@terreno/api 0.0.1

package/dist/transformers.d.ts

@@ -0,0 +1,25 @@
+import type express from "express";
+import type { Document } from "mongoose";
+import type { modelRouterOptions } from "./api";
+import type { User } from "./auth";
+export interface TerrenoTransformer<T> {
+    transform?: (obj: Partial<T>, method: "create" | "update", user?: User) => Partial<T> | undefined;
+    serialize?: (obj: T, user?: User) => Partial<T> | undefined;
+}
+export declare function AdminOwnerTransformer<T>(options: {
+    anonReadFields?: string[];
+    authReadFields?: string[];
+    ownerReadFields?: string[];
+    adminReadFields?: string[];
+    anonWriteFields?: string[];
+    authWriteFields?: string[];
+    ownerWriteFields?: string[];
+    adminWriteFields?: string[];
+}): TerrenoTransformer<T>;
+export declare function transform<T>(options: modelRouterOptions<T>, data: Partial<T> | Partial<T>[], method: "create" | "update", user?: User): Partial<T> | (Partial<T> | undefined)[] | undefined;
+export declare function serialize<T>(req: express.Request, options: modelRouterOptions<T>, data: (Document<any, any, any> & T) | (Document<any, any, any> & T)[]): Partial<T> | (Partial<T> | undefined)[] | undefined;
+/**
+ * Default response handler for modelRouter. Calls toObject on each doc and returns the result,
+ * using transformers.serializer if provided.
+ */
+export declare function defaultResponseHandler<T>(doc: (Document<any, any, any> & T) | (Document<any, any, any> & T)[] | null, method: "list" | "create" | "read" | "update", request: express.Request, options: modelRouterOptions<T>): Promise<Partial<T> | (Partial<T> | undefined)[] | null | undefined>;

package/dist/transformers.js

@@ -0,0 +1,217 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype);
+    return g.next = verb(0), g["throw"] = verb(1), g["return"] = verb(2), typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+var __values = (this && this.__values) || function(o) {
+    var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
+    if (m) return m.call(o);
+    if (o && typeof o.length === "number") return {
+        next: function () {
+            if (o && i >= o.length) o = void 0;
+            return { value: o && o[i++], done: !o };
+        }
+    };
+    throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
+};
+var __read = (this && this.__read) || function (o, n) {
+    var m = typeof Symbol === "function" && o[Symbol.iterator];
+    if (!m) return o;
+    var i = m.call(o), r, ar = [], e;
+    try {
+        while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
+    }
+    catch (error) { e = { error: error }; }
+    finally {
+        try {
+            if (r && !r.done && (m = i["return"])) m.call(i);
+        }
+        finally { if (e) throw e.error; }
+    }
+    return ar;
+};
+var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
+    if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
+        if (ar || !(i in from)) {
+            if (!ar) ar = Array.prototype.slice.call(from, 0, i);
+            ar[i] = from[i];
+        }
+    }
+    return to.concat(ar || Array.prototype.slice.call(from));
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminOwnerTransformer = AdminOwnerTransformer;
+exports.transform = transform;
+exports.serialize = serialize;
+exports.defaultResponseHandler = defaultResponseHandler;
+var errors_1 = require("./errors");
+var logger_1 = require("./logger");
+function getUserType(user, obj) {
+    if (user === null || user === void 0 ? void 0 : user.admin) {
+        return "admin";
+    }
+    if (obj && user && String(obj === null || obj === void 0 ? void 0 : obj.ownerId) === String(user === null || user === void 0 ? void 0 : user.id)) {
+        return "owner";
+    }
+    if (user === null || user === void 0 ? void 0 : user.id) {
+        return "auth";
+    }
+    return "anon";
+}
+function AdminOwnerTransformer(options) {
+    function pickFields(obj, fields) {
+        var e_1, _a;
+        var newData = {};
+        try {
+            for (var fields_1 = __values(fields), fields_1_1 = fields_1.next(); !fields_1_1.done; fields_1_1 = fields_1.next()) {
+                var field = fields_1_1.value;
+                if (obj[field] !== undefined) {
+                    newData[field] = obj[field];
+                }
+            }
+        }
+        catch (e_1_1) { e_1 = { error: e_1_1 }; }
+        finally {
+            try {
+                if (fields_1_1 && !fields_1_1.done && (_a = fields_1.return)) _a.call(fields_1);
+            }
+            finally { if (e_1) throw e_1.error; }
+        }
+        return newData;
+    }
+    return {
+        serialize: function (obj, user) {
+            var _a, _b, _c, _d;
+            var userType = getUserType(user, obj);
+            if (userType === "admin") {
+                return pickFields(obj, __spreadArray(__spreadArray([], __read(((_a = options.adminReadFields) !== null && _a !== void 0 ? _a : [])), false), ["id"], false));
+            }
+            if (userType === "owner") {
+                return pickFields(obj, __spreadArray(__spreadArray([], __read(((_b = options.ownerReadFields) !== null && _b !== void 0 ? _b : [])), false), ["id"], false));
+            }
+            if (userType === "auth") {
+                return pickFields(obj, __spreadArray(__spreadArray([], __read(((_c = options.authReadFields) !== null && _c !== void 0 ? _c : [])), false), ["id"], false));
+            }
+            return pickFields(obj, __spreadArray(__spreadArray([], __read(((_d = options.anonReadFields) !== null && _d !== void 0 ? _d : [])), false), ["id"], false));
+        },
+        // TODO: Migrate AdminOwnerTransform to use pre-hooks.
+        transform: function (obj, _method, user) {
+            var _a, _b, _c, _d;
+            var userType = getUserType(user, obj);
+            var allowedFields;
+            if (userType === "admin") {
+                allowedFields = (_a = options.adminWriteFields) !== null && _a !== void 0 ? _a : [];
+            }
+            else if (userType === "owner") {
+                allowedFields = (_b = options.ownerWriteFields) !== null && _b !== void 0 ? _b : [];
+            }
+            else if (userType === "auth") {
+                allowedFields = (_c = options.authWriteFields) !== null && _c !== void 0 ? _c : [];
+            }
+            else {
+                allowedFields = (_d = options.anonWriteFields) !== null && _d !== void 0 ? _d : [];
+            }
+            var unallowedFields = Object.keys(obj).filter(function (k) { return !allowedFields.includes(k); });
+            if (unallowedFields.length) {
+                throw new Error("User of type ".concat(userType, " cannot write fields: ").concat(unallowedFields.join(", ")));
+            }
+            return obj;
+        },
+    };
+}
+function transform(options, data, method, user) {
+    var _a, _b;
+    if (!((_a = options.transformer) === null || _a === void 0 ? void 0 : _a.transform)) {
+        return data;
+    }
+    logger_1.logger.warn("transform functions are deprecated, use preCreate/preUpdate/preDelete hooks instead");
+    // TS doesn't realize this is defined otherwise...
+    var transformFn = (_b = options.transformer) === null || _b === void 0 ? void 0 : _b.transform;
+    if (!Array.isArray(data)) {
+        return transformFn(data, method, user);
+    }
+    return data.map(function (d) { return transformFn(d, method, user); });
+}
+function serialize(req, options, data) {
+    var _a;
+    var serializeFn = function (serializeData, serializeUser) {
+        var _a, _b;
+        var dataObject = serializeData.toObject();
+        dataObject.id = serializeData._id;
+        // Search for any value that is a Map and transform it to a plain object.
+        // Otherwise Express drops the contents.
+        for (var key in dataObject) {
+            var value = dataObject[key];
+            if (value instanceof Map) {
+                dataObject[key] = Object.fromEntries(value);
+            }
+        }
+        if ((_a = options.transformer) === null || _a === void 0 ? void 0 : _a.serialize) {
+            return (_b = options.transformer) === null || _b === void 0 ? void 0 : _b.serialize(dataObject, serializeUser);
+        }
+        return dataObject;
+    };
+    if ((_a = options.transformer) === null || _a === void 0 ? void 0 : _a.serialize) {
+        logger_1.logger.warn("transform.serialize functions are deprecated, use post* hooks and serialize instead");
+    }
+    if (!Array.isArray(data)) {
+        return serializeFn(data, req.user);
+    }
+    return data.map(function (d) { return serializeFn(d, req.user); });
+}
+/**
+ * Default response handler for modelRouter. Calls toObject on each doc and returns the result,
+ * using transformers.serializer if provided.
+ */
+function defaultResponseHandler(doc, method, request, options) {
+    return __awaiter(this, void 0, void 0, function () {
+        return __generator(this, function (_a) {
+            if (!doc) {
+                return [2 /*return*/, null];
+            }
+            try {
+                return [2 /*return*/, serialize(request, options, doc)];
+            }
+            catch (error) {
+                throw new errors_1.APIError({
+                    error: error,
+                    status: 400,
+                    title: "Error serializing ".concat(method, " response: ").concat(error.message),
+                });
+            }
+            return [2 /*return*/];
+        });
+    });
+}

package/dist/transformers.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/transformers.test.js

@@ -0,0 +1,370 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype);
+    return g.next = verb(0), g["throw"] = verb(1), g["return"] = verb(2), typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+var __read = (this && this.__read) || function (o, n) {
+    var m = typeof Symbol === "function" && o[Symbol.iterator];
+    if (!m) return o;
+    var i = m.call(o), r, ar = [], e;
+    try {
+        while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
+    }
+    catch (error) { e = { error: error }; }
+    finally {
+        try {
+            if (r && !r.done && (m = i["return"])) m.call(i);
+        }
+        finally { if (e) throw e.error; }
+    }
+    return ar;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+var bun_test_1 = require("bun:test");
+var supertest_1 = __importDefault(require("supertest"));
+var api_1 = require("./api");
+var auth_1 = require("./auth");
+var permissions_1 = require("./permissions");
+var tests_1 = require("./tests");
+var transformers_1 = require("./transformers");
+(0, bun_test_1.describe)("query and transform", function () {
+    var notAdmin;
+    var admin;
+    var server;
+    var app;
+    (0, bun_test_1.beforeEach)(function () { return __awaiter(void 0, void 0, void 0, function () {
+        var _a;
+        return __generator(this, function (_b) {
+            switch (_b.label) {
+                case 0:
+                    process.env.REFRESH_TOKEN_SECRET = "testsecret1234";
+                    return [4 /*yield*/, (0, tests_1.setupDb)()];
+                case 1:
+                    _a = __read.apply(void 0, [_b.sent(), 2]), admin = _a[0], notAdmin = _a[1];
+                    return [4 /*yield*/, Promise.all([
+                            tests_1.FoodModel.create({
+                                calories: 1,
+                                created: new Date(),
+                                name: "Spinach",
+                                ownerId: notAdmin._id,
+                            }),
+                            tests_1.FoodModel.create({
+                                calories: 100,
+                                created: Date.now() - 10,
+                                hidden: true,
+                                name: "Apple",
+                                ownerId: admin._id,
+                            }),
+                            tests_1.FoodModel.create({
+                                calories: 100,
+                                created: Date.now() - 10,
+                                name: "Carrots",
+                                ownerId: admin._id,
+                            }),
+                        ])];
+                case 2:
+                    _b.sent();
+                    app = (0, tests_1.getBaseServer)();
+                    (0, auth_1.setupAuth)(app, tests_1.UserModel);
+                    (0, auth_1.addAuthRoutes)(app, tests_1.UserModel);
+                    app.use("/food", (0, api_1.modelRouter)(tests_1.FoodModel, {
+                        allowAnonymous: true,
+                        permissions: {
+                            create: [permissions_1.Permissions.IsAny],
+                            delete: [permissions_1.Permissions.IsAny],
+                            list: [permissions_1.Permissions.IsAny],
+                            read: [permissions_1.Permissions.IsAny],
+                            update: [permissions_1.Permissions.IsAny],
+                        },
+                        queryFilter: function (user) {
+                            if (!(user === null || user === void 0 ? void 0 : user.admin)) {
+                                return { hidden: { $ne: true } };
+                            }
+                            return {};
+                        },
+                        transformer: (0, transformers_1.AdminOwnerTransformer)({
+                            adminReadFields: ["name", "calories", "created", "ownerId"],
+                            adminWriteFields: ["name", "calories", "created", "ownerId"],
+                            anonReadFields: ["name"],
+                            anonWriteFields: [],
+                            authReadFields: ["name", "calories", "created"],
+                            authWriteFields: ["name", "calories"],
+                            ownerReadFields: ["name", "calories", "created", "ownerId"],
+                            ownerWriteFields: ["name", "calories", "created"],
+                        }),
+                    }));
+                    server = (0, supertest_1.default)(app);
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("filters list for non-admin", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "notAdmin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food").expect(200)];
+                case 2:
+                    foodRes = _a.sent();
+                    (0, bun_test_1.expect)(foodRes.body.data).toHaveLength(2);
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("does not filter list for admin", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "admin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food").expect(200)];
+                case 2:
+                    foodRes = _a.sent();
+                    (0, bun_test_1.expect)(foodRes.body.data).toHaveLength(3);
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("admin read transform", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes, spinach;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "admin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food").expect(200)];
+                case 2:
+                    foodRes = _a.sent();
+                    (0, bun_test_1.expect)(foodRes.body.data).toHaveLength(3);
+                    spinach = foodRes.body.data.find(function (food) { return food.name === "Spinach"; });
+                    (0, bun_test_1.expect)(spinach.created).toBeDefined();
+                    (0, bun_test_1.expect)(spinach.id).toBeDefined();
+                    (0, bun_test_1.expect)(spinach.ownerId).toBeDefined();
+                    (0, bun_test_1.expect)(spinach.name).toBe("Spinach");
+                    (0, bun_test_1.expect)(spinach.calories).toBe(1);
+                    (0, bun_test_1.expect)(spinach.hidden).toBeUndefined();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("admin write transform", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes, spinach, spinachRes;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "admin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food").expect(200)];
+                case 2:
+                    foodRes = _a.sent();
+                    spinach = foodRes.body.data.find(function (food) { return food.name === "Spinach"; });
+                    return [4 /*yield*/, agent.patch("/food/".concat(spinach.id)).send({ name: "Lettuce" }).expect(200)];
+                case 3:
+                    spinachRes = _a.sent();
+                    (0, bun_test_1.expect)(spinachRes.body.data.name).toBe("Lettuce");
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("owner read transform", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes, spinach;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "notAdmin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food").expect(200)];
+                case 2:
+                    foodRes = _a.sent();
+                    (0, bun_test_1.expect)(foodRes.body.data).toHaveLength(2);
+                    spinach = foodRes.body.data.find(function (food) { return food.name === "Spinach"; });
+                    (0, bun_test_1.expect)(spinach.id).toBeDefined();
+                    (0, bun_test_1.expect)(spinach.name).toBe("Spinach");
+                    (0, bun_test_1.expect)(spinach.calories).toBe(1);
+                    (0, bun_test_1.expect)(spinach.created).toBeDefined();
+                    (0, bun_test_1.expect)(spinach.ownerId).toBeDefined();
+                    (0, bun_test_1.expect)(spinach.hidden).toBeUndefined();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("owner write transform", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes, spinach;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "notAdmin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food").expect(200)];
+                case 2:
+                    foodRes = _a.sent();
+                    spinach = foodRes.body.data.find(function (food) { return food.name === "Spinach"; });
+                    return [4 /*yield*/, agent.patch("/food/".concat(spinach.id)).send({ ownerId: admin.id }).expect(403)];
+                case 3:
+                    _a.sent();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("owner write transform fails", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes, spinach, spinachRes;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "notAdmin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food").expect(200)];
+                case 2:
+                    foodRes = _a.sent();
+                    spinach = foodRes.body.data.find(function (food) { return food.name === "Spinach"; });
+                    return [4 /*yield*/, agent
+                            .patch("/food/".concat(spinach.id))
+                            .send({ ownerId: notAdmin.id })
+                            .expect(403)];
+                case 3:
+                    spinachRes = _a.sent();
+                    (0, bun_test_1.expect)(spinachRes.body.title.includes("User of type owner cannot write fields: ownerId")).toBe(true);
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("auth read transform", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes, spinach, carrots;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "notAdmin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food").expect(200)];
+                case 2:
+                    foodRes = _a.sent();
+                    (0, bun_test_1.expect)(foodRes.body.data).toHaveLength(2);
+                    spinach = foodRes.body.data.find(function (food) { return food.name === "Spinach"; });
+                    (0, bun_test_1.expect)(spinach.id).toBeDefined();
+                    (0, bun_test_1.expect)(spinach.name).toBe("Spinach");
+                    (0, bun_test_1.expect)(spinach.calories).toBe(1);
+                    (0, bun_test_1.expect)(spinach.created).toBeDefined();
+                    // Owner, so this is defined.
+                    (0, bun_test_1.expect)(spinach.ownerId).toBeDefined();
+                    (0, bun_test_1.expect)(spinach.hidden).toBeUndefined();
+                    carrots = foodRes.body.data.find(function (food) { return food.name === "Carrots"; });
+                    (0, bun_test_1.expect)(carrots.id).toBeDefined();
+                    (0, bun_test_1.expect)(carrots.name).toBe("Carrots");
+                    (0, bun_test_1.expect)(carrots.calories).toBe(100);
+                    (0, bun_test_1.expect)(carrots.created).toBeDefined();
+                    // Not owner, so undefined.
+                    (0, bun_test_1.expect)(carrots.ownerId).toBeUndefined();
+                    (0, bun_test_1.expect)(spinach.hidden).toBeUndefined();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("auth write transform", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes, carrots, carrotRes;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "notAdmin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food")];
+                case 2:
+                    foodRes = _a.sent();
+                    carrots = foodRes.body.data.find(function (food) { return food.name === "Carrots"; });
+                    return [4 /*yield*/, agent.patch("/food/".concat(carrots.id)).send({ calories: 2000 }).expect(200)];
+                case 3:
+                    carrotRes = _a.sent();
+                    (0, bun_test_1.expect)(carrotRes.body.data.calories).toBe(2000);
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("auth write transform fail", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var agent, foodRes, carrots, writeRes;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, tests_1.authAsUser)(app, "notAdmin")];
+                case 1:
+                    agent = _a.sent();
+                    return [4 /*yield*/, agent.get("/food")];
+                case 2:
+                    foodRes = _a.sent();
+                    carrots = foodRes.body.data.find(function (food) { return food.name === "Carrots"; });
+                    return [4 /*yield*/, agent
+                            .patch("/food/".concat(carrots.id))
+                            .send({ created: "2020-01-01T00:00:00Z" })
+                            .expect(403)];
+                case 3:
+                    writeRes = _a.sent();
+                    (0, bun_test_1.expect)(writeRes.body.title.includes("User of type auth cannot write fields: created")).toBe(true);
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("anon read transform", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var res;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, server.get("/food")];
+                case 1:
+                    res = _a.sent();
+                    (0, bun_test_1.expect)(res.body.data).toHaveLength(2);
+                    (0, bun_test_1.expect)(res.body.data.find(function (f) { return f.name === "Spinach"; })).toBeDefined();
+                    (0, bun_test_1.expect)(res.body.data.find(function (f) { return f.name === "Carrots"; })).toBeDefined();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("anon write transform fails", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var foodRes, carrots;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, server.get("/food")];
+                case 1:
+                    foodRes = _a.sent();
+                    carrots = foodRes.body.data.find(function (food) { return food.name === "Carrots"; });
+                    return [4 /*yield*/, server.patch("/food/".concat(carrots.id)).send({ calories: 10 }).expect(403)];
+                case 2:
+                    _a.sent();
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+});

package/dist/utils.d.ts

@@ -0,0 +1,11 @@
+export declare function isValidObjectId(id: string): boolean;
+export declare const timeout: (ms: number) => Promise<NodeJS.Timeout>;
+/**
+ * Ensure that all mongoose models are set to strict mode.
+ * This validates that models will throw errors when attempting to set
+ * properties that aren't defined in the schema.
+ *
+ * @param ignoredModels - Array of model names to skip validation for
+ * @throws Error if any model is not set to strict mode or missing virtual settings
+ */
+export declare function checkModelsStrict(ignoredModels?: string[]): void;