@flowerforce/flowerbase 1.8.4-beta.3 → 1.8.4-beta.5

package/src/services/mongodb-atlas/__tests__/utils.test.ts

@@ -1,4 +1,4 @@
-import { ensureClientPipelineStages, getHiddenFieldsFromRulesConfig, prependUnsetStage, applyAccessControlToPipeline } from '../utils'
+import { ensureClientPipelineStages, getHiddenFieldsFromRulesConfig, prependUnsetStage, applyAccessControlToPipeline, mergeProjections } from '../utils'
 import { Role } from '../../../utils/roles/interface'
 
 describe('MongoDB Atlas aggregate helpers', () => {
@@ -165,4 +165,89 @@ describe('MongoDB Atlas aggregate helpers', () => {
       })
     })
   })
+
+  describe('mergeProjections', () => {
+    it('returns undefined when both sides are empty', () => {
+      expect(mergeProjections(undefined, undefined)).toBeUndefined()
+      expect(mergeProjections({}, null)).toBeUndefined()
+    })
+
+    it('returns the client projection when rules have none', () => {
+      expect(mergeProjections({ a: 1, b: 1 }, null)).toEqual({ a: 1, b: 1 })
+    })
+
+    it('normalizes the rules projection when client has none', () => {
+      // Mixed inclusion/exclusion rules are normalized to pure inclusion mode.
+      expect(
+        mergeProjections(undefined, { item: 1, status: 1, instock: 0 })
+      ).toEqual({ item: 1, status: 1 })
+    })
+
+    it('merges plain inclusion projections (rules wins on conflict)', () => {
+      expect(
+        mergeProjections(
+          { item: 1, price: 1 },
+          { item: 1, status: 1 }
+        )
+      ).toEqual({ item: 1, status: 1, price: 1 })
+    })
+
+    it('supports dotted client keys alongside plain rules keys', () => {
+      expect(
+        mergeProjections(
+          { price: 1 },
+          { item: 1, status: 1, 'instock.qty': 1 }
+        )
+      ).toEqual({ item: 1, status: 1, 'instock.qty': 1, price: 1 })
+    })
+
+    it('drops client dotted keys when rules exclude the top-level field', () => {
+      // Rules: include item/status, exclude the whole `instock` subtree.
+      // Client tries to read `instock.qty` — it must be stripped.
+      expect(
+        mergeProjections(
+          { item: 1, status: 1, 'instock.qty': 1 },
+          { item: 1, status: 1, instock: 0 }
+        )
+      ).toEqual({ item: 1, status: 1 })
+    })
+
+    it('drops every client inclusion whose top-level is excluded by rules', () => {
+      expect(
+        mergeProjections(
+          {
+            item: 1,
+            'instock.qty': 1,
+            'instock.warehouse': 1,
+            price: 1
+          },
+          { item: 1, instock: 0 }
+        )
+      ).toEqual({ item: 1, price: 1 })
+    })
+
+    it('produces pure exclusion output when neither side has inclusions', () => {
+      expect(
+        mergeProjections({ secretA: 0 }, { secretB: 0 })
+      ).toEqual({ secretA: 0, secretB: 0 })
+    })
+
+    it('drops non-_id client exclusions when switching to inclusion mode', () => {
+      // Can't mix `{ price: 0, item: 1 }` in MongoDB — rules force inclusion
+      // mode so the client exclusion is silently dropped (price is implicitly
+      // excluded because it is not included).
+      expect(
+        mergeProjections({ price: 0 }, { item: 1 })
+      ).toEqual({ item: 1 })
+    })
+
+    it('keeps _id: 0 alongside inclusion mode', () => {
+      expect(
+        mergeProjections({ _id: 0 }, { item: 1 })
+      ).toEqual({ _id: 0, item: 1 })
+      expect(
+        mergeProjections({ item: 1 }, { _id: 0 })
+      ).toEqual({ _id: 0, item: 1 })
+    })
+  })
 })

package/src/services/mongodb-atlas/index.ts

@@ -35,6 +35,7 @@ import {
   getFormattedProjection,
   getFormattedQuery,
   getHiddenFieldsFromRulesConfig,
+  mergeProjections,
   normalizeQuery
 } from './utils'
 
@@ -491,6 +492,26 @@ const areUpdatedFieldsAllowed = (
   return updatedPaths.every((path) => isEqual(get(filtered, path), get(updated, path)))
 }
 
+const appendDistinctValue = (values: unknown[], candidate: unknown) => {
+  if (typeof candidate === 'undefined') return
+  if (!values.some((entry) => isEqual(entry, candidate))) {
+    values.push(candidate)
+  }
+}
+
+const collectDistinctValues = (documents: Document[], key: string) =>
+  documents.reduce<unknown[]>((values, document) => {
+    const currentValue = get(document, key)
+
+    if (Array.isArray(currentValue)) {
+      currentValue.forEach((entry) => appendDistinctValue(values, entry))
+      return values
+    }
+
+    appendDistinctValue(values, currentValue)
+    return values
+  }, [])
+
 const getOperators: GetOperatorsFunction = (
   mongo,
   { rules, dbName, collName, user, run_as_system, monitoringOrigin }
@@ -534,7 +555,48 @@ const getOperators: GetOperatorsFunction = (
     })
   }
 
-  return {
+  const validateReadableDocument = async (currentDoc: Document) => {
+    const winningRole = await getWinningRoleAsync(currentDoc, user, roles)
+
+    logDebug('find winningRole', {
+      collection: collName,
+      userId: getUserId(user),
+      winningRoleName: winningRole?.name ?? null,
+      rolesLength: roles.length
+    })
+
+    const { status, document } = winningRole
+      ? await checkValidation(
+        winningRole,
+        {
+          type: 'read',
+          roles,
+          cursor: currentDoc,
+          expansions: getValidationExpansions(currentDoc)
+        },
+        user
+      )
+      : fallbackAccess(currentDoc)
+
+    return status ? document : undefined
+  }
+
+  const getScopedQuery = (query: MongoFilter<Document> = {}) => {
+    const formattedQuery = getFormattedQuery(filters, query, user)
+    const currentQuery = formattedQuery.length ? { $and: formattedQuery } : {}
+    const safeQuery = Array.isArray(formattedQuery)
+      ? normalizeQuery(formattedQuery)
+      : formattedQuery
+
+    return {
+      formattedQuery,
+      currentQuery,
+      safeQuery,
+      builtQuery: buildAndQuery(safeQuery)
+    }
+  }
+
+  const operators: ReturnType<GetOperatorsFunction> = {
     /**
      * Finds a single document in a MongoDB collection with optional role-based filtering and validation.
      *
@@ -558,13 +620,6 @@ const getOperators: GetOperatorsFunction = (
           projectionOrOptions,
           options
         )
-        const resolvedOptions =
-          projection || normalizedOptions
-            ? {
-              ...(normalizedOptions ?? {}),
-              ...(projection ? { projection } : {})
-            }
-            : undefined
         const resolvedQuery = query ?? {}
         if (!run_as_system) {
           checkDenyOperation(
@@ -574,6 +629,17 @@ const getOperators: GetOperatorsFunction = (
           )
           // Apply access control filters to the query
           const formattedQuery = getFormattedQuery(filters, resolvedQuery, user)
+          // Rules-level projection has priority over client-provided projection.
+          // The merged projection is passed natively to MongoDB.
+          const rulesProjection = getFormattedProjection(filters, user)
+          const finalProjection = mergeProjections(projection, rulesProjection)
+          const resolvedOptions =
+            finalProjection || normalizedOptions
+              ? {
+                ...(normalizedOptions ?? {}),
+                ...(finalProjection ? { projection: finalProjection } : {})
+              }
+              : undefined
           logDebug('update formattedQuery', {
             collection: collName,
             query,
@@ -629,8 +695,15 @@ const getOperators: GetOperatorsFunction = (
           emitMongoEvent('findOne')
           return Promise.resolve(response)
         }
-        // System mode: no validation applied
-        const response = await collection.findOne(resolvedQuery, resolvedOptions)
+        // System mode: no validation applied, only client-provided projection/options.
+        const systemOptions =
+          projection || normalizedOptions
+            ? {
+              ...(normalizedOptions ?? {}),
+              ...(projection ? { projection } : {})
+            }
+            : undefined
+        const response = await collection.findOne(resolvedQuery, systemOptions)
         emitMongoEvent('findOne')
         return response
       } catch (error) {
@@ -1023,13 +1096,6 @@ const getOperators: GetOperatorsFunction = (
           projectionOrOptions,
           options
         )
-        const resolvedOptions =
-          projection || normalizedOptions
-            ? {
-              ...(normalizedOptions ?? {}),
-              ...(projection ? { projection } : {})
-            }
-            : undefined
         if (!run_as_system) {
           checkDenyOperation(
             normalizedRules,
@@ -1039,6 +1105,17 @@ const getOperators: GetOperatorsFunction = (
           // Pre-query filtering based on access control rules
           const formattedQuery = getFormattedQuery(filters, query, user)
           const currentQuery = formattedQuery.length ? { $and: formattedQuery } : {}
+          // Rules-level projection has priority over client-provided projection.
+          // The merged projection is passed natively to MongoDB.
+          const rulesProjection = getFormattedProjection(filters, user)
+          const finalProjection = mergeProjections(projection, rulesProjection)
+          const resolvedOptions =
+            finalProjection || normalizedOptions
+              ? {
+                ...(normalizedOptions ?? {}),
+                ...(finalProjection ? { projection: finalProjection } : {})
+              }
+              : undefined
           // aggiunto filter per evitare questo errore: $and argument's entries must be objects
           const cursor = collection.find(currentQuery, resolvedOptions)
           const originalToArray = cursor.toArray.bind(cursor)
@@ -1052,30 +1129,7 @@ const getOperators: GetOperatorsFunction = (
             const response = await originalToArray()
 
             const filteredResponse = await Promise.all(
-              response.map(async (currentDoc) => {
-                const winningRole = await getWinningRoleAsync(currentDoc, user, roles)
-
-                logDebug('find winningRole', {
-                  collection: collName,
-                  userId: getUserId(user),
-                  winningRoleName: winningRole?.name ?? null,
-                  rolesLength: roles.length
-                })
-                const { status, document } = winningRole
-                  ? await checkValidation(
-                    winningRole,
-                    {
-                      type: 'read',
-                      roles,
-                      cursor: currentDoc,
-                      expansions: getValidationExpansions(currentDoc)
-                    },
-                    user
-                  )
-                  : fallbackAccess(currentDoc)
-
-                return status ? document : undefined
-              })
+              response.map((currentDoc) => validateReadableDocument(currentDoc))
             )
 
             return filteredResponse.filter(Boolean) as WithId<Document>[]
@@ -1084,8 +1138,15 @@ const getOperators: GetOperatorsFunction = (
           emitMongoEvent('find')
           return cursor
         }
-        // System mode: return original unfiltered cursor
-        const cursor = collection.find(query, resolvedOptions)
+        // System mode: return original unfiltered cursor (only client projection/options).
+        const systemOptions =
+          projection || normalizedOptions
+            ? {
+              ...(normalizedOptions ?? {}),
+              ...(projection ? { projection } : {})
+            }
+            : undefined
+        const cursor = collection.find(query, systemOptions)
         emitMongoEvent('find')
         return cursor
       } catch (error) {
@@ -1141,6 +1202,45 @@ const getOperators: GetOperatorsFunction = (
         throw error
       }
     },
+    distinct: async (key, query = {}, options) => {
+      try {
+        if (!key) {
+          throw new Error('distinct key is required')
+        }
+
+        if (!run_as_system) {
+          checkDenyOperation(
+            normalizedRules,
+            collection.collectionName,
+            CRUD_OPERATIONS.READ
+          )
+
+          const { currentQuery } = getScopedQuery(query)
+          const projectedOptions = {
+            ...(options ?? {}),
+            projection: { _id: 1, [key]: 1 }
+          } as FindOptions
+          const documents = await collection.find(currentQuery, projectedOptions).toArray()
+          const readableDocuments = (
+            await Promise.all(documents.map((currentDoc) => validateReadableDocument(currentDoc)))
+          ).filter(Boolean) as Document[]
+          const result = collectDistinctValues(readableDocuments, key)
+
+          emitMongoEvent('distinct')
+          return result
+        }
+
+        const result =
+          typeof options === 'undefined'
+            ? await collection.distinct(key, query)
+            : await collection.distinct(key, query, options)
+        emitMongoEvent('distinct')
+        return result
+      } catch (error) {
+        emitMongoEvent('distinct', undefined, error)
+        throw error
+      }
+    },
     /**
      * Watches changes on a MongoDB collection with optional role-based filtering of change events.
      *
@@ -1327,7 +1427,7 @@ const getOperators: GetOperatorsFunction = (
           formattedQuery,
           pipeline
         })
-        const projection = getFormattedProjection(filters)
+        const projection = getFormattedProjection(filters, user)
         const hiddenFields = getHiddenFieldsFromRulesConfig(rulesConfig)
 
         const sanitizedPipeline = applyAccessControlToPipeline(
@@ -1427,6 +1527,24 @@ const getOperators: GetOperatorsFunction = (
         throw error
       }
     },
+    bulkWrite: async (operations, options) => {
+      try {
+        if (!run_as_system) {
+          throw new Error('bulkWrite is available only when run_as_system is enabled')
+        }
+
+        const result = await collection.bulkWrite(operations, options)
+        emitMongoEvent('bulkWrite', { operations: operations.length })
+        return result
+      } catch (error) {
+        emitMongoEvent(
+          'bulkWrite',
+          { operations: Array.isArray(operations) ? operations.length : 0 },
+          error
+        )
+        throw error
+      }
+    },
     updateMany: async (query, data, options) => {
       try {
         const normalizedData = normalizeUpdatePayload(data as Document)
@@ -1579,6 +1697,8 @@ const getOperators: GetOperatorsFunction = (
       }
     }
   }
+
+  return operators
 }
 
 const MongodbAtlas: MongodbAtlasFunction = (

package/src/services/mongodb-atlas/model.ts

@@ -93,6 +93,14 @@ export type GetOperatorsFunction = (
   aggregate: (
     ...params: [...Parameters<Method<'aggregate'>>, isClient: boolean]
   ) => ReturnType<Method<'aggregate'>>
+  distinct: (
+    key: Parameters<Method<'distinct'>>[0],
+    filter?: Parameters<Method<'distinct'>>[1],
+    options?: Parameters<Method<'distinct'>>[2]
+  ) => ReturnType<Method<'distinct'>>
+  bulkWrite: (
+    ...params: Parameters<Method<'bulkWrite'>>
+  ) => ReturnType<Method<'bulkWrite'>>
   insertMany: (
     ...params: Parameters<Method<'insertMany'>>
   ) => ReturnType<Method<'insertMany'>>

package/src/services/mongodb-atlas/utils.ts

@@ -76,20 +76,89 @@ export const getFormattedProjection = (
   filters: Filter[] = [],
   user?: User
 ): Projection | null => {
-  const projections = filters
-    .filter((filter) => {
-      if (filter.projection) {
-        const preFilter = getValidRule({ filters, user })
-        const isValidPreFilter = !!preFilter?.length
-        return isValidPreFilter
-      }
-      return false
-    })
-    .map((f) => f.projection)
+  const projections = getValidRule({ filters, user })
+    .filter((f) => !!f.projection)
+    .map((f) => f.projection as Projection)
   if (!projections.length) return null
   return Object.assign({}, ...projections)
 }
 
+/**
+ * Merges a client-provided projection with the one computed from rules filters.
+ *
+ * Rules have higher priority over the client:
+ * - If rules exclude a top-level field (e.g. `{ instock: 0 }`), every client
+ *   reference to that field — including dotted sub-paths such as
+ *   `"instock.qty": 1` — is dropped from the final projection.
+ * - If rules include a field (value `1`), it is always part of the final
+ *   projection and overrides any conflicting client value.
+ * - The returned projection is always a valid MongoDB projection (no mixing of
+ *   inclusion and exclusion on non-`_id` keys), so it can be passed as-is to
+ *   native MongoDB methods.
+ * - Returns `undefined` when neither side provided a meaningful projection.
+ */
+export const mergeProjections = (
+  clientProjection: Projection | Document | undefined,
+  rulesProjection: Projection | null | undefined
+): Projection | Document | undefined => {
+  const hasClient = !!clientProjection && Object.keys(clientProjection).length > 0
+  const hasRules = !!rulesProjection && Object.keys(rulesProjection).length > 0
+  if (!hasClient && !hasRules) return undefined
+
+  const client = (hasClient ? (clientProjection as Projection) : {}) as Projection
+  const rules = (hasRules ? (rulesProjection as Projection) : {}) as Projection
+
+  const getTopLevel = (key: string) => key.split('.')[0]
+
+  const rulesEntries = Object.entries(rules)
+  const rulesIncludeKeys = rulesEntries
+    .filter(([, value]) => value === 1)
+    .map(([key]) => key)
+  const rulesExcludeKeys = rulesEntries
+    .filter(([, value]) => value === 0)
+    .map(([key]) => key)
+
+  // Top-level fields excluded by rules (excluding `_id` which has special
+  // MongoDB semantics and is allowed alongside inclusion projections).
+  const excludedTopLevel = new Set(
+    rulesExcludeKeys.map(getTopLevel).filter((key) => key !== '_id')
+  )
+
+  const filteredClient: Record<string, 0 | 1> = {}
+  for (const [key, value] of Object.entries(client)) {
+    if (excludedTopLevel.has(getTopLevel(key))) continue
+    filteredClient[key] = value as 0 | 1
+  }
+
+  const hasInclusion =
+    rulesIncludeKeys.some((key) => key !== '_id') ||
+    Object.entries(filteredClient).some(([key, value]) => value === 1 && key !== '_id')
+
+  const merged: Record<string, 0 | 1> = {}
+
+  if (hasInclusion) {
+    // Inclusion mode: keep only client inclusions, then overlay rules inclusions.
+    // Client exclusions (other than `_id: 0`) are incompatible with inclusion
+    // mode and are dropped; not-included fields are implicitly excluded anyway.
+    for (const [key, value] of Object.entries(filteredClient)) {
+      if (value === 1 || key === '_id') merged[key] = value
+    }
+    for (const key of rulesIncludeKeys) merged[key] = 1
+    // Allow `_id: 0` to be forced by rules in inclusion mode.
+    for (const key of rulesExcludeKeys) {
+      if (key === '_id') merged[key] = 0
+    }
+  } else {
+    // Pure exclusion mode: combine all exclusions from both sides.
+    for (const [key, value] of Object.entries(filteredClient)) {
+      if (value === 0) merged[key] = 0
+    }
+    for (const key of rulesExcludeKeys) merged[key] = 0
+  }
+
+  return Object.keys(merged).length > 0 ? merged : undefined
+}
+
 export const applyAccessControlToPipeline = (
   pipeline: AggregationPipeline,
   rules: Record<
@@ -120,7 +189,7 @@ export const applyAccessControlToPipeline = (
       checkDenyOperation(rules as Rules, currentCollection, CRUD_OPERATIONS.READ)
       const lookupRules = rules[currentCollection] || {}
       const formattedQuery = getFormattedQuery(lookupRules.filters, {}, user)
-      const projection = getFormattedProjection(lookupRules.filters)
+      const projection = getFormattedProjection(lookupRules.filters, user)
 
       const nestedPipeline = applyAccessControlToPipeline(
         lookUpStage.pipeline || [],
@@ -155,7 +224,7 @@ export const applyAccessControlToPipeline = (
       checkDenyOperation(rules as Rules, currentCollection, CRUD_OPERATIONS.READ)
       const unionRules = rules[currentCollection] || {}
       const formattedQuery = getFormattedQuery(unionRules.filters, {}, user)
-      const projection = getFormattedProjection(unionRules.filters)
+      const projection = getFormattedProjection(unionRules.filters, user)
 
       if (isSimpleStage) {
         return stage

package/tsconfig.json

@@ -8,13 +8,8 @@
     "declarationMap": true,
     "noImplicitAny": true,
     "strict": true,
-    "moduleResolution": "node",
     "esModuleInterop": true,
     "skipLibCheck": true,
-    "baseUrl": ".",  
-    "paths": {
-      "*": ["../../node_modules/*"]
-    },
     "lib": ["ES2021", "DOM"]
   },
   "include": ["src/**/*"],

package/tsconfig.spec.json

@@ -3,5 +3,6 @@
   "compilerOptions": {
     "types": ["node", "jest"]
   },
-  "include": ["src/**/*.test.ts", "src/**/*.spec.ts"]
+  "include": ["src/**/*.test.ts", "src/**/*.spec.ts"],
+  "exclude": ["node_modules", "dist"]
 }