@rvoh/psychic 1.6.4 → 1.7.0

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.7.0
+
+- `sanitizeResponseJson` config to automatically escape `<`, `>`, `&`, `/`, `\`, `'`, and `"` unicode representations when rendering json to satisfy security reviews (e.g., a pentest report recently called this out on one of our applications). For all practical purposes, this doesn't protect against anything (now that we have the `nosniff` header) since `JSON.parse` on the other end restores the original, dangerous string. Modern front end web frameworks already handle safely displaying arbitrary content, so further sanitization generally isn't needed. This version does provide the `sanitizeString` function that could be used to sanitize individual strings, replacing the above characters with string representations of the unicode characters that will survive Psychic converting to json and then parsing that json (i.e.: `<` will end up as the string "\u003c")
+
+- Fix openapi serializer fallback issue introduced in 1.6.3, where we mistakenly double render data that has already been serialized.
+
 ## 1.6.4
 
 Raise an exception if attempting to import an openapi file during PsychicApp.init when in production. We will still swallow the exception in non-prod environments so that one can create a new openapi configuration and run sync without getting an error.

package/dist/cjs/src/controller/helpers/renderDreamOrViewModel.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = renderDreamOrVewModel;
+const dream_1 = require("@rvoh/dream");
+function renderDreamOrVewModel(data, serializerKey, 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+passthrough, renderOpts) {
+    const serializer = (0, dream_1.inferSerializerFromDreamOrViewModel)(data, serializerKey);
+    if (serializer && (0, dream_1.isDreamSerializer)(serializer)) {
+        // passthrough data going into the serializer is the argument that gets
+        // used in the custom attribute callback function
+        return serializer(data, passthrough).render(
+        // passthrough data must be passed both into the serializer and render
+        // because, if the serializer does accept passthrough data, then passing it in is how
+        // it gets into the serializer, but if it does not accept passthrough data, and therefore
+        // does not pass it into the call to DreamSerializer/ObjectSerializer,
+        // then it would be lost to serializers rendered via rendersOne/Many, and SerializerRenderer
+        // handles passing its passthrough data into those
+        passthrough, renderOpts);
+    }
+    throw new Error(`${serializer?.constructor?.name} is not a Dream serializer`);
+}

package/dist/cjs/src/controller/index.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.controllerSerializerIndex = exports.ControllerSerializerIndex = exports.PsychicParamsPrimitiveLiterals = void 0;
+exports.PsychicParamsPrimitiveLiterals = void 0;
 const dream_1 = require("@rvoh/dream");
 const ParamValidationError_js_1 = __importDefault(require("../error/controller/ParamValidationError.js"));
 const BadGateway_js_1 = __importDefault(require("../error/http/BadGateway.js"));
@@ -37,10 +37,13 @@ const Unauthorized_js_1 = __importDefault(require("../error/http/Unauthorized.js
 const UnavailableForLegalReasons_js_1 = __importDefault(require("../error/http/UnavailableForLegalReasons.js"));
 const UnprocessableContent_js_1 = __importDefault(require("../error/http/UnprocessableContent.js"));
 const UnsupportedMediaType_js_1 = __importDefault(require("../error/http/UnsupportedMediaType.js"));
+const toJson_js_1 = __importDefault(require("../helpers/toJson.js"));
 const OpenapiPayloadValidator_js_1 = __importDefault(require("../openapi-renderer/helpers/OpenapiPayloadValidator.js"));
+const index_js_1 = __importDefault(require("../psychic-app/index.js"));
 const params_js_1 = __importDefault(require("../server/params.js"));
-const index_js_1 = __importDefault(require("../session/index.js"));
+const index_js_2 = __importDefault(require("../session/index.js"));
 const isPaginatedResult_js_1 = __importDefault(require("./helpers/isPaginatedResult.js"));
+const renderDreamOrViewModel_js_1 = __importDefault(require("./helpers/renderDreamOrViewModel.js"));
 exports.PsychicParamsPrimitiveLiterals = [
     'bigint',
     'bigint[]',
@@ -108,26 +111,6 @@ class PsychicController {
      */
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     static openapi;
-    /**
-     * Enables you to specify specific serializers to use
-     * when encountering specific models, i.e.
-     *
-     * ```ts
-     * class MyController extends AuthedController {
-     *   static {
-     *     this.serializes(User).with(UserCustomSerializer)
-     *   }
-     * }
-     * ````
-     */
-    static serializes(ModelClass) {
-        return {
-            with: (SerializerClass) => {
-                exports.controllerSerializerIndex.add(this, SerializerClass, ModelClass);
-                return this;
-            },
-        };
-    }
     /**
      * @internal
      *
@@ -192,14 +175,12 @@ class PsychicController {
     req;
     res;
     session;
-    config;
     action;
     renderOpts;
-    constructor(req, res, { config, action, }) {
+    constructor(req, res, { action, }) {
         this.req = req;
         this.res = res;
-        this.config = config;
-        this.session = new index_js_1.default(req, res);
+        this.session = new index_js_2.default(req, res);
         this.action = action;
         // TODO: read casing from Dream app config
         this.renderOpts = {
@@ -357,13 +338,13 @@ class PsychicController {
         return this.session.setCookie(name, data, opts);
     }
     startSession(user) {
-        return this.setCookie(this.config.sessionCookieName, JSON.stringify({
+        return this.setCookie(index_js_1.default.getOrFail().sessionCookieName, JSON.stringify({
             id: user.primaryKeyValue().toString(),
             modelKey: user.constructor.globalName,
         }));
     }
     endSession() {
-        return this.session.clearCookie(this.config.sessionCookieName);
+        return this.session.clearCookie(index_js_1.default.getOrFail().sessionCookieName);
     }
     singleObjectJson(data, opts) {
         if (!data)
@@ -373,8 +354,6 @@ class PsychicController {
         if (data instanceof dream_1.DreamSerializerBuilder || data instanceof dream_1.ObjectSerializerBuilder) {
             return data.render(this.defaultSerializerPassthrough, this.renderOpts);
         }
-        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-member-access
-        const lookup = exports.controllerSerializerIndex.lookupModel(this.constructor, data.constructor);
         const openapiDef = this.constructor?.openapi?.[this.action];
         // passthrough data must be passed both into the serializer and render
         // because, if the serializer does accept passthrough data, then passing it in is how
@@ -383,48 +362,38 @@ class PsychicController {
         // then it would be lost to serializers rendered via rendersOne/Many, and SerializerRenderer
         // handles passing its passthrough data into those
         const passthrough = this.defaultSerializerPassthrough;
-        if (lookup?.length) {
-            const serializer = lookup?.[1];
-            if ((0, dream_1.isDreamSerializer)(serializer)) {
-                // passthrough data going into the serializer is the argument that gets
-                // used in the custom attribute callback function
+        if (data instanceof dream_1.Dream || data.serializers) {
+            if (!opts.serializerKey && (0, dream_1.isDreamSerializer)(openapiDef?.dreamsOrSerializers)) {
+                const serializer = openapiDef.dreamsOrSerializers;
                 return serializer(data, passthrough).render(passthrough, this.renderOpts);
             }
-        }
-        else if ((0, dream_1.isDreamSerializer)(openapiDef?.dreamsOrSerializers)) {
-            const serializer = openapiDef.dreamsOrSerializers;
-            return serializer(data, passthrough).render(passthrough, this.renderOpts);
-        }
-        else if (data instanceof dream_1.Dream || data.serializers) {
-            const serializer = (0, dream_1.inferSerializerFromDreamOrViewModel)(data, opts.serializerKey ||
+            return (0, renderDreamOrViewModel_js_1.default)(data, opts.serializerKey ||
                 psychicControllerClass['controllerActionMetadata'][this.action]?.['serializerKey'] ||
-                'default');
-            if (serializer && (0, dream_1.isDreamSerializer)(serializer)) {
-                // passthrough data going into the serializer is the argument that gets
-                // used in the custom attribute callback function
-                return serializer(data, passthrough).render(
-                // passthrough data must be passed both into the serializer and render
-                // because, if the serializer does accept passthrough data, then passing it in is how
-                // it gets into the serializer, but if it does not accept passthrough data, and therefore
-                // does not pass it into the call to DreamSerializer/ObjectSerializer,
-                // then it would be lost to serializers rendered via rendersOne/Many, and SerializerRenderer
-                // handles passing its passthrough data into those
-                passthrough, this.renderOpts);
-            }
+                'default', passthrough, this.renderOpts);
+        }
+        else {
+            return data;
         }
-        return data;
     }
     json(data, opts = {}) {
-        if (Array.isArray(data))
-            return this.validateAndRenderJsonResponse(data.map(d => 
+        return this.validateAndRenderJsonResponse(this._json(data, opts));
+    }
+    _json(data, opts = {}) {
+        if (Array.isArray(data)) {
             // eslint-disable-next-line @typescript-eslint/no-unsafe-return
-            this.singleObjectJson(d, opts)));
-        if ((0, isPaginatedResult_js_1.default)(data))
-            return this.validateAndRenderJsonResponse({
+            return data.map(d => this.singleObjectJson(d, opts));
+            //
+        }
+        else if ((0, isPaginatedResult_js_1.default)(data)) {
+            return {
                 ...data,
                 results: data.results.map(result => this.singleObjectJson(result, opts)),
-            });
-        return this.validateAndRenderJsonResponse(this.singleObjectJson(data, opts));
+            };
+            //
+        }
+        else {
+            return this.singleObjectJson(data, opts);
+        }
     }
     /**
      * Runs the data through openapi response validation, and then renders
@@ -436,7 +405,7 @@ class PsychicController {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     data) {
         this.validateOpenapiResponseBody(data);
-        this.res.json(data);
+        this.res.type('json').send((0, toJson_js_1.default)(data, index_js_1.default.getOrFail().sanitizeResponseJson));
     }
     defaultSerializerPassthrough = {};
     serializerPassthrough(passthrough) {
@@ -795,14 +764,3 @@ class PsychicController {
     }
 }
 exports.default = PsychicController;
-class ControllerSerializerIndex {
-    associations = [];
-    add(ControllerClass, SerializerClass, ModelClass) {
-        this.associations.push([ControllerClass, SerializerClass, ModelClass]);
-    }
-    lookupModel(ControllerClass, ModelClass) {
-        return this.associations.find(association => association[0] === ControllerClass && association[2] === ModelClass);
-    }
-}
-exports.ControllerSerializerIndex = ControllerSerializerIndex;
-exports.controllerSerializerIndex = new ControllerSerializerIndex();

package/dist/cjs/src/helpers/sanitizeString.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = sanitizeString;
+const CHARACTERS_TO_SANITIZE_REGEXP = /[\\&<>/'"]/g;
+function sanitizeString(str) {
+    if (str === null || str === undefined)
+        return str;
+    return str.replace(CHARACTERS_TO_SANITIZE_REGEXP, function (char) {
+        switch (char) {
+            case '\\':
+                return '\\u005c';
+            case '/':
+                return '\\u002f';
+            case '<':
+                return '\\u003c';
+            case '>':
+                return '\\u003e';
+            case '&':
+                return '\\u0026';
+            case "'":
+                return '\\u0027';
+            case '"':
+                return '\\u0022';
+            default:
+                return char;
+        }
+    });
+}

package/dist/cjs/src/helpers/toJson.js

@@ -0,0 +1,21 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = toJson;
+const sanitizeString_js_1 = __importDefault(require("./sanitizeString.js"));
+function toJson(data, sanitize) {
+    /**
+     * 'undefined' is invalid json, and `JSON.stringify(undefined)` returns `undefined`
+     * so follow the pattern established by Express and return '{}' for `undefined`
+     */
+    if (data === undefined)
+        return '{}';
+    if (sanitize) {
+        return JSON.stringify(data, (_, x) => (typeof x !== 'string' ? x : (0, sanitizeString_js_1.default)(x))).replace(/\\\\/g, '\\');
+    }
+    else {
+        return JSON.stringify(data);
+    }
+}

package/dist/cjs/src/index.js

@@ -3,8 +3,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Params = exports.PsychicServer = exports.getPsychicHttpInstance = exports.PsychicRouter = exports.PsychicApp = exports.PsychicImporter = exports.MissingControllerActionPairingInRoutes = exports.pathifyNestedObject = exports.cookieMaxAgeFromCookieOpts = exports.generateResource = exports.generateController = exports.HttpStatusUnsupportedMediaType = exports.HttpStatusUnprocessableContent = exports.HttpStatusUnavailableForLegalReasons = exports.HttpStatusUnauthorized = exports.HttpStatusTooManyRequests = exports.HttpStatusServiceUnavailable = exports.HttpStatusRequestHeaderFieldsTooLarge = exports.HttpStatusProxyAuthenticationRequired = exports.HttpStatusPreconditionRequired = exports.HttpStatusPreconditionFailed = exports.HttpStatusPaymentRequired = exports.HttpStatusNotImplemented = exports.HttpStatusNotFound = exports.HttpStatusNotExtended = exports.HttpStatusNotAcceptable = exports.HttpStatusMisdirectedRequest = exports.HttpStatusMethodNotAllowed = exports.HttpStatusLocked = exports.HttpStatusInternalServerError = exports.HttpStatusInsufficientStorage = exports.HttpStatusImATeapot = exports.HttpStatusGone = exports.HttpStatusGatewayTimeout = exports.HttpStatusForbidden = exports.HttpStatusFailedDependency = exports.HttpStatusExpectationFailed = exports.HttpStatusContentTooLarge = exports.HttpStatusConflict = exports.HttpStatusBadRequest = exports.HttpStatusBadGateway = exports.I18nProvider = exports.envLoader = exports.PsychicDevtools = exports.PsychicController = exports.OpenAPI = exports.BeforeAction = exports.PsychicCLI = exports.PsychicBin = exports.pluralize = void 0;
-exports.PsychicSession = exports.ParamValidationErrors = exports.ParamValidationError = void 0;
+exports.PsychicRouter = exports.PsychicApp = exports.PsychicImporter = exports.MissingControllerActionPairingInRoutes = exports.ParamValidationErrors = exports.ParamValidationError = exports.sanitizeString = exports.pathifyNestedObject = exports.cookieMaxAgeFromCookieOpts = exports.generateResource = exports.generateController = exports.HttpStatusUnsupportedMediaType = exports.HttpStatusUnprocessableContent = exports.HttpStatusUnavailableForLegalReasons = exports.HttpStatusUnauthorized = exports.HttpStatusTooManyRequests = exports.HttpStatusServiceUnavailable = exports.HttpStatusRequestHeaderFieldsTooLarge = exports.HttpStatusProxyAuthenticationRequired = exports.HttpStatusPreconditionRequired = exports.HttpStatusPreconditionFailed = exports.HttpStatusPaymentRequired = exports.HttpStatusNotImplemented = exports.HttpStatusNotFound = exports.HttpStatusNotExtended = exports.HttpStatusNotAcceptable = exports.HttpStatusMisdirectedRequest = exports.HttpStatusMethodNotAllowed = exports.HttpStatusLocked = exports.HttpStatusInternalServerError = exports.HttpStatusInsufficientStorage = exports.HttpStatusImATeapot = exports.HttpStatusGone = exports.HttpStatusGatewayTimeout = exports.HttpStatusForbidden = exports.HttpStatusFailedDependency = exports.HttpStatusExpectationFailed = exports.HttpStatusContentTooLarge = exports.HttpStatusConflict = exports.HttpStatusBadRequest = exports.HttpStatusBadGateway = exports.I18nProvider = exports.envLoader = exports.PsychicDevtools = exports.PsychicController = exports.OpenAPI = exports.BeforeAction = exports.PsychicCLI = exports.PsychicBin = exports.pluralize = void 0;
+exports.PsychicSession = exports.Params = exports.PsychicServer = exports.getPsychicHttpInstance = void 0;
 const pluralize_esm_1 = __importDefault(require("pluralize-esm"));
 exports.pluralize = pluralize_esm_1.default;
 var index_js_1 = require("./bin/index.js");
@@ -90,6 +90,12 @@ var cookieMaxAgeFromCookieOpts_js_1 = require("./helpers/cookieMaxAgeFromCookieO
 Object.defineProperty(exports, "cookieMaxAgeFromCookieOpts", { enumerable: true, get: function () { return __importDefault(cookieMaxAgeFromCookieOpts_js_1).default; } });
 var pathifyNestedObject_js_1 = require("./helpers/pathifyNestedObject.js");
 Object.defineProperty(exports, "pathifyNestedObject", { enumerable: true, get: function () { return __importDefault(pathifyNestedObject_js_1).default; } });
+var sanitizeString_js_1 = require("./helpers/sanitizeString.js");
+Object.defineProperty(exports, "sanitizeString", { enumerable: true, get: function () { return __importDefault(sanitizeString_js_1).default; } });
+var ParamValidationError_js_1 = require("./error/controller/ParamValidationError.js");
+Object.defineProperty(exports, "ParamValidationError", { enumerable: true, get: function () { return __importDefault(ParamValidationError_js_1).default; } });
+var ParamValidationErrors_js_1 = require("./error/controller/ParamValidationErrors.js");
+Object.defineProperty(exports, "ParamValidationErrors", { enumerable: true, get: function () { return __importDefault(ParamValidationErrors_js_1).default; } });
 var endpoint_js_1 = require("./openapi-renderer/endpoint.js");
 Object.defineProperty(exports, "MissingControllerActionPairingInRoutes", { enumerable: true, get: function () { return endpoint_js_1.MissingControllerActionPairingInRoutes; } });
 var PsychicImporter_js_1 = require("./psychic-app/helpers/PsychicImporter.js");
@@ -104,9 +110,5 @@ var index_js_6 = require("./server/index.js");
 Object.defineProperty(exports, "PsychicServer", { enumerable: true, get: function () { return __importDefault(index_js_6).default; } });
 var params_js_1 = require("./server/params.js");
 Object.defineProperty(exports, "Params", { enumerable: true, get: function () { return __importDefault(params_js_1).default; } });
-var ParamValidationError_js_1 = require("./error/controller/ParamValidationError.js");
-Object.defineProperty(exports, "ParamValidationError", { enumerable: true, get: function () { return __importDefault(ParamValidationError_js_1).default; } });
-var ParamValidationErrors_js_1 = require("./error/controller/ParamValidationErrors.js");
-Object.defineProperty(exports, "ParamValidationErrors", { enumerable: true, get: function () { return __importDefault(ParamValidationErrors_js_1).default; } });
 var index_js_7 = require("./session/index.js");
 Object.defineProperty(exports, "PsychicSession", { enumerable: true, get: function () { return __importDefault(index_js_7).default; } });

package/dist/cjs/src/psychic-app/helpers/import/importControllers.js

@@ -40,10 +40,7 @@ importCb) {
              * at decoration time such that the class of a property being decorated is only avilable during instance instantiation. In order
              * to only apply static values once, on boot, `globallyInitializingDecorators` is set to true on Dream, and all Dream models are instantiated.
              */
-            new controllerClass({}, {}, {
-                action: 'a',
-                config: psychicApp,
-            });
+            new controllerClass({}, {}, { action: 'a' });
         }
     }
     index_js_1.default['globallyInitializingDecorators'] = false;

package/dist/cjs/src/psychic-app/index.js

@@ -111,7 +111,7 @@ class PsychicApp {
     async buildRoutesCache() {
         if (this._routesCache)
             return;
-        const r = new index_js_1.default(null, this);
+        const r = new index_js_1.default(null);
         await this.routesCb(r);
         this._routesCache = r.routes;
     }
@@ -273,6 +273,10 @@ Try setting it to something valid, like:
     get saltRounds() {
         return this._saltRounds;
     }
+    _sanitizeResponseJson = false;
+    get sanitizeResponseJson() {
+        return this._sanitizeResponseJson;
+    }
     _packageManager;
     get packageManager() {
         return this._packageManager;
@@ -564,6 +568,9 @@ Try setting it to something valid, like:
             case 'saltRounds':
                 this._saltRounds = value;
                 break;
+            case 'sanitizeResponseJson':
+                this._sanitizeResponseJson = value;
+                break;
             case 'openapi':
                 this._openapi = {
                     ...this.openapi,

package/dist/cjs/src/router/index.js

@@ -19,15 +19,10 @@ const route_manager_js_1 = __importDefault(require("./route-manager.js"));
 const types_js_1 = require("./types.js");
 class PsychicRouter {
     app;
-    config;
     currentNamespaces = [];
     routeManager = new route_manager_js_1.default();
-    constructor(app, config) {
+    constructor(app) {
         this.app = app;
-        this.config = config;
-    }
-    get routingMechanism() {
-        return this.app;
     }
     get routes() {
         return this.routeManager.routes;
@@ -115,13 +110,13 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
 `);
     }
     namespace(namespace, cb) {
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: this.currentNamespaces,
         });
         this.runNestedCallbacks(namespace, nestedRouter, cb);
     }
     scope(scope, cb) {
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: this.currentNamespaces,
         });
         this.runNestedCallbacks(scope, nestedRouter, cb, { treatNamespaceAsScope: true });
@@ -134,7 +129,7 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
     }
     collection(cb) {
         const replacedNamespaces = this.currentNamespaces.slice(0, this.currentNamespaces.length - 1);
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: replacedNamespaces,
         });
         const currentNamespace = replacedNamespaces[replacedNamespaces.length - 1];
@@ -156,7 +151,7 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
         }
     }
     _makeResource(path, options, cb, plural) {
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: this.currentNamespaces,
         });
         const { only, except } = options || {};
@@ -289,9 +284,9 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
                     index_js_1.default.log('ATTENTION: a server error was detected:');
                     index_js_1.default.logWithLevel('error', err);
                 }
-                if (this.config.specialHooks.serverError.length) {
+                if (index_js_1.default.getOrFail().specialHooks.serverError.length) {
                     try {
-                        for (const hook of this.config.specialHooks.serverError) {
+                        for (const hook of index_js_1.default.getOrFail().specialHooks.serverError) {
                             await hook(err, req, res);
                         }
                     }
@@ -321,7 +316,6 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
     }
     _initializeController(ControllerClass, req, res, action) {
         return new ControllerClass(req, res, {
-            config: this.config,
             action,
         });
     }
@@ -329,8 +323,8 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
 exports.default = PsychicRouter;
 class PsychicNestedRouter extends PsychicRouter {
     router;
-    constructor(expressApp, config, routeManager, { namespaces = [], } = {}) {
-        super(expressApp, config);
+    constructor(expressApp, routeManager, { namespaces = [], } = {}) {
+        super(expressApp);
         this.router = (0, express_1.Router)();
         this.currentNamespaces = namespaces;
         this.routeManager = routeManager;

package/dist/cjs/src/server/index.js

@@ -30,10 +30,10 @@ const dream_1 = require("@rvoh/dream");
 const cookieParser = __importStar(require("cookie-parser"));
 const cors = __importStar(require("cors"));
 const express = __importStar(require("express"));
+const EnvInternal_js_1 = __importDefault(require("../helpers/EnvInternal.js"));
 const index_js_1 = __importDefault(require("../psychic-app/index.js"));
 const index_js_2 = __importDefault(require("../router/index.js"));
 const startPsychicServer_js_1 = __importStar(require("./helpers/startPsychicServer.js"));
-const EnvInternal_js_1 = __importDefault(require("../helpers/EnvInternal.js"));
 // const debugEnabled = debuglog('psychic').enabled
 class PsychicServer {
     static async startPsychicServer(opts) {
@@ -51,13 +51,9 @@ class PsychicServer {
     constructor() {
         this.buildApp();
     }
-    get config() {
-        return index_js_1.default.getOrFail();
-    }
     async routes() {
-        const r = new index_js_2.default(this.expressApp, this.config);
-        const psychicApp = index_js_1.default.getOrFail();
-        await psychicApp.routesCb(r);
+        const r = new index_js_2.default(this.expressApp);
+        await index_js_1.default.getOrFail().routesCb(r);
         return r.routes;
     }
     async boot() {
@@ -71,13 +67,14 @@ class PsychicServer {
             });
             next();
         });
-        for (const serverInitBeforeMiddlewareHook of this.config.specialHooks.serverInitBeforeMiddleware) {
+        for (const serverInitBeforeMiddlewareHook of index_js_1.default.getOrFail().specialHooks
+            .serverInitBeforeMiddleware) {
             await serverInitBeforeMiddlewareHook(this);
         }
         this.initializeCors();
         this.initializeJSON();
         try {
-            await this.config.boot();
+            await index_js_1.default.getOrFail().boot();
         }
         catch (err) {
             const error = err;
@@ -87,11 +84,12 @@ class PsychicServer {
           ${error.message}
       `);
         }
-        for (const serverInitAfterMiddlewareHook of this.config.specialHooks.serverInitAfterMiddleware) {
+        for (const serverInitAfterMiddlewareHook of index_js_1.default.getOrFail().specialHooks
+            .serverInitAfterMiddleware) {
             await serverInitAfterMiddlewareHook(this);
         }
         await this.buildRoutes();
-        for (const afterRoutesHook of this.config.specialHooks.serverInitAfterRoutes) {
+        for (const afterRoutesHook of index_js_1.default.getOrFail().specialHooks.serverInitAfterRoutes) {
             await afterRoutesHook(this);
         }
         this.booted = true;
@@ -119,7 +117,7 @@ class PsychicServer {
             const httpServer = await (0, startPsychicServer_js_1.default)({
                 app: this.expressApp,
                 port: port || psychicApp.port,
-                sslCredentials: this.config.sslCredentials,
+                sslCredentials: index_js_1.default.getOrFail().sslCredentials,
             });
             this.httpServer = httpServer;
         }
@@ -146,8 +144,7 @@ class PsychicServer {
         process.exit();
     }
     async stop({ bypassClosingDbConnections = false } = {}) {
-        const psychicApp = index_js_1.default.getOrFail();
-        for (const hook of psychicApp.specialHooks.serverShutdown) {
+        for (const hook of index_js_1.default.getOrFail().specialHooks.serverShutdown) {
             await hook(this);
         }
         this.httpServer?.close();
@@ -156,8 +153,7 @@ class PsychicServer {
         }
     }
     async serveForRequestSpecs(block) {
-        const psychicApp = index_js_1.default.getOrFail();
-        const port = psychicApp.port;
+        const port = index_js_1.default.getOrFail().port;
         await this.boot();
         let server;
         await new Promise(accept => {
@@ -172,16 +168,16 @@ class PsychicServer {
         this.expressApp.use(cookieParser.default());
     }
     initializeCors() {
+        this.expressApp.use(
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        this.expressApp.use(cors.default(this.config.corsOptions));
+        cors.default(index_js_1.default.getOrFail().corsOptions));
     }
     initializeJSON() {
-        this.expressApp.use(express.json(this.config.jsonOptions));
+        this.expressApp.use(express.json(index_js_1.default.getOrFail().jsonOptions));
     }
     async buildRoutes() {
-        const r = new index_js_2.default(this.expressApp, this.config);
-        const psychicApp = index_js_1.default.getOrFail();
-        await psychicApp.routesCb(r);
+        const r = new index_js_2.default(this.expressApp);
+        await index_js_1.default.getOrFail().routesCb(r);
         r.commit();
     }
 }

package/dist/esm/src/controller/helpers/renderDreamOrViewModel.js

@@ -0,0 +1,19 @@
+import { inferSerializerFromDreamOrViewModel, isDreamSerializer, } from '@rvoh/dream';
+export default function renderDreamOrVewModel(data, serializerKey, 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+passthrough, renderOpts) {
+    const serializer = inferSerializerFromDreamOrViewModel(data, serializerKey);
+    if (serializer && isDreamSerializer(serializer)) {
+        // passthrough data going into the serializer is the argument that gets
+        // used in the custom attribute callback function
+        return serializer(data, passthrough).render(
+        // passthrough data must be passed both into the serializer and render
+        // because, if the serializer does accept passthrough data, then passing it in is how
+        // it gets into the serializer, but if it does not accept passthrough data, and therefore
+        // does not pass it into the call to DreamSerializer/ObjectSerializer,
+        // then it would be lost to serializers rendered via rendersOne/Many, and SerializerRenderer
+        // handles passing its passthrough data into those
+        passthrough, renderOpts);
+    }
+    throw new Error(`${serializer?.constructor?.name} is not a Dream serializer`);
+}

package/dist/esm/src/controller/index.js

@@ -1,4 +1,4 @@
-import { Dream, DreamSerializerBuilder, GlobalNameNotSet, inferSerializerFromDreamOrViewModel, isDreamSerializer, ObjectSerializerBuilder, } from '@rvoh/dream';
+import { Dream, DreamSerializerBuilder, GlobalNameNotSet, isDreamSerializer, ObjectSerializerBuilder, } from '@rvoh/dream';
 import ParamValidationError from '../error/controller/ParamValidationError.js';
 import HttpStatusBadGateway from '../error/http/BadGateway.js';
 import HttpStatusBadRequest from '../error/http/BadRequest.js';
@@ -31,10 +31,13 @@ import HttpStatusUnauthorized from '../error/http/Unauthorized.js';
 import HttpStatusUnavailableForLegalReasons from '../error/http/UnavailableForLegalReasons.js';
 import HttpStatusUnprocessableContent from '../error/http/UnprocessableContent.js';
 import HttpStatusUnsupportedMediaType from '../error/http/UnsupportedMediaType.js';
+import toJson from '../helpers/toJson.js';
 import OpenapiPayloadValidator from '../openapi-renderer/helpers/OpenapiPayloadValidator.js';
+import PsychicApp from '../psychic-app/index.js';
 import Params from '../server/params.js';
 import Session from '../session/index.js';
 import isPaginatedResult from './helpers/isPaginatedResult.js';
+import renderDreamOrVewModel from './helpers/renderDreamOrViewModel.js';
 export const PsychicParamsPrimitiveLiterals = [
     'bigint',
     'bigint[]',
@@ -102,26 +105,6 @@ export default class PsychicController {
      */
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     static openapi;
-    /**
-     * Enables you to specify specific serializers to use
-     * when encountering specific models, i.e.
-     *
-     * ```ts
-     * class MyController extends AuthedController {
-     *   static {
-     *     this.serializes(User).with(UserCustomSerializer)
-     *   }
-     * }
-     * ````
-     */
-    static serializes(ModelClass) {
-        return {
-            with: (SerializerClass) => {
-                controllerSerializerIndex.add(this, SerializerClass, ModelClass);
-                return this;
-            },
-        };
-    }
     /**
      * @internal
      *
@@ -186,13 +169,11 @@ export default class PsychicController {
     req;
     res;
     session;
-    config;
     action;
     renderOpts;
-    constructor(req, res, { config, action, }) {
+    constructor(req, res, { action, }) {
         this.req = req;
         this.res = res;
-        this.config = config;
         this.session = new Session(req, res);
         this.action = action;
         // TODO: read casing from Dream app config
@@ -351,13 +332,13 @@ export default class PsychicController {
         return this.session.setCookie(name, data, opts);
     }
     startSession(user) {
-        return this.setCookie(this.config.sessionCookieName, JSON.stringify({
+        return this.setCookie(PsychicApp.getOrFail().sessionCookieName, JSON.stringify({
             id: user.primaryKeyValue().toString(),
             modelKey: user.constructor.globalName,
         }));
     }
     endSession() {
-        return this.session.clearCookie(this.config.sessionCookieName);
+        return this.session.clearCookie(PsychicApp.getOrFail().sessionCookieName);
     }
     singleObjectJson(data, opts) {
         if (!data)
@@ -367,8 +348,6 @@ export default class PsychicController {
         if (data instanceof DreamSerializerBuilder || data instanceof ObjectSerializerBuilder) {
             return data.render(this.defaultSerializerPassthrough, this.renderOpts);
         }
-        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-member-access
-        const lookup = controllerSerializerIndex.lookupModel(this.constructor, data.constructor);
         const openapiDef = this.constructor?.openapi?.[this.action];
         // passthrough data must be passed both into the serializer and render
         // because, if the serializer does accept passthrough data, then passing it in is how
@@ -377,48 +356,38 @@ export default class PsychicController {
         // then it would be lost to serializers rendered via rendersOne/Many, and SerializerRenderer
         // handles passing its passthrough data into those
         const passthrough = this.defaultSerializerPassthrough;
-        if (lookup?.length) {
-            const serializer = lookup?.[1];
-            if (isDreamSerializer(serializer)) {
-                // passthrough data going into the serializer is the argument that gets
-                // used in the custom attribute callback function
+        if (data instanceof Dream || data.serializers) {
+            if (!opts.serializerKey && isDreamSerializer(openapiDef?.dreamsOrSerializers)) {
+                const serializer = openapiDef.dreamsOrSerializers;
                 return serializer(data, passthrough).render(passthrough, this.renderOpts);
             }
-        }
-        else if (isDreamSerializer(openapiDef?.dreamsOrSerializers)) {
-            const serializer = openapiDef.dreamsOrSerializers;
-            return serializer(data, passthrough).render(passthrough, this.renderOpts);
-        }
-        else if (data instanceof Dream || data.serializers) {
-            const serializer = inferSerializerFromDreamOrViewModel(data, opts.serializerKey ||
+            return renderDreamOrVewModel(data, opts.serializerKey ||
                 psychicControllerClass['controllerActionMetadata'][this.action]?.['serializerKey'] ||
-                'default');
-            if (serializer && isDreamSerializer(serializer)) {
-                // passthrough data going into the serializer is the argument that gets
-                // used in the custom attribute callback function
-                return serializer(data, passthrough).render(
-                // passthrough data must be passed both into the serializer and render
-                // because, if the serializer does accept passthrough data, then passing it in is how
-                // it gets into the serializer, but if it does not accept passthrough data, and therefore
-                // does not pass it into the call to DreamSerializer/ObjectSerializer,
-                // then it would be lost to serializers rendered via rendersOne/Many, and SerializerRenderer
-                // handles passing its passthrough data into those
-                passthrough, this.renderOpts);
-            }
+                'default', passthrough, this.renderOpts);
+        }
+        else {
+            return data;
         }
-        return data;
     }
     json(data, opts = {}) {
-        if (Array.isArray(data))
-            return this.validateAndRenderJsonResponse(data.map(d => 
+        return this.validateAndRenderJsonResponse(this._json(data, opts));
+    }
+    _json(data, opts = {}) {
+        if (Array.isArray(data)) {
             // eslint-disable-next-line @typescript-eslint/no-unsafe-return
-            this.singleObjectJson(d, opts)));
-        if (isPaginatedResult(data))
-            return this.validateAndRenderJsonResponse({
+            return data.map(d => this.singleObjectJson(d, opts));
+            //
+        }
+        else if (isPaginatedResult(data)) {
+            return {
                 ...data,
                 results: data.results.map(result => this.singleObjectJson(result, opts)),
-            });
-        return this.validateAndRenderJsonResponse(this.singleObjectJson(data, opts));
+            };
+            //
+        }
+        else {
+            return this.singleObjectJson(data, opts);
+        }
     }
     /**
      * Runs the data through openapi response validation, and then renders
@@ -430,7 +399,7 @@ export default class PsychicController {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     data) {
         this.validateOpenapiResponseBody(data);
-        this.res.json(data);
+        this.res.type('json').send(toJson(data, PsychicApp.getOrFail().sanitizeResponseJson));
     }
     defaultSerializerPassthrough = {};
     serializerPassthrough(passthrough) {
@@ -788,13 +757,3 @@ export default class PsychicController {
         }
     }
 }
-export class ControllerSerializerIndex {
-    associations = [];
-    add(ControllerClass, SerializerClass, ModelClass) {
-        this.associations.push([ControllerClass, SerializerClass, ModelClass]);
-    }
-    lookupModel(ControllerClass, ModelClass) {
-        return this.associations.find(association => association[0] === ControllerClass && association[2] === ModelClass);
-    }
-}
-export const controllerSerializerIndex = new ControllerSerializerIndex();

package/dist/esm/src/helpers/sanitizeString.js

@@ -0,0 +1,25 @@
+const CHARACTERS_TO_SANITIZE_REGEXP = /[\\&<>/'"]/g;
+export default function sanitizeString(str) {
+    if (str === null || str === undefined)
+        return str;
+    return str.replace(CHARACTERS_TO_SANITIZE_REGEXP, function (char) {
+        switch (char) {
+            case '\\':
+                return '\\u005c';
+            case '/':
+                return '\\u002f';
+            case '<':
+                return '\\u003c';
+            case '>':
+                return '\\u003e';
+            case '&':
+                return '\\u0026';
+            case "'":
+                return '\\u0027';
+            case '"':
+                return '\\u0022';
+            default:
+                return char;
+        }
+    });
+}

package/dist/esm/src/helpers/toJson.js

@@ -0,0 +1,15 @@
+import sanitizeString from './sanitizeString.js';
+export default function toJson(data, sanitize) {
+    /**
+     * 'undefined' is invalid json, and `JSON.stringify(undefined)` returns `undefined`
+     * so follow the pattern established by Express and return '{}' for `undefined`
+     */
+    if (data === undefined)
+        return '{}';
+    if (sanitize) {
+        return JSON.stringify(data, (_, x) => (typeof x !== 'string' ? x : sanitizeString(x))).replace(/\\\\/g, '\\');
+    }
+    else {
+        return JSON.stringify(data);
+    }
+}

package/dist/esm/src/index.js

@@ -41,6 +41,9 @@ export { default as generateController } from './generate/controller.js';
 export { default as generateResource } from './generate/resource.js';
 export { default as cookieMaxAgeFromCookieOpts } from './helpers/cookieMaxAgeFromCookieOpts.js';
 export { default as pathifyNestedObject } from './helpers/pathifyNestedObject.js';
+export { default as sanitizeString } from './helpers/sanitizeString.js';
+export { default as ParamValidationError } from './error/controller/ParamValidationError.js';
+export { default as ParamValidationErrors } from './error/controller/ParamValidationErrors.js';
 export { MissingControllerActionPairingInRoutes, } from './openapi-renderer/endpoint.js';
 export { default as PsychicImporter } from './psychic-app/helpers/PsychicImporter.js';
 export { default as PsychicApp, } from './psychic-app/index.js';
@@ -48,6 +51,4 @@ export { default as PsychicRouter } from './router/index.js';
 export { createPsychicHttpInstance as getPsychicHttpInstance } from './server/helpers/startPsychicServer.js';
 export { default as PsychicServer } from './server/index.js';
 export { default as Params } from './server/params.js';
-export { default as ParamValidationError } from './error/controller/ParamValidationError.js';
-export { default as ParamValidationErrors } from './error/controller/ParamValidationErrors.js';
 export { default as PsychicSession } from './session/index.js';

package/dist/esm/src/psychic-app/helpers/import/importControllers.js

@@ -32,10 +32,7 @@ importCb) {
              * at decoration time such that the class of a property being decorated is only avilable during instance instantiation. In order
              * to only apply static values once, on boot, `globallyInitializingDecorators` is set to true on Dream, and all Dream models are instantiated.
              */
-            new controllerClass({}, {}, {
-                action: 'a',
-                config: psychicApp,
-            });
+            new controllerClass({}, {}, { action: 'a' });
         }
     }
     PsychicController['globallyInitializingDecorators'] = false;

package/dist/esm/src/psychic-app/index.js

@@ -82,7 +82,7 @@ export default class PsychicApp {
     async buildRoutesCache() {
         if (this._routesCache)
             return;
-        const r = new PsychicRouter(null, this);
+        const r = new PsychicRouter(null);
         await this.routesCb(r);
         this._routesCache = r.routes;
     }
@@ -244,6 +244,10 @@ Try setting it to something valid, like:
     get saltRounds() {
         return this._saltRounds;
     }
+    _sanitizeResponseJson = false;
+    get sanitizeResponseJson() {
+        return this._sanitizeResponseJson;
+    }
     _packageManager;
     get packageManager() {
         return this._packageManager;
@@ -535,6 +539,9 @@ Try setting it to something valid, like:
             case 'saltRounds':
                 this._saltRounds = value;
                 break;
+            case 'sanitizeResponseJson':
+                this._sanitizeResponseJson = value;
+                break;
             case 'openapi':
                 this._openapi = {
                     ...this.openapi,

package/dist/esm/src/router/index.js

@@ -13,15 +13,10 @@ import RouteManager from './route-manager.js';
 import { ResourceMethods, ResourcesMethods, } from './types.js';
 export default class PsychicRouter {
     app;
-    config;
     currentNamespaces = [];
     routeManager = new RouteManager();
-    constructor(app, config) {
+    constructor(app) {
         this.app = app;
-        this.config = config;
-    }
-    get routingMechanism() {
-        return this.app;
     }
     get routes() {
         return this.routeManager.routes;
@@ -109,13 +104,13 @@ suggested fix:  "${convertRouteParams(path)}"
 `);
     }
     namespace(namespace, cb) {
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: this.currentNamespaces,
         });
         this.runNestedCallbacks(namespace, nestedRouter, cb);
     }
     scope(scope, cb) {
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: this.currentNamespaces,
         });
         this.runNestedCallbacks(scope, nestedRouter, cb, { treatNamespaceAsScope: true });
@@ -128,7 +123,7 @@ suggested fix:  "${convertRouteParams(path)}"
     }
     collection(cb) {
         const replacedNamespaces = this.currentNamespaces.slice(0, this.currentNamespaces.length - 1);
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: replacedNamespaces,
         });
         const currentNamespace = replacedNamespaces[replacedNamespaces.length - 1];
@@ -150,7 +145,7 @@ suggested fix:  "${convertRouteParams(path)}"
         }
     }
     _makeResource(path, options, cb, plural) {
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: this.currentNamespaces,
         });
         const { only, except } = options || {};
@@ -283,9 +278,9 @@ suggested fix:  "${convertRouteParams(path)}"
                     PsychicApp.log('ATTENTION: a server error was detected:');
                     PsychicApp.logWithLevel('error', err);
                 }
-                if (this.config.specialHooks.serverError.length) {
+                if (PsychicApp.getOrFail().specialHooks.serverError.length) {
                     try {
-                        for (const hook of this.config.specialHooks.serverError) {
+                        for (const hook of PsychicApp.getOrFail().specialHooks.serverError) {
                             await hook(err, req, res);
                         }
                     }
@@ -315,15 +310,14 @@ suggested fix:  "${convertRouteParams(path)}"
     }
     _initializeController(ControllerClass, req, res, action) {
         return new ControllerClass(req, res, {
-            config: this.config,
             action,
         });
     }
 }
 export class PsychicNestedRouter extends PsychicRouter {
     router;
-    constructor(expressApp, config, routeManager, { namespaces = [], } = {}) {
-        super(expressApp, config);
+    constructor(expressApp, routeManager, { namespaces = [], } = {}) {
+        super(expressApp);
         this.router = Router();
         this.currentNamespaces = namespaces;
         this.routeManager = routeManager;

package/dist/esm/src/server/index.js

@@ -2,10 +2,10 @@ import { closeAllDbConnections, DreamLogos } from '@rvoh/dream';
 import * as cookieParser from 'cookie-parser';
 import * as cors from 'cors';
 import * as express from 'express';
+import EnvInternal from '../helpers/EnvInternal.js';
 import PsychicApp from '../psychic-app/index.js';
 import PsychicRouter from '../router/index.js';
 import startPsychicServer, { createPsychicHttpInstance, } from './helpers/startPsychicServer.js';
-import EnvInternal from '../helpers/EnvInternal.js';
 // const debugEnabled = debuglog('psychic').enabled
 export default class PsychicServer {
     static async startPsychicServer(opts) {
@@ -23,13 +23,9 @@ export default class PsychicServer {
     constructor() {
         this.buildApp();
     }
-    get config() {
-        return PsychicApp.getOrFail();
-    }
     async routes() {
-        const r = new PsychicRouter(this.expressApp, this.config);
-        const psychicApp = PsychicApp.getOrFail();
-        await psychicApp.routesCb(r);
+        const r = new PsychicRouter(this.expressApp);
+        await PsychicApp.getOrFail().routesCb(r);
         return r.routes;
     }
     async boot() {
@@ -43,13 +39,14 @@ export default class PsychicServer {
             });
             next();
         });
-        for (const serverInitBeforeMiddlewareHook of this.config.specialHooks.serverInitBeforeMiddleware) {
+        for (const serverInitBeforeMiddlewareHook of PsychicApp.getOrFail().specialHooks
+            .serverInitBeforeMiddleware) {
             await serverInitBeforeMiddlewareHook(this);
         }
         this.initializeCors();
         this.initializeJSON();
         try {
-            await this.config.boot();
+            await PsychicApp.getOrFail().boot();
         }
         catch (err) {
             const error = err;
@@ -59,11 +56,12 @@ export default class PsychicServer {
           ${error.message}
       `);
         }
-        for (const serverInitAfterMiddlewareHook of this.config.specialHooks.serverInitAfterMiddleware) {
+        for (const serverInitAfterMiddlewareHook of PsychicApp.getOrFail().specialHooks
+            .serverInitAfterMiddleware) {
             await serverInitAfterMiddlewareHook(this);
         }
         await this.buildRoutes();
-        for (const afterRoutesHook of this.config.specialHooks.serverInitAfterRoutes) {
+        for (const afterRoutesHook of PsychicApp.getOrFail().specialHooks.serverInitAfterRoutes) {
             await afterRoutesHook(this);
         }
         this.booted = true;
@@ -91,7 +89,7 @@ export default class PsychicServer {
             const httpServer = await startPsychicServer({
                 app: this.expressApp,
                 port: port || psychicApp.port,
-                sslCredentials: this.config.sslCredentials,
+                sslCredentials: PsychicApp.getOrFail().sslCredentials,
             });
             this.httpServer = httpServer;
         }
@@ -118,8 +116,7 @@ export default class PsychicServer {
         process.exit();
     }
     async stop({ bypassClosingDbConnections = false } = {}) {
-        const psychicApp = PsychicApp.getOrFail();
-        for (const hook of psychicApp.specialHooks.serverShutdown) {
+        for (const hook of PsychicApp.getOrFail().specialHooks.serverShutdown) {
             await hook(this);
         }
         this.httpServer?.close();
@@ -128,8 +125,7 @@ export default class PsychicServer {
         }
     }
     async serveForRequestSpecs(block) {
-        const psychicApp = PsychicApp.getOrFail();
-        const port = psychicApp.port;
+        const port = PsychicApp.getOrFail().port;
         await this.boot();
         let server;
         await new Promise(accept => {
@@ -144,16 +140,16 @@ export default class PsychicServer {
         this.expressApp.use(cookieParser.default());
     }
     initializeCors() {
+        this.expressApp.use(
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        this.expressApp.use(cors.default(this.config.corsOptions));
+        cors.default(PsychicApp.getOrFail().corsOptions));
     }
     initializeJSON() {
-        this.expressApp.use(express.json(this.config.jsonOptions));
+        this.expressApp.use(express.json(PsychicApp.getOrFail().jsonOptions));
     }
     async buildRoutes() {
-        const r = new PsychicRouter(this.expressApp, this.config);
-        const psychicApp = PsychicApp.getOrFail();
-        await psychicApp.routesCb(r);
+        const r = new PsychicRouter(this.expressApp);
+        await PsychicApp.getOrFail().routesCb(r);
         r.commit();
     }
 }

package/dist/types/src/controller/helpers/renderDreamOrViewModel.d.ts

@@ -0,0 +1,2 @@
+import { Dream, SerializerRendererOpts, ViewModel } from '@rvoh/dream';
+export default function renderDreamOrVewModel(data: Dream | ViewModel, serializerKey: string, passthrough: any, renderOpts: SerializerRendererOpts): Record<string, any> | null;

package/dist/types/src/controller/index.d.ts

@@ -1,9 +1,8 @@
-import { Dream, DreamModelSerializerType, DreamParamSafeAttributes, DreamParamSafeColumnNames, OpenapiSchemaBody, SerializerRendererOpts, SimpleObjectSerializerType, UpdateableProperties } from '@rvoh/dream';
+import { Dream, DreamParamSafeAttributes, DreamParamSafeColumnNames, OpenapiSchemaBody, SerializerRendererOpts, UpdateableProperties } from '@rvoh/dream';
 import { Request, Response } from 'express';
 import { ControllerHook } from '../controller/hooks.js';
 import { HttpStatusCodeInt, HttpStatusSymbol } from '../error/http/status-codes.js';
 import OpenapiEndpointRenderer from '../openapi-renderer/endpoint.js';
-import PsychicApp from '../psychic-app/index.js';
 import { ParamsCastOptions, ParamsForOpts, ValidatedAllowsNull, ValidatedReturnType } from '../server/params.js';
 import Session, { CustomSessionCookieOptions } from '../session/index.js';
 type SerializerResult = {
@@ -58,21 +57,6 @@ export default class PsychicController {
      * by using the `@Openapi` decorator on your controller methods
      */
     static openapi: Record<string, OpenapiEndpointRenderer<any, any>>;
-    /**
-     * Enables you to specify specific serializers to use
-     * when encountering specific models, i.e.
-     *
-     * ```ts
-     * class MyController extends AuthedController {
-     *   static {
-     *     this.serializes(User).with(UserCustomSerializer)
-     *   }
-     * }
-     * ````
-     */
-    static serializes(ModelClass: typeof Dream): {
-        with: (SerializerClass: DreamModelSerializerType | SimpleObjectSerializerType) => typeof PsychicController;
-    };
     /**
      * @internal
      *
@@ -118,11 +102,9 @@ export default class PsychicController {
     req: Request;
     res: Response;
     session: Session;
-    config: PsychicApp;
     action: string;
     renderOpts: SerializerRendererOpts;
-    constructor(req: Request, res: Response, { config, action, }: {
-        config: PsychicApp;
+    constructor(req: Request, res: Response, { action, }: {
         action: string;
     });
     /**
@@ -242,6 +224,7 @@ export default class PsychicController {
     endSession(): void;
     private singleObjectJson;
     json<T>(data: T, opts?: RenderOptions): any;
+    private _json;
     /**
      * Runs the data through openapi response validation, and then renders
      * the data if no errors were found.
@@ -359,16 +342,6 @@ export default class PsychicController {
      */
     runBeforeActionsFor(action: string): Promise<void>;
 }
-export declare class ControllerSerializerIndex {
-    associations: [
-        typeof PsychicController,
-        DreamModelSerializerType | SimpleObjectSerializerType,
-        typeof Dream
-    ][];
-    add(ControllerClass: typeof PsychicController, SerializerClass: DreamModelSerializerType | SimpleObjectSerializerType, ModelClass: typeof Dream): void;
-    lookupModel(ControllerClass: typeof PsychicController, ModelClass: typeof Dream): [typeof PsychicController, DreamModelSerializerType | SimpleObjectSerializerType, typeof Dream] | undefined;
-}
-export declare const controllerSerializerIndex: ControllerSerializerIndex;
 export type RenderOptions = {
     serializerKey?: string;
 };

package/dist/types/src/helpers/sanitizeString.d.ts

@@ -0,0 +1 @@
+export default function sanitizeString<T extends string | null | undefined>(str: T): T;

package/dist/types/src/helpers/toJson.d.ts

@@ -0,0 +1 @@
+export default function toJson<T>(data: T, sanitize: boolean): string;

package/dist/types/src/index.d.ts

@@ -50,6 +50,9 @@ export { default as generateController } from './generate/controller.js';
 export { default as generateResource } from './generate/resource.js';
 export { default as cookieMaxAgeFromCookieOpts } from './helpers/cookieMaxAgeFromCookieOpts.js';
 export { default as pathifyNestedObject } from './helpers/pathifyNestedObject.js';
+export { default as sanitizeString } from './helpers/sanitizeString.js';
+export { default as ParamValidationError } from './error/controller/ParamValidationError.js';
+export { default as ParamValidationErrors } from './error/controller/ParamValidationErrors.js';
 export { MissingControllerActionPairingInRoutes, type OpenapiContent, type OpenapiEndpointRendererOpts, type OpenapiEndpointResponse, type OpenapiHeaderOption, type OpenapiHeaders, type OpenapiHeaderType, type OpenapiMethodBody, type OpenapiParameterResponse, type OpenapiPathParams, type OpenapiQueryOption, type OpenapiResponses, type OpenapiSchema, type OpenapiPathParamOption as OpenapiUriOption, } from './openapi-renderer/endpoint.js';
 export { default as PsychicImporter } from './psychic-app/helpers/PsychicImporter.js';
 export { default as PsychicApp, type DefaultPsychicOpenapiOptions, type NamedPsychicOpenapiOptions, type PsychicAppInitOptions, } from './psychic-app/index.js';
@@ -59,6 +62,4 @@ export { type HttpMethod } from './router/types.js';
 export { createPsychicHttpInstance as getPsychicHttpInstance } from './server/helpers/startPsychicServer.js';
 export { default as PsychicServer } from './server/index.js';
 export { default as Params } from './server/params.js';
-export { default as ParamValidationError } from './error/controller/ParamValidationError.js';
-export { default as ParamValidationErrors } from './error/controller/ParamValidationErrors.js';
 export { default as PsychicSession } from './session/index.js';

package/dist/types/src/psychic-app/index.d.ts

@@ -127,6 +127,8 @@ export default class PsychicApp {
     get sslCredentials(): PsychicSslCredentials | undefined;
     private _saltRounds;
     get saltRounds(): number | undefined;
+    private _sanitizeResponseJson;
+    get sanitizeResponseJson(): boolean;
     private _packageManager;
     get packageManager(): "yarn" | "npm" | "pnpm";
     private _importExtension;
@@ -219,10 +221,10 @@ export default class PsychicApp {
     plugin(cb: (app: PsychicApp) => void | Promise<void>): void;
     on<T extends PsychicHookEventType>(hookEventType: T, cb: T extends 'server:error' ? (err: Error, req: Request, res: Response) => void | Promise<void> : T extends 'server:init:before-middleware' ? (psychicServer: PsychicServer) => void | Promise<void> : T extends 'server:init:after-middleware' ? (psychicServer: PsychicServer) => void | Promise<void> : T extends 'server:start' ? (psychicServer: PsychicServer) => void | Promise<void> : T extends 'server:shutdown' ? (psychicServer: PsychicServer) => void | Promise<void> : T extends 'server:init:after-routes' ? (psychicServer: PsychicServer) => void | Promise<void> : T extends 'cli:start' ? (program: Command) => void | Promise<void> : T extends 'cli:sync' ? () => any : (conf: PsychicApp) => void | Promise<void>): void;
     set(option: 'openapi', name: string, value: NamedPsychicOpenapiOptions): void;
-    set<Opt extends PsychicAppOption>(option: Opt, value: Opt extends 'appName' ? string : Opt extends 'apiOnly' ? boolean : Opt extends 'defaultResponseHeaders' ? Record<string, string | null> : Opt extends 'encryption' ? PsychicAppEncryptionOptions : Opt extends 'cors' ? CorsOptions : Opt extends 'cookie' ? CustomCookieOptions : Opt extends 'apiRoot' ? string : Opt extends 'importExtension' ? GeneratorImportStyle : Opt extends 'sessionCookieName' ? string : Opt extends 'clientRoot' ? string : Opt extends 'json' ? bodyParser.Options : Opt extends 'logger' ? PsychicLogger : Opt extends 'ssl' ? PsychicSslCredentials : Opt extends 'openapi' ? DefaultPsychicOpenapiOptions : Opt extends 'paths' ? PsychicPathOptions : Opt extends 'port' ? number : Opt extends 'saltRounds' ? number : Opt extends 'packageManager' ? DreamAppAllowedPackageManagersEnum : Opt extends 'inflections' ? () => void | Promise<void> : Opt extends 'routes' ? (r: PsychicRouter) => void | Promise<void> : never): void;
+    set<Opt extends PsychicAppOption>(option: Opt, value: Opt extends 'appName' ? string : Opt extends 'apiOnly' ? boolean : Opt extends 'defaultResponseHeaders' ? Record<string, string | null> : Opt extends 'encryption' ? PsychicAppEncryptionOptions : Opt extends 'cors' ? CorsOptions : Opt extends 'cookie' ? CustomCookieOptions : Opt extends 'apiRoot' ? string : Opt extends 'importExtension' ? GeneratorImportStyle : Opt extends 'sessionCookieName' ? string : Opt extends 'clientRoot' ? string : Opt extends 'json' ? bodyParser.Options : Opt extends 'logger' ? PsychicLogger : Opt extends 'ssl' ? PsychicSslCredentials : Opt extends 'openapi' ? DefaultPsychicOpenapiOptions : Opt extends 'paths' ? PsychicPathOptions : Opt extends 'port' ? number : Opt extends 'saltRounds' ? number : Opt extends 'sanitizeResponseJson' ? boolean : Opt extends 'packageManager' ? DreamAppAllowedPackageManagersEnum : Opt extends 'inflections' ? () => void | Promise<void> : Opt extends 'routes' ? (r: PsychicRouter) => void | Promise<void> : never): void;
     override<Override extends keyof PsychicAppOverrides>(override: Override, value: PsychicAppOverrides[Override]): void;
 }
-export type PsychicAppOption = 'appName' | 'apiOnly' | 'apiRoot' | 'importExtension' | 'encryption' | 'sessionCookieName' | 'clientRoot' | 'cookie' | 'cors' | 'defaultResponseHeaders' | 'inflections' | 'json' | 'logger' | 'openapi' | 'packageManager' | 'paths' | 'port' | 'routes' | 'saltRounds' | 'ssl';
+export type PsychicAppOption = 'appName' | 'apiOnly' | 'apiRoot' | 'importExtension' | 'encryption' | 'sessionCookieName' | 'clientRoot' | 'cookie' | 'cors' | 'defaultResponseHeaders' | 'inflections' | 'json' | 'logger' | 'openapi' | 'packageManager' | 'paths' | 'port' | 'routes' | 'saltRounds' | 'sanitizeResponseJson' | 'ssl';
 export interface PsychicAppSpecialHooks {
     cliSync: (() => any)[];
     serverInitBeforeMiddleware: ((server: PsychicServer) => void | Promise<void>)[];

package/dist/types/src/router/index.d.ts

@@ -1,16 +1,13 @@
 import { Application, Request, RequestHandler, Response, Router } from 'express';
 import PsychicController from '../controller/index.js';
-import PsychicApp from '../psychic-app/index.js';
 import { NamespaceConfig, PsychicControllerActions } from '../router/helpers.js';
 import RouteManager from './route-manager.js';
 import { HttpMethod, ResourcesOptions } from './types.js';
 export default class PsychicRouter {
     app: Application | null;
-    config: PsychicApp;
     currentNamespaces: NamespaceConfig[];
     routeManager: RouteManager;
-    constructor(app: Application | null, config: PsychicApp);
-    get routingMechanism(): Application | Router | null;
+    constructor(app: Application | null);
     get routes(): import("./route-manager.js").RouteConfig[];
     private get currentNamespacePaths();
     commit(): void;
@@ -56,7 +53,7 @@ export default class PsychicRouter {
 }
 export declare class PsychicNestedRouter extends PsychicRouter {
     router: Router;
-    constructor(expressApp: Application | null, config: PsychicApp, routeManager: RouteManager, { namespaces, }?: {
+    constructor(expressApp: Application | null, routeManager: RouteManager, { namespaces, }?: {
         namespaces?: NamespaceConfig[];
     });
 }

package/dist/types/src/server/index.d.ts

@@ -1,6 +1,6 @@
 import { Express } from 'express';
 import { Server } from 'node:http';
-import PsychicApp, { PsychicSslCredentials } from '../psychic-app/index.js';
+import { PsychicSslCredentials } from '../psychic-app/index.js';
 import { StartPsychicServerOptions } from './helpers/startPsychicServer.js';
 export default class PsychicServer {
     static startPsychicServer(opts: StartPsychicServerOptions): Promise<Server>;
@@ -10,7 +10,6 @@ export default class PsychicServer {
     httpServer: Server;
     private booted;
     constructor();
-    get config(): PsychicApp;
     routes(): Promise<import("../router/route-manager.js").RouteConfig[]>;
     boot(): Promise<true | undefined>;
     private setSecureDefaultHeaders;

package/package.json

@@ -2,7 +2,7 @@
   "type": "module",
   "name": "@rvoh/psychic",
   "description": "Typescript web framework",
-  "version": "1.6.4",
+  "version": "1.7.0",
   "author": "RVOHealth",
   "repository": {
     "type": "git",
@@ -62,7 +62,7 @@
   "devDependencies": {
     "@eslint/js": "^9.19.0",
     "@jest-mock/express": "^3.0.0",
-    "@rvoh/dream": "^1.5.2",
+    "@rvoh/dream": "^1.7.0",
     "@rvoh/dream-spec-helpers": "^1.1.1",
     "@rvoh/psychic-spec-helpers": "^1.0.0",
     "@types/express": "^5.0.1",