@objectstack/runtime 3.0.9 → 3.0.10

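--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@objectstack/runtime",
- "version": "3.0.9",
+ "version": "3.0.10",
  "license": "Apache-2.0",
  "description": "ObjectStack Core Runtime & Query Engine",
  "type": "module",
@@ -15,10 +15,10 @@
  },
  "dependencies": {
  "zod": "^4.3.6",
- "@objectstack/rest": "3.0.9",
- "@objectstack/core": "3.0.9",
- "@objectstack/spec": "3.0.9",
- "@objectstack/types": "3.0.9"
+ "@objectstack/core": "3.0.10",
+ "@objectstack/rest": "3.0.10",
+ "@objectstack/spec": "3.0.10",
+ "@objectstack/types": "3.0.10"
  },
  "devDependencies": {
  "typescript": "^5.0.0",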
@@ -377,8 +377,14 @@ export class HttpDispatcher {
377
377
  // GET /data/:object/:id
378
378
  if (parts.length === 2 && m === 'GET') {
379
379
  const id = parts[1];
380
+ // Spec: Only select/expand are allowlisted query params for GET by ID.
381
+ // All other query parameters are discarded to prevent parameter pollution.
382
+ const { select, expand } = query || {};
383
+ const allowedParams: Record<string, unknown> = {};
384
+ if (select != null) allowedParams.select = select;
385
+ if (expand != null) allowedParams.expand = expand;
380
386
  // Spec: broker returns GetDataResponse = { object, id, record }
381
- const result = await broker.call('data.get', { object: objectName, id, ...query }, { request: context.request });
387
+ const result = await broker.call('data.get', { object: objectName, id, ...allowedParams }, { request: context.request });
382
388
  return { handled: true, response: this.success(result) };
383
389
  }
384
390
 
@@ -401,7 +407,7 @@ export class HttpDispatcher {
401
407
  // GET /data/:object (List)
402
408
  if (m === 'GET') {
403
409
  // Spec: broker returns FindDataResponse = { object, records, total?, hasMore? }
404
- const result = await broker.call('data.query', { object: objectName, filters: query }, { request: context.request });
410
+ const result = await broker.call('data.query', { object: objectName, query }, { request: context.request });
405
411
  return { handled: true, response: this.success(result) };
406
412
  }
407
413
 
@@ -941,8 +947,9 @@ export class HttpDispatcher {
941
947
  const { object, operation } = endpoint.objectParams;
942
948
  // Map standard CRUD operations
943
949
  if (operation === 'find') {
944
- const result = await broker.call('data.query', { object, filters: query }, { request: context.request });
945
- return { handled: true, response: this.success(result.data, { count: result.count }) };
950
+ const result = await broker.call('data.query', { object, query }, { request: context.request });
951
+ // Spec: FindDataResponse = { object, records, total?, hasMore? }
952
+ return { handled: true, response: this.success(result.records, { total: result.total }) };
946
953
  }
947
954
  if (operation === 'get' && query.id) {
948
955
  const result = await broker.call('data.get', { object, id: query.id }, { request: context.request });
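Review bot: In the `GET /data/:object/:id` branch (new lines 380–387) the allowlist filters query parameters by name only, so whatever value shape the parser produced for `select` and `expand` is still copied into the `data.get` call unchecked. The query parser is not visible in this diff, but if it turns repeated or bracketed keys into arrays or nested objects, those reach the broker as-is. I would narrow the values to the shape the spec accepts before copying them, for example `if (typeof select === 'string') allowedParams.select = select;` (and likewise for `expand`) if the spec takes a comma-separated string, or validate both with the `zod` dependency the package already declares. The two `data.query` calls in the later hunks forward the whole `query` object under a single key, so any validation of its contents is left to the `data.query` handler, which is not shown; a one-line comment saying so next to each call would make that trust boundary explicit. The enclosing methods of all three hunks start and end outside the visible lines.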