npm - @exortek/express-mongo-sanitize - Versions diffs - 1.1.1 → 2.0.1 - Mend

@exortek/express-mongo-sanitize 1.1.1 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -1,269 +1,98 @@
 # @exortek/express-mongo-sanitize
-A comprehensive Express middleware designed to protect your No(n)SQL queries from injection attacks by sanitizing request data.
-This middleware provides flexible sanitization options for request bodies and query strings, and an **optional handler for route parameters**.
+<p align="center">
+  <img src="https://img.shields.io/npm/v/@exortek/express-mongo-sanitize?style=flat-square&color=339933" alt="npm version">
+  <img src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square" alt="license">
+</p>
-## Compatibility
+Express middleware for NoSQL injection prevention. Sanitizes request `body`, `query`, and `params` to protect MongoDB queries from operator injection attacks.
-| Middleware version | Express version |
-|--------------------|:---------------:|
-| `^1.x`             |     `^4.x`      |
-| `^1.x`             |     `^5.x`      |
+## 📦 Installation
-## Features
-- Automatic sanitization of `req.body` and `req.query` by default
-- Supports deep/nested objects, arrays, and string transformation
-- Allows custom sanitizer logic, key allow/deny lists, skip routes, and more
-- **Route params (`req.params`) can be sanitized with an explicit helper** (see below)
----
-## Installation
-```sh
-yarn add @exortek/express-mongo-sanitize
-# or
+```bash
 npm install @exortek/express-mongo-sanitize
 ```
+```bash
+yarn install @exortek/express-mongo-sanitize
+```
+```bash
+pnpm install @exortek/express-mongo-sanitize
+```
----
-## Usage
-### Basic usage
+## ⚡ Quick Start
 ```js
 const express = require('express');
-const expressMongoSanitize = require('@exortek/express-mongo-sanitize');
+const mongoSanitize = require('@exortek/express-mongo-sanitize');
 const app = express();
 app.use(express.json());
+app.use(mongoSanitize());
-// Body and query are sanitized automatically:
-app.use(expressMongoSanitize());
-app.post('/submit', (req, res) => {
+app.post('/login', (req, res) => {
+  // req.body is sanitized — { "$ne": "" } becomes { "ne": "" }
   res.json(req.body);
 });
 ```
----
-### Sanitizing Route Params (`req.params`)
-By default, only `body` and `query` are sanitized.
-**If you want to sanitize route parameters (`req.params`),**
-use the exported `paramSanitizeHandler` with Express's `app.param` or `router.param`:
+## ⚙️ Options
 ```js
-// Route parameter sanitization (recommended way):
-app.param('username', expressMongoSanitize.paramSanitizeHandler());
-// Example route:
-app.get('/user/:username', (req, res) => {
-  res.json({ username: req.params.username });
-});
+app.use(mongoSanitize({
+  replaceWith: '',           // Replace matched chars with this string
+  removeMatches: false,      // Remove entire key-value pair if pattern matches
+  sanitizeObjects: ['body', 'query'],  // Request fields to sanitize
+  contentTypes: ['application/json', 'application/x-www-form-urlencoded'],
+  mode: 'auto',             // 'auto' | 'manual'
+  skipRoutes: [],            // Routes to skip (string or RegExp)
+  recursive: true,           // Sanitize nested objects
+  maxDepth: null,            // Max recursion depth (null = unlimited)
+  onSanitize: ({ key, originalValue, sanitizedValue }) => {
+    console.log(`Sanitized ${key}`);
+  }
+}));
 ```
-**Note:**
-- You can attach this for any route param, e.g. `'id'`, `'slug'`, etc.
-- This gives you full control and doesn't require the middleware to know your routes.
----
+> For the full list of options, see the [Core README](../core/README.md#configuration-options).
-## Options
+## 🛠 Features
-| Option            | Type     | Default                             | Description                                                         |
-|-------------------|----------|-------------------------------------|---------------------------------------------------------------------|
-| `replaceWith`     | string   | `''`                                | String to replace matched patterns                                  |
-| `removeMatches`   | boolean  | `false`                             | Remove values matching patterns entirely                            |
-| `sanitizeObjects` | string[] | `['body', 'query']`                 | List of request objects to sanitize                                 |
-| `mode`            | string   | `'auto'`                            | `'auto'` for automatic, `'manual'` for explicit req.sanitize() call |
-| `skipRoutes`      | string[] | `[]`                                | List of paths to skip (e.g. ['/health'])                            |
-| `customSanitizer` | function | `null`                              | Custom sanitizer function, overrides built-in sanitizer             |
-| `recursive`       | boolean  | `true`                              | Recursively sanitize nested values                                  |
-| `removeEmpty`     | boolean  | `false`                             | Remove empty values after sanitization                              |
-| `patterns`        | RegExp[] | See source code                     | Patterns to match for sanitization                                  |
-| `allowedKeys`     | string[] | `[]`                                | Only allow these keys (all if empty)                                |
-| `deniedKeys`      | string[] | `[]`                                | Remove these keys (none if empty)                                   |
-| `stringOptions`   | object   | See below                           | String transform options (trim, lowercase, maxLength)               |
-| `arrayOptions`    | object   | See below                           | Array handling options (filterNull, distinct)                       |
-| `debug`           | object   | `{ enabled: false, level: "info" }` | Enables debug logging for middleware internals.                     |
+### Route Parameter Sanitization
-#### `stringOptions` default:
-```js
-{
-  trim: false,
-  lowercase: false,
-  maxLength: null
-}
-```
-#### `arrayOptions` default:
+While `body` and `query` are sanitized automatically, route parameters can be sanitized using the `paramSanitizeHandler`:
 ```js
-{
-  filterNull: false,
-  distinct: false
-}
-```
----
-## Manual Mode
-If you set `mode: 'manual'`, the middleware will not sanitize automatically.
-Call `req.sanitize()` manually in your route:
+const { paramSanitizeHandler } = require('@exortek/express-mongo-sanitize');
-```js
-app.use(expressMongoSanitize({ mode: 'manual' }));
+app.param('username', paramSanitizeHandler());
-app.post('/manual', (req, res) => {
-  req.sanitize({ replaceWith: '_' }); // custom options are supported here
-  res.json(req.body);
+app.get('/user/:username', (req, res) => {
+  // GET /user/$admin → req.params.username is "admin"
+  res.json({ username: req.params.username });
 });
 ```
----
-## Skipping Routes
-Skip certain routes by adding their paths to `skipRoutes`:
-```js
-app.use(expressMongoSanitize({ skipRoutes: ['/skip', '/status'] }));
-// These routes will NOT be sanitized
-```
----
-## Custom Sanitizer
+### Manual Mode
-Use a completely custom sanitizer function:
+If you need fine-grained control over when sanitization occurs:
 ```js
-app.use(expressMongoSanitize({
-  customSanitizer: (data, options) => {
-    // Your custom logic
-    return data;
-  }
-}));
-```
----
-## Route Parameter Sanitization
-> By default, only `body` and `query` are sanitized.
-> If you want to sanitize route parameters (`req.params`),
-> use the helper function with `app.param` or `router.param`:
->
-> ```js
-> app.param('username', expressMongoSanitize.paramSanitizeHandler());
-> ```
->
-> This ensures that, for example, `/user/$admin` will be returned as `{ username: 'admin' }`
-> in your handler.
+app.use(mongoSanitize({ mode: 'manual' }));
----
-## TypeScript
-Type definitions are included.
-You can use this plugin in both CommonJS and ESM projects.
----
-## Advanced Usage
-### Custom Sanitizer per Route
-You can override sanitizer options or use a completely custom sanitizer per route:
-```js
-app.post('/profile', (req, res, next) => {
-  req.sanitize({
-    customSanitizer: (data) => {
-      // For example, redact all strings:
-      if (typeof data === 'string') return '[REDACTED]';
-      return data;
-    }
-  });
+app.post('/sensitive', (req, res) => {
+  req.sanitize(); // Manually trigger sanitization
   res.json(req.body);
 });
 ```
-## Debugging & Logging
-You can enable debug logs to see the internal operation of the middleware.
-Useful for troubleshooting or when tuning sanitization behavior.
-```js
-app.use(
-  expressMongoSanitize({
-    debug: {
-      enabled: true,         // Turn on debug logs
-      level: 'debug',        // Log level: 'error' | 'warn' | 'info' | 'debug' | 'trace'
-      logSkippedRoutes: true // (optional) Log when routes are skipped
-    },
-    // ...other options
-  })
-);
-```
-### Logging Levels
-| Level   | Description                          |
-|---------|--------------------------------------|
-| `error` | Logs only errors                     |
-| `warn`  | Logs warnings and errors             |
-| `info`  | Logs informational messages          |
-| `debug` | Logs detailed debug information      |
-| `trace` | Logs very detailed trace information |
-### Using with Router
-```js
-const router = express.Router();
-router.use(expressMongoSanitize());
-// You can use paramSanitizeHandler on router params as well:
-router.param('userId', expressMongoSanitize.paramSanitizeHandler());
-```
----
-## Troubleshooting
-### Route parameters are not being sanitized
+### Content-Type Guard
-By default, only `body` and `query` are sanitized.
-To sanitize route parameters, use:
+By default, only `application/json` and `application/x-www-form-urlencoded` bodies are sanitized to avoid corrupting binary data or file uploads. You can customize this:
 ```js
-app.param('username', expressMongoSanitize.paramSanitizeHandler());
+app.use(mongoSanitize({ contentTypes: ['application/json', 'application/graphql'] }));
 ```
-### Skipping specific routes doesn't work as expected
-Make sure you use the exact path as in your route definition,
-and that you apply the middleware before your routes.
----
-### My request is not being sanitized
-- Ensure your route handler is after the middleware in the stack.
-- If you are using `mode: 'manual'`, you **must** call `req.sanitize()` yourself.
----
-For more troubleshooting, open an issue at [Github Issues](https://github.com/ExorTek/express-mongo-sanitize/issues)
----
-## License
-**[MIT](https://github.com/ExorTek/express-mongo-sanitize/blob/master/LICENSE)**<br>
+## 📜 License
-Copyright © 2025 ExorTek
+[MIT](../../LICENSE) — Created by **ExorTek**

package/package.json CHANGED Viewed

@@ -1,56 +1,68 @@
 {
   "name": "@exortek/express-mongo-sanitize",
-  "version": "1.1.1",
-  "description": "A comprehensive Express middleware designed to protect your No(n)SQL queries from injection attacks by sanitizing request data. This middleware provides flexible sanitization options for request bodies, parameters, and query strings.",
-  "main": "index.js",
+  "version": "2.0.1",
+  "description": "Express middleware for NoSQL injection prevention — sanitizes request data",
+  "main": "src/index.js",
   "type": "commonjs",
   "types": "types/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./src/index.js",
+      "require": "./src/index.js",
+      "types": "./types/index.d.ts"
+    }
+  },
   "scripts": {
-    "format": "prettier --write \"**/*.{js,ts,json}\"",
-    "test:tsd": "tsd",
-    "test:node": "node --test"
+    "test": "node --test test/*.test.js",
+    "prepublishOnly": "npm test"
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/ExorTek/express-mongo-sanitize.git"
+    "url": "git+https://github.com/ExorTek/nosql-sanitize.git",
+    "directory": "packages/express"
+  },
+  "homepage": "https://github.com/ExorTek/nosql-sanitize/packages/express#readme",
+  "bugs": {
+    "url": "https://github.com/ExorTek/nosql-sanitize/issues"
   },
   "keywords": [
     "express",
     "mongodb",
     "sanitize",
-    "mongoose",
-    "express-middleware",
-    "data-validation",
-    "input-sanitization",
+    "nosql",
     "security",
-    "web-application",
-    "nodejs",
-    "typescript",
     "middleware",
-    "api-security",
-    "query-sanitization",
-    "no-sql",
-    "mongodb-sanitizer"
+    "injection",
+    "backend"
   ],
   "author": "ExorTek - https://github.com/ExorTek",
   "license": "MIT",
-  "bugs": {
-    "url": "https://github.com/ExorTek/express-mongo-sanitize/issues"
+  "engines": {
+    "node": ">=18.0.0"
   },
-  "homepage": "https://github.com/ExorTek/express-mongo-sanitize#readme",
   "publishConfig": {
     "access": "public"
   },
-  "packageManager": "yarn@4.9.2",
+  "dependencies": {
+    "@exortek/nosql-sanitize-core": "^2.0.0"
+  },
+  "peerDependencies": {
+    "express": ">=4.0.0"
+  },
+  "peerDependenciesMeta": {
+    "express": {
+      "optional": false
+    }
+  },
   "devDependencies": {
-    "@types/express": "^5.0.3",
+    "@types/express": "^5.0.6",
     "express": "npm:express@5.1.0",
-    "express4": "npm:express@4.21.2",
-    "prettier": "^3.5.3",
-    "tsd": "^0.32.0"
+    "express4": "npm:express@4.21.2"
   },
   "files": [
-    "index.js",
-    "types/index.d.ts"
+    "src/",
+    "types/",
+    "README.md",
+    "LICENSE"
   ]
 }

package/src/index.js ADDED Viewed

@@ -0,0 +1,64 @@
+'use strict';
+const {
+  resolveOptions,
+  handleRequest,
+  shouldSkipRoute,
+  sanitizeString,
+  cleanUrl,
+  log,
+  isString,
+  NoSQLSanitizeError,
+} = require('@exortek/nosql-sanitize-core');
+/**
+ * Express middleware factory.
+ * @param {Object} [options={}]
+ * @returns {Function} Express middleware
+ */
+const expressMongoSanitize = (options = {}) => {
+  const opts = resolveOptions(options);
+  return (req, res, next) => {
+    const requestPath = req.path || req.url;
+    if (shouldSkipRoute(requestPath, opts.skipRoutes, opts.debug)) {
+      return next();
+    }
+    if (opts.mode === 'auto') {
+      handleRequest(req, opts);
+    }
+    if (opts.mode === 'manual') {
+      req.sanitize = (customOpts) => {
+        const finalOpts = customOpts ? resolveOptions({ ...options, ...customOpts }) : opts;
+        handleRequest(req, finalOpts);
+      };
+    }
+    next();
+  };
+};
+/**
+ * Route parameter sanitization handler.
+ * @param {Object} [options={}]
+ * @returns {Function} Express param handler
+ */
+const paramSanitizeHandler = (options = {}) => {
+  const opts = resolveOptions(options);
+  return function (req, res, next, value, paramName) {
+    const key = paramName || this?.name;
+    if (key && req.params && isString(value)) {
+      req.params[key] = sanitizeString(value, opts, true);
+    }
+    next();
+  };
+};
+module.exports = expressMongoSanitize;
+module.exports.default = expressMongoSanitize;
+module.exports.expressMongoSanitize = expressMongoSanitize;
+module.exports.paramSanitizeHandler = paramSanitizeHandler;

package/types/index.d.ts CHANGED Viewed

@@ -1,80 +1,55 @@
-import { RequestHandler, RequestParamHandler } from 'express';
+/// <reference types="node" />
-/**
- * String-specific sanitizer options.
- */
-export interface StringOptions {
-  /** Trim whitespace from strings */
-  trim?: boolean;
-  /** Convert strings to lowercase */
-  lowercase?: boolean;
-  /** Truncate strings to a maximum length (null = unlimited) */
-  maxLength?: number | null;
-}
+import { Request, Response, NextFunction, RequestHandler } from 'express';
+import { SanitizeOptions, ResolvedOptions, SanitizeEvent } from '@exortek/nosql-sanitize-core';
-/**
- * Array-specific sanitizer options.
- */
-export interface ArrayOptions {
-  /** Remove null values from arrays */
-  filterNull?: boolean;
-  /** Remove duplicate values from arrays */
-  distinct?: boolean;
+declare module 'express' {
+  interface Request {
+    /**
+     * Available when `mode: 'manual'`.
+     * Call to sanitize `req.body`, `req.query`, and/or `req.params`.
+     * Optionally pass overrides for this specific call.
+     */
+    sanitize?: (options?: expressMongoSanitize.SanitizeOptions) => void;
+  }
 }
-export interface DebugOptions {
-  /** Enable debug logging */
-  enabled?: boolean;
-  /** Log level (e.g., 'silent' | 'error' | 'warn' | 'info' | 'debug' | 'trace') */
-  level?: string;
-}
+type ExpressMongoSanitize = (options?: expressMongoSanitize.SanitizeOptions) => RequestHandler;
-/**
- * Main options for expressMongoSanitize middleware.
- */
-export interface ExpressMongoSanitizeOptions {
-  /** String to replace matched patterns with */
-  replaceWith?: string;
-  /** Remove values matching patterns */
-  removeMatches?: boolean;
-  /** Request objects to sanitize (default: ['body', 'query']) */
-  sanitizeObjects?: Array<'body' | 'query'>;
-  /** Automatic or manual mode */
-  mode?: 'auto' | 'manual';
-  /** Paths to skip sanitizing */
-  skipRoutes?: string[];
-  /** Completely custom sanitizer function */
-  customSanitizer?: (data: any, options: ExpressMongoSanitizeOptions) => any;
-  /** Recursively sanitize nested objects */
-  recursive?: boolean;
-  /** Remove empty values after sanitizing */
-  removeEmpty?: boolean;
-  /** Patterns to match for sanitization */
-  patterns?: RegExp[];
-  /** Only allow these keys in sanitized objects */
-  allowedKeys?: string[];
-  /** Remove these keys from sanitized objects */
-  deniedKeys?: string[];
-  /** String sanitizer options */
-  stringOptions?: StringOptions;
-  /** Array sanitizer options */
-  arrayOptions?: ArrayOptions;
-  /** Debugging options */
-  debug?: DebugOptions;
-}
+declare namespace expressMongoSanitize {
+  export { SanitizeOptions, ResolvedOptions, SanitizeEvent };
-/**
- * Middleware for automatic sanitization of request objects.
- */
-declare function expressMongoSanitize(options?: ExpressMongoSanitizeOptions): RequestHandler;
+  /**
+   * Express middleware factory for NoSQL injection prevention.
+   *
+   * Sanitizes `req.body` and `req.query` by default.
+   * Supports `mode: 'auto'` (default) and `mode: 'manual'`.
+   *
+   * @example
+   * ```js
+   * const mongoSanitize = require('@exortek/express-mongo-sanitize');
+   * app.use(mongoSanitize());
+   * ```
+   */
+  export const expressMongoSanitize: ExpressMongoSanitize;
+  /**
+   * Express route parameter sanitization handler.
+   *
+   * @example
+   * ```js
+   * const { paramSanitizeHandler } = require('@exortek/express-mongo-sanitize');
+   * app.param('userId', paramSanitizeHandler());
+   * app.param('slug', paramSanitizeHandler({ replaceWith: '_' }));
+   * ```
+   */
+  export function paramSanitizeHandler(
+    options?: SanitizeOptions,
+  ): (req: Request, res: Response, next: NextFunction, value: string, paramName: string) => void;
+  export { expressMongoSanitize as default };
+}
-/**
- * Middleware for sanitizing individual route parameters.
- */
-declare function paramSanitizeHandler(options?: ExpressMongoSanitizeOptions): RequestParamHandler;
+declare function expressMongoSanitize(...params: Parameters<ExpressMongoSanitize>): ReturnType<ExpressMongoSanitize>;
-/**
- * Main export for express-mongo-sanitize middleware.
- */
-export default expressMongoSanitize;
-export { expressMongoSanitize, paramSanitizeHandler };
+export = expressMongoSanitize;

package/LICENSE DELETED Viewed

@@ -1,21 +0,0 @@
-MIT License
-Copyright (c) 2024 Memet
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

package/index.js DELETED Viewed

@@ -1,479 +0,0 @@
-'use strict';
-/**
- * Regular expression patterns used for sanitizing input data.
- * These patterns match common MongoDB injection attack vectors.
- * @constant {ReadonlyArray<RegExp>}
- */
-const PATTERNS = Object.freeze([
-  /\$/g,
-  /\./g,
-  /[\\\/{}.(*+?|[\]^)]/g,
-  /[\u0000-\u001F\u007F-\u009F]/g,
-  /\{\s*\$|\$?\{(.|\r?\n)*\}/g,
-]);
-/**
- * Default configuration options for the sanitizer.
- * @constant {Object}
- * @property {string} replaceWith - String to replace sanitized content with
- * @property {boolean} removeMatches - Whether to remove matches entirely
- * @property {string[]} sanitizeObjects - Request objects to sanitize
- * @property {string} mode - Operation mode ('auto' or 'manual')
- * @property {string[]} skipRoutes - Routes to skip sanitization
- * @property {Function|null} customSanitizer - Custom sanitization function
- * @property {boolean} recursive - Whether to sanitize recursively
- * @property {boolean} removeEmpty - Whether to remove empty values
- * @property {RegExp[]} patterns - Patterns to match for sanitization
- * @property {string[]} allowedKeys - Keys that are allowed
- * @property {string[]} deniedKeys - Keys that are denied
- * @property {Object} stringOptions - String-specific options
- * @property {Object} arrayOptions - Array-specific options
- * @property {Object} debug - Debug configuration
- */
-const DEFAULT_OPTIONS = Object.freeze({
-  replaceWith: '',
-  removeMatches: false,
-  sanitizeObjects: ['body', 'query'],
-  mode: 'auto',
-  skipRoutes: [],
-  customSanitizer: null,
-  recursive: true,
-  removeEmpty: false,
-  patterns: PATTERNS,
-  allowedKeys: [],
-  deniedKeys: [],
-  stringOptions: {
-    trim: false,
-    lowercase: false,
-    maxLength: null,
-  },
-  arrayOptions: {
-    filterNull: false,
-    distinct: false,
-  },
-  debug: {
-    enabled: false,
-    level: 'info',
-    logSkippedRoutes: false,
-  },
-});
-/**
- * Log level priority mapping for filtering debug output.
- * @constant {Object<string, number>}
- */
-const LOG_LEVELS = Object.freeze({
-  silent: 0,
-  error: 1,
-  warn: 2,
-  info: 3,
-  debug: 4,
-  trace: 5,
-});
-/**
- * ANSI color codes for console output formatting.
- * @constant {Object<string, string>}
- */
-const LOG_COLORS = Object.freeze({
-  error: '\x1b[31m',
-  warn: '\x1b[33m',
-  info: '\x1b[36m',
-  debug: '\x1b[90m',
-  trace: '\x1b[35m',
-  reset: '\x1b[0m',
-});
-/**
- * Logs debug messages with colored output and formatting.
- * @param {Object} debugOpts - Debug configuration options
- * @param {string} level - Log level (error, warn, info, debug, trace)
- * @param {string} context - Context identifier for the log message
- * @param {string} message - Main log message
- * @param {*} [data=null] - Optional data to include in the log
- */
-const log = (debugOpts, level, context, message, data = null) => {
-  if (!debugOpts?.enabled || LOG_LEVELS[debugOpts.level || 'silent'] < LOG_LEVELS[level]) return;
-  const color = LOG_COLORS[level] || '';
-  const reset = LOG_COLORS.reset;
-  const timestamp = new Date().toISOString();
-  let logMessage = `${color}[mongo-sanitize:${level.toUpperCase()}]${reset} ${timestamp} [${context}] ${message}`;
-  if (data !== null) {
-    if (typeof data === 'object') {
-      console.log(logMessage);
-      console.log(`${color}Data:${reset}`, JSON.stringify(data, null, 2));
-    } else {
-      console.log(logMessage, data);
-    }
-  } else {
-    console.log(logMessage);
-  }
-};
-/**
- * Checks if a value is a string.
- * @param {*} value - Value to check
- * @returns {boolean} True if value is a string
- */
-const isString = (value) => typeof value === 'string';
-/**
- * Validates if a string is a valid email address.
- * @param {*} val - Value to validate
- * @returns {boolean} True if value is a valid email
- */
-const isEmail = (val) =>
-  isString(val) &&
-  /^(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])$/i.test(
-    val
-  );
-/**
- * Checks if a value is a plain object (not array, date, etc.).
- * @param {*} obj - Value to check
- * @returns {boolean} True if value is a plain object
- */
-const isPlainObject = (obj) => !!obj && Object.prototype.toString.call(obj) === '[object Object]';
-/**
- * Checks if an object is empty (has no own properties).
- * @param {*} obj - Object to check
- * @returns {boolean} True if object is empty
- */
-const isObjectEmpty = (obj) => {
-  if (!isPlainObject(obj)) return false;
-  return !Object.keys(obj).length;
-};
-/**
- * Checks if a value is an array.
- * @param {*} value - Value to check
- * @returns {boolean} True if value is an array
- */
-const isArray = (value) => Array.isArray(value);
-/**
- * Checks if a value is a primitive type (null, boolean, number).
- * @param {*} value - Value to check
- * @returns {boolean} True if value is primitive
- */
-const isPrimitive = (value) => value == null || typeof value === 'boolean' || typeof value === 'number';
-/**
- * Checks if a value is a Date object.
- * @param {*} value - Value to check
- * @returns {boolean} True if value is a Date
- */
-const isDate = (value) => value instanceof Date;
-/**
- * Checks if a value is a function.
- * @param {*} value - Value to check
- * @returns {boolean} True if value is a function
- */
-const isFunction = (value) => typeof value === 'function';
-/**
- * Custom error class for express-mongo-sanitize specific errors.
- * @extends Error
- */
-class ExpressMongoSanitizeError extends Error {
-  cause;
-  message;
-  stack;
-  /**
-   * Creates a new ExpressMongoSanitizeError.
-   * @param {string} message - Error message
-   * @param {string} [type='generic'] - Error type identifier
-   */
-  constructor(message, type = 'generic') {
-    super(message);
-    this.name = 'ExpressMongoSanitizeError';
-    this.type = type;
-    Error.captureStackTrace(this, this.constructor);
-  }
-  code() {
-    return this.type;
-  }
-  view() {
-    return `${this.name} [${this.type}]: ${this.message}\n${this.stack}`;
-  }
-}
-/**
- * Sanitizes a string by removing or replacing dangerous patterns.
- * @param {string} str - String to sanitize
- * @param {Object} options - Sanitization options
- * @param {boolean} [isValue=false] - Whether this is a value (affects length limits)
- * @returns {string} Sanitized string
- */
-const sanitizeString = (str, options, isValue = false) => {
-  const { debug } = options;
-  if (!isString(str) || isEmail(str)) {
-    log(debug, 'trace', 'STRING', `Skipping: not a string or is email`, str);
-    return str;
-  }
-  const { replaceWith, patterns, stringOptions } = options;
-  const combinedPattern = new RegExp(patterns.map((pattern) => pattern.source).join('|'), 'g');
-  const original = str;
-  let result = str.replace(combinedPattern, replaceWith);
-  if (stringOptions.trim) result = result.trim();
-  if (stringOptions.lowercase) result = result.toLowerCase();
-  if (stringOptions.maxLength && isValue) result = result.slice(0, stringOptions.maxLength);
-  if (debug?.enabled && original !== result) {
-    log(debug, 'debug', 'STRING', `Sanitized string`, { original, result });
-  }
-  return result;
-};
-/**
- * Sanitizes an array by processing each element and applying array-specific options.
- * @param {Array} arr - Array to sanitize
- * @param {Object} options - Sanitization options
- * @returns {Array} Sanitized array
- * @throws {ExpressMongoSanitizeError} If input is not an array
- */
-const sanitizeArray = (arr, options) => {
-  const { debug } = options;
-  if (!isArray(arr)) {
-    log(debug, 'error', 'ARRAY', `Input is not array`, arr);
-    throw new ExpressMongoSanitizeError('Input must be an array', 'type_error');
-  }
-  log(debug, 'trace', 'ARRAY', `Sanitizing array of length ${arr.length}`);
-  let result = arr.map((item) => sanitizeValue(item, options, true));
-  if (options.arrayOptions.filterNull) {
-    const before = result.length;
-    result = result.filter(Boolean);
-    log(debug, 'debug', 'ARRAY', `Filtered nulls: ${before} → ${result.length}`);
-  }
-  if (options.arrayOptions.distinct) {
-    const before = result.length;
-    result = [...new Set(result)];
-    log(debug, 'debug', 'ARRAY', `Removed duplicates: ${before} → ${result.length}`);
-  }
-  return result;
-};
-/**
- * Sanitizes an object by processing keys and values according to configuration.
- * @param {Object} obj - Object to sanitize
- * @param {Object} options - Sanitization options
- * @returns {Object} Sanitized object
- * @throws {ExpressMongoSanitizeError} If input is not an object
- */
-const sanitizeObject = (obj, options) => {
-  const { debug, removeEmpty, allowedKeys, deniedKeys, removeMatches, patterns } = options;
-  if (!isPlainObject(obj)) {
-    log(debug, 'error', 'OBJECT', `Input is not object`, obj);
-    throw new ExpressMongoSanitizeError('Input must be an object', 'type_error');
-  }
-  log(debug, 'trace', 'OBJECT', `Sanitizing object with keys: ${Object.keys(obj)}`);
-  return Object.entries(obj).reduce((acc, [key, val]) => {
-    if ((allowedKeys.size && !allowedKeys.has(key)) || deniedKeys.has(key)) {
-      log(debug, 'debug', 'OBJECT', `Key '${key}' removed (allowed/denied filter)`);
-      return acc;
-    }
-    const sanitizedKey = sanitizeString(key, options);
-    if (removeMatches && patterns.some((pattern) => pattern.test(key))) {
-      log(debug, 'debug', 'OBJECT', `Key '${key}' matches removal pattern`);
-      return acc;
-    }
-    if (removeEmpty && !sanitizedKey) {
-      log(debug, 'debug', 'OBJECT', `Key '${key}' removed (empty after sanitize)`);
-      return acc;
-    }
-    if (isEmail(val) && deniedKeys.has(key)) {
-      acc[sanitizedKey] = val;
-      log(debug, 'trace', 'OBJECT', `Email field preserved: ${key}`);
-      return acc;
-    }
-    if (removeMatches && isString(val) && patterns.some((pattern) => pattern.test(val))) {
-      log(debug, 'debug', 'OBJECT', `Value for key '${key}' matches removal pattern`);
-      return acc;
-    }
-    const sanitizedValue = sanitizeValue(val, options, true);
-    if (!removeEmpty || sanitizedValue) acc[sanitizedKey] = sanitizedValue;
-    return acc;
-  }, {});
-};
-/**
- * Main sanitization function that routes values to appropriate sanitizers.
- * @param {*} value - Value to sanitize
- * @param {Object} options - Sanitization options
- * @param {boolean} [isValue=false] - Whether this is a value context
- * @returns {*} Sanitized value
- */
-const sanitizeValue = (value, options, isValue = false) => {
-  if (!value || isPrimitive(value) || isDate(value)) return value;
-  if (Array.isArray(value)) return sanitizeArray(value, options);
-  if (isPlainObject(value)) return sanitizeObject(value, options);
-  return isString(value) ? sanitizeString(value, options, isValue) : value;
-};
-/**
- * Validates the provided options object against expected schema.
- * @param {Object} options - Options to validate
- * @throws {ExpressMongoSanitizeError} If any option is invalid
- */
-const validateOptions = (options) => {
-  const validators = {
-    replaceWith: isString,
-    removeMatches: isPrimitive,
-    sanitizeObjects: isArray,
-    mode: (value) => ['auto', 'manual'].includes(value),
-    skipRoutes: isArray,
-    customSanitizer: (value) => value === null || isFunction(value),
-    recursive: isPrimitive,
-    removeEmpty: isPrimitive,
-    patterns: isArray,
-    allowedKeys: (value) => value === null || isArray(value),
-    deniedKeys: (value) => value === null || isArray(value),
-    stringOptions: isPlainObject,
-    arrayOptions: isPlainObject,
-  };
-  for (const [key, validate] of Object.entries(validators)) {
-    if (!validate(options[key])) {
-      throw new ExpressMongoSanitizeError(`Invalid configuration: "${key}" with value "${options[key]}"`, 'type_error');
-    }
-  }
-};
-/**
- * Checks if a property is writable on an object or its prototype chain.
- * @param {Object} obj - Object to check
- * @param {string} prop - Property name to check
- * @returns {boolean} True if property is writable
- */
-const isWritable = (obj, prop) => {
-  let cur = obj;
-  while (cur) {
-    const descriptor = Object.getOwnPropertyDescriptor(cur, prop);
-    if (descriptor) return !!descriptor.writable;
-    cur = Object.getPrototypeOf(cur);
-  }
-  return true;
-};
-/**
- * Handles sanitization of Express request objects.
- * @param {Object} request - Express request object
- * @param {Object} options - Sanitization options
- */
-const handleRequest = (request, options) => {
-  const { sanitizeObjects, customSanitizer, debug } = options;
-  log(debug, 'info', 'REQUEST', `Sanitizing request`, { url: request.originalUrl || request.url });
-  sanitizeObjects.forEach((sanitizeObject) => {
-    const requestObject = request[sanitizeObject];
-    if (requestObject && !isObjectEmpty(requestObject)) {
-      log(debug, 'debug', 'REQUEST', `Sanitizing '${sanitizeObject}'`, requestObject);
-      const originalRequest = Object.assign(Array.isArray(requestObject) ? [] : {}, requestObject);
-      const sanitized = customSanitizer
-        ? customSanitizer(originalRequest, options)
-        : sanitizeValue(originalRequest, options);
-      if (debug?.enabled && JSON.stringify(originalRequest) !== JSON.stringify(sanitized)) {
-        log(debug, 'debug', 'REQUEST', `'${sanitizeObject}' sanitized`, {
-          before: originalRequest,
-          after: sanitized,
-        });
-      }
-      if (isWritable(request, sanitizeObject)) {
-        request[sanitizeObject] = sanitized;
-      } else if (isPlainObject(request[sanitizeObject]) && sanitizeObject === 'query') {
-        Object.defineProperty(request, 'query', {
-          value: Object.setPrototypeOf(sanitized, null),
-          writable: true,
-          enumerable: true,
-          configurable: true,
-        });
-      }
-    }
-  });
-};
-/**
- * Cleans and normalizes a URL path for comparison.
- * @param {string} url - URL to clean
- * @returns {string|null} Cleaned URL path or null if invalid
- */
-const cleanUrl = (url) => {
-  if (typeof url !== 'string' || !url) return null;
-  const [path] = url.split(/[?#]/);
-  const trimmed = path.replace(/^\/+|\/+$/g, '');
-  return trimmed ? '/' + trimmed : '/';
-};
-/**
- * Main middleware factory function for Express MongoDB sanitization.
- * @param {Object} [options={}] - Configuration options
- * @returns {Function} Express middleware function
- * @throws {ExpressMongoSanitizeError} If options are invalid
- */
-const expressMongoSanitize = (options = {}) => {
-  if (!isPlainObject(options)) throw new ExpressMongoSanitizeError('Options must be an object', 'type_error');
-  const userOpts = { ...DEFAULT_OPTIONS, ...options };
-  validateOptions(userOpts);
-  const opts = {
-    ...userOpts,
-    skipRoutes: new Set(options.skipRoutes || DEFAULT_OPTIONS.skipRoutes),
-    allowedKeys: new Set(options.allowedKeys || DEFAULT_OPTIONS.allowedKeys),
-    deniedKeys: new Set(options.deniedKeys || DEFAULT_OPTIONS.deniedKeys),
-    debug: { ...DEFAULT_OPTIONS.debug, ...(options.debug || {}) },
-  };
-  return (req, res, next) => {
-    log(opts.debug, 'trace', 'MIDDLEWARE', `Incoming request`, { url: req.originalUrl || req.url, method: req.method });
-    const cleanedRequestPath = cleanUrl(req.path || req.url);
-    const shouldSkip = Array.from(opts.skipRoutes).some((skipPath) => cleanUrl(skipPath) === cleanedRequestPath);
-    if (shouldSkip) {
-      if (opts.debug?.logSkippedRoutes)
-        log(opts.debug, 'info', 'SKIP', `Skipped route: ${req.method} ${cleanedRequestPath}`);
-      return next();
-    }
-    if (opts.mode === 'auto') {
-      log(opts.debug, 'trace', 'MIDDLEWARE', `Auto mode: running sanitizer`);
-      handleRequest(req, opts);
-    }
-    if (opts.mode === 'manual') {
-      log(opts.debug, 'trace', 'MIDDLEWARE', `Manual mode: exposing req.sanitize`);
-      req.sanitize = (customOpts) => {
-        const finalOpts = { ...opts, ...customOpts };
-        handleRequest(req, finalOpts);
-      };
-    }
-    next();
-  };
-};
-/**
- * Creates a parameter sanitization handler for Express route parameters.
- * @param {Object} [options={}] - Configuration options
- * @returns {Function} Express parameter handler function
- */
-const paramSanitizeHandler = (options = {}) => {
-  const opts = {
-    ...DEFAULT_OPTIONS,
-    ...options,
-    debug: { ...DEFAULT_OPTIONS.debug, ...(options.debug || {}) },
-  };
-  return function (req, res, next, value, paramName) {
-    const key = paramName || this?.name;
-    if (key && req.params && isString(value)) {
-      const before = req.params[key];
-      req.params[key] = sanitizeString(value, opts, true);
-      log(opts.debug, 'debug', 'PARAM', `Sanitized param '${key}'`, { before, after: req.params[key] });
-    }
-    next();
-  };
-};
-module.exports = expressMongoSanitize;
-module.exports.default = expressMongoSanitize;
-module.exports.expressMongoSanitize = expressMongoSanitize;
-module.exports.paramSanitizeHandler = paramSanitizeHandler;
-exports.default = expressMongoSanitize;