@bedrockio/model 0.9.1 → 0.10.1

package/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 0.10.1
+
+- Fix to not expose details on unique constraint errors.
+
+## 0.10.0
+
+- Unique constraints now run sequentially and will not run on nested validations
+  unless their parent fields are passed.
+
 ## 0.9.1
 
 - Allowed deriving individual paths from a create schema.

package/README.md

@@ -9,9 +9,10 @@ Bedrock utilities for model creation.
 - [Schema Extensions](#schema-extensions)
   - [Attributes](#attributes)
   - [Scopes](#scopes)
-  - [Tuples](#tuples)
+  - [Unique Constraints](#unique-constraints)
   - [Array Extensions](#array-extensions)
   - [String Trimming](#string-trimming)
+  - [Tuples](#tuples)
 - [Modules](#modules)
   - [Soft Delete](#soft-delete)
   - [Validation](#validation)
@@ -214,8 +215,8 @@ type `Scope` helps make this possible:
     "readAccess": "none",
     "writeAccess": "none",
     "attributes": {
-      "firstName": "String",
-      "lastName": "String",
+      "token": "String",
+      "hashedPassword": "String",
     }
   }
 };
@@ -225,12 +226,12 @@ This syntax expands into the following:
 
 ```js
 {
-  "firstName": {
+  "token": {
     "type": "String",
     "readAccess": "none",
     "writeAccess": "none",
   },
-  "lastName": {
+  "hashedPassword": {
     "type": "String",
     "readAccess": "none",
     "writeAccess": "none",
@@ -437,9 +438,8 @@ an error:
 
 #### Unique Constraints
 
-Note that although monogoose allows a `unique` option on fields, this will add a
-unique index to the mongo collection itself which is incompatible with soft
-deletion.
+Although monogoose allows a `unique` option on fields, this will add a unique
+index to the mongo collection itself which is incompatible with soft deletion.
 
 This module will intercept `unique: true` to create a soft delete compatible
 validation which will:
@@ -462,7 +462,7 @@ validation which will:
 > unique field exists on any document **including the document being updated**.
 > This is an intentional constraint that allows `updateOne` better peformance by
 > not having to fetch the ids of the documents being updated in order to exclude
-> them. To avoid this call `Document.save` instead.
+> them. To avoid this call `Document#save` instead.
 >
 > Note also that calling `Model.updateMany` with a unique field passed will
 > always throw an error as the result would inherently be non-unique.
@@ -525,8 +525,8 @@ Named validations can be specified on the model:
 }
 ```
 
-Validator functions are derived from
-[yada](https://github.com/bedrockio/yada#methods). Note that:
+Validator functions are [yada](https://github.com/bedrockio/yada#methods)
+schemas. Note that:
 
 - `email` - Will additionally downcase any input.
 - `password` - Is not supported as it requires options to be passed and is not a
@@ -538,6 +538,19 @@ Validator functions are derived from
 - `max` - Defined instead directly on the field with `maxLength` for strings and
   `max` for numbers.
 
+Schemas may also be
+[merged together](https://github.com/bedrockio/yada#merging-fields) to produce
+new ones:
+
+```js
+import yd from '@bedrockio/yada';
+
+const signupSchema = yd.object({
+  ...User.getCreateSchema().export(),
+  additionalField: yd.string().required(),
+});
+```
+
 ### Search
 
 Models are extended with a `search` method that allows for complex searching:

package/dist/cjs/errors.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.ReferenceError = exports.PermissionsError = exports.ImplementationError = void 0;
+exports.UniqueConstraintError = exports.ReferenceError = exports.PermissionsError = exports.ImplementationError = void 0;
 class PermissionsError extends Error {}
 exports.PermissionsError = PermissionsError;
 class ImplementationError extends Error {
@@ -19,4 +19,17 @@ class ReferenceError extends Error {
     this.details = details;
   }
 }
-exports.ReferenceError = ReferenceError;
+exports.ReferenceError = ReferenceError;
+class UniqueConstraintError extends Error {
+  constructor(message, details) {
+    super(message);
+    this.details = details;
+  }
+  toJSON() {
+    return {
+      type: 'unique',
+      message: this.message
+    };
+  }
+}
+exports.UniqueConstraintError = UniqueConstraintError;

package/dist/cjs/soft-delete.js

@@ -5,16 +5,52 @@ Object.defineProperty(exports, "__esModule", {
 });
 exports.applySoftDelete = applySoftDelete;
 exports.assertUnique = assertUnique;
-exports.hasUniqueConstraints = hasUniqueConstraints;
-var _mongoose = _interopRequireDefault(require("mongoose"));
 var _lodash = require("lodash");
 var _query = require("./query");
-function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
+var _errors = require("./errors");
 function applySoftDelete(schema) {
   applyQueries(schema);
   applyUniqueConstraints(schema);
   applyHookPatch(schema);
 }
+async function assertUnique(options) {
+  let {
+    id,
+    model,
+    path,
+    value
+  } = options;
+  if (!value) {
+    return;
+  }
+  const field = Array.isArray(path) ? path.join('.') : path;
+  const query = {
+    [field]: value,
+    _id: {
+      $ne: id
+    }
+  };
+  const exists = await model.exists(query);
+  if (exists) {
+    const message = getUniqueErrorMessage(model, field);
+    throw new _errors.UniqueConstraintError(message, {
+      model,
+      field,
+      value
+    });
+  }
+}
+function getUniqueErrorMessage(model, field) {
+  const {
+    modelName
+  } = model;
+  if (modelName === 'User' && !field.includes('.')) {
+    const name = field === 'phone' ? 'phone number' : field;
+    return `A user with that ${name} already exists.`;
+  } else {
+    return `"${field}" already exists.`;
+  }
+}
 
 // Soft Delete Querying
 
@@ -235,20 +271,24 @@ function getWithDeletedQuery() {
 // Unique Constraints
 
 function applyUniqueConstraints(schema) {
-  const hasUnique = hasUniqueConstraints(schema);
-  if (!hasUnique) {
+  const uniquePaths = getUniqueConstraints(schema);
+  if (!uniquePaths.length) {
     return;
   }
   schema.pre('save', async function () {
-    await assertUnique(this, {
-      operation: this.isNew ? 'create' : 'update',
-      model: this.constructor,
-      schema
-    });
+    for (let path of uniquePaths) {
+      await assertUnique({
+        path,
+        id: this.id,
+        value: this.get(path),
+        model: this.constructor
+      });
+    }
   });
   schema.pre(/^(update|replace)/, async function () {
     await assertUniqueForQuery(this, {
-      schema
+      schema,
+      uniquePaths
     });
   });
   schema.pre('insertMany', async function (next, obj) {
@@ -258,54 +298,39 @@ function applyUniqueConstraints(schema) {
     // as the last argument, however as we are passing an async
     // function it appears to not stop the middleware if we
     // don't call it directly.
-    await assertUnique(obj, {
-      operation: 'create',
+
+    await runUniqueConstraints(obj, {
       model: this,
-      schema
+      uniquePaths
     });
   });
 }
-async function assertUnique(obj, options) {
+async function runUniqueConstraints(arg, options) {
   const {
-    operation,
-    model,
-    schema
+    uniquePaths,
+    model
   } = options;
-  const id = getId(obj);
-  const objFields = resolveUnique(schema, obj);
-  if (Object.keys(objFields).length === 0) {
-    return;
-  }
-  const query = {
-    $or: getUniqueQueries(objFields),
-    ...(id && {
-      _id: {
-        $ne: id
+  // Updates or inserts
+  const operations = Array.isArray(arg) ? arg : [arg];
+  for (let operation of operations) {
+    for (let path of uniquePaths) {
+      const value = operation[path];
+      if (value) {
+        await assertUnique({
+          path,
+          value,
+          model
+        });
       }
-    })
-  };
-  const found = await model.findOne(query, {}, {
-    lean: true
-  });
-  if (found) {
-    const {
-      modelName
-    } = model;
-    const foundFields = resolveUnique(schema, found);
-    const collisions = getCollisions(objFields, foundFields).join(', ');
-    throw new Error(`Cannot ${operation} ${modelName}. Duplicate fields exist: ${collisions}.`);
+    }
   }
 }
-function getId(arg) {
-  const id = arg.id || arg._id;
-  return id ? String(id) : null;
-}
 
 // Asserts than an update or insert query will not
 // result in duplicate unique fields being present
 // within non-deleted documents.
 async function assertUniqueForQuery(query, options) {
-  let update = query.getUpdate();
+  const update = query.getUpdate();
   const operation = getOperationForQuery(update);
   // Note: No need to check unique constraints
   // if the operation is a delete.
@@ -314,6 +339,7 @@ async function assertUniqueForQuery(query, options) {
       model
     } = query;
     const filter = query.getFilter();
+    let updates;
     if (operation === 'restore') {
       // A restore operation is functionally identical to a new
       // insert so we need to fetch the deleted documents with
@@ -321,18 +347,30 @@ async function assertUniqueForQuery(query, options) {
       const docs = await model.findWithDeleted(filter, {}, {
         lean: true
       });
-      update = docs.map(doc => {
+      updates = docs.map(doc => {
         return {
           ...doc,
           ...update
         };
       });
+    } else {
+      updates = [update];
+    }
+    const {
+      uniquePaths
+    } = options;
+    for (let update of updates) {
+      for (let path of uniquePaths) {
+        const value = update[path];
+        if (value) {
+          await assertUnique({
+            path,
+            value,
+            model
+          });
+        }
+      }
     }
-    await assertUnique(update, {
-      ...options,
-      operation,
-      model
-    });
   }
 }
 function getOperationForQuery(update) {
@@ -344,9 +382,9 @@ function getOperationForQuery(update) {
     return 'update';
   }
 }
-function hasUniqueConstraints(schema) {
+function getUniqueConstraints(schema) {
   const paths = [...Object.keys(schema.paths), ...Object.keys(schema.subpaths)];
-  return paths.some(key => {
+  return paths.filter(key => {
     return isUniquePath(schema, key);
   });
 }
@@ -354,67 +392,6 @@ function isUniquePath(schema, key) {
   return schema.path(key)?.options?.softUnique === true;
 }
 
-// Returns a flattened map of key -> [...values]
-// consisting of only paths defined as unique on the schema.
-function resolveUnique(schema, obj, map = {}, path = []) {
-  if (Array.isArray(obj)) {
-    for (let el of obj) {
-      resolveUnique(schema, el, map, path);
-    }
-  } else if (obj instanceof _mongoose.default.Document) {
-    obj.schema.eachPath(key => {
-      const val = obj.get(key);
-      resolveUnique(schema, val, map, [...path, key]);
-    });
-  } else if (obj && typeof obj === 'object') {
-    for (let [key, val] of Object.entries(obj)) {
-      resolveUnique(schema, val, map, [...path, key]);
-    }
-  } else if (obj) {
-    const key = path.join('.');
-    if (isUniquePath(schema, key)) {
-      map[key] ||= [];
-      map[key].push(obj);
-    }
-  }
-  return map;
-}
-
-// Argument is guaranteed to be flattened.
-function getUniqueQueries(obj) {
-  return Object.entries(obj).map(([key, val]) => {
-    if (val.length > 1) {
-      return {
-        [key]: {
-          $in: val
-        }
-      };
-    } else {
-      return {
-        [key]: val[0]
-      };
-    }
-  });
-}
-
-// Both arguments here are guaranteed to be flattened
-// maps of key -> [values] of unique fields only.
-function getCollisions(obj1, obj2) {
-  const collisions = [];
-  for (let [key, arr1] of Object.entries(obj1)) {
-    const arr2 = obj2[key];
-    if (arr2) {
-      const hasCollision = arr1.some(val => {
-        return arr2.includes(val);
-      });
-      if (hasCollision) {
-        collisions.push(key);
-      }
-    }
-  }
-  return collisions;
-}
-
 // Hook Patch
 
 function applyHookPatch(schema) {

package/dist/cjs/validation.js

@@ -14,8 +14,8 @@ var _yada = _interopRequireDefault(require("@bedrockio/yada"));
 var _lodash = require("lodash");
 var _access = require("./access");
 var _search = require("./search");
-var _errors = require("./errors");
 var _softDelete = require("./soft-delete");
+var _errors = require("./errors");
 var _utils = require("./utils");
 var _include = require("./include");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
@@ -75,7 +75,6 @@ function addValidators(schemas) {
   Object.assign(NAMED_SCHEMAS, schemas);
 }
 function applyValidation(schema, definition) {
-  const hasUnique = (0, _softDelete.hasUniqueConstraints)(schema);
   schema.static('getCreateValidation', function getCreateValidation(options = {}) {
     const {
       allowInclude,
@@ -90,13 +89,7 @@ function applyValidation(schema, definition) {
       stripTimestamps: true,
       allowDefaultTags: true,
       allowExpandedRefs: true,
-      requireWriteAccess: true,
-      ...(hasUnique && {
-        assertUniqueOptions: {
-          schema,
-          operation: 'create'
-        }
-      })
+      requireWriteAccess: true
     });
   });
   schema.static('getUpdateValidation', function getUpdateValidation(options = {}) {
@@ -115,13 +108,7 @@ function applyValidation(schema, definition) {
       stripTimestamps: true,
       allowExpandedRefs: true,
       requireWriteAccess: true,
-      updateAccess: definition.access?.update,
-      ...(hasUnique && {
-        assertUniqueOptions: {
-          schema,
-          operation: 'update'
-        }
-      })
+      updateAccess: definition.access?.update
     });
   });
   schema.static('getSearchValidation', function getSearchValidation(options = {}) {
@@ -192,21 +179,10 @@ function getMongooseFields(schema, options) {
 function getValidationSchema(attributes, options = {}) {
   const {
     appendSchema,
-    assertUniqueOptions,
     allowInclude,
     updateAccess
   } = options;
   let schema = getObjectSchema(attributes, options);
-  if (assertUniqueOptions) {
-    schema = schema.custom(async (obj, {
-      root
-    }) => {
-      await (0, _softDelete.assertUnique)(root, {
-        model: options.model,
-        ...assertUniqueOptions
-      });
-    });
-  }
   if (appendSchema) {
     schema = schema.append(appendSchema);
   }
@@ -353,6 +329,22 @@ function getSchemaForTypedef(typedef, options = {}) {
   if (typedef.writeAccess && options.requireWriteAccess) {
     schema = validateAccess('write', schema, typedef.writeAccess, options);
   }
+  if (typedef.softUnique) {
+    schema = schema.custom(async (value, {
+      path,
+      originalRoot
+    }) => {
+      const {
+        id
+      } = originalRoot;
+      await (0, _softDelete.assertUnique)({
+        ...options,
+        value,
+        path,
+        id
+      });
+    });
+  }
   return schema;
 }
 function getSchemaForType(type, options) {
@@ -507,7 +499,9 @@ function validateAccess(type, schema, allowed, options) {
           // throw the error.
           return;
         }
-        message ||= `Field "${path.join('.')}" requires ${type} permissions.`;
+
+        // Default to not exposing the existence of this field.
+        message ||= `Unknown field "${path.join('.')}".`;
       }
       throw new _errors.PermissionsError(message);
     }

package/eslint.config.js

@@ -0,0 +1,3 @@
+import { jest, recommended, nodeImports } from '@bedrockio/eslint-plugin';
+
+export default [jest, recommended, nodeImports];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrockio/model",
-  "version": "0.9.1",
+  "version": "0.10.1",
   "description": "Bedrock utilities for model creation.",
   "type": "module",
   "scripts": {
@@ -37,11 +37,11 @@
     "@babel/cli": "^7.26.4",
     "@babel/core": "^7.26.0",
     "@babel/preset-env": "^7.26.0",
+    "@bedrockio/eslint-plugin": "^1.1.7",
     "@bedrockio/prettier-config": "^1.0.2",
-    "@bedrockio/yada": "^1.3.0",
+    "@bedrockio/yada": "^1.4.1",
     "@shelf/jest-mongodb": "^4.3.2",
-    "eslint": "^8.33.0",
-    "eslint-plugin-bedrock": "^1.0.26",
+    "eslint": "^9.19.0",
     "jest": "^29.7.0",
     "jest-environment-node": "^29.7.0",
     "mongodb": "^6.12.0",
@@ -49,11 +49,9 @@
     "prettier": "^3.4.2",
     "typescript": "^5.7.2"
   },
-  "resolutions": {
-    "whatwg-url": "14.1.0"
-  },
+  "prettier": "@bedrockio/prettier-config",
   "volta": {
-    "node": "22.13.0",
+    "node": "23.7.0",
     "yarn": "1.22.22"
   }
 }

package/src/delete-hooks.js

@@ -147,7 +147,7 @@ async function errorOnForeignReferences(doc, options) {
           {
             [path]: doc.id,
           },
-          { _id: 1 }
+          { _id: 1 },
         )
         .lean();
 
@@ -226,7 +226,7 @@ function getModelReferences(model, targetName) {
         refs = model.schema.path(refPath).options.enum;
       } else {
         throw new Error(
-          `Cannot derive refs for ${model.modelName}#${schemaPath}.`
+          `Cannot derive refs for ${model.modelName}#${schemaPath}.`,
         );
       }
       if (refs.includes(targetName)) {

package/src/disallowed.js

@@ -4,7 +4,7 @@ export function applyDisallowed(schema) {
   schema.method('deleteOne', function () {
     warn(
       'The "deleteOne" method on documents is disallowed due to ambiguity',
-      'Use either "delete" or "deleteOne" on the model.'
+      'Use either "delete" or "deleteOne" on the model.',
     );
     throw new Error('Method not allowed.');
   });
@@ -12,7 +12,7 @@ export function applyDisallowed(schema) {
   schema.static('findOneAndRemove', function () {
     warn(
       'The "findOneAndRemove" method on models is disallowed due to ambiguity.',
-      'To permanently delete a document use "findOneAndDestroy", otherwise "findOneAndDelete".'
+      'To permanently delete a document use "findOneAndDestroy", otherwise "findOneAndDelete".',
     );
     throw new Error('Method not allowed.');
   });
@@ -20,14 +20,14 @@ export function applyDisallowed(schema) {
   schema.static('findByIdAndRemove', function () {
     warn(
       'The "findByIdAndRemove" method on models is disallowed due to ambiguity.',
-      'To permanently delete a document use "findByIdAndDestroy", otherwise "findByIdAndDelete".'
+      'To permanently delete a document use "findByIdAndDestroy", otherwise "findByIdAndDelete".',
     );
     throw new Error('Method not allowed.');
   });
 
   schema.static('count', function () {
     warn(
-      'The "count" method on models is deprecated. Use "countDocuments" instead.'
+      'The "count" method on models is deprecated. Use "countDocuments" instead.',
     );
     throw new Error('Method not allowed.');
   });

package/src/errors.js

@@ -13,3 +13,17 @@ export class ReferenceError extends Error {
     this.details = details;
   }
 }
+
+export class UniqueConstraintError extends Error {
+  constructor(message, details) {
+    super(message);
+    this.details = details;
+  }
+
+  toJSON() {
+    return {
+      type: 'unique',
+      message: this.message,
+    };
+  }
+}

package/src/include.js

@@ -21,7 +21,7 @@ const DESCRIPTION = 'Field to be selected or populated.';
 export const INCLUDE_FIELD_SCHEMA = yd.object({
   include: yd.allow(
     yd.string().description(DESCRIPTION),
-    yd.array(yd.string().description(DESCRIPTION))
+    yd.array(yd.string().description(DESCRIPTION)),
   ),
 });
 
@@ -58,7 +58,7 @@ export function applyInclude(schema) {
         await doc.include(include);
       }
       return doc;
-    }
+    },
   );
 
   // Synchronous method assigns the includes to locals.

package/src/slug.js

@@ -13,7 +13,7 @@ export function applySlug(schema) {
       return find(this, str, args, {
         deleted: true,
       });
-    }
+    },
   );
 
   schema.static(
@@ -22,7 +22,7 @@ export function applySlug(schema) {
       return find(this, str, args, {
         deleted: { $in: [true, false] },
       });
-    }
+    },
   );
 }
 
@@ -42,6 +42,6 @@ function find(Model, str, args, deleted) {
       ...deleted,
       ...query,
     },
-    ...args
+    ...args,
   );
 }

package/src/soft-delete.js

@@ -1,7 +1,7 @@
-import mongoose from 'mongoose';
 import { isEqual } from 'lodash';
 
 import { wrapQuery } from './query';
+import { UniqueConstraintError } from './errors';
 
 export function applySoftDelete(schema) {
   applyQueries(schema);
@@ -9,6 +9,41 @@ export function applySoftDelete(schema) {
   applyHookPatch(schema);
 }
 
+export async function assertUnique(options) {
+  let { id, model, path, value } = options;
+
+  if (!value) {
+    return;
+  }
+
+  const field = Array.isArray(path) ? path.join('.') : path;
+
+  const query = {
+    [field]: value,
+    _id: { $ne: id },
+  };
+
+  const exists = await model.exists(query);
+  if (exists) {
+    const message = getUniqueErrorMessage(model, field);
+    throw new UniqueConstraintError(message, {
+      model,
+      field,
+      value,
+    });
+  }
+}
+
+function getUniqueErrorMessage(model, field) {
+  const { modelName } = model;
+  if (modelName === 'User' && !field.includes('.')) {
+    const name = field === 'phone' ? 'phone number' : field;
+    return `A user with that ${name} already exists.`;
+  } else {
+    return `"${field}" already exists.`;
+  }
+}
+
 // Soft Delete Querying
 
 function applyQueries(schema) {
@@ -58,7 +93,7 @@ function applyQueries(schema) {
         deleted: false,
       },
       update,
-      ...omitCallback(rest)
+      ...omitCallback(rest),
     );
     return wrapQuery(query, async (promise) => {
       const res = await promise;
@@ -77,7 +112,7 @@ function applyQueries(schema) {
         deleted: false,
       },
       update,
-      ...omitCallback(rest)
+      ...omitCallback(rest),
     );
     return wrapQuery(query, async (promise) => {
       const res = await promise;
@@ -95,7 +130,7 @@ function applyQueries(schema) {
         deleted: false,
       },
       getDelete(),
-      ...omitCallback(rest)
+      ...omitCallback(rest),
     );
   });
 
@@ -106,7 +141,7 @@ function applyQueries(schema) {
         deleted: true,
       },
       getRestore(),
-      ...omitCallback(rest)
+      ...omitCallback(rest),
     );
     return wrapQuery(query, async (promise) => {
       const res = await promise;
@@ -124,7 +159,7 @@ function applyQueries(schema) {
         deleted: true,
       },
       getRestore(),
-      ...omitCallback(rest)
+      ...omitCallback(rest),
     );
     return wrapQuery(query, async (promise) => {
       const res = await promise;
@@ -139,7 +174,7 @@ function applyQueries(schema) {
     // Following Mongoose patterns here
     const query = new this.Query({}, {}, this, this.collection).deleteOne(
       conditions,
-      ...omitCallback(rest)
+      ...omitCallback(rest),
     );
     return wrapQuery(query, async (promise) => {
       const res = await promise;
@@ -154,7 +189,7 @@ function applyQueries(schema) {
     // Following Mongoose patterns here
     const query = new this.Query({}, {}, this, this.collection).deleteMany(
       conditions,
-      ...omitCallback(rest)
+      ...omitCallback(rest),
     );
     return wrapQuery(query, async (promise) => {
       const res = await promise;
@@ -205,7 +240,7 @@ function applyQueries(schema) {
         deleted: true,
       };
       return this.countDocuments(filter, ...omitCallback(rest));
-    }
+    },
   );
 
   schema.static('findWithDeleted', function findWithDeleted(filter, ...rest) {
@@ -224,7 +259,7 @@ function applyQueries(schema) {
         ...getWithDeletedQuery(),
       };
       return this.findOne(filter, ...omitCallback(rest));
-    }
+    },
   );
 
   schema.static(
@@ -235,7 +270,7 @@ function applyQueries(schema) {
         ...getWithDeletedQuery(),
       };
       return this.findOne(filter, ...omitCallback(rest));
-    }
+    },
   );
 
   schema.static(
@@ -246,7 +281,7 @@ function applyQueries(schema) {
         ...getWithDeletedQuery(),
       };
       return this.exists(filter, ...omitCallback(rest));
-    }
+    },
   );
 
   schema.static(
@@ -257,7 +292,7 @@ function applyQueries(schema) {
         ...getWithDeletedQuery(),
       };
       return this.countDocuments(filter, ...omitCallback(rest));
-    }
+    },
   );
 }
 
@@ -284,23 +319,27 @@ function getWithDeletedQuery() {
 // Unique Constraints
 
 function applyUniqueConstraints(schema) {
-  const hasUnique = hasUniqueConstraints(schema);
+  const uniquePaths = getUniqueConstraints(schema);
 
-  if (!hasUnique) {
+  if (!uniquePaths.length) {
     return;
   }
 
   schema.pre('save', async function () {
-    await assertUnique(this, {
-      operation: this.isNew ? 'create' : 'update',
-      model: this.constructor,
-      schema,
-    });
+    for (let path of uniquePaths) {
+      await assertUnique({
+        path,
+        id: this.id,
+        value: this.get(path),
+        model: this.constructor,
+      });
+    }
   });
 
   schema.pre(/^(update|replace)/, async function () {
     await assertUniqueForQuery(this, {
       schema,
+      uniquePaths,
     });
   });
 
@@ -311,71 +350,73 @@ function applyUniqueConstraints(schema) {
     // as the last argument, however as we are passing an async
     // function it appears to not stop the middleware if we
     // don't call it directly.
-    await assertUnique(obj, {
-      operation: 'create',
+
+    await runUniqueConstraints(obj, {
       model: this,
-      schema,
+      uniquePaths,
     });
   });
 }
 
-export async function assertUnique(obj, options) {
-  const { operation, model, schema } = options;
-  const id = getId(obj);
-  const objFields = resolveUnique(schema, obj);
-  if (Object.keys(objFields).length === 0) {
-    return;
-  }
-  const query = {
-    $or: getUniqueQueries(objFields),
-    ...(id && {
-      _id: { $ne: id },
-    }),
-  };
-  const found = await model.findOne(query, {}, { lean: true });
-  if (found) {
-    const { modelName } = model;
-    const foundFields = resolveUnique(schema, found);
-    const collisions = getCollisions(objFields, foundFields).join(', ');
-    throw new Error(
-      `Cannot ${operation} ${modelName}. Duplicate fields exist: ${collisions}.`
-    );
+async function runUniqueConstraints(arg, options) {
+  const { uniquePaths, model } = options;
+  // Updates or inserts
+  const operations = Array.isArray(arg) ? arg : [arg];
+  for (let operation of operations) {
+    for (let path of uniquePaths) {
+      const value = operation[path];
+      if (value) {
+        await assertUnique({
+          path,
+          value,
+          model,
+        });
+      }
+    }
   }
 }
 
-function getId(arg) {
-  const id = arg.id || arg._id;
-  return id ? String(id) : null;
-}
-
 // Asserts than an update or insert query will not
 // result in duplicate unique fields being present
 // within non-deleted documents.
 async function assertUniqueForQuery(query, options) {
-  let update = query.getUpdate();
+  const update = query.getUpdate();
   const operation = getOperationForQuery(update);
   // Note: No need to check unique constraints
   // if the operation is a delete.
   if (operation === 'restore' || operation === 'update') {
     const { model } = query;
     const filter = query.getFilter();
+
+    let updates;
     if (operation === 'restore') {
       // A restore operation is functionally identical to a new
       // insert so we need to fetch the deleted documents with
       // all fields available to check against.
       const docs = await model.findWithDeleted(filter, {}, { lean: true });
-      update = docs.map((doc) => {
+      updates = docs.map((doc) => {
         return {
           ...doc,
           ...update,
         };
       });
+    } else {
+      updates = [update];
+    }
+
+    const { uniquePaths } = options;
+    for (let update of updates) {
+      for (let path of uniquePaths) {
+        const value = update[path];
+        if (value) {
+          await assertUnique({
+            path,
+            value,
+            model,
+          });
+        }
+      }
     }
-    await assertUnique(update, {
-      ...options,
-      operation,
-      model,
-    });
   }
 }
 
@@ -389,9 +430,9 @@ function getOperationForQuery(update) {
   }
 }
 
-export function hasUniqueConstraints(schema) {
+function getUniqueConstraints(schema) {
   const paths = [...Object.keys(schema.paths), ...Object.keys(schema.subpaths)];
-  return paths.some((key) => {
+  return paths.filter((key) => {
     return isUniquePath(schema, key);
   });
 }
@@ -400,61 +441,6 @@ function isUniquePath(schema, key) {
   return schema.path(key)?.options?.softUnique === true;
 }
 
-// Returns a flattened map of key -> [...values]
-// consisting of only paths defined as unique on the schema.
-function resolveUnique(schema, obj, map = {}, path = []) {
-  if (Array.isArray(obj)) {
-    for (let el of obj) {
-      resolveUnique(schema, el, map, path);
-    }
-  } else if (obj instanceof mongoose.Document) {
-    obj.schema.eachPath((key) => {
-      const val = obj.get(key);
-      resolveUnique(schema, val, map, [...path, key]);
-    });
-  } else if (obj && typeof obj === 'object') {
-    for (let [key, val] of Object.entries(obj)) {
-      resolveUnique(schema, val, map, [...path, key]);
-    }
-  } else if (obj) {
-    const key = path.join('.');
-    if (isUniquePath(schema, key)) {
-      map[key] ||= [];
-      map[key].push(obj);
-    }
-  }
-  return map;
-}
-
-// Argument is guaranteed to be flattened.
-function getUniqueQueries(obj) {
-  return Object.entries(obj).map(([key, val]) => {
-    if (val.length > 1) {
-      return { [key]: { $in: val } };
-    } else {
-      return { [key]: val[0] };
-    }
-  });
-}
-
-// Both arguments here are guaranteed to be flattened
-// maps of key -> [values] of unique fields only.
-function getCollisions(obj1, obj2) {
-  const collisions = [];
-  for (let [key, arr1] of Object.entries(obj1)) {
-    const arr2 = obj2[key];
-    if (arr2) {
-      const hasCollision = arr1.some((val) => {
-        return arr2.includes(val);
-      });
-      if (hasCollision) {
-        collisions.push(key);
-      }
-    }
-  }
-  return collisions;
-}
-
 // Hook Patch
 
 function applyHookPatch(schema) {

package/src/validation.js

@@ -5,8 +5,8 @@ import { get, omit, lowerFirst } from 'lodash';
 
 import { hasAccess } from './access';
 import { searchValidation } from './search';
+import { assertUnique } from './soft-delete';
 import { PermissionsError, ImplementationError } from './errors';
-import { hasUniqueConstraints, assertUnique } from './soft-delete';
 import { isMongooseSchema, isSchemaTypedef } from './utils';
 import { INCLUDE_FIELD_SCHEMA } from './include';
 
@@ -38,7 +38,7 @@ const REFERENCE_SCHEMA = yd
       })
       .custom((obj) => {
         return obj.id;
-      })
+      }),
   )
   .message('Must be an id or object containing an "id" field.')
   .tag({
@@ -87,8 +87,6 @@ export function addValidators(schemas) {
 }
 
 export function applyValidation(schema, definition) {
-  const hasUnique = hasUniqueConstraints(schema);
-
   schema.static(
     'getCreateValidation',
     function getCreateValidation(options = {}) {
@@ -103,14 +101,8 @@ export function applyValidation(schema, definition) {
         allowDefaultTags: true,
         allowExpandedRefs: true,
         requireWriteAccess: true,
-        ...(hasUnique && {
-          assertUniqueOptions: {
-            schema,
-            operation: 'create',
-          },
-        }),
       });
-    }
+    },
   );
 
   schema.static(
@@ -129,14 +121,8 @@ export function applyValidation(schema, definition) {
         allowExpandedRefs: true,
         requireWriteAccess: true,
         updateAccess: definition.access?.update,
-        ...(hasUnique && {
-          assertUniqueOptions: {
-            schema,
-            operation: 'update',
-          },
-        }),
       });
-    }
+    },
   );
 
   schema.static(
@@ -160,7 +146,7 @@ export function applyValidation(schema, definition) {
           appendSchema,
         }),
       });
-    }
+    },
   );
 
   schema.static('getDeleteValidation', function getDeleteValidation() {
@@ -205,17 +191,10 @@ function getMongooseFields(schema, options) {
 
 // Exported for testing
 export function getValidationSchema(attributes, options = {}) {
-  const { appendSchema, assertUniqueOptions, allowInclude, updateAccess } =
-    options;
+  const { appendSchema, allowInclude, updateAccess } = options;
+
   let schema = getObjectSchema(attributes, options);
-  if (assertUniqueOptions) {
-    schema = schema.custom(async (obj, { root }) => {
-      await assertUnique(root, {
-        model: options.model,
-        ...assertUniqueOptions,
-      });
-    });
-  }
+
   if (appendSchema) {
     schema = schema.append(appendSchema);
   }
@@ -374,6 +353,18 @@ function getSchemaForTypedef(typedef, options = {}) {
     schema = validateAccess('write', schema, typedef.writeAccess, options);
   }
 
+  if (typedef.softUnique) {
+    schema = schema.custom(async (value, { path, originalRoot }) => {
+      const { id } = originalRoot;
+      await assertUnique({
+        ...options,
+        value,
+        path,
+        id,
+      });
+    });
+  }
+
   return schema;
 }
 
@@ -423,10 +414,10 @@ function getSearchSchema(schema, type) {
             'x-schema': 'NumberRange',
             'x-description':
               'An object representing numbers falling within a range.',
-          })
+          }),
       )
       .description(
-        'Allows searching by a value, array of values, or a numeric range.'
+        'Allows searching by a value, array of values, or a numeric range.',
       );
   } else if (type === 'Date') {
     return yd
@@ -468,7 +459,7 @@ function getSearchSchema(schema, type) {
             'x-schema': 'DateRange',
             'x-description':
               'An object representing dates falling within a range.',
-          })
+          }),
       )
       .description('Allows searching by a date, array of dates, or a range.');
   } else if (type === 'String' || type === 'ObjectId') {
@@ -543,7 +534,7 @@ function validateAccess(type, schema, allowed, options) {
           isAllowed = false;
         } else {
           throw new Error(
-            `Access validation "${error.name}" requires passing { document, authUser } to the validator.`
+            `Access validation "${error.name}" requires passing { document, authUser } to the validator.`,
           );
         }
       } else {
@@ -560,7 +551,9 @@ function validateAccess(type, schema, allowed, options) {
           // throw the error.
           return;
         }
-        message ||= `Field "${path.join('.')}" requires ${type} permissions.`;
+
+        // Default to not exposing the existence of this field.
+        message ||= `Unknown field "${path.join('.')}".`;
       }
       throw new PermissionsError(message);
     }

package/types/errors.d.ts

@@ -8,4 +8,12 @@ export class ReferenceError extends Error {
     constructor(message: any, details: any);
     details: any;
 }
+export class UniqueConstraintError extends Error {
+    constructor(message: any, details: any);
+    details: any;
+    toJSON(): {
+        type: string;
+        message: string;
+    };
+}
 //# sourceMappingURL=errors.d.ts.map

package/types/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.js"],"names":[],"mappings":"AAAA;CAA8C;AAE9C;IACE,uBAGC;IADC,UAAgB;CAEnB;AAED;IACE,wCAGC;IADC,aAAsB;CAEzB"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.js"],"names":[],"mappings":"AAAA;CAA8C;AAE9C;IACE,uBAGC;IADC,UAAgB;CAEnB;AAED;IACE,wCAGC;IADC,aAAsB;CAEzB;AAED;IACE,wCAGC;IADC,aAAsB;IAGxB;;;MAKC;CACF"}

package/types/include.d.ts

@@ -4,11 +4,13 @@ export function getParams(modelName: any, arg: any): any;
 export function getDocumentParams(doc: any, arg: any, options?: {}): any;
 export const INCLUDE_FIELD_SCHEMA: {
     setup(): void;
-    getFields(): any;
-    append(arg: import("@bedrockio/yada/types/object").SchemaMap | import("@bedrockio/yada/types/Schema").default): /*elided*/ any;
     get(path?: string | Array<string>): any;
+    unwind(path?: string | Array<string>): any;
     pick(...names?: string[]): /*elided*/ any;
     omit(...names?: string[]): /*elided*/ any;
+    require(...fields: string[]): /*elided*/ any;
+    export(): any;
+    append(arg: import("@bedrockio/yada/types/object").SchemaMap | import("@bedrockio/yada/types/Schema").default): /*elided*/ any;
     format(name: any, fn: any): /*elided*/ any;
     toString(): any;
     assertions: any[];

package/types/include.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"include.d.ts","sourceRoot":"","sources":["../src/include.js"],"names":[],"mappings":"AA2BA,gDAuEC;AAMD,uDA4BC;AAGD,yDAIC;AAaD,yEAUC;AA9ID;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eAsDoB,CAAC;;;;;;;;;;;;;;;;;EAjDlB"}
+{"version":3,"file":"include.d.ts","sourceRoot":"","sources":["../src/include.js"],"names":[],"mappings":"AA2BA,gDAuEC;AAMD,uDA4BC;AAGD,yDAIC;AAaD,yEAUC;AA9ID;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eAsDsB,CAAC;;;;;;;;;;;;;;;;;EAjDpB"}

package/types/search.d.ts

@@ -1,11 +1,13 @@
 export function applySearch(schema: any, definition: any): void;
 export function searchValidation(options?: {}): {
     setup(): void;
-    getFields(): any;
-    append(arg: import("@bedrockio/yada/types/object").SchemaMap | import("@bedrockio/yada/types/Schema").default): /*elided*/ any;
     get(path?: string | Array<string>): any;
+    unwind(path?: string | Array<string>): any;
     pick(...names?: string[]): /*elided*/ any;
     omit(...names?: string[]): /*elided*/ any;
+    require(...fields: string[]): /*elided*/ any;
+    export(): any;
+    append(arg: import("@bedrockio/yada/types/object").SchemaMap | import("@bedrockio/yada/types/Schema").default): /*elided*/ any;
     format(name: any, fn: any): /*elided*/ any;
     toString(): any;
     assertions: any[];

package/types/search.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"search.d.ts","sourceRoot":"","sources":["../src/search.js"],"names":[],"mappings":"AAsBA,gEAwDC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eAWS,CAAA;;;;;;;;;;;;;;;;;EAcR"}
+{"version":3,"file":"search.d.ts","sourceRoot":"","sources":["../src/search.js"],"names":[],"mappings":"AAsBA,gEAwDC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eAWY,CAAC;;;;;;;;;;;;;;;;;EAcZ"}

package/types/soft-delete.d.ts

@@ -1,4 +1,3 @@
 export function applySoftDelete(schema: any): void;
-export function assertUnique(obj: any, options: any): Promise<void>;
-export function hasUniqueConstraints(schema: any): boolean;
+export function assertUnique(options: any): Promise<void>;
 //# sourceMappingURL=soft-delete.d.ts.map

package/types/soft-delete.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"soft-delete.d.ts","sourceRoot":"","sources":["../src/soft-delete.js"],"names":[],"mappings":"AAKA,mDAIC;AAwTD,oEAsBC;AAgDD,2DAKC"}
+{"version":3,"file":"soft-delete.d.ts","sourceRoot":"","sources":["../src/soft-delete.js"],"names":[],"mappings":"AAKA,mDAIC;AAED,0DAuBC"}

package/types/validation.d.ts

@@ -84,7 +84,7 @@ export const OBJECT_ID_SCHEMA: {
     options(options: any): /*elided*/ any;
     validate(value: any, options?: {}): Promise<any>;
     clone(meta: any): /*elided*/ any;
-    append(schema: any): /*elided*/ any;
+    append(schema: any): import("@bedrockio/yada/types/Schema").default;
     toOpenApi(extra: any): any;
     getAnyType(): {
         type: string[];

package/types/validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../src/validation.js"],"names":[],"mappings":"AAoFA,kDAEC;AAED,oEAgGC;AAsBD,wEA2BC;AAkVD;;;EAEC;AAED;;;EAOC;AApjBD;;;;;;;;;;;;;;;;eAwBE,CAAF;;;;;;;;;;;;iBAcmC,CAAC;kBAC3B,CAAC;kBAEH,CAAC;oBACA,CAAC;oBACF,CAAC;;;wBAkBkB,CAAC;8BAEf,CAAC;oBAGD,CAAC;oBACV,CAAC;oCAGG,CAAC;uBAAkC,CAAC;8BACb,CAAC;uBAEjB,CAAC;iBAEX,CAAJ;;;mBAa6B,CAAC;yBAEjB,CAAC;0BAEN,CAAF;yBAKE,CAAC;sBACgB,CAAC;yBACS,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eAhDxB,CAAC;;;;;;;;;;;;;;;;;;EA3CR"}
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../src/validation.js"],"names":[],"mappings":"AAoFA,kDAEC;AAED,oEAkFC;AAsBD,wEAoBC;AAgWD;;;EAEC;AAED;;;EAOC;AA7iBD;;;;;;;;;;;;;;;;eAwBoB,CAAC;;;;;;;;;;;;iBAenB,CAAA;kBAEA,CAAF;kBAA4B,CAAC;oBACA,CAAC;oBAE5B,CAAC;;;wBAkBc,CAAC;8BAIjB,CAAC;oBAA+B,CAAC;oBACV,CAAC;oCAGG,CAAC;uBACpB,CAAC;8BAEH,CAAC;uBAAmC,CAAA;iBACrB,CAAC;;;mBAkBX,CAAC;yBAAoC,CAAC;0BACpB,CAAC;yBAEvB,CAAN;sBACW,CAAC;yBAEN,CAAJ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eA9CC,CAAC;;;;;;;;;;;;;;;;;;EA5CD"}

package/.prettierrc.cjs

@@ -1 +0,0 @@
-module.exports = require('@bedrockio/prettier-config');