@bedrockio/model 0.1.0

package/src/access.js

@@ -0,0 +1,60 @@
+import { ImplementationError } from './errors';
+import warn from './warn';
+
+export function hasReadAccess(allowed, options) {
+  return hasAccess('read', allowed, options);
+}
+
+export function hasWriteAccess(allowed, options) {
+  return hasAccess('write', allowed, options);
+}
+
+export function hasAccess(type, allowed = 'all', options = {}) {
+  if (allowed === 'all') {
+    return true;
+  } else if (allowed === 'none') {
+    return false;
+  } else {
+    const { document, authUser } = options;
+    if (!Array.isArray(allowed)) {
+      allowed = [allowed];
+    }
+    const scopes = resolveScopes(options);
+    return allowed.some((token) => {
+      if (token === 'self') {
+        assertOptions(type, token, options);
+        return document.id == authUser.id;
+      } else if (token === 'user') {
+        assertOptions(type, token, options);
+        return document.user?.id == authUser.id;
+      } else if (token === 'owner') {
+        assertOptions(type, token, options);
+        return document.owner?.id == authUser.id;
+      } else {
+        return scopes?.includes(token);
+      }
+    });
+  }
+}
+
+function resolveScopes(options) {
+  if (!options.scope && !options.scopes) {
+    warn('Scopes were requested but not provided.');
+  }
+  const { scope, scopes = [] } = options;
+  return scope ? [scope] : scopes;
+}
+
+function assertOptions(type, token, options) {
+  if (!options.authUser || !options.document) {
+    if (type === 'read') {
+      throw new ImplementationError(
+        `Read access "${token}" requires .toObject({ authUser }).`
+      );
+    } else {
+      throw new ImplementationError(
+        `Write access "${token}" requires passing { document, authUser } to the validator.`
+      );
+    }
+  }
+}

package/src/assign.js

@@ -0,0 +1,45 @@
+import { isPlainObject } from 'lodash';
+
+import { isReferenceField, resolveField } from './utils';
+
+export function applyAssign(schema) {
+  schema.method('assign', function assign(fields) {
+    unsetReferenceFields(fields, schema.obj);
+    for (let [path, value] of Object.entries(flattenObject(fields))) {
+      if (value === null) {
+        this.set(path, undefined);
+        this.markModified(path);
+      } else {
+        this.set(path, value);
+      }
+    }
+  });
+}
+
+// Sets falsy reference fields to undefined to signal
+// removal. Passing attributes through this function
+// normalizes falsy values so they are not saved to the db.
+function unsetReferenceFields(fields, schema = {}) {
+  for (let [key, value] of Object.entries(fields)) {
+    if (!value && isReferenceField(schema, key)) {
+      fields[key] = undefined;
+    } else if (value && typeof value === 'object') {
+      unsetReferenceFields(value, resolveField(schema, key));
+    }
+  }
+}
+
+// Flattens nested objects to a dot syntax.
+// Effectively the inverse of lodash get:
+// { foo: { bar: 3 } } -> { 'foo.bar': 3 }
+function flattenObject(obj, root = {}, rootPath = []) {
+  for (let [key, val] of Object.entries(obj)) {
+    const path = [...rootPath, key];
+    if (isPlainObject(val)) {
+      flattenObject(val, root, path);
+    } else {
+      root[path.join('.')] = val;
+    }
+  }
+  return root;
+}

package/src/const.js

@@ -0,0 +1,9 @@
+export const SEARCH_DEFAULTS = {
+  limit: 50,
+  sort: {
+    field: 'createdAt',
+    order: 'desc',
+  },
+};
+
+export const POPULATE_MAX_DEPTH = 5;

package/src/errors.js

@@ -0,0 +1,9 @@
+export class PermissionsError extends Error {}
+export class ImplementationError extends Error {}
+
+export class ReferenceError extends Error {
+  constructor(message, references) {
+    super(message);
+    this.references = references;
+  }
+}

package/src/include.js

@@ -0,0 +1,209 @@
+import mongoose from 'mongoose';
+import { escapeRegExp } from 'lodash';
+
+import { resolveInnerField } from './utils';
+import { POPULATE_MAX_DEPTH } from './const';
+
+// Overloading mongoose Query prototype to
+// allow an "include" method for queries.
+mongoose.Query.prototype.include = function include(paths) {
+  const filter = this.getFilter();
+  filter.include = paths;
+  return this;
+};
+
+export function applyInclude(schema) {
+  schema.virtual('include').set(function (include) {
+    this.$locals.include = include;
+  });
+
+  schema.pre(/^find/, function (next) {
+    const filter = this.getFilter();
+    if (filter.include) {
+      const { select, populate } = getQueryIncludes(this, filter.include);
+      this.select(select);
+      this.populate(populate);
+      delete filter.include;
+    }
+    return next();
+  });
+
+  schema.pre('save', function () {
+    const { include } = this.$locals;
+    if (include) {
+      let { select, populate } = getDocumentIncludes(this, include);
+      const modifiedPaths = this.modifiedPaths();
+      populate = populate.filter((p) => {
+        return modifiedPaths.includes(p.path);
+      });
+      this.$locals.select = select;
+      this.$locals.populate = populate;
+    }
+  });
+
+  schema.post('save', async function () {
+    const { populate } = this.$locals;
+    if (populate) {
+      await this.populate(populate);
+      delete this.$locals.populate;
+    }
+  });
+}
+
+// "Selected" keys virtually project documents so that
+// they do not return the entire document down the wire.
+// This is to maintain parity with query projection used
+// with the includes feature.
+export function checkSelects(doc, ret) {
+  let { select } = doc.$locals;
+  if (select?.length) {
+    const includes = {};
+    const excludes = {};
+    select = [...select, 'id'];
+    let hasExcludes = false;
+    for (let path of select) {
+      if (path.startsWith('-')) {
+        excludes[path.slice(1)] = true;
+        hasExcludes = true;
+      } else {
+        includes[path] = true;
+      }
+    }
+    for (let key of Object.keys(ret)) {
+      // Always select populated fields.
+      if (doc.populated(key)) {
+        continue;
+      }
+      // Fields are either explicitly excluded with "-"
+      // or implicitly excluded by having only includes.
+      const implicitExclude = !hasExcludes && !includes[key];
+      if (excludes[key] || implicitExclude) {
+        delete ret[key];
+      }
+    }
+  }
+}
+
+// Exported for testing.
+export function getIncludes(modelName, arg) {
+  const paths = Array.isArray(arg) ? arg : [arg];
+  const node = pathsToNode(paths, modelName);
+  return nodeToPopulates(node);
+}
+
+function getQueryIncludes(query, arg) {
+  return getIncludes(query.model.modelName, arg);
+}
+
+function getDocumentIncludes(doc, arg) {
+  return getIncludes(doc.constructor.modelName, arg);
+}
+
+// Note that:
+// - An empty array for "select" will select all.
+// - Entries in the "populate" array will select the
+//   field even if not included in "select".
+function nodeToPopulates(node) {
+  const select = [];
+  const populate = [];
+  for (let [key, value] of Object.entries(node)) {
+    if (value) {
+      populate.push({
+        path: key,
+        ...nodeToPopulates(value),
+      });
+    } else {
+      select.push(key);
+    }
+  }
+  return {
+    select,
+    populate,
+  };
+}
+
+function pathsToNode(paths, modelName) {
+  const node = {};
+  for (let str of paths) {
+    let exclude = false;
+    if (str.startsWith('-')) {
+      exclude = true;
+      str = str.slice(1);
+    }
+    setNodePath(node, {
+      path: str.split('.'),
+      modelName,
+      exclude,
+    });
+  }
+  return node;
+}
+
+function setNodePath(node, options) {
+  const { path, modelName, exclude, depth = 0 } = options;
+  if (depth > POPULATE_MAX_DEPTH) {
+    throw new Error(`Cannot populate more than ${POPULATE_MAX_DEPTH} levels.`);
+  }
+  const schema = mongoose.models[modelName]?.schema;
+  if (!schema) {
+    throw new Error(`Could not derive schema for ${modelName}.`);
+  }
+  const parts = [];
+  for (let part of path) {
+    parts.push(part);
+    const str = parts.join('.');
+    const isExact = parts.length === path.length;
+    let halt = false;
+
+    for (let [key, type] of resolvePaths(schema, str)) {
+      if (type === 'real') {
+        const field = resolveInnerField(schema.obj, key);
+        // Only exclude the field if the match is exact, ie:
+        // -name - Exclude "name"
+        // -user.name - Implies population of "user" but exclude "user.name",
+        //  so continue traversing into object when part is "user".
+        if (isExact && exclude) {
+          node['-' + key] = null;
+        } else if (field.ref) {
+          node[key] ||= {};
+          setNodePath(node[key], {
+            modelName: field.ref,
+            path: path.slice(parts.length),
+            depth: depth + 1,
+            exclude,
+          });
+          halt = true;
+        } else {
+          node[key] = null;
+        }
+      } else if (type === 'virtual') {
+        node[key] = {};
+      } else if (type !== 'nested') {
+        throw new Error(`Unknown path on ${modelName}: ${key}.`);
+      }
+    }
+
+    if (halt) {
+      break;
+    }
+  }
+}
+
+function resolvePaths(schema, str) {
+  let paths;
+  if (str.includes('*')) {
+    let source = escapeRegExp(str);
+    source = source.replaceAll('\\*\\*', '.+');
+    source = source.replaceAll('\\*', '[^.]+');
+    source = `^${source}$`;
+    const reg = RegExp(source);
+    paths = Object.keys(schema.paths || {}).filter((path) => {
+      return !path.startsWith('_') && reg.test(path);
+    });
+  } else {
+    paths = [str];
+  }
+  return paths.map((path) => {
+    return [path, schema.pathType(path)];
+  });
+}

package/src/index.js

@@ -0,0 +1,5 @@
+export { createSchema } from './schema';
+export { loadModel, loadModelDir } from './load';
+export { addValidators } from './validation';
+export * from './testing';
+export * from './errors';

package/src/load.js

@@ -0,0 +1,37 @@
+import fs from 'fs';
+import path from 'path';
+
+import mongoose from 'mongoose';
+import { startCase } from 'lodash';
+
+import { createSchema } from './schema';
+
+export function loadModel(definition, name) {
+  if (!definition.attributes) {
+    throw new Error(`Invalid model definition for ${name}, need attributes`);
+  }
+  try {
+    const schema = createSchema(definition);
+    return mongoose.model(name, schema);
+  } catch (err) {
+    throw new Error(`${err.message} (loading ${name})`);
+  }
+}
+
+export function loadModelDir(dirPath) {
+  const files = fs.readdirSync(dirPath);
+  for (const file of files) {
+    const basename = path.basename(file, '.json');
+    if (file.match(/\.json$/)) {
+      const filePath = path.join(dirPath, file);
+      const data = fs.readFileSync(filePath);
+      const definition = JSON.parse(data);
+      const modelName =
+        definition.modelName || startCase(basename).replace(/\s/g, '');
+      if (!mongoose.models[modelName]) {
+        loadModel(definition, modelName);
+      }
+    }
+  }
+  return mongoose.models;
+}

package/src/references.js

@@ -0,0 +1,101 @@
+import mongoose from 'mongoose';
+
+import { ReferenceError } from './errors';
+
+const { ObjectId: SchemaObjectId } = mongoose.Schema.Types;
+
+export function applyReferences(schema) {
+  schema.method(
+    'assertNoReferences',
+    async function assertNoReferences(options = {}) {
+      const { except = [] } = options;
+      const { modelName } = this.constructor;
+
+      assertExceptions(except);
+
+      const references = getAllReferences(modelName);
+      const results = [];
+
+      for (let { model, paths } of references) {
+        const isAllowed = except.some((e) => {
+          return e === model || e === model.modelName;
+        });
+        if (isAllowed) {
+          return;
+        }
+
+        const query = {
+          $or: paths.map((path) => {
+            return { [path]: this.id };
+          }),
+        };
+
+        const docs = await model.find(
+          query,
+          {
+            _id: 1,
+          },
+          {
+            lean: true,
+          }
+        );
+        if (docs.length > 0) {
+          const ids = docs.map((doc) => {
+            return String(doc._id);
+          });
+          results.push({
+            ids,
+            model,
+            count: ids.length,
+          });
+        }
+      }
+
+      if (results.length) {
+        throw new ReferenceError('Refusing to delete.', results);
+      }
+    }
+  );
+}
+
+function assertExceptions(except) {
+  for (let val of except) {
+    if (typeof val === 'string' && !mongoose.models[val]) {
+      throw new Error(`Unknown model "${val}".`);
+    }
+  }
+}
+
+function getAllReferences(targetName) {
+  return Object.values(mongoose.models)
+    .map((model) => {
+      const paths = getModelReferences(model, targetName);
+      return { model, paths };
+    })
+    .filter(({ paths }) => {
+      return paths.length > 0;
+    });
+}
+
+function getModelReferences(model, targetName) {
+  const paths = [];
+  model.schema.eachPath((schemaPath, schemaType) => {
+    if (schemaType instanceof SchemaObjectId && schemaPath[0] !== '_') {
+      const { ref, refPath } = schemaType.options;
+      let refs;
+      if (ref) {
+        refs = [ref];
+      } else if (refPath) {
+        refs = model.schema.path(refPath).options.enum;
+      } else {
+        throw new Error(
+          `Cannot derive refs for ${model.modelName}#${schemaPath}.`
+        );
+      }
+      if (refs.includes(targetName)) {
+        paths.push(schemaPath);
+      }
+    }
+  });
+  return paths;
+}