
             } else {
-               console.log("invalid", errors);
+               console.error("form: invalid", { data, errors });
                onInvalidSubmit?.(errors, data);
             }
          } catch (e) {
@@ -177,7 +179,8 @@ export function Form<
    });
 
    const validate = useEvent((_data?: Partial) => {
-      const actual = _data ?? getCurrentState()?.data;
+      const before = beforeSubmit ?? ((a: any) => a);
+      const actual = before((_data as any) ?? getCurrentState()?.data);
       const errors = lib.validate(actual, schema);
       setFormState((prev) => ({ ...prev, errors }));
       return { data: actual, errors };
@@ -378,5 +381,5 @@ export function FormDebug({ force = false }: { force?: boolean }) {
    if (options?.debug !== true && force !== true) return null;
    const ctx = useFormStateSelector((s) => s);
 
-   return ;
+   return ;
 }
diff --git a/app/src/ui/components/form/json-schema-form/ObjectField.tsx b/app/src/ui/components/form/json-schema-form/ObjectField.tsx
index 59deceb..748bf23 100644
--- a/app/src/ui/components/form/json-schema-form/ObjectField.tsx
+++ b/app/src/ui/components/form/json-schema-form/ObjectField.tsx
@@ -2,7 +2,8 @@ import { isTypeSchema } from "ui/components/form/json-schema-form/utils";
 import { AnyOfField } from "./AnyOfField";
 import { Field } from "./Field";
 import { FieldWrapper, type FieldwrapperProps } from "./FieldWrapper";
-import { type JSONSchema, useDerivedFieldContext } from "./Form";
+import { type JSONSchema, useDerivedFieldContext, useFormValue } from "./Form";
+import { JsonEditor } from "ui/components/code/JsonEditor";
 
 export type ObjectFieldProps = {
    path?: string;
@@ -11,7 +12,7 @@ export type ObjectFieldProps = {
 };
 
 export const ObjectField = ({ path = "", label: _label, wrapperProps = {} }: ObjectFieldProps) => {
-   const { schema, ...ctx } = useDerivedFieldContext(path);
+   const { schema } = useDerivedFieldContext(path);
    if (!isTypeSchema(schema)) return `ObjectField "${path}": no schema`;
    const properties = Object.entries(schema.properties ?? {}) as [string, JSONSchema][];
 
@@ -24,7 +25,7 @@ export const ObjectField = ({ path = "", label: _label, wrapperProps = {} }: Obj
          {...wrapperProps}
       >
          {properties.length === 0 ? (
-            No properties
+            
          ) : (
             properties.map(([prop, schema]) => {
                const name = [path, prop].filter(Boolean).join(".");
@@ -40,3 +41,9 @@ export const ObjectField = ({ path = "", label: _label, wrapperProps = {} }: Obj
       
    );
 };
+
+export const ObjectJsonField = ({ path }: { path: string }) => {
+   const { value } = useFormValue(path);
+   const { setValue, path: absolutePath } = useDerivedFieldContext(path);
+   return  setValue(absolutePath, value)} />;
+};
diff --git a/app/src/ui/components/form/json-schema-form/utils.ts b/app/src/ui/components/form/json-schema-form/utils.ts
index 333bba3..7b755cf 100644
--- a/app/src/ui/components/form/json-schema-form/utils.ts
+++ b/app/src/ui/components/form/json-schema-form/utils.ts
@@ -67,18 +67,23 @@ export function isRequired(lib: Draft, pointer: string, schema: JsonSchema, data
          return false;
       }
 
-      const childSchema = lib.getSchema({ pointer, data, schema });
-      if (typeof childSchema === "object" && "const" in childSchema) {
-         return true;
+      try {
+         const childSchema = lib.getSchema({ pointer, data, schema });
+         if (typeof childSchema === "object" && "const" in childSchema) {
+            return true;
+         }
+      } catch (e) {
+         return false;
       }
 
       const parentPointer = getParentPointer(pointer);
       const parentSchema = lib.getSchema({ pointer: parentPointer, data });
-      const required = parentSchema?.required?.includes(pointer.split("/").pop()!);
+      const l = pointer.split("/").pop();
+      const required = parentSchema?.required?.includes(l);
 
       return !!required;
    } catch (e) {
-      console.error("isRequired", { pointer, schema, data, e });
+      console.warn("isRequired", { pointer, schema, data, e });
       return false;
    }
 }
diff --git a/app/src/ui/components/form/json-schema/fields/JsonField.tsx b/app/src/ui/components/form/json-schema/fields/JsonField.tsx
index 1517a29..9fd2d5a 100644
--- a/app/src/ui/components/form/json-schema/fields/JsonField.tsx
+++ b/app/src/ui/components/form/json-schema/fields/JsonField.tsx
@@ -10,23 +10,13 @@ export default function JsonField({
    readonly,
    ...props
 }: FieldProps) {
-   const value = JSON.stringify(formData, null, 2);
-
-   function handleChange(data) {
-      try {
-         onChange(JSON.parse(data));
-      } catch (err) {
-         console.error(err);
-      }
-   }
-
    const isDisabled = disabled || readonly;
    const id = props.idSchema.$id;
 
    return (
       

          

    );
 }
diff --git a/app/src/ui/elements/media/Dropzone.tsx b/app/src/ui/elements/media/Dropzone.tsx
index ffaa5df..b7cb384 100644
--- a/app/src/ui/elements/media/Dropzone.tsx
+++ b/app/src/ui/elements/media/Dropzone.tsx
@@ -9,8 +9,8 @@ import {
    useEffect,
    useMemo,
    useRef,
-   useState,
 } from "react";
+import { isFileAccepted } from "bknd/utils";
 import { type FileWithPath, useDropzone } from "./use-dropzone";
 import { checkMaxReached } from "./helper";
 import { DropzoneInner } from "./DropzoneInner";
@@ -173,12 +173,14 @@ export function Dropzone({
 
       return specs.every((spec) => {
          if (spec.kind !== "file") {
-            console.log("not a file", spec.kind);
+            console.warn("file not accepted: not a file", spec.kind);
             return false;
          }
          if (allowedMimeTypes && allowedMimeTypes.length > 0) {
-            console.log("not allowed mimetype", spec.type);
-            return allowedMimeTypes.includes(spec.type);
+            if (!isFileAccepted(i, allowedMimeTypes)) {
+               console.warn("file not accepted: not allowed mimetype", spec.type);
+               return false;
+            }
          }
          return true;
       });
diff --git a/app/src/ui/lib/routes.ts b/app/src/ui/lib/routes.ts
index 7243099..46ed4fb 100644
--- a/app/src/ui/lib/routes.ts
+++ b/app/src/ui/lib/routes.ts
@@ -95,7 +95,7 @@ export function useNavigate() {
                   window.location.href = url;
                   return;
                } else if ("target" in options) {
-                  const _url = window.location.origin + basepath + router.base + url;
+                  const _url = window.location.origin + router.base + url;
                   window.open(_url, options.target);
                   return;
                }
diff --git a/app/src/ui/lib/utils.ts b/app/src/ui/lib/utils.ts
index 1af2c04..29eb301 100644
--- a/app/src/ui/lib/utils.ts
+++ b/app/src/ui/lib/utils.ts
@@ -3,3 +3,30 @@ import { type ClassNameValue, twMerge } from "tailwind-merge";
 export function cn(...inputs: ClassNameValue[]) {
    return twMerge(inputs);
 }
+
+/**
+ * Dynamically import a module from a URL in the browser in a way compatible with all react frameworks (nextjs doesn't support dynamic imports)
+ */
+export async function importDynamicBrowserModule(name: string, url: string): Promise {
+   if (!(window as any)[name]) {
+      const script = document.createElement("script");
+      script.type = "module";
+      script.async = true;
+      script.textContent = `import * as ${name} from '${url}';window.${name} = ${name};`;
+      document.head.appendChild(script);
+
+      // poll for the module to be available
+      const maxAttempts = 50; // 5s
+      let attempts = 0;
+      while (!(window as any)[name] && attempts < maxAttempts) {
+         await new Promise((resolve) => setTimeout(resolve, 100));
+         attempts++;
+      }
+
+      if (!(window as any)[name]) {
+         throw new Error(`Browser module "${name}" failed to load`);
+      }
+   }
+
+   return (window as any)[name] as T;
+}
diff --git a/app/src/ui/modules/data/components/EntityForm.tsx b/app/src/ui/modules/data/components/EntityForm.tsx
index ff778a1..2db0ae9 100644
--- a/app/src/ui/modules/data/components/EntityForm.tsx
+++ b/app/src/ui/modules/data/components/EntityForm.tsx
@@ -3,7 +3,7 @@ import type { FieldApi, ReactFormExtendedApi } from "@tanstack/react-form";
 import type { JSX } from "react";
 import { useStore } from "@tanstack/react-store";
 import { MediaField } from "media/MediaField";
-import { type ComponentProps, Suspense } from "react";
+import { type ComponentProps, Suspense, useState } from "react";
 import { JsonEditor } from "ui/components/code/JsonEditor";
 import * as Formy from "ui/components/form/Formy";
 import { FieldLabel } from "ui/components/form/Formy";
@@ -287,12 +287,14 @@ function EntityJsonFormField({
    field,
    ...props
 }: { fieldApi: TFieldApi; field: JsonField }) {
+   const [error, setError] = useState(null);
    const handleUpdate = useEvent((value: any) => {
+      setError(null);
       fieldApi.handleChange(value);
    });
 
    return (
-      
+      
          
          
             
diff --git a/app/src/ui/routes/auth/auth.roles.edit.$role.tsx b/app/src/ui/routes/auth/auth.roles.edit.$role.tsx
index 7ee4ea6..d24ac9b 100644
--- a/app/src/ui/routes/auth/auth.roles.edit.$role.tsx
+++ b/app/src/ui/routes/auth/auth.roles.edit.$role.tsx
@@ -1,17 +1,48 @@
-import { useRef } from "react";
-import { TbDots } from "react-icons/tb";
 import { useBknd } from "ui/client/bknd";
-import { useBkndAuth } from "ui/client/schema/auth/use-bknd-auth";
-import { Button } from "ui/components/buttons/Button";
-import { IconButton } from "ui/components/buttons/IconButton";
 import { Message } from "ui/components/display/Message";
+import { useBkndAuth } from "ui/client/schema/auth/use-bknd-auth";
+import { useBrowserTitle } from "ui/hooks/use-browser-title";
+import { useState } from "react";
+import { useNavigate } from "ui/lib/routes";
+import { isDebug } from "core/env";
 import { Dropdown } from "ui/components/overlay/Dropdown";
-import * as AppShell from "ui/layouts/AppShell/AppShell";
+import { IconButton } from "ui/components/buttons/IconButton";
+import { TbAdjustments, TbDots, TbFilter, TbTrash, TbInfoCircle, TbCodeDots } from "react-icons/tb";
+import { Button } from "ui/components/buttons/Button";
 import { Breadcrumbs2 } from "ui/layouts/AppShell/Breadcrumbs2";
-import { routes, useNavigate } from "ui/lib/routes";
-import { AuthRoleForm, type AuthRoleFormRef } from "ui/routes/auth/forms/role.form";
+import { routes } from "ui/lib/routes";
+import * as AppShell from "ui/layouts/AppShell/AppShell";
+import * as Formy from "ui/components/form/Formy";
+import { ucFirst, s, transformObject, isObject, autoFormatString } from "bknd/utils";
+import type { ModuleSchemas } from "bknd";
+import {
+   CustomField,
+   Field,
+   FieldWrapper,
+   Form,
+   FormContextOverride,
+   FormDebug,
+   ObjectJsonField,
+   Subscribe,
+   useDerivedFieldContext,
+   useFormContext,
+   useFormError,
+   useFormValue,
+} from "ui/components/form/json-schema-form";
+import type { TPermission } from "auth/authorize/Permission";
+import type { RoleSchema } from "auth/authorize/Role";
+import { SegmentedControl, Tooltip } from "@mantine/core";
+import { Popover } from "ui/components/overlay/Popover";
+import { cn } from "ui/lib/utils";
+import { JsonViewer } from "ui/components/code/JsonViewer";
+import { mountOnce, useApiQuery } from "ui/client";
+import { CodePreview } from "ui/components/code/CodePreview";
+import type { JsonError } from "json-schema-library";
+import { Alert } from "ui/components/display/Alert";
 
 export function AuthRolesEdit(props) {
+   useBrowserTitle(["Auth", "Roles", props.params.role]);
+
    const { hasSecrets } = useBknd({ withSecrets: true });
    if (!hasSecrets) {
       return ;
@@ -20,32 +51,69 @@ export function AuthRolesEdit(props) {
    return ;
 }
 
-function AuthRolesEditInternal({ params }) {
+// currently for backward compatibility
+function getSchema(authSchema: ModuleSchemas["auth"]) {
+   const roles = authSchema.properties.roles.additionalProperties;
+   return {
+      ...roles,
+      properties: {
+         ...roles.properties,
+         permissions: {
+            ...roles.properties.permissions.anyOf[1],
+         },
+      },
+   };
+}
+
+const formConfig = {
+   options: {
+      debug: isDebug(),
+   },
+};
+
+function AuthRolesEditInternal({ params }: { params: { role: string } }) {
    const [navigate] = useNavigate();
-   const { config, actions } = useBkndAuth();
+   const { config, schema: authSchema, actions } = useBkndAuth();
+   const [error, setError] = useState();
    const roleName = params.role;
    const role = config.roles?.[roleName];
-   const formRef = useRef(null);
-   const { readonly } = useBknd();
+   const { readonly, permissions } = useBknd();
+   const schema = getSchema(authSchema);
+   const data = {
+      ...role,
+      // this is to maintain array structure
+      permissions: permissions.map((p) => {
+         return role?.permissions?.find((v: any) => v.permission === p.name);
+      }),
+   };
 
-   async function handleUpdate() {
-      console.log("data", formRef.current?.isValid());
-      if (!formRef.current?.isValid()) return;
-      const data = formRef.current?.getData();
-      const success = await actions.roles.patch(roleName, data);
+   async function handleDelete() {
+      const success = await actions.roles.delete(roleName);
       if (success) {
          navigate(routes.auth.roles.list());
       }
    }
-
-   async function handleDelete() {
-      if (await actions.roles.delete(roleName)) {
-         navigate(routes.auth.roles.list());
-      }
+   async function handleUpdate(data: any) {
+      setError(undefined);
+      await actions.roles.patch(roleName, data);
    }
 
    return (
-      <>
+      
 {
+            return {
+               ...data,
+               permissions: [...Object.values(data.permissions).filter(Boolean)],
+            };
+         }}
+         onSubmit={handleUpdate}
+         onInvalidSubmit={(errors) => {
+            setError(errors);
+         }}
+      >
          
@@ -69,9 +137,23 @@ function AuthRolesEditInternal({ params }) {
                      
                   
                   {!readonly && (
-                     
+                      ({
+                           dirty: state.dirty,
+                           errors: state.errors.length > 0,
+                           submitting: state.submitting,
+                        })}
+                     >
+                        {({ dirty, errors, submitting }) => (
+                           
+                        )}
+                     
                   )}
                
             }
@@ -85,8 +167,368 @@ function AuthRolesEditInternal({ params }) {
             />
          
          
-            
+            {error && }
+            

+               

+                  
+               

+
+               

+                  
+                  
+               

+            

+            
          
-      
+      

    );
 }
+
+type PermissionsData = Exclude;
+type PermissionData = PermissionsData[number];
+
+const Permissions = () => {
+   const { permissions } = useBknd();
+
+   const grouped = permissions.reduce(
+      (acc, permission, index) => {
+         const [group, name] = permission.name.split(".") as [string, string];
+         if (!acc[group]) acc[group] = [];
+         acc[group].push({ index, permission });
+         return acc;
+      },
+      {} as Record,
+   );
+
+   return (
+      

+         {Object.entries(grouped).map(([group, rows]) => {
+            return (
+               

+                  
{ucFirst(group)} Permissions

+                  

+                     {rows.map(({ index, permission }) => (
+                        
+                     ))}
+                  

+               

+            );
+         })}
+      

+   );
+};
+
+const Permission = ({ permission, index }: { permission: TPermission; index?: number }) => {
+   const path = `permissions.${index}`;
+   const { value } = useDerivedFieldContext("permissions", (ctx) => {
+      const v = ctx.value;
+      if (!Array.isArray(v)) return undefined;
+      const v2 = v.find((v) => v && v.permission === permission.name);
+      return {
+         set: !!v2,
+         policies: (v2?.policies?.length ?? 0) as number,
+      };
+   });
+   const { setValue } = useFormContext();
+   const [open, setOpen] = useState(false);
+   const policiesCount = value?.policies ?? 0;
+   const isSet = value?.set ?? false;
+
+   async function handleSwitch() {
+      if (isSet) {
+         setValue(path, undefined);
+         setOpen(false);
+      } else {
+         setValue(path, {
+            permission: permission.name,
+            policies: [],
+            effect: "allow",
+         });
+      }
+   }
+
+   function toggleOpen() {
+      setOpen((o) => !o);
+   }
+
+   return (
+      <>
+         

+            

+               

+                  {permission.name}
+                  {permission.filterable && (
+                     
+                        
+                     
+                  )}
+               

+               

+               

+                  

+                     {policiesCount > 0 && (
+                        

+                           {policiesCount}
+                        

+                     )}
+                     
+                  

+                  
+               

+            

+            {open && (
+               

+                  
+               

+            )}
+         

+      
+   );
+};
+
+const Policies = ({ path, permission }: { path: string; permission: TPermission }) => {
+   const {
+      setValue,
+      schema: policySchema,
+      lib,
+      deleteValue,
+      value,
+   } = useDerivedFieldContext(path, ({ value }) => {
+      return {
+         policies: (value?.length ?? 0) as number,
+      };
+   });
+   const policiesCount = value?.policies ?? 0;
+
+   function handleAdd() {
+      setValue(
+         `${path}.${policiesCount}`,
+         lib.getTemplate(undefined, policySchema!.items, {
+            addOptionalProps: true,
+         }),
+      );
+   }
+
+   function handleDelete(index: number) {
+      deleteValue(`${path}.${index}`);
+   }
+
+   return (
+      
 0 && "gap-8")}>
+         

+            {policiesCount > 0 &&
+               Array.from({ length: policiesCount }).map((_, i) => (
+                  
+                     {i > 0 && 
}
+                     

+                        

+                           
+                        

+                         handleDelete(i)} size="sm" />
+                     

+                  
+               ))}
+         

+         

+            
+         

+      

+   );
+};
+
+const mergeSchemas = (...schemas: object[]) => {
+   return s.allOf(schemas.filter(Boolean).map(s.fromSchema));
+};
+
+function replaceEntitiesEnum(schema: Record, entities: string[]) {
+   if (!isObject(schema) || !Array.isArray(entities) || entities.length === 0) return schema;
+   return transformObject(schema, (sub, name) => {
+      if (name === "properties") {
+         return transformObject(sub as Record, (propConfig, propKey) => {
+            if (propKey === "entity" && propConfig.type === "string") {
+               return {
+                  ...propConfig,
+                  enum: entities,
+               };
+            }
+            return propConfig;
+         });
+      }
+      return sub;
+   });
+}
+
+const Policy = ({
+   permission,
+}: {
+   permission: TPermission;
+}) => {
+   const { value } = useDerivedFieldContext("", ({ value }) => ({
+      effect: (value?.effect ?? "allow") as "allow" | "deny" | "filter",
+   }));
+   const $bknd = useBknd();
+   const $permissions = useApiQuery((api) => api.system.permissions(), {
+      use: [mountOnce],
+   });
+   const entities = Object.keys($bknd.config.data.entities ?? {});
+   const ctx = $permissions.data
+      ? mergeSchemas(
+           $permissions.data.context,
+           replaceEntitiesEnum(permission.context ?? null, entities),
+        )
+      : undefined;
+
+   return (
+      

+         
+
+         
+            
+         
+
+         
+            {({ value, setValue }) => (
+               
+                   setValue(value)}
+                     data={
+                        ["allow", "deny", permission.filterable ? "filter" : undefined]
+                           .filter(Boolean)
+                           .map((effect) => ({
+                              label: ucFirst(effect ?? ""),
+                              value: effect,
+                           })) as any
+                     }
+                  />
+               
+            )}
+         
+
+         {value?.effect === "filter" && (
+            
+               
+            
+         )}
+      

+   );
+};
+
+const CustomFieldWrapper = ({
+   children,
+   name,
+   label,
+   description,
+   schema,
+}: {
+   children: React.ReactNode;
+   name: string;
+   label: string;
+   description: string;
+   schema?: {
+      name: string;
+      content: string | object;
+   };
+}) => {
+   const errors = useFormError(name, { strict: true });
+   const Errors = errors.length > 0 && (
+      {errors.map((e) => e.message).join(", ")}
+   );
+
+   return (
+      
+         
+            

+               {label}
+               {description && (
+                  
+                     
+                  
+               )}
+            

+            {schema && (
+               

+                  
+                        typeof schema.content === "object" ? (
+                           
+                        ) : (
+                           
+                        )
+                     }
+                  >
+                     
+                  
+               

+            )}
+         
+         {children}
+         {Errors}
+      
+   );
+};
diff --git a/app/src/ui/routes/auth/auth.roles.tsx b/app/src/ui/routes/auth/auth.roles.tsx
index 59c7e22..75793fe 100644
--- a/app/src/ui/routes/auth/auth.roles.tsx
+++ b/app/src/ui/routes/auth/auth.roles.tsx
@@ -12,8 +12,21 @@ import { CellValue, DataTable } from "../../components/table/DataTable";
 import * as AppShell from "../../layouts/AppShell/AppShell";
 import { routes, useNavigate } from "../../lib/routes";
 import { useBknd } from "ui/client/bknd";
+import { useBrowserTitle } from "ui/hooks/use-browser-title";
+import { Message } from "ui/components/display/Message";
 
-export function AuthRolesList() {
+export function AuthRolesList(props) {
+   useBrowserTitle(["Auth", "Roles"]);
+
+   const { hasSecrets } = useBknd({ withSecrets: true });
+   if (!hasSecrets) {
+      return ;
+   }
+
+   return ;
+}
+
+function AuthRolesListInternal() {
    const [navigate] = useNavigate();
    const { config, actions } = useBkndAuth();
    const { readonly } = useBknd();
@@ -21,7 +34,10 @@ export function AuthRolesList() {
    const data = Object.values(
       transformObject(config.roles ?? {}, (role, name) => ({
          role: name,
-         permissions: role.permissions,
+         permissions: role.permissions?.map((p) => p.permission) as string[],
+         policies: role.permissions
+            ?.flatMap((p) => p.policies?.length ?? 0)
+            .reduce((acc, curr) => acc + curr, 0),
          is_default: role.is_default ?? false,
          implicit_allow: role.implicit_allow ?? false,
       })),
@@ -94,6 +110,9 @@ const renderValue = ({ value, property }) => {
    if (["is_default", "implicit_allow"].includes(property)) {
       return value ? Yes : No;
    }
+   if (property === "policies") {
+      return value ? {value} : 0;
+   }
 
    if (property === "permissions") {
       const max = 3;
diff --git a/app/src/ui/routes/auth/forms/role.form.tsx b/app/src/ui/routes/auth/forms/role.form.tsx
index 0a16d2d..d1b7f51 100644
--- a/app/src/ui/routes/auth/forms/role.form.tsx
+++ b/app/src/ui/routes/auth/forms/role.form.tsx
@@ -34,7 +34,11 @@ export const AuthRoleForm = forwardRef<
       getValues,
    } = useForm({
       resolver: standardSchemaResolver(schema),
-      defaultValues: role,
+      defaultValues: {
+         ...role,
+         // compat
+         permissions: role?.permissions?.map((p) => p.permission),
+      },
    });
 
    useImperativeHandle(ref, () => ({
@@ -47,7 +51,7 @@ export const AuthRoleForm = forwardRef<
       

          

             {/*
Role Permissions
*/}
-            
+             p.name)} />
          

          

             ,
    );
 
-   console.log("grouped", grouped);
-   //console.log("fieldState", fieldState, value);
    return (
       

          {Object.entries(grouped).map(([group, permissions]) => {
@@ -121,7 +123,7 @@ const Permissions = ({
                   
{ucFirst(group)} Permissions

                   

                      {permissions.map((permission) => {
-                        const selected = data.includes(permission);
+                        const selected = data.includes(permission as any);
                         return (
                            

                               

diff --git a/app/src/ui/routes/data/_data.root.tsx b/app/src/ui/routes/data/_data.root.tsx
index fb4bc2f..ba27bf9 100644
--- a/app/src/ui/routes/data/_data.root.tsx
+++ b/app/src/ui/routes/data/_data.root.tsx
@@ -215,7 +215,9 @@ const EntityContextMenu = ({
             href && {
                icon: IconExternalLink,
                label: "Open in tab",
-               onClick: () => navigate(href, { target: "_blank" }),
+               onClick: () => {
+                  navigate(href, { target: "_blank", absolute: true });
+               },
             },
             separator,
             !$data.system(entity.name).any && {
diff --git a/app/src/ui/routes/data/data.$entity.$id.tsx b/app/src/ui/routes/data/data.$entity.$id.tsx
index a21d444..bb238bf 100644
--- a/app/src/ui/routes/data/data.$entity.$id.tsx
+++ b/app/src/ui/routes/data/data.$entity.$id.tsx
@@ -301,7 +301,11 @@ function EntityDetailInner({
 
    // @todo: add custom key for invalidation
    const $q = useApiQuery(
-      (api) => api.data.readManyByReference(entity.name, id, other.reference, search),
+      (api) =>
+         api.data.readManyByReference(entity.name, id, other.reference, {
+            ...search,
+            limit: search.limit + 1 /* overfetch for softscan=false */,
+         }),
       {
          keepPreviousData: true,
          revalidateOnFocus: true,
@@ -320,7 +324,6 @@ function EntityDetailInner({
             navigate(routes.data.entity.create(other.entity.name), {
                query: ref.where,
             });
-            //navigate(routes.data.entity.create(other.entity.name) + `?${query}`);
          };
       }
    } catch (e) {}
@@ -330,6 +333,7 @@ function EntityDetailInner({
    }
 
    const isUpdating = $q.isValidating || $q.isLoading;
+   const meta = $q.data?.body.meta;
 
    return (
       
 {
                setSearch((s) => ({
                   ...s,
diff --git a/app/src/ui/routes/settings/routes/auth.settings.tsx b/app/src/ui/routes/settings/routes/auth.settings.tsx
index 6432570..a5faf5f 100644
--- a/app/src/ui/routes/settings/routes/auth.settings.tsx
+++ b/app/src/ui/routes/settings/routes/auth.settings.tsx
@@ -63,10 +63,10 @@ export const AuthSettings = ({ schema: _unsafe_copy, config }) => {
    } catch (e) {}
    console.log("_s", _s);
    const roleSchema = _schema.properties.roles?.additionalProperties ?? { type: "object" };
-   if (_s.permissions) {
+   /* if (_s.permissions) {
       roleSchema.properties.permissions.items.enum = _s.permissions;
       roleSchema.properties.permissions.uniqueItems = true;
-   }
+   } */
 
    return (
       
diff --git a/app/src/ui/routes/test/index.tsx b/app/src/ui/routes/test/index.tsx
index 71bb87f..95681fd 100644
--- a/app/src/ui/routes/test/index.tsx
+++ b/app/src/ui/routes/test/index.tsx
@@ -27,6 +27,7 @@ import SortableTest from "./tests/sortable-test";
 import { SqlAiTest } from "./tests/sql-ai-test";
 import Themes from "./tests/themes";
 import ErrorBoundary from "ui/components/display/ErrorBoundary";
+import CodeEditorTest from "./tests/code-editor-test";
 
 const tests = {
    DropdownTest,
@@ -52,6 +53,7 @@ const tests = {
    JsonSchemaForm3,
    FormyTest,
    HtmlFormTest,
+   CodeEditorTest,
 } as const;
 
 export default function TestRoutes() {
diff --git a/app/src/ui/routes/test/tests/code-editor-test.tsx b/app/src/ui/routes/test/tests/code-editor-test.tsx
new file mode 100644
index 0000000..99bcee1
--- /dev/null
+++ b/app/src/ui/routes/test/tests/code-editor-test.tsx
@@ -0,0 +1,13 @@
+import { useState } from "react";
+import { JsonEditor } from "ui/components/code/JsonEditor";
+import { JsonViewer } from "ui/components/code/JsonViewer";
+
+export default function CodeEditorTest() {
+   const [value, setValue] = useState({});
+   return (
+      

+         
+         
+      

+   );
+}
diff --git a/app/src/ui/routes/test/tests/json-schema-form3.tsx b/app/src/ui/routes/test/tests/json-schema-form3.tsx
index 401ab1f..f1d219c 100644
--- a/app/src/ui/routes/test/tests/json-schema-form3.tsx
+++ b/app/src/ui/routes/test/tests/json-schema-form3.tsx
@@ -56,6 +56,14 @@ const authSchema = {
    },
 } as const satisfies JSONSchema;
 
+const objectCodeSchema = {
+   type: "object",
+   properties: {
+      name: { type: "string" },
+      config: { type: "object", properties: {} },
+   },
+};
+
 const formOptions = {
    debug: true,
 };
@@ -77,6 +85,45 @@ export default function JsonSchemaForm3() {
             {/* 
 */}
 
             
+            
+
+            
+
+            {/* 
+            /> */}
 
             {/* console.log("change", data)}
diff --git a/app/src/ui/routes/tools/mcp/mcp.tsx b/app/src/ui/routes/tools/mcp/mcp.tsx
index c06668b..ccde4c6 100644
--- a/app/src/ui/routes/tools/mcp/mcp.tsx
+++ b/app/src/ui/routes/tools/mcp/mcp.tsx
@@ -39,7 +39,7 @@ export default function ToolsMcp() {
                

                   
                   

-                     
+                     
                         {window.location.origin + mcpPath}
                      
                   

diff --git a/app/src/ui/routes/tools/mcp/tools.tsx b/app/src/ui/routes/tools/mcp/tools.tsx
index d439fc1..6c475dd 100644
--- a/app/src/ui/routes/tools/mcp/tools.tsx
+++ b/app/src/ui/routes/tools/mcp/tools.tsx
@@ -12,6 +12,7 @@ import * as Formy from "ui/components/form/Formy";
 import { appShellStore } from "ui/store";
 import { Icon } from "ui/components/display/Icon";
 import { useMcpClient } from "./hooks/use-mcp-client";
+import { Tooltip } from "@mantine/core";
 
 export function Sidebar({ open, toggle }) {
    const client = useMcpClient();
@@ -48,7 +49,11 @@ export function Sidebar({ open, toggle }) {
          toggle={toggle}
          renderHeaderRight={() => (
             

-               {error && }
+               {error && (
+                  
+                     
+                  
+               )}
                
                   {tools.length}
                
diff --git a/app/tsconfig.json b/app/tsconfig.json
index 55264d4..10260b4 100644
--- a/app/tsconfig.json
+++ b/app/tsconfig.json
@@ -33,7 +33,9 @@
       "bknd": ["./src/index.ts"],
       "bknd/utils": ["./src/core/utils/index.ts"],
       "bknd/adapter": ["./src/adapter/index.ts"],
-      "bknd/client": ["./src/ui/client/index.ts"]
+      "bknd/adapter/*": ["./src/adapter/*/index.ts"],
+      "bknd/client": ["./src/ui/client/index.ts"],
+      "bknd/modes": ["./src/modes/index.ts"]
     }
   },
   "include": [
diff --git a/bun.lock b/bun.lock
index 8b5995e..fa63422 100644
--- a/bun.lock
+++ b/bun.lock
@@ -15,7 +15,7 @@
     },
     "app": {
       "name": "bknd",
-      "version": "0.18.0-rc.6",
+      "version": "0.18.1",
       "bin": "./dist/cli/index.js",
       "dependencies": {
         "@cfworker/json-schema": "^4.1.1",
@@ -35,7 +35,7 @@
         "hono": "4.8.3",
         "json-schema-library": "10.0.0-rc7",
         "json-schema-to-ts": "^3.1.1",
-        "jsonv-ts": "0.8.4",
+        "jsonv-ts": "0.9.1",
         "kysely": "0.27.6",
         "lodash-es": "^4.17.21",
         "oauth4webapi": "^2.11.1",
@@ -1243,7 +1243,7 @@
 
     "@types/babel__traverse": ["@types/babel__traverse@7.20.6", "", { "dependencies": { "@babel/types": "^7.20.7" } }, "sha512-r1bzfrm0tomOI8g1SzvCaQHo6Lcv6zu0EA+W2kHrt8dyrHQxGzBBL4kdkzIS+jBMV+EYcMAEAqXqYaLJq5rOZg=="],
 
-    "@types/bun": ["@types/bun@1.2.21", "", { "dependencies": { "bun-types": "1.2.21" } }, "sha512-NiDnvEqmbfQ6dmZ3EeUO577s4P5bf4HCTXtI6trMc6f6RzirY5IrF3aIookuSpyslFzrnvv2lmEWv5HyC1X79A=="],
+    "@types/bun": ["@types/bun@1.3.1", "", { "dependencies": { "bun-types": "1.3.1" } }, "sha512-4jNMk2/K9YJtfqwoAa28c8wK+T7nvJFOjxI4h/7sORWcypRNxBpr+TPNaCfVWq70tLCJsqoFwcf0oI0JU/fvMQ=="],
 
     "@types/cookie": ["@types/cookie@0.6.0", "", {}, "sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA=="],
 
@@ -2529,7 +2529,7 @@
 
     "jsonpointer": ["jsonpointer@5.0.1", "", {}, "sha512-p/nXbhSEcu3pZRdkW1OfJhpsVtW1gd4Wa1fnQc9YLiTfAjn0312eMKimbdIQzuZl9aa9xUGaRlP9T/CJE/ditQ=="],
 
-    "jsonv-ts": ["jsonv-ts@0.8.4", "", { "optionalDependencies": { "hono": "*" }, "peerDependencies": { "typescript": "^5.0.0" } }, "sha512-TZOyAVGBZxHuzk09NgJCx2dbeh0XqVWVKHU1PtIuvjT9XO7zhvAD02RcVisJoUdt2rJNt3zlyeNQ2b8MMPc+ug=="],
+    "jsonv-ts": ["jsonv-ts@0.9.1", "", { "optionalDependencies": { "hono": "*" }, "peerDependencies": { "typescript": "^5.0.0" } }, "sha512-sQZn7kdSMK9m3hLWvTLyNk2zCUmte2lVWIcK02633EwMosk/VAdRgpMyfMDMV6/ZzSMI0/SwevkUbkxdGQrWtg=="],
 
     "jsonwebtoken": ["jsonwebtoken@9.0.2", "", { "dependencies": { "jws": "^3.2.2", "lodash.includes": "^4.3.0", "lodash.isboolean": "^3.0.3", "lodash.isinteger": "^4.0.4", "lodash.isnumber": "^3.0.3", "lodash.isplainobject": "^4.0.6", "lodash.isstring": "^4.0.1", "lodash.once": "^4.0.0", "ms": "^2.1.1", "semver": "^7.5.4" } }, "sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ=="],
 
@@ -3847,6 +3847,8 @@
 
     "@bknd/plasmic/typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
 
+    "@bknd/postgres/@types/bun": ["@types/bun@1.2.21", "", { "dependencies": { "bun-types": "1.2.21" } }, "sha512-NiDnvEqmbfQ6dmZ3EeUO577s4P5bf4HCTXtI6trMc6f6RzirY5IrF3aIookuSpyslFzrnvv2lmEWv5HyC1X79A=="],
+
     "@bknd/sqlocal/typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
 
     "@bundled-es-modules/cookie/cookie": ["cookie@0.7.2", "", {}, "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w=="],
@@ -4093,7 +4095,7 @@
 
     "@testing-library/jest-dom/chalk": ["chalk@3.0.0", "", { "dependencies": { "ansi-styles": "^4.1.0", "supports-color": "^7.1.0" } }, "sha512-4D3B6Wf41KOYRFdszmDqMCGq5VV/uMAB273JILmO+3jAlh8X4qDtdtgCR3fxtbLEMzSx22QdhnDcJvu2u1fVwg=="],
 
-    "@types/bun/bun-types": ["bun-types@1.2.21", "", { "dependencies": { "@types/node": "*" }, "peerDependencies": { "@types/react": "^19" } }, "sha512-sa2Tj77Ijc/NTLS0/Odjq/qngmEPZfbfnOERi0KRUYhT9R8M4VBioWVmMWE5GrYbKMc+5lVybXygLdibHaqVqw=="],
+    "@types/bun/bun-types": ["bun-types@1.3.1", "", { "dependencies": { "@types/node": "*" }, "peerDependencies": { "@types/react": "^19" } }, "sha512-NMrcy7smratanWJ2mMXdpatalovtxVggkj11bScuWuiOoXTiKIu2eVS1/7qbyI/4yHedtsn175n4Sm4JcdHLXw=="],
 
     "@typescript-eslint/experimental-utils/eslint-utils": ["eslint-utils@2.1.0", "", { "dependencies": { "eslint-visitor-keys": "^1.1.0" } }, "sha512-w94dQYoauyvlDc43XnGB8lU3Zt713vNChgt4EWwhXAP2XkBvndfxF0AgIqKOOasjPIPzj9JqgwkwbCYD0/V3Zg=="],
 
@@ -4701,6 +4703,8 @@
 
     "@babel/preset-env/babel-plugin-polyfill-regenerator/@babel/helper-define-polyfill-provider": ["@babel/helper-define-polyfill-provider@0.6.3", "", { "dependencies": { "@babel/helper-compilation-targets": "^7.22.6", "@babel/helper-plugin-utils": "^7.22.5", "debug": "^4.1.1", "lodash.debounce": "^4.0.8", "resolve": "^1.14.2" }, "peerDependencies": { "@babel/core": "^7.4.0 || ^8.0.0-0 <8.0.0" } }, "sha512-HK7Bi+Hj6H+VTHA3ZvBis7V/6hu9QuTrnMXNybfUf2iiuU/N97I8VjB+KbhFF8Rld/Lx5MzoCwPCpPjfK+n8Cg=="],
 
+    "@bknd/postgres/@types/bun/bun-types": ["bun-types@1.2.21", "", { "dependencies": { "@types/node": "*" }, "peerDependencies": { "@types/react": "^19" } }, "sha512-sa2Tj77Ijc/NTLS0/Odjq/qngmEPZfbfnOERi0KRUYhT9R8M4VBioWVmMWE5GrYbKMc+5lVybXygLdibHaqVqw=="],
+
     "@bundled-es-modules/tough-cookie/tough-cookie/universalify": ["universalify@0.2.0", "", {}, "sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg=="],
 
     "@cloudflare/unenv-preset/workerd/@cloudflare/workerd-darwin-64": ["@cloudflare/workerd-darwin-64@1.20250917.0", "", { "os": "darwin", "cpu": "x64" }, "sha512-0kL/kFnKUSycoo7b3PgM0nRyZ+1MGQAKaXtE6a2+SAeUkZ2FLnuFWmASi0s4rlWGsf/rlTw4AwXROePir9dUcQ=="],
diff --git a/docker/Dockerfile b/docker/Dockerfile
index c946b6a..71c2716 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,15 +1,13 @@
 # Stage 1: Build stage
 FROM node:24 as builder
-
 WORKDIR /app
 
 # define bknd version to be used as:
 # `docker build --build-arg VERSION= -t bknd .`
-ARG VERSION=0.17.1
+ARG VERSION=0.18.0
 
 # Install & copy required cli
 RUN npm install --omit=dev bknd@${VERSION}
-RUN mkdir /output && cp -r node_modules/bknd/dist /output/dist
 
 # Stage 2: Final minimal image
 FROM node:24-alpine
@@ -19,14 +17,14 @@ WORKDIR /app
 # Install required dependencies
 RUN npm install -g pm2
 RUN echo '{"type":"module"}' > package.json
-RUN npm install jsonv-ts @libsql/client
+
+# Copy dist and node_modules from builder
+COPY --from=builder /app/node_modules/bknd/dist ./dist
+COPY --from=builder /app/node_modules ./node_modules
 
 # Create volume and init args
 VOLUME /data
 ENV DEFAULT_ARGS="--db-url file:/data/data.db"
 
-# Copy output from builder
-COPY --from=builder /output/dist ./dist
-
 EXPOSE 1337
 CMD ["pm2-runtime", "dist/cli/index.js run ${ARGS:-${DEFAULT_ARGS}} --no-open"]
diff --git a/docs/content/docs/(documentation)/extending/plugins.mdx b/docs/content/docs/(documentation)/extending/plugins.mdx
index 1ab0fa1..850629d 100644
--- a/docs/content/docs/(documentation)/extending/plugins.mdx
+++ b/docs/content/docs/(documentation)/extending/plugins.mdx
@@ -239,7 +239,25 @@ Now you can add query parameters for the transformations, e.g. `?width=1000&heig
   }}
 />
 
-
-
+### `timestamps`
+
+A plugin that adds `created_at` and `updated_at` fields to the specified entities.
+
+```typescript title="bknd.config.ts"
+import { timestamps } from "bknd/plugins";
+
+export default {
+   options: {
+      plugins: [
+         timestamps({ 
+            // the entities to add timestamps to
+            entities: ["pages"],
+            // whether to set the `updated_at` field on create, defaults to true
+            setUpdatedOnCreate: true,
+         })
+      ],
+   },
+} satisfies BkndConfig;
+```
 
 
diff --git a/docs/content/docs/(documentation)/integration/(runtimes)/deno.mdx b/docs/content/docs/(documentation)/integration/(runtimes)/deno.mdx
new file mode 100644
index 0000000..dbebcaa
--- /dev/null
+++ b/docs/content/docs/(documentation)/integration/(runtimes)/deno.mdx
@@ -0,0 +1,141 @@
+---
+title: "Deno"
+description: "Run bknd inside Deno"
+tags: ["documentation"]
+---
+
+## Installation
+
+To get started with Deno and bknd you can either install the package manually, and follow the descriptions below, or use the CLI starter:
+
+### CLI Starter
+
+Create a new Deno CLI starter project by running the following command:
+
+```sh
+deno run npm:bknd create -i deno
+```
+
+### Manual
+
+Deno is fully supported as a runtime for bknd. If you plan to solely use the API, the setup is pretty straightforward.
+
+```ts title="main.ts"
+import { createAdapterApp } from "npm:bknd/adapter";
+
+const app = await createAdapterApp({
+   connection: {
+      url: "file:data.db",
+   },
+});
+
+export default {
+   fetch: app.fetch,
+};
+```
+
+## Serve the Admin UI
+
+In order to also serve the static assets of the admin UI, you have 3 choices:
+
+1. Use the `serveStaticViaImport` function to serve the static assets from the `bknd` package directly. Requires unstable `raw-imports`, but it's the easiest way to serve the static assets.
+2. Copy the static assets to your local project and use Hono's `serveStatic` middleware.
+3. Use the `adminOptions.assetsPath` property to point to a remote address with the static assets.
+
+### `serveStaticViaImport`
+
+The `serveStaticViaImport` function is a middleware that serves the static assets from the `bknd` package directly using dynamic raw imports. It requires the unstable `raw-imports` feature to be enabled. You can enable it by adding the following to your `deno.json`:
+
+```json title="deno.json"
+{
+   "unstable": ["raw-imports"]
+}
+```
+
+Or by using the `--unstable-raw-imports` flag when running your script. Now create a `main.ts` file to serve the API and static assets:
+
+```ts title="main.ts"
+import { createRuntimeApp, serveStaticViaImport } from "bknd/adapter";
+
+const app = await createRuntimeApp({
+   connection: {
+      url: "file:data.db",
+   },
+   serveStatic: serveStaticViaImport()
+});
+
+export default {
+   fetch: app.fetch,
+};
+```
+
+In case you don't want to point your bknd dependency to the latest version, either add an `imports` section to your `deno.json` file:
+
+```json title="deno.json"
+{
+   "imports": {
+      "bknd": "npm:bknd@" // [!code highlight]
+   }
+}
+```
+
+Or specify the package with the version specified to the `serveStaticViaImport` function:
+
+```ts
+const app = await createRuntimeApp({
+   serveStatic: serveStaticViaImport({
+      package: "bknd@", // [!code highlight]
+   }),
+});
+```
+
+Replace `` with the version you want to use.
+
+### `serveStatic` from local files
+
+You can also serve the static assets from your local project by using Hono's `serveStatic` middleware. You can do so by copying the static assets to your local project and using the `serveStatic` middleware. First, you have to copy the static assets, by running the following command:
+
+```bash
+deno run npm:bknd copy-assets --out public
+```
+
+This will copy the static assets to the `public` directory and then serve them from there:
+
+```ts title="main.ts"
+import { createRuntimeApp, serveStatic } from "bknd/adapter";
+import { serveStatic } from "npm:hono/deno";
+
+const app = await createRuntimeApp({
+   connection: {
+      url: "file:data.db",
+   },
+   serveStatic: serveStatic({
+      root: "./public",
+   }),
+});
+
+export default {
+   fetch: app.fetch,
+};
+```
+
+### `adminOptions.assetsPath`
+
+You can also use the `adminOptions.assetsPath` property to point to a remote address with the static assets. This is useful in case none of the other methods work for you.
+
+```ts title="main.ts"
+import { createRuntimeApp } from "bknd/adapter";
+
+const app = await createRuntimeApp({
+   connection: {
+      url: "file:data.db",
+   },
+   adminOptions: {
+      assetsPath: "https://...",
+   },
+});
+
+export default {
+   fetch: app.fetch,
+};
+```
\ No newline at end of file
diff --git a/docs/content/docs/(documentation)/integration/(runtimes)/meta.json b/docs/content/docs/(documentation)/integration/(runtimes)/meta.json
index 9083adc..33c50b3 100644
--- a/docs/content/docs/(documentation)/integration/(runtimes)/meta.json
+++ b/docs/content/docs/(documentation)/integration/(runtimes)/meta.json
@@ -1,3 +1,3 @@
 {
-  "pages": ["node", "bun", "cloudflare", "aws", "docker"]
+  "pages": ["node", "bun", "cloudflare", "deno", "aws", "docker"]
 }
diff --git a/docs/content/docs/(documentation)/integration/introduction.mdx b/docs/content/docs/(documentation)/integration/introduction.mdx
index 6d67d94..6330208 100644
--- a/docs/content/docs/(documentation)/integration/introduction.mdx
+++ b/docs/content/docs/(documentation)/integration/introduction.mdx
@@ -61,6 +61,12 @@ If you prefer to use a runtime instead of a framework, you can choose from the f
   href="/integration/cloudflare"
 />
 
+}
+  title="Deno"
+  href="/integration/deno"
+/>
+
 }
   title="AWS Lambda"
diff --git a/docs/content/docs/(documentation)/start.mdx b/docs/content/docs/(documentation)/start.mdx
index 8e664c6..91bfdd7 100644
--- a/docs/content/docs/(documentation)/start.mdx
+++ b/docs/content/docs/(documentation)/start.mdx
@@ -97,6 +97,12 @@ Start by using the integration guide for these popular frameworks/runtimes. Ther
   href="/integration/bun"
 />
 
+}
+  title="Deno"
+  href="/integration/deno"
+/>
+
 }
   title="AWS Lambda"
diff --git a/docs/content/docs/(documentation)/usage/introduction.mdx b/docs/content/docs/(documentation)/usage/introduction.mdx
index ebac844..adf6810 100644
--- a/docs/content/docs/(documentation)/usage/introduction.mdx
+++ b/docs/content/docs/(documentation)/usage/introduction.mdx
@@ -41,15 +41,23 @@ await app.build();
 export default app;
 ```
 
-In Web API compliant environments, all you have to do is to default exporting the app, as it
-implements the `Fetch` API.
+In Web API compliant environments, all you have to do is to default exporting the app, as it implements the `Fetch` API. In case an explicit `fetch` export is needed, you can use the `app.fetch` property.
+
+```typescript
+const app = /* ... */;
+export default {
+  fetch: app.fetch,
+}
+```
+
+Check the integration details for your specific runtime or framework in the [integration](/integration/introduction) section.
 
 ## Modes
 
 Main project goal is to provide a backend that can be configured visually with the built-in Admin UI. However, you may instead want to configure your backend programmatically, and define your data structure with a Drizzle-like API:
 
 
-  }>
+  }>
      This is the default mode, it allows visual configuration and saves the configuration to the database. Expects you to deploy your backend separately from your frontend.
   
   }>
@@ -117,6 +125,11 @@ export default {
 } satisfies BkndConfig;
 ```
 
+
+  Note that when using the default UI-mode, the initial configuration using the `config` property will only be applied if the database is empty.
+
+
+
 ### Code-only mode
 
 This mode allows you to configure your backend programmatically, and define your data structure with a Drizzle-like API. Visual configuration controls are disabled. 
@@ -150,6 +163,8 @@ export default {
 } satisfies BkndConfig;
 ```
 
+Unlike the UI-only mode, the configuration passed to `config` is always applied. In case you make data structure changes, you may need to sync the schema to the database manually, e.g. using the [sync command](/usage/cli#syncing-the-database-sync).
+
 ### Hybrid mode
 
 This mode allows you to configure your backend visually while in development, and uses the produced configuration in a code-only mode for maximum performance. It gives you the best of both worlds.
@@ -183,5 +198,71 @@ To keep your config, secrets and types in sync, you can either use the CLI or th
 | Types          | [`syncTypes`](/extending/plugins/#synctypes)                          | [`types`](/usage/cli/#generating-types-types)     |
 
 
+## Mode helpers
 
+To make the setup using your preferred mode easier, there are mode helpers for [`code`](/usage/introduction#code-only-mode) and [`hybrid`](/usage/introduction#hybrid-mode) modes. 
 
+* built-in syncing of config, types and secrets
+* let bknd automatically sync the data schema in development
+* automatically switch modes in hybrid (from db to code) in production
+* automatically skip config validation in production to boost performance
+
+To use it, you have to wrap your configuration in a mode helper, e.g. for `code` mode using the Bun adapter:
+
+```typescript title="bknd.config.ts"
+import { code, type CodeMode } from "bknd/modes";
+import { type BunBkndConfig, writer } from "bknd/adapter/bun";
+
+const config = {
+   // some normal bun bknd config
+   connection: { url: "file:test.db" },
+   // ...
+   // a writer is required, to sync the types
+   writer,
+   // (optional) mode specific config
+   isProduction: Bun.env.NODE_ENV === "production",
+   typesFilePath: "bknd-types.d.ts",
+   // (optional) e.g. have the schema synced if !isProduction
+   syncSchema: {
+      force: true,
+      drop: true,
+   }
+} satisfies CodeMode;
+
+export default code(config);
+```
+
+Similarily, for `hybrid` mode:
+
+```typescript title="bknd.config.ts"
+import { hybrid, type HybridMode } from "bknd/modes";
+import { type BunBkndConfig, writer, reader } from "bknd/adapter/bun";
+
+const config = {
+   // some normal bun bknd config
+   connection: { url: "file:test.db" },
+   // ...
+   // reader/writer are required, to sync the types and config
+   writer,
+   reader,
+   // supply secrets
+   secrets: await Bun.file(".env.local").json(),
+   // (optional) mode specific config
+   isProduction: Bun.env.NODE_ENV === "production",
+   typesFilePath: "bknd-types.d.ts",
+   configFilePath: "bknd-config.json",
+   // (optional) and have them automatically written if !isProduction
+   syncSecrets: {
+      outFile: ".env.local",
+      format: "env",
+      includeSecrets: true,
+   },
+   // (optional) also have the schema synced if !isProduction
+   syncSchema: {
+      force: true,
+      drop: true,
+   },
+} satisfies HybridMode;
+
+export default hybrid(config);
+```
\ No newline at end of file
diff --git a/docs/content/docs/(documentation)/usage/mcp/tools-resources.mdx b/docs/content/docs/(documentation)/usage/mcp/tools-resources.mdx
index 78e1b45..40a7e97 100644
--- a/docs/content/docs/(documentation)/usage/mcp/tools-resources.mdx
+++ b/docs/content/docs/(documentation)/usage/mcp/tools-resources.mdx
@@ -24,7 +24,7 @@ Get the available authentication strategies
 
 Create a new user
 
-
+
 
 ### `auth_user_password_change`
 
@@ -48,61 +48,61 @@ Get a user token
 
 Delete many
 
-
+
 
 ### `data_entity_delete_one`
 
 Delete one
 
-
+
 
 ### `data_entity_fn_count`
 
 Count entities
 
-
+
 
 ### `data_entity_fn_exists`
 
 Check if entity exists
 
-
+
 
 ### `data_entity_info`
 
 Retrieve entity info
 
-
+
 
 ### `data_entity_insert`
 
 Insert one or many
 
-
+
 
 ### `data_entity_read_many`
 
 Query entities
 
-
+
 
 ### `data_entity_read_one`
 
 Read one
 
-
+
 
 ### `data_entity_update_many`
 
 Update many
 
-
+
 
 ### `data_entity_update_one`
 
 Update one
 
-
+
 
 ### `data_sync`
 
@@ -110,6 +110,12 @@ Sync database schema
 
 
 
+### `data_types`
+
+Retrieve data typescript definitions
+
+
+
 ### `system_build`
 
 Build the app
@@ -144,7 +150,7 @@ Ping the server
 
 
 
-
+
 
 ### `config_auth_roles_get`
 
@@ -162,7 +168,7 @@ Ping the server
 
 
 
-
+
 
 ### `config_auth_strategies_add`
 
@@ -192,7 +198,7 @@ Ping the server
 
 
 
-
+
 
 ### `config_data_entities_add`
 
@@ -306,7 +312,7 @@ Get Server configuration
 
 Update Server configuration
 
-
+
    
 
 ## Resources
diff --git a/docs/mcp.json b/docs/mcp.json
index 7075b1e..afd9b12 100644
--- a/docs/mcp.json
+++ b/docs/mcp.json
@@ -612,6 +612,13 @@
         "destructiveHint": true
       }
     },
+    {
+      "name": "data_types",
+      "description": "Retrieve data typescript definitions",
+      "inputSchema": {
+        "type": "object"
+      }
+    },
     {
       "name": "system_build",
       "description": "Build the app",
@@ -714,10 +721,66 @@
             "additionalProperties": false,
             "properties": {
               "permissions": {
-                "type": "array",
-                "items": {
-                  "type": "string"
-                }
+                "anyOf": [
+                  {
+                    "type": "array",
+                    "items": {
+                      "type": "string"
+                    }
+                  },
+                  {
+                    "type": "array",
+                    "items": {
+                      "type": "object",
+                      "additionalProperties": false,
+                      "properties": {
+                        "permission": {
+                          "type": "string"
+                        },
+                        "effect": {
+                          "type": "string",
+                          "enum": [
+                            "allow",
+                            "deny"
+                          ],
+                          "default": "allow"
+                        },
+                        "policies": {
+                          "type": "array",
+                          "items": {
+                            "type": "object",
+                            "additionalProperties": false,
+                            "properties": {
+                              "description": {
+                                "type": "string"
+                              },
+                              "condition": {
+                                "type": "object",
+                                "properties": {}
+                              },
+                              "effect": {
+                                "type": "string",
+                                "enum": [
+                                  "allow",
+                                  "deny",
+                                  "filter"
+                                ],
+                                "default": "allow"
+                              },
+                              "filter": {
+                                "type": "object",
+                                "properties": {}
+                              }
+                            }
+                          }
+                        }
+                      },
+                      "required": [
+                        "permission"
+                      ]
+                    }
+                  }
+                ]
               },
               "is_default": {
                 "type": "boolean"
@@ -810,10 +873,66 @@
             "additionalProperties": false,
             "properties": {
               "permissions": {
-                "type": "array",
-                "items": {
-                  "type": "string"
-                }
+                "anyOf": [
+                  {
+                    "type": "array",
+                    "items": {
+                      "type": "string"
+                    }
+                  },
+                  {
+                    "type": "array",
+                    "items": {
+                      "type": "object",
+                      "additionalProperties": false,
+                      "required": [
+                        "permission"
+                      ],
+                      "properties": {
+                        "permission": {
+                          "type": "string"
+                        },
+                        "effect": {
+                          "type": "string",
+                          "enum": [
+                            "allow",
+                            "deny"
+                          ],
+                          "default": "allow"
+                        },
+                        "policies": {
+                          "type": "array",
+                          "items": {
+                            "type": "object",
+                            "additionalProperties": false,
+                            "properties": {
+                              "description": {
+                                "type": "string"
+                              },
+                              "condition": {
+                                "type": "object",
+                                "properties": {}
+                              },
+                              "effect": {
+                                "type": "string",
+                                "enum": [
+                                  "allow",
+                                  "deny",
+                                  "filter"
+                                ],
+                                "default": "allow"
+                              },
+                              "filter": {
+                                "type": "object",
+                                "properties": {}
+                              }
+                            }
+                          }
+                        }
+                      }
+                    }
+                  }
+                ]
               },
               "is_default": {
                 "type": "boolean"
@@ -1062,6 +1181,9 @@
                 "type": "object",
                 "additionalProperties": false,
                 "properties": {
+                  "domain": {
+                    "type": "string"
+                  },
                   "path": {
                     "type": "string",
                     "default": "/"
@@ -4067,6 +4189,20 @@
                   "path": {
                     "type": "string",
                     "default": "/api/system/mcp"
+                  },
+                  "logLevel": {
+                    "type": "string",
+                    "enum": [
+                      "emergency",
+                      "alert",
+                      "critical",
+                      "error",
+                      "warning",
+                      "notice",
+                      "info",
+                      "debug"
+                    ],
+                    "default": "warning"
                   }
                 }
               }
diff --git a/examples/.gitignore b/examples/.gitignore
index f0f60a6..d305846 100644
--- a/examples/.gitignore
+++ b/examples/.gitignore
@@ -1,2 +1,5 @@
 */package-lock.json
-*/bun.lock
\ No newline at end of file
+*/bun.lock
+*/deno.lock
+*/node_modules
+*/*.db
\ No newline at end of file
diff --git a/examples/deno/deno.json b/examples/deno/deno.json
new file mode 100644
index 0000000..6e8656b
--- /dev/null
+++ b/examples/deno/deno.json
@@ -0,0 +1,11 @@
+{
+  "nodeModulesDir": "auto",
+  "tasks": {
+    "dev": "deno serve -A --watch main.ts"
+  },
+  "imports": {
+    "bknd": "npm:bknd@0.19.0-rc.1"
+  },
+  "links": ["../../app/"],
+  "unstable": ["raw-imports"]
+}
diff --git a/examples/deno/main.ts b/examples/deno/main.ts
index 58e052f..68aba30 100644
--- a/examples/deno/main.ts
+++ b/examples/deno/main.ts
@@ -1,14 +1,12 @@
-import { createRuntimeApp } from "bknd/adapter";
+import { createRuntimeApp, serveStaticViaImport } from "bknd/adapter";
 
 const app = await createRuntimeApp({
    connection: {
       url: "file:./data.db",
    },
-   adminOptions: {
-      // currently needs a hosted version of the static assets
-      assetsPath: "https://cdn.bknd.io/bknd/static/0.15.0-rc.9/",
-   },
+   serveStatic: serveStaticViaImport(),
 });
 
-// @ts-ignore
-Deno.serve(app.fetch);
+export default {
+   fetch: app.fetch,
+};
diff --git a/examples/deno/package.json b/examples/deno/package.json
deleted file mode 100644
index 97faf72..0000000
--- a/examples/deno/package.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-  "name": "bknd-deno-example",
-  "private": true,
-  "dependencies": {
-    "bknd": "file:../../app"
-  }
-}