@strapi/utils 5.46.0 → 5.47.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/dist/content-api-constants.d.ts +2 -2
  2. package/dist/content-api-constants.d.ts.map +1 -1
  3. package/dist/content-api-constants.js +2 -0
  4. package/dist/content-api-constants.js.map +1 -1
  5. package/dist/content-api-constants.mjs +2 -0
  6. package/dist/content-api-constants.mjs.map +1 -1
  7. package/dist/convert-query-params.d.ts +4 -2
  8. package/dist/convert-query-params.d.ts.map +1 -1
  9. package/dist/convert-query-params.js.map +1 -1
  10. package/dist/convert-query-params.mjs.map +1 -1
  11. package/dist/has-published-version-param.d.ts +9 -0
  12. package/dist/has-published-version-param.d.ts.map +1 -0
  13. package/dist/has-published-version-param.js +24 -0
  14. package/dist/has-published-version-param.js.map +1 -0
  15. package/dist/has-published-version-param.mjs +21 -0
  16. package/dist/has-published-version-param.mjs.map +1 -0
  17. package/dist/index.d.ts +2 -0
  18. package/dist/index.d.ts.map +1 -1
  19. package/dist/index.js +7 -0
  20. package/dist/index.js.map +1 -1
  21. package/dist/index.mjs +2 -0
  22. package/dist/index.mjs.map +1 -1
  23. package/dist/package-manager.d.ts +2 -1
  24. package/dist/package-manager.d.ts.map +1 -1
  25. package/dist/package-manager.js +2 -1
  26. package/dist/package-manager.js.map +1 -1
  27. package/dist/package-manager.mjs +2 -1
  28. package/dist/package-manager.mjs.map +1 -1
  29. package/dist/publication-filter.d.ts +14 -0
  30. package/dist/publication-filter.d.ts.map +1 -0
  31. package/dist/publication-filter.js +189 -0
  32. package/dist/publication-filter.js.map +1 -0
  33. package/dist/publication-filter.mjs +185 -0
  34. package/dist/publication-filter.mjs.map +1 -0
  35. package/dist/sanitize/index.d.ts.map +1 -1
  36. package/dist/sanitize/index.js +4 -0
  37. package/dist/sanitize/index.js.map +1 -1
  38. package/dist/sanitize/index.mjs +4 -0
  39. package/dist/sanitize/index.mjs.map +1 -1
  40. package/dist/validate/index.d.ts.map +1 -1
  41. package/dist/validate/index.js +5 -0
  42. package/dist/validate/index.js.map +1 -1
  43. package/dist/validate/index.mjs +5 -0
  44. package/dist/validate/index.mjs.map +1 -1
  45. package/package.json +3 -3
package/dist/publication-filter.mjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"publication-filter.mjs","sources":["../src/publication-filter.ts"],"sourcesContent":["import type { Model } from './types';\nimport { ApplicationError, ValidationError } from './errors';\nimport { hasDraftAndPublish } from './content-types';\n\nexport type PublicationFilterMode =\n | 'never-published'\n | 'has-published-version'\n | 'modified'\n | 'unmodified'\n | 'never-published-document'\n | 'has-published-version-document'\n | 'published-without-draft'\n | 'published-with-draft';\n\nconst ALLOWED: PublicationFilterMode[] = [\n 'never-published',\n 'has-published-version',\n 'modified',\n 'unmodified',\n 'never-published-document',\n 'has-published-version-document',\n 'published-without-draft',\n 'published-with-draft',\n];\n\nexport const parsePublicationFilter = (value: unknown): PublicationFilterMode | undefined => {\n if (value === undefined || value === null) {\n return undefined;\n }\n\n if (typeof value === 'string' && (ALLOWED as string[]).includes(value)) {\n return value as PublicationFilterMode;\n }\n\n throw new ValidationError(\n `Invalid value for 'publicationFilter'. Expected one of: ${ALLOWED.join(', ')}.`\n );\n};\n\ntype QueryParamDetails = { source?: string; param?: string; [key: string]: unknown };\n\n/**\n * Validates a `publicationFilter` query value for Content API `validate.query` / `sanitize.query`.\n * Attaches `details.source` and `details.param` so HTTP layer maps to 400 with correct field context.\n */\nexport const validatePublicationFilterQueryParam = (value: unknown): void => {\n if (value === undefined || value === null) {\n return;\n }\n\n try {\n parsePublicationFilter(value);\n } catch (e) {\n if (e instanceof ValidationError) {\n const prev = e.details as QueryParamDetails | undefined;\n e.details = {\n ...(prev && typeof prev === 'object' ? prev : {}),\n source: 'query',\n param: 'publicationFilter',\n };\n }\n throw e;\n }\n};\n\nconst columnName = (meta: any, attr: string): string => {\n const a = meta?.attributes?.[attr];\n if (!a) {\n throw new ApplicationError(\n `Cannot build publicationFilter SQL: attribute '${attr}' is missing from metadata for table '${meta?.tableName ?? '<unknown>'}'.`\n );\n }\n if (!('columnName' in a) || !a.columnName) {\n throw new ApplicationError(\n `Cannot build publicationFilter SQL: attribute '${attr}' on table '${meta?.tableName ?? '<unknown>'}' has no resolved columnName.`\n );\n }\n return a.columnName as string;\n};\n\nconst emptyIdSelection = (knex: any, table: string, idCol: string) =>\n knex(table).select(`${table}.${idCol}`).whereRaw('0 = 1');\n\n/**\n * Extra `id IN (subquery)` filter for publicationFilter, scoped to (documentId, locale) when i18n is enabled.\n * Document-scoped modes use `documentId` only. Returns null when the model does not use draft & publish.\n */\nexport const buildPublicationFilterWhere = (\n knex: any,\n meta: any,\n model: Model | undefined,\n mode: PublicationFilterMode,\n status: 'draft' | 'published'\n): Record<string, unknown> | null => {\n if (!model || !hasDraftAndPublish(model)) {\n return null;\n }\n\n const table = meta.tableName;\n const idCol = columnName(meta, 'id');\n const docCol = columnName(meta, 'documentId');\n const pubCol = columnName(meta, 'publishedAt');\n const updatedCol = columnName(meta, 'updatedAt');\n const hasLocale = Boolean(meta.attributes.locale);\n const localeCol = hasLocale ? columnName(meta, 'locale') : null;\n\n const pairOn = (aliasA: string, aliasB: string) => {\n const parts = [`${aliasA}.${docCol} = ${aliasB}.${docCol}`];\n if (localeCol) {\n parts.push(\n `(${aliasA}.${localeCol} = ${aliasB}.${localeCol} OR (${aliasA}.${localeCol} IS NULL AND ${aliasB}.${localeCol} IS NULL))`\n );\n }\n return parts.join(' AND ');\n };\n\n const documentOn = (aliasA: string, aliasB: string) =>\n `${aliasA}.${docCol} = ${aliasB}.${docCol}`;\n\n const idIn = (sub: any) => ({ id: { $in: sub } });\n\n switch (mode) {\n case 'never-published': {\n if (status === 'published') {\n return idIn(emptyIdSelection(knex, table, idCol));\n }\n\n const sub = knex(`${table} as d`)\n .select(`d.${idCol}`)\n .whereNull(`d.${pubCol}`)\n .whereNotExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as p`)\n .whereRaw(pairOn('p', 'd'))\n .whereNotNull(`p.${pubCol}`);\n });\n\n return idIn(sub);\n }\n\n case 'has-published-version': {\n if (status === 'draft') {\n const sub = knex(`${table} as d`)\n .select(`d.${idCol}`)\n .whereNull(`d.${pubCol}`)\n .whereExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as p`)\n .whereRaw(pairOn('p', 'd'))\n .whereNotNull(`p.${pubCol}`);\n });\n\n return idIn(sub);\n }\n\n const sub = knex(`${table} as p`)\n .select(`p.${idCol}`)\n .whereNotNull(`p.${pubCol}`)\n .whereExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as d`)\n .whereRaw(pairOn('d', 'p'))\n .whereNull(`d.${pubCol}`);\n });\n\n return idIn(sub);\n }\n\n case 'modified': {\n if (status === 'draft') {\n const sub = knex(`${table} as d`)\n .select(`d.${idCol}`)\n .whereNull(`d.${pubCol}`)\n .whereExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as p`)\n .whereRaw(pairOn('p', 'd'))\n .whereNotNull(`p.${pubCol}`)\n .whereRaw(`d.${updatedCol} > p.${updatedCol}`);\n });\n\n return idIn(sub);\n }\n\n const sub = knex(`${table} as p`)\n .select(`p.${idCol}`)\n .whereNotNull(`p.${pubCol}`)\n .whereExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as d`)\n .whereRaw(pairOn('d', 'p'))\n .whereNull(`d.${pubCol}`)\n .whereRaw(`d.${updatedCol} > p.${updatedCol}`);\n });\n\n return idIn(sub);\n }\n\n case 'unmodified': {\n if (status === 'draft') {\n const sub = knex(`${table} as d`)\n .select(`d.${idCol}`)\n .whereNull(`d.${pubCol}`)\n .whereExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as p`)\n .whereRaw(pairOn('p', 'd'))\n .whereNotNull(`p.${pubCol}`)\n .whereRaw(`d.${updatedCol} <= p.${updatedCol}`);\n });\n\n return idIn(sub);\n }\n\n const sub = knex(`${table} as p`)\n .select(`p.${idCol}`)\n .whereNotNull(`p.${pubCol}`)\n .whereExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as d`)\n .whereRaw(pairOn('d', 'p'))\n .whereNull(`d.${pubCol}`)\n .whereRaw(`d.${updatedCol} <= p.${updatedCol}`);\n });\n\n return idIn(sub);\n }\n\n case 'never-published-document': {\n if (status === 'published') {\n return idIn(emptyIdSelection(knex, table, idCol));\n }\n\n const sub = knex(`${table} as d`)\n .select(`d.${idCol}`)\n .whereNull(`d.${pubCol}`)\n .whereNotExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as p`)\n .whereRaw(documentOn('p', 'd'))\n .whereNotNull(`p.${pubCol}`);\n });\n\n return idIn(sub);\n }\n\n case 'has-published-version-document': {\n if (status === 'draft') {\n const sub = knex(`${table} as d`)\n .select(`d.${idCol}`)\n .whereNull(`d.${pubCol}`)\n .whereExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as p`)\n .whereRaw(documentOn('p', 'd'))\n .whereNotNull(`p.${pubCol}`);\n });\n\n return idIn(sub);\n }\n\n const sub = knex(`${table} as p`)\n .select(`p.${idCol}`)\n .whereNotNull(`p.${pubCol}`)\n .whereExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as d`)\n .whereRaw(documentOn('d', 'p'))\n .whereNull(`d.${pubCol}`);\n });\n\n return idIn(sub);\n }\n\n case 'published-without-draft': {\n if (status === 'draft') {\n return idIn(emptyIdSelection(knex, table, idCol));\n }\n\n const sub = knex(`${table} as p`)\n .select(`p.${idCol}`)\n .whereNotNull(`p.${pubCol}`)\n .whereNotExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as d`)\n .whereRaw(pairOn('d', 'p'))\n .whereNull(`d.${pubCol}`);\n });\n\n return idIn(sub);\n }\n\n case 'published-with-draft': {\n if (status === 'draft') {\n return idIn(emptyIdSelection(knex, table, idCol));\n }\n\n const sub = knex(`${table} as p`)\n .select(`p.${idCol}`)\n .whereNotNull(`p.${pubCol}`)\n .whereExists(function (this: any) {\n this.select(knex.raw('1'))\n .from(`${table} as d`)\n .whereRaw(pairOn('d', 'p'))\n .whereNull(`d.${pubCol}`);\n });\n\n return idIn(sub);\n }\n\n default: {\n return null;\n }\n }\n};\n"],"names":["ALLOWED","parsePublicationFilter","value","undefined","includes","ValidationError","join","validatePublicationFilterQueryParam","e","prev","details","source","param","columnName","meta","attr","a","attributes","ApplicationError","tableName","emptyIdSelection","knex","table","idCol","select","whereRaw","buildPublicationFilterWhere","model","mode","status","hasDraftAndPublish","docCol","pubCol","updatedCol","hasLocale","Boolean","locale","localeCol","pairOn","aliasA","aliasB","parts","push","documentOn","idIn","sub","id","$in","whereNull","whereNotExists","raw","from","whereNotNull","whereExists"],"mappings":";;;AAcA,MAAMA,OAAAA,GAAmC;AACvC,IAAA,iBAAA;AACA,IAAA,uBAAA;AACA,IAAA,UAAA;AACA,IAAA,YAAA;AACA,IAAA,0BAAA;AACA,IAAA,gCAAA;AACA,IAAA,yBAAA;AACA,IAAA;AACD,CAAA;AAEM,MAAMC,yBAAyB,CAACC,KAAAA,GAAAA;IACrC,IAAIA,KAAAA,KAAUC,SAAAA,IAAaD,KAAAA,KAAU,IAAA,EAAM;QACzC,OAAOC,SAAAA;AACT,IAAA;AAEA,IAAA,IAAI,OAAOD,KAAAA,KAAU,QAAA,IAAY,OAACF,CAAqBI,QAAQ,CAACF,KAAAA,CAAAA,EAAQ;QACtE,OAAOA,KAAAA;AACT,IAAA;IAEA,MAAM,IAAIG,eAAAA,CACR,CAAC,wDAAwD,EAAEL,QAAQM,IAAI,CAAC,IAAA,CAAA,CAAM,CAAC,CAAC,CAAA;AAEpF;AAIA;;;IAIO,MAAMC,mCAAAA,GAAsC,CAACL,KAAAA,GAAAA;IAClD,IAAIA,KAAAA,KAAUC,SAAAA,IAAaD,KAAAA,KAAU,IAAA,EAAM;AACzC,QAAA;AACF,IAAA;IAEA,IAAI;QACFD,sBAAAA,CAAuBC,KAAAA,CAAAA;AACzB,IAAA,CAAA,CAAE,OAAOM,CAAAA,EAAG;AACV,QAAA,IAAIA,aAAaH,eAAAA,EAAiB;YAChC,MAAMI,IAAAA,GAAOD,EAAEE,OAAO;AACtBF,YAAAA,CAAAA,CAAEE,OAAO,GAAG;AACV,gBAAA,GAAID,QAAQ,OAAOA,IAAAA,KAAS,QAAA,GAAWA,IAAAA,GAAO,EAAE;gBAChDE,MAAAA,EAAQ,OAAA;gBACRC,KAAAA,EAAO;AACT,aAAA;AACF,QAAA;QACA,MAAMJ,CAAAA;AACR,IAAA;AACF;AAEA,MAAMK,UAAAA,GAAa,CAACC,IAAAA,EAAWC,IAAAA,GAAAA;AAC7B,IAAA,MAAMC,CAAAA,GAAIF,IAAAA,EAAMG,UAAAA,GAAaF,IAAAA,CAAK;AAClC,IAAA,IAAI,CAACC,CAAAA,EAAG;AACN,QAAA,MAAM,IAAIE,gBAAAA,CACR,CAAC,+CAA+C,EAAEH,IAAAA,CAAK,sCAAsC,EAAED,IAAAA,EAAMK,SAAAA,IAAa,WAAA,CAAY,EAAE,CAAC,CAAA;AAErI,IAAA;IACA,IAAI,EAAE,YAAA,IAAgBH,CAAAA,KAAM,CAACA,CAAAA,CAAEH,UAAU,EAAE;AACzC,QAAA,MAAM,IAAIK,gBAAAA,CACR,CAAC,+CAA+C,EAAEH,IAAAA,CAAK,YAAY,EAAED,IAAAA,EAAMK,SAAAA,IAAa,WAAA,CAAY,6BAA6B,CAAC,CAAA;AAEtI,IAAA;AACA,IAAA,OAAOH,EAAEH,UAAU;AACrB,CAAA;AAEA,MAAMO,mBAAmB,CAACC,IAAAA,EAAWC,KAAAA,EAAeC,KAAAA,GAClDF,KAAKC,KAAAA,CAAAA,CAAOE,MAAM,CAAC,CAAA,EAAGF,MAAM,CAAC,EAAEC,KAAAA,CAAAA,CAAO,CAAA,CAAEE,QAAQ,CAAC,OAAA,CAAA;AAEnD;;;AAGC,IACM,MAAMC,2BAAAA,GAA8B,CACzCL,IAAAA,EACAP,IAAAA,EACAa,OACAC,IAAAA,EACAC,MAAAA,GAAAA;AAEA,IAAA,IAAI,CAACF,KAAAA,IAAS,CAACG,kBAAAA,CAAmBH,KAAAA,CAAAA,EAAQ;QACxC,OAAO,IAAA;AACT,IAAA;IAEA,MAAML,KAAAA,GAAQR,KAAKK,SAAS;IAC5B,MAAMI,KAAAA,GAAQV,WAAWC,IAAAA,EAAM,IAAA,CAAA;IAC/B,MAAMiB,MAAAA,GAASlB,WAAWC,IAAAA,EAAM,YAAA,CAAA;IAChC,MAAMkB,MAAAA,GAASnB,WAAWC,IAAAA,EAAM,aAAA,CAAA;IAChC,MAAMmB,UAAAA,GAAapB,WAAWC,IAAAA,EAAM,WAAA,CAAA;AACpC,IAAA,MAAMoB,SAAAA,GAAYC,OAAAA,CAAQrB,IAAAA,CAAKG,UAAU,CAACmB,MAAM,CAAA;AAChD,IAAA,MAAMC,SAAAA,GAAYH,SAAAA,GAAYrB,UAAAA,CAAWC,IAAAA,EAAM,QAAA,CAAA,GAAY,IAAA;IAE3D,MAAMwB,MAAAA,GAAS,CAACC,MAAAA,EAAgBC,MAAAA,GAAAA;AAC9B,QAAA,MAAMC,KAAAA,GAAQ;YAAC,CAAA,EAAGF,MAAAA,CAAO,CAAC,EAAER,MAAAA,CAAO,GAAG,EAAES,MAAAA,CAAO,CAAC,EAAET,MAAAA,CAAAA;AAAS,SAAA;AAC3D,QAAA,IAAIM,SAAAA,EAAW;AACbI,YAAAA,KAAAA,CAAMC,IAAI,CACR,CAAC,CAAC,EAAEH,MAAAA,CAAO,CAAC,EAAEF,SAAAA,CAAU,GAAG,EAAEG,MAAAA,CAAO,CAAC,EAAEH,SAAAA,CAAU,KAAK,EAAEE,MAAAA,CAAO,CAAC,EAAEF,SAAAA,CAAU,aAAa,EAAEG,MAAAA,CAAO,CAAC,EAAEH,SAAAA,CAAU,UAAU,CAAC,CAAA;AAE9H,QAAA;QACA,OAAOI,KAAAA,CAAMnC,IAAI,CAAC,OAAA,CAAA;AACpB,IAAA,CAAA;AAEA,IAAA,MAAMqC,UAAAA,GAAa,CAACJ,MAAAA,EAAgBC,MAAAA,GAClC,GAAGD,MAAAA,CAAO,CAAC,EAAER,MAAAA,CAAO,GAAG,EAAES,MAAAA,CAAO,CAAC,EAAET,MAAAA,CAAAA,CAAQ;IAE7C,MAAMa,IAAAA,GAAO,CAACC,GAAAA,IAAc;YAAEC,EAAAA,EAAI;gBAAEC,GAAAA,EAAKF;AAAI;SAAE,CAAA;IAE/C,OAAQjB,IAAAA;QACN,KAAK,iBAAA;AAAmB,YAAA;AACtB,gBAAA,IAAIC,WAAW,WAAA,EAAa;oBAC1B,OAAOe,IAAAA,CAAKxB,gBAAAA,CAAiBC,IAAAA,EAAMC,KAAAA,EAAOC,KAAAA,CAAAA,CAAAA;AAC5C,gBAAA;gBAEA,MAAMsB,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnByB,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA,CACvBiB,cAAc,CAAC,WAAA;oBACd,IAAI,CAACzB,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,CAAA,EAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACa,MAAAA,CAAO,GAAA,EAAK,GAAA,CAAA,CAAA,CACrBc,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA;AAC/B,gBAAA,CAAA,CAAA;AAEF,gBAAA,OAAOY,IAAAA,CAAKC,GAAAA,CAAAA;AACd,YAAA;QAEA,KAAK,uBAAA;AAAyB,YAAA;AAC5B,gBAAA,IAAIhB,WAAW,OAAA,EAAS;oBACtB,MAAMgB,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnByB,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA,CACvBqB,WAAW,CAAC,WAAA;wBACX,IAAI,CAAC7B,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,CAAA,EAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACa,MAAAA,CAAO,GAAA,EAAK,GAAA,CAAA,CAAA,CACrBc,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA;AAC/B,oBAAA,CAAA,CAAA;AAEF,oBAAA,OAAOY,IAAAA,CAAKC,GAAAA,CAAAA;AACd,gBAAA;gBAEA,MAAMA,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnB6B,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA,CAC1BqB,WAAW,CAAC,WAAA;oBACX,IAAI,CAAC7B,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,CAAA,EAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACa,MAAAA,CAAO,GAAA,EAAK,GAAA,CAAA,CAAA,CACrBU,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA;AAC5B,gBAAA,CAAA,CAAA;AAEF,gBAAA,OAAOY,IAAAA,CAAKC,GAAAA,CAAAA;AACd,YAAA;QAEA,KAAK,UAAA;AAAY,YAAA;AACf,gBAAA,IAAIhB,WAAW,OAAA,EAAS;oBACtB,MAAMgB,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnByB,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA,CACvBqB,WAAW,CAAC,WAAA;AACX,wBAAA,IAAI,CAAC7B,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,GAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACa,MAAAA,CAAO,GAAA,EAAK,GAAA,CAAA,CAAA,CACrBc,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA,CAC1BP,QAAQ,CAAC,CAAC,EAAE,EAAEQ,UAAAA,CAAW,KAAK,EAAEA,UAAAA,CAAAA,CAAY,CAAA;AACjD,oBAAA,CAAA,CAAA;AAEF,oBAAA,OAAOW,IAAAA,CAAKC,GAAAA,CAAAA;AACd,gBAAA;gBAEA,MAAMA,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnB6B,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA,CAC1BqB,WAAW,CAAC,WAAA;AACX,oBAAA,IAAI,CAAC7B,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,GAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACa,MAAAA,CAAO,GAAA,EAAK,GAAA,CAAA,CAAA,CACrBU,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA,CACvBP,QAAQ,CAAC,CAAC,EAAE,EAAEQ,UAAAA,CAAW,KAAK,EAAEA,UAAAA,CAAAA,CAAY,CAAA;AACjD,gBAAA,CAAA,CAAA;AAEF,gBAAA,OAAOW,IAAAA,CAAKC,GAAAA,CAAAA;AACd,YAAA;QAEA,KAAK,YAAA;AAAc,YAAA;AACjB,gBAAA,IAAIhB,WAAW,OAAA,EAAS;oBACtB,MAAMgB,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnByB,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA,CACvBqB,WAAW,CAAC,WAAA;AACX,wBAAA,IAAI,CAAC7B,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,GAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACa,MAAAA,CAAO,GAAA,EAAK,GAAA,CAAA,CAAA,CACrBc,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA,CAC1BP,QAAQ,CAAC,CAAC,EAAE,EAAEQ,UAAAA,CAAW,MAAM,EAAEA,UAAAA,CAAAA,CAAY,CAAA;AAClD,oBAAA,CAAA,CAAA;AAEF,oBAAA,OAAOW,IAAAA,CAAKC,GAAAA,CAAAA;AACd,gBAAA;gBAEA,MAAMA,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnB6B,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA,CAC1BqB,WAAW,CAAC,WAAA;AACX,oBAAA,IAAI,CAAC7B,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,GAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACa,MAAAA,CAAO,GAAA,EAAK,GAAA,CAAA,CAAA,CACrBU,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA,CACvBP,QAAQ,CAAC,CAAC,EAAE,EAAEQ,UAAAA,CAAW,MAAM,EAAEA,UAAAA,CAAAA,CAAY,CAAA;AAClD,gBAAA,CAAA,CAAA;AAEF,gBAAA,OAAOW,IAAAA,CAAKC,GAAAA,CAAAA;AACd,YAAA;QAEA,KAAK,0BAAA;AAA4B,YAAA;AAC/B,gBAAA,IAAIhB,WAAW,WAAA,EAAa;oBAC1B,OAAOe,IAAAA,CAAKxB,gBAAAA,CAAiBC,IAAAA,EAAMC,KAAAA,EAAOC,KAAAA,CAAAA,CAAAA;AAC5C,gBAAA;gBAEA,MAAMsB,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnByB,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA,CACvBiB,cAAc,CAAC,WAAA;oBACd,IAAI,CAACzB,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,CAAA,EAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACkB,UAAAA,CAAW,GAAA,EAAK,GAAA,CAAA,CAAA,CACzBS,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA;AAC/B,gBAAA,CAAA,CAAA;AAEF,gBAAA,OAAOY,IAAAA,CAAKC,GAAAA,CAAAA;AACd,YAAA;QAEA,KAAK,gCAAA;AAAkC,YAAA;AACrC,gBAAA,IAAIhB,WAAW,OAAA,EAAS;oBACtB,MAAMgB,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnByB,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA,CACvBqB,WAAW,CAAC,WAAA;wBACX,IAAI,CAAC7B,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,CAAA,EAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACkB,UAAAA,CAAW,GAAA,EAAK,GAAA,CAAA,CAAA,CACzBS,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA;AAC/B,oBAAA,CAAA,CAAA;AAEF,oBAAA,OAAOY,IAAAA,CAAKC,GAAAA,CAAAA;AACd,gBAAA;gBAEA,MAAMA,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnB6B,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA,CAC1BqB,WAAW,CAAC,WAAA;oBACX,IAAI,CAAC7B,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,CAAA,EAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACkB,UAAAA,CAAW,GAAA,EAAK,GAAA,CAAA,CAAA,CACzBK,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA;AAC5B,gBAAA,CAAA,CAAA;AAEF,gBAAA,OAAOY,IAAAA,CAAKC,GAAAA,CAAAA;AACd,YAAA;QAEA,KAAK,yBAAA;AAA2B,YAAA;AAC9B,gBAAA,IAAIhB,WAAW,OAAA,EAAS;oBACtB,OAAOe,IAAAA,CAAKxB,gBAAAA,CAAiBC,IAAAA,EAAMC,KAAAA,EAAOC,KAAAA,CAAAA,CAAAA;AAC5C,gBAAA;gBAEA,MAAMsB,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnB6B,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA,CAC1BiB,cAAc,CAAC,WAAA;oBACd,IAAI,CAACzB,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,CAAA,EAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACa,MAAAA,CAAO,GAAA,EAAK,GAAA,CAAA,CAAA,CACrBU,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA;AAC5B,gBAAA,CAAA,CAAA;AAEF,gBAAA,OAAOY,IAAAA,CAAKC,GAAAA,CAAAA;AACd,YAAA;QAEA,KAAK,sBAAA;AAAwB,YAAA;AAC3B,gBAAA,IAAIhB,WAAW,OAAA,EAAS;oBACtB,OAAOe,IAAAA,CAAKxB,gBAAAA,CAAiBC,IAAAA,EAAMC,KAAAA,EAAOC,KAAAA,CAAAA,CAAAA;AAC5C,gBAAA;gBAEA,MAAMsB,GAAAA,GAAMxB,KAAK,CAAA,EAAGC,KAAAA,CAAM,KAAK,CAAC,CAAA,CAC7BE,MAAM,CAAC,CAAC,EAAE,EAAED,KAAAA,CAAAA,CAAO,CAAA,CACnB6B,YAAY,CAAC,CAAC,EAAE,EAAEpB,MAAAA,CAAAA,CAAQ,CAAA,CAC1BqB,WAAW,CAAC,WAAA;oBACX,IAAI,CAAC7B,MAAM,CAACH,IAAAA,CAAK6B,GAAG,CAAC,GAAA,CAAA,CAAA,CAClBC,IAAI,CAAC,CAAA,EAAG7B,KAAAA,CAAM,KAAK,CAAC,CAAA,CACpBG,QAAQ,CAACa,MAAAA,CAAO,GAAA,EAAK,GAAA,CAAA,CAAA,CACrBU,SAAS,CAAC,CAAC,EAAE,EAAEhB,MAAAA,CAAAA,CAAQ,CAAA;AAC5B,gBAAA,CAAA,CAAA;AAEF,gBAAA,OAAOY,IAAAA,CAAKC,GAAAA,CAAAA;AACd,YAAA;AAEA,QAAA;AAAS,YAAA;gBACP,OAAO,IAAA;AACT,YAAA;AACF;AACF;;;;"}
package/dist/sanitize/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitize/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAM1C,OAAO,EACL,KAAK,SAAS,EAGf,MAAM,6BAA6B,CAAC;AAGrC,OAAO,KAAK,QAAQ,MAAM,YAAY,CAAC;AACvC,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAI3C,OAAO,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAE5C,MAAM,WAAW,OAAO;IACtB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;;OAGG;IACH,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,SAAS;IACxB,CAAC,MAAM,EAAE,KAAK,GAAG,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACxD;AACD,MAAM,WAAW,YAAY;IAC3B,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACrE;AAED,MAAM,MAAM,yBAAyB,GAAG,CACtC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,KAAK,EACb,OAAO,CAAC,EAAE,OAAO,KACd,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,MAAM,wBAAwB,GAAG,CACrC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,KAAK,EACb,OAAO,CAAC,EAAE,OAAO,KACd,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,WAAW,UAAU;IACzB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,KAAK,CAAC;CACpC;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC;IACpB,MAAM,CAAC,EAAE,SAAS,EAAE,CAAC;CACtB;AAED,QAAA,MAAM,mBAAmB,SAAU,UAAU;;;mBAoHlC,OAAO,MAAM,EAAE,OAAO,CAAC,UACtB,KAAK,kCAC0B,OAAO;;;;;CAsHjD,CAAC;AAEF,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAErD,MAAM,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitize/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAM1C,OAAO,EACL,KAAK,SAAS,EAGf,MAAM,6BAA6B,CAAC;AAGrC,OAAO,KAAK,QAAQ,MAAM,YAAY,CAAC;AACvC,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAI3C,OAAO,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAG5C,MAAM,WAAW,OAAO;IACtB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;;OAGG;IACH,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,SAAS;IACxB,CAAC,MAAM,EAAE,KAAK,GAAG,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACxD;AACD,MAAM,WAAW,YAAY;IAC3B,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACrE;AAED,MAAM,MAAM,yBAAyB,GAAG,CACtC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,KAAK,EACb,OAAO,CAAC,EAAE,OAAO,KACd,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,MAAM,wBAAwB,GAAG,CACrC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,KAAK,EACb,OAAO,CAAC,EAAE,OAAO,KACd,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,WAAW,UAAU;IACzB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,KAAK,CAAC;CACpC;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC;IACpB,MAAM,CAAC,EAAE,SAAS,EAAE,CAAC;CACtB;AAED,QAAA,MAAM,mBAAmB,SAAU,UAAU;;;mBAoHlC,OAAO,MAAM,EAAE,OAAO,CAAC,UACtB,KAAK,kCAC0B,OAAO;;;;;CA0HjD,CAAC;AAEF,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAErD,MAAM,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC"}
package/dist/sanitize/index.js CHANGED
@@ -12,6 +12,7 @@ var queryFilters = require('../traverse/query-filters.js');
12
12
  var querySort = require('../traverse/query-sort.js');
13
13
  var queryPopulate = require('../traverse/query-populate.js');
14
14
  require('../traverse/query-fields.js');
15
+ var publicationFilter = require('../publication-filter.js');
15
16
  var removeUnrecognizedFields = require('./visitors/remove-unrecognized-fields.js');
16
17
  var removeRestrictedRelations = require('./visitors/remove-restricted-relations.js');
17
18
  var removeRestrictedFields = require('./visitors/remove-restricted-fields.js');
@@ -127,6 +128,9 @@ const createAPISanitizers = (opts)=>{
127
128
  }
128
129
  const { filters, sort, fields, populate } = query;
129
130
  const sanitizedQuery = fp.cloneDeep(query);
131
+ if ('publicationFilter' in sanitizedQuery) {
132
+ publicationFilter.validatePublicationFilterQueryParam(sanitizedQuery.publicationFilter);
133
+ }
130
134
  if (filters) {
131
135
  Object.assign(sanitizedQuery, {
132
136
  filters: await sanitizeFilters(filters, schema, {
package/dist/sanitize/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sources":["../../src/sanitize/index.ts"],"sourcesContent":["import { CurriedFunction1 } from 'lodash';\nimport { isArray, cloneDeep, omit, pick } from 'lodash/fp';\nimport type { z } from 'zod/v4';\n\nimport { constants, getNonWritableAttributes } from '../content-types';\nimport { ALLOWED_QUERY_PARAM_KEYS } from '../content-api-constants';\nimport {\n type RouteLike,\n getExtraQueryKeysFromRoute,\n getExtraRootKeysFromRouteBody,\n} from '../content-api-route-params';\nimport { pipe as pipeAsync } from '../async';\n\nimport * as visitors from './visitors';\nimport * as sanitizers from './sanitizers';\nimport traverseEntity from '../traverse-entity';\n\nimport { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } from '../traverse';\nimport type { Model, Data } from '../types';\n\nexport interface Options {\n auth?: unknown;\n /**\n * If true, removes fields that are not declared in the schema (input) or keeps only allowed query param keys (query).\n * Defaults to false for backward compatibility.\n * TODO: In Strapi 6, strictParams will default to true (and may be removed as an option)\n */\n strictParams?: boolean;\n /**\n * When set, extra query/input params are derived from the route's request schema (and validated/sanitized with Zod).\n * When absent, no extra params are allowed in strict mode.\n */\n route?: RouteLike;\n}\n\nexport interface Sanitizer {\n (schema: Model): CurriedFunction1<Data, Promise<Data>>;\n}\nexport interface SanitizeFunc {\n (data: unknown, schema: Model, options?: Options): Promise<unknown>;\n}\n\nexport type SanitizeQueryParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<unknown>;\n\nexport type SanitizeBodyParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<unknown>;\n\nexport interface APIOptions {\n sanitizers?: Sanitizers;\n getModel: (model: string) => Model;\n}\n\nexport interface Sanitizers {\n input?: Sanitizer[];\n output?: Sanitizer[];\n}\n\nconst createAPISanitizers = (opts: APIOptions) => {\n const { getModel } = opts;\n\n const sanitizeInput: SanitizeFunc = (\n data: unknown,\n schema: Model,\n { auth, strictParams = false, route } = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeInput');\n }\n if (isArray(data)) {\n return Promise.all(\n data.map((entry) => sanitizeInput(entry, schema, { auth, strictParams, route }))\n );\n }\n\n const allowedExtraRootKeys = getExtraRootKeysFromRouteBody(route);\n\n const nonWritableAttributes = getNonWritableAttributes(schema);\n\n const transforms = [\n // Remove first level ID in inputs\n omit(constants.ID_ATTRIBUTE),\n omit(constants.DOC_ID_ATTRIBUTE),\n // Remove non-writable attributes\n traverseEntity(visitors.removeRestrictedFields(nonWritableAttributes), { schema, getModel }),\n ];\n\n if (strictParams) {\n // Remove unrecognized fields (allowedExtraRootKeys = registered input param keys)\n transforms.push(\n traverseEntity(visitors.removeUnrecognizedFields, {\n schema,\n getModel,\n allowedExtraRootKeys,\n })\n );\n }\n\n if (auth) {\n // Remove restricted relations\n transforms.push(\n traverseEntity(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n // Apply sanitizers from registry if exists\n opts?.sanitizers?.input?.forEach((sanitizer: Sanitizer) => transforms.push(sanitizer(schema)));\n\n /**\n * For each extra root key from the route's body schema present in data, run Zod safeParse.\n * If parsing fails, the key is removed from the output.\n *\n * Content-api sends the document payload as body.data; the controller calls sanitizeInput(body.data, ctx),\n * so the input we receive here is the inner payload (keys like \"relatedMedia\", \"name\"), not the full body.\n * The route's body schema is z.object({ data: ... }), so its shape includes \"data\". We skip \"data\" because\n * the main document payload is already sanitized above by traverseEntity (removeUnrecognizedFields, etc.);\n * relation ops (connect/disconnect/set) are handled there, not by the route's Zod schema. We only run\n * Zod here for truly extra root keys added via addInputParams (e.g. clientMutationId).\n */\n const routeBodySanitizeTransform = async (data: Data): Promise<Data> => {\n if (!data || typeof data !== 'object' || Array.isArray(data)) return data;\n const obj = data as Record<string, unknown>;\n const bodySchema = route?.request?.body?.['application/json'];\n if (bodySchema && typeof bodySchema === 'object' && 'shape' in bodySchema) {\n const shape = (bodySchema as { shape: Record<string, z.ZodTypeAny> }).shape;\n for (const key of Object.keys(shape)) {\n if (key === 'data' || !(key in obj)) continue;\n const zodSchema = shape[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).safeParse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(obj[key]);\n if (result.success) {\n obj[key] = result.data;\n } else {\n delete obj[key];\n }\n }\n }\n }\n return data;\n };\n (transforms as Array<(data: Data) => Data | Promise<Data>>).push(routeBodySanitizeTransform);\n\n return pipeAsync(...transforms)(data as Data);\n };\n\n const sanitizeOutput: SanitizeFunc = async (data, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeOutput');\n }\n if (isArray(data)) {\n const res = new Array(data.length);\n for (let i = 0; i < data.length; i += 1) {\n res[i] = await sanitizeOutput(data[i], schema, { auth });\n }\n return res;\n }\n\n const transforms = [\n (data: Data) => sanitizers.defaultSanitizeOutput({ schema, getModel }, data),\n ];\n\n if (auth) {\n transforms.push(\n traverseEntity(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n // Apply sanitizers from registry if exists\n opts?.sanitizers?.output?.forEach((sanitizer: Sanitizer) => transforms.push(sanitizer(schema)));\n\n return pipeAsync(...transforms)(data as Data);\n };\n\n const sanitizeQuery = async (\n query: Record<string, unknown>,\n schema: Model,\n { auth, strictParams = false, route }: Options = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeQuery');\n }\n const { filters, sort, fields, populate } = query;\n\n const sanitizedQuery = cloneDeep(query);\n\n if (filters) {\n Object.assign(sanitizedQuery, { filters: await sanitizeFilters(filters, schema, { auth }) });\n }\n\n if (sort) {\n Object.assign(sanitizedQuery, { sort: await sanitizeSort(sort, schema, { auth }) });\n }\n\n if (fields) {\n Object.assign(sanitizedQuery, { fields: await sanitizeFields(fields, schema) });\n }\n\n if (populate) {\n Object.assign(sanitizedQuery, { populate: await sanitizePopulate(populate, schema) });\n }\n\n const extraQueryKeys = getExtraQueryKeysFromRoute(route);\n const routeQuerySchema = route?.request?.query;\n if (routeQuerySchema) {\n for (const key of extraQueryKeys) {\n if (key in query) {\n const zodSchema = routeQuerySchema[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).safeParse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(query[key]);\n if (result.success) {\n sanitizedQuery[key] = result.data;\n } else {\n delete sanitizedQuery[key];\n }\n }\n }\n }\n }\n\n if (strictParams) {\n const allowedKeys = [...ALLOWED_QUERY_PARAM_KEYS, ...extraQueryKeys];\n return pick(allowedKeys, sanitizedQuery) as Record<string, unknown>;\n }\n\n return sanitizedQuery;\n };\n\n const sanitizeFilters: SanitizeFunc = (filters, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeFilters');\n }\n if (isArray(filters)) {\n return Promise.all(filters.map((filter) => sanitizeFilters(filter, schema, { auth })));\n }\n\n const transforms = [sanitizers.defaultSanitizeFilters({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryFilters(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(filters);\n };\n\n const sanitizeSort: SanitizeFunc = (sort, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeSort');\n }\n const transforms = [sanitizers.defaultSanitizeSort({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQuerySort(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(sort);\n };\n\n const sanitizeFields: SanitizeFunc = (fields, schema: Model) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeFields');\n }\n const transforms = [sanitizers.defaultSanitizeFields({ schema, getModel })];\n\n return pipeAsync(...transforms)(fields);\n };\n\n const sanitizePopulate: SanitizeFunc = (populate, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizePopulate');\n }\n const transforms = [sanitizers.defaultSanitizePopulate({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryPopulate(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(populate);\n };\n\n return {\n input: sanitizeInput,\n output: sanitizeOutput,\n query: sanitizeQuery,\n filters: sanitizeFilters,\n sort: sanitizeSort,\n fields: sanitizeFields,\n populate: sanitizePopulate,\n };\n};\n\nexport { createAPISanitizers, sanitizers, visitors };\n\nexport type APISanitiers = ReturnType<typeof createAPISanitizers>;\n"],"names":["createAPISanitizers","opts","getModel","sanitizeInput","data","schema","auth","strictParams","route","Error","isArray","Promise","all","map","entry","allowedExtraRootKeys","getExtraRootKeysFromRouteBody","nonWritableAttributes","getNonWritableAttributes","transforms","omit","constants","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","traverseEntity","visitors","push","sanitizers","input","forEach","sanitizer","routeBodySanitizeTransform","Array","obj","bodySchema","request","body","shape","key","Object","keys","zodSchema","safeParse","result","success","pipeAsync","sanitizeOutput","res","length","i","output","sanitizeQuery","query","filters","sort","fields","populate","sanitizedQuery","cloneDeep","assign","sanitizeFilters","sanitizeSort","sanitizeFields","sanitizePopulate","extraQueryKeys","getExtraQueryKeysFromRoute","routeQuerySchema","allowedKeys","ALLOWED_QUERY_PARAM_KEYS","pick","filter","traverseQueryFilters","traverseQuerySort","traverseQueryPopulate"],"mappings":";;;;;;;;;;;;;;;;;;AAgEA,MAAMA,sBAAsB,CAACC,IAAAA,GAAAA;IAC3B,MAAM,EAAEC,QAAQ,EAAE,GAAGD,IAAAA;AAErB,IAAA,MAAME,aAAAA,GAA8B,CAClCC,IAAAA,EACAC,MAAAA,EACA,EAAEC,IAAI,EAAEC,YAAAA,GAAe,KAAK,EAAEC,KAAK,EAAE,GAAG,EAAE,GAAA;AAE1C,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,WAAQN,IAAAA,CAAAA,EAAO;YACjB,OAAOO,OAAAA,CAAQC,GAAG,CAChBR,IAAAA,CAAKS,GAAG,CAAC,CAACC,KAAAA,GAAUX,aAAAA,CAAcW,KAAAA,EAAOT,MAAAA,EAAQ;AAAEC,oBAAAA,IAAAA;AAAMC,oBAAAA,YAAAA;AAAcC,oBAAAA;AAAM,iBAAA,CAAA,CAAA,CAAA;AAEjF,QAAA;AAEA,QAAA,MAAMO,uBAAuBC,mDAAAA,CAA8BR,KAAAA,CAAAA;AAE3D,QAAA,MAAMS,wBAAwBC,qCAAAA,CAAyBb,MAAAA,CAAAA;AAEvD,QAAA,MAAMc,UAAAA,GAAa;;AAEjBC,YAAAA,OAAAA,CAAKC,uBAAUC,YAAY,CAAA;AAC3BF,YAAAA,OAAAA,CAAKC,uBAAUE,gBAAgB,CAAA;;YAE/BC,cAAAA,CAAeC,sBAA+B,CAACR,qBAAAA,CAAAA,EAAwB;AAAEZ,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAC3F,SAAA;AAED,QAAA,IAAIK,YAAAA,EAAc;;AAEhBY,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,wBAAiC,EAAE;AAChDpB,gBAAAA,MAAAA;AACAH,gBAAAA,QAAAA;AACAa,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;AAEA,QAAA,IAAIT,IAAAA,EAAM;;AAERa,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEhF,QAAA;;QAGAD,IAAAA,EAAM0B,UAAAA,EAAYC,OAAOC,OAAAA,CAAQ,CAACC,YAAyBX,UAAAA,CAAWO,IAAI,CAACI,SAAAA,CAAUzB,MAAAA,CAAAA,CAAAA,CAAAA;AAErF;;;;;;;;;;QAWA,MAAM0B,6BAA6B,OAAO3B,IAAAA,GAAAA;YACxC,IAAI,CAACA,QAAQ,OAAOA,IAAAA,KAAS,YAAY4B,KAAAA,CAAMtB,OAAO,CAACN,IAAAA,CAAAA,EAAO,OAAOA,IAAAA;AACrE,YAAA,MAAM6B,GAAAA,GAAM7B,IAAAA;AACZ,YAAA,MAAM8B,UAAAA,GAAa1B,KAAAA,EAAO2B,OAAAA,EAASC,IAAAA,GAAO,kBAAA,CAAmB;AAC7D,YAAA,IAAIF,UAAAA,IAAc,OAAOA,UAAAA,KAAe,QAAA,IAAY,WAAWA,UAAAA,EAAY;gBACzE,MAAMG,KAAAA,GAAQ,UAACH,CAAuDG,KAAK;AAC3E,gBAAA,KAAK,MAAMC,GAAAA,IAAOC,MAAAA,CAAOC,IAAI,CAACH,KAAAA,CAAAA,CAAQ;AACpC,oBAAA,IAAIC,QAAQ,MAAA,IAAU,EAAEA,GAAAA,IAAOL,GAAE,CAAA,EAAI;oBACrC,MAAMQ,SAAAA,GAAYJ,KAAK,CAACC,GAAAA,CAAI;AAC5B,oBAAA,IAAIG,aAAa,OAAQA,SAAAA,CAA2BC,SAAS,KAAK,UAAA,EAAY;AAC5E,wBAAA,MAAMC,SAAS,SAACF,CAA2BC,SAAS,CAACT,GAAG,CAACK,GAAAA,CAAI,CAAA;wBAC7D,IAAIK,MAAAA,CAAOC,OAAO,EAAE;AAClBX,4BAAAA,GAAG,CAACK,GAAAA,CAAI,GAAGK,MAAAA,CAAOvC,IAAI;wBACxB,CAAA,MAAO;4BACL,OAAO6B,GAAG,CAACK,GAAAA,CAAI;AACjB,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;YACA,OAAOlC,IAAAA;AACT,QAAA,CAAA;AACCe,QAAAA,UAAAA,CAA2DO,IAAI,CAACK,0BAAAA,CAAAA;AAEjE,QAAA,OAAOc,cAAa1B,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAM0C,cAAAA,GAA+B,OAAO1C,IAAAA,EAAMC,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC5E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,WAAQN,IAAAA,CAAAA,EAAO;AACjB,YAAA,MAAM2C,GAAAA,GAAM,IAAIf,KAAAA,CAAM5B,IAAAA,CAAK4C,MAAM,CAAA;YACjC,IAAK,IAAIC,IAAI,CAAA,EAAGA,CAAAA,GAAI7C,KAAK4C,MAAM,EAAEC,KAAK,CAAA,CAAG;gBACvCF,GAAG,CAACE,EAAE,GAAG,MAAMH,eAAe1C,IAAI,CAAC6C,CAAAA,CAAE,EAAE5C,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA,CAAA;AACxD,YAAA;YACA,OAAOyC,GAAAA;AACT,QAAA;AAEA,QAAA,MAAM5B,UAAAA,GAAa;YACjB,CAACf,IAAAA,GAAeuB,gCAAgC,CAAC;AAAEtB,oBAAAA,MAAAA;AAAQH,oBAAAA;iBAAS,EAAGE,IAAAA;AACxE,SAAA;AAED,QAAA,IAAIE,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEhF,QAAA;;QAGAD,IAAAA,EAAM0B,UAAAA,EAAYuB,QAAQrB,OAAAA,CAAQ,CAACC,YAAyBX,UAAAA,CAAWO,IAAI,CAACI,SAAAA,CAAUzB,MAAAA,CAAAA,CAAAA,CAAAA;AAEtF,QAAA,OAAOwC,cAAa1B,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;AAClC,IAAA,CAAA;AAEA,IAAA,MAAM+C,aAAAA,GAAgB,OACpBC,KAAAA,EACA/C,MAAAA,EACA,EAAEC,IAAI,EAAEC,YAAAA,GAAe,KAAK,EAAEC,KAAK,EAAW,GAAG,EAAE,GAAA;AAEnD,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;QACA,MAAM,EAAE4C,OAAO,EAAEC,IAAI,EAAEC,MAAM,EAAEC,QAAQ,EAAE,GAAGJ,KAAAA;AAE5C,QAAA,MAAMK,iBAAiBC,YAAAA,CAAUN,KAAAA,CAAAA;AAEjC,QAAA,IAAIC,OAAAA,EAAS;YACXd,MAAAA,CAAOoB,MAAM,CAACF,cAAAA,EAAgB;gBAAEJ,OAAAA,EAAS,MAAMO,eAAAA,CAAgBP,OAAAA,EAAShD,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA;AAAG,aAAA,CAAA;AAC5F,QAAA;AAEA,QAAA,IAAIgD,IAAAA,EAAM;YACRf,MAAAA,CAAOoB,MAAM,CAACF,cAAAA,EAAgB;gBAAEH,IAAAA,EAAM,MAAMO,YAAAA,CAAaP,IAAAA,EAAMjD,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA;AAAG,aAAA,CAAA;AACnF,QAAA;AAEA,QAAA,IAAIiD,MAAAA,EAAQ;YACVhB,MAAAA,CAAOoB,MAAM,CAACF,cAAAA,EAAgB;gBAAEF,MAAAA,EAAQ,MAAMO,eAAeP,MAAAA,EAAQlD,MAAAA;AAAQ,aAAA,CAAA;AAC/E,QAAA;AAEA,QAAA,IAAImD,QAAAA,EAAU;YACZjB,MAAAA,CAAOoB,MAAM,CAACF,cAAAA,EAAgB;gBAAED,QAAAA,EAAU,MAAMO,iBAAiBP,QAAAA,EAAUnD,MAAAA;AAAQ,aAAA,CAAA;AACrF,QAAA;AAEA,QAAA,MAAM2D,iBAAiBC,gDAAAA,CAA2BzD,KAAAA,CAAAA;QAClD,MAAM0D,gBAAAA,GAAmB1D,OAAO2B,OAAAA,EAASiB,KAAAA;AACzC,QAAA,IAAIc,gBAAAA,EAAkB;YACpB,KAAK,MAAM5B,OAAO0B,cAAAA,CAAgB;AAChC,gBAAA,IAAI1B,OAAOc,KAAAA,EAAO;oBAChB,MAAMX,SAAAA,GAAYyB,gBAAgB,CAAC5B,GAAAA,CAAI;AACvC,oBAAA,IAAIG,aAAa,OAAQA,SAAAA,CAA2BC,SAAS,KAAK,UAAA,EAAY;AAC5E,wBAAA,MAAMC,SAAS,SAACF,CAA2BC,SAAS,CAACU,KAAK,CAACd,GAAAA,CAAI,CAAA;wBAC/D,IAAIK,MAAAA,CAAOC,OAAO,EAAE;AAClBa,4BAAAA,cAAc,CAACnB,GAAAA,CAAI,GAAGK,MAAAA,CAAOvC,IAAI;wBACnC,CAAA,MAAO;4BACL,OAAOqD,cAAc,CAACnB,GAAAA,CAAI;AAC5B,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA;AAEA,QAAA,IAAI/B,YAAAA,EAAc;AAChB,YAAA,MAAM4D,WAAAA,GAAc;AAAIC,gBAAAA,GAAAA,4CAAAA;AAA6BJ,gBAAAA,GAAAA;AAAe,aAAA;AACpE,YAAA,OAAOK,QAAKF,WAAAA,EAAaV,cAAAA,CAAAA;AAC3B,QAAA;QAEA,OAAOA,cAAAA;AACT,IAAA,CAAA;IAEA,MAAMG,eAAAA,GAAgC,CAACP,OAAAA,EAAShD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC1E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,mCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,WAAQ2C,OAAAA,CAAAA,EAAU;YACpB,OAAO1C,OAAAA,CAAQC,GAAG,CAACyC,OAAAA,CAAQxC,GAAG,CAAC,CAACyD,MAAAA,GAAWV,eAAAA,CAAgBU,MAAAA,EAAQjE,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA,CAAA,CAAA,CAAA;AACpF,QAAA;AAEA,QAAA,MAAMa,UAAAA,GAAa;AAACQ,YAAAA,iCAAiC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE5E,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACb6C,YAAAA,CAAqB9C,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEtF,QAAA;AAEA,QAAA,OAAO2C,cAAa1B,UAAAA,CAAAA,CAAYkC,OAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMQ,YAAAA,GAA6B,CAACP,IAAAA,EAAMjD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AACpE,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,gCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,8BAA8B,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAEzE,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACb8C,SAAAA,CAAkB/C,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEnF,QAAA;AAEA,QAAA,OAAO2C,cAAa1B,UAAAA,CAAAA,CAAYmC,IAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMQ,cAAAA,GAA+B,CAACP,MAAAA,EAAQlD,MAAAA,GAAAA;AAC5C,QAAA,IAAI,CAACA,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,gCAAgC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE3E,QAAA,OAAO2C,cAAa1B,UAAAA,CAAAA,CAAYoC,MAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMQ,gBAAAA,GAAiC,CAACP,QAAAA,EAAUnD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC5E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,oCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,kCAAkC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE7E,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACb+C,aAAAA,CAAsBhD,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEvF,QAAA;AAEA,QAAA,OAAO2C,cAAa1B,UAAAA,CAAAA,CAAYqC,QAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,OAAO;QACL5B,KAAAA,EAAOzB,aAAAA;QACP+C,MAAAA,EAAQJ,cAAAA;QACRM,KAAAA,EAAOD,aAAAA;QACPE,OAAAA,EAASO,eAAAA;QACTN,IAAAA,EAAMO,YAAAA;QACNN,MAAAA,EAAQO,cAAAA;QACRN,QAAAA,EAAUO;AACZ,KAAA;AACF;;;;;;"}
1
+ {"version":3,"file":"index.js","sources":["../../src/sanitize/index.ts"],"sourcesContent":["import { CurriedFunction1 } from 'lodash';\nimport { isArray, cloneDeep, omit, pick } from 'lodash/fp';\nimport type { z } from 'zod/v4';\n\nimport { constants, getNonWritableAttributes } from '../content-types';\nimport { ALLOWED_QUERY_PARAM_KEYS } from '../content-api-constants';\nimport {\n type RouteLike,\n getExtraQueryKeysFromRoute,\n getExtraRootKeysFromRouteBody,\n} from '../content-api-route-params';\nimport { pipe as pipeAsync } from '../async';\n\nimport * as visitors from './visitors';\nimport * as sanitizers from './sanitizers';\nimport traverseEntity from '../traverse-entity';\n\nimport { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } from '../traverse';\nimport type { Model, Data } from '../types';\nimport { validatePublicationFilterQueryParam } from '../publication-filter';\n\nexport interface Options {\n auth?: unknown;\n /**\n * If true, removes fields that are not declared in the schema (input) or keeps only allowed query param keys (query).\n * Defaults to false for backward compatibility.\n * TODO: In Strapi 6, strictParams will default to true (and may be removed as an option)\n */\n strictParams?: boolean;\n /**\n * When set, extra query/input params are derived from the route's request schema (and validated/sanitized with Zod).\n * When absent, no extra params are allowed in strict mode.\n */\n route?: RouteLike;\n}\n\nexport interface Sanitizer {\n (schema: Model): CurriedFunction1<Data, Promise<Data>>;\n}\nexport interface SanitizeFunc {\n (data: unknown, schema: Model, options?: Options): Promise<unknown>;\n}\n\nexport type SanitizeQueryParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<unknown>;\n\nexport type SanitizeBodyParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<unknown>;\n\nexport interface APIOptions {\n sanitizers?: Sanitizers;\n getModel: (model: string) => Model;\n}\n\nexport interface Sanitizers {\n input?: Sanitizer[];\n output?: Sanitizer[];\n}\n\nconst createAPISanitizers = (opts: APIOptions) => {\n const { getModel } = opts;\n\n const sanitizeInput: SanitizeFunc = (\n data: unknown,\n schema: Model,\n { auth, strictParams = false, route } = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeInput');\n }\n if (isArray(data)) {\n return Promise.all(\n data.map((entry) => sanitizeInput(entry, schema, { auth, strictParams, route }))\n );\n }\n\n const allowedExtraRootKeys = getExtraRootKeysFromRouteBody(route);\n\n const nonWritableAttributes = getNonWritableAttributes(schema);\n\n const transforms = [\n // Remove first level ID in inputs\n omit(constants.ID_ATTRIBUTE),\n omit(constants.DOC_ID_ATTRIBUTE),\n // Remove non-writable attributes\n traverseEntity(visitors.removeRestrictedFields(nonWritableAttributes), { schema, getModel }),\n ];\n\n if (strictParams) {\n // Remove unrecognized fields (allowedExtraRootKeys = registered input param keys)\n transforms.push(\n traverseEntity(visitors.removeUnrecognizedFields, {\n schema,\n getModel,\n allowedExtraRootKeys,\n })\n );\n }\n\n if (auth) {\n // Remove restricted relations\n transforms.push(\n traverseEntity(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n // Apply sanitizers from registry if exists\n opts?.sanitizers?.input?.forEach((sanitizer: Sanitizer) => transforms.push(sanitizer(schema)));\n\n /**\n * For each extra root key from the route's body schema present in data, run Zod safeParse.\n * If parsing fails, the key is removed from the output.\n *\n * Content-api sends the document payload as body.data; the controller calls sanitizeInput(body.data, ctx),\n * so the input we receive here is the inner payload (keys like \"relatedMedia\", \"name\"), not the full body.\n * The route's body schema is z.object({ data: ... }), so its shape includes \"data\". We skip \"data\" because\n * the main document payload is already sanitized above by traverseEntity (removeUnrecognizedFields, etc.);\n * relation ops (connect/disconnect/set) are handled there, not by the route's Zod schema. We only run\n * Zod here for truly extra root keys added via addInputParams (e.g. clientMutationId).\n */\n const routeBodySanitizeTransform = async (data: Data): Promise<Data> => {\n if (!data || typeof data !== 'object' || Array.isArray(data)) return data;\n const obj = data as Record<string, unknown>;\n const bodySchema = route?.request?.body?.['application/json'];\n if (bodySchema && typeof bodySchema === 'object' && 'shape' in bodySchema) {\n const shape = (bodySchema as { shape: Record<string, z.ZodTypeAny> }).shape;\n for (const key of Object.keys(shape)) {\n if (key === 'data' || !(key in obj)) continue;\n const zodSchema = shape[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).safeParse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(obj[key]);\n if (result.success) {\n obj[key] = result.data;\n } else {\n delete obj[key];\n }\n }\n }\n }\n return data;\n };\n (transforms as Array<(data: Data) => Data | Promise<Data>>).push(routeBodySanitizeTransform);\n\n return pipeAsync(...transforms)(data as Data);\n };\n\n const sanitizeOutput: SanitizeFunc = async (data, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeOutput');\n }\n if (isArray(data)) {\n const res = new Array(data.length);\n for (let i = 0; i < data.length; i += 1) {\n res[i] = await sanitizeOutput(data[i], schema, { auth });\n }\n return res;\n }\n\n const transforms = [\n (data: Data) => sanitizers.defaultSanitizeOutput({ schema, getModel }, data),\n ];\n\n if (auth) {\n transforms.push(\n traverseEntity(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n // Apply sanitizers from registry if exists\n opts?.sanitizers?.output?.forEach((sanitizer: Sanitizer) => transforms.push(sanitizer(schema)));\n\n return pipeAsync(...transforms)(data as Data);\n };\n\n const sanitizeQuery = async (\n query: Record<string, unknown>,\n schema: Model,\n { auth, strictParams = false, route }: Options = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeQuery');\n }\n const { filters, sort, fields, populate } = query;\n\n const sanitizedQuery = cloneDeep(query);\n\n if ('publicationFilter' in sanitizedQuery) {\n validatePublicationFilterQueryParam(sanitizedQuery.publicationFilter);\n }\n\n if (filters) {\n Object.assign(sanitizedQuery, { filters: await sanitizeFilters(filters, schema, { auth }) });\n }\n\n if (sort) {\n Object.assign(sanitizedQuery, { sort: await sanitizeSort(sort, schema, { auth }) });\n }\n\n if (fields) {\n Object.assign(sanitizedQuery, { fields: await sanitizeFields(fields, schema) });\n }\n\n if (populate) {\n Object.assign(sanitizedQuery, { populate: await sanitizePopulate(populate, schema) });\n }\n\n const extraQueryKeys = getExtraQueryKeysFromRoute(route);\n const routeQuerySchema = route?.request?.query;\n if (routeQuerySchema) {\n for (const key of extraQueryKeys) {\n if (key in query) {\n const zodSchema = routeQuerySchema[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).safeParse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(query[key]);\n if (result.success) {\n sanitizedQuery[key] = result.data;\n } else {\n delete sanitizedQuery[key];\n }\n }\n }\n }\n }\n\n if (strictParams) {\n const allowedKeys = [...ALLOWED_QUERY_PARAM_KEYS, ...extraQueryKeys];\n return pick(allowedKeys, sanitizedQuery) as Record<string, unknown>;\n }\n\n return sanitizedQuery;\n };\n\n const sanitizeFilters: SanitizeFunc = (filters, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeFilters');\n }\n if (isArray(filters)) {\n return Promise.all(filters.map((filter) => sanitizeFilters(filter, schema, { auth })));\n }\n\n const transforms = [sanitizers.defaultSanitizeFilters({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryFilters(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(filters);\n };\n\n const sanitizeSort: SanitizeFunc = (sort, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeSort');\n }\n const transforms = [sanitizers.defaultSanitizeSort({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQuerySort(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(sort);\n };\n\n const sanitizeFields: SanitizeFunc = (fields, schema: Model) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeFields');\n }\n const transforms = [sanitizers.defaultSanitizeFields({ schema, getModel })];\n\n return pipeAsync(...transforms)(fields);\n };\n\n const sanitizePopulate: SanitizeFunc = (populate, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizePopulate');\n }\n const transforms = [sanitizers.defaultSanitizePopulate({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryPopulate(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(populate);\n };\n\n return {\n input: sanitizeInput,\n output: sanitizeOutput,\n query: sanitizeQuery,\n filters: sanitizeFilters,\n sort: sanitizeSort,\n fields: sanitizeFields,\n populate: sanitizePopulate,\n };\n};\n\nexport { createAPISanitizers, sanitizers, visitors };\n\nexport type APISanitiers = ReturnType<typeof createAPISanitizers>;\n"],"names":["createAPISanitizers","opts","getModel","sanitizeInput","data","schema","auth","strictParams","route","Error","isArray","Promise","all","map","entry","allowedExtraRootKeys","getExtraRootKeysFromRouteBody","nonWritableAttributes","getNonWritableAttributes","transforms","omit","constants","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","traverseEntity","visitors","push","sanitizers","input","forEach","sanitizer","routeBodySanitizeTransform","Array","obj","bodySchema","request","body","shape","key","Object","keys","zodSchema","safeParse","result","success","pipeAsync","sanitizeOutput","res","length","i","output","sanitizeQuery","query","filters","sort","fields","populate","sanitizedQuery","cloneDeep","validatePublicationFilterQueryParam","publicationFilter","assign","sanitizeFilters","sanitizeSort","sanitizeFields","sanitizePopulate","extraQueryKeys","getExtraQueryKeysFromRoute","routeQuerySchema","allowedKeys","ALLOWED_QUERY_PARAM_KEYS","pick","filter","traverseQueryFilters","traverseQuerySort","traverseQueryPopulate"],"mappings":";;;;;;;;;;;;;;;;;;;AAiEA,MAAMA,sBAAsB,CAACC,IAAAA,GAAAA;IAC3B,MAAM,EAAEC,QAAQ,EAAE,GAAGD,IAAAA;AAErB,IAAA,MAAME,aAAAA,GAA8B,CAClCC,IAAAA,EACAC,MAAAA,EACA,EAAEC,IAAI,EAAEC,YAAAA,GAAe,KAAK,EAAEC,KAAK,EAAE,GAAG,EAAE,GAAA;AAE1C,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,WAAQN,IAAAA,CAAAA,EAAO;YACjB,OAAOO,OAAAA,CAAQC,GAAG,CAChBR,IAAAA,CAAKS,GAAG,CAAC,CAACC,KAAAA,GAAUX,aAAAA,CAAcW,KAAAA,EAAOT,MAAAA,EAAQ;AAAEC,oBAAAA,IAAAA;AAAMC,oBAAAA,YAAAA;AAAcC,oBAAAA;AAAM,iBAAA,CAAA,CAAA,CAAA;AAEjF,QAAA;AAEA,QAAA,MAAMO,uBAAuBC,mDAAAA,CAA8BR,KAAAA,CAAAA;AAE3D,QAAA,MAAMS,wBAAwBC,qCAAAA,CAAyBb,MAAAA,CAAAA;AAEvD,QAAA,MAAMc,UAAAA,GAAa;;AAEjBC,YAAAA,OAAAA,CAAKC,uBAAUC,YAAY,CAAA;AAC3BF,YAAAA,OAAAA,CAAKC,uBAAUE,gBAAgB,CAAA;;YAE/BC,cAAAA,CAAeC,sBAA+B,CAACR,qBAAAA,CAAAA,EAAwB;AAAEZ,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAC3F,SAAA;AAED,QAAA,IAAIK,YAAAA,EAAc;;AAEhBY,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,wBAAiC,EAAE;AAChDpB,gBAAAA,MAAAA;AACAH,gBAAAA,QAAAA;AACAa,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;AAEA,QAAA,IAAIT,IAAAA,EAAM;;AAERa,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEhF,QAAA;;QAGAD,IAAAA,EAAM0B,UAAAA,EAAYC,OAAOC,OAAAA,CAAQ,CAACC,YAAyBX,UAAAA,CAAWO,IAAI,CAACI,SAAAA,CAAUzB,MAAAA,CAAAA,CAAAA,CAAAA;AAErF;;;;;;;;;;QAWA,MAAM0B,6BAA6B,OAAO3B,IAAAA,GAAAA;YACxC,IAAI,CAACA,QAAQ,OAAOA,IAAAA,KAAS,YAAY4B,KAAAA,CAAMtB,OAAO,CAACN,IAAAA,CAAAA,EAAO,OAAOA,IAAAA;AACrE,YAAA,MAAM6B,GAAAA,GAAM7B,IAAAA;AACZ,YAAA,MAAM8B,UAAAA,GAAa1B,KAAAA,EAAO2B,OAAAA,EAASC,IAAAA,GAAO,kBAAA,CAAmB;AAC7D,YAAA,IAAIF,UAAAA,IAAc,OAAOA,UAAAA,KAAe,QAAA,IAAY,WAAWA,UAAAA,EAAY;gBACzE,MAAMG,KAAAA,GAAQ,UAACH,CAAuDG,KAAK;AAC3E,gBAAA,KAAK,MAAMC,GAAAA,IAAOC,MAAAA,CAAOC,IAAI,CAACH,KAAAA,CAAAA,CAAQ;AACpC,oBAAA,IAAIC,QAAQ,MAAA,IAAU,EAAEA,GAAAA,IAAOL,GAAE,CAAA,EAAI;oBACrC,MAAMQ,SAAAA,GAAYJ,KAAK,CAACC,GAAAA,CAAI;AAC5B,oBAAA,IAAIG,aAAa,OAAQA,SAAAA,CAA2BC,SAAS,KAAK,UAAA,EAAY;AAC5E,wBAAA,MAAMC,SAAS,SAACF,CAA2BC,SAAS,CAACT,GAAG,CAACK,GAAAA,CAAI,CAAA;wBAC7D,IAAIK,MAAAA,CAAOC,OAAO,EAAE;AAClBX,4BAAAA,GAAG,CAACK,GAAAA,CAAI,GAAGK,MAAAA,CAAOvC,IAAI;wBACxB,CAAA,MAAO;4BACL,OAAO6B,GAAG,CAACK,GAAAA,CAAI;AACjB,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;YACA,OAAOlC,IAAAA;AACT,QAAA,CAAA;AACCe,QAAAA,UAAAA,CAA2DO,IAAI,CAACK,0BAAAA,CAAAA;AAEjE,QAAA,OAAOc,cAAa1B,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAM0C,cAAAA,GAA+B,OAAO1C,IAAAA,EAAMC,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC5E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,WAAQN,IAAAA,CAAAA,EAAO;AACjB,YAAA,MAAM2C,GAAAA,GAAM,IAAIf,KAAAA,CAAM5B,IAAAA,CAAK4C,MAAM,CAAA;YACjC,IAAK,IAAIC,IAAI,CAAA,EAAGA,CAAAA,GAAI7C,KAAK4C,MAAM,EAAEC,KAAK,CAAA,CAAG;gBACvCF,GAAG,CAACE,EAAE,GAAG,MAAMH,eAAe1C,IAAI,CAAC6C,CAAAA,CAAE,EAAE5C,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA,CAAA;AACxD,YAAA;YACA,OAAOyC,GAAAA;AACT,QAAA;AAEA,QAAA,MAAM5B,UAAAA,GAAa;YACjB,CAACf,IAAAA,GAAeuB,gCAAgC,CAAC;AAAEtB,oBAAAA,MAAAA;AAAQH,oBAAAA;iBAAS,EAAGE,IAAAA;AACxE,SAAA;AAED,QAAA,IAAIE,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEhF,QAAA;;QAGAD,IAAAA,EAAM0B,UAAAA,EAAYuB,QAAQrB,OAAAA,CAAQ,CAACC,YAAyBX,UAAAA,CAAWO,IAAI,CAACI,SAAAA,CAAUzB,MAAAA,CAAAA,CAAAA,CAAAA;AAEtF,QAAA,OAAOwC,cAAa1B,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;AAClC,IAAA,CAAA;AAEA,IAAA,MAAM+C,aAAAA,GAAgB,OACpBC,KAAAA,EACA/C,MAAAA,EACA,EAAEC,IAAI,EAAEC,YAAAA,GAAe,KAAK,EAAEC,KAAK,EAAW,GAAG,EAAE,GAAA;AAEnD,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;QACA,MAAM,EAAE4C,OAAO,EAAEC,IAAI,EAAEC,MAAM,EAAEC,QAAQ,EAAE,GAAGJ,KAAAA;AAE5C,QAAA,MAAMK,iBAAiBC,YAAAA,CAAUN,KAAAA,CAAAA;AAEjC,QAAA,IAAI,uBAAuBK,cAAAA,EAAgB;AACzCE,YAAAA,qDAAAA,CAAoCF,eAAeG,iBAAiB,CAAA;AACtE,QAAA;AAEA,QAAA,IAAIP,OAAAA,EAAS;YACXd,MAAAA,CAAOsB,MAAM,CAACJ,cAAAA,EAAgB;gBAAEJ,OAAAA,EAAS,MAAMS,eAAAA,CAAgBT,OAAAA,EAAShD,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA;AAAG,aAAA,CAAA;AAC5F,QAAA;AAEA,QAAA,IAAIgD,IAAAA,EAAM;YACRf,MAAAA,CAAOsB,MAAM,CAACJ,cAAAA,EAAgB;gBAAEH,IAAAA,EAAM,MAAMS,YAAAA,CAAaT,IAAAA,EAAMjD,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA;AAAG,aAAA,CAAA;AACnF,QAAA;AAEA,QAAA,IAAIiD,MAAAA,EAAQ;YACVhB,MAAAA,CAAOsB,MAAM,CAACJ,cAAAA,EAAgB;gBAAEF,MAAAA,EAAQ,MAAMS,eAAeT,MAAAA,EAAQlD,MAAAA;AAAQ,aAAA,CAAA;AAC/E,QAAA;AAEA,QAAA,IAAImD,QAAAA,EAAU;YACZjB,MAAAA,CAAOsB,MAAM,CAACJ,cAAAA,EAAgB;gBAAED,QAAAA,EAAU,MAAMS,iBAAiBT,QAAAA,EAAUnD,MAAAA;AAAQ,aAAA,CAAA;AACrF,QAAA;AAEA,QAAA,MAAM6D,iBAAiBC,gDAAAA,CAA2B3D,KAAAA,CAAAA;QAClD,MAAM4D,gBAAAA,GAAmB5D,OAAO2B,OAAAA,EAASiB,KAAAA;AACzC,QAAA,IAAIgB,gBAAAA,EAAkB;YACpB,KAAK,MAAM9B,OAAO4B,cAAAA,CAAgB;AAChC,gBAAA,IAAI5B,OAAOc,KAAAA,EAAO;oBAChB,MAAMX,SAAAA,GAAY2B,gBAAgB,CAAC9B,GAAAA,CAAI;AACvC,oBAAA,IAAIG,aAAa,OAAQA,SAAAA,CAA2BC,SAAS,KAAK,UAAA,EAAY;AAC5E,wBAAA,MAAMC,SAAS,SAACF,CAA2BC,SAAS,CAACU,KAAK,CAACd,GAAAA,CAAI,CAAA;wBAC/D,IAAIK,MAAAA,CAAOC,OAAO,EAAE;AAClBa,4BAAAA,cAAc,CAACnB,GAAAA,CAAI,GAAGK,MAAAA,CAAOvC,IAAI;wBACnC,CAAA,MAAO;4BACL,OAAOqD,cAAc,CAACnB,GAAAA,CAAI;AAC5B,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA;AAEA,QAAA,IAAI/B,YAAAA,EAAc;AAChB,YAAA,MAAM8D,WAAAA,GAAc;AAAIC,gBAAAA,GAAAA,4CAAAA;AAA6BJ,gBAAAA,GAAAA;AAAe,aAAA;AACpE,YAAA,OAAOK,QAAKF,WAAAA,EAAaZ,cAAAA,CAAAA;AAC3B,QAAA;QAEA,OAAOA,cAAAA;AACT,IAAA,CAAA;IAEA,MAAMK,eAAAA,GAAgC,CAACT,OAAAA,EAAShD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC1E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,mCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,WAAQ2C,OAAAA,CAAAA,EAAU;YACpB,OAAO1C,OAAAA,CAAQC,GAAG,CAACyC,OAAAA,CAAQxC,GAAG,CAAC,CAAC2D,MAAAA,GAAWV,eAAAA,CAAgBU,MAAAA,EAAQnE,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA,CAAA,CAAA,CAAA;AACpF,QAAA;AAEA,QAAA,MAAMa,UAAAA,GAAa;AAACQ,YAAAA,iCAAiC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE5E,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACb+C,YAAAA,CAAqBhD,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEtF,QAAA;AAEA,QAAA,OAAO2C,cAAa1B,UAAAA,CAAAA,CAAYkC,OAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMU,YAAAA,GAA6B,CAACT,IAAAA,EAAMjD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AACpE,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,gCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,8BAA8B,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAEzE,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACbgD,SAAAA,CAAkBjD,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEnF,QAAA;AAEA,QAAA,OAAO2C,cAAa1B,UAAAA,CAAAA,CAAYmC,IAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMU,cAAAA,GAA+B,CAACT,MAAAA,EAAQlD,MAAAA,GAAAA;AAC5C,QAAA,IAAI,CAACA,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,gCAAgC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE3E,QAAA,OAAO2C,cAAa1B,UAAAA,CAAAA,CAAYoC,MAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMU,gBAAAA,GAAiC,CAACT,QAAAA,EAAUnD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC5E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,oCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,kCAAkC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE7E,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACbiD,aAAAA,CAAsBlD,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEvF,QAAA;AAEA,QAAA,OAAO2C,cAAa1B,UAAAA,CAAAA,CAAYqC,QAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,OAAO;QACL5B,KAAAA,EAAOzB,aAAAA;QACP+C,MAAAA,EAAQJ,cAAAA;QACRM,KAAAA,EAAOD,aAAAA;QACPE,OAAAA,EAASS,eAAAA;QACTR,IAAAA,EAAMS,YAAAA;QACNR,MAAAA,EAAQS,cAAAA;QACRR,QAAAA,EAAUS;AACZ,KAAA;AACF;;;;;;"}
package/dist/sanitize/index.mjs CHANGED
@@ -13,6 +13,7 @@ import traverseQueryFilters from '../traverse/query-filters.mjs';
13
13
  import traverseQuerySort from '../traverse/query-sort.mjs';
14
14
  import traverseQueryPopulate from '../traverse/query-populate.mjs';
15
15
  import '../traverse/query-fields.mjs';
16
+ import { validatePublicationFilterQueryParam } from '../publication-filter.mjs';
16
17
  import removeUnrecognizedFields from './visitors/remove-unrecognized-fields.mjs';
17
18
  import removeRestrictedRelations from './visitors/remove-restricted-relations.mjs';
18
19
  import removeRestrictedFields from './visitors/remove-restricted-fields.mjs';
@@ -128,6 +129,9 @@ const createAPISanitizers = (opts)=>{
128
129
  }
129
130
  const { filters, sort, fields, populate } = query;
130
131
  const sanitizedQuery = cloneDeep(query);
132
+ if ('publicationFilter' in sanitizedQuery) {
133
+ validatePublicationFilterQueryParam(sanitizedQuery.publicationFilter);
134
+ }
131
135
  if (filters) {
132
136
  Object.assign(sanitizedQuery, {
133
137
  filters: await sanitizeFilters(filters, schema, {
package/dist/sanitize/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.mjs","sources":["../../src/sanitize/index.ts"],"sourcesContent":["import { CurriedFunction1 } from 'lodash';\nimport { isArray, cloneDeep, omit, pick } from 'lodash/fp';\nimport type { z } from 'zod/v4';\n\nimport { constants, getNonWritableAttributes } from '../content-types';\nimport { ALLOWED_QUERY_PARAM_KEYS } from '../content-api-constants';\nimport {\n type RouteLike,\n getExtraQueryKeysFromRoute,\n getExtraRootKeysFromRouteBody,\n} from '../content-api-route-params';\nimport { pipe as pipeAsync } from '../async';\n\nimport * as visitors from './visitors';\nimport * as sanitizers from './sanitizers';\nimport traverseEntity from '../traverse-entity';\n\nimport { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } from '../traverse';\nimport type { Model, Data } from '../types';\n\nexport interface Options {\n auth?: unknown;\n /**\n * If true, removes fields that are not declared in the schema (input) or keeps only allowed query param keys (query).\n * Defaults to false for backward compatibility.\n * TODO: In Strapi 6, strictParams will default to true (and may be removed as an option)\n */\n strictParams?: boolean;\n /**\n * When set, extra query/input params are derived from the route's request schema (and validated/sanitized with Zod).\n * When absent, no extra params are allowed in strict mode.\n */\n route?: RouteLike;\n}\n\nexport interface Sanitizer {\n (schema: Model): CurriedFunction1<Data, Promise<Data>>;\n}\nexport interface SanitizeFunc {\n (data: unknown, schema: Model, options?: Options): Promise<unknown>;\n}\n\nexport type SanitizeQueryParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<unknown>;\n\nexport type SanitizeBodyParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<unknown>;\n\nexport interface APIOptions {\n sanitizers?: Sanitizers;\n getModel: (model: string) => Model;\n}\n\nexport interface Sanitizers {\n input?: Sanitizer[];\n output?: Sanitizer[];\n}\n\nconst createAPISanitizers = (opts: APIOptions) => {\n const { getModel } = opts;\n\n const sanitizeInput: SanitizeFunc = (\n data: unknown,\n schema: Model,\n { auth, strictParams = false, route } = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeInput');\n }\n if (isArray(data)) {\n return Promise.all(\n data.map((entry) => sanitizeInput(entry, schema, { auth, strictParams, route }))\n );\n }\n\n const allowedExtraRootKeys = getExtraRootKeysFromRouteBody(route);\n\n const nonWritableAttributes = getNonWritableAttributes(schema);\n\n const transforms = [\n // Remove first level ID in inputs\n omit(constants.ID_ATTRIBUTE),\n omit(constants.DOC_ID_ATTRIBUTE),\n // Remove non-writable attributes\n traverseEntity(visitors.removeRestrictedFields(nonWritableAttributes), { schema, getModel }),\n ];\n\n if (strictParams) {\n // Remove unrecognized fields (allowedExtraRootKeys = registered input param keys)\n transforms.push(\n traverseEntity(visitors.removeUnrecognizedFields, {\n schema,\n getModel,\n allowedExtraRootKeys,\n })\n );\n }\n\n if (auth) {\n // Remove restricted relations\n transforms.push(\n traverseEntity(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n // Apply sanitizers from registry if exists\n opts?.sanitizers?.input?.forEach((sanitizer: Sanitizer) => transforms.push(sanitizer(schema)));\n\n /**\n * For each extra root key from the route's body schema present in data, run Zod safeParse.\n * If parsing fails, the key is removed from the output.\n *\n * Content-api sends the document payload as body.data; the controller calls sanitizeInput(body.data, ctx),\n * so the input we receive here is the inner payload (keys like \"relatedMedia\", \"name\"), not the full body.\n * The route's body schema is z.object({ data: ... }), so its shape includes \"data\". We skip \"data\" because\n * the main document payload is already sanitized above by traverseEntity (removeUnrecognizedFields, etc.);\n * relation ops (connect/disconnect/set) are handled there, not by the route's Zod schema. We only run\n * Zod here for truly extra root keys added via addInputParams (e.g. clientMutationId).\n */\n const routeBodySanitizeTransform = async (data: Data): Promise<Data> => {\n if (!data || typeof data !== 'object' || Array.isArray(data)) return data;\n const obj = data as Record<string, unknown>;\n const bodySchema = route?.request?.body?.['application/json'];\n if (bodySchema && typeof bodySchema === 'object' && 'shape' in bodySchema) {\n const shape = (bodySchema as { shape: Record<string, z.ZodTypeAny> }).shape;\n for (const key of Object.keys(shape)) {\n if (key === 'data' || !(key in obj)) continue;\n const zodSchema = shape[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).safeParse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(obj[key]);\n if (result.success) {\n obj[key] = result.data;\n } else {\n delete obj[key];\n }\n }\n }\n }\n return data;\n };\n (transforms as Array<(data: Data) => Data | Promise<Data>>).push(routeBodySanitizeTransform);\n\n return pipeAsync(...transforms)(data as Data);\n };\n\n const sanitizeOutput: SanitizeFunc = async (data, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeOutput');\n }\n if (isArray(data)) {\n const res = new Array(data.length);\n for (let i = 0; i < data.length; i += 1) {\n res[i] = await sanitizeOutput(data[i], schema, { auth });\n }\n return res;\n }\n\n const transforms = [\n (data: Data) => sanitizers.defaultSanitizeOutput({ schema, getModel }, data),\n ];\n\n if (auth) {\n transforms.push(\n traverseEntity(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n // Apply sanitizers from registry if exists\n opts?.sanitizers?.output?.forEach((sanitizer: Sanitizer) => transforms.push(sanitizer(schema)));\n\n return pipeAsync(...transforms)(data as Data);\n };\n\n const sanitizeQuery = async (\n query: Record<string, unknown>,\n schema: Model,\n { auth, strictParams = false, route }: Options = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeQuery');\n }\n const { filters, sort, fields, populate } = query;\n\n const sanitizedQuery = cloneDeep(query);\n\n if (filters) {\n Object.assign(sanitizedQuery, { filters: await sanitizeFilters(filters, schema, { auth }) });\n }\n\n if (sort) {\n Object.assign(sanitizedQuery, { sort: await sanitizeSort(sort, schema, { auth }) });\n }\n\n if (fields) {\n Object.assign(sanitizedQuery, { fields: await sanitizeFields(fields, schema) });\n }\n\n if (populate) {\n Object.assign(sanitizedQuery, { populate: await sanitizePopulate(populate, schema) });\n }\n\n const extraQueryKeys = getExtraQueryKeysFromRoute(route);\n const routeQuerySchema = route?.request?.query;\n if (routeQuerySchema) {\n for (const key of extraQueryKeys) {\n if (key in query) {\n const zodSchema = routeQuerySchema[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).safeParse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(query[key]);\n if (result.success) {\n sanitizedQuery[key] = result.data;\n } else {\n delete sanitizedQuery[key];\n }\n }\n }\n }\n }\n\n if (strictParams) {\n const allowedKeys = [...ALLOWED_QUERY_PARAM_KEYS, ...extraQueryKeys];\n return pick(allowedKeys, sanitizedQuery) as Record<string, unknown>;\n }\n\n return sanitizedQuery;\n };\n\n const sanitizeFilters: SanitizeFunc = (filters, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeFilters');\n }\n if (isArray(filters)) {\n return Promise.all(filters.map((filter) => sanitizeFilters(filter, schema, { auth })));\n }\n\n const transforms = [sanitizers.defaultSanitizeFilters({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryFilters(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(filters);\n };\n\n const sanitizeSort: SanitizeFunc = (sort, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeSort');\n }\n const transforms = [sanitizers.defaultSanitizeSort({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQuerySort(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(sort);\n };\n\n const sanitizeFields: SanitizeFunc = (fields, schema: Model) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeFields');\n }\n const transforms = [sanitizers.defaultSanitizeFields({ schema, getModel })];\n\n return pipeAsync(...transforms)(fields);\n };\n\n const sanitizePopulate: SanitizeFunc = (populate, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizePopulate');\n }\n const transforms = [sanitizers.defaultSanitizePopulate({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryPopulate(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(populate);\n };\n\n return {\n input: sanitizeInput,\n output: sanitizeOutput,\n query: sanitizeQuery,\n filters: sanitizeFilters,\n sort: sanitizeSort,\n fields: sanitizeFields,\n populate: sanitizePopulate,\n };\n};\n\nexport { createAPISanitizers, sanitizers, visitors };\n\nexport type APISanitiers = ReturnType<typeof createAPISanitizers>;\n"],"names":["createAPISanitizers","opts","getModel","sanitizeInput","data","schema","auth","strictParams","route","Error","isArray","Promise","all","map","entry","allowedExtraRootKeys","getExtraRootKeysFromRouteBody","nonWritableAttributes","getNonWritableAttributes","transforms","omit","constants","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","traverseEntity","visitors","push","sanitizers","input","forEach","sanitizer","routeBodySanitizeTransform","Array","obj","bodySchema","request","body","shape","key","Object","keys","zodSchema","safeParse","result","success","pipeAsync","sanitizeOutput","res","length","i","output","sanitizeQuery","query","filters","sort","fields","populate","sanitizedQuery","cloneDeep","assign","sanitizeFilters","sanitizeSort","sanitizeFields","sanitizePopulate","extraQueryKeys","getExtraQueryKeysFromRoute","routeQuerySchema","allowedKeys","ALLOWED_QUERY_PARAM_KEYS","pick","filter","traverseQueryFilters","traverseQuerySort","traverseQueryPopulate"],"mappings":";;;;;;;;;;;;;;;;;;;AAgEA,MAAMA,sBAAsB,CAACC,IAAAA,GAAAA;IAC3B,MAAM,EAAEC,QAAQ,EAAE,GAAGD,IAAAA;AAErB,IAAA,MAAME,aAAAA,GAA8B,CAClCC,IAAAA,EACAC,MAAAA,EACA,EAAEC,IAAI,EAAEC,YAAAA,GAAe,KAAK,EAAEC,KAAK,EAAE,GAAG,EAAE,GAAA;AAE1C,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,QAAQN,IAAAA,CAAAA,EAAO;YACjB,OAAOO,OAAAA,CAAQC,GAAG,CAChBR,IAAAA,CAAKS,GAAG,CAAC,CAACC,KAAAA,GAAUX,aAAAA,CAAcW,KAAAA,EAAOT,MAAAA,EAAQ;AAAEC,oBAAAA,IAAAA;AAAMC,oBAAAA,YAAAA;AAAcC,oBAAAA;AAAM,iBAAA,CAAA,CAAA,CAAA;AAEjF,QAAA;AAEA,QAAA,MAAMO,uBAAuBC,6BAAAA,CAA8BR,KAAAA,CAAAA;AAE3D,QAAA,MAAMS,wBAAwBC,wBAAAA,CAAyBb,MAAAA,CAAAA;AAEvD,QAAA,MAAMc,UAAAA,GAAa;;AAEjBC,YAAAA,IAAAA,CAAKC,UAAUC,YAAY,CAAA;AAC3BF,YAAAA,IAAAA,CAAKC,UAAUE,gBAAgB,CAAA;;YAE/BC,cAAAA,CAAeC,sBAA+B,CAACR,qBAAAA,CAAAA,EAAwB;AAAEZ,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAC3F,SAAA;AAED,QAAA,IAAIK,YAAAA,EAAc;;AAEhBY,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,wBAAiC,EAAE;AAChDpB,gBAAAA,MAAAA;AACAH,gBAAAA,QAAAA;AACAa,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;AAEA,QAAA,IAAIT,IAAAA,EAAM;;AAERa,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEhF,QAAA;;QAGAD,IAAAA,EAAM0B,UAAAA,EAAYC,OAAOC,OAAAA,CAAQ,CAACC,YAAyBX,UAAAA,CAAWO,IAAI,CAACI,SAAAA,CAAUzB,MAAAA,CAAAA,CAAAA,CAAAA;AAErF;;;;;;;;;;QAWA,MAAM0B,6BAA6B,OAAO3B,IAAAA,GAAAA;YACxC,IAAI,CAACA,QAAQ,OAAOA,IAAAA,KAAS,YAAY4B,KAAAA,CAAMtB,OAAO,CAACN,IAAAA,CAAAA,EAAO,OAAOA,IAAAA;AACrE,YAAA,MAAM6B,GAAAA,GAAM7B,IAAAA;AACZ,YAAA,MAAM8B,UAAAA,GAAa1B,KAAAA,EAAO2B,OAAAA,EAASC,IAAAA,GAAO,kBAAA,CAAmB;AAC7D,YAAA,IAAIF,UAAAA,IAAc,OAAOA,UAAAA,KAAe,QAAA,IAAY,WAAWA,UAAAA,EAAY;gBACzE,MAAMG,KAAAA,GAAQ,UAACH,CAAuDG,KAAK;AAC3E,gBAAA,KAAK,MAAMC,GAAAA,IAAOC,MAAAA,CAAOC,IAAI,CAACH,KAAAA,CAAAA,CAAQ;AACpC,oBAAA,IAAIC,QAAQ,MAAA,IAAU,EAAEA,GAAAA,IAAOL,GAAE,CAAA,EAAI;oBACrC,MAAMQ,SAAAA,GAAYJ,KAAK,CAACC,GAAAA,CAAI;AAC5B,oBAAA,IAAIG,aAAa,OAAQA,SAAAA,CAA2BC,SAAS,KAAK,UAAA,EAAY;AAC5E,wBAAA,MAAMC,SAAS,SAACF,CAA2BC,SAAS,CAACT,GAAG,CAACK,GAAAA,CAAI,CAAA;wBAC7D,IAAIK,MAAAA,CAAOC,OAAO,EAAE;AAClBX,4BAAAA,GAAG,CAACK,GAAAA,CAAI,GAAGK,MAAAA,CAAOvC,IAAI;wBACxB,CAAA,MAAO;4BACL,OAAO6B,GAAG,CAACK,GAAAA,CAAI;AACjB,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;YACA,OAAOlC,IAAAA;AACT,QAAA,CAAA;AACCe,QAAAA,UAAAA,CAA2DO,IAAI,CAACK,0BAAAA,CAAAA;AAEjE,QAAA,OAAOc,QAAa1B,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAM0C,cAAAA,GAA+B,OAAO1C,IAAAA,EAAMC,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC5E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,QAAQN,IAAAA,CAAAA,EAAO;AACjB,YAAA,MAAM2C,GAAAA,GAAM,IAAIf,KAAAA,CAAM5B,IAAAA,CAAK4C,MAAM,CAAA;YACjC,IAAK,IAAIC,IAAI,CAAA,EAAGA,CAAAA,GAAI7C,KAAK4C,MAAM,EAAEC,KAAK,CAAA,CAAG;gBACvCF,GAAG,CAACE,EAAE,GAAG,MAAMH,eAAe1C,IAAI,CAAC6C,CAAAA,CAAE,EAAE5C,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA,CAAA;AACxD,YAAA;YACA,OAAOyC,GAAAA;AACT,QAAA;AAEA,QAAA,MAAM5B,UAAAA,GAAa;YACjB,CAACf,IAAAA,GAAeuB,qBAAgC,CAAC;AAAEtB,oBAAAA,MAAAA;AAAQH,oBAAAA;iBAAS,EAAGE,IAAAA;AACxE,SAAA;AAED,QAAA,IAAIE,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEhF,QAAA;;QAGAD,IAAAA,EAAM0B,UAAAA,EAAYuB,QAAQrB,OAAAA,CAAQ,CAACC,YAAyBX,UAAAA,CAAWO,IAAI,CAACI,SAAAA,CAAUzB,MAAAA,CAAAA,CAAAA,CAAAA;AAEtF,QAAA,OAAOwC,QAAa1B,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;AAClC,IAAA,CAAA;AAEA,IAAA,MAAM+C,aAAAA,GAAgB,OACpBC,KAAAA,EACA/C,MAAAA,EACA,EAAEC,IAAI,EAAEC,YAAAA,GAAe,KAAK,EAAEC,KAAK,EAAW,GAAG,EAAE,GAAA;AAEnD,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;QACA,MAAM,EAAE4C,OAAO,EAAEC,IAAI,EAAEC,MAAM,EAAEC,QAAQ,EAAE,GAAGJ,KAAAA;AAE5C,QAAA,MAAMK,iBAAiBC,SAAAA,CAAUN,KAAAA,CAAAA;AAEjC,QAAA,IAAIC,OAAAA,EAAS;YACXd,MAAAA,CAAOoB,MAAM,CAACF,cAAAA,EAAgB;gBAAEJ,OAAAA,EAAS,MAAMO,eAAAA,CAAgBP,OAAAA,EAAShD,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA;AAAG,aAAA,CAAA;AAC5F,QAAA;AAEA,QAAA,IAAIgD,IAAAA,EAAM;YACRf,MAAAA,CAAOoB,MAAM,CAACF,cAAAA,EAAgB;gBAAEH,IAAAA,EAAM,MAAMO,YAAAA,CAAaP,IAAAA,EAAMjD,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA;AAAG,aAAA,CAAA;AACnF,QAAA;AAEA,QAAA,IAAIiD,MAAAA,EAAQ;YACVhB,MAAAA,CAAOoB,MAAM,CAACF,cAAAA,EAAgB;gBAAEF,MAAAA,EAAQ,MAAMO,eAAeP,MAAAA,EAAQlD,MAAAA;AAAQ,aAAA,CAAA;AAC/E,QAAA;AAEA,QAAA,IAAImD,QAAAA,EAAU;YACZjB,MAAAA,CAAOoB,MAAM,CAACF,cAAAA,EAAgB;gBAAED,QAAAA,EAAU,MAAMO,iBAAiBP,QAAAA,EAAUnD,MAAAA;AAAQ,aAAA,CAAA;AACrF,QAAA;AAEA,QAAA,MAAM2D,iBAAiBC,0BAAAA,CAA2BzD,KAAAA,CAAAA;QAClD,MAAM0D,gBAAAA,GAAmB1D,OAAO2B,OAAAA,EAASiB,KAAAA;AACzC,QAAA,IAAIc,gBAAAA,EAAkB;YACpB,KAAK,MAAM5B,OAAO0B,cAAAA,CAAgB;AAChC,gBAAA,IAAI1B,OAAOc,KAAAA,EAAO;oBAChB,MAAMX,SAAAA,GAAYyB,gBAAgB,CAAC5B,GAAAA,CAAI;AACvC,oBAAA,IAAIG,aAAa,OAAQA,SAAAA,CAA2BC,SAAS,KAAK,UAAA,EAAY;AAC5E,wBAAA,MAAMC,SAAS,SAACF,CAA2BC,SAAS,CAACU,KAAK,CAACd,GAAAA,CAAI,CAAA;wBAC/D,IAAIK,MAAAA,CAAOC,OAAO,EAAE;AAClBa,4BAAAA,cAAc,CAACnB,GAAAA,CAAI,GAAGK,MAAAA,CAAOvC,IAAI;wBACnC,CAAA,MAAO;4BACL,OAAOqD,cAAc,CAACnB,GAAAA,CAAI;AAC5B,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA;AAEA,QAAA,IAAI/B,YAAAA,EAAc;AAChB,YAAA,MAAM4D,WAAAA,GAAc;AAAIC,gBAAAA,GAAAA,wBAAAA;AAA6BJ,gBAAAA,GAAAA;AAAe,aAAA;AACpE,YAAA,OAAOK,KAAKF,WAAAA,EAAaV,cAAAA,CAAAA;AAC3B,QAAA;QAEA,OAAOA,cAAAA;AACT,IAAA,CAAA;IAEA,MAAMG,eAAAA,GAAgC,CAACP,OAAAA,EAAShD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC1E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,mCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,QAAQ2C,OAAAA,CAAAA,EAAU;YACpB,OAAO1C,OAAAA,CAAQC,GAAG,CAACyC,OAAAA,CAAQxC,GAAG,CAAC,CAACyD,MAAAA,GAAWV,eAAAA,CAAgBU,MAAAA,EAAQjE,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA,CAAA,CAAA,CAAA;AACpF,QAAA;AAEA,QAAA,MAAMa,UAAAA,GAAa;AAACQ,YAAAA,sBAAiC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE5E,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACb6C,oBAAAA,CAAqB9C,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEtF,QAAA;AAEA,QAAA,OAAO2C,QAAa1B,UAAAA,CAAAA,CAAYkC,OAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMQ,YAAAA,GAA6B,CAACP,IAAAA,EAAMjD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AACpE,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,gCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,mBAA8B,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAEzE,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACb8C,iBAAAA,CAAkB/C,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEnF,QAAA;AAEA,QAAA,OAAO2C,QAAa1B,UAAAA,CAAAA,CAAYmC,IAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMQ,cAAAA,GAA+B,CAACP,MAAAA,EAAQlD,MAAAA,GAAAA;AAC5C,QAAA,IAAI,CAACA,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,qBAAgC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE3E,QAAA,OAAO2C,QAAa1B,UAAAA,CAAAA,CAAYoC,MAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMQ,gBAAAA,GAAiC,CAACP,QAAAA,EAAUnD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC5E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,oCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,uBAAkC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE7E,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACb+C,qBAAAA,CAAsBhD,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEvF,QAAA;AAEA,QAAA,OAAO2C,QAAa1B,UAAAA,CAAAA,CAAYqC,QAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,OAAO;QACL5B,KAAAA,EAAOzB,aAAAA;QACP+C,MAAAA,EAAQJ,cAAAA;QACRM,KAAAA,EAAOD,aAAAA;QACPE,OAAAA,EAASO,eAAAA;QACTN,IAAAA,EAAMO,YAAAA;QACNN,MAAAA,EAAQO,cAAAA;QACRN,QAAAA,EAAUO;AACZ,KAAA;AACF;;;;"}
1
+ {"version":3,"file":"index.mjs","sources":["../../src/sanitize/index.ts"],"sourcesContent":["import { CurriedFunction1 } from 'lodash';\nimport { isArray, cloneDeep, omit, pick } from 'lodash/fp';\nimport type { z } from 'zod/v4';\n\nimport { constants, getNonWritableAttributes } from '../content-types';\nimport { ALLOWED_QUERY_PARAM_KEYS } from '../content-api-constants';\nimport {\n type RouteLike,\n getExtraQueryKeysFromRoute,\n getExtraRootKeysFromRouteBody,\n} from '../content-api-route-params';\nimport { pipe as pipeAsync } from '../async';\n\nimport * as visitors from './visitors';\nimport * as sanitizers from './sanitizers';\nimport traverseEntity from '../traverse-entity';\n\nimport { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } from '../traverse';\nimport type { Model, Data } from '../types';\nimport { validatePublicationFilterQueryParam } from '../publication-filter';\n\nexport interface Options {\n auth?: unknown;\n /**\n * If true, removes fields that are not declared in the schema (input) or keeps only allowed query param keys (query).\n * Defaults to false for backward compatibility.\n * TODO: In Strapi 6, strictParams will default to true (and may be removed as an option)\n */\n strictParams?: boolean;\n /**\n * When set, extra query/input params are derived from the route's request schema (and validated/sanitized with Zod).\n * When absent, no extra params are allowed in strict mode.\n */\n route?: RouteLike;\n}\n\nexport interface Sanitizer {\n (schema: Model): CurriedFunction1<Data, Promise<Data>>;\n}\nexport interface SanitizeFunc {\n (data: unknown, schema: Model, options?: Options): Promise<unknown>;\n}\n\nexport type SanitizeQueryParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<unknown>;\n\nexport type SanitizeBodyParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<unknown>;\n\nexport interface APIOptions {\n sanitizers?: Sanitizers;\n getModel: (model: string) => Model;\n}\n\nexport interface Sanitizers {\n input?: Sanitizer[];\n output?: Sanitizer[];\n}\n\nconst createAPISanitizers = (opts: APIOptions) => {\n const { getModel } = opts;\n\n const sanitizeInput: SanitizeFunc = (\n data: unknown,\n schema: Model,\n { auth, strictParams = false, route } = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeInput');\n }\n if (isArray(data)) {\n return Promise.all(\n data.map((entry) => sanitizeInput(entry, schema, { auth, strictParams, route }))\n );\n }\n\n const allowedExtraRootKeys = getExtraRootKeysFromRouteBody(route);\n\n const nonWritableAttributes = getNonWritableAttributes(schema);\n\n const transforms = [\n // Remove first level ID in inputs\n omit(constants.ID_ATTRIBUTE),\n omit(constants.DOC_ID_ATTRIBUTE),\n // Remove non-writable attributes\n traverseEntity(visitors.removeRestrictedFields(nonWritableAttributes), { schema, getModel }),\n ];\n\n if (strictParams) {\n // Remove unrecognized fields (allowedExtraRootKeys = registered input param keys)\n transforms.push(\n traverseEntity(visitors.removeUnrecognizedFields, {\n schema,\n getModel,\n allowedExtraRootKeys,\n })\n );\n }\n\n if (auth) {\n // Remove restricted relations\n transforms.push(\n traverseEntity(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n // Apply sanitizers from registry if exists\n opts?.sanitizers?.input?.forEach((sanitizer: Sanitizer) => transforms.push(sanitizer(schema)));\n\n /**\n * For each extra root key from the route's body schema present in data, run Zod safeParse.\n * If parsing fails, the key is removed from the output.\n *\n * Content-api sends the document payload as body.data; the controller calls sanitizeInput(body.data, ctx),\n * so the input we receive here is the inner payload (keys like \"relatedMedia\", \"name\"), not the full body.\n * The route's body schema is z.object({ data: ... }), so its shape includes \"data\". We skip \"data\" because\n * the main document payload is already sanitized above by traverseEntity (removeUnrecognizedFields, etc.);\n * relation ops (connect/disconnect/set) are handled there, not by the route's Zod schema. We only run\n * Zod here for truly extra root keys added via addInputParams (e.g. clientMutationId).\n */\n const routeBodySanitizeTransform = async (data: Data): Promise<Data> => {\n if (!data || typeof data !== 'object' || Array.isArray(data)) return data;\n const obj = data as Record<string, unknown>;\n const bodySchema = route?.request?.body?.['application/json'];\n if (bodySchema && typeof bodySchema === 'object' && 'shape' in bodySchema) {\n const shape = (bodySchema as { shape: Record<string, z.ZodTypeAny> }).shape;\n for (const key of Object.keys(shape)) {\n if (key === 'data' || !(key in obj)) continue;\n const zodSchema = shape[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).safeParse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(obj[key]);\n if (result.success) {\n obj[key] = result.data;\n } else {\n delete obj[key];\n }\n }\n }\n }\n return data;\n };\n (transforms as Array<(data: Data) => Data | Promise<Data>>).push(routeBodySanitizeTransform);\n\n return pipeAsync(...transforms)(data as Data);\n };\n\n const sanitizeOutput: SanitizeFunc = async (data, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeOutput');\n }\n if (isArray(data)) {\n const res = new Array(data.length);\n for (let i = 0; i < data.length; i += 1) {\n res[i] = await sanitizeOutput(data[i], schema, { auth });\n }\n return res;\n }\n\n const transforms = [\n (data: Data) => sanitizers.defaultSanitizeOutput({ schema, getModel }, data),\n ];\n\n if (auth) {\n transforms.push(\n traverseEntity(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n // Apply sanitizers from registry if exists\n opts?.sanitizers?.output?.forEach((sanitizer: Sanitizer) => transforms.push(sanitizer(schema)));\n\n return pipeAsync(...transforms)(data as Data);\n };\n\n const sanitizeQuery = async (\n query: Record<string, unknown>,\n schema: Model,\n { auth, strictParams = false, route }: Options = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeQuery');\n }\n const { filters, sort, fields, populate } = query;\n\n const sanitizedQuery = cloneDeep(query);\n\n if ('publicationFilter' in sanitizedQuery) {\n validatePublicationFilterQueryParam(sanitizedQuery.publicationFilter);\n }\n\n if (filters) {\n Object.assign(sanitizedQuery, { filters: await sanitizeFilters(filters, schema, { auth }) });\n }\n\n if (sort) {\n Object.assign(sanitizedQuery, { sort: await sanitizeSort(sort, schema, { auth }) });\n }\n\n if (fields) {\n Object.assign(sanitizedQuery, { fields: await sanitizeFields(fields, schema) });\n }\n\n if (populate) {\n Object.assign(sanitizedQuery, { populate: await sanitizePopulate(populate, schema) });\n }\n\n const extraQueryKeys = getExtraQueryKeysFromRoute(route);\n const routeQuerySchema = route?.request?.query;\n if (routeQuerySchema) {\n for (const key of extraQueryKeys) {\n if (key in query) {\n const zodSchema = routeQuerySchema[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).safeParse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(query[key]);\n if (result.success) {\n sanitizedQuery[key] = result.data;\n } else {\n delete sanitizedQuery[key];\n }\n }\n }\n }\n }\n\n if (strictParams) {\n const allowedKeys = [...ALLOWED_QUERY_PARAM_KEYS, ...extraQueryKeys];\n return pick(allowedKeys, sanitizedQuery) as Record<string, unknown>;\n }\n\n return sanitizedQuery;\n };\n\n const sanitizeFilters: SanitizeFunc = (filters, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeFilters');\n }\n if (isArray(filters)) {\n return Promise.all(filters.map((filter) => sanitizeFilters(filter, schema, { auth })));\n }\n\n const transforms = [sanitizers.defaultSanitizeFilters({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryFilters(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(filters);\n };\n\n const sanitizeSort: SanitizeFunc = (sort, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeSort');\n }\n const transforms = [sanitizers.defaultSanitizeSort({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQuerySort(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(sort);\n };\n\n const sanitizeFields: SanitizeFunc = (fields, schema: Model) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizeFields');\n }\n const transforms = [sanitizers.defaultSanitizeFields({ schema, getModel })];\n\n return pipeAsync(...transforms)(fields);\n };\n\n const sanitizePopulate: SanitizeFunc = (populate, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizePopulate');\n }\n const transforms = [sanitizers.defaultSanitizePopulate({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryPopulate(visitors.removeRestrictedRelations(auth), { schema, getModel })\n );\n }\n\n return pipeAsync(...transforms)(populate);\n };\n\n return {\n input: sanitizeInput,\n output: sanitizeOutput,\n query: sanitizeQuery,\n filters: sanitizeFilters,\n sort: sanitizeSort,\n fields: sanitizeFields,\n populate: sanitizePopulate,\n };\n};\n\nexport { createAPISanitizers, sanitizers, visitors };\n\nexport type APISanitiers = ReturnType<typeof createAPISanitizers>;\n"],"names":["createAPISanitizers","opts","getModel","sanitizeInput","data","schema","auth","strictParams","route","Error","isArray","Promise","all","map","entry","allowedExtraRootKeys","getExtraRootKeysFromRouteBody","nonWritableAttributes","getNonWritableAttributes","transforms","omit","constants","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","traverseEntity","visitors","push","sanitizers","input","forEach","sanitizer","routeBodySanitizeTransform","Array","obj","bodySchema","request","body","shape","key","Object","keys","zodSchema","safeParse","result","success","pipeAsync","sanitizeOutput","res","length","i","output","sanitizeQuery","query","filters","sort","fields","populate","sanitizedQuery","cloneDeep","validatePublicationFilterQueryParam","publicationFilter","assign","sanitizeFilters","sanitizeSort","sanitizeFields","sanitizePopulate","extraQueryKeys","getExtraQueryKeysFromRoute","routeQuerySchema","allowedKeys","ALLOWED_QUERY_PARAM_KEYS","pick","filter","traverseQueryFilters","traverseQuerySort","traverseQueryPopulate"],"mappings":";;;;;;;;;;;;;;;;;;;;AAiEA,MAAMA,sBAAsB,CAACC,IAAAA,GAAAA;IAC3B,MAAM,EAAEC,QAAQ,EAAE,GAAGD,IAAAA;AAErB,IAAA,MAAME,aAAAA,GAA8B,CAClCC,IAAAA,EACAC,MAAAA,EACA,EAAEC,IAAI,EAAEC,YAAAA,GAAe,KAAK,EAAEC,KAAK,EAAE,GAAG,EAAE,GAAA;AAE1C,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,QAAQN,IAAAA,CAAAA,EAAO;YACjB,OAAOO,OAAAA,CAAQC,GAAG,CAChBR,IAAAA,CAAKS,GAAG,CAAC,CAACC,KAAAA,GAAUX,aAAAA,CAAcW,KAAAA,EAAOT,MAAAA,EAAQ;AAAEC,oBAAAA,IAAAA;AAAMC,oBAAAA,YAAAA;AAAcC,oBAAAA;AAAM,iBAAA,CAAA,CAAA,CAAA;AAEjF,QAAA;AAEA,QAAA,MAAMO,uBAAuBC,6BAAAA,CAA8BR,KAAAA,CAAAA;AAE3D,QAAA,MAAMS,wBAAwBC,wBAAAA,CAAyBb,MAAAA,CAAAA;AAEvD,QAAA,MAAMc,UAAAA,GAAa;;AAEjBC,YAAAA,IAAAA,CAAKC,UAAUC,YAAY,CAAA;AAC3BF,YAAAA,IAAAA,CAAKC,UAAUE,gBAAgB,CAAA;;YAE/BC,cAAAA,CAAeC,sBAA+B,CAACR,qBAAAA,CAAAA,EAAwB;AAAEZ,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAC3F,SAAA;AAED,QAAA,IAAIK,YAAAA,EAAc;;AAEhBY,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,wBAAiC,EAAE;AAChDpB,gBAAAA,MAAAA;AACAH,gBAAAA,QAAAA;AACAa,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;AAEA,QAAA,IAAIT,IAAAA,EAAM;;AAERa,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEhF,QAAA;;QAGAD,IAAAA,EAAM0B,UAAAA,EAAYC,OAAOC,OAAAA,CAAQ,CAACC,YAAyBX,UAAAA,CAAWO,IAAI,CAACI,SAAAA,CAAUzB,MAAAA,CAAAA,CAAAA,CAAAA;AAErF;;;;;;;;;;QAWA,MAAM0B,6BAA6B,OAAO3B,IAAAA,GAAAA;YACxC,IAAI,CAACA,QAAQ,OAAOA,IAAAA,KAAS,YAAY4B,KAAAA,CAAMtB,OAAO,CAACN,IAAAA,CAAAA,EAAO,OAAOA,IAAAA;AACrE,YAAA,MAAM6B,GAAAA,GAAM7B,IAAAA;AACZ,YAAA,MAAM8B,UAAAA,GAAa1B,KAAAA,EAAO2B,OAAAA,EAASC,IAAAA,GAAO,kBAAA,CAAmB;AAC7D,YAAA,IAAIF,UAAAA,IAAc,OAAOA,UAAAA,KAAe,QAAA,IAAY,WAAWA,UAAAA,EAAY;gBACzE,MAAMG,KAAAA,GAAQ,UAACH,CAAuDG,KAAK;AAC3E,gBAAA,KAAK,MAAMC,GAAAA,IAAOC,MAAAA,CAAOC,IAAI,CAACH,KAAAA,CAAAA,CAAQ;AACpC,oBAAA,IAAIC,QAAQ,MAAA,IAAU,EAAEA,GAAAA,IAAOL,GAAE,CAAA,EAAI;oBACrC,MAAMQ,SAAAA,GAAYJ,KAAK,CAACC,GAAAA,CAAI;AAC5B,oBAAA,IAAIG,aAAa,OAAQA,SAAAA,CAA2BC,SAAS,KAAK,UAAA,EAAY;AAC5E,wBAAA,MAAMC,SAAS,SAACF,CAA2BC,SAAS,CAACT,GAAG,CAACK,GAAAA,CAAI,CAAA;wBAC7D,IAAIK,MAAAA,CAAOC,OAAO,EAAE;AAClBX,4BAAAA,GAAG,CAACK,GAAAA,CAAI,GAAGK,MAAAA,CAAOvC,IAAI;wBACxB,CAAA,MAAO;4BACL,OAAO6B,GAAG,CAACK,GAAAA,CAAI;AACjB,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;YACA,OAAOlC,IAAAA;AACT,QAAA,CAAA;AACCe,QAAAA,UAAAA,CAA2DO,IAAI,CAACK,0BAAAA,CAAAA;AAEjE,QAAA,OAAOc,QAAa1B,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAM0C,cAAAA,GAA+B,OAAO1C,IAAAA,EAAMC,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC5E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,QAAQN,IAAAA,CAAAA,EAAO;AACjB,YAAA,MAAM2C,GAAAA,GAAM,IAAIf,KAAAA,CAAM5B,IAAAA,CAAK4C,MAAM,CAAA;YACjC,IAAK,IAAIC,IAAI,CAAA,EAAGA,CAAAA,GAAI7C,KAAK4C,MAAM,EAAEC,KAAK,CAAA,CAAG;gBACvCF,GAAG,CAACE,EAAE,GAAG,MAAMH,eAAe1C,IAAI,CAAC6C,CAAAA,CAAE,EAAE5C,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA,CAAA;AACxD,YAAA;YACA,OAAOyC,GAAAA;AACT,QAAA;AAEA,QAAA,MAAM5B,UAAAA,GAAa;YACjB,CAACf,IAAAA,GAAeuB,qBAAgC,CAAC;AAAEtB,oBAAAA,MAAAA;AAAQH,oBAAAA;iBAAS,EAAGE,IAAAA;AACxE,SAAA;AAED,QAAA,IAAIE,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACbF,cAAAA,CAAeC,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEhF,QAAA;;QAGAD,IAAAA,EAAM0B,UAAAA,EAAYuB,QAAQrB,OAAAA,CAAQ,CAACC,YAAyBX,UAAAA,CAAWO,IAAI,CAACI,SAAAA,CAAUzB,MAAAA,CAAAA,CAAAA,CAAAA;AAEtF,QAAA,OAAOwC,QAAa1B,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;AAClC,IAAA,CAAA;AAEA,IAAA,MAAM+C,aAAAA,GAAgB,OACpBC,KAAAA,EACA/C,MAAAA,EACA,EAAEC,IAAI,EAAEC,YAAAA,GAAe,KAAK,EAAEC,KAAK,EAAW,GAAG,EAAE,GAAA;AAEnD,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;QACA,MAAM,EAAE4C,OAAO,EAAEC,IAAI,EAAEC,MAAM,EAAEC,QAAQ,EAAE,GAAGJ,KAAAA;AAE5C,QAAA,MAAMK,iBAAiBC,SAAAA,CAAUN,KAAAA,CAAAA;AAEjC,QAAA,IAAI,uBAAuBK,cAAAA,EAAgB;AACzCE,YAAAA,mCAAAA,CAAoCF,eAAeG,iBAAiB,CAAA;AACtE,QAAA;AAEA,QAAA,IAAIP,OAAAA,EAAS;YACXd,MAAAA,CAAOsB,MAAM,CAACJ,cAAAA,EAAgB;gBAAEJ,OAAAA,EAAS,MAAMS,eAAAA,CAAgBT,OAAAA,EAAShD,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA;AAAG,aAAA,CAAA;AAC5F,QAAA;AAEA,QAAA,IAAIgD,IAAAA,EAAM;YACRf,MAAAA,CAAOsB,MAAM,CAACJ,cAAAA,EAAgB;gBAAEH,IAAAA,EAAM,MAAMS,YAAAA,CAAaT,IAAAA,EAAMjD,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA;AAAG,aAAA,CAAA;AACnF,QAAA;AAEA,QAAA,IAAIiD,MAAAA,EAAQ;YACVhB,MAAAA,CAAOsB,MAAM,CAACJ,cAAAA,EAAgB;gBAAEF,MAAAA,EAAQ,MAAMS,eAAeT,MAAAA,EAAQlD,MAAAA;AAAQ,aAAA,CAAA;AAC/E,QAAA;AAEA,QAAA,IAAImD,QAAAA,EAAU;YACZjB,MAAAA,CAAOsB,MAAM,CAACJ,cAAAA,EAAgB;gBAAED,QAAAA,EAAU,MAAMS,iBAAiBT,QAAAA,EAAUnD,MAAAA;AAAQ,aAAA,CAAA;AACrF,QAAA;AAEA,QAAA,MAAM6D,iBAAiBC,0BAAAA,CAA2B3D,KAAAA,CAAAA;QAClD,MAAM4D,gBAAAA,GAAmB5D,OAAO2B,OAAAA,EAASiB,KAAAA;AACzC,QAAA,IAAIgB,gBAAAA,EAAkB;YACpB,KAAK,MAAM9B,OAAO4B,cAAAA,CAAgB;AAChC,gBAAA,IAAI5B,OAAOc,KAAAA,EAAO;oBAChB,MAAMX,SAAAA,GAAY2B,gBAAgB,CAAC9B,GAAAA,CAAI;AACvC,oBAAA,IAAIG,aAAa,OAAQA,SAAAA,CAA2BC,SAAS,KAAK,UAAA,EAAY;AAC5E,wBAAA,MAAMC,SAAS,SAACF,CAA2BC,SAAS,CAACU,KAAK,CAACd,GAAAA,CAAI,CAAA;wBAC/D,IAAIK,MAAAA,CAAOC,OAAO,EAAE;AAClBa,4BAAAA,cAAc,CAACnB,GAAAA,CAAI,GAAGK,MAAAA,CAAOvC,IAAI;wBACnC,CAAA,MAAO;4BACL,OAAOqD,cAAc,CAACnB,GAAAA,CAAI;AAC5B,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA;AAEA,QAAA,IAAI/B,YAAAA,EAAc;AAChB,YAAA,MAAM8D,WAAAA,GAAc;AAAIC,gBAAAA,GAAAA,wBAAAA;AAA6BJ,gBAAAA,GAAAA;AAAe,aAAA;AACpE,YAAA,OAAOK,KAAKF,WAAAA,EAAaZ,cAAAA,CAAAA;AAC3B,QAAA;QAEA,OAAOA,cAAAA;AACT,IAAA,CAAA;IAEA,MAAMK,eAAAA,GAAgC,CAACT,OAAAA,EAAShD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC1E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,mCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,QAAQ2C,OAAAA,CAAAA,EAAU;YACpB,OAAO1C,OAAAA,CAAQC,GAAG,CAACyC,OAAAA,CAAQxC,GAAG,CAAC,CAAC2D,MAAAA,GAAWV,eAAAA,CAAgBU,MAAAA,EAAQnE,MAAAA,EAAQ;AAAEC,oBAAAA;AAAK,iBAAA,CAAA,CAAA,CAAA;AACpF,QAAA;AAEA,QAAA,MAAMa,UAAAA,GAAa;AAACQ,YAAAA,sBAAiC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE5E,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACb+C,oBAAAA,CAAqBhD,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEtF,QAAA;AAEA,QAAA,OAAO2C,QAAa1B,UAAAA,CAAAA,CAAYkC,OAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMU,YAAAA,GAA6B,CAACT,IAAAA,EAAMjD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AACpE,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,gCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,mBAA8B,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAEzE,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACbgD,iBAAAA,CAAkBjD,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEnF,QAAA;AAEA,QAAA,OAAO2C,QAAa1B,UAAAA,CAAAA,CAAYmC,IAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMU,cAAAA,GAA+B,CAACT,MAAAA,EAAQlD,MAAAA,GAAAA;AAC5C,QAAA,IAAI,CAACA,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,qBAAgC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE3E,QAAA,OAAO2C,QAAa1B,UAAAA,CAAAA,CAAYoC,MAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,MAAMU,gBAAAA,GAAiC,CAACT,QAAAA,EAAUnD,MAAAA,EAAe,EAAEC,IAAI,EAAE,GAAG,EAAE,GAAA;AAC5E,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,oCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACQ,YAAAA,uBAAkC,CAAC;AAAEtB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE7E,QAAA,IAAII,IAAAA,EAAM;AACRa,YAAAA,UAAAA,CAAWO,IAAI,CACbiD,qBAAAA,CAAsBlD,yBAAkC,CAACnB,IAAAA,CAAAA,EAAO;AAAED,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA,CAAA;AAEvF,QAAA;AAEA,QAAA,OAAO2C,QAAa1B,UAAAA,CAAAA,CAAYqC,QAAAA,CAAAA;AAClC,IAAA,CAAA;IAEA,OAAO;QACL5B,KAAAA,EAAOzB,aAAAA;QACP+C,MAAAA,EAAQJ,cAAAA;QACRM,KAAAA,EAAOD,aAAAA;QACPE,OAAAA,EAASS,eAAAA;QACTR,IAAAA,EAAMS,YAAAA;QACNR,MAAAA,EAAQS,cAAAA;QACRR,QAAAA,EAAUS;AACZ,KAAA;AACF;;;;"}
package/dist/validate/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/validate/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAM1C,OAAO,EACL,KAAK,SAAS,EAGf,MAAM,6BAA6B,CAAC;AAIrC,OAAO,KAAK,QAAQ,MAAM,YAAY,CAAC;AACvC,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAK3C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAKvC,MAAM,WAAW,OAAO;IACtB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;OAGG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;;OAGG;IACH,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,SAAS;IACxB,CAAC,MAAM,EAAE,KAAK,GAAG,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACxD;AACD,MAAM,WAAW,YAAY;IAC3B,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAClE;AAED,MAAM,MAAM,yBAAyB,GAAG,CACtC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,KAAK,EACb,OAAO,CAAC,EAAE,OAAO,KACd,OAAO,CAAC,IAAI,CAAC,CAAC;AAEnB,MAAM,MAAM,wBAAwB,GAAG,CACrC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,KAAK,EACb,OAAO,CAAC,EAAE,OAAO,KACd,OAAO,CAAC,IAAI,CAAC,CAAC;AAEnB,UAAU,UAAU;IAClB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,KAAK,CAAC;CACpC;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC;CACrB;AAED,QAAA,MAAM,mBAAmB,SAAU,UAAU;;mBA8FlC,OAAO,MAAM,EAAE,OAAO,CAAC,UACtB,KAAK,kCAC0B,OAAO;;;;;CA0KjD,CAAC;AAEF,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAErD,MAAM,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/validate/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAM1C,OAAO,EACL,KAAK,SAAS,EAGf,MAAM,6BAA6B,CAAC;AAIrC,OAAO,KAAK,QAAQ,MAAM,YAAY,CAAC;AACvC,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAK3C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAMvC,MAAM,WAAW,OAAO;IACtB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;OAGG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;;OAGG;IACH,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,SAAS;IACxB,CAAC,MAAM,EAAE,KAAK,GAAG,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACxD;AACD,MAAM,WAAW,YAAY;IAC3B,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAClE;AAED,MAAM,MAAM,yBAAyB,GAAG,CACtC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,KAAK,EACb,OAAO,CAAC,EAAE,OAAO,KACd,OAAO,CAAC,IAAI,CAAC,CAAC;AAEnB,MAAM,MAAM,wBAAwB,GAAG,CACrC,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,KAAK,EACb,OAAO,CAAC,EAAE,OAAO,KACd,OAAO,CAAC,IAAI,CAAC,CAAC;AAEnB,UAAU,UAAU;IAClB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,KAAK,CAAC;CACpC;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC;CACrB;AAED,QAAA,MAAM,mBAAmB,SAAU,UAAU;;mBA8FlC,OAAO,MAAM,EAAE,OAAO,CAAC,UACtB,KAAK,kCAC0B,OAAO;;;;;CA+KjD,CAAC;AAEF,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAErD,MAAM,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC"}
package/dist/validate/index.js CHANGED
@@ -14,6 +14,7 @@ var querySort = require('../traverse/query-sort.js');
14
14
  var queryPopulate = require('../traverse/query-populate.js');
15
15
  require('../traverse/query-fields.js');
16
16
  var errors = require('../errors.js');
17
+ var publicationFilter = require('../publication-filter.js');
17
18
  var throwUnrecognizedFields = require('./visitors/throw-unrecognized-fields.js');
18
19
  var throwRestrictedRelations = require('./visitors/throw-restricted-relations.js');
19
20
  var throwRestrictedFields = require('./visitors/throw-restricted-fields.js');
@@ -112,6 +113,10 @@ const createAPIValidators = (opts)=>{
112
113
  if (!schema) {
113
114
  throw new Error('Missing schema in validateQuery');
114
115
  }
116
+ // Core allowlisted params are not covered by route.request.query Zod (see getExtraQueryKeysFromRoute).
117
+ if ('publicationFilter' in query) {
118
+ publicationFilter.validatePublicationFilterQueryParam(query.publicationFilter);
119
+ }
115
120
  if (strictParams) {
116
121
  const extraQueryKeys = contentApiRouteParams.getExtraQueryKeysFromRoute(route);
117
122
  const allowedKeys = [
package/dist/validate/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sources":["../../src/validate/index.ts"],"sourcesContent":["import { CurriedFunction1 } from 'lodash';\nimport { isArray, isObject } from 'lodash/fp';\nimport type { z } from 'zod/v4';\n\nimport { getNonWritableAttributes, constants } from '../content-types';\nimport { ALLOWED_QUERY_PARAM_KEYS } from '../content-api-constants';\nimport {\n type RouteLike,\n getExtraQueryKeysFromRoute,\n getExtraRootKeysFromRouteBody,\n} from '../content-api-route-params';\nimport { pipe as pipeAsync } from '../async';\nimport { throwInvalidKey } from './utils';\n\nimport * as visitors from './visitors';\nimport * as validators from './validators';\nimport traverseEntity from '../traverse-entity';\n\nimport { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } from '../traverse';\n\nimport { Model, Data } from '../types';\nimport { ValidationError } from '../errors';\n\nconst { ID_ATTRIBUTE, DOC_ID_ATTRIBUTE } = constants;\n\nexport interface Options {\n auth?: unknown;\n /**\n * If true, validateQuery throws when the query has any top-level key not in the allowed list.\n * Defaults to false for backward compatibility.\n */\n strictParams?: boolean;\n /**\n * When set, extra query/input params are derived from the route's request schema (and validated with Zod).\n * When absent, no extra params are allowed in strict mode.\n */\n route?: RouteLike;\n}\n\nexport interface Validator {\n (schema: Model): CurriedFunction1<Data, Promise<Data>>;\n}\nexport interface ValidateFunc {\n (data: unknown, schema: Model, options?: Options): Promise<void>;\n}\n\nexport type ValidateQueryParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<void>;\n\nexport type ValidateBodyParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<void>;\n\ninterface APIOptions {\n validators?: Validators;\n getModel: (model: string) => Model;\n}\n\nexport interface Validators {\n input?: Validator[];\n}\n\nconst createAPIValidators = (opts: APIOptions) => {\n const { getModel } = opts || {};\n\n const validateInput: ValidateFunc = async (data: unknown, schema: Model, options = {}) => {\n const { auth, route } = options;\n if (!schema) {\n throw new Error('Missing schema in validateInput');\n }\n\n if (isArray(data)) {\n await Promise.all(data.map((entry) => validateInput(entry, schema, options)));\n return;\n }\n\n const allowedExtraRootKeys = getExtraRootKeysFromRouteBody(route);\n\n const nonWritableAttributes = getNonWritableAttributes(schema);\n\n const transforms = [\n (data: unknown) => {\n if (isObject(data)) {\n if (ID_ATTRIBUTE in data) {\n throwInvalidKey({ key: ID_ATTRIBUTE });\n }\n\n if (DOC_ID_ATTRIBUTE in data) {\n throwInvalidKey({ key: DOC_ID_ATTRIBUTE });\n }\n }\n return data;\n },\n // non-writable attributes\n traverseEntity(visitors.throwRestrictedFields(nonWritableAttributes), { schema, getModel }),\n // unrecognized attributes (allowedExtraRootKeys = registered input param keys)\n traverseEntity(visitors.throwUnrecognizedFields, {\n schema,\n getModel,\n allowedExtraRootKeys,\n }),\n ];\n\n if (auth) {\n // restricted relations\n transforms.push(\n traverseEntity(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n // Apply validators from registry if exists\n opts?.validators?.input?.forEach((validator: Validator) => transforms.push(validator(schema)));\n\n try {\n await pipeAsync(...transforms)(data as Data);\n\n // Validate extra root keys from route's body schema with Zod (throw on failure).\n //\n // Content-api sends the document payload as body.data; the controller calls validateInput(body.data, ctx),\n // so the input we receive here is the inner payload (keys like \"relatedMedia\", \"name\"), not the full body.\n // The route's body schema is z.object({ data: ... }), so its shape includes \"data\". We skip \"data\" because\n // the main document payload is already validated above by traverseEntity (throwUnrecognizedFields, etc.);\n // relation ops (connect/disconnect/set) are handled there, not by the route's Zod schema. We only run\n // Zod here for truly extra root keys added via addInputParams (e.g. clientMutationId).\n if (isObject(data) && route?.request?.body?.['application/json']) {\n const bodySchema = route.request.body['application/json'];\n if (typeof bodySchema === 'object' && 'shape' in bodySchema) {\n const shape = (bodySchema as { shape: Record<string, z.ZodTypeAny> }).shape;\n const dataObj = data as Record<string, unknown>;\n for (const key of Object.keys(shape)) {\n if (key === 'data' || !(key in dataObj)) continue;\n const zodSchema = shape[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).parse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(dataObj[key]);\n if (!result.success) {\n throw new ValidationError(\n (result.error?.message as string) ?? 'Validation failed',\n { key, path: null, source: 'body', param: key }\n );\n }\n }\n }\n }\n }\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'body';\n }\n throw e;\n }\n };\n\n const validateQuery = async (\n query: Record<string, unknown>,\n schema: Model,\n { auth, strictParams = false, route }: Options = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in validateQuery');\n }\n\n if (strictParams) {\n const extraQueryKeys = getExtraQueryKeysFromRoute(route);\n const allowedKeys = [...ALLOWED_QUERY_PARAM_KEYS, ...extraQueryKeys];\n for (const key of Object.keys(query)) {\n if (!allowedKeys.includes(key)) {\n try {\n throwInvalidKey({ key, path: null });\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = key;\n }\n throw e;\n }\n }\n }\n // Validate extra query keys from route's request schema with Zod (throw on failure)\n const routeQuerySchema = route?.request?.query;\n if (routeQuerySchema) {\n for (const key of extraQueryKeys) {\n if (key in query) {\n const zodSchema = routeQuerySchema[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).parse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(query[key]);\n if (!result.success) {\n throw new ValidationError(\n (result.error?.message as string) ?? 'Invalid query param',\n { key, path: null, source: 'query', param: key }\n );\n }\n }\n }\n }\n }\n }\n\n const { filters, sort, fields, populate } = query;\n\n if (filters) {\n await validateFilters(filters, schema, { auth });\n }\n\n if (sort) {\n await validateSort(sort, schema, { auth });\n }\n\n if (fields) {\n await validateFields(fields, schema);\n }\n\n // a wildcard is always valid; its conversion will be handled by the entity service and can be optimized with sanitizer\n if (populate && populate !== '*') {\n await validatePopulate(populate, schema);\n }\n };\n\n const validateFilters: ValidateFunc = async (filters, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in validateFilters');\n }\n if (isArray(filters)) {\n await Promise.all(filters.map((filter) => validateFilters(filter, schema, { auth })));\n return;\n }\n\n const transforms = [validators.defaultValidateFilters({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryFilters(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(filters);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'filters';\n }\n throw e;\n }\n };\n\n const validateSort: ValidateFunc = async (sort, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in validateSort');\n }\n const transforms = [validators.defaultValidateSort({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQuerySort(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(sort);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'sort';\n }\n throw e;\n }\n };\n\n const validateFields: ValidateFunc = async (fields, schema: Model) => {\n if (!schema) {\n throw new Error('Missing schema in validateFields');\n }\n const transforms = [validators.defaultValidateFields({ schema, getModel })];\n\n try {\n await pipeAsync(...transforms)(fields);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'fields';\n }\n throw e;\n }\n };\n\n const validatePopulate: ValidateFunc = async (populate, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizePopulate');\n }\n const transforms = [validators.defaultValidatePopulate({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryPopulate(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(populate);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'populate';\n }\n throw e;\n }\n };\n\n return {\n input: validateInput,\n query: validateQuery,\n filters: validateFilters,\n sort: validateSort,\n fields: validateFields,\n populate: validatePopulate,\n };\n};\n\nexport { createAPIValidators, validators, visitors };\n\nexport type APIValidators = ReturnType<typeof createAPIValidators>;\n"],"names":["ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","constants","createAPIValidators","opts","getModel","validateInput","data","schema","options","auth","route","Error","isArray","Promise","all","map","entry","allowedExtraRootKeys","getExtraRootKeysFromRouteBody","nonWritableAttributes","getNonWritableAttributes","transforms","isObject","throwInvalidKey","key","traverseEntity","visitors","push","validators","input","forEach","validator","pipeAsync","request","body","bodySchema","shape","dataObj","Object","keys","zodSchema","parse","result","safeParse","success","ValidationError","error","message","path","source","param","e","details","validateQuery","query","strictParams","extraQueryKeys","getExtraQueryKeysFromRoute","allowedKeys","ALLOWED_QUERY_PARAM_KEYS","includes","routeQuerySchema","filters","sort","fields","populate","validateFilters","validateSort","validateFields","validatePopulate","filter","traverseQueryFilters","traverseQuerySort","traverseQueryPopulate"],"mappings":";;;;;;;;;;;;;;;;;;;;AAuBA,MAAM,EAAEA,YAAY,EAAEC,gBAAgB,EAAE,GAAGC,sBAAAA;AA4C3C,MAAMC,sBAAsB,CAACC,IAAAA,GAAAA;AAC3B,IAAA,MAAM,EAAEC,QAAQ,EAAE,GAAGD,QAAQ,EAAC;AAE9B,IAAA,MAAME,gBAA8B,OAAOC,IAAAA,EAAeC,MAAAA,EAAeC,OAAAA,GAAU,EAAE,GAAA;AACnF,QAAA,MAAM,EAAEC,IAAI,EAAEC,KAAK,EAAE,GAAGF,OAAAA;AACxB,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AAEA,QAAA,IAAIC,WAAQN,IAAAA,CAAAA,EAAO;YACjB,MAAMO,OAAAA,CAAQC,GAAG,CAACR,IAAAA,CAAKS,GAAG,CAAC,CAACC,KAAAA,GAAUX,aAAAA,CAAcW,KAAAA,EAAOT,MAAAA,EAAQC,OAAAA,CAAAA,CAAAA,CAAAA;AACnE,YAAA;AACF,QAAA;AAEA,QAAA,MAAMS,uBAAuBC,mDAAAA,CAA8BR,KAAAA,CAAAA;AAE3D,QAAA,MAAMS,wBAAwBC,qCAAAA,CAAyBb,MAAAA,CAAAA;AAEvD,QAAA,MAAMc,UAAAA,GAAa;YACjB,CAACf,IAAAA,GAAAA;AACC,gBAAA,IAAIgB,YAAShB,IAAAA,CAAAA,EAAO;AAClB,oBAAA,IAAIP,gBAAgBO,IAAAA,EAAM;wBACxBiB,qBAAAA,CAAgB;4BAAEC,GAAAA,EAAKzB;AAAa,yBAAA,CAAA;AACtC,oBAAA;AAEA,oBAAA,IAAIC,oBAAoBM,IAAAA,EAAM;wBAC5BiB,qBAAAA,CAAgB;4BAAEC,GAAAA,EAAKxB;AAAiB,yBAAA,CAAA;AAC1C,oBAAA;AACF,gBAAA;gBACA,OAAOM,IAAAA;AACT,YAAA,CAAA;;YAEAmB,cAAAA,CAAeC,qBAA8B,CAACP,qBAAAA,CAAAA,EAAwB;AAAEZ,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA;;YAEzFqB,cAAAA,CAAeC,uBAAgC,EAAE;AAC/CnB,gBAAAA,MAAAA;AACAH,gBAAAA,QAAAA;AACAa,gBAAAA;AACF,aAAA;AACD,SAAA;AAED,QAAA,IAAIR,IAAAA,EAAM;;AAERY,YAAAA,UAAAA,CAAWM,IAAI,CACbF,cAAAA,CAAeC,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AACtDF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;;QAGAD,IAAAA,EAAMyB,UAAAA,EAAYC,OAAOC,OAAAA,CAAQ,CAACC,YAAyBV,UAAAA,CAAWM,IAAI,CAACI,SAAAA,CAAUxB,MAAAA,CAAAA,CAAAA,CAAAA;QAErF,IAAI;AACF,YAAA,MAAMyB,cAAaX,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;;;;;;;;;AAU/B,YAAA,IAAIgB,YAAShB,IAAAA,CAAAA,IAASI,KAAAA,EAAOuB,SAASC,IAAAA,GAAO,mBAAmB,EAAE;AAChE,gBAAA,MAAMC,aAAazB,KAAAA,CAAMuB,OAAO,CAACC,IAAI,CAAC,kBAAA,CAAmB;AACzD,gBAAA,IAAI,OAAOC,UAAAA,KAAe,QAAA,IAAY,OAAA,IAAWA,UAAAA,EAAY;oBAC3D,MAAMC,KAAAA,GAAQ,UAACD,CAAuDC,KAAK;AAC3E,oBAAA,MAAMC,OAAAA,GAAU/B,IAAAA;AAChB,oBAAA,KAAK,MAAMkB,GAAAA,IAAOc,MAAAA,CAAOC,IAAI,CAACH,KAAAA,CAAAA,CAAQ;AACpC,wBAAA,IAAIZ,QAAQ,MAAA,IAAU,EAAEA,GAAAA,IAAOa,OAAM,CAAA,EAAI;wBACzC,MAAMG,SAAAA,GAAYJ,KAAK,CAACZ,GAAAA,CAAI;AAC5B,wBAAA,IAAIgB,aAAa,OAAQA,SAAAA,CAA2BC,KAAK,KAAK,UAAA,EAAY;AACxE,4BAAA,MAAMC,SAAS,SAACF,CAA2BG,SAAS,CAACN,OAAO,CAACb,GAAAA,CAAI,CAAA;4BACjE,IAAI,CAACkB,MAAAA,CAAOE,OAAO,EAAE;AACnB,gCAAA,MAAM,IAAIC,sBAAAA,CACPH,OAAOI,KAAK,EAAEC,WAAsB,mBAAA,EACrC;AAAEvB,oCAAAA,GAAAA;oCAAKwB,IAAAA,EAAM,IAAA;oCAAMC,MAAAA,EAAQ,MAAA;oCAAQC,KAAAA,EAAO1B;AAAI,iCAAA,CAAA;AAElD,4BAAA;AACF,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA,CAAA,CAAE,OAAO2B,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,MAAA;AACrB,YAAA;YACA,MAAME,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;AAEA,IAAA,MAAME,aAAAA,GAAgB,OACpBC,KAAAA,EACA/C,MAAAA,EACA,EAAEE,IAAI,EAAE8C,YAAAA,GAAe,KAAK,EAAE7C,KAAK,EAAW,GAAG,EAAE,GAAA;AAEnD,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AAEA,QAAA,IAAI4C,YAAAA,EAAc;AAChB,YAAA,MAAMC,iBAAiBC,gDAAAA,CAA2B/C,KAAAA,CAAAA;AAClD,YAAA,MAAMgD,WAAAA,GAAc;AAAIC,gBAAAA,GAAAA,4CAAAA;AAA6BH,gBAAAA,GAAAA;AAAe,aAAA;AACpE,YAAA,KAAK,MAAMhC,GAAAA,IAAOc,MAAAA,CAAOC,IAAI,CAACe,KAAAA,CAAAA,CAAQ;AACpC,gBAAA,IAAI,CAACI,WAAAA,CAAYE,QAAQ,CAACpC,GAAAA,CAAAA,EAAM;oBAC9B,IAAI;wBACFD,qBAAAA,CAAgB;AAAEC,4BAAAA,GAAAA;4BAAKwB,IAAAA,EAAM;AAAK,yBAAA,CAAA;AACpC,oBAAA,CAAA,CAAE,OAAOG,CAAAA,EAAG;AACV,wBAAA,IAAIA,aAAaN,sBAAAA,EAAiB;4BAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;4BACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG1B,GAAAA;AACpB,wBAAA;wBACA,MAAM2B,CAAAA;AACR,oBAAA;AACF,gBAAA;AACF,YAAA;;YAEA,MAAMU,gBAAAA,GAAmBnD,OAAOuB,OAAAA,EAASqB,KAAAA;AACzC,YAAA,IAAIO,gBAAAA,EAAkB;gBACpB,KAAK,MAAMrC,OAAOgC,cAAAA,CAAgB;AAChC,oBAAA,IAAIhC,OAAO8B,KAAAA,EAAO;wBAChB,MAAMd,SAAAA,GAAYqB,gBAAgB,CAACrC,GAAAA,CAAI;AACvC,wBAAA,IAAIgB,aAAa,OAAQA,SAAAA,CAA2BC,KAAK,KAAK,UAAA,EAAY;AACxE,4BAAA,MAAMC,SAAS,SAACF,CAA2BG,SAAS,CAACW,KAAK,CAAC9B,GAAAA,CAAI,CAAA;4BAC/D,IAAI,CAACkB,MAAAA,CAAOE,OAAO,EAAE;AACnB,gCAAA,MAAM,IAAIC,sBAAAA,CACPH,OAAOI,KAAK,EAAEC,WAAsB,qBAAA,EACrC;AAAEvB,oCAAAA,GAAAA;oCAAKwB,IAAAA,EAAM,IAAA;oCAAMC,MAAAA,EAAQ,OAAA;oCAASC,KAAAA,EAAO1B;AAAI,iCAAA,CAAA;AAEnD,4BAAA;AACF,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA;QAEA,MAAM,EAAEsC,OAAO,EAAEC,IAAI,EAAEC,MAAM,EAAEC,QAAQ,EAAE,GAAGX,KAAAA;AAE5C,QAAA,IAAIQ,OAAAA,EAAS;YACX,MAAMI,eAAAA,CAAgBJ,SAASvD,MAAAA,EAAQ;AAAEE,gBAAAA;AAAK,aAAA,CAAA;AAChD,QAAA;AAEA,QAAA,IAAIsD,IAAAA,EAAM;YACR,MAAMI,YAAAA,CAAaJ,MAAMxD,MAAAA,EAAQ;AAAEE,gBAAAA;AAAK,aAAA,CAAA;AAC1C,QAAA;AAEA,QAAA,IAAIuD,MAAAA,EAAQ;AACV,YAAA,MAAMI,eAAeJ,MAAAA,EAAQzD,MAAAA,CAAAA;AAC/B,QAAA;;QAGA,IAAI0D,QAAAA,IAAYA,aAAa,GAAA,EAAK;AAChC,YAAA,MAAMI,iBAAiBJ,QAAAA,EAAU1D,MAAAA,CAAAA;AACnC,QAAA;AACF,IAAA,CAAA;IAEA,MAAM2D,eAAAA,GAAgC,OAAOJ,OAAAA,EAASvD,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAChF,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,mCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,WAAQkD,OAAAA,CAAAA,EAAU;YACpB,MAAMjD,OAAAA,CAAQC,GAAG,CAACgD,OAAAA,CAAQ/C,GAAG,CAAC,CAACuD,MAAAA,GAAWJ,eAAAA,CAAgBI,MAAAA,EAAQ/D,MAAAA,EAAQ;AAAEE,oBAAAA;AAAK,iBAAA,CAAA,CAAA,CAAA;AACjF,YAAA;AACF,QAAA;AAEA,QAAA,MAAMY,UAAAA,GAAa;AAACO,YAAAA,iCAAiC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE5E,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb4C,YAAAA,CAAqB7C,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AAC5DF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,cAAaX,UAAAA,CAAAA,CAAYyC,OAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOX,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,SAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMgB,YAAAA,GAA6B,OAAOJ,IAAAA,EAAMxD,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAC1E,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,gCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,8BAA8B,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAEzE,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb6C,SAAAA,CAAkB9C,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AACzDF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,cAAaX,UAAAA,CAAAA,CAAY0C,IAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOZ,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,MAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMiB,cAAAA,GAA+B,OAAOJ,MAAAA,EAAQzD,MAAAA,GAAAA;AAClD,QAAA,IAAI,CAACA,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,gCAAgC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;QAE3E,IAAI;AACF,YAAA,MAAM4B,cAAaX,UAAAA,CAAAA,CAAY2C,MAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOb,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,QAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMkB,gBAAAA,GAAiC,OAAOJ,QAAAA,EAAU1D,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAClF,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,oCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,kCAAkC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE7E,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb8C,aAAAA,CAAsB/C,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AAC7DF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,cAAaX,UAAAA,CAAAA,CAAY4C,QAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOd,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,UAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,OAAO;QACLtB,KAAAA,EAAOxB,aAAAA;QACPiD,KAAAA,EAAOD,aAAAA;QACPS,OAAAA,EAASI,eAAAA;QACTH,IAAAA,EAAMI,YAAAA;QACNH,MAAAA,EAAQI,cAAAA;QACRH,QAAAA,EAAUI;AACZ,KAAA;AACF;;;;;;"}
1
+ {"version":3,"file":"index.js","sources":["../../src/validate/index.ts"],"sourcesContent":["import { CurriedFunction1 } from 'lodash';\nimport { isArray, isObject } from 'lodash/fp';\nimport type { z } from 'zod/v4';\n\nimport { getNonWritableAttributes, constants } from '../content-types';\nimport { ALLOWED_QUERY_PARAM_KEYS } from '../content-api-constants';\nimport {\n type RouteLike,\n getExtraQueryKeysFromRoute,\n getExtraRootKeysFromRouteBody,\n} from '../content-api-route-params';\nimport { pipe as pipeAsync } from '../async';\nimport { throwInvalidKey } from './utils';\n\nimport * as visitors from './visitors';\nimport * as validators from './validators';\nimport traverseEntity from '../traverse-entity';\n\nimport { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } from '../traverse';\n\nimport { Model, Data } from '../types';\nimport { ValidationError } from '../errors';\nimport { validatePublicationFilterQueryParam } from '../publication-filter';\n\nconst { ID_ATTRIBUTE, DOC_ID_ATTRIBUTE } = constants;\n\nexport interface Options {\n auth?: unknown;\n /**\n * If true, validateQuery throws when the query has any top-level key not in the allowed list.\n * Defaults to false for backward compatibility.\n */\n strictParams?: boolean;\n /**\n * When set, extra query/input params are derived from the route's request schema (and validated with Zod).\n * When absent, no extra params are allowed in strict mode.\n */\n route?: RouteLike;\n}\n\nexport interface Validator {\n (schema: Model): CurriedFunction1<Data, Promise<Data>>;\n}\nexport interface ValidateFunc {\n (data: unknown, schema: Model, options?: Options): Promise<void>;\n}\n\nexport type ValidateQueryParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<void>;\n\nexport type ValidateBodyParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<void>;\n\ninterface APIOptions {\n validators?: Validators;\n getModel: (model: string) => Model;\n}\n\nexport interface Validators {\n input?: Validator[];\n}\n\nconst createAPIValidators = (opts: APIOptions) => {\n const { getModel } = opts || {};\n\n const validateInput: ValidateFunc = async (data: unknown, schema: Model, options = {}) => {\n const { auth, route } = options;\n if (!schema) {\n throw new Error('Missing schema in validateInput');\n }\n\n if (isArray(data)) {\n await Promise.all(data.map((entry) => validateInput(entry, schema, options)));\n return;\n }\n\n const allowedExtraRootKeys = getExtraRootKeysFromRouteBody(route);\n\n const nonWritableAttributes = getNonWritableAttributes(schema);\n\n const transforms = [\n (data: unknown) => {\n if (isObject(data)) {\n if (ID_ATTRIBUTE in data) {\n throwInvalidKey({ key: ID_ATTRIBUTE });\n }\n\n if (DOC_ID_ATTRIBUTE in data) {\n throwInvalidKey({ key: DOC_ID_ATTRIBUTE });\n }\n }\n return data;\n },\n // non-writable attributes\n traverseEntity(visitors.throwRestrictedFields(nonWritableAttributes), { schema, getModel }),\n // unrecognized attributes (allowedExtraRootKeys = registered input param keys)\n traverseEntity(visitors.throwUnrecognizedFields, {\n schema,\n getModel,\n allowedExtraRootKeys,\n }),\n ];\n\n if (auth) {\n // restricted relations\n transforms.push(\n traverseEntity(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n // Apply validators from registry if exists\n opts?.validators?.input?.forEach((validator: Validator) => transforms.push(validator(schema)));\n\n try {\n await pipeAsync(...transforms)(data as Data);\n\n // Validate extra root keys from route's body schema with Zod (throw on failure).\n //\n // Content-api sends the document payload as body.data; the controller calls validateInput(body.data, ctx),\n // so the input we receive here is the inner payload (keys like \"relatedMedia\", \"name\"), not the full body.\n // The route's body schema is z.object({ data: ... }), so its shape includes \"data\". We skip \"data\" because\n // the main document payload is already validated above by traverseEntity (throwUnrecognizedFields, etc.);\n // relation ops (connect/disconnect/set) are handled there, not by the route's Zod schema. We only run\n // Zod here for truly extra root keys added via addInputParams (e.g. clientMutationId).\n if (isObject(data) && route?.request?.body?.['application/json']) {\n const bodySchema = route.request.body['application/json'];\n if (typeof bodySchema === 'object' && 'shape' in bodySchema) {\n const shape = (bodySchema as { shape: Record<string, z.ZodTypeAny> }).shape;\n const dataObj = data as Record<string, unknown>;\n for (const key of Object.keys(shape)) {\n if (key === 'data' || !(key in dataObj)) continue;\n const zodSchema = shape[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).parse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(dataObj[key]);\n if (!result.success) {\n throw new ValidationError(\n (result.error?.message as string) ?? 'Validation failed',\n { key, path: null, source: 'body', param: key }\n );\n }\n }\n }\n }\n }\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'body';\n }\n throw e;\n }\n };\n\n const validateQuery = async (\n query: Record<string, unknown>,\n schema: Model,\n { auth, strictParams = false, route }: Options = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in validateQuery');\n }\n\n // Core allowlisted params are not covered by route.request.query Zod (see getExtraQueryKeysFromRoute).\n if ('publicationFilter' in query) {\n validatePublicationFilterQueryParam(query.publicationFilter);\n }\n\n if (strictParams) {\n const extraQueryKeys = getExtraQueryKeysFromRoute(route);\n const allowedKeys = [...ALLOWED_QUERY_PARAM_KEYS, ...extraQueryKeys];\n for (const key of Object.keys(query)) {\n if (!allowedKeys.includes(key)) {\n try {\n throwInvalidKey({ key, path: null });\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = key;\n }\n throw e;\n }\n }\n }\n // Validate extra query keys from route's request schema with Zod (throw on failure)\n const routeQuerySchema = route?.request?.query;\n if (routeQuerySchema) {\n for (const key of extraQueryKeys) {\n if (key in query) {\n const zodSchema = routeQuerySchema[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).parse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(query[key]);\n if (!result.success) {\n throw new ValidationError(\n (result.error?.message as string) ?? 'Invalid query param',\n { key, path: null, source: 'query', param: key }\n );\n }\n }\n }\n }\n }\n }\n\n const { filters, sort, fields, populate } = query;\n\n if (filters) {\n await validateFilters(filters, schema, { auth });\n }\n\n if (sort) {\n await validateSort(sort, schema, { auth });\n }\n\n if (fields) {\n await validateFields(fields, schema);\n }\n\n // a wildcard is always valid; its conversion will be handled by the entity service and can be optimized with sanitizer\n if (populate && populate !== '*') {\n await validatePopulate(populate, schema);\n }\n };\n\n const validateFilters: ValidateFunc = async (filters, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in validateFilters');\n }\n if (isArray(filters)) {\n await Promise.all(filters.map((filter) => validateFilters(filter, schema, { auth })));\n return;\n }\n\n const transforms = [validators.defaultValidateFilters({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryFilters(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(filters);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'filters';\n }\n throw e;\n }\n };\n\n const validateSort: ValidateFunc = async (sort, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in validateSort');\n }\n const transforms = [validators.defaultValidateSort({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQuerySort(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(sort);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'sort';\n }\n throw e;\n }\n };\n\n const validateFields: ValidateFunc = async (fields, schema: Model) => {\n if (!schema) {\n throw new Error('Missing schema in validateFields');\n }\n const transforms = [validators.defaultValidateFields({ schema, getModel })];\n\n try {\n await pipeAsync(...transforms)(fields);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'fields';\n }\n throw e;\n }\n };\n\n const validatePopulate: ValidateFunc = async (populate, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizePopulate');\n }\n const transforms = [validators.defaultValidatePopulate({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryPopulate(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(populate);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'populate';\n }\n throw e;\n }\n };\n\n return {\n input: validateInput,\n query: validateQuery,\n filters: validateFilters,\n sort: validateSort,\n fields: validateFields,\n populate: validatePopulate,\n };\n};\n\nexport { createAPIValidators, validators, visitors };\n\nexport type APIValidators = ReturnType<typeof createAPIValidators>;\n"],"names":["ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","constants","createAPIValidators","opts","getModel","validateInput","data","schema","options","auth","route","Error","isArray","Promise","all","map","entry","allowedExtraRootKeys","getExtraRootKeysFromRouteBody","nonWritableAttributes","getNonWritableAttributes","transforms","isObject","throwInvalidKey","key","traverseEntity","visitors","push","validators","input","forEach","validator","pipeAsync","request","body","bodySchema","shape","dataObj","Object","keys","zodSchema","parse","result","safeParse","success","ValidationError","error","message","path","source","param","e","details","validateQuery","query","strictParams","validatePublicationFilterQueryParam","publicationFilter","extraQueryKeys","getExtraQueryKeysFromRoute","allowedKeys","ALLOWED_QUERY_PARAM_KEYS","includes","routeQuerySchema","filters","sort","fields","populate","validateFilters","validateSort","validateFields","validatePopulate","filter","traverseQueryFilters","traverseQuerySort","traverseQueryPopulate"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAwBA,MAAM,EAAEA,YAAY,EAAEC,gBAAgB,EAAE,GAAGC,sBAAAA;AA4C3C,MAAMC,sBAAsB,CAACC,IAAAA,GAAAA;AAC3B,IAAA,MAAM,EAAEC,QAAQ,EAAE,GAAGD,QAAQ,EAAC;AAE9B,IAAA,MAAME,gBAA8B,OAAOC,IAAAA,EAAeC,MAAAA,EAAeC,OAAAA,GAAU,EAAE,GAAA;AACnF,QAAA,MAAM,EAAEC,IAAI,EAAEC,KAAK,EAAE,GAAGF,OAAAA;AACxB,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AAEA,QAAA,IAAIC,WAAQN,IAAAA,CAAAA,EAAO;YACjB,MAAMO,OAAAA,CAAQC,GAAG,CAACR,IAAAA,CAAKS,GAAG,CAAC,CAACC,KAAAA,GAAUX,aAAAA,CAAcW,KAAAA,EAAOT,MAAAA,EAAQC,OAAAA,CAAAA,CAAAA,CAAAA;AACnE,YAAA;AACF,QAAA;AAEA,QAAA,MAAMS,uBAAuBC,mDAAAA,CAA8BR,KAAAA,CAAAA;AAE3D,QAAA,MAAMS,wBAAwBC,qCAAAA,CAAyBb,MAAAA,CAAAA;AAEvD,QAAA,MAAMc,UAAAA,GAAa;YACjB,CAACf,IAAAA,GAAAA;AACC,gBAAA,IAAIgB,YAAShB,IAAAA,CAAAA,EAAO;AAClB,oBAAA,IAAIP,gBAAgBO,IAAAA,EAAM;wBACxBiB,qBAAAA,CAAgB;4BAAEC,GAAAA,EAAKzB;AAAa,yBAAA,CAAA;AACtC,oBAAA;AAEA,oBAAA,IAAIC,oBAAoBM,IAAAA,EAAM;wBAC5BiB,qBAAAA,CAAgB;4BAAEC,GAAAA,EAAKxB;AAAiB,yBAAA,CAAA;AAC1C,oBAAA;AACF,gBAAA;gBACA,OAAOM,IAAAA;AACT,YAAA,CAAA;;YAEAmB,cAAAA,CAAeC,qBAA8B,CAACP,qBAAAA,CAAAA,EAAwB;AAAEZ,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA;;YAEzFqB,cAAAA,CAAeC,uBAAgC,EAAE;AAC/CnB,gBAAAA,MAAAA;AACAH,gBAAAA,QAAAA;AACAa,gBAAAA;AACF,aAAA;AACD,SAAA;AAED,QAAA,IAAIR,IAAAA,EAAM;;AAERY,YAAAA,UAAAA,CAAWM,IAAI,CACbF,cAAAA,CAAeC,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AACtDF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;;QAGAD,IAAAA,EAAMyB,UAAAA,EAAYC,OAAOC,OAAAA,CAAQ,CAACC,YAAyBV,UAAAA,CAAWM,IAAI,CAACI,SAAAA,CAAUxB,MAAAA,CAAAA,CAAAA,CAAAA;QAErF,IAAI;AACF,YAAA,MAAMyB,cAAaX,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;;;;;;;;;AAU/B,YAAA,IAAIgB,YAAShB,IAAAA,CAAAA,IAASI,KAAAA,EAAOuB,SAASC,IAAAA,GAAO,mBAAmB,EAAE;AAChE,gBAAA,MAAMC,aAAazB,KAAAA,CAAMuB,OAAO,CAACC,IAAI,CAAC,kBAAA,CAAmB;AACzD,gBAAA,IAAI,OAAOC,UAAAA,KAAe,QAAA,IAAY,OAAA,IAAWA,UAAAA,EAAY;oBAC3D,MAAMC,KAAAA,GAAQ,UAACD,CAAuDC,KAAK;AAC3E,oBAAA,MAAMC,OAAAA,GAAU/B,IAAAA;AAChB,oBAAA,KAAK,MAAMkB,GAAAA,IAAOc,MAAAA,CAAOC,IAAI,CAACH,KAAAA,CAAAA,CAAQ;AACpC,wBAAA,IAAIZ,QAAQ,MAAA,IAAU,EAAEA,GAAAA,IAAOa,OAAM,CAAA,EAAI;wBACzC,MAAMG,SAAAA,GAAYJ,KAAK,CAACZ,GAAAA,CAAI;AAC5B,wBAAA,IAAIgB,aAAa,OAAQA,SAAAA,CAA2BC,KAAK,KAAK,UAAA,EAAY;AACxE,4BAAA,MAAMC,SAAS,SAACF,CAA2BG,SAAS,CAACN,OAAO,CAACb,GAAAA,CAAI,CAAA;4BACjE,IAAI,CAACkB,MAAAA,CAAOE,OAAO,EAAE;AACnB,gCAAA,MAAM,IAAIC,sBAAAA,CACPH,OAAOI,KAAK,EAAEC,WAAsB,mBAAA,EACrC;AAAEvB,oCAAAA,GAAAA;oCAAKwB,IAAAA,EAAM,IAAA;oCAAMC,MAAAA,EAAQ,MAAA;oCAAQC,KAAAA,EAAO1B;AAAI,iCAAA,CAAA;AAElD,4BAAA;AACF,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA,CAAA,CAAE,OAAO2B,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,MAAA;AACrB,YAAA;YACA,MAAME,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;AAEA,IAAA,MAAME,aAAAA,GAAgB,OACpBC,KAAAA,EACA/C,MAAAA,EACA,EAAEE,IAAI,EAAE8C,YAAAA,GAAe,KAAK,EAAE7C,KAAK,EAAW,GAAG,EAAE,GAAA;AAEnD,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;;AAGA,QAAA,IAAI,uBAAuB2C,KAAAA,EAAO;AAChCE,YAAAA,qDAAAA,CAAoCF,MAAMG,iBAAiB,CAAA;AAC7D,QAAA;AAEA,QAAA,IAAIF,YAAAA,EAAc;AAChB,YAAA,MAAMG,iBAAiBC,gDAAAA,CAA2BjD,KAAAA,CAAAA;AAClD,YAAA,MAAMkD,WAAAA,GAAc;AAAIC,gBAAAA,GAAAA,4CAAAA;AAA6BH,gBAAAA,GAAAA;AAAe,aAAA;AACpE,YAAA,KAAK,MAAMlC,GAAAA,IAAOc,MAAAA,CAAOC,IAAI,CAACe,KAAAA,CAAAA,CAAQ;AACpC,gBAAA,IAAI,CAACM,WAAAA,CAAYE,QAAQ,CAACtC,GAAAA,CAAAA,EAAM;oBAC9B,IAAI;wBACFD,qBAAAA,CAAgB;AAAEC,4BAAAA,GAAAA;4BAAKwB,IAAAA,EAAM;AAAK,yBAAA,CAAA;AACpC,oBAAA,CAAA,CAAE,OAAOG,CAAAA,EAAG;AACV,wBAAA,IAAIA,aAAaN,sBAAAA,EAAiB;4BAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;4BACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG1B,GAAAA;AACpB,wBAAA;wBACA,MAAM2B,CAAAA;AACR,oBAAA;AACF,gBAAA;AACF,YAAA;;YAEA,MAAMY,gBAAAA,GAAmBrD,OAAOuB,OAAAA,EAASqB,KAAAA;AACzC,YAAA,IAAIS,gBAAAA,EAAkB;gBACpB,KAAK,MAAMvC,OAAOkC,cAAAA,CAAgB;AAChC,oBAAA,IAAIlC,OAAO8B,KAAAA,EAAO;wBAChB,MAAMd,SAAAA,GAAYuB,gBAAgB,CAACvC,GAAAA,CAAI;AACvC,wBAAA,IAAIgB,aAAa,OAAQA,SAAAA,CAA2BC,KAAK,KAAK,UAAA,EAAY;AACxE,4BAAA,MAAMC,SAAS,SAACF,CAA2BG,SAAS,CAACW,KAAK,CAAC9B,GAAAA,CAAI,CAAA;4BAC/D,IAAI,CAACkB,MAAAA,CAAOE,OAAO,EAAE;AACnB,gCAAA,MAAM,IAAIC,sBAAAA,CACPH,OAAOI,KAAK,EAAEC,WAAsB,qBAAA,EACrC;AAAEvB,oCAAAA,GAAAA;oCAAKwB,IAAAA,EAAM,IAAA;oCAAMC,MAAAA,EAAQ,OAAA;oCAASC,KAAAA,EAAO1B;AAAI,iCAAA,CAAA;AAEnD,4BAAA;AACF,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA;QAEA,MAAM,EAAEwC,OAAO,EAAEC,IAAI,EAAEC,MAAM,EAAEC,QAAQ,EAAE,GAAGb,KAAAA;AAE5C,QAAA,IAAIU,OAAAA,EAAS;YACX,MAAMI,eAAAA,CAAgBJ,SAASzD,MAAAA,EAAQ;AAAEE,gBAAAA;AAAK,aAAA,CAAA;AAChD,QAAA;AAEA,QAAA,IAAIwD,IAAAA,EAAM;YACR,MAAMI,YAAAA,CAAaJ,MAAM1D,MAAAA,EAAQ;AAAEE,gBAAAA;AAAK,aAAA,CAAA;AAC1C,QAAA;AAEA,QAAA,IAAIyD,MAAAA,EAAQ;AACV,YAAA,MAAMI,eAAeJ,MAAAA,EAAQ3D,MAAAA,CAAAA;AAC/B,QAAA;;QAGA,IAAI4D,QAAAA,IAAYA,aAAa,GAAA,EAAK;AAChC,YAAA,MAAMI,iBAAiBJ,QAAAA,EAAU5D,MAAAA,CAAAA;AACnC,QAAA;AACF,IAAA,CAAA;IAEA,MAAM6D,eAAAA,GAAgC,OAAOJ,OAAAA,EAASzD,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAChF,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,mCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,WAAQoD,OAAAA,CAAAA,EAAU;YACpB,MAAMnD,OAAAA,CAAQC,GAAG,CAACkD,OAAAA,CAAQjD,GAAG,CAAC,CAACyD,MAAAA,GAAWJ,eAAAA,CAAgBI,MAAAA,EAAQjE,MAAAA,EAAQ;AAAEE,oBAAAA;AAAK,iBAAA,CAAA,CAAA,CAAA;AACjF,YAAA;AACF,QAAA;AAEA,QAAA,MAAMY,UAAAA,GAAa;AAACO,YAAAA,iCAAiC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE5E,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb8C,YAAAA,CAAqB/C,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AAC5DF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,cAAaX,UAAAA,CAAAA,CAAY2C,OAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOb,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,SAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMkB,YAAAA,GAA6B,OAAOJ,IAAAA,EAAM1D,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAC1E,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,gCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,8BAA8B,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAEzE,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb+C,SAAAA,CAAkBhD,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AACzDF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,cAAaX,UAAAA,CAAAA,CAAY4C,IAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOd,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,MAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMmB,cAAAA,GAA+B,OAAOJ,MAAAA,EAAQ3D,MAAAA,GAAAA;AAClD,QAAA,IAAI,CAACA,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,gCAAgC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;QAE3E,IAAI;AACF,YAAA,MAAM4B,cAAaX,UAAAA,CAAAA,CAAY6C,MAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOf,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,QAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMoB,gBAAAA,GAAiC,OAAOJ,QAAAA,EAAU5D,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAClF,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,oCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,kCAAkC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE7E,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACbgD,aAAAA,CAAsBjD,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AAC7DF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,cAAaX,UAAAA,CAAAA,CAAY8C,QAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOhB,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,sBAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,UAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,OAAO;QACLtB,KAAAA,EAAOxB,aAAAA;QACPiD,KAAAA,EAAOD,aAAAA;QACPW,OAAAA,EAASI,eAAAA;QACTH,IAAAA,EAAMI,YAAAA;QACNH,MAAAA,EAAQI,cAAAA;QACRH,QAAAA,EAAUI;AACZ,KAAA;AACF;;;;;;"}
package/dist/validate/index.mjs CHANGED
@@ -15,6 +15,7 @@ import traverseQuerySort from '../traverse/query-sort.mjs';
15
15
  import traverseQueryPopulate from '../traverse/query-populate.mjs';
16
16
  import '../traverse/query-fields.mjs';
17
17
  import { ValidationError } from '../errors.mjs';
18
+ import { validatePublicationFilterQueryParam } from '../publication-filter.mjs';
18
19
  import throwUnrecognizedFields from './visitors/throw-unrecognized-fields.mjs';
19
20
  import throwRestrictedRelations from './visitors/throw-restricted-relations.mjs';
20
21
  import throwRestrictedFields from './visitors/throw-restricted-fields.mjs';
@@ -113,6 +114,10 @@ const createAPIValidators = (opts)=>{
113
114
  if (!schema) {
114
115
  throw new Error('Missing schema in validateQuery');
115
116
  }
117
+ // Core allowlisted params are not covered by route.request.query Zod (see getExtraQueryKeysFromRoute).
118
+ if ('publicationFilter' in query) {
119
+ validatePublicationFilterQueryParam(query.publicationFilter);
120
+ }
116
121
  if (strictParams) {
117
122
  const extraQueryKeys = getExtraQueryKeysFromRoute(route);
118
123
  const allowedKeys = [
package/dist/validate/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.mjs","sources":["../../src/validate/index.ts"],"sourcesContent":["import { CurriedFunction1 } from 'lodash';\nimport { isArray, isObject } from 'lodash/fp';\nimport type { z } from 'zod/v4';\n\nimport { getNonWritableAttributes, constants } from '../content-types';\nimport { ALLOWED_QUERY_PARAM_KEYS } from '../content-api-constants';\nimport {\n type RouteLike,\n getExtraQueryKeysFromRoute,\n getExtraRootKeysFromRouteBody,\n} from '../content-api-route-params';\nimport { pipe as pipeAsync } from '../async';\nimport { throwInvalidKey } from './utils';\n\nimport * as visitors from './visitors';\nimport * as validators from './validators';\nimport traverseEntity from '../traverse-entity';\n\nimport { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } from '../traverse';\n\nimport { Model, Data } from '../types';\nimport { ValidationError } from '../errors';\n\nconst { ID_ATTRIBUTE, DOC_ID_ATTRIBUTE } = constants;\n\nexport interface Options {\n auth?: unknown;\n /**\n * If true, validateQuery throws when the query has any top-level key not in the allowed list.\n * Defaults to false for backward compatibility.\n */\n strictParams?: boolean;\n /**\n * When set, extra query/input params are derived from the route's request schema (and validated with Zod).\n * When absent, no extra params are allowed in strict mode.\n */\n route?: RouteLike;\n}\n\nexport interface Validator {\n (schema: Model): CurriedFunction1<Data, Promise<Data>>;\n}\nexport interface ValidateFunc {\n (data: unknown, schema: Model, options?: Options): Promise<void>;\n}\n\nexport type ValidateQueryParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<void>;\n\nexport type ValidateBodyParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<void>;\n\ninterface APIOptions {\n validators?: Validators;\n getModel: (model: string) => Model;\n}\n\nexport interface Validators {\n input?: Validator[];\n}\n\nconst createAPIValidators = (opts: APIOptions) => {\n const { getModel } = opts || {};\n\n const validateInput: ValidateFunc = async (data: unknown, schema: Model, options = {}) => {\n const { auth, route } = options;\n if (!schema) {\n throw new Error('Missing schema in validateInput');\n }\n\n if (isArray(data)) {\n await Promise.all(data.map((entry) => validateInput(entry, schema, options)));\n return;\n }\n\n const allowedExtraRootKeys = getExtraRootKeysFromRouteBody(route);\n\n const nonWritableAttributes = getNonWritableAttributes(schema);\n\n const transforms = [\n (data: unknown) => {\n if (isObject(data)) {\n if (ID_ATTRIBUTE in data) {\n throwInvalidKey({ key: ID_ATTRIBUTE });\n }\n\n if (DOC_ID_ATTRIBUTE in data) {\n throwInvalidKey({ key: DOC_ID_ATTRIBUTE });\n }\n }\n return data;\n },\n // non-writable attributes\n traverseEntity(visitors.throwRestrictedFields(nonWritableAttributes), { schema, getModel }),\n // unrecognized attributes (allowedExtraRootKeys = registered input param keys)\n traverseEntity(visitors.throwUnrecognizedFields, {\n schema,\n getModel,\n allowedExtraRootKeys,\n }),\n ];\n\n if (auth) {\n // restricted relations\n transforms.push(\n traverseEntity(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n // Apply validators from registry if exists\n opts?.validators?.input?.forEach((validator: Validator) => transforms.push(validator(schema)));\n\n try {\n await pipeAsync(...transforms)(data as Data);\n\n // Validate extra root keys from route's body schema with Zod (throw on failure).\n //\n // Content-api sends the document payload as body.data; the controller calls validateInput(body.data, ctx),\n // so the input we receive here is the inner payload (keys like \"relatedMedia\", \"name\"), not the full body.\n // The route's body schema is z.object({ data: ... }), so its shape includes \"data\". We skip \"data\" because\n // the main document payload is already validated above by traverseEntity (throwUnrecognizedFields, etc.);\n // relation ops (connect/disconnect/set) are handled there, not by the route's Zod schema. We only run\n // Zod here for truly extra root keys added via addInputParams (e.g. clientMutationId).\n if (isObject(data) && route?.request?.body?.['application/json']) {\n const bodySchema = route.request.body['application/json'];\n if (typeof bodySchema === 'object' && 'shape' in bodySchema) {\n const shape = (bodySchema as { shape: Record<string, z.ZodTypeAny> }).shape;\n const dataObj = data as Record<string, unknown>;\n for (const key of Object.keys(shape)) {\n if (key === 'data' || !(key in dataObj)) continue;\n const zodSchema = shape[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).parse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(dataObj[key]);\n if (!result.success) {\n throw new ValidationError(\n (result.error?.message as string) ?? 'Validation failed',\n { key, path: null, source: 'body', param: key }\n );\n }\n }\n }\n }\n }\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'body';\n }\n throw e;\n }\n };\n\n const validateQuery = async (\n query: Record<string, unknown>,\n schema: Model,\n { auth, strictParams = false, route }: Options = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in validateQuery');\n }\n\n if (strictParams) {\n const extraQueryKeys = getExtraQueryKeysFromRoute(route);\n const allowedKeys = [...ALLOWED_QUERY_PARAM_KEYS, ...extraQueryKeys];\n for (const key of Object.keys(query)) {\n if (!allowedKeys.includes(key)) {\n try {\n throwInvalidKey({ key, path: null });\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = key;\n }\n throw e;\n }\n }\n }\n // Validate extra query keys from route's request schema with Zod (throw on failure)\n const routeQuerySchema = route?.request?.query;\n if (routeQuerySchema) {\n for (const key of extraQueryKeys) {\n if (key in query) {\n const zodSchema = routeQuerySchema[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).parse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(query[key]);\n if (!result.success) {\n throw new ValidationError(\n (result.error?.message as string) ?? 'Invalid query param',\n { key, path: null, source: 'query', param: key }\n );\n }\n }\n }\n }\n }\n }\n\n const { filters, sort, fields, populate } = query;\n\n if (filters) {\n await validateFilters(filters, schema, { auth });\n }\n\n if (sort) {\n await validateSort(sort, schema, { auth });\n }\n\n if (fields) {\n await validateFields(fields, schema);\n }\n\n // a wildcard is always valid; its conversion will be handled by the entity service and can be optimized with sanitizer\n if (populate && populate !== '*') {\n await validatePopulate(populate, schema);\n }\n };\n\n const validateFilters: ValidateFunc = async (filters, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in validateFilters');\n }\n if (isArray(filters)) {\n await Promise.all(filters.map((filter) => validateFilters(filter, schema, { auth })));\n return;\n }\n\n const transforms = [validators.defaultValidateFilters({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryFilters(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(filters);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'filters';\n }\n throw e;\n }\n };\n\n const validateSort: ValidateFunc = async (sort, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in validateSort');\n }\n const transforms = [validators.defaultValidateSort({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQuerySort(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(sort);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'sort';\n }\n throw e;\n }\n };\n\n const validateFields: ValidateFunc = async (fields, schema: Model) => {\n if (!schema) {\n throw new Error('Missing schema in validateFields');\n }\n const transforms = [validators.defaultValidateFields({ schema, getModel })];\n\n try {\n await pipeAsync(...transforms)(fields);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'fields';\n }\n throw e;\n }\n };\n\n const validatePopulate: ValidateFunc = async (populate, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizePopulate');\n }\n const transforms = [validators.defaultValidatePopulate({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryPopulate(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(populate);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'populate';\n }\n throw e;\n }\n };\n\n return {\n input: validateInput,\n query: validateQuery,\n filters: validateFilters,\n sort: validateSort,\n fields: validateFields,\n populate: validatePopulate,\n };\n};\n\nexport { createAPIValidators, validators, visitors };\n\nexport type APIValidators = ReturnType<typeof createAPIValidators>;\n"],"names":["ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","constants","createAPIValidators","opts","getModel","validateInput","data","schema","options","auth","route","Error","isArray","Promise","all","map","entry","allowedExtraRootKeys","getExtraRootKeysFromRouteBody","nonWritableAttributes","getNonWritableAttributes","transforms","isObject","throwInvalidKey","key","traverseEntity","visitors","push","validators","input","forEach","validator","pipeAsync","request","body","bodySchema","shape","dataObj","Object","keys","zodSchema","parse","result","safeParse","success","ValidationError","error","message","path","source","param","e","details","validateQuery","query","strictParams","extraQueryKeys","getExtraQueryKeysFromRoute","allowedKeys","ALLOWED_QUERY_PARAM_KEYS","includes","routeQuerySchema","filters","sort","fields","populate","validateFilters","validateSort","validateFields","validatePopulate","filter","traverseQueryFilters","traverseQuerySort","traverseQueryPopulate"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAuBA,MAAM,EAAEA,YAAY,EAAEC,gBAAgB,EAAE,GAAGC,SAAAA;AA4C3C,MAAMC,sBAAsB,CAACC,IAAAA,GAAAA;AAC3B,IAAA,MAAM,EAAEC,QAAQ,EAAE,GAAGD,QAAQ,EAAC;AAE9B,IAAA,MAAME,gBAA8B,OAAOC,IAAAA,EAAeC,MAAAA,EAAeC,OAAAA,GAAU,EAAE,GAAA;AACnF,QAAA,MAAM,EAAEC,IAAI,EAAEC,KAAK,EAAE,GAAGF,OAAAA;AACxB,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AAEA,QAAA,IAAIC,QAAQN,IAAAA,CAAAA,EAAO;YACjB,MAAMO,OAAAA,CAAQC,GAAG,CAACR,IAAAA,CAAKS,GAAG,CAAC,CAACC,KAAAA,GAAUX,aAAAA,CAAcW,KAAAA,EAAOT,MAAAA,EAAQC,OAAAA,CAAAA,CAAAA,CAAAA;AACnE,YAAA;AACF,QAAA;AAEA,QAAA,MAAMS,uBAAuBC,6BAAAA,CAA8BR,KAAAA,CAAAA;AAE3D,QAAA,MAAMS,wBAAwBC,wBAAAA,CAAyBb,MAAAA,CAAAA;AAEvD,QAAA,MAAMc,UAAAA,GAAa;YACjB,CAACf,IAAAA,GAAAA;AACC,gBAAA,IAAIgB,SAAShB,IAAAA,CAAAA,EAAO;AAClB,oBAAA,IAAIP,gBAAgBO,IAAAA,EAAM;wBACxBiB,eAAAA,CAAgB;4BAAEC,GAAAA,EAAKzB;AAAa,yBAAA,CAAA;AACtC,oBAAA;AAEA,oBAAA,IAAIC,oBAAoBM,IAAAA,EAAM;wBAC5BiB,eAAAA,CAAgB;4BAAEC,GAAAA,EAAKxB;AAAiB,yBAAA,CAAA;AAC1C,oBAAA;AACF,gBAAA;gBACA,OAAOM,IAAAA;AACT,YAAA,CAAA;;YAEAmB,cAAAA,CAAeC,qBAA8B,CAACP,qBAAAA,CAAAA,EAAwB;AAAEZ,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA;;YAEzFqB,cAAAA,CAAeC,uBAAgC,EAAE;AAC/CnB,gBAAAA,MAAAA;AACAH,gBAAAA,QAAAA;AACAa,gBAAAA;AACF,aAAA;AACD,SAAA;AAED,QAAA,IAAIR,IAAAA,EAAM;;AAERY,YAAAA,UAAAA,CAAWM,IAAI,CACbF,cAAAA,CAAeC,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AACtDF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;;QAGAD,IAAAA,EAAMyB,UAAAA,EAAYC,OAAOC,OAAAA,CAAQ,CAACC,YAAyBV,UAAAA,CAAWM,IAAI,CAACI,SAAAA,CAAUxB,MAAAA,CAAAA,CAAAA,CAAAA;QAErF,IAAI;AACF,YAAA,MAAMyB,QAAaX,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;;;;;;;;;AAU/B,YAAA,IAAIgB,SAAShB,IAAAA,CAAAA,IAASI,KAAAA,EAAOuB,SAASC,IAAAA,GAAO,mBAAmB,EAAE;AAChE,gBAAA,MAAMC,aAAazB,KAAAA,CAAMuB,OAAO,CAACC,IAAI,CAAC,kBAAA,CAAmB;AACzD,gBAAA,IAAI,OAAOC,UAAAA,KAAe,QAAA,IAAY,OAAA,IAAWA,UAAAA,EAAY;oBAC3D,MAAMC,KAAAA,GAAQ,UAACD,CAAuDC,KAAK;AAC3E,oBAAA,MAAMC,OAAAA,GAAU/B,IAAAA;AAChB,oBAAA,KAAK,MAAMkB,GAAAA,IAAOc,MAAAA,CAAOC,IAAI,CAACH,KAAAA,CAAAA,CAAQ;AACpC,wBAAA,IAAIZ,QAAQ,MAAA,IAAU,EAAEA,GAAAA,IAAOa,OAAM,CAAA,EAAI;wBACzC,MAAMG,SAAAA,GAAYJ,KAAK,CAACZ,GAAAA,CAAI;AAC5B,wBAAA,IAAIgB,aAAa,OAAQA,SAAAA,CAA2BC,KAAK,KAAK,UAAA,EAAY;AACxE,4BAAA,MAAMC,SAAS,SAACF,CAA2BG,SAAS,CAACN,OAAO,CAACb,GAAAA,CAAI,CAAA;4BACjE,IAAI,CAACkB,MAAAA,CAAOE,OAAO,EAAE;AACnB,gCAAA,MAAM,IAAIC,eAAAA,CACPH,OAAOI,KAAK,EAAEC,WAAsB,mBAAA,EACrC;AAAEvB,oCAAAA,GAAAA;oCAAKwB,IAAAA,EAAM,IAAA;oCAAMC,MAAAA,EAAQ,MAAA;oCAAQC,KAAAA,EAAO1B;AAAI,iCAAA,CAAA;AAElD,4BAAA;AACF,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA,CAAA,CAAE,OAAO2B,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,MAAA;AACrB,YAAA;YACA,MAAME,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;AAEA,IAAA,MAAME,aAAAA,GAAgB,OACpBC,KAAAA,EACA/C,MAAAA,EACA,EAAEE,IAAI,EAAE8C,YAAAA,GAAe,KAAK,EAAE7C,KAAK,EAAW,GAAG,EAAE,GAAA;AAEnD,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AAEA,QAAA,IAAI4C,YAAAA,EAAc;AAChB,YAAA,MAAMC,iBAAiBC,0BAAAA,CAA2B/C,KAAAA,CAAAA;AAClD,YAAA,MAAMgD,WAAAA,GAAc;AAAIC,gBAAAA,GAAAA,wBAAAA;AAA6BH,gBAAAA,GAAAA;AAAe,aAAA;AACpE,YAAA,KAAK,MAAMhC,GAAAA,IAAOc,MAAAA,CAAOC,IAAI,CAACe,KAAAA,CAAAA,CAAQ;AACpC,gBAAA,IAAI,CAACI,WAAAA,CAAYE,QAAQ,CAACpC,GAAAA,CAAAA,EAAM;oBAC9B,IAAI;wBACFD,eAAAA,CAAgB;AAAEC,4BAAAA,GAAAA;4BAAKwB,IAAAA,EAAM;AAAK,yBAAA,CAAA;AACpC,oBAAA,CAAA,CAAE,OAAOG,CAAAA,EAAG;AACV,wBAAA,IAAIA,aAAaN,eAAAA,EAAiB;4BAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;4BACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG1B,GAAAA;AACpB,wBAAA;wBACA,MAAM2B,CAAAA;AACR,oBAAA;AACF,gBAAA;AACF,YAAA;;YAEA,MAAMU,gBAAAA,GAAmBnD,OAAOuB,OAAAA,EAASqB,KAAAA;AACzC,YAAA,IAAIO,gBAAAA,EAAkB;gBACpB,KAAK,MAAMrC,OAAOgC,cAAAA,CAAgB;AAChC,oBAAA,IAAIhC,OAAO8B,KAAAA,EAAO;wBAChB,MAAMd,SAAAA,GAAYqB,gBAAgB,CAACrC,GAAAA,CAAI;AACvC,wBAAA,IAAIgB,aAAa,OAAQA,SAAAA,CAA2BC,KAAK,KAAK,UAAA,EAAY;AACxE,4BAAA,MAAMC,SAAS,SAACF,CAA2BG,SAAS,CAACW,KAAK,CAAC9B,GAAAA,CAAI,CAAA;4BAC/D,IAAI,CAACkB,MAAAA,CAAOE,OAAO,EAAE;AACnB,gCAAA,MAAM,IAAIC,eAAAA,CACPH,OAAOI,KAAK,EAAEC,WAAsB,qBAAA,EACrC;AAAEvB,oCAAAA,GAAAA;oCAAKwB,IAAAA,EAAM,IAAA;oCAAMC,MAAAA,EAAQ,OAAA;oCAASC,KAAAA,EAAO1B;AAAI,iCAAA,CAAA;AAEnD,4BAAA;AACF,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA;QAEA,MAAM,EAAEsC,OAAO,EAAEC,IAAI,EAAEC,MAAM,EAAEC,QAAQ,EAAE,GAAGX,KAAAA;AAE5C,QAAA,IAAIQ,OAAAA,EAAS;YACX,MAAMI,eAAAA,CAAgBJ,SAASvD,MAAAA,EAAQ;AAAEE,gBAAAA;AAAK,aAAA,CAAA;AAChD,QAAA;AAEA,QAAA,IAAIsD,IAAAA,EAAM;YACR,MAAMI,YAAAA,CAAaJ,MAAMxD,MAAAA,EAAQ;AAAEE,gBAAAA;AAAK,aAAA,CAAA;AAC1C,QAAA;AAEA,QAAA,IAAIuD,MAAAA,EAAQ;AACV,YAAA,MAAMI,eAAeJ,MAAAA,EAAQzD,MAAAA,CAAAA;AAC/B,QAAA;;QAGA,IAAI0D,QAAAA,IAAYA,aAAa,GAAA,EAAK;AAChC,YAAA,MAAMI,iBAAiBJ,QAAAA,EAAU1D,MAAAA,CAAAA;AACnC,QAAA;AACF,IAAA,CAAA;IAEA,MAAM2D,eAAAA,GAAgC,OAAOJ,OAAAA,EAASvD,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAChF,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,mCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,QAAQkD,OAAAA,CAAAA,EAAU;YACpB,MAAMjD,OAAAA,CAAQC,GAAG,CAACgD,OAAAA,CAAQ/C,GAAG,CAAC,CAACuD,MAAAA,GAAWJ,eAAAA,CAAgBI,MAAAA,EAAQ/D,MAAAA,EAAQ;AAAEE,oBAAAA;AAAK,iBAAA,CAAA,CAAA,CAAA;AACjF,YAAA;AACF,QAAA;AAEA,QAAA,MAAMY,UAAAA,GAAa;AAACO,YAAAA,sBAAiC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE5E,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb4C,oBAAAA,CAAqB7C,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AAC5DF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,QAAaX,UAAAA,CAAAA,CAAYyC,OAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOX,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,SAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMgB,YAAAA,GAA6B,OAAOJ,IAAAA,EAAMxD,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAC1E,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,gCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,mBAA8B,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAEzE,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb6C,iBAAAA,CAAkB9C,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AACzDF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,QAAaX,UAAAA,CAAAA,CAAY0C,IAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOZ,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,MAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMiB,cAAAA,GAA+B,OAAOJ,MAAAA,EAAQzD,MAAAA,GAAAA;AAClD,QAAA,IAAI,CAACA,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,qBAAgC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;QAE3E,IAAI;AACF,YAAA,MAAM4B,QAAaX,UAAAA,CAAAA,CAAY2C,MAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOb,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,QAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMkB,gBAAAA,GAAiC,OAAOJ,QAAAA,EAAU1D,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAClF,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,oCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,uBAAkC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE7E,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb8C,qBAAAA,CAAsB/C,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AAC7DF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,QAAaX,UAAAA,CAAAA,CAAY4C,QAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOd,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,UAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,OAAO;QACLtB,KAAAA,EAAOxB,aAAAA;QACPiD,KAAAA,EAAOD,aAAAA;QACPS,OAAAA,EAASI,eAAAA;QACTH,IAAAA,EAAMI,YAAAA;QACNH,MAAAA,EAAQI,cAAAA;QACRH,QAAAA,EAAUI;AACZ,KAAA;AACF;;;;"}
1
+ {"version":3,"file":"index.mjs","sources":["../../src/validate/index.ts"],"sourcesContent":["import { CurriedFunction1 } from 'lodash';\nimport { isArray, isObject } from 'lodash/fp';\nimport type { z } from 'zod/v4';\n\nimport { getNonWritableAttributes, constants } from '../content-types';\nimport { ALLOWED_QUERY_PARAM_KEYS } from '../content-api-constants';\nimport {\n type RouteLike,\n getExtraQueryKeysFromRoute,\n getExtraRootKeysFromRouteBody,\n} from '../content-api-route-params';\nimport { pipe as pipeAsync } from '../async';\nimport { throwInvalidKey } from './utils';\n\nimport * as visitors from './visitors';\nimport * as validators from './validators';\nimport traverseEntity from '../traverse-entity';\n\nimport { traverseQueryFilters, traverseQuerySort, traverseQueryPopulate } from '../traverse';\n\nimport { Model, Data } from '../types';\nimport { ValidationError } from '../errors';\nimport { validatePublicationFilterQueryParam } from '../publication-filter';\n\nconst { ID_ATTRIBUTE, DOC_ID_ATTRIBUTE } = constants;\n\nexport interface Options {\n auth?: unknown;\n /**\n * If true, validateQuery throws when the query has any top-level key not in the allowed list.\n * Defaults to false for backward compatibility.\n */\n strictParams?: boolean;\n /**\n * When set, extra query/input params are derived from the route's request schema (and validated with Zod).\n * When absent, no extra params are allowed in strict mode.\n */\n route?: RouteLike;\n}\n\nexport interface Validator {\n (schema: Model): CurriedFunction1<Data, Promise<Data>>;\n}\nexport interface ValidateFunc {\n (data: unknown, schema: Model, options?: Options): Promise<void>;\n}\n\nexport type ValidateQueryParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<void>;\n\nexport type ValidateBodyParamHandler = (\n value: unknown,\n schema: Model,\n options?: Options\n) => Promise<void>;\n\ninterface APIOptions {\n validators?: Validators;\n getModel: (model: string) => Model;\n}\n\nexport interface Validators {\n input?: Validator[];\n}\n\nconst createAPIValidators = (opts: APIOptions) => {\n const { getModel } = opts || {};\n\n const validateInput: ValidateFunc = async (data: unknown, schema: Model, options = {}) => {\n const { auth, route } = options;\n if (!schema) {\n throw new Error('Missing schema in validateInput');\n }\n\n if (isArray(data)) {\n await Promise.all(data.map((entry) => validateInput(entry, schema, options)));\n return;\n }\n\n const allowedExtraRootKeys = getExtraRootKeysFromRouteBody(route);\n\n const nonWritableAttributes = getNonWritableAttributes(schema);\n\n const transforms = [\n (data: unknown) => {\n if (isObject(data)) {\n if (ID_ATTRIBUTE in data) {\n throwInvalidKey({ key: ID_ATTRIBUTE });\n }\n\n if (DOC_ID_ATTRIBUTE in data) {\n throwInvalidKey({ key: DOC_ID_ATTRIBUTE });\n }\n }\n return data;\n },\n // non-writable attributes\n traverseEntity(visitors.throwRestrictedFields(nonWritableAttributes), { schema, getModel }),\n // unrecognized attributes (allowedExtraRootKeys = registered input param keys)\n traverseEntity(visitors.throwUnrecognizedFields, {\n schema,\n getModel,\n allowedExtraRootKeys,\n }),\n ];\n\n if (auth) {\n // restricted relations\n transforms.push(\n traverseEntity(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n // Apply validators from registry if exists\n opts?.validators?.input?.forEach((validator: Validator) => transforms.push(validator(schema)));\n\n try {\n await pipeAsync(...transforms)(data as Data);\n\n // Validate extra root keys from route's body schema with Zod (throw on failure).\n //\n // Content-api sends the document payload as body.data; the controller calls validateInput(body.data, ctx),\n // so the input we receive here is the inner payload (keys like \"relatedMedia\", \"name\"), not the full body.\n // The route's body schema is z.object({ data: ... }), so its shape includes \"data\". We skip \"data\" because\n // the main document payload is already validated above by traverseEntity (throwUnrecognizedFields, etc.);\n // relation ops (connect/disconnect/set) are handled there, not by the route's Zod schema. We only run\n // Zod here for truly extra root keys added via addInputParams (e.g. clientMutationId).\n if (isObject(data) && route?.request?.body?.['application/json']) {\n const bodySchema = route.request.body['application/json'];\n if (typeof bodySchema === 'object' && 'shape' in bodySchema) {\n const shape = (bodySchema as { shape: Record<string, z.ZodTypeAny> }).shape;\n const dataObj = data as Record<string, unknown>;\n for (const key of Object.keys(shape)) {\n if (key === 'data' || !(key in dataObj)) continue;\n const zodSchema = shape[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).parse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(dataObj[key]);\n if (!result.success) {\n throw new ValidationError(\n (result.error?.message as string) ?? 'Validation failed',\n { key, path: null, source: 'body', param: key }\n );\n }\n }\n }\n }\n }\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'body';\n }\n throw e;\n }\n };\n\n const validateQuery = async (\n query: Record<string, unknown>,\n schema: Model,\n { auth, strictParams = false, route }: Options = {}\n ) => {\n if (!schema) {\n throw new Error('Missing schema in validateQuery');\n }\n\n // Core allowlisted params are not covered by route.request.query Zod (see getExtraQueryKeysFromRoute).\n if ('publicationFilter' in query) {\n validatePublicationFilterQueryParam(query.publicationFilter);\n }\n\n if (strictParams) {\n const extraQueryKeys = getExtraQueryKeysFromRoute(route);\n const allowedKeys = [...ALLOWED_QUERY_PARAM_KEYS, ...extraQueryKeys];\n for (const key of Object.keys(query)) {\n if (!allowedKeys.includes(key)) {\n try {\n throwInvalidKey({ key, path: null });\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = key;\n }\n throw e;\n }\n }\n }\n // Validate extra query keys from route's request schema with Zod (throw on failure)\n const routeQuerySchema = route?.request?.query;\n if (routeQuerySchema) {\n for (const key of extraQueryKeys) {\n if (key in query) {\n const zodSchema = routeQuerySchema[key];\n if (zodSchema && typeof (zodSchema as z.ZodTypeAny).parse === 'function') {\n const result = (zodSchema as z.ZodTypeAny).safeParse(query[key]);\n if (!result.success) {\n throw new ValidationError(\n (result.error?.message as string) ?? 'Invalid query param',\n { key, path: null, source: 'query', param: key }\n );\n }\n }\n }\n }\n }\n }\n\n const { filters, sort, fields, populate } = query;\n\n if (filters) {\n await validateFilters(filters, schema, { auth });\n }\n\n if (sort) {\n await validateSort(sort, schema, { auth });\n }\n\n if (fields) {\n await validateFields(fields, schema);\n }\n\n // a wildcard is always valid; its conversion will be handled by the entity service and can be optimized with sanitizer\n if (populate && populate !== '*') {\n await validatePopulate(populate, schema);\n }\n };\n\n const validateFilters: ValidateFunc = async (filters, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in validateFilters');\n }\n if (isArray(filters)) {\n await Promise.all(filters.map((filter) => validateFilters(filter, schema, { auth })));\n return;\n }\n\n const transforms = [validators.defaultValidateFilters({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryFilters(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(filters);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'filters';\n }\n throw e;\n }\n };\n\n const validateSort: ValidateFunc = async (sort, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in validateSort');\n }\n const transforms = [validators.defaultValidateSort({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQuerySort(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(sort);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'sort';\n }\n throw e;\n }\n };\n\n const validateFields: ValidateFunc = async (fields, schema: Model) => {\n if (!schema) {\n throw new Error('Missing schema in validateFields');\n }\n const transforms = [validators.defaultValidateFields({ schema, getModel })];\n\n try {\n await pipeAsync(...transforms)(fields);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'fields';\n }\n throw e;\n }\n };\n\n const validatePopulate: ValidateFunc = async (populate, schema: Model, { auth } = {}) => {\n if (!schema) {\n throw new Error('Missing schema in sanitizePopulate');\n }\n const transforms = [validators.defaultValidatePopulate({ schema, getModel })];\n\n if (auth) {\n transforms.push(\n traverseQueryPopulate(visitors.throwRestrictedRelations(auth), {\n schema,\n getModel,\n })\n );\n }\n\n try {\n await pipeAsync(...transforms)(populate);\n } catch (e) {\n if (e instanceof ValidationError) {\n e.details.source = 'query';\n e.details.param = 'populate';\n }\n throw e;\n }\n };\n\n return {\n input: validateInput,\n query: validateQuery,\n filters: validateFilters,\n sort: validateSort,\n fields: validateFields,\n populate: validatePopulate,\n };\n};\n\nexport { createAPIValidators, validators, visitors };\n\nexport type APIValidators = ReturnType<typeof createAPIValidators>;\n"],"names":["ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","constants","createAPIValidators","opts","getModel","validateInput","data","schema","options","auth","route","Error","isArray","Promise","all","map","entry","allowedExtraRootKeys","getExtraRootKeysFromRouteBody","nonWritableAttributes","getNonWritableAttributes","transforms","isObject","throwInvalidKey","key","traverseEntity","visitors","push","validators","input","forEach","validator","pipeAsync","request","body","bodySchema","shape","dataObj","Object","keys","zodSchema","parse","result","safeParse","success","ValidationError","error","message","path","source","param","e","details","validateQuery","query","strictParams","validatePublicationFilterQueryParam","publicationFilter","extraQueryKeys","getExtraQueryKeysFromRoute","allowedKeys","ALLOWED_QUERY_PARAM_KEYS","includes","routeQuerySchema","filters","sort","fields","populate","validateFilters","validateSort","validateFields","validatePopulate","filter","traverseQueryFilters","traverseQuerySort","traverseQueryPopulate"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAwBA,MAAM,EAAEA,YAAY,EAAEC,gBAAgB,EAAE,GAAGC,SAAAA;AA4C3C,MAAMC,sBAAsB,CAACC,IAAAA,GAAAA;AAC3B,IAAA,MAAM,EAAEC,QAAQ,EAAE,GAAGD,QAAQ,EAAC;AAE9B,IAAA,MAAME,gBAA8B,OAAOC,IAAAA,EAAeC,MAAAA,EAAeC,OAAAA,GAAU,EAAE,GAAA;AACnF,QAAA,MAAM,EAAEC,IAAI,EAAEC,KAAK,EAAE,GAAGF,OAAAA;AACxB,QAAA,IAAI,CAACD,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;AAEA,QAAA,IAAIC,QAAQN,IAAAA,CAAAA,EAAO;YACjB,MAAMO,OAAAA,CAAQC,GAAG,CAACR,IAAAA,CAAKS,GAAG,CAAC,CAACC,KAAAA,GAAUX,aAAAA,CAAcW,KAAAA,EAAOT,MAAAA,EAAQC,OAAAA,CAAAA,CAAAA,CAAAA;AACnE,YAAA;AACF,QAAA;AAEA,QAAA,MAAMS,uBAAuBC,6BAAAA,CAA8BR,KAAAA,CAAAA;AAE3D,QAAA,MAAMS,wBAAwBC,wBAAAA,CAAyBb,MAAAA,CAAAA;AAEvD,QAAA,MAAMc,UAAAA,GAAa;YACjB,CAACf,IAAAA,GAAAA;AACC,gBAAA,IAAIgB,SAAShB,IAAAA,CAAAA,EAAO;AAClB,oBAAA,IAAIP,gBAAgBO,IAAAA,EAAM;wBACxBiB,eAAAA,CAAgB;4BAAEC,GAAAA,EAAKzB;AAAa,yBAAA,CAAA;AACtC,oBAAA;AAEA,oBAAA,IAAIC,oBAAoBM,IAAAA,EAAM;wBAC5BiB,eAAAA,CAAgB;4BAAEC,GAAAA,EAAKxB;AAAiB,yBAAA,CAAA;AAC1C,oBAAA;AACF,gBAAA;gBACA,OAAOM,IAAAA;AACT,YAAA,CAAA;;YAEAmB,cAAAA,CAAeC,qBAA8B,CAACP,qBAAAA,CAAAA,EAAwB;AAAEZ,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA,CAAA;;YAEzFqB,cAAAA,CAAeC,uBAAgC,EAAE;AAC/CnB,gBAAAA,MAAAA;AACAH,gBAAAA,QAAAA;AACAa,gBAAAA;AACF,aAAA;AACD,SAAA;AAED,QAAA,IAAIR,IAAAA,EAAM;;AAERY,YAAAA,UAAAA,CAAWM,IAAI,CACbF,cAAAA,CAAeC,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AACtDF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;;QAGAD,IAAAA,EAAMyB,UAAAA,EAAYC,OAAOC,OAAAA,CAAQ,CAACC,YAAyBV,UAAAA,CAAWM,IAAI,CAACI,SAAAA,CAAUxB,MAAAA,CAAAA,CAAAA,CAAAA;QAErF,IAAI;AACF,YAAA,MAAMyB,QAAaX,UAAAA,CAAAA,CAAYf,IAAAA,CAAAA;;;;;;;;;AAU/B,YAAA,IAAIgB,SAAShB,IAAAA,CAAAA,IAASI,KAAAA,EAAOuB,SAASC,IAAAA,GAAO,mBAAmB,EAAE;AAChE,gBAAA,MAAMC,aAAazB,KAAAA,CAAMuB,OAAO,CAACC,IAAI,CAAC,kBAAA,CAAmB;AACzD,gBAAA,IAAI,OAAOC,UAAAA,KAAe,QAAA,IAAY,OAAA,IAAWA,UAAAA,EAAY;oBAC3D,MAAMC,KAAAA,GAAQ,UAACD,CAAuDC,KAAK;AAC3E,oBAAA,MAAMC,OAAAA,GAAU/B,IAAAA;AAChB,oBAAA,KAAK,MAAMkB,GAAAA,IAAOc,MAAAA,CAAOC,IAAI,CAACH,KAAAA,CAAAA,CAAQ;AACpC,wBAAA,IAAIZ,QAAQ,MAAA,IAAU,EAAEA,GAAAA,IAAOa,OAAM,CAAA,EAAI;wBACzC,MAAMG,SAAAA,GAAYJ,KAAK,CAACZ,GAAAA,CAAI;AAC5B,wBAAA,IAAIgB,aAAa,OAAQA,SAAAA,CAA2BC,KAAK,KAAK,UAAA,EAAY;AACxE,4BAAA,MAAMC,SAAS,SAACF,CAA2BG,SAAS,CAACN,OAAO,CAACb,GAAAA,CAAI,CAAA;4BACjE,IAAI,CAACkB,MAAAA,CAAOE,OAAO,EAAE;AACnB,gCAAA,MAAM,IAAIC,eAAAA,CACPH,OAAOI,KAAK,EAAEC,WAAsB,mBAAA,EACrC;AAAEvB,oCAAAA,GAAAA;oCAAKwB,IAAAA,EAAM,IAAA;oCAAMC,MAAAA,EAAQ,MAAA;oCAAQC,KAAAA,EAAO1B;AAAI,iCAAA,CAAA;AAElD,4BAAA;AACF,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA,CAAA,CAAE,OAAO2B,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,MAAA;AACrB,YAAA;YACA,MAAME,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;AAEA,IAAA,MAAME,aAAAA,GAAgB,OACpBC,KAAAA,EACA/C,MAAAA,EACA,EAAEE,IAAI,EAAE8C,YAAAA,GAAe,KAAK,EAAE7C,KAAK,EAAW,GAAG,EAAE,GAAA;AAEnD,QAAA,IAAI,CAACH,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,iCAAA,CAAA;AAClB,QAAA;;AAGA,QAAA,IAAI,uBAAuB2C,KAAAA,EAAO;AAChCE,YAAAA,mCAAAA,CAAoCF,MAAMG,iBAAiB,CAAA;AAC7D,QAAA;AAEA,QAAA,IAAIF,YAAAA,EAAc;AAChB,YAAA,MAAMG,iBAAiBC,0BAAAA,CAA2BjD,KAAAA,CAAAA;AAClD,YAAA,MAAMkD,WAAAA,GAAc;AAAIC,gBAAAA,GAAAA,wBAAAA;AAA6BH,gBAAAA,GAAAA;AAAe,aAAA;AACpE,YAAA,KAAK,MAAMlC,GAAAA,IAAOc,MAAAA,CAAOC,IAAI,CAACe,KAAAA,CAAAA,CAAQ;AACpC,gBAAA,IAAI,CAACM,WAAAA,CAAYE,QAAQ,CAACtC,GAAAA,CAAAA,EAAM;oBAC9B,IAAI;wBACFD,eAAAA,CAAgB;AAAEC,4BAAAA,GAAAA;4BAAKwB,IAAAA,EAAM;AAAK,yBAAA,CAAA;AACpC,oBAAA,CAAA,CAAE,OAAOG,CAAAA,EAAG;AACV,wBAAA,IAAIA,aAAaN,eAAAA,EAAiB;4BAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;4BACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG1B,GAAAA;AACpB,wBAAA;wBACA,MAAM2B,CAAAA;AACR,oBAAA;AACF,gBAAA;AACF,YAAA;;YAEA,MAAMY,gBAAAA,GAAmBrD,OAAOuB,OAAAA,EAASqB,KAAAA;AACzC,YAAA,IAAIS,gBAAAA,EAAkB;gBACpB,KAAK,MAAMvC,OAAOkC,cAAAA,CAAgB;AAChC,oBAAA,IAAIlC,OAAO8B,KAAAA,EAAO;wBAChB,MAAMd,SAAAA,GAAYuB,gBAAgB,CAACvC,GAAAA,CAAI;AACvC,wBAAA,IAAIgB,aAAa,OAAQA,SAAAA,CAA2BC,KAAK,KAAK,UAAA,EAAY;AACxE,4BAAA,MAAMC,SAAS,SAACF,CAA2BG,SAAS,CAACW,KAAK,CAAC9B,GAAAA,CAAI,CAAA;4BAC/D,IAAI,CAACkB,MAAAA,CAAOE,OAAO,EAAE;AACnB,gCAAA,MAAM,IAAIC,eAAAA,CACPH,OAAOI,KAAK,EAAEC,WAAsB,qBAAA,EACrC;AAAEvB,oCAAAA,GAAAA;oCAAKwB,IAAAA,EAAM,IAAA;oCAAMC,MAAAA,EAAQ,OAAA;oCAASC,KAAAA,EAAO1B;AAAI,iCAAA,CAAA;AAEnD,4BAAA;AACF,wBAAA;AACF,oBAAA;AACF,gBAAA;AACF,YAAA;AACF,QAAA;QAEA,MAAM,EAAEwC,OAAO,EAAEC,IAAI,EAAEC,MAAM,EAAEC,QAAQ,EAAE,GAAGb,KAAAA;AAE5C,QAAA,IAAIU,OAAAA,EAAS;YACX,MAAMI,eAAAA,CAAgBJ,SAASzD,MAAAA,EAAQ;AAAEE,gBAAAA;AAAK,aAAA,CAAA;AAChD,QAAA;AAEA,QAAA,IAAIwD,IAAAA,EAAM;YACR,MAAMI,YAAAA,CAAaJ,MAAM1D,MAAAA,EAAQ;AAAEE,gBAAAA;AAAK,aAAA,CAAA;AAC1C,QAAA;AAEA,QAAA,IAAIyD,MAAAA,EAAQ;AACV,YAAA,MAAMI,eAAeJ,MAAAA,EAAQ3D,MAAAA,CAAAA;AAC/B,QAAA;;QAGA,IAAI4D,QAAAA,IAAYA,aAAa,GAAA,EAAK;AAChC,YAAA,MAAMI,iBAAiBJ,QAAAA,EAAU5D,MAAAA,CAAAA;AACnC,QAAA;AACF,IAAA,CAAA;IAEA,MAAM6D,eAAAA,GAAgC,OAAOJ,OAAAA,EAASzD,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAChF,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,mCAAA,CAAA;AAClB,QAAA;AACA,QAAA,IAAIC,QAAQoD,OAAAA,CAAAA,EAAU;YACpB,MAAMnD,OAAAA,CAAQC,GAAG,CAACkD,OAAAA,CAAQjD,GAAG,CAAC,CAACyD,MAAAA,GAAWJ,eAAAA,CAAgBI,MAAAA,EAAQjE,MAAAA,EAAQ;AAAEE,oBAAAA;AAAK,iBAAA,CAAA,CAAA,CAAA;AACjF,YAAA;AACF,QAAA;AAEA,QAAA,MAAMY,UAAAA,GAAa;AAACO,YAAAA,sBAAiC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE5E,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb8C,oBAAAA,CAAqB/C,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AAC5DF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,QAAaX,UAAAA,CAAAA,CAAY2C,OAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOb,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,SAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMkB,YAAAA,GAA6B,OAAOJ,IAAAA,EAAM1D,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAC1E,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,gCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,mBAA8B,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAEzE,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACb+C,iBAAAA,CAAkBhD,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AACzDF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,QAAaX,UAAAA,CAAAA,CAAY4C,IAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOd,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,MAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMmB,cAAAA,GAA+B,OAAOJ,MAAAA,EAAQ3D,MAAAA,GAAAA;AAClD,QAAA,IAAI,CAACA,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,kCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,qBAAgC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;QAE3E,IAAI;AACF,YAAA,MAAM4B,QAAaX,UAAAA,CAAAA,CAAY6C,MAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOf,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,QAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,MAAMoB,gBAAAA,GAAiC,OAAOJ,QAAAA,EAAU5D,MAAAA,EAAe,EAAEE,IAAI,EAAE,GAAG,EAAE,GAAA;AAClF,QAAA,IAAI,CAACF,MAAAA,EAAQ;AACX,YAAA,MAAM,IAAII,KAAAA,CAAM,oCAAA,CAAA;AAClB,QAAA;AACA,QAAA,MAAMU,UAAAA,GAAa;AAACO,YAAAA,uBAAkC,CAAC;AAAErB,gBAAAA,MAAAA;AAAQH,gBAAAA;AAAS,aAAA;AAAG,SAAA;AAE7E,QAAA,IAAIK,IAAAA,EAAM;AACRY,YAAAA,UAAAA,CAAWM,IAAI,CACbgD,qBAAAA,CAAsBjD,wBAAiC,CAACjB,IAAAA,CAAAA,EAAO;AAC7DF,gBAAAA,MAAAA;AACAH,gBAAAA;AACF,aAAA,CAAA,CAAA;AAEJ,QAAA;QAEA,IAAI;AACF,YAAA,MAAM4B,QAAaX,UAAAA,CAAAA,CAAY8C,QAAAA,CAAAA;AACjC,QAAA,CAAA,CAAE,OAAOhB,CAAAA,EAAG;AACV,YAAA,IAAIA,aAAaN,eAAAA,EAAiB;gBAChCM,CAAAA,CAAEC,OAAO,CAACH,MAAM,GAAG,OAAA;gBACnBE,CAAAA,CAAEC,OAAO,CAACF,KAAK,GAAG,UAAA;AACpB,YAAA;YACA,MAAMC,CAAAA;AACR,QAAA;AACF,IAAA,CAAA;IAEA,OAAO;QACLtB,KAAAA,EAAOxB,aAAAA;QACPiD,KAAAA,EAAOD,aAAAA;QACPW,OAAAA,EAASI,eAAAA;QACTH,IAAAA,EAAMI,YAAAA;QACNH,MAAAA,EAAQI,cAAAA;QACRH,QAAAA,EAAUI;AACZ,KAAA;AACF;;;;"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@strapi/utils",
3
- "version": "5.46.0",
3
+ "version": "5.47.0",
4
4
  "description": "Shared utilities for the Strapi packages",
5
5
  "keywords": [
6
6
  "strapi",
@@ -62,10 +62,10 @@
62
62
  "@types/http-errors": "2.0.4",
63
63
  "@types/koa": "2.13.4",
64
64
  "@types/node": "24.10.0",
65
- "eslint-config-custom": "5.46.0",
65
+ "eslint-config-custom": "5.47.0",
66
66
  "koa": "2.16.4",
67
67
  "koa-body": "6.0.1",
68
- "tsconfig": "5.46.0"
68
+ "tsconfig": "5.47.0"
69
69
  },
70
70
  "engines": {
71
71
  "node": ">=20.0.0 <=24.x.x",