@aeriajs/core 0.0.185 → 0.0.187

package/dist/collection/traverseDocument.d.ts

@@ -4,7 +4,7 @@ import { ObjectId } from 'mongodb';
 export type TraverseOptionsBase = {
     autoCast?: boolean;
     validate?: boolean;
-    validateRequired?: Description['required'];
+    validateWholeness?: boolean | 'deep';
     fromProperties?: boolean;
     allowOperators?: boolean;
     undefinedToNull?: boolean;

package/dist/collection/traverseDocument.js

@@ -28,6 +28,7 @@ const types_1 = require("@aeriajs/types");
 const common_1 = require("@aeriajs/common");
 const validation_1 = require("@aeriajs/validation");
 const entrypoint_1 = require("@aeriajs/entrypoint");
+const security_1 = require("@aeriajs/security");
 const mongodb_1 = require("mongodb");
 const assets_js_1 = require("../assets.js");
 const context_js_1 = require("../context.js");
@@ -191,6 +192,9 @@ const isValidTempFile = (value) => {
     return !!(value === undefined
         || value === null);
 };
+const isMissingPropertyError = (error) => {
+    return 'code' in error && error.code === types_1.ValidationErrorCode.MissingProperties;
+};
 const moveFiles = async (value, ctx) => {
     if (!('$ref' in ctx.property) || ctx.property.$ref !== 'file') {
         return value;
@@ -229,6 +233,12 @@ const recurseDeep = async (value, ctx) => {
         return value;
     }
     if ('properties' in ctx.property) {
+        if (ctx.options.validateWholeness) {
+            const wholenessError = (0, validation_1.validateWholeness)(value, ctx.property);
+            if (wholenessError) {
+                return types_1.Result.error(wholenessError);
+            }
+        }
         const { error, result } = await recurse(value, ctx);
         if (error) {
             return types_1.Result.error(error);
@@ -296,20 +306,20 @@ const recurse = async (target, ctx) => {
                 continue;
             }
         }
-        if (!property) {
-            if (value && (value.constructor === Object || value.constructor === Array)) {
-                // if first propName is preceded by '$' we assume
-                // it contains MongoDB query operators
-                if (Object.keys(value)[0]?.startsWith('$')) {
+        if (value && typeof value === 'object') {
+            for (const key in value) {
+                if (key.startsWith('$')) {
                     if (!ctx.options.allowOperators) {
                         return types_1.Result.error(types_1.ACError.InsecureOperator);
                     }
-                    entries.push([
-                        propName,
-                        value,
-                    ]);
-                    continue;
+                    if (security_1.INSECURE_OPERATORS.includes(key)) {
+                        return types_1.Result.error(types_1.ACError.InsecureOperator);
+                    }
                 }
+            }
+        }
+        if (!property) {
+            if (value && (value.constructor === Object || value.constructor === Array)) {
                 if (Array.isArray(value)) {
                     const operations = [];
                     for (const operation of value) {
@@ -340,7 +350,7 @@ const recurse = async (target, ctx) => {
                 value,
             ]);
         }
-        if (property) {
+        else {
             if (!ctx.options.preserveHidden && property.hidden) {
                 continue;
             }
@@ -413,7 +423,9 @@ const traverseDocument = async (what, description, _options) => {
         return types_1.Result.result(what);
     }
     const whatCopy = Object.assign({}, what);
-    const options = Object.assign({}, _options);
+    const options = Object.assign({
+        description,
+    }, _options);
     const functions = [];
     if (!options.validate && Object.keys(whatCopy).length === 0) {
         return types_1.Result.result(whatCopy);
@@ -428,13 +440,11 @@ const traverseDocument = async (what, description, _options) => {
         functions.push(getters);
     }
     if (options.validate) {
-        const descriptionCopy = Object.assign({}, description);
-        if (options.validateRequired) {
-            descriptionCopy.required = options.validateRequired;
-        }
-        const wholenessError = (0, validation_1.validateWholeness)(whatCopy, descriptionCopy);
-        if (wholenessError) {
-            return types_1.Result.error(wholenessError);
+        if (options.validateWholeness === true) {
+            const wholenessError = (0, validation_1.validateWholeness)(whatCopy, options.description);
+            if (wholenessError) {
+                return types_1.Result.error(wholenessError);
+            }
         }
         functions.push(validate);
     }
@@ -444,8 +454,7 @@ const traverseDocument = async (what, description, _options) => {
     if ('moveFiles' in options && options.moveFiles) {
         functions.push(moveFiles);
     }
-    let traverseError;
-    let validationError;
+    let traverseError, validationError;
     const mutateTarget = (fn) => {
         return async (value, ctx) => {
             const result = await fn(value, ctx);
@@ -453,7 +462,6 @@ const traverseDocument = async (what, description, _options) => {
             return result;
         };
     };
-    options.description = description;
     Object.assign(options, {
         pipe: (0, common_1.pipe)(functions.map(mutateTarget), {
             returnFirst: (value) => {
@@ -464,8 +472,9 @@ const traverseDocument = async (what, description, _options) => {
                         case types_1.TraverseError.InvalidTempfile:
                             traverseError = error;
                             break;
-                        default:
+                        default: {
                             validationError = error;
+                        }
                     }
                     return value;
                 }
@@ -485,6 +494,9 @@ const traverseDocument = async (what, description, _options) => {
         return types_1.Result.error(traverseError);
     }
     if (validationError) {
+        if (isMissingPropertyError(validationError)) {
+            return types_1.Result.error(validationError);
+        }
         return types_1.Result.error((0, validation_1.makeValidationError)({
             code: types_1.ValidationErrorCode.InvalidProperties,
             errors: validationError,

package/dist/collection/traverseDocument.mjs

@@ -3,6 +3,7 @@ import { Result, ACError, ValidationErrorCode, TraverseError } from "@aeriajs/ty
 import { throwIfError, pipe, isReference, getReferenceProperty, getValueFromPath, isError } from "@aeriajs/common";
 import { makeValidationError, validateProperty, validateWholeness } from "@aeriajs/validation";
 import { getCollection } from "@aeriajs/entrypoint";
+import { INSECURE_OPERATORS } from "@aeriajs/security";
 import { ObjectId } from "mongodb";
 import { getCollectionAsset } from "../assets.mjs";
 import { createContext } from "../context.mjs";
@@ -158,6 +159,9 @@ const isValidTempFile = (value) => {
   }
   return !!(value === void 0 || value === null);
 };
+const isMissingPropertyError = (error) => {
+  return "code" in error && error.code === ValidationErrorCode.MissingProperties;
+};
 const moveFiles = async (value, ctx) => {
   if (!("$ref" in ctx.property) || ctx.property.$ref !== "file") {
     return value;
@@ -196,6 +200,12 @@ const recurseDeep = async (value, ctx) => {
     return value;
   }
   if ("properties" in ctx.property) {
+    if (ctx.options.validateWholeness) {
+      const wholenessError = validateWholeness(value, ctx.property);
+      if (wholenessError) {
+        return Result.error(wholenessError);
+      }
+    }
     const { error, result } = await recurse(value, ctx);
     if (error) {
       return Result.error(error);
@@ -260,18 +270,20 @@ const recurse = async (target, ctx) => {
         continue;
       }
     }
-    if (!property) {
-      if (value && (value.constructor === Object || value.constructor === Array)) {
-        if (Object.keys(value)[0]?.startsWith("$")) {
+    if (value && typeof value === "object") {
+      for (const key in value) {
+        if (key.startsWith("$")) {
           if (!ctx.options.allowOperators) {
             return Result.error(ACError.InsecureOperator);
           }
-          entries.push([
-            propName,
-            value
-          ]);
-          continue;
+          if (INSECURE_OPERATORS.includes(key)) {
+            return Result.error(ACError.InsecureOperator);
+          }
         }
+      }
+    }
+    if (!property) {
+      if (value && (value.constructor === Object || value.constructor === Array)) {
         if (Array.isArray(value)) {
           const operations = [];
           for (const operation of value) {
@@ -301,8 +313,7 @@ const recurse = async (target, ctx) => {
         propName,
         value
       ]);
-    }
-    if (property) {
+    } else {
       if (!ctx.options.preserveHidden && property.hidden) {
         continue;
       }
@@ -371,7 +382,9 @@ export const traverseDocument = async (what, description, _options) => {
     return Result.result(what);
   }
   const whatCopy = Object.assign({}, what);
-  const options = Object.assign({}, _options);
+  const options = Object.assign({
+    description
+  }, _options);
   const functions = [];
   if (!options.validate && Object.keys(whatCopy).length === 0) {
     return Result.result(whatCopy);
@@ -386,13 +399,11 @@ export const traverseDocument = async (what, description, _options) => {
     functions.push(getters);
   }
   if (options.validate) {
-    const descriptionCopy = Object.assign({}, description);
-    if (options.validateRequired) {
-      descriptionCopy.required = options.validateRequired;
-    }
-    const wholenessError = validateWholeness(whatCopy, descriptionCopy);
-    if (wholenessError) {
-      return Result.error(wholenessError);
+    if (options.validateWholeness === true) {
+      const wholenessError = validateWholeness(whatCopy, options.description);
+      if (wholenessError) {
+        return Result.error(wholenessError);
+      }
     }
     functions.push(validate);
   }
@@ -402,8 +413,7 @@ export const traverseDocument = async (what, description, _options) => {
   if ("moveFiles" in options && options.moveFiles) {
     functions.push(moveFiles);
   }
-  let traverseError;
-  let validationError;
+  let traverseError, validationError;
   const mutateTarget = (fn) => {
     return async (value, ctx) => {
       const result2 = await fn(value, ctx);
@@ -411,7 +421,6 @@ export const traverseDocument = async (what, description, _options) => {
       return result2;
     };
   };
-  options.description = description;
   Object.assign(options, {
     pipe: pipe(functions.map(mutateTarget), {
       returnFirst: (value) => {
@@ -422,8 +431,9 @@ export const traverseDocument = async (what, description, _options) => {
             case TraverseError.InvalidTempfile:
               traverseError = error2;
               break;
-            default:
+            default: {
               validationError = error2;
+            }
           }
           return value;
         }
@@ -443,6 +453,9 @@ export const traverseDocument = async (what, description, _options) => {
     return Result.error(traverseError);
   }
   if (validationError) {
+    if (isMissingPropertyError(validationError)) {
+      return Result.error(validationError);
+    }
     return Result.error(makeValidationError({
       code: ValidationErrorCode.InvalidProperties,
       errors: validationError

package/dist/functions/get.js

@@ -16,11 +16,20 @@ const internalGet = async (payload, context) => {
     const refMap = await (0, index_js_1.getReferences)(context.description.properties, {
         memoize: context.description.$id,
     });
+    const { error: filtersError, result: traversedFilters } = await (0, index_js_1.traverseDocument)(filters, context.description, {
+        autoCast: true,
+        allowOperators: true,
+    });
+    if (filtersError) {
+        switch (filtersError) {
+            case types_1.ACError.InsecureOperator: return context.error(types_1.HTTPStatus.Forbidden, {
+                code: filtersError,
+            });
+            default: throw new Error;
+        }
+    }
     pipeline.push({
-        $match: (0, common_1.throwIfError)(await (0, index_js_1.traverseDocument)(filters, context.description, {
-            autoCast: true,
-            allowOperators: true,
-        })),
+        $match: traversedFilters,
     });
     if (project) {
         const projection = (0, index_js_1.normalizeProjection)(project, context.description);

package/dist/functions/get.mjs

@@ -22,11 +22,22 @@ const internalGet = async (payload, context) => {
   const refMap = await getReferences(context.description.properties, {
     memoize: context.description.$id
   });
+  const { error: filtersError, result: traversedFilters } = await traverseDocument(filters, context.description, {
+    autoCast: true,
+    allowOperators: true
+  });
+  if (filtersError) {
+    switch (filtersError) {
+      case ACError.InsecureOperator:
+        return context.error(HTTPStatus.Forbidden, {
+          code: filtersError
+        });
+      default:
+        throw new Error();
+    }
+  }
   pipeline.push({
-    $match: throwIfError(await traverseDocument(filters, context.description, {
-      autoCast: true,
-      allowOperators: true
-    }))
+    $match: traversedFilters
   });
   if (project) {
     const projection = normalizeProjection(project, context.description);

package/dist/functions/getAll.js

@@ -39,12 +39,21 @@ const internalGetAll = async (payload, context) => {
             $sort: preferredSort,
         });
     }
+    const { error: filtersError, result: traversedFilters } = await (0, index_js_1.traverseDocument)(filters, context.description, {
+        autoCast: true,
+        allowOperators: true,
+    });
+    if (filtersError) {
+        switch (filtersError) {
+            case types_1.ACError.InsecureOperator: return context.error(types_1.HTTPStatus.Forbidden, {
+                code: filtersError,
+            });
+            default: throw new Error;
+        }
+    }
     if (Object.keys(filters).length > 0) {
         pipeline.push({
-            $match: (0, common_1.throwIfError)(await (0, index_js_1.traverseDocument)(filters, context.description, {
-                autoCast: true,
-                allowOperators: true,
-            })),
+            $match: traversedFilters,
         });
     }
     if (offset > 0) {

package/dist/functions/getAll.mjs

@@ -1,6 +1,6 @@
 "use strict";
 import { useSecurity, applyReadMiddlewares } from "@aeriajs/security";
-import { HTTPStatus, Result } from "@aeriajs/types";
+import { ACError, HTTPStatus, Result } from "@aeriajs/types";
 import { throwIfError } from "@aeriajs/common";
 import {
   traverseDocument,
@@ -39,12 +39,23 @@ const internalGetAll = async (payload, context) => {
       $sort: preferredSort
     });
   }
+  const { error: filtersError, result: traversedFilters } = await traverseDocument(filters, context.description, {
+    autoCast: true,
+    allowOperators: true
+  });
+  if (filtersError) {
+    switch (filtersError) {
+      case ACError.InsecureOperator:
+        return context.error(HTTPStatus.Forbidden, {
+          code: filtersError
+        });
+      default:
+        throw new Error();
+    }
+  }
   if (Object.keys(filters).length > 0) {
     pipeline.push({
-      $match: throwIfError(await traverseDocument(filters, context.description, {
-        autoCast: true,
-        allowOperators: true
-      }))
+      $match: traversedFilters
     });
   }
   if (offset > 0) {

package/dist/functions/insert.js

@@ -41,15 +41,15 @@ const internalInsert = async (payload, context) => {
     const { error, result: what } = await (0, index_js_1.traverseDocument)(payload.what, context.description, {
         recurseDeep: true,
         autoCast: true,
-        validate: true,
-        validateRequired: isUpdate
-            ? []
-            : context.description.required,
         moveFiles: true,
         cleanupReferences: true,
-        fromProperties: !isUpdate,
         undefinedToNull: true,
         preserveHidden: true,
+        validate: true,
+        validateWholeness: isUpdate
+            ? 'deep'
+            : true,
+        fromProperties: !isUpdate,
         context,
     });
     if (error) {

package/dist/functions/insert.mjs

@@ -38,13 +38,13 @@ const internalInsert = async (payload, context) => {
   const { error, result: what } = await traverseDocument(payload.what, context.description, {
     recurseDeep: true,
     autoCast: true,
-    validate: true,
-    validateRequired: isUpdate ? [] : context.description.required,
     moveFiles: true,
     cleanupReferences: true,
-    fromProperties: !isUpdate,
     undefinedToNull: true,
     preserveHidden: true,
+    validate: true,
+    validateWholeness: isUpdate ? "deep" : true,
+    fromProperties: !isUpdate,
     context
   });
   if (error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aeriajs/core",
-  "version": "0.0.185",
+  "version": "0.0.187",
   "description": "",
   "main": "dist/index.js",
   "aeriaMain": "tests/fixtures/aeriaMain.js",
@@ -42,13 +42,13 @@
     "mongodb-memory-server": "^9.2.0"
   },
   "peerDependencies": {
-    "@aeriajs/builtins": "^0.0.185",
-    "@aeriajs/common": "^0.0.113",
-    "@aeriajs/entrypoint": "^0.0.116",
-    "@aeriajs/http": "^0.0.127",
-    "@aeriajs/security": "^0.0.185",
-    "@aeriajs/types": "^0.0.96",
-    "@aeriajs/validation": "^0.0.116"
+    "@aeriajs/builtins": "^0.0.187",
+    "@aeriajs/common": "^0.0.114",
+    "@aeriajs/entrypoint": "^0.0.117",
+    "@aeriajs/http": "^0.0.128",
+    "@aeriajs/security": "^0.0.187",
+    "@aeriajs/types": "^0.0.97",
+    "@aeriajs/validation": "^0.0.117"
   },
   "dependencies": {
     "mongodb": "^6.5.0",
@@ -59,8 +59,8 @@
   },
   "scripts": {
     "test": "vitest run",
-    "lint": "eslint src",
-    "lint:fix": "eslint src --fix",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
     "build": "pnpm build:cjs && pnpm build:esm",
     "build:cjs": "tsc",
     "build:esm": "esbuild './src/**/*.ts' --outdir=dist --out-extension:.js=.mjs && pnpm build:esm-transform",