@exortek/express-mongo-sanitize 1.0.0 → 1.1.0

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2024 Memet
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2024 Memet
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,185 +1,269 @@
-# @exortek/express-mongo-sanitize
-
-A middleware designed for sanitizing incoming requests to an Express application, particularly when working with
-MongoDB (NoSQL). It ensures that certain patterns, such as special characters or malicious input, are removed or
-replaced from the request body, query, and parameters, preventing potential injection attacks in NoSQL.
-
-### Key Features
-
-- Automatic sanitization of potentially dangerous MongoDB operators and special characters.
-- Multiple operation modes (auto, manual)
-- Customizable sanitization patterns and replacement strategies
-- Support for nested objects and arrays
-- Configurable string and array handling options
-- Skip routes functionality
-- Custom sanitizer support
-- Email address preservation during sanitization
-- Option to remove matched patterns entirely
-- Enhanced security with request object cloning
-
-## Installation
-
-```bash
-npm install @exortek/express-mongo-sanitize
-```
-
-OR
-
-```bash
-yarn add @exortek/express-mongo-sanitize
-```
-
-## Usage
-
-Register the middleware in your Express application before defining your routes.
-
-### App route example
-
-```javascript
-
-const express = require('express');
-const expressMongoSanitize = require('@exortek/express-mongo-sanitize');
-
-const app = express();
-
-app.use(exppress.json());
-
-// Register the middleware
-app.use(expressMongoSanitize());
-
-// Define your routes
-app.get('/users', (req, res) => {
-  // Your route logic here
-});
-
-app.post('/users', (req, res) => {
-  // Your route logic here
-});
-
-app.listen(3000, () => {
-  console.log('Server is running on port 3000');
-});
-
-```
-
-### Route-specific example
-
-```javascript
-
-const express = require('express');
-const expressMongoSanitize = require('@exortek/express-mongo-sanitize');
-const router = require('./router');
-
-const app = express();
-
-app.use(express.json());
-
-// Register the middleware
-app.use(expressMongoSanitize());
-
-// Define your routes
-app.use('/api', router);
-
-app.listen(3000, () => {
-  console.log('Server is running on port 3000');
-});
-
-```
-
-# Configuration Options
-
-The middleware accepts various configuration options to customize its behavior. Here's a detailed breakdown of all
-available
-options:
-
-## Core Options
-
-| Option            | Type           | Default                                            | Description                                                                                                                                                                                                                                                                               |
-|-------------------|----------------|----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `app`             | Application    | `null`                                             | The Express app instance. Default is null. You can specify the app instance if you want to sanitize the params(Path variables) of the app.                                                                                                                                                |
-| `router`          | Router         | `null`                                             | The Express router instance. Default is null. You can specify the router instance if you want to sanitize the params(Path variables) of the router.                                                                                                                                       |
-| `routerBasePath`  | string         | `api`                                              | // The base path of the router. Default is an 'api'. You can specify the base path of the router.                                                                                                                                                                                         |
-| `replaceWith`     | string         | `''`                                               | The string to replace the matched patterns with. Default is an empty string. If you want to replace the matched patterns with a different string, you can set this option.                                                                                                                |
-| `removeMatches`   | boolean        | `false`                                            | Remove the matched patterns. Default is false. If you want to remove the matched patterns instead of replacing them, you can set this option to true.                                                                                                                                     |
-| `sanitizeObjects` | array          | `['body', 'params', 'query']`                      | The request properties to sanitize. Default is `['body', 'params', 'query']`. You can specify any request property that you want to sanitize. It must be an object.                                                                                                                       |
-| `mode`            | string         | `'auto'`                                           | The mode of operation. Default is 'auto'. You can set this option to 'auto', 'manual'. If you set it to 'auto', the plugin will automatically sanitize the request objects. If you set it to 'manual', you can sanitize the request objects manually using the request.sanitize() method. |
-| `skipRoutes`      | array          | `[]`                                               | An array of routes to skip. Default is an empty array. If you want to skip certain routes from sanitization, you can specify the routes here. The routes must be in the format `/path`. For example, `['/health', '/metrics']`.                                                           |
-| `customSanitizer` | function\|null | `null`                                             | A custom sanitizer function. Default is null. If you want to use a custom sanitizer function, you can specify it here. The function must accept two arguments: the original data and the options object. It must return the sanitized data.                                               |
-| `recursive`       | boolean        | `true`                                             | Enable recursive sanitization. Default is true. If you want to recursively sanitize the nested objects, you can set this option to true.                                                                                                                                                  |
-| `removeEmpty`     | boolean        | `false`                                            | Remove empty values. Default is false. If you want to remove empty values after sanitization, you can set this option to true.                                                                                                                                                            |
-| `patterns`        | array          | `PATTERNS`                                         | An array of patterns to match. Default is an array of patterns that match illegal characters and sequences. You can specify your own patterns if you want to match different characters or sequences. Each pattern must be a regular expression.                                          |
-| `allowedKeys`     | array\|null    | `null`                                             | An array of allowed keys. Default is null. If you want to allow only certain keys in the object, you can specify the keys here. The keys must be strings. If a key is not in the allowedKeys array, it will be removed.                                                                   |
-| `deniedKeys`      | array\|null    | `null`                                             | An array of denied keys. Default is null. If you want to deny certain keys in the object, you can specify the keys here. The keys must be strings. If a key is in the deniedKeys array, it will be removed.                                                                               |
-| `stringOptions`   | object         | `{ trim: false,lowercase: false,maxLength: null }` | An object that controls string sanitization behavior. Default is an empty object. You can specify the following options: `trim`, `lowercase`, `maxLength`.                                                                                                                                |
-| `arrayOptions`    | object         | `{ filterNull: false, distinct: false}`            | An object that controls array sanitization behavior. Default is an empty object. You can specify the following options: `filterNull`, `distinct`.                                                                                                                                         |    
-
-## String Options
-
-The `stringOptions` object controls string sanitization behavior:
-
-```javascript
-{
-  trim: false,      // Whether to trim whitespace from start/end
-  lowercase: false, // Whether to convert strings to lowercase
-  maxLength: null   // Maximum allowed string length (null for no limit)
-}
-```
-
-## Array Options
-
-The `arrayOptions` object controls array sanitization behavior:
-
-```javascript
-{
-  filterNull: false, // Whether to remove null/undefined values
-  distinct: false    // Whether to remove duplicate values
-}
-```
-
-## Example Configuration
-
-Here's an example of how you can configure the middleware with custom options:
-
-```javascript
-app.use(expressMongoSanitize({
-    app: app,
-    router: router,
-    routerBasePath: 'api',
-    replaceWith: 'REPLACED',
-    removeMatches: false,
-    sanitizeObjects: ['body', 'params', 'query'],
-    mode: 'auto',
-    skipRoutes: ['/health', '/metrics'],
-    customSanitizer: (data, options) => {
-      // Custom sanitizer logic here
-      return data;
-    },
-    recursive: true,
-    removeEmpty: false,
-    patterns: [/pattern1/, /pattern2/],
-    allowedKeys: ['key1', 'key2'],
-    deniedKeys: ['key3', 'key4'],
-    stringOptions: {
-      trim: true,
-      lowercase: true,
-      maxLength: 100
-    },
-    arrayOptions: {
-      filterNull: true,
-      distinct: true
-    }
-}));
-```
-
-## Notes
-
-- The middleware is designed to work with Express applications and is not compatible with other frameworks.
-- If the app or router instances are not provided to the `@exortek/express-mongo-sanitize` middleware, the route parameters (path variables) cannot be sanitized. The middleware will skip sanitizing the route parameters and display a warning message indicating that sanitization was not performed for the path variables. Ensure that both the app and router instances are properly passed to the middleware to enable route parameter sanitization.
-- All options are optional and will use their default values if not specified.
-- Custom patterns must be valid RegExp objects
-
-## License
-
-**[MIT](https://github.com/ExorTek/express-mongo-sanitize/blob/master/LICENSE)**<br>
-
-Copyright © 2024 ExorTek
+# @exortek/express-mongo-sanitize
+
+A comprehensive Express middleware designed to protect your No(n)SQL queries from injection attacks by sanitizing request data.  
+This middleware provides flexible sanitization options for request bodies and query strings, and an **optional handler for route parameters**.
+
+## Compatibility
+
+| Middleware version | Express version |
+|--------------------|:---------------:|
+| `^1.x`             |     `^4.x`      |
+| `^1.x`             |     `^5.x`      |
+
+## Features
+
+- Automatic sanitization of `req.body` and `req.query` by default
+- Supports deep/nested objects, arrays, and string transformation
+- Allows custom sanitizer logic, key allow/deny lists, skip routes, and more
+- **Route params (`req.params`) can be sanitized with an explicit helper** (see below)
+
+---
+
+## Installation
+
+```sh
+yarn add @exortek/express-mongo-sanitize
+# or
+npm install @exortek/express-mongo-sanitize
+```
+
+---
+
+## Usage
+
+### Basic usage
+
+```js
+const express = require('express');
+const expressMongoSanitize = require('@exortek/express-mongo-sanitize');
+
+const app = express();
+app.use(express.json());
+
+// Body and query are sanitized automatically:
+app.use(expressMongoSanitize());
+
+app.post('/submit', (req, res) => {
+  res.json(req.body);
+});
+```
+
+---
+
+### Sanitizing Route Params (`req.params`)
+
+By default, only `body` and `query` are sanitized.  
+**If you want to sanitize route parameters (`req.params`),**  
+use the exported `paramSanitizeHandler` with Express's `app.param` or `router.param`:
+
+```js
+// Route parameter sanitization (recommended way):
+app.param('username', expressMongoSanitize.paramSanitizeHandler());
+
+// Example route:
+app.get('/user/:username', (req, res) => {
+  res.json({ username: req.params.username });
+});
+```
+
+**Note:**
+- You can attach this for any route param, e.g. `'id'`, `'slug'`, etc.
+- This gives you full control and doesn't require the middleware to know your routes.
+
+---
+
+## Options
+
+| Option            | Type     | Default                             | Description                                                         |
+|-------------------|----------|-------------------------------------|---------------------------------------------------------------------|
+| `replaceWith`     | string   | `''`                                | String to replace matched patterns                                  |
+| `removeMatches`   | boolean  | `false`                             | Remove values matching patterns entirely                            |
+| `sanitizeObjects` | string[] | `['body', 'query']`                 | List of request objects to sanitize                                 |
+| `mode`            | string   | `'auto'`                            | `'auto'` for automatic, `'manual'` for explicit req.sanitize() call |
+| `skipRoutes`      | string[] | `[]`                                | List of paths to skip (e.g. ['/health'])                            |
+| `customSanitizer` | function | `null`                              | Custom sanitizer function, overrides built-in sanitizer             |
+| `recursive`       | boolean  | `true`                              | Recursively sanitize nested values                                  |
+| `removeEmpty`     | boolean  | `false`                             | Remove empty values after sanitization                              |
+| `patterns`        | RegExp[] | See source code                     | Patterns to match for sanitization                                  |
+| `allowedKeys`     | string[] | `[]`                                | Only allow these keys (all if empty)                                |
+| `deniedKeys`      | string[] | `[]`                                | Remove these keys (none if empty)                                   |
+| `stringOptions`   | object   | See below                           | String transform options (trim, lowercase, maxLength)               |
+| `arrayOptions`    | object   | See below                           | Array handling options (filterNull, distinct)                       |
+| `debug`           | object   | `{ enabled: false, level: "info" }` | Enables debug logging for middleware internals.                     |
+
+
+#### `stringOptions` default:
+
+```js
+{
+  trim: false,
+  lowercase: false,
+  maxLength: null
+}
+```
+
+#### `arrayOptions` default:
+
+```js
+{
+  filterNull: false,
+  distinct: false
+}
+```
+
+---
+
+## Manual Mode
+
+If you set `mode: 'manual'`, the middleware will not sanitize automatically.  
+Call `req.sanitize()` manually in your route:
+
+```js
+app.use(expressMongoSanitize({ mode: 'manual' }));
+
+app.post('/manual', (req, res) => {
+  req.sanitize({ replaceWith: '_' }); // custom options are supported here
+  res.json(req.body);
+});
+```
+
+---
+
+## Skipping Routes
+
+Skip certain routes by adding their paths to `skipRoutes`:
+
+```js
+app.use(expressMongoSanitize({ skipRoutes: ['/skip', '/status'] }));
+
+// These routes will NOT be sanitized
+```
+
+---
+
+## Custom Sanitizer
+
+Use a completely custom sanitizer function:
+
+```js
+app.use(expressMongoSanitize({
+  customSanitizer: (data, options) => {
+    // Your custom logic
+    return data;
+  }
+}));
+```
+
+---
+
+## Route Parameter Sanitization
+
+> By default, only `body` and `query` are sanitized.
+> If you want to sanitize route parameters (`req.params`),  
+> use the helper function with `app.param` or `router.param`:
+>
+> ```js
+> app.param('username', expressMongoSanitize.paramSanitizeHandler());
+> ```
+>
+> This ensures that, for example, `/user/$admin` will be returned as `{ username: 'admin' }`  
+> in your handler.
+
+---
+
+## TypeScript
+
+Type definitions are included.  
+You can use this plugin in both CommonJS and ESM projects.
+
+---
+
+## Advanced Usage
+
+### Custom Sanitizer per Route
+
+You can override sanitizer options or use a completely custom sanitizer per route:
+
+```js
+app.post('/profile', (req, res, next) => {
+  req.sanitize({
+    customSanitizer: (data) => {
+      // For example, redact all strings:
+      if (typeof data === 'string') return '[REDACTED]';
+      return data;
+    }
+  });
+  res.json(req.body);
+});
+```
+## Debugging & Logging
+
+You can enable debug logs to see the internal operation of the middleware.  
+Useful for troubleshooting or when tuning sanitization behavior.
+
+```js
+app.use(
+  expressMongoSanitize({
+    debug: {
+      enabled: true,         // Turn on debug logs
+      level: 'debug',        // Log level: 'error' | 'warn' | 'info' | 'debug' | 'trace'
+      logSkippedRoutes: true // (optional) Log when routes are skipped
+    },
+    // ...other options
+  })
+);
+```
+### Logging Levels
+| Level   | Description                          |
+|---------|--------------------------------------|
+| `error` | Logs only errors                     |
+| `warn`  | Logs warnings and errors             |
+| `info`  | Logs informational messages          |
+| `debug` | Logs detailed debug information      |
+| `trace` | Logs very detailed trace information |
+
+### Using with Router
+
+```js
+const router = express.Router();
+router.use(expressMongoSanitize());
+// You can use paramSanitizeHandler on router params as well:
+router.param('userId', expressMongoSanitize.paramSanitizeHandler());
+```
+
+---
+
+## Troubleshooting
+
+### Route parameters are not being sanitized
+
+By default, only `body` and `query` are sanitized.  
+To sanitize route parameters, use:
+
+```js
+app.param('username', expressMongoSanitize.paramSanitizeHandler());
+```
+
+### Skipping specific routes doesn't work as expected
+
+Make sure you use the exact path as in your route definition,  
+and that you apply the middleware before your routes.
+
+---
+
+### My request is not being sanitized
+
+- Ensure your route handler is after the middleware in the stack.
+- If you are using `mode: 'manual'`, you **must** call `req.sanitize()` yourself.
+
+---
+
+For more troubleshooting, open an issue at [Github Issues](https://github.com/ExorTek/express-mongo-sanitize/issues)
+
+---
+
+## License
+
+**[MIT](https://github.com/ExorTek/express-mongo-sanitize/blob/master/LICENSE)**<br>
+
+Copyright © 2025 ExorTek

package/index.js

@@ -1,116 +1,188 @@
 'use strict';
 
 /**
- * Collection of regular expression patterns used for sanitization
- * @constant {RegExp[]}
+ * Regular expression patterns used for sanitizing input data.
+ * These patterns match common MongoDB injection attack vectors.
+ * @constant {ReadonlyArray<RegExp>}
  */
 const PATTERNS = Object.freeze([
-  /[\$]/g, // Finds all '$' (dollar) characters in the text.
-  /\./g, // Finds all '.' (dot) characters in the text.
-  /[\\\/{}.(*+?|[\]^)]/g, // Finds special characters (\, /, {, }, (, ., *, +, ?, |, [, ], ^, )) that need to be escaped.
-  /[\u0000-\u001F\u007F-\u009F]/g, // Finds ASCII control characters (0x00-0x1F and 0x7F-0x9F range).
-  /\{\s*\$|\$?\{(.|\r?\n)*\}/g, // Finds placeholders or variables in the format `${...}` or `{ $... }`.
+  /\$/g,
+  /\./g,
+  /[\\\/{}.(*+?|[\]^)]/g,
+  /[\u0000-\u001F\u007F-\u009F]/g,
+  /\{\s*\$|\$?\{(.|\r?\n)*\}/g,
 ]);
 
 /**
- * Default configuration options for the plugin
+ * Default configuration options for the sanitizer.
  * @constant {Object}
+ * @property {string} replaceWith - String to replace sanitized content with
+ * @property {boolean} removeMatches - Whether to remove matches entirely
+ * @property {string[]} sanitizeObjects - Request objects to sanitize
+ * @property {string} mode - Operation mode ('auto' or 'manual')
+ * @property {string[]} skipRoutes - Routes to skip sanitization
+ * @property {Function|null} customSanitizer - Custom sanitization function
+ * @property {boolean} recursive - Whether to sanitize recursively
+ * @property {boolean} removeEmpty - Whether to remove empty values
+ * @property {RegExp[]} patterns - Patterns to match for sanitization
+ * @property {string[]} allowedKeys - Keys that are allowed
+ * @property {string[]} deniedKeys - Keys that are denied
+ * @property {Object} stringOptions - String-specific options
+ * @property {Object} arrayOptions - Array-specific options
+ * @property {Object} debug - Debug configuration
  */
 const DEFAULT_OPTIONS = Object.freeze({
-  app: null, // The Express app instance. Default is null. You can specify the app instance if you want to sanitize the params(Path variables) of the app.
-  router: null, // The Express router instance. Default is null. You can specify the router instance if you want to sanitize the params(Path variables) of the router.
-  routerBasePath: 'api', // The base path of the router. Default is an 'api'. You can specify the base path of the router.
-  replaceWith: '', // The string to replace the matched patterns with. Default is an empty string. If you want to replace the matched patterns with a different string, you can set this option.
-  removeMatches: false, // Remove the matched patterns. Default is false. If you want to remove the matched patterns instead of replacing them, you can set this option to true.
-  sanitizeObjects: ['body', 'params', 'query'], // The request properties to sanitize. Default is ['body', 'params', 'query']. You can specify any request property that you want to sanitize. It must be an object.
-  mode: 'auto', // The mode of operation. Default is 'auto'. You can set this option to 'auto', 'manual'. If you set it to 'auto', the plugin will automatically sanitize the request objects. If you set it to 'manual', you can sanitize the request objects manually using the request.sanitize() method.
-  skipRoutes: [], // An array of routes to skip. Default is an empty array. If you want to skip certain routes from sanitization, you can specify the routes here. The routes must be in the format '/path'. For example, ['/health', '/metrics'].
-  customSanitizer: null, // A custom sanitizer function. Default is null. If you want to use a custom sanitizer function, you can specify it here. The function must accept two arguments: the original data and the options object. It must return the sanitized data.
-  recursive: true, // Enable recursive sanitization. Default is true. If you want to recursively sanitize the nested objects, you can set this option to true.
-  removeEmpty: false, // Remove empty values. Default is false. If you want to remove empty values after sanitization, you can set this option to true.
-  patterns: PATTERNS, // An array of patterns to match. Default is an array of patterns that match illegal characters and sequences. You can specify your own patterns if you want to match different characters or sequences. Each pattern must be a regular expression.
-  allowedKeys: [], // An array of allowed keys. Default is array. If you want to allow only certain keys in the object, you can specify the keys here. The keys must be strings. If a key is not in the allowedKeys array, it will be removed.
-  deniedKeys: [], // An array of denied keys. Default is array. If you want to deny certain keys in the object, you can specify the keys here. The keys must be strings. If a key is in the deniedKeys array, it will be removed.
+  replaceWith: '',
+  removeMatches: false,
+  sanitizeObjects: ['body', 'query'],
+  mode: 'auto',
+  skipRoutes: [],
+  customSanitizer: null,
+  recursive: true,
+  removeEmpty: false,
+  patterns: PATTERNS,
+  allowedKeys: [],
+  deniedKeys: [],
   stringOptions: {
-    // String sanitization options.
-    trim: false, // Trim whitespace. Default is false. If you want to trim leading and trailing whitespace from the string, you can set this option to true.
-    lowercase: false, // Convert to lowercase. Default is false. If you want to convert the string to lowercase, you can set this option to true.
-    maxLength: null, // Maximum length. Default is null. If you want to limit the maximum length of the string, you can set this option to a number. If the string length exceeds the maximum length, it will be truncated.
+    trim: false,
+    lowercase: false,
+    maxLength: null,
   },
   arrayOptions: {
-    // Array sanitization options.
-    filterNull: false, // Filter null values. Default is false. If you want to remove null values from the array, you can set this option to true.
-    distinct: false, // Remove duplicate values. Default is false. If you want to remove duplicate values from the array, you can set this option to true.
+    filterNull: false,
+    distinct: false,
+  },
+  debug: {
+    enabled: false,
+    level: 'info',
+    logSkippedRoutes: false,
   },
 });
 
 /**
- * Checks if value is a string
+ * Log level priority mapping for filtering debug output.
+ * @constant {Object<string, number>}
+ */
+const LOG_LEVELS = Object.freeze({
+  silent: 0,
+  error: 1,
+  warn: 2,
+  info: 3,
+  debug: 4,
+  trace: 5,
+});
+
+/**
+ * ANSI color codes for console output formatting.
+ * @constant {Object<string, string>}
+ */
+const LOG_COLORS = Object.freeze({
+  error: '\x1b[31m',
+  warn: '\x1b[33m',
+  info: '\x1b[36m',
+  debug: '\x1b[90m',
+  trace: '\x1b[35m',
+  reset: '\x1b[0m',
+});
+
+/**
+ * Logs debug messages with colored output and formatting.
+ * @param {Object} debugOpts - Debug configuration options
+ * @param {string} level - Log level (error, warn, info, debug, trace)
+ * @param {string} context - Context identifier for the log message
+ * @param {string} message - Main log message
+ * @param {*} [data=null] - Optional data to include in the log
+ */
+const log = (debugOpts, level, context, message, data = null) => {
+  if (!debugOpts?.enabled || LOG_LEVELS[debugOpts.level || 'silent'] < LOG_LEVELS[level]) return;
+  const color = LOG_COLORS[level] || '';
+  const reset = LOG_COLORS.reset;
+  const timestamp = new Date().toISOString();
+  let logMessage = `${color}[mongo-sanitize:${level.toUpperCase()}]${reset} ${timestamp} [${context}] ${message}`;
+  if (data !== null) {
+    if (typeof data === 'object') {
+      console.log(logMessage);
+      console.log(`${color}Data:${reset}`, JSON.stringify(data, null, 2));
+    } else {
+      console.log(logMessage, data);
+    }
+  } else {
+    console.log(logMessage);
+  }
+};
+
+/**
+ * Checks if a value is a string.
  * @param {*} value - Value to check
- * @returns {boolean} True if value is string
+ * @returns {boolean} True if value is a string
  */
 const isString = (value) => typeof value === 'string';
 
 /**
- * Checks if value is a valid email address
- * @param {string} val - Value to check
- * @returns {boolean} True if value is a valid email address
+ * Validates if a string is a valid email address.
+ * @param {*} val - Value to validate
+ * @returns {boolean} True if value is a valid email
  */
 const isEmail = (val) =>
   isString(val) &&
-  // RFC 5322 compliant email regex
   /^(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])$/i.test(
     val
   );
 
 /**
- * Checks if value is a plain object
+ * Checks if a value is a plain object (not array, date, etc.).
  * @param {*} obj - Value to check
- * @returns {boolean} True if value is plain object
+ * @returns {boolean} True if value is a plain object
  */
 const isPlainObject = (obj) => !!obj && Object.prototype.toString.call(obj) === '[object Object]';
 
+/**
+ * Checks if an object is empty (has no own properties).
+ * @param {*} obj - Object to check
+ * @returns {boolean} True if object is empty
+ */
 const isObjectEmpty = (obj) => {
   if (!isPlainObject(obj)) return false;
   return !Object.hasOwn(obj, Object.keys(obj)[0]);
 };
 
 /**
- * Checks if value is an array
+ * Checks if a value is an array.
  * @param {*} value - Value to check
- * @returns {boolean} True if value is array
+ * @returns {boolean} True if value is an array
  */
 const isArray = (value) => Array.isArray(value);
 
 /**
- * Checks if value is a primitive (null, number, or boolean)
+ * Checks if a value is a primitive type (null, boolean, number).
  * @param {*} value - Value to check
  * @returns {boolean} True if value is primitive
  */
 const isPrimitive = (value) => value == null || typeof value === 'boolean' || typeof value === 'number';
 
 /**
- * Checks if value is a Date object
+ * Checks if a value is a Date object.
  * @param {*} value - Value to check
- * @returns {boolean} True if value is Date
+ * @returns {boolean} True if value is a Date
  */
 const isDate = (value) => value instanceof Date;
 
 /**
- * Checks if value is a function
+ * Checks if a value is a function.
  * @param {*} value - Value to check
- * @returns {boolean} True if value is function
+ * @returns {boolean} True if value is a function
  */
 const isFunction = (value) => typeof value === 'function';
 
 /**
- * Error class for ExpressMongoSanitize
+ * Custom error class for express-mongo-sanitize specific errors.
+ * @extends Error
  */
 class ExpressMongoSanitizeError extends Error {
   /**
-   * Creates a new ExpressMongoSanitizeError
+   * Creates a new ExpressMongoSanitizeError.
    * @param {string} message - Error message
-   * @param {string} [type='generic'] - Error type
+   * @param {string} [type='generic'] - Error type identifier
    */
   constructor(message, type = 'generic') {
     super(message);
@@ -121,90 +193,107 @@ class ExpressMongoSanitizeError extends Error {
 }
 
 /**
- * Create a colorized warning message
- * @param {string} message - Warning message
- * @returns {void}
- */
-const createColorizedWarningMessage = (message) => console.log(`\x1b[33m%s\x1b[0m`, message);
-
-/**
- * Sanitizes a string value according to provided options
+ * Sanitizes a string by removing or replacing dangerous patterns.
  * @param {string} str - String to sanitize
  * @param {Object} options - Sanitization options
- * @param {boolean} isValue - Whether string is a value or key
+ * @param {boolean} [isValue=false] - Whether this is a value (affects length limits)
  * @returns {string} Sanitized string
  */
 const sanitizeString = (str, options, isValue = false) => {
-  if (!isString(str) || isEmail(str)) return str;
-
+  const { debug } = options;
+  if (!isString(str) || isEmail(str)) {
+    log(debug, 'trace', 'STRING', `Skipping: not a string or is email`, str);
+    return str;
+  }
   const { replaceWith, patterns, stringOptions } = options;
-
   const combinedPattern = new RegExp(patterns.map((pattern) => pattern.source).join('|'), 'g');
-
+  const original = str;
   let result = str.replace(combinedPattern, replaceWith);
-
   if (stringOptions.trim) result = result.trim();
   if (stringOptions.lowercase) result = result.toLowerCase();
   if (stringOptions.maxLength && isValue) result = result.slice(0, stringOptions.maxLength);
-
+  if (debug?.enabled && original !== result) {
+    log(debug, 'debug', 'STRING', `Sanitized string`, { original, result });
+  }
   return result;
 };
 
 /**
- * Sanitizes an array according to provided options
+ * Sanitizes an array by processing each element and applying array-specific options.
  * @param {Array} arr - Array to sanitize
  * @param {Object} options - Sanitization options
  * @returns {Array} Sanitized array
  * @throws {ExpressMongoSanitizeError} If input is not an array
  */
 const sanitizeArray = (arr, options) => {
-  if (!isArray(arr)) throw new ExpressMongoSanitizeError('Input must be an array', 'type_error');
-
-  const { arrayOptions } = options;
+  const { debug } = options;
+  if (!isArray(arr)) {
+    log(debug, 'error', 'ARRAY', `Input is not array`, arr);
+    throw new ExpressMongoSanitizeError('Input must be an array', 'type_error');
+  }
+  log(debug, 'trace', 'ARRAY', `Sanitizing array of length ${arr.length}`);
   let result = arr.map((item) => sanitizeValue(item, options, true));
-
-  if (arrayOptions.filterNull) result = result.filter(Boolean);
-  if (arrayOptions.distinct) result = [...new Set(result)];
+  if (options.arrayOptions.filterNull) {
+    const before = result.length;
+    result = result.filter(Boolean);
+    log(debug, 'debug', 'ARRAY', `Filtered nulls: ${before} → ${result.length}`);
+  }
+  if (options.arrayOptions.distinct) {
+    const before = result.length;
+    result = [...new Set(result)];
+    log(debug, 'debug', 'ARRAY', `Removed duplicates: ${before} → ${result.length}`);
+  }
   return result;
 };
 
 /**
- * Sanitizes an object according to provided options
+ * Sanitizes an object by processing keys and values according to configuration.
  * @param {Object} obj - Object to sanitize
  * @param {Object} options - Sanitization options
  * @returns {Object} Sanitized object
  * @throws {ExpressMongoSanitizeError} If input is not an object
  */
 const sanitizeObject = (obj, options) => {
-  if (!isPlainObject(obj)) throw new ExpressMongoSanitizeError('Input must be an object', 'type_error');
-
-  const { removeEmpty, allowedKeys, deniedKeys, removeMatches, patterns } = options;
+  const { debug, removeEmpty, allowedKeys, deniedKeys, removeMatches, patterns } = options;
+  if (!isPlainObject(obj)) {
+    log(debug, 'error', 'OBJECT', `Input is not object`, obj);
+    throw new ExpressMongoSanitizeError('Input must be an object', 'type_error');
+  }
+  log(debug, 'trace', 'OBJECT', `Sanitizing object with keys: ${Object.keys(obj)}`);
   return Object.entries(obj).reduce((acc, [key, val]) => {
-    if ((allowedKeys.size && !allowedKeys.has(key)) || deniedKeys.has(key)) return acc;
-
+    if ((allowedKeys.size && !allowedKeys.has(key)) || deniedKeys.has(key)) {
+      log(debug, 'debug', 'OBJECT', `Key '${key}' removed (allowed/denied filter)`);
+      return acc;
+    }
     const sanitizedKey = sanitizeString(key, options);
-    if (removeMatches && patterns.some((pattern) => pattern.test(key))) return acc;
-    if (removeEmpty && !sanitizedKey) return acc;
-
+    if (removeMatches && patterns.some((pattern) => pattern.test(key))) {
+      log(debug, 'debug', 'OBJECT', `Key '${key}' matches removal pattern`);
+      return acc;
+    }
+    if (removeEmpty && !sanitizedKey) {
+      log(debug, 'debug', 'OBJECT', `Key '${key}' removed (empty after sanitize)`);
+      return acc;
+    }
     if (isEmail(val) && deniedKeys.has(key)) {
       acc[sanitizedKey] = val;
+      log(debug, 'trace', 'OBJECT', `Email field preserved: ${key}`);
+      return acc;
+    }
+    if (removeMatches && isString(val) && patterns.some((pattern) => pattern.test(val))) {
+      log(debug, 'debug', 'OBJECT', `Value for key '${key}' matches removal pattern`);
       return acc;
     }
-
-    if (removeMatches && isString(val) && patterns.some((pattern) => pattern.test(val))) return acc;
-
     const sanitizedValue = sanitizeValue(val, options, true);
     if (!removeEmpty || sanitizedValue) acc[sanitizedKey] = sanitizedValue;
-
     return acc;
   }, {});
 };
 
 /**
- * Sanitizes a value according to its type and provided options
+ * Main sanitization function that routes values to appropriate sanitizers.
  * @param {*} value - Value to sanitize
  * @param {Object} options - Sanitization options
- * @param {boolean} [isValue=false] - Whether value is a value or key
+ * @param {boolean} [isValue=false] - Whether this is a value context
  * @returns {*} Sanitized value
  */
 const sanitizeValue = (value, options, isValue = false) => {
@@ -215,15 +304,12 @@ const sanitizeValue = (value, options, isValue = false) => {
 };
 
 /**
- * Validates plugin options
+ * Validates the provided options object against expected schema.
  * @param {Object} options - Options to validate
  * @throws {ExpressMongoSanitizeError} If any option is invalid
  */
 const validateOptions = (options) => {
   const validators = {
-    app: (value) => !value || isFunction(value),
-    router: (value) => !value || isFunction(value),
-    routerBasePath: isString,
     replaceWith: isString,
     removeMatches: isPrimitive,
     sanitizeObjects: isArray,
@@ -238,7 +324,6 @@ const validateOptions = (options) => {
     stringOptions: isPlainObject,
     arrayOptions: isPlainObject,
   };
-
   for (const [key, validate] of Object.entries(validators)) {
     if (!validate(options[key])) {
       throw new ExpressMongoSanitizeError(`Invalid configuration: "${key}" with value "${options[key]}"`, 'type_error');
@@ -247,86 +332,67 @@ const validateOptions = (options) => {
 };
 
 /**
- * Handles request sanitization
+ * Checks if a property is writable on an object or its prototype chain.
+ * @param {Object} obj - Object to check
+ * @param {string} prop - Property name to check
+ * @returns {boolean} True if property is writable
+ */
+const isWritable = (obj, prop) => {
+  let cur = obj;
+  while (cur) {
+    const descriptor = Object.getOwnPropertyDescriptor(cur, prop);
+    if (descriptor) return !!descriptor.writable;
+    cur = Object.getPrototypeOf(cur);
+  }
+  return true;
+};
+
+/**
+ * Handles sanitization of Express request objects.
  * @param {Object} request - Express request object
  * @param {Object} options - Sanitization options
  */
 const handleRequest = (request, options) => {
-  const { sanitizeObjects, customSanitizer } = options;
-
-  return sanitizeObjects.reduce((acc, sanitizeObject) => {
+  const { sanitizeObjects, customSanitizer, debug } = options;
+  log(debug, 'info', 'REQUEST', `Sanitizing request`, { url: request.originalUrl || request.url });
+  sanitizeObjects.forEach((sanitizeObject) => {
     const requestObject = request[sanitizeObject];
     if (requestObject && !isObjectEmpty(requestObject)) {
-      const originalRequest = Object.assign({}, requestObject);
-
-      request[sanitizeObject] = customSanitizer
+      log(debug, 'debug', 'REQUEST', `Sanitizing '${sanitizeObject}'`, requestObject);
+      const originalRequest = Object.assign(Array.isArray(requestObject) ? [] : {}, requestObject);
+      const sanitized = customSanitizer
         ? customSanitizer(originalRequest, options)
         : sanitizeValue(originalRequest, options);
+      if (debug?.enabled && JSON.stringify(originalRequest) !== JSON.stringify(sanitized)) {
+        log(debug, 'debug', 'REQUEST', `'${sanitizeObject}' sanitized`, {
+          before: originalRequest,
+          after: sanitized,
+        });
+      }
+      if (isWritable(request, sanitizeObject)) {
+        request[sanitizeObject] = sanitized;
+      } else if (typeof request[sanitizeObject] === 'object' && request[sanitizeObject] !== null) {
+        Object.keys(request[sanitizeObject]).forEach((k) => delete request[sanitizeObject][k]);
+        Object.assign(request[sanitizeObject], sanitized);
+      }
     }
-
-    return acc;
-  }, {});
+  });
 };
 
 /**
- * Get all route parameters from the Express app
- * @param {Object[]} stack - Express app stack
- * @param {string} basePath - Base path of the router
- * @returns {string[]} All route parameters in the Express app
+ * Cleans and normalizes a URL path for comparison.
+ * @param {string} url - URL to clean
+ * @returns {string|null} Cleaned URL path or null if invalid
  */
-const getAllRouteParams = (stack, basePath) => {
-  const uniqueParams = new Set();
-  const pathStack = [{ currentStack: stack, basePath }];
-  const cache = new Map();
-
-  while (pathStack.length > 0) {
-    const { currentStack, basePath } = pathStack.pop();
-
-    for (let i = 0; i < currentStack.length; i++) {
-      const middleware = currentStack[i];
-
-      if (cache.has(middleware)) {
-        const cachedPath = cache.get(middleware);
-        if (cachedPath) uniqueParams.add(...cachedPath);
-        continue;
-      }
-
-      if (middleware.route) {
-        const routePath = basePath + middleware.route.path;
-        const paramRegex = /:([^/]+)/g;
-        const params = [];
-        let paramMatch;
-
-        while ((paramMatch = paramRegex.exec(routePath))) {
-          params.push(paramMatch[1]);
-          uniqueParams.add(paramMatch[1]);
-        }
-
-        cache.set(middleware, params);
-      } else if (middleware.name === 'router' && middleware.handle?.stack) {
-        let newBasePath = '';
-
-        if (middleware.regexp) {
-          const regexpStr = middleware.regexp.toString();
-          const match = regexpStr.match(/^\/\^\\\/\?((?:[^\\]|\\.)*)\\\/\?\$\/$/);
-
-          if (match?.[1]) {
-            newBasePath = match[1].replace(/\\\//g, '/');
-          }
-        }
-        pathStack.push({
-          currentStack: middleware.handle.stack,
-          basePath: basePath + newBasePath,
-        });
-        cache.set(middleware, null);
-      }
-    }
-  }
-  return [...uniqueParams];
+const cleanUrl = (url) => {
+  if (typeof url !== 'string' || !url) return null;
+  const [path] = url.split(/[?#]/);
+  const trimmed = path.replace(/^\/+|\/+$/g, '');
+  return trimmed ? '/' + trimmed : '/';
 };
 
 /**
- * Express middleware for sanitizing request objects
+ * Main middleware factory function for Express MongoDB sanitization.
  * @param {Object} [options={}] - Configuration options
  * @returns {Function} Express middleware function
  * @throws {ExpressMongoSanitizeError} If options are invalid
@@ -334,11 +400,7 @@ const getAllRouteParams = (stack, basePath) => {
 const expressMongoSanitize = (options = {}) => {
   if (!isPlainObject(options)) throw new ExpressMongoSanitizeError('Options must be an object', 'type_error');
 
-  const userOpts = {
-    ...DEFAULT_OPTIONS,
-    ...options,
-  };
-
+  const userOpts = { ...DEFAULT_OPTIONS, ...options };
   validateOptions(userOpts);
 
   const opts = {
@@ -346,53 +408,51 @@ const expressMongoSanitize = (options = {}) => {
     skipRoutes: new Set(options.skipRoutes || DEFAULT_OPTIONS.skipRoutes),
     allowedKeys: new Set(options.allowedKeys || DEFAULT_OPTIONS.allowedKeys),
     deniedKeys: new Set(options.deniedKeys || DEFAULT_OPTIONS.deniedKeys),
+    debug: { ...DEFAULT_OPTIONS.debug, ...(options.debug || {}) },
   };
 
-  const { mode, app, router, routerBasePath } = opts;
-
-  if (!app)
-    createColorizedWarningMessage(
-      'ExpressMongoSanitizer: You must provide an Express app instance to sanitize route parameters. Skipping route parameter sanitization.'
-    );
-
-  if (!router)
-    createColorizedWarningMessage(
-      'ExpressMongoSanitizer: You must provide an Express router instance to sanitize route parameters. Skipping route parameter sanitization.'
-    );
-
   return (req, res, next) => {
-    if (opts.skipRoutes.has(req.url)) return next();
-
-    if (app) {
-      const allRouteParams = getAllRouteParams(app._router.stack, routerBasePath);
-      app.param(allRouteParams, (req, res, next, value, name) => {
-        req.params[name] = sanitizeString(value, opts);
-        next();
-      });
-    }
-
-    if (router) {
-      const allRouteParams = getAllRouteParams(app._router.stack, routerBasePath);
-      while (allRouteParams.length) {
-        const param = allRouteParams.pop();
-        router.param(param, (req, res, next, value, name) => {
-          req.params[name] = sanitizeString(value, opts);
-          next();
-        });
-      }
+    log(opts.debug, 'trace', 'MIDDLEWARE', `Incoming request`, { url: req.originalUrl || req.url, method: req.method });
+    const cleanedRequestPath = cleanUrl(req.path || req.url);
+    const shouldSkip = Array.from(opts.skipRoutes).some((skipPath) => cleanUrl(skipPath) === cleanedRequestPath);
+    if (shouldSkip) {
+      if (opts.debug?.logSkippedRoutes)
+        log(opts.debug, 'info', 'SKIP', `Skipped route: ${req.method} ${cleanedRequestPath}`);
+      return next();
     }
-
-    if (mode === 'auto') {
+    if (opts.mode === 'auto') {
+      log(opts.debug, 'trace', 'MIDDLEWARE', `Auto mode: running sanitizer`);
       handleRequest(req, opts);
     }
-
-    if (mode === 'manual') {
+    if (opts.mode === 'manual') {
+      log(opts.debug, 'trace', 'MIDDLEWARE', `Manual mode: exposing req.sanitize`);
       req.sanitize = (customOpts) => {
         const finalOpts = { ...opts, ...customOpts };
         handleRequest(req, finalOpts);
       };
     }
+    next();
+  };
+};
 
+/**
+ * Creates a parameter sanitization handler for Express route parameters.
+ * @param {Object} [options={}] - Configuration options
+ * @returns {Function} Express parameter handler function
+ */
+const paramSanitizeHandler = (options = {}) => {
+  const opts = {
+    ...DEFAULT_OPTIONS,
+    ...options,
+    debug: { ...DEFAULT_OPTIONS.debug, ...(options.debug || {}) },
+  };
+  return function (req, res, next, value, paramName) {
+    const key = paramName || this?.name;
+    if (key && req.params && isString(value)) {
+      const before = req.params[key];
+      req.params[key] = sanitizeString(value, opts, true);
+      log(opts.debug, 'debug', 'PARAM', `Sanitized param '${key}'`, { before, after: req.params[key] });
+    }
     next();
   };
 };
@@ -400,3 +460,5 @@ const expressMongoSanitize = (options = {}) => {
 module.exports = expressMongoSanitize;
 module.exports.default = expressMongoSanitize;
 module.exports.expressMongoSanitize = expressMongoSanitize;
+module.exports.paramSanitizeHandler = paramSanitizeHandler;
+exports.default = expressMongoSanitize;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@exortek/express-mongo-sanitize",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "A comprehensive Express middleware designed to protect your No(n)SQL queries from injection attacks by sanitizing request data. This middleware provides flexible sanitization options for request bodies, parameters, and query strings.",
   "main": "index.js",
   "type": "commonjs",
@@ -41,12 +41,13 @@
   "publishConfig": {
     "access": "public"
   },
-  "packageManager": "yarn@4.5.1",
+  "packageManager": "yarn@4.9.2",
   "devDependencies": {
-    "@types/express": "^5.0.0",
-    "express": "^4.21.1",
-    "prettier": "^3.3.3",
-    "tsd": "^0.31.2"
+    "@types/express": "^5.0.3",
+    "express": "npm:express@5.1.0",
+    "express4": "npm:express@4.21.2",
+    "prettier": "^3.5.3",
+    "tsd": "^0.32.0"
   },
   "files": [
     "index.js",

package/types/index.d.ts

@@ -1,62 +1,80 @@
-import type { Application, Router, Handler } from 'express';
+import { RequestHandler, RequestParamHandler } from 'express';
 
-export type SanitizeMode = 'auto' | 'manual';
-export type SanitizeObject = 'body' | 'params' | 'query';
-
-export interface StringSanitizeOptions {
+/**
+ * String-specific sanitizer options.
+ */
+export interface StringOptions {
+  /** Trim whitespace from strings */
   trim?: boolean;
+  /** Convert strings to lowercase */
   lowercase?: boolean;
+  /** Truncate strings to a maximum length (null = unlimited) */
   maxLength?: number | null;
 }
 
-export interface ArraySanitizeOptions {
+/**
+ * Array-specific sanitizer options.
+ */
+export interface ArrayOptions {
+  /** Remove null values from arrays */
   filterNull?: boolean;
+  /** Remove duplicate values from arrays */
   distinct?: boolean;
 }
 
+export interface DebugOptions {
+  /** Enable debug logging */
+  enabled?: boolean;
+  /** Log level (e.g., 'silent' | 'error' | 'warn' | 'info' | 'debug' | 'trace') */
+  level?: string;
+}
+
+/**
+ * Main options for expressMongoSanitize middleware.
+ */
 export interface ExpressMongoSanitizeOptions {
-  /** Express application instance */
-  app?: Application | null;
-  /** Express router instance */
-  router?: Router | null;
-  /** Base path for the router */
-  routerBasePath?: string | 'api';
   /** String to replace matched patterns with */
   replaceWith?: string;
-  /** Whether to remove matches instead of replacing them */
+  /** Remove values matching patterns */
   removeMatches?: boolean;
-  /** Request objects to sanitize */
-  sanitizeObjects?: SanitizeObject[];
-  /** Sanitization mode */
-  mode?: SanitizeMode;
-  /** Routes to skip sanitization */
+  /** Request objects to sanitize (default: ['body', 'query']) */
+  sanitizeObjects?: Array<'body' | 'query'>;
+  /** Automatic or manual mode */
+  mode?: 'auto' | 'manual';
+  /** Paths to skip sanitizing */
   skipRoutes?: string[];
-  /** Custom sanitizer function */
-  customSanitizer?: ((data: unknown, options: ExpressMongoSanitizeOptions) => unknown) | null;
-  /** Whether to recursively sanitize nested objects */
+  /** Completely custom sanitizer function */
+  customSanitizer?: (data: any, options: ExpressMongoSanitizeOptions) => any;
+  /** Recursively sanitize nested objects */
   recursive?: boolean;
-  /** Whether to remove empty values after sanitization */
+  /** Remove empty values after sanitizing */
   removeEmpty?: boolean;
   /** Patterns to match for sanitization */
   patterns?: RegExp[];
-  /** Allowed keys in objects */
-  allowedKeys?: string[] | null;
-  /** Denied keys in objects */
-  deniedKeys?: string[] | null;
-  /** String sanitization options */
-  stringOptions?: StringSanitizeOptions;
-  /** Array sanitization options */
-  arrayOptions?: ArraySanitizeOptions;
+  /** Only allow these keys in sanitized objects */
+  allowedKeys?: string[];
+  /** Remove these keys from sanitized objects */
+  deniedKeys?: string[];
+  /** String sanitizer options */
+  stringOptions?: StringOptions;
+  /** Array sanitizer options */
+  arrayOptions?: ArrayOptions;
+  /** Debugging options */
+  debug?: DebugOptions;
 }
 
-declare class ExpressMongoSanitizeError extends Error {
-  constructor(message: string, type?: string);
-  message: string;
-  type: string;
-}
+/**
+ * Middleware for automatic sanitization of request objects.
+ */
+declare function expressMongoSanitize(options?: ExpressMongoSanitizeOptions): RequestHandler;
 
-declare const expressMongoSanitize: (options?: ExpressMongoSanitizeOptions) => Handler;
+/**
+ * Middleware for sanitizing individual route parameters.
+ */
+declare function paramSanitizeHandler(options?: ExpressMongoSanitizeOptions): RequestParamHandler;
 
+/**
+ * Main export for express-mongo-sanitize middleware.
+ */
 export default expressMongoSanitize;
-
-export { ExpressMongoSanitizeError, expressMongoSanitize };
+export { expressMongoSanitize, paramSanitizeHandler };