npm - @exortek/fastify-mongo-sanitize - Versions diffs - 1.2.0 → 2.0.0 - Mend

@exortek/fastify-mongo-sanitize 1.2.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -1,215 +1,98 @@
 # @exortek/fastify-mongo-sanitize
-A comprehensive Fastify plugin designed to protect your MongoDB queries from injection attacks by sanitizing request data.
-Flexible options for request bodies, parameters, and query strings.
-Supports JavaScript & TypeScript.
+<p align="center">
+  <img src="https://img.shields.io/npm/v/@exortek/fastify-mongo-sanitize?style=flat-square&color=000000" alt="npm version">
+  <img src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square" alt="license">
+</p>
+Fastify plugin for NoSQL injection prevention. Sanitizes request `body`, `params`, and `query` to protect MongoDB queries from operator injection attacks.
-## Compatibility
-| Plugin version | Fastify version |
-|----------------|:---------------:|
-| `^1.x`         |     `^4.x`      |
-| `^1.x`         |     `^5.x`      |
-## Key Features
-- Automatic sanitization of potentially dangerous MongoDB operators and special characters
-- Multiple operation modes (**auto**, **manual**)
-- **Recursive** or single-level sanitization control
-- Customizable sanitization patterns and replacement strategies
-- Configurable string and array handling options
-- Skip routes functionality with normalization
-- Allowed/denied key whitelisting/blacklisting
-- **Custom sanitizer** function support
-- Full TypeScript types & Fastify request augmentation
-- Detailed debug and logging options
-## Installation
+## 📦 Installation
 ```bash
 npm install @exortek/fastify-mongo-sanitize
 ```
-OR
 ```bash
-yarn add @exortek/fastify-mongo-sanitize
+yarn install @exortek/fastify-mongo-sanitize
 ```
-OR
 ```bash
-pnpm add @exortek/fastify-mongo-sanitize
+pnpm install @exortek/fastify-mongo-sanitize
 ```
-## Usage
+## ⚡ Quick Start
-Register the plugin with Fastify and specify the desired options.
+```js
+const fastify = require('fastify')();
+const mongoSanitize = require('@exortek/fastify-mongo-sanitize');
-```javascript
-const fastify = require('fastify')({ logger: true });
-const fastifyMongoSanitize = require('@exortek/fastify-mongo-sanitize');
+fastify.register(mongoSanitize);
-fastify.register(fastifyMongoSanitize);
-fastify.post('/api', async (req, reply) => {
-  // sanitized request.body, request.query, and request.params
-  return req.body;
+fastify.post('/login', async (request) => {
+  // request.body is sanitized — { "$ne": "" } becomes { "ne": "" }
+  return request.body;
 });
+```
-fastify.listen({ port: 3000 }, (err, address) => {
-  if (err) {
-    fastify.log.error(err);
-    process.exit(1);
+## ⚙️ Options
+```js
+fastify.register(mongoSanitize, {
+  replaceWith: '',           // Replace matched chars with this string
+  removeMatches: false,      // Remove entire key-value pair if pattern matches
+  sanitizeObjects: ['body', 'params', 'query'],  // Fields to sanitize
+  contentTypes: ['application/json', 'application/x-www-form-urlencoded'],
+  mode: 'auto',             // 'auto' | 'manual'
+  skipRoutes: [],            // Routes to skip (string or RegExp)
+  recursive: true,           // Sanitize nested objects
+  maxDepth: null,            // Max recursion depth (null = unlimited)
+  onSanitize: ({ key, originalValue, sanitizedValue }) => {
+    fastify.log.warn(`Sanitized ${key}`);
   }
-  fastify.log.info(`Server listening at ${address}`);
 });
 ```
-## TypeScript Usage
+> For the full list of options, see the [Core README](../core/README.md#configuration-options).
-```typescript
-import fastify from 'fastify';
-import mongoSanitize from '@exortek/fastify-mongo-sanitize';
+## 🛠 Features
-const app = fastify();
+### Manual Mode
-app.register(mongoSanitize, {
-  recursive: false,
-  debug: { enabled: true, level: 'debug' },
-});
+If you need fine-grained control over when sanitization occurs:
-app.post('/test', async (req, reply) => {
-  req.sanitize?.(); // TS'de otomatik olarak görünür!
-  return req.body;
-});
-```
+```js
+fastify.register(mongoSanitize, { mode: 'manual' });
-# Configuration Options
-The plugin accepts various configuration options to customize its behavior. Here's a detailed breakdown of all available
-options:
-## Core Options
-| Option            | Type           | Default                                            | Description                                                                                                                                                                                                                                                                               |
-|-------------------|----------------|----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `replaceWith`     | string         | `''`                                               | The string to replace the matched patterns with. Default is an empty string. If you want to replace the matched patterns with a different string, you can set this option.                                                                                                                |
-| 'removeMatches'   | boolean        | `false`                                            | Remove the matched patterns. Default is false. If you want to remove the matched patterns instead of replacing them, you can set this option to true.                                                                                                                                     |
-| `sanitizeObjects` | array          | `['body', 'params', 'query']`                      | The request properties to sanitize. Default is `['body', 'params', 'query']`. You can specify any request property that you want to sanitize. It must be an object.                                                                                                                       |
-| `mode`            | string         | `'auto'`                                           | The mode of operation. Default is 'auto'. You can set this option to 'auto', 'manual'. If you set it to 'auto', the plugin will automatically sanitize the request objects. If you set it to 'manual', you can sanitize the request objects manually using the request.sanitize() method. |
-| `skipRoutes`      | array          | `[]`                                               | An array of routes to skip. All entries and incoming request paths are normalized (leading/trailing slashes removed, query and fragment ignored). For example, adding `'/health'` will skip `/health`, `/health/`, and `/health?ping=1`.                                                  |                                                        |
-| `customSanitizer` | function\|null | `null`                                             | A custom sanitizer function. Default is null. If you want to use a custom sanitizer function, you can specify it here. The function must accept two arguments: the original data and the options object. It must return the sanitized data.                                               |
-| `recursive`       | boolean        | `true`                                             | Enable recursive sanitization. Default is true. If you want to recursively sanitize the nested objects, you can set this option to true.                                                                                                                                                  |
-| `removeEmpty`     | boolean        | `false`                                            | Remove empty values. Default is false. If you want to remove empty values after sanitization, you can set this option to true.                                                                                                                                                            |
-| `patterns`        | array          | `PATTERNS`                                         | An array of patterns to match. Default is an array of patterns that match illegal characters and sequences. You can specify your own patterns if you want to match different characters or sequences. Each pattern must be a regular expression.                                          |
-| `allowedKeys`     | array\|null    | `null`                                             | An array of allowed keys. Default is null. If you want to allow only certain keys in the object, you can specify the keys here. The keys must be strings. If a key is not in the allowedKeys array, it will be removed.                                                                   |
-| `deniedKeys`      | array\|null    | `null`                                             | An array of denied keys. Default is null. If you want to deny certain keys in the object, you can specify the keys here. The keys must be strings. If a key is in the deniedKeys array, it will be removed.                                                                               |
-| `stringOptions`   | object         | `{ trim: false,lowercase: false,maxLength: null }` | An object that controls string sanitization behavior. Default is an empty object. You can specify the following options: `trim`, `lowercase`, `maxLength`.                                                                                                                                |
-| `arrayOptions`    | object         | `{ filterNull: false, distinct: false}`            | An object that controls array sanitization behavior. Default is an empty object. You can specify the following options: `filterNull`, `distinct`.                                                                                                                                         |
-| `debug`           | object         | `{ enabled: false, level: 'info' }`                | Logging/debug options.                                                                                                                                                                                                                                                                    |
-> **Note on skipRoutes matching:**
-> All skipRoutes entries and request URLs are normalized before matching. This means:
-> - Trailing and leading slashes (`/path`, `/path/`, `///path//`) are treated as the same.
-> - Query strings and fragments are ignored (`/foo?bar=1`, `/foo#anchor` → `/foo`).
->
-> For example, if you set `skipRoutes: ['/api/users']`, then all of the following will be skipped:
-> - `/api/users`
-> - `/api/users/`
-> - `/api/users?role=admin`
-> - `/api/users#tab`
->
-> **Fastify's default behavior:**
-> Fastify treats `/foo` and `/foo/` as different routes. This plugin normalizes skipRoutes for skipping purposes only.
-> Make sure you have defined both routes in Fastify if you want both to respond.
-## String Options
-The `stringOptions` object controls string sanitization behavior:
-```javascript
-{
-  trim: false,      // Whether to trim whitespace from start/end
-  lowercase: false, // Whether to convert strings to lowercase
-  maxLength: null   // Maximum allowed string length (null for no limit)
-}
+fastify.post('/sensitive', async (request) => {
+  request.sanitize(); // Manually trigger sanitization
+  return request.body;
+});
 ```
-## Array Options
+### Content-Type Guard
-The `arrayOptions` object controls array sanitization behavior:
+By default, only `application/json` and `application/x-www-form-urlencoded` bodies are sanitized. You can customize this:
-```javascript
-{
-  filterNull: false, // Whether to remove null/undefined values
-  distinct: false    // Whether to remove duplicate values
-}
+```js
+fastify.register(mongoSanitize, { contentTypes: ['application/json', 'application/graphql'] });
 ```
-## Operation Modes
-### Mode: `auto`
-Sanitization is performed automatically on every request for the configured properties `(body, params, query)`.
+### TypeScript Support
-### Mode: `manual`
+Full TypeScript support is included out of the box, with request augmentation for the `sanitize` method:
-```javascript
-fastify.register(fastifyMongoSanitize, { mode: 'manual' });
+```typescript
+import fastify from 'fastify';
+import mongoSanitize from '@exortek/fastify-mongo-sanitize';
-fastify.post('/api', async (req, reply) => {
-  req.sanitize(); // Manual trigger!
-  // ...
-});
-```
+const app = fastify();
+app.register(mongoSanitize);
-## Recursive Option
-By default, `recursive` is `true`—all nested arrays and objects are sanitized.
-To only sanitize the first level (top-level keys/values), set:
-## Example Full Configuration
-```javascript
-fastify.register(require('@exortek/fastify-mongo-sanitize'), {
-  replaceWith: '_',
-  mode: 'manual',
-  skipRoutes: ['/health', '/metrics'],
-  recursive: true,
-  removeEmpty: true,
-  removeMatches: true, // Remove dangerous patterns completely
-  stringOptions: {
-    trim: true,
-    maxLength: 100,
-  },
-  arrayOptions: {
-    filterNull: true,
-    distinct: true,
-  },
-  debug: {
-    enabled: true,
-    level: 'debug',
-    logPatternMatches: true,
-    logSanitizedValues: true,
-    logSkippedRoutes: true,
-  }
+app.post('/test', async (request) => {
+  request.sanitize?.();
+  return request.body;
 });
 ```
-## Notes
-- All options are optional and will use their default values if not specified
-- Custom patterns must be valid RegExp objects
-- When using `allowedKeys` or `deniedKeys`, make sure to include all necessary keys for your application
-- The `customSanitizer` function should be thoroughly tested before use in production
-- String length limiting (`maxLength`) only applies to string values, not keys
-- Array options are applied after all other sanitization steps
-> removeEmpty: Removes all falsy values ('', 0, false, null, undefined).
-> Adjust this behavior if you need to preserve values like 0 or false.
-## License
-**[MIT](https://github.com/ExorTek/fastify-mongo-sanitize/blob/master/LICENSE)**<br>
+## 📜 License
-Copyright © 2025 ExorTek
+[MIT](../../LICENSE) — Created by **ExorTek**

package/package.json CHANGED Viewed

@@ -1,59 +1,67 @@
 {
   "name": "@exortek/fastify-mongo-sanitize",
-  "version": "1.2.0",
-  "description": "MongoDB query sanitizer for Fastify",
-  "main": "index.js",
+  "version": "2.0.0",
+  "description": "Fastify plugin for NoSQL injection prevention — sanitizes request data",
+  "main": "src/index.js",
   "type": "commonjs",
   "types": "types/index.d.ts",
+  "exports": {
+    ".": {
+      "require": "./src/index.js",
+      "types": "./types/index.d.ts"
+    }
+  },
   "scripts": {
-    "format": "prettier --write \"**/*.{js,ts,json}\"",
-    "test:tsd": "tsd",
-    "test:node": "node --test"
+    "test": "node --test test/*.test.js",
+    "prepublishOnly": "npm test"
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/ExorTek/fastify-mongo-sanitize.git"
+    "url": "git+https://github.com/ExorTek/nosql-sanitize.git",
+    "directory": "packages/fastify"
+  },
+  "homepage": "https://github.com/ExorTek/nosql-sanitize/tree/main/packages/fastify#readme",
+  "bugs": {
+    "url": "https://github.com/ExorTek/nosql-sanitize/issues"
   },
   "keywords": [
     "fastify",
     "mongodb",
     "sanitize",
-    "mongoose",
-    "fastify-plugin",
-    "data-validation",
-    "input-sanitization",
+    "nosql",
     "security",
-    "web-application",
-    "nodejs",
-    "typescript",
-    "middleware",
-    "api-security",
-    "query-sanitization",
-    "no-sql",
-    "fastify-middleware",
-    "mongodb-sanitizer"
+    "plugin",
+    "injection",
+    "backend"
   ],
   "author": "ExorTek - https://github.com/ExorTek",
   "license": "MIT",
-  "bugs": {
-    "url": "https://github.com/ExorTek/fastify-mongo-sanitize/issues"
+  "engines": {
+    "node": ">=18.0.0"
   },
-  "homepage": "https://github.com/ExorTek/fastify-mongo-sanitize#readme",
   "publishConfig": {
     "access": "public"
   },
-  "packageManager": "yarn@4.9.2",
-  "devDependencies": {
-    "fastify": "npm:fastify@5.3.3",
-    "fastify4": "npm:fastify@4.29.1",
-    "prettier": "^3.5.3",
-    "tsd": "^0.32.0"
-  },
   "dependencies": {
-    "fastify-plugin": "^5.0.1"
+    "@exortek/nosql-sanitize-core": "^2.0.0",
+    "fastify-plugin": "^5.1.0"
+  },
+  "peerDependencies": {
+    "fastify": ">=4.0.0"
+  },
+  "peerDependenciesMeta": {
+    "fastify": {
+      "optional": false
+    }
+  },
+  "devDependencies": {
+    "fastify": "npm:fastify@5.7.4",
+    "fastify4": "npm:fastify@4.29.1"
   },
   "files": [
-    "index.js",
-    "types/index.d.ts"
+    "src/",
+    "types/",
+    "README.md",
+    "LICENSE"
   ]
 }

package/src/index.js ADDED Viewed

@@ -0,0 +1,43 @@
+'use strict';
+const fp = require('fastify-plugin');
+const { resolveOptions, handleRequest, shouldSkipRoute, log } = require('@exortek/nosql-sanitize-core');
+const fastifyMongoSanitize = (fastify, options, done) => {
+  const opts = resolveOptions({
+    sanitizeObjects: ['body', 'params', 'query'],
+    ...options,
+  });
+  log(opts.debug, 'info', 'PLUGIN', 'Initializing nosql-sanitize plugin', {
+    mode: opts.mode,
+    sanitizeObjects: [...opts.sanitizeObjects] || opts.sanitizeObjects,
+  });
+  if (opts.mode === 'manual') {
+    fastify.decorateRequest('sanitize', function (customOpts = {}) {
+      const finalOpts = Object.keys(customOpts).length ? resolveOptions({ ...options, ...customOpts }) : opts;
+      handleRequest(this, finalOpts);
+    });
+  }
+  if (opts.mode === 'auto') {
+    fastify.addHook('preHandler', (request, reply, done) => {
+      if (shouldSkipRoute(request.url, opts.skipRoutes, opts.debug)) {
+        return done();
+      }
+      handleRequest(request, opts);
+      done();
+    });
+  }
+  log(opts.debug, 'info', 'PLUGIN', 'Plugin initialized');
+  done();
+};
+module.exports = fp(fastifyMongoSanitize, {
+  name: 'fastify-mongo-sanitize',
+  fastify: '>=4.x.x',
+});
+module.exports.default = fastifyMongoSanitize;
+module.exports.fastifyMongoSanitize = fastifyMongoSanitize;

package/types/index.d.ts CHANGED Viewed

@@ -1,51 +1,54 @@
-import type { FastifyPluginCallback } from 'fastify';
-export interface FastifyMongoSanitizeOptions {
-  replaceWith?: string;
-  removeMatches?: boolean;
-  removeKeyMatches?: boolean;
-  removeValueMatches?: boolean;
-  sanitizeObjects?: string[];
-  mode?: 'auto' | 'manual';
-  skipRoutes?: string[];
-  customSanitizer?: (original: any, options: FastifyMongoSanitizeOptions) => any;
-  recursive?: boolean;
-  removeEmpty?: boolean;
-  patterns?: RegExp[];
-  allowedKeys?: string[] | null;
-  deniedKeys?: string[] | null;
-  stringOptions?: {
-    trim?: boolean;
-    lowercase?: boolean;
-    maxLength?: number | null;
-  };
-  arrayOptions?: {
-    filterNull?: boolean;
-    distinct?: boolean;
-  };
-  debug?: {
-    enabled?: boolean;
-    level?: 'silent' | 'error' | 'warn' | 'info' | 'debug' | 'trace';
-    logPatternMatches?: boolean;
-    logSanitizedValues?: boolean;
-    logSkippedRoutes?: boolean;
-  };
-}
+/// <reference types="node" />
-declare class FastifyMongoSanitizeError extends Error {
-  constructor(message: string, type?: string);
-  name: string;
-  type: string;
-}
+import { FastifyPluginCallback, FastifyRequest } from 'fastify';
+import { SanitizeOptions, ResolvedOptions, SanitizeEvent } from '@exortek/nosql-sanitize-core';
-import 'fastify';
 declare module 'fastify' {
   interface FastifyRequest {
-    sanitize?(options?: FastifyMongoSanitizeOptions): void;
+    /**
+     * Available when `mode: 'manual'`.
+     * Call to sanitize `request.body`, `request.params`, and/or `request.query`.
+     * Optionally pass overrides for this specific call.
+     */
+    sanitize?: (options?: fastifyMongoSanitize.SanitizeOptions) => void;
+  }
+}
+type FastifyMongoSanitize = FastifyPluginCallback<fastifyMongoSanitize.FastifyMongoSanitizeOptions>;
+declare namespace fastifyMongoSanitize {
+  export { SanitizeOptions, ResolvedOptions, SanitizeEvent };
+  /**
+   * Fastify-specific options (extends SanitizeOptions).
+   * Default `sanitizeObjects`: `['body', 'params', 'query']`
+   * (includes `params`, unlike Express).
+   */
+  export interface FastifyMongoSanitizeOptions extends SanitizeOptions {
+    /**
+     * Request fields to sanitize.
+     * @default ['body', 'params', 'query']
+     */
+    sanitizeObjects?: string[];
   }
+  /**
+   * Fastify plugin for NoSQL injection prevention.
+   * Wrapped with `fastify-plugin` — no encapsulation.
+   *
+   * Uses `preHandler` hook in auto mode.
+   *
+   * @example
+   * ```js
+   * const mongoSanitize = require('@exortek/fastify-mongo-sanitize');
+   * fastify.register(mongoSanitize);
+   * fastify.register(mongoSanitize, { mode: 'manual', maxDepth: 5 });
+   * ```
+   */
+  export const fastifyMongoSanitize: FastifyMongoSanitize;
+  export { fastifyMongoSanitize as default };
 }
-declare const fastifyMongoSanitize: FastifyPluginCallback<FastifyMongoSanitizeOptions>;
+declare function fastifyMongoSanitize(...params: Parameters<FastifyMongoSanitize>): ReturnType<FastifyMongoSanitize>;
-export default fastifyMongoSanitize;
-export { FastifyMongoSanitizeError, fastifyMongoSanitize };
+export = fastifyMongoSanitize;

package/LICENSE DELETED Viewed

@@ -1,21 +0,0 @@
-MIT License
-Copyright (c) 2024 Memet
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

package/index.js DELETED Viewed

@@ -1,310 +0,0 @@
-'use strict';
-const fp = require('fastify-plugin');
-const {
-  isString,
-  isArray,
-  isPlainObject,
-  isPrimitive,
-  isDate,
-  isEmail,
-  cleanUrl,
-  startTiming,
-  log,
-  validateOptions,
-} = require('./helpers');
-const FastifyMongoSanitizeError = require('./FastifyMongoSanitizeError');
-const { DEFAULT_OPTIONS } = require('./constants');
-/**
- * Sanitizes a string value according to provided options
- * @param {string} str - String to sanitize
- * @param {Object} options - Sanitization options
- * @param {boolean} isValue - Whether string is a value or key
- * @returns {string} Sanitized string
- */
-const sanitizeString = (str, options, isValue = false) => {
-  if (!isString(str) || isEmail(str)) {
-    log(options.debug, 'trace', 'STRING', `Skipping sanitization (not string or is email): ${typeof str}`);
-    return str;
-  }
-  const { replaceWith, patterns, stringOptions, debug } = options;
-  const originalStr = str;
-  let matchedPatterns = [];
-  let result = patterns.reduce((acc, pattern, index) => {
-    const matches = acc.match(pattern);
-    if (matches) {
-      matchedPatterns.push({ patternIndex: index, matches: matches.length });
-      log(debug, 'debug', 'STRING', `Pattern ${index} matched ${matches.length} times in string`);
-    }
-    return acc.replace(pattern, replaceWith);
-  }, str);
-  if (stringOptions.trim) result = result.trim();
-  if (stringOptions.lowercase) result = result.toLowerCase();
-  if (stringOptions.maxLength && isValue) result = result.slice(0, stringOptions.maxLength);
-  if (debug.logSanitizedValues && originalStr !== result) {
-    log(debug, 'debug', 'STRING', 'String sanitized', {
-      original: originalStr,
-      sanitized: result,
-      matchedPatterns,
-    });
-  }
-  if (debug.logPatternMatches && matchedPatterns.length > 0) {
-    log(debug, 'info', 'PATTERN', `Patterns matched in string`, matchedPatterns);
-  }
-  return result;
-};
-/**
- * Sanitizes an array according to provided options
- * @param {Array} arr - Array to sanitize
- * @param {Object} options - Sanitization options
- * @returns {Array} Sanitized array
- * @throws {FastifyMongoSanitizeError} If input is not an array
- */
-const sanitizeArray = (arr, options) => {
-  if (!isArray(arr)) {
-    const error = new FastifyMongoSanitizeError('Input must be an array', 'type_error');
-    log(options.debug, 'error', 'ARRAY', `Sanitization failed: ${error.message}`);
-    throw error;
-  }
-  const { arrayOptions, debug } = options;
-  const originalLength = arr.length;
-  log(debug, 'trace', 'ARRAY', `Sanitizing array with ${originalLength} items`);
-  let result = arr.map((item, index) => {
-    log(debug, 'trace', 'ARRAY', `Sanitizing item ${index}`);
-    return !options.recursive && (isPlainObject(item) || isArray(item)) ? item : sanitizeValue(item, options);
-  });
-  if (arrayOptions.filterNull) {
-    const beforeFilter = result.length;
-    result = result.filter(Boolean);
-    const filtered = beforeFilter - result.length;
-    if (filtered > 0) {
-      log(debug, 'debug', 'ARRAY', `Filtered ${filtered} null/falsy values`);
-    }
-  }
-  if (arrayOptions.distinct) {
-    const beforeDistinct = result.length;
-    result = [...new Set(result)];
-    const duplicates = beforeDistinct - result.length;
-    if (duplicates > 0) {
-      log(debug, 'debug', 'ARRAY', `Removed ${duplicates} duplicate values`);
-    }
-  }
-  log(debug, 'trace', 'ARRAY', `Array sanitization completed: ${originalLength} -> ${result.length} items`);
-  return result;
-};
-/**
- * Sanitizes an object according to provided options
- * @param {Object} obj - Object to sanitize
- * @param {Object} options - Sanitization options
- * @returns {Object} Sanitized object
- * @throws {FastifyMongoSanitizeError} If input is not an object
- */
-const sanitizeObject = (obj, options) => {
-  if (!isPlainObject(obj)) {
-    const error = new FastifyMongoSanitizeError('Input must be an object', 'type_error');
-    log(options.debug, 'error', 'OBJECT', `Sanitization failed: ${error.message}`);
-    throw error;
-  }
-  const { removeEmpty, allowedKeys, deniedKeys, removeMatches, patterns, debug } = options;
-  const originalKeys = Object.keys(obj);
-  log(debug, 'trace', 'OBJECT', `Sanitizing object with ${originalKeys.length} keys`);
-  const result = Object.entries(obj).reduce((acc, [key, value]) => {
-    if (allowedKeys && allowedKeys.length && !allowedKeys.includes(key)) {
-      log(debug, 'debug', 'OBJECT', `Key '${key}' not in allowedKeys, removing`);
-      return acc;
-    }
-    if (deniedKeys && deniedKeys.length && deniedKeys.includes(key)) {
-      log(debug, 'debug', 'OBJECT', `Key '${key}' in deniedKeys, removing`);
-      return acc;
-    }
-    const sanitizedKey = sanitizeString(key, options, false);
-    if (isString(value) && isEmail(value)) {
-      log(debug, 'trace', 'OBJECT', `Preserving email value for key '${key}'`);
-      acc[sanitizedKey] = value;
-      return acc;
-    }
-    if (
-      removeMatches &&
-      patterns.some((pattern) => {
-        const matches = pattern.test(key);
-        if (matches) {
-          log(debug, 'debug', 'OBJECT', `Key '${key}' matches removal pattern`);
-        }
-        return matches;
-      })
-    ) {
-      return acc;
-    }
-    if (removeEmpty && !sanitizedKey) {
-      log(debug, 'debug', 'OBJECT', `Empty key removed after sanitization`);
-      return acc;
-    }
-    if (
-      removeMatches &&
-      isString(value) &&
-      patterns.some((pattern) => {
-        const matches = pattern.test(value);
-        if (matches) {
-          log(debug, 'debug', 'OBJECT', `Value for key '${key}' matches removal pattern`);
-        }
-        return matches;
-      })
-    ) {
-      return acc;
-    }
-    const sanitizedValue =
-      !options.recursive && (isPlainObject(value) || isArray(value)) ? value : sanitizeValue(value, options, true);
-    if (removeEmpty && !sanitizedValue) {
-      log(debug, 'debug', 'OBJECT', `Empty value removed for key '${key}'`);
-      return acc;
-    }
-    acc[sanitizedKey] = sanitizedValue;
-    return acc;
-  }, {});
-  const finalKeys = Object.keys(result);
-  log(debug, 'trace', 'OBJECT', `Object sanitization completed: ${originalKeys.length} -> ${finalKeys.length} keys`);
-  return result;
-};
-/**
- * Sanitizes a value according to its type and provided options
- * @param {*} value - Value to sanitize
- * @param {Object} options - Sanitization options
- * @param {boolean} [isValue=false] - Whether value is a value or key
- * @returns {*} Sanitized value
- */
-const sanitizeValue = (value, options, isValue) => {
-  if (value == null || isPrimitive(value) || isDate(value)) return value;
-  if (isString(value)) return sanitizeString(value, options, isValue);
-  if (isArray(value)) return sanitizeArray(value, options);
-  if (isPlainObject(value)) return sanitizeObject(value, options);
-  return value;
-};
-/**
- * Handles request sanitization
- * @param {Object} request - Fastify request object
- * @param {Object} options - Sanitization options
- */
-const handleRequest = (request, options) => {
-  const { sanitizeObjects, customSanitizer, debug } = options;
-  const endTiming = startTiming(debug, 'Request Sanitization');
-  log(debug, 'info', 'REQUEST', `Sanitizing request: ${request.method} ${request.url}`);
-  for (const sanitizeObject of sanitizeObjects) {
-    if (request[sanitizeObject]) {
-      log(debug, 'debug', 'REQUEST', `Sanitizing ${sanitizeObject}`, request[sanitizeObject]);
-      const originalRequest = Object.assign({}, request[sanitizeObject]);
-      if (customSanitizer) {
-        log(debug, 'debug', 'REQUEST', `Using custom sanitizer for ${sanitizeObject}`);
-        request[sanitizeObject] = customSanitizer(originalRequest);
-      } else {
-        request[sanitizeObject] = sanitizeValue(originalRequest, options);
-      }
-      if (debug.logSanitizedValues) {
-        log(debug, 'debug', 'REQUEST', `${sanitizeObject} sanitized`, {
-          before: originalRequest,
-          after: request[sanitizeObject],
-        });
-      }
-    }
-  }
-  endTiming();
-  log(debug, 'info', 'REQUEST', `Request sanitization completed`);
-};
-/**
- * Fastify plugin for MongoDB query sanitization
- * @param {Object} fastify - Fastify instance
- * @param {Object} options - Plugin options
- * @param {Function} done - Callback to signal completion
- */
-const fastifyMongoSanitize = (fastify, options, done) => {
-  const opt = { ...DEFAULT_OPTIONS, ...options };
-  log(opt.debug, 'info', 'PLUGIN', 'Initializing fastify-mongo-sanitize plugin', {
-    mode: opt.mode,
-    sanitizeObjects: opt.sanitizeObjects,
-    skipRoutes: opt.skipRoutes,
-    debugLevel: opt.debug.level,
-  });
-  validateOptions(opt);
-  const skipRoutes = new Set((opt.skipRoutes || []).map(cleanUrl));
-  log(opt.debug, 'debug', 'PLUGIN', `Skip routes configured: ${skipRoutes.size} routes`);
-  if (opt.mode === 'manual') {
-    log(opt.debug, 'info', 'PLUGIN', 'Manual mode enabled - decorating request with sanitize method');
-    fastify.decorateRequest('sanitize', function (options = {}) {
-      const mergedOptions = { ...opt, ...options };
-      log(mergedOptions.debug, 'info', 'MANUAL', 'Manual sanitization triggered');
-      handleRequest(this, mergedOptions);
-    });
-  }
-  if (opt.mode === 'auto') {
-    log(opt.debug, 'info', 'PLUGIN', 'Auto mode enabled - adding preHandler hook');
-    fastify.addHook('preHandler', (request, reply, done) => {
-      if (skipRoutes.size) {
-        const url = cleanUrl(request.url);
-        if (skipRoutes.has(url)) {
-          if (opt.debug.logSkippedRoutes) {
-            log(opt.debug, 'info', 'SKIP', `Route skipped: ${request.method} ${request.url}`);
-          }
-          return done();
-        }
-      }
-      handleRequest(request, opt);
-      done();
-    });
-  }
-  log(opt.debug, 'info', 'PLUGIN', 'Plugin initialization completed');
-  done();
-};
-module.exports = fp(fastifyMongoSanitize, {
-  name: 'fastify-mongo-sanitize',
-  fastify: '>=4.x.x',
-});
-module.exports.default = fastifyMongoSanitize;
-module.exports.fastifyMongoSanitize = fastifyMongoSanitize;