@rvoh/psychic 1.6.4 → 1.7.1

package/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 1.7.1
+
+- compute openapi doc during intiialization, rather than problematically reading from a file cache
+
+## 1.7.0
+
+- `sanitizeResponseJson` config to automatically escape `<`, `>`, `&`, `/`, `\`, `'`, and `"` unicode representations when rendering json to satisfy security reviews (e.g., a pentest report recently called this out on one of our applications). For all practical purposes, this doesn't protect against anything (now that we have the `nosniff` header) since `JSON.parse` on the other end restores the original, dangerous string. Modern front end web frameworks already handle safely displaying arbitrary content, so further sanitization generally isn't needed. This version does provide the `sanitizeString` function that could be used to sanitize individual strings, replacing the above characters with string representations of the unicode characters that will survive Psychic converting to json and then parsing that json (i.e.: `<` will end up as the string "\u003c")
+
+- Fix openapi serializer fallback issue introduced in 1.6.3, where we mistakenly double render data that has already been serialized.
+
 ## 1.6.4
 
 Raise an exception if attempting to import an openapi file during PsychicApp.init when in production. We will still swallow the exception in non-prod environments so that one can create a new openapi configuration and run sync without getting an error.

package/dist/cjs/src/controller/helpers/renderDreamOrViewModel.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = renderDreamOrVewModel;
+const dream_1 = require("@rvoh/dream");
+function renderDreamOrVewModel(data, serializerKey, 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+passthrough, renderOpts) {
+    const serializer = (0, dream_1.inferSerializerFromDreamOrViewModel)(data, serializerKey);
+    if (serializer && (0, dream_1.isDreamSerializer)(serializer)) {
+        // passthrough data going into the serializer is the argument that gets
+        // used in the custom attribute callback function
+        return serializer(data, passthrough).render(
+        // passthrough data must be passed both into the serializer and render
+        // because, if the serializer does accept passthrough data, then passing it in is how
+        // it gets into the serializer, but if it does not accept passthrough data, and therefore
+        // does not pass it into the call to DreamSerializer/ObjectSerializer,
+        // then it would be lost to serializers rendered via rendersOne/Many, and SerializerRenderer
+        // handles passing its passthrough data into those
+        passthrough, renderOpts);
+    }
+    throw new Error(`${serializer?.constructor?.name} is not a Dream serializer`);
+}

package/dist/cjs/src/controller/index.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.controllerSerializerIndex = exports.ControllerSerializerIndex = exports.PsychicParamsPrimitiveLiterals = void 0;
+exports.PsychicParamsPrimitiveLiterals = void 0;
 const dream_1 = require("@rvoh/dream");
 const ParamValidationError_js_1 = __importDefault(require("../error/controller/ParamValidationError.js"));
 const BadGateway_js_1 = __importDefault(require("../error/http/BadGateway.js"));
@@ -37,10 +37,13 @@ const Unauthorized_js_1 = __importDefault(require("../error/http/Unauthorized.js
 const UnavailableForLegalReasons_js_1 = __importDefault(require("../error/http/UnavailableForLegalReasons.js"));
 const UnprocessableContent_js_1 = __importDefault(require("../error/http/UnprocessableContent.js"));
 const UnsupportedMediaType_js_1 = __importDefault(require("../error/http/UnsupportedMediaType.js"));
+const toJson_js_1 = __importDefault(require("../helpers/toJson.js"));
 const OpenapiPayloadValidator_js_1 = __importDefault(require("../openapi-renderer/helpers/OpenapiPayloadValidator.js"));
+const index_js_1 = __importDefault(require("../psychic-app/index.js"));
 const params_js_1 = __importDefault(require("../server/params.js"));
-const index_js_1 = __importDefault(require("../session/index.js"));
+const index_js_2 = __importDefault(require("../session/index.js"));
 const isPaginatedResult_js_1 = __importDefault(require("./helpers/isPaginatedResult.js"));
+const renderDreamOrViewModel_js_1 = __importDefault(require("./helpers/renderDreamOrViewModel.js"));
 exports.PsychicParamsPrimitiveLiterals = [
     'bigint',
     'bigint[]',
@@ -108,26 +111,6 @@ class PsychicController {
      */
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     static openapi;
-    /**
-     * Enables you to specify specific serializers to use
-     * when encountering specific models, i.e.
-     *
-     * ```ts
-     * class MyController extends AuthedController {
-     *   static {
-     *     this.serializes(User).with(UserCustomSerializer)
-     *   }
-     * }
-     * ````
-     */
-    static serializes(ModelClass) {
-        return {
-            with: (SerializerClass) => {
-                exports.controllerSerializerIndex.add(this, SerializerClass, ModelClass);
-                return this;
-            },
-        };
-    }
     /**
      * @internal
      *
@@ -192,14 +175,12 @@ class PsychicController {
     req;
     res;
     session;
-    config;
     action;
     renderOpts;
-    constructor(req, res, { config, action, }) {
+    constructor(req, res, { action, }) {
         this.req = req;
         this.res = res;
-        this.config = config;
-        this.session = new index_js_1.default(req, res);
+        this.session = new index_js_2.default(req, res);
         this.action = action;
         // TODO: read casing from Dream app config
         this.renderOpts = {
@@ -357,13 +338,13 @@ class PsychicController {
         return this.session.setCookie(name, data, opts);
     }
     startSession(user) {
-        return this.setCookie(this.config.sessionCookieName, JSON.stringify({
+        return this.setCookie(index_js_1.default.getOrFail().sessionCookieName, JSON.stringify({
             id: user.primaryKeyValue().toString(),
             modelKey: user.constructor.globalName,
         }));
     }
     endSession() {
-        return this.session.clearCookie(this.config.sessionCookieName);
+        return this.session.clearCookie(index_js_1.default.getOrFail().sessionCookieName);
     }
     singleObjectJson(data, opts) {
         if (!data)
@@ -373,8 +354,6 @@ class PsychicController {
         if (data instanceof dream_1.DreamSerializerBuilder || data instanceof dream_1.ObjectSerializerBuilder) {
             return data.render(this.defaultSerializerPassthrough, this.renderOpts);
         }
-        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-member-access
-        const lookup = exports.controllerSerializerIndex.lookupModel(this.constructor, data.constructor);
         const openapiDef = this.constructor?.openapi?.[this.action];
         // passthrough data must be passed both into the serializer and render
         // because, if the serializer does accept passthrough data, then passing it in is how
@@ -383,48 +362,38 @@ class PsychicController {
         // then it would be lost to serializers rendered via rendersOne/Many, and SerializerRenderer
         // handles passing its passthrough data into those
         const passthrough = this.defaultSerializerPassthrough;
-        if (lookup?.length) {
-            const serializer = lookup?.[1];
-            if ((0, dream_1.isDreamSerializer)(serializer)) {
-                // passthrough data going into the serializer is the argument that gets
-                // used in the custom attribute callback function
+        if (data instanceof dream_1.Dream || data.serializers) {
+            if (!opts.serializerKey && (0, dream_1.isDreamSerializer)(openapiDef?.dreamsOrSerializers)) {
+                const serializer = openapiDef.dreamsOrSerializers;
                 return serializer(data, passthrough).render(passthrough, this.renderOpts);
             }
-        }
-        else if ((0, dream_1.isDreamSerializer)(openapiDef?.dreamsOrSerializers)) {
-            const serializer = openapiDef.dreamsOrSerializers;
-            return serializer(data, passthrough).render(passthrough, this.renderOpts);
-        }
-        else if (data instanceof dream_1.Dream || data.serializers) {
-            const serializer = (0, dream_1.inferSerializerFromDreamOrViewModel)(data, opts.serializerKey ||
+            return (0, renderDreamOrViewModel_js_1.default)(data, opts.serializerKey ||
                 psychicControllerClass['controllerActionMetadata'][this.action]?.['serializerKey'] ||
-                'default');
-            if (serializer && (0, dream_1.isDreamSerializer)(serializer)) {
-                // passthrough data going into the serializer is the argument that gets
-                // used in the custom attribute callback function
-                return serializer(data, passthrough).render(
-                // passthrough data must be passed both into the serializer and render
-                // because, if the serializer does accept passthrough data, then passing it in is how
-                // it gets into the serializer, but if it does not accept passthrough data, and therefore
-                // does not pass it into the call to DreamSerializer/ObjectSerializer,
-                // then it would be lost to serializers rendered via rendersOne/Many, and SerializerRenderer
-                // handles passing its passthrough data into those
-                passthrough, this.renderOpts);
-            }
+                'default', passthrough, this.renderOpts);
+        }
+        else {
+            return data;
         }
-        return data;
     }
     json(data, opts = {}) {
-        if (Array.isArray(data))
-            return this.validateAndRenderJsonResponse(data.map(d => 
+        return this.validateAndRenderJsonResponse(this._json(data, opts));
+    }
+    _json(data, opts = {}) {
+        if (Array.isArray(data)) {
             // eslint-disable-next-line @typescript-eslint/no-unsafe-return
-            this.singleObjectJson(d, opts)));
-        if ((0, isPaginatedResult_js_1.default)(data))
-            return this.validateAndRenderJsonResponse({
+            return data.map(d => this.singleObjectJson(d, opts));
+            //
+        }
+        else if ((0, isPaginatedResult_js_1.default)(data)) {
+            return {
                 ...data,
                 results: data.results.map(result => this.singleObjectJson(result, opts)),
-            });
-        return this.validateAndRenderJsonResponse(this.singleObjectJson(data, opts));
+            };
+            //
+        }
+        else {
+            return this.singleObjectJson(data, opts);
+        }
     }
     /**
      * Runs the data through openapi response validation, and then renders
@@ -436,7 +405,7 @@ class PsychicController {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     data) {
         this.validateOpenapiResponseBody(data);
-        this.res.json(data);
+        this.res.type('json').send((0, toJson_js_1.default)(data, index_js_1.default.getOrFail().sanitizeResponseJson));
     }
     defaultSerializerPassthrough = {};
     serializerPassthrough(passthrough) {
@@ -795,14 +764,3 @@ class PsychicController {
     }
 }
 exports.default = PsychicController;
-class ControllerSerializerIndex {
-    associations = [];
-    add(ControllerClass, SerializerClass, ModelClass) {
-        this.associations.push([ControllerClass, SerializerClass, ModelClass]);
-    }
-    lookupModel(ControllerClass, ModelClass) {
-        return this.associations.find(association => association[0] === ControllerClass && association[2] === ModelClass);
-    }
-}
-exports.ControllerSerializerIndex = ControllerSerializerIndex;
-exports.controllerSerializerIndex = new ControllerSerializerIndex();

package/dist/cjs/src/helpers/sanitizeString.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = sanitizeString;
+const CHARACTERS_TO_SANITIZE_REGEXP = /[\\&<>/'"]/g;
+function sanitizeString(str) {
+    if (str === null || str === undefined)
+        return str;
+    return str.replace(CHARACTERS_TO_SANITIZE_REGEXP, function (char) {
+        switch (char) {
+            case '\\':
+                return '\\u005c';
+            case '/':
+                return '\\u002f';
+            case '<':
+                return '\\u003c';
+            case '>':
+                return '\\u003e';
+            case '&':
+                return '\\u0026';
+            case "'":
+                return '\\u0027';
+            case '"':
+                return '\\u0022';
+            default:
+                return char;
+        }
+    });
+}

package/dist/cjs/src/helpers/toJson.js

@@ -0,0 +1,21 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = toJson;
+const sanitizeString_js_1 = __importDefault(require("./sanitizeString.js"));
+function toJson(data, sanitize) {
+    /**
+     * 'undefined' is invalid json, and `JSON.stringify(undefined)` returns `undefined`
+     * so follow the pattern established by Express and return '{}' for `undefined`
+     */
+    if (data === undefined)
+        return '{}';
+    if (sanitize) {
+        return JSON.stringify(data, (_, x) => (typeof x !== 'string' ? x : (0, sanitizeString_js_1.default)(x))).replace(/\\\\/g, '\\');
+    }
+    else {
+        return JSON.stringify(data);
+    }
+}

package/dist/cjs/src/index.js

@@ -3,8 +3,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Params = exports.PsychicServer = exports.getPsychicHttpInstance = exports.PsychicRouter = exports.PsychicApp = exports.PsychicImporter = exports.MissingControllerActionPairingInRoutes = exports.pathifyNestedObject = exports.cookieMaxAgeFromCookieOpts = exports.generateResource = exports.generateController = exports.HttpStatusUnsupportedMediaType = exports.HttpStatusUnprocessableContent = exports.HttpStatusUnavailableForLegalReasons = exports.HttpStatusUnauthorized = exports.HttpStatusTooManyRequests = exports.HttpStatusServiceUnavailable = exports.HttpStatusRequestHeaderFieldsTooLarge = exports.HttpStatusProxyAuthenticationRequired = exports.HttpStatusPreconditionRequired = exports.HttpStatusPreconditionFailed = exports.HttpStatusPaymentRequired = exports.HttpStatusNotImplemented = exports.HttpStatusNotFound = exports.HttpStatusNotExtended = exports.HttpStatusNotAcceptable = exports.HttpStatusMisdirectedRequest = exports.HttpStatusMethodNotAllowed = exports.HttpStatusLocked = exports.HttpStatusInternalServerError = exports.HttpStatusInsufficientStorage = exports.HttpStatusImATeapot = exports.HttpStatusGone = exports.HttpStatusGatewayTimeout = exports.HttpStatusForbidden = exports.HttpStatusFailedDependency = exports.HttpStatusExpectationFailed = exports.HttpStatusContentTooLarge = exports.HttpStatusConflict = exports.HttpStatusBadRequest = exports.HttpStatusBadGateway = exports.I18nProvider = exports.envLoader = exports.PsychicDevtools = exports.PsychicController = exports.OpenAPI = exports.BeforeAction = exports.PsychicCLI = exports.PsychicBin = exports.pluralize = void 0;
-exports.PsychicSession = exports.ParamValidationErrors = exports.ParamValidationError = void 0;
+exports.PsychicRouter = exports.PsychicApp = exports.PsychicImporter = exports.MissingControllerActionPairingInRoutes = exports.ParamValidationErrors = exports.ParamValidationError = exports.sanitizeString = exports.pathifyNestedObject = exports.cookieMaxAgeFromCookieOpts = exports.generateResource = exports.generateController = exports.HttpStatusUnsupportedMediaType = exports.HttpStatusUnprocessableContent = exports.HttpStatusUnavailableForLegalReasons = exports.HttpStatusUnauthorized = exports.HttpStatusTooManyRequests = exports.HttpStatusServiceUnavailable = exports.HttpStatusRequestHeaderFieldsTooLarge = exports.HttpStatusProxyAuthenticationRequired = exports.HttpStatusPreconditionRequired = exports.HttpStatusPreconditionFailed = exports.HttpStatusPaymentRequired = exports.HttpStatusNotImplemented = exports.HttpStatusNotFound = exports.HttpStatusNotExtended = exports.HttpStatusNotAcceptable = exports.HttpStatusMisdirectedRequest = exports.HttpStatusMethodNotAllowed = exports.HttpStatusLocked = exports.HttpStatusInternalServerError = exports.HttpStatusInsufficientStorage = exports.HttpStatusImATeapot = exports.HttpStatusGone = exports.HttpStatusGatewayTimeout = exports.HttpStatusForbidden = exports.HttpStatusFailedDependency = exports.HttpStatusExpectationFailed = exports.HttpStatusContentTooLarge = exports.HttpStatusConflict = exports.HttpStatusBadRequest = exports.HttpStatusBadGateway = exports.I18nProvider = exports.envLoader = exports.PsychicDevtools = exports.PsychicController = exports.OpenAPI = exports.BeforeAction = exports.PsychicCLI = exports.PsychicBin = exports.pluralize = void 0;
+exports.PsychicSession = exports.Params = exports.PsychicServer = exports.getPsychicHttpInstance = void 0;
 const pluralize_esm_1 = __importDefault(require("pluralize-esm"));
 exports.pluralize = pluralize_esm_1.default;
 var index_js_1 = require("./bin/index.js");
@@ -90,6 +90,12 @@ var cookieMaxAgeFromCookieOpts_js_1 = require("./helpers/cookieMaxAgeFromCookieO
 Object.defineProperty(exports, "cookieMaxAgeFromCookieOpts", { enumerable: true, get: function () { return __importDefault(cookieMaxAgeFromCookieOpts_js_1).default; } });
 var pathifyNestedObject_js_1 = require("./helpers/pathifyNestedObject.js");
 Object.defineProperty(exports, "pathifyNestedObject", { enumerable: true, get: function () { return __importDefault(pathifyNestedObject_js_1).default; } });
+var sanitizeString_js_1 = require("./helpers/sanitizeString.js");
+Object.defineProperty(exports, "sanitizeString", { enumerable: true, get: function () { return __importDefault(sanitizeString_js_1).default; } });
+var ParamValidationError_js_1 = require("./error/controller/ParamValidationError.js");
+Object.defineProperty(exports, "ParamValidationError", { enumerable: true, get: function () { return __importDefault(ParamValidationError_js_1).default; } });
+var ParamValidationErrors_js_1 = require("./error/controller/ParamValidationErrors.js");
+Object.defineProperty(exports, "ParamValidationErrors", { enumerable: true, get: function () { return __importDefault(ParamValidationErrors_js_1).default; } });
 var endpoint_js_1 = require("./openapi-renderer/endpoint.js");
 Object.defineProperty(exports, "MissingControllerActionPairingInRoutes", { enumerable: true, get: function () { return endpoint_js_1.MissingControllerActionPairingInRoutes; } });
 var PsychicImporter_js_1 = require("./psychic-app/helpers/PsychicImporter.js");
@@ -104,9 +110,5 @@ var index_js_6 = require("./server/index.js");
 Object.defineProperty(exports, "PsychicServer", { enumerable: true, get: function () { return __importDefault(index_js_6).default; } });
 var params_js_1 = require("./server/params.js");
 Object.defineProperty(exports, "Params", { enumerable: true, get: function () { return __importDefault(params_js_1).default; } });
-var ParamValidationError_js_1 = require("./error/controller/ParamValidationError.js");
-Object.defineProperty(exports, "ParamValidationError", { enumerable: true, get: function () { return __importDefault(ParamValidationError_js_1).default; } });
-var ParamValidationErrors_js_1 = require("./error/controller/ParamValidationErrors.js");
-Object.defineProperty(exports, "ParamValidationErrors", { enumerable: true, get: function () { return __importDefault(ParamValidationErrors_js_1).default; } });
 var index_js_7 = require("./session/index.js");
 Object.defineProperty(exports, "PsychicSession", { enumerable: true, get: function () { return __importDefault(index_js_7).default; } });

package/dist/cjs/src/psychic-app/helpers/import/importControllers.js

@@ -40,10 +40,7 @@ importCb) {
              * at decoration time such that the class of a property being decorated is only avilable during instance instantiation. In order
              * to only apply static values once, on boot, `globallyInitializingDecorators` is set to true on Dream, and all Dream models are instantiated.
              */
-            new controllerClass({}, {}, {
-                action: 'a',
-                config: psychicApp,
-            });
+            new controllerClass({}, {}, { action: 'a' });
         }
     }
     index_js_1.default['globallyInitializingDecorators'] = false;

package/dist/cjs/src/psychic-app/index.js

@@ -97,7 +97,10 @@ class PsychicApp {
             dreamApp.set('logger', psychicApp.logger);
             dreamApp.set('packageManager', psychicApp.packageManager);
             (0, cache_js_1.cachePsychicApp)(psychicApp);
-            await Promise.all([psychicApp.buildOpenapiCache(), psychicApp.buildRoutesCache()]);
+            // routes _must_ be built before openapi
+            // cache can be processed
+            await psychicApp.buildRoutesCache();
+            psychicApp.buildOpenapiCache();
         });
         return psychicApp;
     }
@@ -111,7 +114,7 @@ class PsychicApp {
     async buildRoutesCache() {
         if (this._routesCache)
             return;
-        const r = new index_js_1.default(null, this);
+        const r = new index_js_1.default(null);
         await this.routesCb(r);
         this._routesCache = r.routes;
     }
@@ -128,20 +131,40 @@ class PsychicApp {
      * request validation can look to the route cache
      * instead of having to build it from scratch.
      */
-    async buildOpenapiCache() {
-        // build caches for all files that are registered for validation
-        await Promise.all(Object.keys(this.openapi)
-            .filter(key => this.openapi[key]?.validate)
-            .map(async (openapiName) => {
-            await this.cacheOpenapiFile(openapiName);
-        }));
-        // ignore all files that are not registered for validation
-        Object.keys(this.openapi)
-            .filter(key => !this.openapi[key]?.validate)
-            .forEach(openapiName => {
-            this.ignoreOpenapiFile(openapiName);
+    buildOpenapiCache() {
+        Object.keys(this.openapi).forEach(openapiName => {
+            if (this.openapi[openapiName]?.validate) {
+                this.cacheOpenapiDoc(openapiName);
+            }
+            else {
+                this.ignoreOpenapiDoc(openapiName);
+            }
         });
     }
+    /**
+     * @internal
+     *
+     * When PsychicApp.init is called, a cache is built for each openapiName
+     * registered within your app config. For each openapiName, Psychic will
+     * read compute and cache the openapi document contents for that openapiName.
+     * It does this to enable the validation engine to read component
+     * schemas accross the entire document to perform individual endpoint validation.
+     *
+     * @param openapiName - the openapiName you want to look up the openapi cache for
+     */
+    cacheOpenapiDoc(openapiName) {
+        (0, openapi_cache_js_1.cacheOpenapiDoc)(openapiName, this.routesCache);
+    }
+    /**
+     * indicates to the underlying cache that this openapi file is intentionally
+     * being ignored, so that future lookups for the file cache do not raise
+     * an exception
+     *
+     * @param openapiName - the openapiName to ignore
+     */
+    ignoreOpenapiDoc(openapiName) {
+        (0, openapi_cache_js_1.ignoreOpenapiDoc)(openapiName);
+    }
     /**
      * Since javascript is inherently vulnerable to circular dependencies,
      * this function provides a workaround by enabling you to dynamically
@@ -273,6 +296,10 @@ Try setting it to something valid, like:
     get saltRounds() {
         return this._saltRounds;
     }
+    _sanitizeResponseJson = false;
+    get sanitizeResponseJson() {
+        return this._sanitizeResponseJson;
+    }
     _packageManager;
     get packageManager() {
         return this._packageManager;
@@ -285,35 +312,6 @@ Try setting it to something valid, like:
     get routesCb() {
         return this._routesCb;
     }
-    /**
-     * @internal
-     *
-     * When PsychicApp.init is called, a cache is built for each openapiName
-     * registered within your app config. For each openapiName, Psychic will
-     * read the openapi file (unless it has not been written yet) and cache the
-     * contents. It does this to enable the validation engine to read component
-     * schemas accross the entire document to perform individual endpoint validation.
-     *
-     * This function is used to cache the contents of this file during initialization,
-     * so that the validation engine can call down to the complementing method,
-     * `getOpenapiFileOrFail`, which will return the contents of the document, or undefined
-     * if it was not found.
-     *
-     * @param openapiName - the openapiName you want to look up the openapi cache for
-     */
-    async cacheOpenapiFile(openapiName) {
-        await (0, openapi_cache_js_1.readAndCacheOpenapiFile)(openapiName);
-    }
-    /**
-     * indicates to the underlying cache that this openapi file is intentionally
-     * being ignored, so that future lookups for the file cache do not raise
-     * an exception
-     *
-     * @param openapiName - the openapiName to ignore
-     */
-    ignoreOpenapiFile(openapiName) {
-        (0, openapi_cache_js_1.ignoreOpenapiFile)(openapiName);
-    }
     /**
      * @internal
      *
@@ -332,7 +330,7 @@ Try setting it to something valid, like:
      * @returns the scanned openapi document, or undefined if it could not be found.
      */
     getOpenapiFileOrFail(openapiName) {
-        return (0, openapi_cache_js_1.getOpenapiFileOrFail)(openapiName);
+        return (0, openapi_cache_js_1.getCachedOpenapiDocOrFail)(openapiName);
     }
     /**
      * @returns the entire openapi config, which includes configurations for each endpoint, indexed by their openapiNames
@@ -564,6 +562,9 @@ Try setting it to something valid, like:
             case 'saltRounds':
                 this._saltRounds = value;
                 break;
+            case 'sanitizeResponseJson':
+                this._sanitizeResponseJson = value;
+                break;
             case 'openapi':
                 this._openapi = {
                     ...this.openapi,

package/dist/cjs/src/psychic-app/openapi-cache.js

@@ -1,39 +1,13 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getOpenapiFileOrFail = getOpenapiFileOrFail;
-exports.readAndCacheOpenapiFile = readAndCacheOpenapiFile;
-exports.ignoreOpenapiFile = ignoreOpenapiFile;
-const fs = __importStar(require("node:fs/promises"));
-const openapiJsonPath_js_1 = __importDefault(require("../helpers/openapiJsonPath.js"));
+exports.getCachedOpenapiDocOrFail = getCachedOpenapiDocOrFail;
+exports.cacheOpenapiDoc = cacheOpenapiDoc;
+exports.ignoreOpenapiDoc = ignoreOpenapiDoc;
 const must_call_psychic_app_init_first_js_1 = __importDefault(require("../error/psychic-app/must-call-psychic-app-init-first.js"));
-const EnvInternal_js_1 = __importDefault(require("../helpers/EnvInternal.js"));
-const OpenapiFileNotFound_js_1 = __importDefault(require("../error/openapi/OpenapiFileNotFound.js"));
+const app_js_1 = __importDefault(require("../openapi-renderer/app.js"));
 const _openapiData = {};
 /**
  * Raises an exception if readAndCacheOpenapiFile was not called
@@ -42,7 +16,7 @@ const _openapiData = {};
  * @param openapiName - the openapiName you wish to look up
  * @returns the cached openapi file, or undefined if it was not found
  */
-function getOpenapiFileOrFail(openapiName) {
+function getCachedOpenapiDocOrFail(openapiName) {
     const val = _openapiData[openapiName];
     if (!val)
         throw new must_call_psychic_app_init_first_js_1.default();
@@ -59,29 +33,13 @@ function getOpenapiFileOrFail(openapiName) {
  *
  * @param openapiName - the openapiName you wish to look up
  */
-async function readAndCacheOpenapiFile(openapiName) {
+function cacheOpenapiDoc(openapiName, routes) {
     if (_openapiData[openapiName])
         return;
-    const openapiPath = (0, openapiJsonPath_js_1.default)(openapiName);
-    try {
-        const buffer = await fs.readFile(openapiPath);
-        const openapiDoc = JSON.parse(buffer.toString());
-        //  we only cache the components from the openapi files,
-        //  since that is all that we currently need for validation,
-        //  which is the only thing leveraging these cached openapi files.
-        _openapiData[openapiName] = openapiDoc?.components
-            ? { components: openapiDoc.components }
-            : FILE_DOES_NOT_EXIST;
-    }
-    catch {
-        if (EnvInternal_js_1.default.isProduction) {
-            throw new OpenapiFileNotFound_js_1.default(openapiName, openapiPath);
-        }
-        // if the openapi file is not generated yet and we are in our local
-        // environment, we don't want to raise an exception, since it could
-        // prevent someone from ever defining a new openapi configuration.
-        _openapiData[openapiName] = FILE_DOES_NOT_EXIST;
-    }
+    const openapiDoc = app_js_1.default._toObject(routes, openapiName);
+    _openapiData[openapiName] = openapiDoc?.components
+        ? { components: openapiDoc.components }
+        : FILE_DOES_NOT_EXIST;
 }
 /**
  * Reads the openapi file corresponding to the openapiName,
@@ -92,7 +50,7 @@ async function readAndCacheOpenapiFile(openapiName) {
  *
  * @param openapiName - the openapiName you wish to look up
  */
-function ignoreOpenapiFile(openapiName) {
+function ignoreOpenapiDoc(openapiName) {
     _openapiData[openapiName] = FILE_WAS_IGNORED;
 }
 const FILE_DOES_NOT_EXIST = 'FILE_DOES_NOT_EXIST';

package/dist/cjs/src/router/index.js

@@ -19,15 +19,10 @@ const route_manager_js_1 = __importDefault(require("./route-manager.js"));
 const types_js_1 = require("./types.js");
 class PsychicRouter {
     app;
-    config;
     currentNamespaces = [];
     routeManager = new route_manager_js_1.default();
-    constructor(app, config) {
+    constructor(app) {
         this.app = app;
-        this.config = config;
-    }
-    get routingMechanism() {
-        return this.app;
     }
     get routes() {
         return this.routeManager.routes;
@@ -115,13 +110,13 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
 `);
     }
     namespace(namespace, cb) {
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: this.currentNamespaces,
         });
         this.runNestedCallbacks(namespace, nestedRouter, cb);
     }
     scope(scope, cb) {
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: this.currentNamespaces,
         });
         this.runNestedCallbacks(scope, nestedRouter, cb, { treatNamespaceAsScope: true });
@@ -134,7 +129,7 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
     }
     collection(cb) {
         const replacedNamespaces = this.currentNamespaces.slice(0, this.currentNamespaces.length - 1);
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: replacedNamespaces,
         });
         const currentNamespace = replacedNamespaces[replacedNamespaces.length - 1];
@@ -156,7 +151,7 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
         }
     }
     _makeResource(path, options, cb, plural) {
-        const nestedRouter = new PsychicNestedRouter(this.app, this.config, this.routeManager, {
+        const nestedRouter = new PsychicNestedRouter(this.app, this.routeManager, {
             namespaces: this.currentNamespaces,
         });
         const { only, except } = options || {};
@@ -289,9 +284,9 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
                     index_js_1.default.log('ATTENTION: a server error was detected:');
                     index_js_1.default.logWithLevel('error', err);
                 }
-                if (this.config.specialHooks.serverError.length) {
+                if (index_js_1.default.getOrFail().specialHooks.serverError.length) {
                     try {
-                        for (const hook of this.config.specialHooks.serverError) {
+                        for (const hook of index_js_1.default.getOrFail().specialHooks.serverError) {
                             await hook(err, req, res);
                         }
                     }
@@ -321,7 +316,6 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
     }
     _initializeController(ControllerClass, req, res, action) {
         return new ControllerClass(req, res, {
-            config: this.config,
             action,
         });
     }
@@ -329,8 +323,8 @@ suggested fix:  "${(0, helpers_js_1.convertRouteParams)(path)}"
 exports.default = PsychicRouter;
 class PsychicNestedRouter extends PsychicRouter {
     router;
-    constructor(expressApp, config, routeManager, { namespaces = [], } = {}) {
-        super(expressApp, config);
+    constructor(expressApp, routeManager, { namespaces = [], } = {}) {
+        super(expressApp);
         this.router = (0, express_1.Router)();
         this.currentNamespaces = namespaces;
         this.routeManager = routeManager;