@ditojs/server 2.32.1 → 2.32.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ditojs/server",
-  "version": "2.32.1",
+  "version": "2.32.2",
   "type": "module",
   "description": "Dito.js Server – Dito.js is a declarative and modern web framework, based on Objection.js, Koa.js and Vue.js",
   "repository": "https://github.com/ditojs/dito/tree/master/packages/server",
@@ -25,22 +25,22 @@
     "node >= 18"
   ],
   "dependencies": {
-    "@ditojs/admin": "^2.32.1",
-    "@ditojs/build": "^2.32.0",
-    "@ditojs/router": "^2.32.0",
-    "@ditojs/utils": "^2.32.0",
+    "@ditojs/admin": "^2.32.2",
+    "@ditojs/build": "^2.32.2",
+    "@ditojs/router": "^2.32.2",
+    "@ditojs/utils": "^2.32.2",
     "@koa/cors": "^5.0.0",
     "@koa/multer": "^3.0.2",
     "@originjs/vite-plugin-commonjs": "^1.0.3",
-    "@vitejs/plugin-vue": "^5.1.3",
-    "@vue/compiler-sfc": "3.5.2",
+    "@vitejs/plugin-vue": "^5.1.4",
+    "@vue/compiler-sfc": "^3.5.6",
     "ajv": "^8.17.1",
     "ajv-formats": "^2.1.1",
     "bcryptjs": "^2.4.3",
     "bytes": "^3.1.2",
     "data-uri-to-buffer": "^6.0.2",
     "eventemitter2": "^6.4.9",
-    "file-type": "^19.4.1",
+    "file-type": "^19.5.0",
     "koa": "^2.15.3",
     "koa-bodyparser": "^4.4.1",
     "koa-compose": "^4.1.0",
@@ -67,10 +67,10 @@
     "pino-pretty": "^11.2.2",
     "pluralize": "^8.0.0",
     "repl": "^0.1.3",
-    "type-fest": "^4.26.0",
+    "type-fest": "^4.26.1",
     "uuid": "^10.0.0",
-    "vite": "^5.4.3",
-    "vue": "^3.5.2"
+    "vite": "^5.4.6",
+    "vue": "^3.5.6"
   },
   "peerDependencies": {
     "@aws-sdk/client-s3": "^3.0.0",
@@ -87,11 +87,11 @@
     "@types/koa-session": "^6.4.5",
     "@types/koa-static": "^4.0.4",
     "@types/koa__cors": "^5.0.0",
-    "@types/node": "^22.5.4",
+    "@types/node": "^22.5.5",
     "knex": "^3.1.0",
     "objection": "^3.1.4",
-    "typescript": "^5.5.4"
+    "typescript": "^5.6.2"
   },
   "types": "types",
-  "gitHead": "22008a15e26380fa7b226ca115f0643bfa88334d"
+  "gitHead": "e39e6be34ced2fea17083c0d8a2cb90d41aaf435"
 }

package/src/controllers/CollectionController.js

@@ -197,7 +197,9 @@ export class CollectionController extends Controller {
   collection = this.convertToCoreActions({
     async get(ctx, modify) {
       const result = await this.execute(ctx, (query, trx) => {
-        query.find(ctx.query, this.allowParam).modify(getModify(modify, trx))
+        query
+          .find(ctx.filteredQuery, this.allowParam)
+          .modify(getModify(modify, trx))
         return this.isOneToOne ? query.first() : query
       })
       // This method doesn't always return an array:
@@ -210,7 +212,7 @@ export class CollectionController extends Controller {
       const count = await this.execute(ctx, (query, trx) =>
         query
           .ignoreScope()
-          .find(ctx.query, this.allowParam)
+          .find(ctx.filteredQuery, this.allowParam)
           .modify(query => this.isOneToOne && query.throwIfNotFound())
           .modify(getModify(modify, trx))
           .modify(query => (this.unrelate ? query.unrelate() : query.delete()))
@@ -248,7 +250,7 @@ export class CollectionController extends Controller {
       return this.execute(ctx, (query, trx) =>
         query
           .findById(ctx.memberId)
-          .find(ctx.query, this.allowParam)
+          .find(ctx.filteredQuery, this.allowParam)
           .throwIfNotFound()
           .modify(getModify(modify, trx))
       )
@@ -259,7 +261,7 @@ export class CollectionController extends Controller {
         query
           .ignoreScope()
           .findById(ctx.memberId)
-          .find(ctx.query, this.allowParam)
+          .find(ctx.filteredQuery, this.allowParam)
           .throwIfNotFound()
           .modify(getModify(modify, trx))
           .modify(query => (this.unrelate ? query.unrelate() : query.delete()))

package/src/controllers/ControllerAction.js

@@ -84,20 +84,33 @@ export default class ControllerAction {
   // - 'query': Use `ctx.request.query`, regardless of the action's method.
   // - 'body': Use `ctx.request.body`, regardless of the action's method.
   getParams(ctx, from = this.paramsName) {
-    const value = from === 'path' ? ctx.params : ctx.request[from]
+    const params = from === 'path' ? ctx.params : ctx.request[from]
     // koa-bodyparser always sets an object, even when there is no body.
     // Detect this here and return null instead.
     const isNull = (
       from === 'body' &&
       ctx.request.headers['content-length'] === '0' &&
-      Object.keys(value).length === 0
+      Object.keys(params).length === 0
     )
-    return isNull ? null : value
+    return isNull ? null : params
   }
 
   async callAction(ctx) {
     const params = await this.validateParameters(ctx)
-    const { args, member } = await this.collectArguments(ctx, params)
+    const { args, member } = await this.collectArguments(
+      ctx,
+      params
+    )
+    let filteredQuery = null
+    Object.defineProperty(ctx, 'filteredQuery', {
+      get: () => {
+        filteredQuery ??=
+          this.paramsName === 'query' ? this.filterParameters(params) : params
+        return filteredQuery
+      },
+      enumerable: false,
+      configurable: true
+    })
     await this.controller.handleAuthorization(this.authorization, ctx, member)
     const { identifier } = this
     await this.controller.emitHook(`before:${identifier}`, false, ctx, ...args)
@@ -119,11 +132,12 @@ export default class ControllerAction {
     if (!this.parameters.validate) {
       return null
     }
-    // Since validation also performs coercion, create a clone of the params
-    // so that this doesn't modify the data on `ctx`.
+    // Since validation also performs coercion, create a shallow clone  of the
+    // params so that this doesn't modify the data on `ctx`.Actually used values
+    // themselves are deep cloned below.
     // NOTE: The data can be either an object or an array.
-    const data = clone(this.getParams(ctx))
-    let params = data || {}
+    const data = { ...this.getParams(ctx) }
+    let params = {}
     const { dataName } = this.parameters
     let unwrapRoot = false
     const errors = []
@@ -152,12 +166,14 @@ export default class ControllerAction {
           params = {}
         }
         params[paramName] = data
+      } else {
+        params[paramName] = clone(data[paramName])
       }
       if (from) {
         // Allow parameters to be 'borrowed' from other objects.
-        const data = this.getParams(ctx, from)
+        const source = this.getParams(ctx, from)
         // See above for an explanation of `clone()`:
-        params[paramName] = clone(wrapRoot ? data : data?.[paramName])
+        params[paramName] = clone(wrapRoot ? source : source?.[paramName])
       }
       try {
         const value = params[paramName]
@@ -263,6 +279,21 @@ export default class ControllerAction {
     return { args, member }
   }
 
+  filterParameters(params) {
+    const filtered = {}
+    const consumedNames = Object.fromEntries(
+      this.parameters.list
+        .filter(param => !!param.name)
+        .map(param => [param.name, true])
+    )
+    for (const [key, value] of Object.entries(params)) {
+      if (!consumedNames[key]) {
+        filtered[key] = value
+      }
+    }
+    return filtered
+  }
+
   coerceValue(type, value, modelOptions) {
     // See if param needs additional coercion:
     if (value && ['date', 'datetime', 'timestamp'].includes(type)) {