@bedrockio/model 0.1.4 → 0.1.6

package/dist/cjs/access.js

@@ -29,19 +29,17 @@ function hasAccess(type, allowed = 'all', options = {}) {
       document,
       authUser
     } = options;
-    if (!Array.isArray(allowed)) {
-      allowed = [allowed];
-    }
     const scopes = resolveScopes(options);
+    allowed = resolveAllowed(allowed);
     return allowed.some(token => {
       if (token === 'self') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.id == authUser.id;
       } else if (token === 'user') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.user?.id == authUser.id;
       } else if (token === 'owner') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.owner?.id == authUser.id;
       } else {
         return scopes?.includes(token);
@@ -53,18 +51,34 @@ function resolveScopes(options) {
   if (!options.scope && !options.scopes) {
     (0, _warn.default)('Scopes were requested but not provided.');
   }
-  const {
-    scope,
-    scopes = []
-  } = options;
-  return scope ? [scope] : scopes;
+  let scopes;
+  if (options.scopes) {
+    scopes = options.scopes;
+  } else if (options.scope) {
+    scopes = [options.scope];
+  } else {
+    scopes = [];
+  }
+  return scopes;
 }
-function assertOptions(type, token, options) {
-  if (!options.authUser || !options.document) {
-    if (type === 'read') {
-      throw new _errors.ImplementationError(`Read access "${token}" requires .toObject({ authUser }).`);
+function resolveAllowed(arg) {
+  const allowed = Array.isArray(arg) ? arg : [arg];
+
+  // Sort allowed scopes to put "self" last allowing
+  // role based scopes to be fulfilled first.
+  allowed.sort((a, b) => {
+    if (a === b) {
+      return 0;
+    } else if (a === 'self') {
+      return 1;
     } else {
-      throw new _errors.ImplementationError(`Write access "${token}" requires passing { document, authUser } to the validator.`);
+      return -1;
     }
+  });
+  return allowed;
+}
+function assertOptions(token, options) {
+  if (!options.authUser || !options.document) {
+    throw new _errors.ImplementationError(token);
   }
 }

package/dist/cjs/errors.js

@@ -6,7 +6,12 @@ Object.defineProperty(exports, "__esModule", {
 exports.ReferenceError = exports.PermissionsError = exports.ImplementationError = void 0;
 class PermissionsError extends Error {}
 exports.PermissionsError = PermissionsError;
-class ImplementationError extends Error {}
+class ImplementationError extends Error {
+  constructor(name) {
+    super();
+    this.name = name;
+  }
+}
 exports.ImplementationError = ImplementationError;
 class ReferenceError extends Error {
   constructor(message, references) {

package/dist/cjs/search.js

@@ -84,7 +84,7 @@ function searchValidation(definition, options = {}) {
     sort,
     ...rest
   } = options;
-  return {
+  return _yada.default.object({
     ids: _yada.default.array(_validation.OBJECT_ID_SCHEMA),
     keyword: _yada.default.string().description('A keyword to perform a text search against.'),
     include: _yada.default.string().description('Fields to be selected or populated.'),
@@ -92,7 +92,7 @@ function searchValidation(definition, options = {}) {
     sort: _yada.default.allow(SORT_SCHEMA, _yada.default.array(SORT_SCHEMA)).default(sort),
     limit: _yada.default.number().positive().default(limit).description('Limits the number of results.'),
     ...rest
-  };
+  });
 }
 function validateDefinition(definition) {
   if (Array.isArray(definition.search)) {

package/dist/cjs/validation.js

@@ -104,6 +104,7 @@ function applyValidation(schema, definition) {
     return getSchemaFromMongoose(schema, {
       allowSearch: true,
       skipRequired: true,
+      expandDotSyntax: true,
       unwindArrayFields: true,
       requireReadAccess: true,
       appendSchema: (0, _search.searchValidation)(definition, searchOptions),
@@ -135,8 +136,10 @@ function getValidationSchema(attributes, options = {}) {
   } = options;
   let schema = getObjectSchema(attributes, options);
   if (assertUniqueOptions) {
-    schema = _yada.default.custom(async obj => {
-      await (0, _softDelete.assertUnique)(obj, {
+    schema = schema.custom(async (obj, {
+      root
+    }) => {
+      await (0, _softDelete.assertUnique)(root, {
         model: options.model,
         ...assertUniqueOptions
       });
@@ -148,9 +151,6 @@ function getValidationSchema(attributes, options = {}) {
   return schema;
 }
 function getObjectSchema(arg, options) {
-  const {
-    stripUnknown
-  } = options;
   if ((0, _utils.isSchemaTypedef)(arg)) {
     return getSchemaForTypedef(arg, options);
   } else if (arg instanceof _mongoose.default.Schema) {
@@ -158,6 +158,10 @@ function getObjectSchema(arg, options) {
   } else if (Array.isArray(arg)) {
     return getArraySchema(arg, options);
   } else if (typeof arg === 'object') {
+    const {
+      stripUnknown,
+      expandDotSyntax
+    } = options;
     const map = {};
     for (let [key, field] of Object.entries(arg)) {
       if (!isExcludedField(field, options)) {
@@ -170,6 +174,11 @@ function getObjectSchema(arg, options) {
         stripUnknown: true
       });
     }
+    if (expandDotSyntax) {
+      schema = schema.options({
+        expandDotSyntax: true
+      });
+    }
     return schema;
   } else {
     return getSchemaForType(arg);
@@ -324,14 +333,31 @@ function validateAccess(type, schema, allowed, options) {
   } = options.model;
   return schema.custom((val, options) => {
     const document = options[(0, _lodash.lowerFirst)(modelName)] || options['document'];
-    const isAllowed = (0, _access.hasAccess)(type, allowed, {
-      ...options,
-      document
-    });
+    let isAllowed;
+    try {
+      isAllowed = (0, _access.hasAccess)(type, allowed, {
+        ...options,
+        document
+      });
+    } catch (error) {
+      if (error instanceof _errors.ImplementationError) {
+        if (type === 'read') {
+          // Read access validation for search means that "self" access
+          // cannot be fulfilled as there is no single document to test
+          // against, so continue on to throw a normal permissions error
+          // here instead of raising a problem with the implementation.
+          isAllowed = false;
+        } else if (type === 'write') {
+          throw new Error(`Write access "${error.name}" requires passing { document, authUser } to the validator.`);
+        }
+      } else {
+        throw error;
+      }
+    }
     if (!isAllowed) {
       const currentValue = (0, _lodash.get)(document, options.path);
       if (val !== currentValue) {
-        throw new _errors.PermissionsError('requires write permissions.');
+        throw new _errors.PermissionsError(`requires ${type} permissions.`);
       }
     }
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrockio/model",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Bedrock utilities for model creation.",
   "type": "module",
   "scripts": {
@@ -29,7 +29,7 @@
     "lodash": "^4.17.21"
   },
   "peerDependencies": {
-    "@bedrockio/yada": "^1.0.18",
+    "@bedrockio/yada": "^1.0.25",
     "mongoose": "^6.9.0"
   },
   "devDependencies": {
@@ -37,7 +37,7 @@
     "@babel/core": "^7.20.12",
     "@babel/preset-env": "^7.20.2",
     "@bedrockio/prettier-config": "^1.0.2",
-    "@bedrockio/yada": "^1.0.18",
+    "@bedrockio/yada": "^1.0.25",
     "@shelf/jest-mongodb": "^4.1.6",
     "babel-plugin-import-replacement": "^1.0.1",
     "eslint": "^8.33.0",

package/src/access.js

@@ -19,19 +19,18 @@ export function hasAccess(type, allowed = 'all', options = {}) {
     return false;
   } else {
     const { document, authUser } = options;
-    if (!Array.isArray(allowed)) {
-      allowed = [allowed];
-    }
     const scopes = resolveScopes(options);
+
+    allowed = resolveAllowed(allowed);
     return allowed.some((token) => {
       if (token === 'self') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.id == authUser.id;
       } else if (token === 'user') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.user?.id == authUser.id;
       } else if (token === 'owner') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.owner?.id == authUser.id;
       } else {
         return scopes?.includes(token);
@@ -44,20 +43,39 @@ function resolveScopes(options) {
   if (!options.scope && !options.scopes) {
     warn('Scopes were requested but not provided.');
   }
-  const { scope, scopes = [] } = options;
-  return scope ? [scope] : scopes;
+
+  let scopes;
+  if (options.scopes) {
+    scopes = options.scopes;
+  } else if (options.scope) {
+    scopes = [options.scope];
+  } else {
+    scopes = [];
+  }
+
+  return scopes;
 }
 
-function assertOptions(type, token, options) {
-  if (!options.authUser || !options.document) {
-    if (type === 'read') {
-      throw new ImplementationError(
-        `Read access "${token}" requires .toObject({ authUser }).`
-      );
+function resolveAllowed(arg) {
+  const allowed = Array.isArray(arg) ? arg : [arg];
+
+  // Sort allowed scopes to put "self" last allowing
+  // role based scopes to be fulfilled first.
+  allowed.sort((a, b) => {
+    if (a === b) {
+      return 0;
+    } else if (a === 'self') {
+      return 1;
     } else {
-      throw new ImplementationError(
-        `Write access "${token}" requires passing { document, authUser } to the validator.`
-      );
+      return -1;
     }
+  });
+
+  return allowed;
+}
+
+function assertOptions(token, options) {
+  if (!options.authUser || !options.document) {
+    throw new ImplementationError(token);
   }
 }

package/src/errors.js

@@ -1,5 +1,11 @@
 export class PermissionsError extends Error {}
-export class ImplementationError extends Error {}
+
+export class ImplementationError extends Error {
+  constructor(name) {
+    super();
+    this.name = name;
+  }
+}
 
 export class ReferenceError extends Error {
   constructor(message, references) {

package/src/search.js

@@ -85,7 +85,7 @@ export function searchValidation(definition, options = {}) {
 
   const { limit, sort, ...rest } = options;
 
-  return {
+  return yd.object({
     ids: yd.array(OBJECT_ID_SCHEMA),
     keyword: yd
       .string()
@@ -99,7 +99,7 @@ export function searchValidation(definition, options = {}) {
       .default(limit)
       .description('Limits the number of results.'),
     ...rest,
-  };
+  });
 }
 
 function validateDefinition(definition) {

package/src/validation.js

@@ -5,7 +5,7 @@ import { get, omit, lowerFirst } from 'lodash';
 
 import { hasAccess } from './access';
 import { searchValidation } from './search';
-import { PermissionsError } from './errors';
+import { PermissionsError, ImplementationError } from './errors';
 import { hasUniqueConstraints, assertUnique } from './soft-delete';
 import { isMongooseSchema, isSchemaTypedef } from './utils';
 import { RESERVED_FIELDS } from './schema';
@@ -114,6 +114,7 @@ export function applyValidation(schema, definition) {
       return getSchemaFromMongoose(schema, {
         allowSearch: true,
         skipRequired: true,
+        expandDotSyntax: true,
         unwindArrayFields: true,
         requireReadAccess: true,
         appendSchema: searchValidation(definition, searchOptions),
@@ -142,8 +143,8 @@ export function getValidationSchema(attributes, options = {}) {
   const { appendSchema, assertUniqueOptions } = options;
   let schema = getObjectSchema(attributes, options);
   if (assertUniqueOptions) {
-    schema = yd.custom(async (obj) => {
-      await assertUnique(obj, {
+    schema = schema.custom(async (obj, { root }) => {
+      await assertUnique(root, {
         model: options.model,
         ...assertUniqueOptions,
       });
@@ -156,7 +157,6 @@ export function getValidationSchema(attributes, options = {}) {
 }
 
 function getObjectSchema(arg, options) {
-  const { stripUnknown } = options;
   if (isSchemaTypedef(arg)) {
     return getSchemaForTypedef(arg, options);
   } else if (arg instanceof mongoose.Schema) {
@@ -164,6 +164,7 @@ function getObjectSchema(arg, options) {
   } else if (Array.isArray(arg)) {
     return getArraySchema(arg, options);
   } else if (typeof arg === 'object') {
+    const { stripUnknown, expandDotSyntax } = options;
     const map = {};
     for (let [key, field] of Object.entries(arg)) {
       if (!isExcludedField(field, options)) {
@@ -178,6 +179,11 @@ function getObjectSchema(arg, options) {
         stripUnknown: true,
       });
     }
+    if (expandDotSyntax) {
+      schema = schema.options({
+        expandDotSyntax: true,
+      });
+    }
 
     return schema;
   } else {
@@ -362,14 +368,35 @@ function validateAccess(type, schema, allowed, options) {
   const { modelName } = options.model;
   return schema.custom((val, options) => {
     const document = options[lowerFirst(modelName)] || options['document'];
-    const isAllowed = hasAccess(type, allowed, {
-      ...options,
-      document,
-    });
+
+    let isAllowed;
+    try {
+      isAllowed = hasAccess(type, allowed, {
+        ...options,
+        document,
+      });
+    } catch (error) {
+      if (error instanceof ImplementationError) {
+        if (type === 'read') {
+          // Read access validation for search means that "self" access
+          // cannot be fulfilled as there is no single document to test
+          // against, so continue on to throw a normal permissions error
+          // here instead of raising a problem with the implementation.
+          isAllowed = false;
+        } else if (type === 'write') {
+          throw new Error(
+            `Write access "${error.name}" requires passing { document, authUser } to the validator.`
+          );
+        }
+      } else {
+        throw error;
+      }
+    }
+
     if (!isAllowed) {
       const currentValue = get(document, options.path);
       if (val !== currentValue) {
-        throw new PermissionsError('requires write permissions.');
+        throw new PermissionsError(`requires ${type} permissions.`);
       }
     }
   });

package/types/access.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../src/access.js"],"names":[],"mappings":"AAGA,mEAEC;AAED,oEAEC;AAED;;GAEG;AACH,+CAFW,MAAM,GAAC,MAAM,EAAE,yBA4BzB"}
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../src/access.js"],"names":[],"mappings":"AAGA,mEAEC;AAED,oEAEC;AAED;;GAEG;AACH,+CAFW,MAAM,GAAC,MAAM,EAAE,yBA2BzB"}

package/types/errors.d.ts

@@ -1,6 +1,8 @@
 export class PermissionsError extends Error {
 }
 export class ImplementationError extends Error {
+    constructor(name: any);
+    name: any;
 }
 export class ReferenceError extends Error {
     constructor(message: any, references: any);

package/types/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.js"],"names":[],"mappings":"AAAA;CAA8C;AAC9C;CAAiD;AAEjD;IACE,2CAGC;IADC,gBAA4B;CAE/B"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.js"],"names":[],"mappings":"AAAA;CAA8C;AAE9C;IACE,uBAGC;IADC,UAAgB;CAEnB;AAED;IACE,2CAGC;IADC,gBAA4B;CAE/B"}