@bedrockio/model 0.1.5 → 0.1.7

package/dist/cjs/access.js

@@ -29,19 +29,17 @@ function hasAccess(type, allowed = 'all', options = {}) {
       document,
       authUser
     } = options;
-    if (!Array.isArray(allowed)) {
-      allowed = [allowed];
-    }
     const scopes = resolveScopes(options);
+    allowed = resolveAllowed(allowed);
     return allowed.some(token => {
       if (token === 'self') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.id == authUser.id;
       } else if (token === 'user') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.user?.id == authUser.id;
       } else if (token === 'owner') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.owner?.id == authUser.id;
       } else {
         return scopes?.includes(token);
@@ -53,18 +51,34 @@ function resolveScopes(options) {
   if (!options.scope && !options.scopes) {
     (0, _warn.default)('Scopes were requested but not provided.');
   }
-  const {
-    scope,
-    scopes = []
-  } = options;
-  return scope ? [scope] : scopes;
+  let scopes;
+  if (options.scopes) {
+    scopes = options.scopes;
+  } else if (options.scope) {
+    scopes = [options.scope];
+  } else {
+    scopes = [];
+  }
+  return scopes;
 }
-function assertOptions(type, token, options) {
-  if (!options.authUser || !options.document) {
-    if (type === 'read') {
-      throw new _errors.ImplementationError(`Read access "${token}" requires .toObject({ authUser }).`);
+function resolveAllowed(arg) {
+  const allowed = Array.isArray(arg) ? arg : [arg];
+
+  // Sort allowed scopes to put "self" last allowing
+  // role based scopes to be fulfilled first.
+  allowed.sort((a, b) => {
+    if (a === b) {
+      return 0;
+    } else if (a === 'self') {
+      return 1;
     } else {
-      throw new _errors.ImplementationError(`Write access "${token}" requires passing { document, authUser } to the validator.`);
+      return -1;
     }
+  });
+  return allowed;
+}
+function assertOptions(token, options) {
+  if (!options.authUser || !options.document) {
+    throw new _errors.ImplementationError(token);
   }
 }

package/dist/cjs/errors.js

@@ -6,7 +6,12 @@ Object.defineProperty(exports, "__esModule", {
 exports.ReferenceError = exports.PermissionsError = exports.ImplementationError = void 0;
 class PermissionsError extends Error {}
 exports.PermissionsError = PermissionsError;
-class ImplementationError extends Error {}
+class ImplementationError extends Error {
+  constructor(name) {
+    super();
+    this.name = name;
+  }
+}
 exports.ImplementationError = ImplementationError;
 class ReferenceError extends Error {
   constructor(message, references) {

package/dist/cjs/include.js

@@ -3,11 +3,13 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
+exports.INCLUDE_FIELD_SCHEMA = void 0;
 exports.applyInclude = applyInclude;
 exports.checkSelects = checkSelects;
 exports.getIncludes = getIncludes;
 var _mongoose = _interopRequireDefault(require("mongoose"));
 var _lodash = require("lodash");
+var _yada = _interopRequireDefault(require("@bedrockio/yada"));
 var _utils = require("./utils");
 var _const = require("./const");
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
@@ -19,6 +21,11 @@ _mongoose.default.Query.prototype.include = function include(paths) {
   filter.include = paths;
   return this;
 };
+const DESCRIPTION = 'Field to be selected or populated.';
+const INCLUDE_FIELD_SCHEMA = _yada.default.object({
+  include: _yada.default.allow(_yada.default.string().description(DESCRIPTION), _yada.default.array(_yada.default.string().description(DESCRIPTION)))
+});
+exports.INCLUDE_FIELD_SCHEMA = INCLUDE_FIELD_SCHEMA;
 function applyInclude(schema) {
   schema.virtual('include').set(function (include) {
     this.$locals.include = include;
@@ -138,6 +145,9 @@ function nodeToPopulates(node) {
 function pathsToNode(paths, modelName) {
   const node = {};
   for (let str of paths) {
+    if (typeof str !== 'string') {
+      throw new Error('Provided include path was not as string.');
+    }
     let exclude = false;
     if (str.startsWith('-')) {
       exclude = true;

package/dist/cjs/search.js

@@ -87,7 +87,6 @@ function searchValidation(definition, options = {}) {
   return _yada.default.object({
     ids: _yada.default.array(_validation.OBJECT_ID_SCHEMA),
     keyword: _yada.default.string().description('A keyword to perform a text search against.'),
-    include: _yada.default.string().description('Fields to be selected or populated.'),
     skip: _yada.default.number().default(0).description('Number of records to skip.'),
     sort: _yada.default.allow(SORT_SCHEMA, _yada.default.array(SORT_SCHEMA)).default(sort),
     limit: _yada.default.number().positive().default(limit).description('Limits the number of results.'),
@@ -227,8 +226,10 @@ function isNestedQuery(key, value) {
     return !isMongoOperator(key);
   });
 }
+
+// Exclude "include" here as a special case.
 function isArrayQuery(key, value) {
-  return !isMongoOperator(key) && Array.isArray(value);
+  return !isMongoOperator(key) && !isInclude(key) && Array.isArray(value);
 }
 function isRangeQuery(schema, key, value) {
   // Range queries only allowed on Date and Number fields.
@@ -247,6 +248,9 @@ function mapOperatorQuery(obj) {
 function isMongoOperator(str) {
   return str.startsWith('$');
 }
+function isInclude(str) {
+  return str === 'include';
+}
 
 // Regex queries
 

package/dist/cjs/validation.js

@@ -18,6 +18,7 @@ var _errors = require("./errors");
 var _softDelete = require("./soft-delete");
 var _utils = require("./utils");
 var _schema = require("./schema");
+var _include = require("./include");
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 const DATE_SCHEMA = _yada.default.date().iso().tag({
   'x-schema': 'DateTime',
@@ -74,6 +75,7 @@ function applyValidation(schema, definition) {
     return getSchemaFromMongoose(schema, {
       model: this,
       appendSchema,
+      allowIncludes: true,
       stripReserved: true,
       requireWriteAccess: true,
       ...(hasUnique && {
@@ -104,6 +106,7 @@ function applyValidation(schema, definition) {
     return getSchemaFromMongoose(schema, {
       allowSearch: true,
       skipRequired: true,
+      allowIncludes: true,
       expandDotSyntax: true,
       unwindArrayFields: true,
       requireReadAccess: true,
@@ -132,7 +135,8 @@ function getSchemaFromMongoose(schema, options = {}) {
 function getValidationSchema(attributes, options = {}) {
   const {
     appendSchema,
-    assertUniqueOptions
+    assertUniqueOptions,
+    allowIncludes
   } = options;
   let schema = getObjectSchema(attributes, options);
   if (assertUniqueOptions) {
@@ -148,6 +152,9 @@ function getValidationSchema(attributes, options = {}) {
   if (appendSchema) {
     schema = schema.append(appendSchema);
   }
+  if (allowIncludes) {
+    schema = schema.append(_include.INCLUDE_FIELD_SCHEMA);
+  }
   return schema;
 }
 function getObjectSchema(arg, options) {
@@ -333,14 +340,31 @@ function validateAccess(type, schema, allowed, options) {
   } = options.model;
   return schema.custom((val, options) => {
     const document = options[(0, _lodash.lowerFirst)(modelName)] || options['document'];
-    const isAllowed = (0, _access.hasAccess)(type, allowed, {
-      ...options,
-      document
-    });
+    let isAllowed;
+    try {
+      isAllowed = (0, _access.hasAccess)(type, allowed, {
+        ...options,
+        document
+      });
+    } catch (error) {
+      if (error instanceof _errors.ImplementationError) {
+        if (type === 'read') {
+          // Read access validation for search means that "self" access
+          // cannot be fulfilled as there is no single document to test
+          // against, so continue on to throw a normal permissions error
+          // here instead of raising a problem with the implementation.
+          isAllowed = false;
+        } else if (type === 'write') {
+          throw new Error(`Write access "${error.name}" requires passing { document, authUser } to the validator.`);
+        }
+      } else {
+        throw error;
+      }
+    }
     if (!isAllowed) {
       const currentValue = (0, _lodash.get)(document, options.path);
       if (val !== currentValue) {
-        throw new _errors.PermissionsError('requires write permissions.');
+        throw new _errors.PermissionsError(`requires ${type} permissions.`);
       }
     }
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrockio/model",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "Bedrock utilities for model creation.",
   "type": "module",
   "scripts": {
@@ -29,7 +29,7 @@
     "lodash": "^4.17.21"
   },
   "peerDependencies": {
-    "@bedrockio/yada": "^1.0.20",
+    "@bedrockio/yada": "^1.0.25",
     "mongoose": "^6.9.0"
   },
   "devDependencies": {
@@ -37,7 +37,7 @@
     "@babel/core": "^7.20.12",
     "@babel/preset-env": "^7.20.2",
     "@bedrockio/prettier-config": "^1.0.2",
-    "@bedrockio/yada": "^1.0.20",
+    "@bedrockio/yada": "^1.0.25",
     "@shelf/jest-mongodb": "^4.1.6",
     "babel-plugin-import-replacement": "^1.0.1",
     "eslint": "^8.33.0",

package/src/access.js

@@ -19,19 +19,18 @@ export function hasAccess(type, allowed = 'all', options = {}) {
     return false;
   } else {
     const { document, authUser } = options;
-    if (!Array.isArray(allowed)) {
-      allowed = [allowed];
-    }
     const scopes = resolveScopes(options);
+
+    allowed = resolveAllowed(allowed);
     return allowed.some((token) => {
       if (token === 'self') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.id == authUser.id;
       } else if (token === 'user') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.user?.id == authUser.id;
       } else if (token === 'owner') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.owner?.id == authUser.id;
       } else {
         return scopes?.includes(token);
@@ -44,20 +43,39 @@ function resolveScopes(options) {
   if (!options.scope && !options.scopes) {
     warn('Scopes were requested but not provided.');
   }
-  const { scope, scopes = [] } = options;
-  return scope ? [scope] : scopes;
+
+  let scopes;
+  if (options.scopes) {
+    scopes = options.scopes;
+  } else if (options.scope) {
+    scopes = [options.scope];
+  } else {
+    scopes = [];
+  }
+
+  return scopes;
 }
 
-function assertOptions(type, token, options) {
-  if (!options.authUser || !options.document) {
-    if (type === 'read') {
-      throw new ImplementationError(
-        `Read access "${token}" requires .toObject({ authUser }).`
-      );
+function resolveAllowed(arg) {
+  const allowed = Array.isArray(arg) ? arg : [arg];
+
+  // Sort allowed scopes to put "self" last allowing
+  // role based scopes to be fulfilled first.
+  allowed.sort((a, b) => {
+    if (a === b) {
+      return 0;
+    } else if (a === 'self') {
+      return 1;
     } else {
-      throw new ImplementationError(
-        `Write access "${token}" requires passing { document, authUser } to the validator.`
-      );
+      return -1;
     }
+  });
+
+  return allowed;
+}
+
+function assertOptions(token, options) {
+  if (!options.authUser || !options.document) {
+    throw new ImplementationError(token);
   }
 }

package/src/errors.js

@@ -1,5 +1,11 @@
 export class PermissionsError extends Error {}
-export class ImplementationError extends Error {}
+
+export class ImplementationError extends Error {
+  constructor(name) {
+    super();
+    this.name = name;
+  }
+}
 
 export class ReferenceError extends Error {
   constructor(message, references) {

package/src/include.js

@@ -1,5 +1,6 @@
 import mongoose from 'mongoose';
 import { escapeRegExp } from 'lodash';
+import yd from '@bedrockio/yada';
 
 import { resolveInnerField } from './utils';
 import { POPULATE_MAX_DEPTH } from './const';
@@ -13,6 +14,15 @@ mongoose.Query.prototype.include = function include(paths) {
   return this;
 };
 
+const DESCRIPTION = 'Field to be selected or populated.';
+
+export const INCLUDE_FIELD_SCHEMA = yd.object({
+  include: yd.allow(
+    yd.string().description(DESCRIPTION),
+    yd.array(yd.string().description(DESCRIPTION))
+  ),
+});
+
 export function applyInclude(schema) {
   schema.virtual('include').set(function (include) {
     this.$locals.include = include;
@@ -126,6 +136,9 @@ function nodeToPopulates(node) {
 function pathsToNode(paths, modelName) {
   const node = {};
   for (let str of paths) {
+    if (typeof str !== 'string') {
+      throw new Error('Provided include path was not as string.');
+    }
     let exclude = false;
     if (str.startsWith('-')) {
       exclude = true;

package/src/search.js

@@ -90,7 +90,6 @@ export function searchValidation(definition, options = {}) {
     keyword: yd
       .string()
       .description('A keyword to perform a text search against.'),
-    include: yd.string().description('Fields to be selected or populated.'),
     skip: yd.number().default(0).description('Number of records to skip.'),
     sort: yd.allow(SORT_SCHEMA, yd.array(SORT_SCHEMA)).default(sort),
     limit: yd
@@ -230,8 +229,9 @@ function isNestedQuery(key, value) {
   });
 }
 
+// Exclude "include" here as a special case.
 function isArrayQuery(key, value) {
-  return !isMongoOperator(key) && Array.isArray(value);
+  return !isMongoOperator(key) && !isInclude(key) && Array.isArray(value);
 }
 
 function isRangeQuery(schema, key, value) {
@@ -254,6 +254,10 @@ function isMongoOperator(str) {
   return str.startsWith('$');
 }
 
+function isInclude(str) {
+  return str === 'include';
+}
+
 // Regex queries
 
 const REGEX_QUERY = /^\/(.+)\/(\w*)$/;

package/src/validation.js

@@ -5,10 +5,11 @@ import { get, omit, lowerFirst } from 'lodash';
 
 import { hasAccess } from './access';
 import { searchValidation } from './search';
-import { PermissionsError } from './errors';
+import { PermissionsError, ImplementationError } from './errors';
 import { hasUniqueConstraints, assertUnique } from './soft-delete';
 import { isMongooseSchema, isSchemaTypedef } from './utils';
 import { RESERVED_FIELDS } from './schema';
+import { INCLUDE_FIELD_SCHEMA } from './include';
 
 const DATE_SCHEMA = yd.date().iso().tag({
   'x-schema': 'DateTime',
@@ -76,6 +77,7 @@ export function applyValidation(schema, definition) {
       return getSchemaFromMongoose(schema, {
         model: this,
         appendSchema,
+        allowIncludes: true,
         stripReserved: true,
         requireWriteAccess: true,
         ...(hasUnique && {
@@ -114,6 +116,7 @@ export function applyValidation(schema, definition) {
       return getSchemaFromMongoose(schema, {
         allowSearch: true,
         skipRequired: true,
+        allowIncludes: true,
         expandDotSyntax: true,
         unwindArrayFields: true,
         requireReadAccess: true,
@@ -140,7 +143,7 @@ function getSchemaFromMongoose(schema, options = {}) {
 
 // Exported for testing
 export function getValidationSchema(attributes, options = {}) {
-  const { appendSchema, assertUniqueOptions } = options;
+  const { appendSchema, assertUniqueOptions, allowIncludes } = options;
   let schema = getObjectSchema(attributes, options);
   if (assertUniqueOptions) {
     schema = schema.custom(async (obj, { root }) => {
@@ -153,6 +156,9 @@ export function getValidationSchema(attributes, options = {}) {
   if (appendSchema) {
     schema = schema.append(appendSchema);
   }
+  if (allowIncludes) {
+    schema = schema.append(INCLUDE_FIELD_SCHEMA);
+  }
   return schema;
 }
 
@@ -368,14 +374,35 @@ function validateAccess(type, schema, allowed, options) {
   const { modelName } = options.model;
   return schema.custom((val, options) => {
     const document = options[lowerFirst(modelName)] || options['document'];
-    const isAllowed = hasAccess(type, allowed, {
-      ...options,
-      document,
-    });
+
+    let isAllowed;
+    try {
+      isAllowed = hasAccess(type, allowed, {
+        ...options,
+        document,
+      });
+    } catch (error) {
+      if (error instanceof ImplementationError) {
+        if (type === 'read') {
+          // Read access validation for search means that "self" access
+          // cannot be fulfilled as there is no single document to test
+          // against, so continue on to throw a normal permissions error
+          // here instead of raising a problem with the implementation.
+          isAllowed = false;
+        } else if (type === 'write') {
+          throw new Error(
+            `Write access "${error.name}" requires passing { document, authUser } to the validator.`
+          );
+        }
+      } else {
+        throw error;
+      }
+    }
+
     if (!isAllowed) {
       const currentValue = get(document, options.path);
       if (val !== currentValue) {
-        throw new PermissionsError('requires write permissions.');
+        throw new PermissionsError(`requires ${type} permissions.`);
       }
     }
   });

package/types/access.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../src/access.js"],"names":[],"mappings":"AAGA,mEAEC;AAED,oEAEC;AAED;;GAEG;AACH,+CAFW,MAAM,GAAC,MAAM,EAAE,yBA4BzB"}
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../src/access.js"],"names":[],"mappings":"AAGA,mEAEC;AAED,oEAEC;AAED;;GAEG;AACH,+CAFW,MAAM,GAAC,MAAM,EAAE,yBA2BzB"}

package/types/errors.d.ts

@@ -1,6 +1,8 @@
 export class PermissionsError extends Error {
 }
 export class ImplementationError extends Error {
+    constructor(name: any);
+    name: any;
 }
 export class ReferenceError extends Error {
     constructor(message: any, references: any);

package/types/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.js"],"names":[],"mappings":"AAAA;CAA8C;AAC9C;CAAiD;AAEjD;IACE,2CAGC;IADC,gBAA4B;CAE/B"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.js"],"names":[],"mappings":"AAAA;CAA8C;AAE9C;IACE,uBAGC;IADC,UAAgB;CAEnB;AAED;IACE,2CAGC;IADC,gBAA4B;CAE/B"}

package/types/include.d.ts

@@ -1,4 +1,44 @@
 export function applyInclude(schema: any): void;
 export function checkSelects(doc: any, ret: any): void;
 export function getIncludes(modelName: any, arg: any): any;
+export const INCLUDE_FIELD_SCHEMA: {
+    setup: any;
+    getFields: any;
+    append(arg: import("@bedrockio/yada/types/object").SchemaMap | import("@bedrockio/yada/types/Schema").default): any;
+    pick(...names?: string[]): any;
+    omit(...names?: string[]): any;
+    format(name: any, fn: any): import("@bedrockio/yada/types/TypeSchema").default;
+    toString(): any;
+    assertions: any[];
+    meta: {};
+    required(): any;
+    default(value: any): any;
+    custom(...args: import("@bedrockio/yada/types/Schema").CustomSignature): any;
+    strip(strip: any): any;
+    allow(...set: any[]): any;
+    reject(...set: any[]): any;
+    message(message: any): any;
+    tag(tags: any): any;
+    description(description: any): any;
+    options(options: any): any;
+    validate(value: any, options?: {}): Promise<any>;
+    clone(meta: any): any;
+    toOpenApi(extra: any): any;
+    expandExtra(extra?: {}): {};
+    assertEnum(set: any, allow: any): any;
+    assert(type: any, fn: any): any;
+    pushAssertion(assertion: any): void;
+    transform(fn: any): any;
+    getSortIndex(type: any): number;
+    runAssertion(assertion: any, value: any, options?: {}): Promise<any>;
+    enumToOpenApi(): {
+        type: "string" | "number" | "bigint" | "boolean" | "symbol" | "undefined" | "object" | "function";
+        enum: any;
+        oneOf?: undefined;
+    } | {
+        oneOf: any[];
+        type?: undefined;
+        enum?: undefined;
+    };
+};
 //# sourceMappingURL=include.d.ts.map

package/types/include.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"include.d.ts","sourceRoot":"","sources":["../src/include.js"],"names":[],"mappings":"AAeA,gDAoCC;AAMD,uDA4BC;AAGD,2DAIC"}
+{"version":3,"file":"include.d.ts","sourceRoot":"","sources":["../src/include.js"],"names":[],"mappings":"AAyBA,gDAoCC;AAMD,uDA4BC;AAGD,2DAIC;AApFD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAKG"}

package/types/search.d.ts

@@ -2,7 +2,9 @@ export function applySearch(schema: any, definition: any): void;
 export function searchValidation(definition: any, options?: {}): {
     setup: any;
     getFields: any;
-    append(arg: import("@bedrockio/yada/types/Schema").default | import("@bedrockio/yada/types/object").SchemaMap): any;
+    append(arg: import("@bedrockio/yada/types/object").SchemaMap | import("@bedrockio/yada/types/Schema").default): any;
+    pick(...names?: string[]): any;
+    omit(...names?: string[]): any;
     format(name: any, fn: any): import("@bedrockio/yada/types/TypeSchema").default;
     toString(): any;
     assertions: any[];
@@ -20,6 +22,7 @@ export function searchValidation(definition: any, options?: {}): {
     validate(value: any, options?: {}): Promise<any>;
     clone(meta: any): any;
     toOpenApi(extra: any): any;
+    expandExtra(extra?: {}): {};
     assertEnum(set: any, allow: any): any;
     assert(type: any, fn: any): any;
     pushAssertion(assertion: any): void;

package/types/search.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"search.d.ts","sourceRoot":"","sources":["../src/search.js"],"names":[],"mappings":"AAmBA,gEAyDC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAwBC"}
+{"version":3,"file":"search.d.ts","sourceRoot":"","sources":["../src/search.js"],"names":[],"mappings":"AAmBA,gEAyDC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuBC"}

package/types/validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../src/validation.js"],"names":[],"mappings":"AAiEA,kDAEC;AAED,oEA2DC;AAaD,wEAeC;AAqOD;;;EAEC;AAED;;;EAOC;AArXD,8EAUK"}
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../src/validation.js"],"names":[],"mappings":"AAkEA,kDAEC;AAED,oEA6DC;AAaD,wEAkBC;AA0PD;;;EAEC;AAED;;;EAOC;AA/YD,8EAUK"}