@strapi/utils 4.7.2-exp.175f7ac70ee76d6c825e4429e15fc85ee78d23bb → 4.8.0

package/lib/index.js

@@ -41,8 +41,8 @@ const { pipeAsync, mapAsync, reduceAsync, forEachAsync } = require('./async');
 const convertQueryParams = require('./convert-query-params');
 const importDefault = require('./import-default');
 const template = require('./template');
-const traverse = require('./traverse');
 const file = require('./file');
+const traverse = require('./traverse');
 
 module.exports = {
   yup,
@@ -91,6 +91,6 @@ module.exports = {
   validateYupSchemaSync,
   convertQueryParams,
   importDefault,
-  traverse,
   file,
+  traverse,
 };

package/lib/sanitize/index.js

@@ -11,138 +11,128 @@ const traverseEntity = require('../traverse-entity');
 
 const { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } = require('../traverse');
 
-module.exports = {
-  contentAPI: {
-    input(data, schema, { auth } = {}) {
-      if (isArray(data)) {
-        return Promise.all(data.map((entry) => this.input(entry, schema, { auth })));
-      }
-
-      const nonWritableAttributes = getNonWritableAttributes(schema);
-
-      const transforms = [
-        // Remove non writable attributes
-        traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
-      ];
+const createContentAPISanitizers = () => {
+  const sanitizeInput = (data, schema, { auth } = {}) => {
+    if (isArray(data)) {
+      return Promise.all(data.map((entry) => sanitizeInput(entry, schema, { auth })));
+    }
 
-      if (auth) {
-        // Remove restricted relations
-        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
-      }
+    const nonWritableAttributes = getNonWritableAttributes(schema);
 
-      // Apply sanitizers from registry if exists
-      strapi.sanitizers
-        .get('content-api.input')
-        .forEach((sanitizer) => transforms.push(sanitizer(schema)));
+    const transforms = [
+      // Remove non writable attributes
+      traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
+    ];
 
-      return pipeAsync(...transforms)(data);
-    },
+    if (auth) {
+      // Remove restricted relations
+      transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+    }
 
-    output(data, schema, { auth } = {}) {
-      if (isArray(data)) {
-        return Promise.all(data.map((entry) => this.output(entry, schema, { auth })));
-      }
+    // Apply sanitizers from registry if exists
+    strapi.sanitizers
+      .get('content-api.input')
+      .forEach((sanitizer) => transforms.push(sanitizer(schema)));
 
-      const transforms = [sanitizers.defaultSanitizeOutput(schema)];
+    return pipeAsync(...transforms)(data);
+  };
 
-      if (auth) {
-        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
-      }
+  const sanitizeOuput = (data, schema, { auth } = {}) => {
+    if (isArray(data)) {
+      return Promise.all(data.map((entry) => sanitizeOuput(entry, schema, { auth })));
+    }
 
-      // Apply sanitizers from registry if exists
-      strapi.sanitizers
-        .get('content-api.output')
-        .forEach((sanitizer) => transforms.push(sanitizer(schema)));
+    const transforms = [sanitizers.defaultSanitizeOutput(schema)];
 
-      return pipeAsync(...transforms)(data);
-    },
+    if (auth) {
+      transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+    }
 
-    async params(params, schema, { auth } = {}) {
-      const { filters, sort, fields, populate } = params;
+    // Apply sanitizers from registry if exists
+    strapi.sanitizers
+      .get('content-api.output')
+      .forEach((sanitizer) => transforms.push(sanitizer(schema)));
 
-      const sanitizedParams = cloneDeep(params);
+    return pipeAsync(...transforms)(data);
+  };
 
-      if (filters) {
-        Object.assign(sanitizedParams, { filters: await this.filters(filters, schema, { auth }) });
-      }
+  const sanitizeQuery = async (query, schema, { auth } = {}) => {
+    const { filters, sort, fields, populate } = query;
 
-      if (sort) {
-        Object.assign(sanitizedParams, { sort: await this.sort(sort, schema, { auth }) });
-      }
+    const sanitizedQuery = cloneDeep(query);
 
-      if (fields) {
-        Object.assign(sanitizedParams, { fields: await this.fields(fields, schema) });
-      }
+    if (filters) {
+      Object.assign(sanitizedQuery, { filters: await sanitizeFilters(filters, schema, { auth }) });
+    }
 
-      if (populate) {
-        Object.assign(sanitizedParams, { populate: await this.populate(populate, schema) });
-      }
+    if (sort) {
+      Object.assign(sanitizedQuery, { sort: await sanitizeSort(sort, schema, { auth }) });
+    }
 
-      return sanitizedParams;
-    },
+    if (fields) {
+      Object.assign(sanitizedQuery, { fields: await sanitizeFields(fields, schema) });
+    }
 
-    filters(filters, schema, { auth } = {}) {
-      if (isArray(filters)) {
-        return Promise.all(filters.map((filter) => this.filters(filter, schema, { auth })));
-      }
+    if (populate) {
+      Object.assign(sanitizedQuery, { populate: await sanitizePopulate(populate, schema) });
+    }
 
-      const transforms = [sanitizers.defaultSanitizeFilters(schema)];
+    return sanitizedQuery;
+  };
 
-      if (auth) {
-        transforms.push(traverseQueryFilters(visitors.removeRestrictedRelations(auth), { schema }));
-      }
+  const sanitizeFilters = (filters, schema, { auth } = {}) => {
+    if (isArray(filters)) {
+      return Promise.all(filters.map((filter) => sanitizeFilters(filter, schema, { auth })));
+    }
 
-      // Apply sanitizers from registry if exists
-      strapi.sanitizers
-        .get('content-api.filters')
-        .forEach((sanitizer) => transforms.push(sanitizer(schema)));
+    const transforms = [sanitizers.defaultSanitizeFilters(schema)];
 
-      return pipeAsync(...transforms)(filters);
-    },
+    if (auth) {
+      transforms.push(traverseQueryFilters(visitors.removeRestrictedRelations(auth), { schema }));
+    }
 
-    sort(sort, schema, { auth } = {}) {
-      const transforms = [sanitizers.defaultSanitizeSort(schema)];
+    return pipeAsync(...transforms)(filters);
+  };
 
-      if (auth) {
-        transforms.push(traverseQuerySort(visitors.removeRestrictedRelations(auth), { schema }));
-      }
+  const sanitizeSort = (sort, schema, { auth } = {}) => {
+    const transforms = [sanitizers.defaultSanitizeSort(schema)];
 
-      // Apply sanitizers from registry if exists
-      strapi.sanitizers
-        .get('content-api.sort')
-        .forEach((sanitizer) => transforms.push(sanitizer(schema)));
+    if (auth) {
+      transforms.push(traverseQuerySort(visitors.removeRestrictedRelations(auth), { schema }));
+    }
 
-      return pipeAsync(...transforms)(sort);
-    },
+    return pipeAsync(...transforms)(sort);
+  };
 
-    fields(fields, schema) {
-      const transforms = [sanitizers.defaultSanitizeFields(schema)];
+  const sanitizeFields = (fields, schema) => {
+    const transforms = [sanitizers.defaultSanitizeFields(schema)];
 
-      // Apply sanitizers from registry if exists
-      strapi.sanitizers
-        .get('content-api.fields')
-        .forEach((sanitizer) => transforms.push(sanitizer(schema)));
+    return pipeAsync(...transforms)(fields);
+  };
 
-      return pipeAsync(...transforms)(fields);
-    },
+  const sanitizePopulate = (populate, schema, { auth } = {}) => {
+    const transforms = [sanitizers.defaultSanitizePopulate(schema)];
 
-    populate(populate, schema, { auth } = {}) {
-      const transforms = [sanitizers.defaultSanitizePopulate(schema)];
+    if (auth) {
+      transforms.push(traverseQueryPopulate(visitors.removeRestrictedRelations(auth), { schema }));
+    }
 
-      if (auth) {
-        transforms.push(
-          traverseQueryPopulate(visitors.removeRestrictedRelations(auth), { schema })
-        );
-      }
+    return pipeAsync(...transforms)(populate);
+  };
 
-      // Apply sanitizers from registry if exists
-      strapi.sanitizers
-        .get('content-api.populate')
-        .forEach((sanitizer) => transforms.push(sanitizer(schema)));
+  return {
+    input: sanitizeInput,
+    output: sanitizeOuput,
+    query: sanitizeQuery,
+    filters: sanitizeFilters,
+    sort: sanitizeSort,
+    fields: sanitizeFields,
+    populate: sanitizePopulate,
+  };
+};
 
-      return pipeAsync(...transforms)(populate);
-    },
-  },
+module.exports = {
+  contentAPI: createContentAPISanitizers(),
 
   sanitizers,
   visitors,

package/lib/sanitize/sanitizers.js

@@ -38,6 +38,8 @@ const defaultSanitizeFilters = curry((schema, filters) => {
     traverseQueryFilters(removeDynamicZones, { schema }),
     // Remove morpTo relations from filters
     traverseQueryFilters(removeMorphToRelations, { schema }),
+    // Remove passwords from filters
+    traverseQueryFilters(removePassword, { schema }),
     // Remove private from filters
     traverseQueryFilters(removePrivate, { schema }),
     // Remove empty objects
@@ -69,6 +71,8 @@ const defaultSanitizeSort = curry((schema, sort) => {
     traverseQuerySort(removeMorphToRelations, { schema }),
     // Remove private from sort
     traverseQuerySort(removePrivate, { schema }),
+    // Remove passwords from filters
+    traverseQuerySort(removePassword, { schema }),
     // Remove keys for empty non-scalar values
     traverseQuerySort(
       ({ key, attribute, value }, { remove }) => {
@@ -94,6 +98,8 @@ const defaultSanitizeFields = curry((schema, fields) => {
     ),
     // Remove private fields
     traverseQueryFields(removePrivate, { schema }),
+    // Remove password fields
+    traverseQueryFields(removePassword, { schema }),
     // Remove nil values from fields array
     (value) => (isArray(value) ? value.filter((field) => !isNil(field)) : value)
   )(fields);

package/lib/traverse/query-filters.js

@@ -11,8 +11,8 @@ const filters = traverseFactory()
     async (visitor, options, filters, { recurse }) => {
       return Promise.all(
         filters.map((filter, i) => {
-          // In filters, only operators such as $and or $or can have a value
-          // array, thus we can update the raw path but not the attribute one
+          // In filters, only operators such as $and, $in, $notIn or $or and implicit operators like [...]
+          // can have a value array, thus we can update the raw path but not the attribute one
           const newPath = { ...options.path, raw: `${options.path.raw}[${i}]` };
 
           return recurse(visitor, { ...options, path: newPath }, filter);

package/lib/traverse/query-sort.js

@@ -3,6 +3,7 @@
 const {
   curry,
   isString,
+  isObject,
   map,
   trim,
   split,
@@ -21,6 +22,7 @@ const ORDER_VALUES = Object.values(ORDERS);
 
 const isSortOrder = (value) => ORDER_VALUES.includes(value.toLowerCase());
 const isStringArray = (value) => Array.isArray(value) && value.every(isString);
+const isObjectArray = (value) => Array.isArray(value) && value.every(isObject);
 const isNestedSorts = (value) => isString(value) && value.split(',').length > 1;
 
 const sort = traverseFactory()
@@ -45,6 +47,15 @@ const sort = traverseFactory()
       );
     }
   )
+  .intercept(
+    // Array of objects [{ foo: 'asc' }, { bar: 'desc', baz: 'asc' }] => map(recurse), then filter out empty items
+    isObjectArray,
+    async (visitor, options, sort, { recurse }) => {
+      return Promise.all(sort.map((nestedSort) => recurse(visitor, options, nestedSort))).then(
+        (res) => res.filter((nestedSort) => !isEmpty(nestedSort))
+      );
+    }
+  )
   // Parse string values
   .parse(
     (sort) => typeof sort === 'string',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/utils",
-  "version": "4.7.2-exp.175f7ac70ee76d6c825e4429e15fc85ee78d23bb",
+  "version": "4.8.0",
   "description": "Shared utilities for the Strapi packages",
   "keywords": [
     "strapi",
@@ -46,5 +46,5 @@
     "node": ">=14.19.1 <=18.x.x",
     "npm": ">=6.0.0"
   },
-  "gitHead": "175f7ac70ee76d6c825e4429e15fc85ee78d23bb"
+  "gitHead": "e239e408f99c9e61e6d02b38f01632ce67412f2a"
 }