@lenne.tech/nest-server 11.4.2 → 11.4.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.4.2",
+  "version": "11.4.4",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",

package/src/core/common/helpers/input.helper.ts

@@ -197,9 +197,9 @@ export function assignPlain(target: Record<any, any>, ...args: Record<any, any>[
     target,
     ...args.map(
       // Prepare records
-      item =>
+      (item) =>
         // Return item if not an object or cloned record with undefined properties removed
-        !item ? item : filterProperties(clone(item, { circles: false }), prop => prop !== undefined),
+        !item ? item : filterProperties(clone(item, { circles: false }), (prop) => prop !== undefined),
     ),
   );
 }
@@ -249,20 +249,20 @@ export async function check(
     // Check access
     if (
       // check if any user, including users who are not logged in, can access
-      roles.includes(RoleEnum.S_EVERYONE)
+      roles.includes(RoleEnum.S_EVERYONE) ||
       // check if user is logged in
-      || (roles.includes(RoleEnum.S_USER) && user?.id)
+      (roles.includes(RoleEnum.S_USER) && user?.id) ||
       // check if the user has at least one of the required roles
-      || user?.hasRole?.(roles)
+      user?.hasRole?.(roles) ||
       // check if the user is herself / himself
-      || (roles.includes(RoleEnum.S_SELF) && equalIds(config.dbObject, user))
+      (roles.includes(RoleEnum.S_SELF) && equalIds(config.dbObject, user)) ||
       // check if the user is the creator
-      || (roles.includes(RoleEnum.S_CREATOR)
-        && ((config.dbObject && 'createdBy' in config.dbObject && equalIds(config.dbObject.createdBy, user))
-          || (config.allowCreatorOfParent
-            && config.dbObject
-            && !('createdBy' in config.dbObject)
-            && config.isCreatorOfParent)))
+      (roles.includes(RoleEnum.S_CREATOR) &&
+        ((config.dbObject && 'createdBy' in config.dbObject && equalIds(config.dbObject.createdBy, user)) ||
+          (config.allowCreatorOfParent &&
+            config.dbObject &&
+            !('createdBy' in config.dbObject) &&
+            config.isCreatorOfParent)))
     ) {
       valid = true;
     }
@@ -299,7 +299,7 @@ export async function check(
       if ((metatype as any)?.map) {
         value = (metatype as any)?.map(value);
       } else {
-        value = plainToInstance(metatype, value);
+        value = plainToInstanceClean(metatype, value);
       }
     }
   }
@@ -435,7 +435,7 @@ export function filterProperties<T = Record<string, any>>(
   filterFunction: (value?: any, key?: string, obj?: T) => boolean,
 ): Partial<T> {
   return Object.keys(obj)
-    .filter(key => filterFunction(obj[key], key, obj))
+    .filter((key) => filterFunction(obj[key], key, obj))
     .reduce((res, key) => Object.assign(res, { [key]: obj[key] }), {});
 }
 
@@ -546,12 +546,12 @@ export function isFalse(parameter: any, falseFunction: (...params) => any = erro
  * Check if parameter is a valid file
  */
 export function isFile(parameter: any, falseFunction: (...params) => any = errorFunction): boolean {
-  return parameter !== null
-    && typeof parameter !== 'undefined'
-    && parameter.name
-    && parameter.path
-    && parameter.type
-    && parameter.size > 0
+  return parameter !== null &&
+    typeof parameter !== 'undefined' &&
+    parameter.name &&
+    parameter.path &&
+    parameter.type &&
+    parameter.size > 0
     ? true
     : falseFunction(isFile);
 }
@@ -589,10 +589,10 @@ export function isLower(
  * Check if parameter is a non empty array
  */
 export function isNonEmptyArray(parameter: any, falseFunction: (...params) => any = errorFunction): boolean {
-  return parameter !== null
-    && typeof parameter !== 'undefined'
-    && parameter.constructor === Array
-    && parameter.length > 0
+  return parameter !== null &&
+    typeof parameter !== 'undefined' &&
+    parameter.constructor === Array &&
+    parameter.length > 0
     ? true
     : falseFunction(isNonEmptyArray);
 }
@@ -601,10 +601,10 @@ export function isNonEmptyArray(parameter: any, falseFunction: (...params) => an
  * Check if parameter is a non empty object
  */
 export function isNonEmptyObject(parameter: any, falseFunction: (...params) => any = errorFunction): boolean {
-  return parameter !== null
-    && typeof parameter !== 'undefined'
-    && parameter.constructor === Object
-    && Object.keys(parameter).length !== 0
+  return parameter !== null &&
+    typeof parameter !== 'undefined' &&
+    parameter.constructor === Object &&
+    Object.keys(parameter).length !== 0
     ? true
     : falseFunction(isNonEmptyObject);
 }
@@ -696,13 +696,51 @@ export function mergePlain(target: Record<any, any>, ...args: Record<any, any>[]
     target,
     ...args.map(
       // Prepare records
-      item =>
+      (item) =>
         // Return item if not an object or cloned record with undefined properties removed
-        !item ? item : filterProperties(clone(item, { circles: false }), prop => prop !== undefined),
+        !item ? item : filterProperties(clone(item, { circles: false }), (prop) => prop !== undefined),
     ),
   );
 }
 
+/**
+ * Transforms a plain object to an instance of the specified class and removes properties
+ * that did not exist in the source and have undefined as class default value.
+ *
+ * This function handles the special case where:
+ * - Property does not exist in source AND class default is undefined → property is deleted
+ * - Property exists in source (even with undefined value) → property is kept
+ * - Property has non-undefined class default → property is kept
+ *
+ * @param cls The class to instantiate
+ * @param plain The plain object to transform
+ * @returns Instance of cls with cleaned properties
+ */
+export function plainToInstanceClean<T>(cls: new (...args: any[]) => T, plain: any): T {
+  if (!plain || typeof plain !== 'object' || Array.isArray(plain)) {
+    return plain;
+  }
+
+  // Transform to instance
+  const instance = plainToInstance(cls, plain);
+
+  // Get class defaults to check which properties have undefined as initial value
+  const classDefaults = new cls();
+
+  // Remove properties that did not exist in source and have undefined as class default
+  for (const key in instance) {
+    if (
+      Object.prototype.hasOwnProperty.call(instance, key) &&
+      !Object.prototype.hasOwnProperty.call(plain, key) &&
+      classDefaults[key] === undefined
+    ) {
+      delete instance[key];
+    }
+  }
+
+  return instance;
+}
+
 /**
  * Helper to avoid very slow merge of serviceOptions
  */
@@ -759,21 +797,21 @@ export function processDeep(
 
   // Process array
   if (Array.isArray(data)) {
-    return func(data.map(item => processDeep(item, func, { processedObjects, specialClasses })));
+    return func(data.map((item) => processDeep(item, func, { processedObjects, specialClasses })));
   }
 
   // Process object
   if (typeof data === 'object') {
     if (
-      specialFunctions.find(sF => typeof data[sF] === 'function')
-      || specialProperties.find(sP => Object.getOwnPropertyNames(data).includes(sP))
+      specialFunctions.find((sF) => typeof data[sF] === 'function') ||
+      specialProperties.find((sP) => Object.getOwnPropertyNames(data).includes(sP))
     ) {
       return func(data);
     }
     for (const specialClass of specialClasses) {
       if (
-        (typeof specialClass === 'string' && specialClass === data.constructor?.name)
-        || (typeof specialClass !== 'string' && data instanceof specialClass)
+        (typeof specialClass === 'string' && specialClass === data.constructor?.name) ||
+        (typeof specialClass !== 'string' && data instanceof specialClass)
       ) {
         return func(data);
       }
@@ -818,7 +856,7 @@ export function removePropertiesDeep(
 
   // Process array
   if (Array.isArray(data)) {
-    return data.map(item => removePropertiesDeep(item, properties, { processedObjects }));
+    return data.map((item) => removePropertiesDeep(item, properties, { processedObjects }));
   }
 
   // Process object

package/src/core/common/helpers/model.helper.ts

@@ -1,7 +1,6 @@
-import { plainToInstance } from 'class-transformer';
 import { Types } from 'mongoose';
 
-import { clone } from './input.helper';
+import { clone, plainToInstanceClean } from './input.helper';
 
 /**
  * Helper class for models
@@ -142,7 +141,7 @@ export function mapClasses<T = Record<string, any>>(
             if (targetClass.map) {
               arr.push(targetClass.map(item));
             } else {
-              arr.push(plainToInstance(targetClass, item));
+              arr.push(plainToInstanceClean(targetClass, item));
             }
           } else {
             arr.push(item);
@@ -162,7 +161,7 @@ export function mapClasses<T = Record<string, any>>(
           if (targetClass.map) {
             target[prop] = targetClass.map(value);
           } else {
-            target[prop] = plainToInstance(targetClass, value) as any;
+            target[prop] = plainToInstanceClean(targetClass, value) as any;
           }
         }
 
@@ -229,7 +228,7 @@ export async function mapClassesAsync<T = Record<string, any>>(
             if (targetClass.map) {
               arr.push(await targetClass.map(item));
             } else {
-              arr.push(plainToInstance(targetClass, item));
+              arr.push(plainToInstanceClean(targetClass, item));
             }
           } else {
             arr.push(item);
@@ -249,7 +248,7 @@ export async function mapClassesAsync<T = Record<string, any>>(
           if (targetClass.map) {
             target[prop] = await targetClass.map(value);
           } else {
-            target[prop] = plainToInstance(targetClass, value) as any;
+            target[prop] = plainToInstanceClean(targetClass, value) as any;
           }
         }
 
@@ -351,12 +350,12 @@ export function prepareMap<T = Record<string, any>>(
   // Update properties
   for (const key of Object.keys(target)) {
     if (
-      (!['_id', 'id'].includes(key) || config.mapId)
-      && source[key] !== undefined
-      && (config.funcAllowed || typeof (source[key] !== 'function'))
+      (!['_id', 'id'].includes(key) || config.mapId) &&
+      source[key] !== undefined &&
+      (config.funcAllowed || typeof (source[key] !== 'function'))
     ) {
-      result[key]
-        = source[key] !== 'function' && config.cloneDeep
+      result[key] =
+        source[key] !== 'function' && config.cloneDeep
           ? clone(source[key], { circles: config.circles, proto: config.proto })
           : source[key];
     } else if (key === 'id' && !config.mapId) {

package/src/core/common/helpers/service.helper.ts

@@ -1,6 +1,5 @@
 import { UnauthorizedException } from '@nestjs/common';
 import bcrypt = require('bcrypt');
-import { plainToInstance } from 'class-transformer';
 import { sha256 } from 'js-sha256';
 import _ = require('lodash');
 import { Types } from 'mongoose';
@@ -12,7 +11,7 @@ import { ResolveSelector } from '../interfaces/resolve-selector.interface';
 import { ServiceOptions } from '../interfaces/service-options.interface';
 import { ConfigService } from '../services/config.service';
 import { getStringIds } from './db.helper';
-import { clone, processDeep } from './input.helper';
+import { clone, plainToInstanceClean, processDeep } from './input.helper';
 
 /**
  * Helper class for services
@@ -137,7 +136,7 @@ export async function prepareInput<T = any>(
     if ((config.targetModel as any)?.map) {
       input = await (config.targetModel as any).map(input);
     } else {
-      input = plainToInstance(config.targetModel, input);
+      input = plainToInstanceClean(config.targetModel, input);
     }
   }
 
@@ -238,7 +237,7 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
     if ((config.targetModel as any)?.map) {
       output = await (config.targetModel as any).map(output);
     } else {
-      output = plainToInstance(config.targetModel, output);
+      output = plainToInstanceClean(config.targetModel, output);
     }
   }
 

package/src/core/common/pipes/map-and-validate.pipe.ts

@@ -1,8 +1,8 @@
 import { ArgumentMetadata, BadRequestException, Injectable, PipeTransform } from '@nestjs/common';
-import { plainToInstance } from 'class-transformer';
 import { validate, ValidationError } from 'class-validator';
+import { inspect } from 'util';
 
-import { isBasicType } from '../helpers/input.helper';
+import { isBasicType, plainToInstanceClean } from '../helpers/input.helper';
 
 // Debug mode can be enabled via environment variable: DEBUG_VALIDATION=true
 const DEBUG_VALIDATION = process.env.DEBUG_VALIDATION === 'true';
@@ -20,7 +20,7 @@ export class MapAndValidatePipe implements PipeTransform {
         type: metadata.type,
       });
       console.debug('Input value type:', typeof value);
-      console.debug('Input value:', JSON.stringify(value, null, 2));
+      console.debug('Input value:', inspect(value, { colors: true, depth: 3 }));
     }
 
     if (!value || typeof value !== 'object' || !metatype || isBasicType(metatype)) {
@@ -40,11 +40,11 @@ export class MapAndValidatePipe implements PipeTransform {
         value = (metatype as any)?.map(value);
       } else {
         if (DEBUG_VALIDATION) {
-          console.debug('Using plainToInstance to transform to:', metatype.name);
+          console.debug('Using plainToInstanceClean to transform to:', metatype.name);
         }
-        value = plainToInstance(metatype, value);
+        value = plainToInstanceClean(metatype, value);
         if (DEBUG_VALIDATION) {
-          console.debug('Transformed value:', JSON.stringify(value, null, 2));
+          console.debug('Transformed value:', inspect(value, { colors: true, depth: 3 }));
           console.debug('Transformed value instance of:', value?.constructor?.name);
         }
       }
@@ -80,6 +80,7 @@ export class MapAndValidatePipe implements PipeTransform {
       }
 
       const result = {};
+      const errorSummary: string[] = [];
 
       const processErrors = (errorList: ValidationError[], parentKey = '') => {
         errorList.forEach((e) => {
@@ -89,6 +90,11 @@ export class MapAndValidatePipe implements PipeTransform {
             processErrors(e.children, key);
           } else {
             result[key] = e.constraints;
+            // Build error summary without exposing values
+            if (e.constraints) {
+              const constraintTypes = Object.keys(e.constraints).join(', ');
+              errorSummary.push(`${key} (${constraintTypes})`);
+            }
           }
         });
       };
@@ -97,12 +103,30 @@ export class MapAndValidatePipe implements PipeTransform {
 
       if (DEBUG_VALIDATION) {
         console.debug('\nProcessed validation result:');
-        console.debug(JSON.stringify(result, null, 2));
+        console.debug(inspect(result, { colors: true, depth: 5 }));
         console.debug('Result is empty:', Object.keys(result).length === 0);
+        console.debug('Error summary:', errorSummary);
         console.debug('=== End Debug ===\n');
       }
 
-      throw new BadRequestException(result);
+      // Create meaningful error message without exposing sensitive values
+      let errorMessage = 'Validation failed';
+      if (errorSummary.length > 0) {
+        const fieldCount = errorSummary.length;
+        const fieldWord = fieldCount === 1 ? 'field' : 'fields';
+        errorMessage = `Validation failed for ${fieldCount} ${fieldWord}: ${errorSummary.join('; ')}`;
+      } else if (errors.length > 0) {
+        // Handle case where there are validation errors but no constraints (nested errors only)
+        const topLevelProperties = errors.map((e) => e.property).join(', ');
+        errorMessage = `Validation failed for properties: ${topLevelProperties} (nested validation errors)`;
+      }
+
+      // Throw with message and validation errors (backward compatible structure)
+      // Add message property to result object for better error messages
+      throw new BadRequestException({
+        message: errorMessage,
+        ...result,
+      });
     }
 
     if (DEBUG_VALIDATION) {