@classytic/mongokit 3.0.6 → 3.1.0

package/dist/utils/index.js

@@ -1,4 +1,4 @@
-import mongoose2 from 'mongoose';
+import 'mongoose';
 
 // src/utils/field-selection.ts
 function getFieldsForUser(user, preset) {
@@ -45,339 +45,15 @@ function createFieldPreset(config) {
     admin: config.admin || []
   };
 }
-var QueryParser = class {
-  options;
-  operators = {
-    eq: "$eq",
-    ne: "$ne",
-    gt: "$gt",
-    gte: "$gte",
-    lt: "$lt",
-    lte: "$lte",
-    in: "$in",
-    nin: "$nin",
-    like: "$regex",
-    contains: "$regex",
-    regex: "$regex",
-    exists: "$exists",
-    size: "$size",
-    type: "$type"
-  };
-  /**
-   * Dangerous MongoDB operators that should never be accepted from user input
-   * Security: Prevent NoSQL injection attacks
-   */
-  dangerousOperators;
-  /**
-   * Regex pattern characters that can cause catastrophic backtracking (ReDoS)
-   */
-  dangerousRegexPatterns = /(\{[0-9,]+\}|\*\+|\+\+|\?\+|(\([^)]*\))\1|\(\?[^)]*\)|[\[\]].*[\[\]])/;
-  constructor(options = {}) {
-    this.options = {
-      maxRegexLength: options.maxRegexLength ?? 500,
-      maxSearchLength: options.maxSearchLength ?? 200,
-      maxFilterDepth: options.maxFilterDepth ?? 10,
-      additionalDangerousOperators: options.additionalDangerousOperators ?? []
-    };
-    this.dangerousOperators = [
-      "$where",
-      "$function",
-      "$accumulator",
-      "$expr",
-      ...this.options.additionalDangerousOperators
-    ];
-  }
-  /**
-   * Parse query parameters into MongoDB query format
-   */
-  parseQuery(query) {
-    const {
-      page,
-      limit = 20,
-      sort = "-createdAt",
-      populate,
-      search,
-      after,
-      cursor,
-      ...filters
-    } = query || {};
-    const parsed = {
-      filters: this._parseFilters(filters),
-      limit: parseInt(String(limit), 10),
-      sort: this._parseSort(sort),
-      populate,
-      search: this._sanitizeSearch(search)
-    };
-    if (after || cursor) {
-      parsed.after = after || cursor;
-    } else if (page !== void 0) {
-      parsed.page = parseInt(String(page), 10);
-    } else {
-      parsed.page = 1;
-    }
-    const orGroup = this._parseOr(query);
-    if (orGroup) {
-      parsed.filters = { ...parsed.filters, $or: orGroup };
-    }
-    parsed.filters = this._enhanceWithBetween(parsed.filters);
-    return parsed;
-  }
-  /**
-   * Parse sort parameter
-   * Converts string like '-createdAt' to { createdAt: -1 }
-   * Handles multiple sorts: '-createdAt,name' → { createdAt: -1, name: 1 }
-   */
-  _parseSort(sort) {
-    if (!sort) return void 0;
-    if (typeof sort === "object") return sort;
-    const sortObj = {};
-    const fields = sort.split(",").map((s) => s.trim());
-    for (const field of fields) {
-      if (field.startsWith("-")) {
-        sortObj[field.substring(1)] = -1;
-      } else {
-        sortObj[field] = 1;
-      }
-    }
-    return sortObj;
-  }
-  /**
-   * Parse standard filter parameter (filter[field]=value)
-   */
-  _parseFilters(filters) {
-    const parsedFilters = {};
-    const regexFields = {};
-    for (const [key, value] of Object.entries(filters)) {
-      if (this.dangerousOperators.includes(key) || key.startsWith("$") && !["$or", "$and"].includes(key)) {
-        console.warn(`[mongokit] Blocked dangerous operator: ${key}`);
-        continue;
-      }
-      if (["page", "limit", "sort", "populate", "search", "select", "lean", "includeDeleted"].includes(key)) {
-        continue;
-      }
-      const operatorMatch = key.match(/^(.+)\[(.+)\]$/);
-      if (operatorMatch) {
-        const [, , operator] = operatorMatch;
-        if (this.dangerousOperators.includes("$" + operator)) {
-          console.warn(`[mongokit] Blocked dangerous operator: ${operator}`);
-          continue;
-        }
-        this._handleOperatorSyntax(parsedFilters, regexFields, operatorMatch, value);
-        continue;
-      }
-      if (typeof value === "object" && value !== null && !Array.isArray(value)) {
-        this._handleBracketSyntax(key, value, parsedFilters);
-      } else {
-        parsedFilters[key] = this._convertValue(value);
-      }
-    }
-    return parsedFilters;
-  }
-  /**
-   * Handle operator syntax: field[operator]=value
-   */
-  _handleOperatorSyntax(filters, regexFields, operatorMatch, value) {
-    const [, field, operator] = operatorMatch;
-    if (operator.toLowerCase() === "options" && regexFields[field]) {
-      const fieldValue = filters[field];
-      if (typeof fieldValue === "object" && fieldValue !== null && "$regex" in fieldValue) {
-        fieldValue.$options = value;
-      }
-      return;
-    }
-    if (operator.toLowerCase() === "contains" || operator.toLowerCase() === "like") {
-      const safeRegex = this._createSafeRegex(value);
-      if (safeRegex) {
-        filters[field] = { $regex: safeRegex };
-        regexFields[field] = true;
-      }
-      return;
-    }
-    const mongoOperator = this._toMongoOperator(operator);
-    if (this.dangerousOperators.includes(mongoOperator)) {
-      console.warn(`[mongokit] Blocked dangerous operator in field[${operator}]: ${mongoOperator}`);
-      return;
-    }
-    if (mongoOperator === "$eq") {
-      filters[field] = value;
-    } else if (mongoOperator === "$regex") {
-      filters[field] = { $regex: value };
-      regexFields[field] = true;
-    } else {
-      if (typeof filters[field] !== "object" || filters[field] === null || Array.isArray(filters[field])) {
-        filters[field] = {};
-      }
-      let processedValue;
-      const op = operator.toLowerCase();
-      if (["gt", "gte", "lt", "lte", "size"].includes(op)) {
-        processedValue = parseFloat(String(value));
-        if (isNaN(processedValue)) return;
-      } else if (op === "in" || op === "nin") {
-        processedValue = Array.isArray(value) ? value : String(value).split(",").map((v) => v.trim());
-      } else {
-        processedValue = this._convertValue(value);
-      }
-      filters[field][mongoOperator] = processedValue;
-    }
-  }
-  /**
-   * Handle bracket syntax with object value
-   */
-  _handleBracketSyntax(field, operators, parsedFilters) {
-    if (!parsedFilters[field]) {
-      parsedFilters[field] = {};
-    }
-    for (const [operator, value] of Object.entries(operators)) {
-      if (operator === "between") {
-        parsedFilters[field].between = value;
-        continue;
-      }
-      if (this.operators[operator]) {
-        const mongoOperator = this.operators[operator];
-        let processedValue;
-        if (["gt", "gte", "lt", "lte", "size"].includes(operator)) {
-          processedValue = parseFloat(String(value));
-          if (isNaN(processedValue)) continue;
-        } else if (operator === "in" || operator === "nin") {
-          processedValue = Array.isArray(value) ? value : String(value).split(",").map((v) => v.trim());
-        } else if (operator === "like" || operator === "contains") {
-          const safeRegex = this._createSafeRegex(value);
-          if (!safeRegex) continue;
-          processedValue = safeRegex;
-        } else {
-          processedValue = this._convertValue(value);
-        }
-        parsedFilters[field][mongoOperator] = processedValue;
-      }
-    }
-  }
-  /**
-   * Convert operator to MongoDB format
-   */
-  _toMongoOperator(operator) {
-    const op = operator.toLowerCase();
-    return op.startsWith("$") ? op : "$" + op;
-  }
-  /**
-   * Create a safe regex pattern with protection against ReDoS attacks
-   * @param pattern - The pattern string from user input
-   * @param flags - Regex flags (default: 'i' for case-insensitive)
-   * @returns A safe RegExp or null if pattern is invalid/dangerous
-   */
-  _createSafeRegex(pattern, flags = "i") {
-    if (pattern === null || pattern === void 0) {
-      return null;
-    }
-    const patternStr = String(pattern);
-    if (patternStr.length > this.options.maxRegexLength) {
-      console.warn(`[mongokit] Regex pattern too long (${patternStr.length} > ${this.options.maxRegexLength}), truncating`);
-      return new RegExp(this._escapeRegex(patternStr.substring(0, this.options.maxRegexLength)), flags);
-    }
-    if (this.dangerousRegexPatterns.test(patternStr)) {
-      console.warn("[mongokit] Potentially dangerous regex pattern detected, escaping");
-      return new RegExp(this._escapeRegex(patternStr), flags);
-    }
-    try {
-      return new RegExp(patternStr, flags);
-    } catch {
-      return new RegExp(this._escapeRegex(patternStr), flags);
-    }
-  }
-  /**
-   * Escape special regex characters for literal matching
-   */
-  _escapeRegex(str) {
-    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-  }
-  /**
-   * Sanitize text search query for MongoDB $text search
-   * @param search - Raw search input from user
-   * @returns Sanitized search string or undefined
-   */
-  _sanitizeSearch(search) {
-    if (search === null || search === void 0 || search === "") {
-      return void 0;
-    }
-    let searchStr = String(search).trim();
-    if (!searchStr) {
-      return void 0;
-    }
-    if (searchStr.length > this.options.maxSearchLength) {
-      console.warn(`[mongokit] Search query too long (${searchStr.length} > ${this.options.maxSearchLength}), truncating`);
-      searchStr = searchStr.substring(0, this.options.maxSearchLength);
-    }
-    return searchStr;
-  }
-  /**
-   * Convert values based on operator type
-   */
-  _convertValue(value) {
-    if (value === null || value === void 0) return value;
-    if (Array.isArray(value)) return value.map((v) => this._convertValue(v));
-    if (typeof value === "object") return value;
-    const stringValue = String(value);
-    if (stringValue === "true") return true;
-    if (stringValue === "false") return false;
-    if (mongoose2.Types.ObjectId.isValid(stringValue) && stringValue.length === 24) {
-      return stringValue;
-    }
-    return stringValue;
-  }
-  /**
-   * Parse $or conditions
-   */
-  _parseOr(query) {
-    const orArray = [];
-    const raw = query?.or || query?.OR || query?.$or;
-    if (!raw) return void 0;
-    const items = Array.isArray(raw) ? raw : typeof raw === "object" ? Object.values(raw) : [];
-    for (const item of items) {
-      if (typeof item === "object" && item) {
-        orArray.push(this._parseFilters(item));
-      }
-    }
-    return orArray.length ? orArray : void 0;
-  }
-  /**
-   * Enhance filters with between operator
-   */
-  _enhanceWithBetween(filters) {
-    const output = { ...filters };
-    for (const [key, value] of Object.entries(filters || {})) {
-      if (value && typeof value === "object" && "between" in value) {
-        const between = value.between;
-        const [from, to] = String(between).split(",").map((s) => s.trim());
-        const fromDate = from ? new Date(from) : void 0;
-        const toDate = to ? new Date(to) : void 0;
-        const range = {};
-        if (fromDate && !isNaN(fromDate.getTime())) range.$gte = fromDate;
-        if (toDate && !isNaN(toDate.getTime())) range.$lte = toDate;
-        output[key] = range;
-      }
-    }
-    return output;
-  }
-};
-var defaultQueryParser = new QueryParser();
-var queryParser_default = defaultQueryParser;
-function isMongooseSchema(value) {
-  return value instanceof mongoose2.Schema;
-}
-function isPlainObject(value) {
-  return Object.prototype.toString.call(value) === "[object Object]";
-}
-function isObjectIdType(t) {
-  return t === mongoose2.Schema.Types.ObjectId || t === mongoose2.Types.ObjectId;
-}
 function buildCrudSchemasFromMongooseSchema(mongooseSchema, options = {}) {
-  const tree = mongooseSchema?.obj || {};
-  const jsonCreate = buildJsonSchemaForCreate(tree, options);
+  const jsonCreate = buildJsonSchemaFromPaths(mongooseSchema, options);
   const jsonUpdate = buildJsonSchemaForUpdate(jsonCreate, options);
   const jsonParams = {
     type: "object",
     properties: { id: { type: "string", pattern: "^[0-9a-fA-F]{24}$" } },
     required: ["id"]
   };
+  const tree = mongooseSchema?.obj || {};
   const jsonQuery = buildJsonSchemaForQuery(tree, options);
   return { createBody: jsonCreate, updateBody: jsonUpdate, params: jsonParams, listQuery: jsonQuery };
 }
@@ -431,88 +107,37 @@ function validateUpdateBody(body = {}, options = {}) {
     violations
   };
 }
-function jsonTypeFor(def, options, seen) {
-  if (Array.isArray(def)) {
-    if (def[0] === mongoose2.Schema.Types.Mixed) {
-      return { type: "array", items: { type: "object", additionalProperties: true } };
-    }
-    return { type: "array", items: jsonTypeFor(def[0] ?? String, options, seen) };
-  }
-  if (isPlainObject(def) && "type" in def) {
-    const typedDef = def;
-    if (typedDef.enum && Array.isArray(typedDef.enum) && typedDef.enum.length) {
-      return { type: "string", enum: typedDef.enum.map(String) };
-    }
-    if (Array.isArray(typedDef.type)) {
-      const inner = typedDef.type[0] !== void 0 ? typedDef.type[0] : String;
-      if (inner === mongoose2.Schema.Types.Mixed) {
-        return { type: "array", items: { type: "object", additionalProperties: true } };
+function buildJsonSchemaFromPaths(mongooseSchema, options) {
+  const properties = {};
+  const required = [];
+  const paths = mongooseSchema.paths;
+  const rootFields = /* @__PURE__ */ new Map();
+  for (const [path, schemaType] of Object.entries(paths)) {
+    if (path === "_id" || path === "__v") continue;
+    const parts = path.split(".");
+    const rootField = parts[0];
+    if (!rootFields.has(rootField)) {
+      rootFields.set(rootField, []);
+    }
+    rootFields.get(rootField).push({ path, schemaType });
+  }
+  for (const [rootField, fieldPaths] of rootFields.entries()) {
+    if (fieldPaths.length === 1 && fieldPaths[0].path === rootField) {
+      const schemaType = fieldPaths[0].schemaType;
+      properties[rootField] = schemaTypeToJsonSchema(schemaType);
+      if (schemaType.isRequired) {
+        required.push(rootField);
       }
-      return { type: "array", items: jsonTypeFor(inner, options, seen) };
-    }
-    if (typedDef.type === String) return { type: "string" };
-    if (typedDef.type === Number) return { type: "number" };
-    if (typedDef.type === Boolean) return { type: "boolean" };
-    if (typedDef.type === Date) {
-      const mode = options?.dateAs || "datetime";
-      return mode === "date" ? { type: "string", format: "date" } : { type: "string", format: "date-time" };
-    }
-    if (typedDef.type === Map || typedDef.type === mongoose2.Schema.Types.Map) {
-      const ofSchema = jsonTypeFor(typedDef.of || String, options, seen);
-      return { type: "object", additionalProperties: ofSchema };
-    }
-    if (typedDef.type === mongoose2.Schema.Types.Mixed) {
-      return { type: "object", additionalProperties: true };
-    }
-    if (isObjectIdType(typedDef.type)) {
-      return { type: "string", pattern: "^[0-9a-fA-F]{24}$" };
-    }
-    if (isMongooseSchema(typedDef.type)) {
-      const obj = typedDef.type.obj;
-      if (obj && typeof obj === "object") {
-        if (seen.has(obj)) return { type: "object", additionalProperties: true };
-        seen.add(obj);
-        return convertTreeToJsonSchema(obj, options, seen);
+    } else {
+      const nestedSchema = buildNestedJsonSchema(fieldPaths, rootField);
+      properties[rootField] = nestedSchema.schema;
+      if (nestedSchema.required) {
+        required.push(rootField);
       }
     }
   }
-  if (def === String) return { type: "string" };
-  if (def === Number) return { type: "number" };
-  if (def === Boolean) return { type: "boolean" };
-  if (def === Date) {
-    const mode = options?.dateAs || "datetime";
-    return mode === "date" ? { type: "string", format: "date" } : { type: "string", format: "date-time" };
-  }
-  if (isObjectIdType(def)) return { type: "string", pattern: "^[0-9a-fA-F]{24}$" };
-  if (isPlainObject(def)) {
-    if (seen.has(def)) return { type: "object", additionalProperties: true };
-    seen.add(def);
-    return convertTreeToJsonSchema(def, options, seen);
-  }
-  return {};
-}
-function convertTreeToJsonSchema(tree, options, seen = /* @__PURE__ */ new WeakSet()) {
-  if (!tree || typeof tree !== "object") {
-    return { type: "object", properties: {} };
-  }
-  if (seen.has(tree)) {
-    return { type: "object", additionalProperties: true };
-  }
-  seen.add(tree);
-  const properties = {};
-  const required = [];
-  for (const [key, val] of Object.entries(tree || {})) {
-    if (key === "__v" || key === "_id" || key === "id") continue;
-    const cfg = isPlainObject(val) && "type" in val ? val : { };
-    properties[key] = jsonTypeFor(val, options, seen);
-    if (cfg.required === true) required.push(key);
-  }
   const schema = { type: "object", properties };
   if (required.length) schema.required = required;
-  return schema;
-}
-function buildJsonSchemaForCreate(tree, options) {
-  const base = convertTreeToJsonSchema(tree, options, /* @__PURE__ */ new WeakSet());
   const fieldsToOmit = /* @__PURE__ */ new Set(["createdAt", "updatedAt", "__v"]);
   (options?.create?.omitFields || []).forEach((f) => fieldsToOmit.add(f));
   const fieldRules = options?.fieldRules || {};
@@ -522,37 +147,96 @@ function buildJsonSchemaForCreate(tree, options) {
     }
   });
   fieldsToOmit.forEach((field) => {
-    if (base.properties?.[field]) {
-      delete base.properties[field];
+    if (schema.properties?.[field]) {
+      delete schema.properties[field];
     }
-    if (base.required) {
-      base.required = base.required.filter((k) => k !== field);
+    if (schema.required) {
+      schema.required = schema.required.filter((k) => k !== field);
     }
   });
   const reqOv = options?.create?.requiredOverrides || {};
   const optOv = options?.create?.optionalOverrides || {};
-  base.required = base.required || [];
+  schema.required = schema.required || [];
   for (const [k, v] of Object.entries(reqOv)) {
-    if (v && !base.required.includes(k)) base.required.push(k);
+    if (v && !schema.required.includes(k)) schema.required.push(k);
   }
   for (const [k, v] of Object.entries(optOv)) {
-    if (v && base.required) base.required = base.required.filter((x) => x !== k);
+    if (v && schema.required) schema.required = schema.required.filter((x) => x !== k);
   }
   Object.entries(fieldRules).forEach(([field, rules]) => {
-    if (rules.optional && base.required) {
-      base.required = base.required.filter((x) => x !== field);
+    if (rules.optional && schema.required) {
+      schema.required = schema.required.filter((x) => x !== field);
     }
   });
   const schemaOverrides = options?.create?.schemaOverrides || {};
   for (const [k, override] of Object.entries(schemaOverrides)) {
-    if (base.properties?.[k]) {
-      base.properties[k] = override;
+    if (schema.properties?.[k]) {
+      schema.properties[k] = override;
     }
   }
   if (options?.strictAdditionalProperties === true) {
-    base.additionalProperties = false;
+    schema.additionalProperties = false;
+  }
+  return schema;
+}
+function buildNestedJsonSchema(fieldPaths, rootField) {
+  const properties = {};
+  const required = [];
+  let hasRequiredFields = false;
+  for (const { path, schemaType } of fieldPaths) {
+    const relativePath = path.substring(rootField.length + 1);
+    const parts = relativePath.split(".");
+    if (parts.length === 1) {
+      properties[parts[0]] = schemaTypeToJsonSchema(schemaType);
+      if (schemaType.isRequired) {
+        required.push(parts[0]);
+        hasRequiredFields = true;
+      }
+    } else {
+      const fieldName = parts[0];
+      if (!properties[fieldName]) {
+        properties[fieldName] = { type: "object", properties: {} };
+      }
+      const nestedObj = properties[fieldName];
+      if (!nestedObj.properties) nestedObj.properties = {};
+      const deepPath = parts.slice(1).join(".");
+      nestedObj.properties[deepPath] = schemaTypeToJsonSchema(schemaType);
+    }
   }
-  return base;
+  const schema = { type: "object", properties };
+  if (required.length) schema.required = required;
+  return { schema, required: hasRequiredFields };
+}
+function schemaTypeToJsonSchema(schemaType) {
+  const result = {};
+  const instance = schemaType.instance;
+  const options = schemaType.options || {};
+  if (instance === "String") {
+    result.type = "string";
+    if (typeof options.minlength === "number") result.minLength = options.minlength;
+    if (typeof options.maxlength === "number") result.maxLength = options.maxlength;
+    if (options.match instanceof RegExp) result.pattern = options.match.source;
+    if (options.enum && Array.isArray(options.enum)) result.enum = options.enum;
+  } else if (instance === "Number") {
+    result.type = "number";
+    if (typeof options.min === "number") result.minimum = options.min;
+    if (typeof options.max === "number") result.maximum = options.max;
+  } else if (instance === "Boolean") {
+    result.type = "boolean";
+  } else if (instance === "Date") {
+    result.type = "string";
+    result.format = "date-time";
+  } else if (instance === "ObjectId" || instance === "ObjectID") {
+    result.type = "string";
+    result.pattern = "^[0-9a-fA-F]{24}$";
+  } else if (instance === "Array") {
+    result.type = "array";
+    result.items = { type: "string" };
+  } else {
+    result.type = "object";
+    result.additionalProperties = true;
+  }
+  return result;
 }
 function buildJsonSchemaForUpdate(createJson, options) {
   const clone = JSON.parse(JSON.stringify(createJson));
@@ -573,6 +257,9 @@ function buildJsonSchemaForUpdate(createJson, options) {
   if (options?.strictAdditionalProperties === true) {
     clone.additionalProperties = false;
   }
+  if (options?.update?.requireAtLeastOne === true) {
+    clone.minProperties = 1;
+  }
   return clone;
 }
 function buildJsonSchemaForQuery(_tree, options) {
@@ -708,4 +395,4 @@ function listPattern(prefix, model) {
   return `${prefix}:list:${model}:*`;
 }
 
-export { QueryParser, buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, byIdKey, byQueryKey, createError, createFieldPreset, createMemoryCache, filterResponseData, getFieldsForUser, getImmutableFields, getMongooseProjection, getSystemManagedFields, isFieldUpdateAllowed, listPattern, listQueryKey, modelPattern, queryParser_default as queryParser, validateUpdateBody, versionKey };
+export { buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, byIdKey, byQueryKey, createError, createFieldPreset, createMemoryCache, filterResponseData, getFieldsForUser, getImmutableFields, getMongooseProjection, getSystemManagedFields, isFieldUpdateAllowed, listPattern, listQueryKey, modelPattern, validateUpdateBody, versionKey };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/mongokit",
-  "version": "3.0.6",
+  "version": "3.1.0",
   "description": "Production-grade MongoDB repositories with zero dependencies - smart pagination, events, and plugins",
   "type": "module",
   "main": "./dist/index.js",