User Entity Schema

[artemdemo]

Note

Description

This PR adds local User entity support to the dev server, replacing the previous behavior of proxying /User requests to production. The authenticated user is now automatically seeded into an in-memory user collection on startup, and a dedicated router handles User CRUD operations locally with production-compatible semantics. The validator is also refactored from a return-value pattern to throw-based errors for cleaner call sites.

Related Issue

None

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Other (please describe):

Changes Made

• User entity local support: Database.load() now seeds a user collection pre-populated with the current authenticated user's info (email, name, role, etc.), eliminating the need to proxy /User calls to production
• New entities-user-router.ts: Dedicated Express router for /User endpoints — GET by id or "me", PUT for "me" only, POST/DELETE/bulk as no-ops matching production behavior
• Validator refactored to throw: Validator.validate() now throws EntityValidationError instead of returning a ValidationResponse object; all call sites and tests updated accordingly
• Entity name normalization: Collection and schema lookups now normalize entity names to lowercase via normalizeName()
• Bearer token middleware: Added global authorization check in main.ts requiring a Bearer token on all requests
• Shared utils.ts: Extracted stripInternalFields and getNowISOTimestamp helpers into a shared dev-server/utils.ts module
• File restructure: routes/entities.ts renamed to routes/entities/entities-router.ts; remoteProxy dependency removed from createEntityRoutes

Testing

• I have tested these changes locally
• I have added/updated tests as needed
• All tests pass (npm test)

Checklist

• My code follows the project's style guidelines
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (if applicable)
• My changes generate no new warnings
• I have updated docs/ (AGENTS.md) if I made architectural changes

Additional Notes

The User entity is treated as a built-in collection with reserved fields (full_name, email). If an app defines a custom User entity schema containing these fields, loading will throw an error at startup to prevent conflicts. The POST /User endpoint silently returns a fake record (matching production behavior where direct user creation is not permitted).

---

_{🤖 Generated by Claude | 2026-03-18 12:45 UTC}

[github-actions]

🚀 Package Preview Available!

---

Install this PR's preview build with npm:

npm i @base44-preview/cli@0.0.45-pr.406.b61b272

Prefer not to change any import paths? Install using npm alias so your code still imports base44:

npm i "base44@npm:@base44-preview/cli@0.0.45-pr.406.b61b272"

Or add it to your package.json dependencies:

{
  "dependencies": {
    "base44": "npm:@base44-preview/cli@0.0.45-pr.406.b61b272"
  }
}

• 📦 Preview Package: @base44-preview/cli@0.0.45-pr.406.b61b272
• 🔗 View this commit on GitHub

---

_{Preview published to npm registry — try new features instantly!}

[artemdemo]

Not related to my PR, but started to fail for me.
Ignoring

[artemdemo]

Validator is now throwing an error, instead of returning object that describes the error.
Updating tests to handle it.
Here and below.

[artemdemo]

I found that it's more convenient to throw the error, rather than return an object that describes the error.
So I decided to refactor it a bit.

[artemdemo]

Behind the scenes production is treating entity name as case-insensitive: "User" and "user" are the same.

[kfirstri]

Looks good, i'm not sure i understand some stuff in the entities-user-router..
Also, can we resolve the user with the auth token and not with readAuth somehow? I see we added a check to assert the api calls has a Bearer.. so maybe we can parse the token?

[kfirstri]

So every request to the dev-server must have an authorization header. Is this also how the apper/ backend works? It won't allow anonymous calls at all?

[kfirstri]

Wont the request at this point will have a authorization token that we can read some user data from? then we don't need the readAuth call

[kfirstri]

I don't understand this whole POST / endpoint .. we're validating the developing (since we're using readAuth), and if we found the developer account we just return an object, but not really save it? so basically it's just a mock.. but production also does not allow it?

[kfirstri]

Is this a noop endpoint because we just don't want to support it? can't we just delete it and it will return 404?

[kfirstri]

If this is really how we will get the developer account (raising it again - do we have it as an auth header maybe?), then this is the 3rd time we're doing this in this file, so maybe refactor to another function

[kfirstri]

This error looks weird, no need to use USER_COLLECTION inside the url that we're printing

[kfirstri]

IF the user can only update himself and not others, shouldn't we return some errors? this is how apper behaves? :S

[kfirstri]

same question like in /bulk route, maybe we can just remove it? what does "direct call" mean?

[kfirstri]

"role" is also a built-in field https://docs.base44.com/developers/backend/resources/entities/user-schema#built-in-fields