@classytic/mongokit 3.0.3 → 3.0.5

package/dist/utils/index.d.ts

@@ -1,113 +1,6 @@
-export { b as createError, c as createFieldPreset, d as createMemoryCache, f as filterResponseData, g as getFieldsForUser, a as getMongooseProjection } from '../memory-cache-Bn_-Kk-0.js';
-import { v as ParsedQuery, x as SchemaBuilderOptions, y as CrudSchemas, V as ValidationResult, S as SelectSpec, g as PopulateSpec, h as SortSpec } from '../types-B3dPUKjs.js';
-import mongoose__default, { Schema } from 'mongoose';
-
-/**
- * Query Parser
- *
- * Parses HTTP query parameters into MongoDB-compatible query objects.
- * Supports operators, pagination, sorting, and filtering.
- */
-
-declare class QueryParser {
-    private operators;
-    /**
-     * Dangerous MongoDB operators that should never be accepted from user input
-     * Security: Prevent NoSQL injection attacks
-     */
-    private dangerousOperators;
-    /**
-     * Parse query parameters into MongoDB query format
-     */
-    parseQuery(query: Record<string, unknown> | null | undefined): ParsedQuery;
-    /**
-     * Parse sort parameter
-     * Converts string like '-createdAt' to { createdAt: -1 }
-     * Handles multiple sorts: '-createdAt,name' → { createdAt: -1, name: 1 }
-     */
-    private _parseSort;
-    /**
-     * Parse standard filter parameter (filter[field]=value)
-     */
-    private _parseFilters;
-    /**
-     * Handle operator syntax: field[operator]=value
-     */
-    private _handleOperatorSyntax;
-    /**
-     * Handle bracket syntax with object value
-     */
-    private _handleBracketSyntax;
-    /**
-     * Convert operator to MongoDB format
-     */
-    private _toMongoOperator;
-    /**
-     * Convert values based on operator type
-     */
-    private _convertValue;
-    /**
-     * Parse $or conditions
-     */
-    private _parseOr;
-    /**
-     * Enhance filters with between operator
-     */
-    private _enhanceWithBetween;
-}
-declare const _default: QueryParser;
-
-/**
- * Mongoose to JSON Schema Converter with Field Rules
- *
- * Generates Fastify JSON schemas from Mongoose models with declarative field rules.
- *
- * Field Rules (options.fieldRules):
- * - immutable: Field cannot be updated (omitted from update schema)
- * - immutableAfterCreate: Alias for immutable
- * - systemManaged: System-only field (omitted from create/update)
- * - optional: Remove from required array
- *
- * Additional Options:
- * - strictAdditionalProperties: Set to true to add "additionalProperties: false" to schemas
- *   This makes Fastify reject unknown fields at validation level (default: false for backward compatibility)
- *
- * @example
- * buildCrudSchemasFromModel(Model, {
- *   strictAdditionalProperties: true, // Reject unknown fields
- *   fieldRules: {
- *     organizationId: { immutable: true },
- *     status: { systemManaged: true },
- *   },
- *   create: { omitFields: ['verifiedAt'] },
- *   update: { omitFields: ['customerId'] }
- * })
- */
-
-/**
- * Build CRUD schemas from Mongoose schema
- */
-declare function buildCrudSchemasFromMongooseSchema(mongooseSchema: Schema, options?: SchemaBuilderOptions): CrudSchemas;
-/**
- * Build CRUD schemas from Mongoose model
- */
-declare function buildCrudSchemasFromModel(mongooseModel: mongoose__default.Model<unknown>, options?: SchemaBuilderOptions): CrudSchemas;
-/**
- * Get fields that are immutable (cannot be updated)
- */
-declare function getImmutableFields(options?: SchemaBuilderOptions): string[];
-/**
- * Get fields that are system-managed (cannot be set by users)
- */
-declare function getSystemManagedFields(options?: SchemaBuilderOptions): string[];
-/**
- * Check if field is allowed in update
- */
-declare function isFieldUpdateAllowed(fieldName: string, options?: SchemaBuilderOptions): boolean;
-/**
- * Validate update body against field rules
- */
-declare function validateUpdateBody(body?: Record<string, unknown>, options?: SchemaBuilderOptions): ValidationResult;
+export { F as FilterValue, O as OperatorMap, Q as QueryParser, b as QueryParserOptions, h as buildCrudSchemasFromModel, e as buildCrudSchemasFromMongooseSchema, l as createError, c as createFieldPreset, m as createMemoryCache, f as filterResponseData, g as getFieldsForUser, i as getImmutableFields, a as getMongooseProjection, j as getSystemManagedFields, k as isFieldUpdateAllowed, d as queryParser, v as validateUpdateBody } from '../queryParser-CxzCjzXd.js';
+import { S as SelectSpec, e as PopulateSpec, f as SortSpec } from '../types-CHIDluaP.js';
+import 'mongoose';
 
 /**
  * Cache Key Utilities
@@ -186,4 +79,4 @@ declare function modelPattern(prefix: string, model: string): string;
  */
 declare function listPattern(prefix: string, model: string): string;
 
-export { buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, byIdKey, byQueryKey, getImmutableFields, getSystemManagedFields, isFieldUpdateAllowed, listPattern, listQueryKey, modelPattern, _default as queryParser, validateUpdateBody, versionKey };
+export { byIdKey, byQueryKey, listPattern, listQueryKey, modelPattern, versionKey };

package/dist/utils/index.js

@@ -46,6 +46,7 @@ function createFieldPreset(config) {
   };
 }
 var QueryParser = class {
+  options;
   operators = {
     eq: "$eq",
     ne: "$ne",
@@ -66,7 +67,26 @@ var QueryParser = class {
    * Dangerous MongoDB operators that should never be accepted from user input
    * Security: Prevent NoSQL injection attacks
    */
-  dangerousOperators = ["$where", "$function", "$accumulator", "$expr"];
+  dangerousOperators;
+  /**
+   * Regex pattern characters that can cause catastrophic backtracking (ReDoS)
+   */
+  dangerousRegexPatterns = /(\{[0-9,]+\}|\*\+|\+\+|\?\+|(\([^)]*\))\1|\(\?[^)]*\)|[\[\]].*[\[\]])/;
+  constructor(options = {}) {
+    this.options = {
+      maxRegexLength: options.maxRegexLength ?? 500,
+      maxSearchLength: options.maxSearchLength ?? 200,
+      maxFilterDepth: options.maxFilterDepth ?? 10,
+      additionalDangerousOperators: options.additionalDangerousOperators ?? []
+    };
+    this.dangerousOperators = [
+      "$where",
+      "$function",
+      "$accumulator",
+      "$expr",
+      ...this.options.additionalDangerousOperators
+    ];
+  }
   /**
    * Parse query parameters into MongoDB query format
    */
@@ -86,7 +106,7 @@ var QueryParser = class {
       limit: parseInt(String(limit), 10),
       sort: this._parseSort(sort),
       populate,
-      search
+      search: this._sanitizeSearch(search)
     };
     if (after || cursor) {
       parsed.after = after || cursor;
@@ -126,6 +146,7 @@ var QueryParser = class {
    */
   _parseFilters(filters) {
     const parsedFilters = {};
+    const regexFields = {};
     for (const [key, value] of Object.entries(filters)) {
       if (this.dangerousOperators.includes(key) || key.startsWith("$") && !["$or", "$and"].includes(key)) {
         console.warn(`[mongokit] Blocked dangerous operator: ${key}`);
@@ -141,7 +162,7 @@ var QueryParser = class {
           console.warn(`[mongokit] Blocked dangerous operator: ${operator}`);
           continue;
         }
-        this._handleOperatorSyntax(parsedFilters, {}, operatorMatch, value);
+        this._handleOperatorSyntax(parsedFilters, regexFields, operatorMatch, value);
         continue;
       }
       if (typeof value === "object" && value !== null && !Array.isArray(value)) {
@@ -165,8 +186,11 @@ var QueryParser = class {
       return;
     }
     if (operator.toLowerCase() === "contains" || operator.toLowerCase() === "like") {
-      filters[field] = { $regex: new RegExp(String(value), "i") };
-      regexFields[field] = true;
+      const safeRegex = this._createSafeRegex(value);
+      if (safeRegex) {
+        filters[field] = { $regex: safeRegex };
+        regexFields[field] = true;
+      }
       return;
     }
     const mongoOperator = this._toMongoOperator(operator);
@@ -217,7 +241,9 @@ var QueryParser = class {
         } else if (operator === "in" || operator === "nin") {
           processedValue = Array.isArray(value) ? value : String(value).split(",").map((v) => v.trim());
         } else if (operator === "like" || operator === "contains") {
-          processedValue = value !== void 0 && value !== null ? new RegExp(String(value), "i") : /.*/;
+          const safeRegex = this._createSafeRegex(value);
+          if (!safeRegex) continue;
+          processedValue = safeRegex;
         } else {
           processedValue = this._convertValue(value);
         }
@@ -232,6 +258,56 @@ var QueryParser = class {
     const op = operator.toLowerCase();
     return op.startsWith("$") ? op : "$" + op;
   }
+  /**
+   * Create a safe regex pattern with protection against ReDoS attacks
+   * @param pattern - The pattern string from user input
+   * @param flags - Regex flags (default: 'i' for case-insensitive)
+   * @returns A safe RegExp or null if pattern is invalid/dangerous
+   */
+  _createSafeRegex(pattern, flags = "i") {
+    if (pattern === null || pattern === void 0) {
+      return null;
+    }
+    const patternStr = String(pattern);
+    if (patternStr.length > this.options.maxRegexLength) {
+      console.warn(`[mongokit] Regex pattern too long (${patternStr.length} > ${this.options.maxRegexLength}), truncating`);
+      return new RegExp(this._escapeRegex(patternStr.substring(0, this.options.maxRegexLength)), flags);
+    }
+    if (this.dangerousRegexPatterns.test(patternStr)) {
+      console.warn("[mongokit] Potentially dangerous regex pattern detected, escaping");
+      return new RegExp(this._escapeRegex(patternStr), flags);
+    }
+    try {
+      return new RegExp(patternStr, flags);
+    } catch {
+      return new RegExp(this._escapeRegex(patternStr), flags);
+    }
+  }
+  /**
+   * Escape special regex characters for literal matching
+   */
+  _escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  }
+  /**
+   * Sanitize text search query for MongoDB $text search
+   * @param search - Raw search input from user
+   * @returns Sanitized search string or undefined
+   */
+  _sanitizeSearch(search) {
+    if (search === null || search === void 0 || search === "") {
+      return void 0;
+    }
+    let searchStr = String(search).trim();
+    if (!searchStr) {
+      return void 0;
+    }
+    if (searchStr.length > this.options.maxSearchLength) {
+      console.warn(`[mongokit] Search query too long (${searchStr.length} > ${this.options.maxSearchLength}), truncating`);
+      searchStr = searchStr.substring(0, this.options.maxSearchLength);
+    }
+    return searchStr;
+  }
   /**
    * Convert values based on operator type
    */
@@ -282,7 +358,8 @@ var QueryParser = class {
     return output;
   }
 };
-var queryParser_default = new QueryParser();
+var defaultQueryParser = new QueryParser();
+var queryParser_default = defaultQueryParser;
 function isMongooseSchema(value) {
   return value instanceof mongoose2.Schema;
 }
@@ -302,14 +379,7 @@ function buildCrudSchemasFromMongooseSchema(mongooseSchema, options = {}) {
     required: ["id"]
   };
   const jsonQuery = buildJsonSchemaForQuery(tree, options);
-  const crudSchemas = {
-    create: { body: jsonCreate },
-    update: { body: jsonUpdate, params: jsonParams },
-    get: { params: jsonParams },
-    list: { query: jsonQuery },
-    remove: { params: jsonParams }
-  };
-  return { createBody: jsonCreate, updateBody: jsonUpdate, params: jsonParams, listQuery: jsonQuery, crudSchemas };
+  return { createBody: jsonCreate, updateBody: jsonUpdate, params: jsonParams, listQuery: jsonQuery };
 }
 function buildCrudSchemasFromModel(mongooseModel, options = {}) {
   if (!mongooseModel || !mongooseModel.schema) {
@@ -638,4 +708,4 @@ function listPattern(prefix, model) {
   return `${prefix}:list:${model}:*`;
 }
 
-export { buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, byIdKey, byQueryKey, createError, createFieldPreset, createMemoryCache, filterResponseData, getFieldsForUser, getImmutableFields, getMongooseProjection, getSystemManagedFields, isFieldUpdateAllowed, listPattern, listQueryKey, modelPattern, queryParser_default as queryParser, validateUpdateBody, versionKey };
+export { QueryParser, buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, byIdKey, byQueryKey, createError, createFieldPreset, createMemoryCache, filterResponseData, getFieldsForUser, getImmutableFields, getMongooseProjection, getSystemManagedFields, isFieldUpdateAllowed, listPattern, listQueryKey, modelPattern, queryParser_default as queryParser, validateUpdateBody, versionKey };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/mongokit",
-  "version": "3.0.3",
+  "version": "3.0.5",
   "description": "Production-grade MongoDB repositories with zero dependencies - smart pagination, events, and plugins",
   "type": "module",
   "main": "./dist/index.js",

package/dist/memory-cache-Bn_-Kk-0.d.ts

@@ -1,142 +0,0 @@
-import { q as UserContext, F as FieldPreset, H as HttpError, T as CacheAdapter } from './types-B3dPUKjs.js';
-
-/**
- * Field Selection Utilities
- *
- * Provides explicit, performant field filtering using Mongoose projections.
- *
- * Philosophy:
- * - Explicit is better than implicit
- * - Filter at DB level (10x faster than in-memory)
- * - Progressive disclosure (show more fields as trust increases)
- *
- * @example
- * ```typescript
- * // For Mongoose queries (PREFERRED - 90% of cases)
- * const projection = getMongooseProjection(request.user, fieldPresets.gymPlans);
- * const plans = await GymPlan.find().select(projection).lean();
- *
- * // For complex data (10% of cases - aggregations, multiple sources)
- * const filtered = filterResponseData(complexData, fieldPresets.gymPlans, request.user);
- * ```
- */
-
-/**
- * Get allowed fields for a user based on their context
- *
- * @param user - User object from request.user (or null for public)
- * @param preset - Field preset configuration
- * @returns Array of allowed field names
- *
- * @example
- * const fields = getFieldsForUser(request.user, {
- *   public: ['id', 'name', 'price'],
- *   authenticated: ['description', 'features'],
- *   admin: ['createdAt', 'internalNotes']
- * });
- */
-declare function getFieldsForUser(user: UserContext | null | undefined, preset: FieldPreset): string[];
-/**
- * Get Mongoose projection string for query .select()
- *
- * @param user - User object from request.user
- * @param preset - Field preset configuration
- * @returns Space-separated field names for Mongoose .select()
- *
- * @example
- * const projection = getMongooseProjection(request.user, fieldPresets.gymPlans);
- * const plans = await GymPlan.find({ organizationId }).select(projection).lean();
- */
-declare function getMongooseProjection(user: UserContext | null | undefined, preset: FieldPreset): string;
-/**
- * Filter response data to include only allowed fields
- *
- * Use this for complex responses where Mongoose projections aren't applicable:
- * - Aggregation pipeline results
- * - Data from multiple sources
- * - Custom computed fields
- *
- * For simple DB queries, prefer getMongooseProjection() (10x faster)
- *
- * @param data - Data to filter
- * @param preset - Field preset configuration
- * @param user - User object from request.user
- * @returns Filtered data
- *
- * @example
- * const stats = await calculateComplexStats();
- * const filtered = filterResponseData(stats, fieldPresets.dashboard, request.user);
- * return reply.send(filtered);
- */
-declare function filterResponseData<T extends Record<string, unknown>>(data: T | T[], preset: FieldPreset, user?: UserContext | null): Partial<T> | Partial<T>[];
-/**
- * Helper to create field presets (module-level)
- *
- * Each module should define its own field preset in its own directory.
- * This keeps modules independent and self-contained.
- *
- * @param config - Field configuration
- * @returns Field preset
- *
- * @example
- * // In modules/gym-plan/gym-plan.fields.ts
- * export const gymPlanFieldPreset = createFieldPreset({
- *   public: ['id', 'name', 'price'],
- *   authenticated: ['features', 'description'],
- *   admin: ['createdAt', 'updatedAt', 'internalNotes']
- * });
- */
-declare function createFieldPreset(config: Partial<FieldPreset>): FieldPreset;
-
-/**
- * Error Utilities
- *
- * HTTP-compatible error creation for repository operations
- */
-
-/**
- * Creates an error with HTTP status code
- *
- * @param status - HTTP status code
- * @param message - Error message
- * @returns Error with status property
- *
- * @example
- * throw createError(404, 'Document not found');
- * throw createError(400, 'Invalid input');
- * throw createError(403, 'Access denied');
- */
-declare function createError(status: number, message: string): HttpError;
-
-/**
- * In-Memory Cache Adapter
- *
- * Simple cache adapter for development and testing.
- * NOT recommended for production - use Redis or similar.
- *
- * @example
- * ```typescript
- * import { cachePlugin, createMemoryCache } from '@classytic/mongokit';
- *
- * const repo = new Repository(UserModel, [
- *   cachePlugin({
- *     adapter: createMemoryCache(),
- *     ttl: 60,
- *   })
- * ]);
- * ```
- */
-
-/**
- * Creates an in-memory cache adapter
- *
- * Features:
- * - Automatic TTL expiration
- * - Pattern-based clearing (simple glob with *)
- * - Max entries limit to prevent memory leaks
- *
- * @param maxEntries - Maximum cache entries before oldest are evicted (default: 1000)
- */
-declare function createMemoryCache(maxEntries?: number): CacheAdapter;
-
-export { getMongooseProjection as a, createError as b, createFieldPreset as c, createMemoryCache as d, filterResponseData as f, getFieldsForUser as g };