@atscript/moost-db 0.1.62 → 0.1.63

package/dist/index.cjs

@@ -691,6 +691,42 @@ let AsReadableController = class AsReadableController {
 		const idx = url.indexOf("?");
 		return (0, _uniqu_url.parseUrl)(idx >= 0 ? url.slice(idx + 1) : "");
 	}
+	/**
+	* Parse a URL keeping only `$*` control keywords; report whether any
+	* non-control parts were present. Used by `/one` routes where the
+	* uniquery lexer cannot tokenise PK values containing `-` and other
+	* reserved chars, so non-control parts must be stripped before lexing.
+	* `/one/:id` rejects stray filter params with 400 via `hasNonControl`;
+	* `/one` (composite) ignores it because the composite-key params have
+	* already been extracted via `@Query()`.
+	*/
+	parseControlsOnlyFromUrl(url) {
+		const idx = url.indexOf("?");
+		const qs = idx >= 0 ? url.slice(idx + 1) : "";
+		if (!qs) return {
+			parsed: (0, _uniqu_url.parseUrl)(""),
+			hasNonControl: false
+		};
+		const kept = [];
+		let hasNonControl = false;
+		for (const part of qs.split("&")) {
+			if (!part) continue;
+			const eq = part.indexOf("=");
+			const rawKey = eq === -1 ? part : part.slice(0, eq);
+			let key;
+			try {
+				key = decodeURIComponent(rawKey);
+			} catch {
+				key = rawKey;
+			}
+			if (key.startsWith("$")) kept.push(part);
+			else hasNonControl = true;
+		}
+		return {
+			parsed: (0, _uniqu_url.parseUrl)(kept.join("&")),
+			hasNonControl
+		};
+	}
 	async returnOne(result) {
 		const item = await result;
 		if (!item) return new _moostjs_event_http.HttpError(404);
@@ -1298,9 +1334,9 @@ let AsDbReadableController = class AsDbReadableController extends AsReadableCont
 	* **GET /one/:id** — retrieves a single record by ID or unique property.
 	*/
 	async getOne(id, url) {
-		const parsed = this.parseQueryString(url);
+		const { parsed, hasNonControl } = this.parseControlsOnlyFromUrl(url);
+		if (hasNonControl) return new _moostjs_event_http.HttpError(400, "Filtering is not allowed for \"one\" endpoint");
 		this._coerceActionsControl(parsed.controls);
-		if (Object.keys(parsed.filter).length > 0) return new _moostjs_event_http.HttpError(400, "Filtering is not allowed for \"one\" endpoint");
 		const error = this.validateParsed(parsed, "getOne");
 		if (error) return error;
 		const rawSelect = await this.transformProjection(parsed.controls.$select);
@@ -1315,7 +1351,7 @@ let AsDbReadableController = class AsDbReadableController extends AsReadableCont
 	async getOneComposite(query, url) {
 		const idObj = this.extractIdShape(query);
 		if (idObj instanceof _moostjs_event_http.HttpError) return idObj;
-		const parsed = this.parseQueryString(url);
+		const { parsed } = this.parseControlsOnlyFromUrl(url);
 		this._coerceActionsControl(parsed.controls);
 		const rawSelect = await this.transformProjection(parsed.controls.$select);
 		const select = this.widenPreferredIdProjection(rawSelect);

package/dist/index.d.cts

@@ -1,4 +1,5 @@
 import * as _uniqu_url0 from "@uniqu/url";
+import { parseUrl } from "@uniqu/url";
 import { TAtscriptAnnotatedType, TAtscriptDataType, TSerializeOptions, TSerializedAnnotatedType, Validator } from "@atscript/typescript/utils";
 import { AtscriptDbReadable, AtscriptDbTable, FilterExpr, FlatOf, TCrudOp, TCrudPermissions, TCrudPermissions as TCrudPermissions$1, TDbActionInfo, TDbActionInfo as TDbActionInfo$1, TDbActionIntent, TDbActionIntent as TDbActionIntent$1, TDbActionLevel, TDbActionLevel as TDbActionLevel$1, TDbActionProcessor, TDbFieldMeta, TIdentification, TMetaResponse, Uniquery, UniqueryControls } from "@atscript/db";
 import { HttpError } from "@moostjs/event-http";
@@ -106,6 +107,19 @@ declare abstract class AsReadableController<T extends TAtscriptAnnotatedType = T
    */
   protected checkGates(filter: FilterExpr | undefined, controls: Record<string, unknown>, gates: ReadableGates): HttpError | undefined;
   protected parseQueryString(url: string): _uniqu_url0.UrlQuery;
+  /**
+   * Parse a URL keeping only `$*` control keywords; report whether any
+   * non-control parts were present. Used by `/one` routes where the
+   * uniquery lexer cannot tokenise PK values containing `-` and other
+   * reserved chars, so non-control parts must be stripped before lexing.
+   * `/one/:id` rejects stray filter params with 400 via `hasNonControl`;
+   * `/one` (composite) ignores it because the composite-key params have
+   * already been extracted via `@Query()`.
+   */
+  protected parseControlsOnlyFromUrl(url: string): {
+    parsed: ReturnType<typeof parseUrl>;
+    hasNonControl: boolean;
+  };
   protected returnOne(result: Promise<DataType | null>): Promise<DataType | HttpError>;
   /**
    * **GET /meta** — returns the bound interface's metadata envelope. The

package/dist/index.d.mts

@@ -3,6 +3,7 @@ import { HttpError } from "@moostjs/event-http";
 import * as moost from "moost";
 import { Moost, TConsoleBase } from "moost";
 import * as _uniqu_url0 from "@uniqu/url";
+import { parseUrl } from "@uniqu/url";
 import { AtscriptDbReadable, AtscriptDbTable, FilterExpr, FlatOf, TCrudOp, TCrudPermissions, TCrudPermissions as TCrudPermissions$1, TDbActionInfo, TDbActionInfo as TDbActionInfo$1, TDbActionIntent, TDbActionIntent as TDbActionIntent$1, TDbActionLevel, TDbActionLevel as TDbActionLevel$1, TDbActionProcessor, TDbFieldMeta, TIdentification, TMetaResponse, Uniquery, UniqueryControls } from "@atscript/db";
 import * as _wooksjs_event_core0 from "@wooksjs/event-core";
 
@@ -106,6 +107,19 @@ declare abstract class AsReadableController<T extends TAtscriptAnnotatedType = T
    */
   protected checkGates(filter: FilterExpr | undefined, controls: Record<string, unknown>, gates: ReadableGates): HttpError | undefined;
   protected parseQueryString(url: string): _uniqu_url0.UrlQuery;
+  /**
+   * Parse a URL keeping only `$*` control keywords; report whether any
+   * non-control parts were present. Used by `/one` routes where the
+   * uniquery lexer cannot tokenise PK values containing `-` and other
+   * reserved chars, so non-control parts must be stripped before lexing.
+   * `/one/:id` rejects stray filter params with 400 via `hasNonControl`;
+   * `/one` (composite) ignores it because the composite-key params have
+   * already been extracted via `@Query()`.
+   */
+  protected parseControlsOnlyFromUrl(url: string): {
+    parsed: ReturnType<typeof parseUrl>;
+    hasNonControl: boolean;
+  };
   protected returnOne(result: Promise<DataType | null>): Promise<DataType | HttpError>;
   /**
    * **GET /meta** — returns the bound interface's metadata envelope. The

package/dist/index.mjs

@@ -690,6 +690,42 @@ let AsReadableController = class AsReadableController {
 		const idx = url.indexOf("?");
 		return parseUrl(idx >= 0 ? url.slice(idx + 1) : "");
 	}
+	/**
+	* Parse a URL keeping only `$*` control keywords; report whether any
+	* non-control parts were present. Used by `/one` routes where the
+	* uniquery lexer cannot tokenise PK values containing `-` and other
+	* reserved chars, so non-control parts must be stripped before lexing.
+	* `/one/:id` rejects stray filter params with 400 via `hasNonControl`;
+	* `/one` (composite) ignores it because the composite-key params have
+	* already been extracted via `@Query()`.
+	*/
+	parseControlsOnlyFromUrl(url) {
+		const idx = url.indexOf("?");
+		const qs = idx >= 0 ? url.slice(idx + 1) : "";
+		if (!qs) return {
+			parsed: parseUrl(""),
+			hasNonControl: false
+		};
+		const kept = [];
+		let hasNonControl = false;
+		for (const part of qs.split("&")) {
+			if (!part) continue;
+			const eq = part.indexOf("=");
+			const rawKey = eq === -1 ? part : part.slice(0, eq);
+			let key;
+			try {
+				key = decodeURIComponent(rawKey);
+			} catch {
+				key = rawKey;
+			}
+			if (key.startsWith("$")) kept.push(part);
+			else hasNonControl = true;
+		}
+		return {
+			parsed: parseUrl(kept.join("&")),
+			hasNonControl
+		};
+	}
 	async returnOne(result) {
 		const item = await result;
 		if (!item) return new HttpError(404);
@@ -1297,9 +1333,9 @@ let AsDbReadableController = class AsDbReadableController extends AsReadableCont
 	* **GET /one/:id** — retrieves a single record by ID or unique property.
 	*/
 	async getOne(id, url) {
-		const parsed = this.parseQueryString(url);
+		const { parsed, hasNonControl } = this.parseControlsOnlyFromUrl(url);
+		if (hasNonControl) return new HttpError(400, "Filtering is not allowed for \"one\" endpoint");
 		this._coerceActionsControl(parsed.controls);
-		if (Object.keys(parsed.filter).length > 0) return new HttpError(400, "Filtering is not allowed for \"one\" endpoint");
 		const error = this.validateParsed(parsed, "getOne");
 		if (error) return error;
 		const rawSelect = await this.transformProjection(parsed.controls.$select);
@@ -1314,7 +1350,7 @@ let AsDbReadableController = class AsDbReadableController extends AsReadableCont
 	async getOneComposite(query, url) {
 		const idObj = this.extractIdShape(query);
 		if (idObj instanceof HttpError) return idObj;
-		const parsed = this.parseQueryString(url);
+		const { parsed } = this.parseControlsOnlyFromUrl(url);
 		this._coerceActionsControl(parsed.controls);
 		const rawSelect = await this.transformProjection(parsed.controls.$select);
 		const select = this.widenPreferredIdProjection(rawSelect);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atscript/moost-db",
-  "version": "0.1.62",
+  "version": "0.1.63",
   "description": "Generic database controller for Moost with Atscript.",
   "keywords": [
     "annotations",
@@ -58,7 +58,7 @@
     "@wooksjs/event-core": "^0.7.10",
     "@wooksjs/http-body": "^0.7.10",
     "moost": "^0.6.8",
-    "@atscript/db": "^0.1.62"
+    "@atscript/db": "^0.1.63"
   },
   "scripts": {
     "postinstall": "asc -f dts",