@terreno/api 0.0.10 → 0.0.11-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/CLAUDE.md +107 -0
  2. package/bunfig.toml +3 -2
  3. package/dist/api.d.ts +3 -14
  4. package/dist/api.js +44 -68
  5. package/dist/api.test.js +2051 -166
  6. package/dist/permissions.d.ts +1 -1
  7. package/dist/permissions.js +17 -25
  8. package/dist/utils.test.js +169 -7
  9. package/package.json +3 -2
  10. package/src/api.test.ts +1736 -142
  11. package/src/api.ts +19 -61
  12. package/src/permissions.ts +4 -14
  13. package/src/utils.test.ts +189 -9
package/dist/permissions.d.ts CHANGED
@@ -23,4 +23,4 @@ export declare const Permissions: {
23
23
  IsOwnerOrReadOnly: (method: RESTMethod, user?: User, obj?: any) => boolean;
24
24
  };
25
25
  export declare function checkPermissions<T>(method: RESTMethod, permissions: PermissionMethod<T>[], user?: User, obj?: T): Promise<boolean>;
26
- export declare function permissionMiddleware<T>(baseModel: Model<T>, options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths" | "discriminatorKey">): (req: express.Request, _res: express.Response, next: NextFunction) => Promise<void>;
26
+ export declare function permissionMiddleware<T>(model: Model<T>, options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths">): (req: express.Request, _res: express.Response, next: NextFunction) => Promise<void>;
package/dist/permissions.js CHANGED
@@ -194,20 +194,20 @@ function checkPermissions(method, permissions, user, obj) {
194
194
  // Check the permissions for a given model and method. If the method is a read, update, or delete,
195
195
  // finds the relevant object, checks the permissions, and attaches the object to the request as
196
196
  // req.obj.
197
- function permissionMiddleware(baseModel, options) {
197
+ function permissionMiddleware(model, options) {
198
198
  var _this = this;
199
199
  return function (req, _res, next) { return __awaiter(_this, void 0, void 0, function () {
200
- var method, reqMethod, model, builtQuery, populatedQuery, data, error_1, hiddenDoc, error, reason, error, error_2;
201
- var _a, _b, _c, _d;
202
- return __generator(this, function (_e) {
203
- switch (_e.label) {
200
+ var method, reqMethod, builtQuery, populatedQuery, data, error_1, hiddenDoc, error, reason, error, error_2;
201
+ var _a, _b;
202
+ return __generator(this, function (_c) {
203
+ switch (_c.label) {
204
204
  case 0:
205
205
  if (req.method === "OPTIONS") {
206
206
  return [2 /*return*/, next()];
207
207
  }
208
- _e.label = 1;
208
+ _c.label = 1;
209
209
  case 1:
210
- _e.trys.push([1, 10, , 11]);
210
+ _c.trys.push([1, 10, , 11]);
211
211
  method = void 0;
212
212
  reqMethod = req.method.toLowerCase();
213
213
  if (reqMethod === "post") {
@@ -233,11 +233,10 @@ function permissionMiddleware(baseModel, options) {
233
233
  title: "Method ".concat(req.method, " not allowed"),
234
234
  });
235
235
  }
236
- model = (0, api_1.getModel)(baseModel, req.body, options);
237
236
  return [4 /*yield*/, checkPermissions(method, options.permissions[method], req.user)];
238
237
  case 2:
239
238
  // All methods check for permissions.
240
- if (!(_e.sent())) {
239
+ if (!(_c.sent())) {
241
240
  throw new errors_1.APIError({
242
241
  status: 405,
243
242
  title: "Access to ".concat(method.toUpperCase(), " on ").concat(model.modelName, " ") +
@@ -250,34 +249,27 @@ function permissionMiddleware(baseModel, options) {
250
249
  builtQuery = model.findById(req.params.id);
251
250
  populatedQuery = (0, api_1.addPopulateToQuery)(builtQuery, options.populatePaths);
252
251
  data = void 0;
253
- _e.label = 3;
252
+ _c.label = 3;
254
253
  case 3:
255
- _e.trys.push([3, 5, , 6]);
254
+ _c.trys.push([3, 5, , 6]);
256
255
  return [4 /*yield*/, populatedQuery.exec()];
257
256
  case 4:
258
- data = _e.sent();
257
+ data = _c.sent();
259
258
  return [3 /*break*/, 6];
260
259
  case 5:
261
- error_1 = _e.sent();
260
+ error_1 = _c.sent();
262
261
  throw new errors_1.APIError({
263
262
  error: error_1,
264
263
  status: 500,
265
264
  title: "GET failed on ".concat(req.params.id),
266
265
  });
267
266
  case 6:
268
- if (!(!data || (["update", "delete"].includes(method) && (data === null || data === void 0 ? void 0 : data.__t) && !((_b = req.body) === null || _b === void 0 ? void 0 : _b.__t)))) return [3 /*break*/, 8];
269
- // For discriminated models, return 404 without checking hidden state
270
- if (["update", "delete"].includes(method) && (data === null || data === void 0 ? void 0 : data.__t) && !((_c = req.body) === null || _c === void 0 ? void 0 : _c.__t)) {
271
- throw new errors_1.APIError({
272
- status: 404,
273
- title: "Document ".concat(req.params.id, " not found for model ").concat(model.modelName),
274
- });
275
- }
267
+ if (!!data) return [3 /*break*/, 8];
276
268
  return [4 /*yield*/, model.collection.findOne({
277
269
  _id: new mongoose_1.default.Types.ObjectId(req.params.id),
278
270
  })];
279
271
  case 7:
280
- hiddenDoc = _e.sent();
272
+ hiddenDoc = _c.sent();
281
273
  if (!hiddenDoc) {
282
274
  Sentry.captureMessage("Document ".concat(req.params.id, " not found for model ").concat(model.modelName));
283
275
  error = new errors_1.APIError({
@@ -312,16 +304,16 @@ function permissionMiddleware(baseModel, options) {
312
304
  });
313
305
  case 8: return [4 /*yield*/, checkPermissions(method, options.permissions[method], req.user, data)];
314
306
  case 9:
315
- if (!(_e.sent())) {
307
+ if (!(_c.sent())) {
316
308
  throw new errors_1.APIError({
317
309
  status: 403,
318
- title: "Access to GET on ".concat(model.modelName, ":").concat(req.params.id, " denied for ").concat((_d = req.user) === null || _d === void 0 ? void 0 : _d.id),
310
+ title: "Access to GET on ".concat(model.modelName, ":").concat(req.params.id, " denied for ").concat((_b = req.user) === null || _b === void 0 ? void 0 : _b.id),
319
311
  });
320
312
  }
321
313
  req.obj = data;
322
314
  return [2 /*return*/, next()];
323
315
  case 10:
324
- error_2 = _e.sent();
316
+ error_2 = _c.sent();
325
317
  logger_1.logger.error("Permissions error: ".concat(error_2 instanceof Error ? error_2.message : error_2));
326
318
  return [2 /*return*/, next(error_2)];
327
319
  case 11: return [2 /*return*/];
package/dist/utils.test.js CHANGED
@@ -1,14 +1,176 @@
1
1
  "use strict";
2
+ var __importDefault = (this && this.__importDefault) || function (mod) {
3
+ return (mod && mod.__esModule) ? mod : { "default": mod };
4
+ };
2
5
  Object.defineProperty(exports, "__esModule", { value: true });
3
6
  var bun_test_1 = require("bun:test");
7
+ var mongoose_1 = __importDefault(require("mongoose"));
4
8
  var utils_1 = require("./utils");
5
9
  (0, bun_test_1.describe)("utils", function () {
6
- (0, bun_test_1.it)("checks valid ObjectIds", function () {
7
- (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("62c44da0003d9f8ee8cc925c")).toBe(true);
8
- (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("620000000000000000000000")).toBe(true);
9
- // Mongoose's builtin "ObjectId.isValid" will falsely say this is an ObjectId.
10
- (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("1234567890ab")).toBe(false);
11
- (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("microsoft123")).toBe(false);
12
- (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("62c44da0003d9f8ee8cc925x")).toBe(false);
10
+ (0, bun_test_1.describe)("isValidObjectId", function () {
11
+ (0, bun_test_1.it)("checks valid ObjectIds", function () {
12
+ (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("62c44da0003d9f8ee8cc925c")).toBe(true);
13
+ (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("620000000000000000000000")).toBe(true);
14
+ // Mongoose's builtin "ObjectId.isValid" will falsely say this is an ObjectId.
15
+ (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("1234567890ab")).toBe(false);
16
+ (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("microsoft123")).toBe(false);
17
+ (0, bun_test_1.expect)((0, utils_1.isValidObjectId)("62c44da0003d9f8ee8cc925x")).toBe(false);
18
+ });
19
+ });
20
+ (0, bun_test_1.describe)("checkModelsStrict", function () {
21
+ (0, bun_test_1.it)("throws error when toObject.virtuals is not true", function () {
22
+ // Create a schema without toObject.virtuals
23
+ var testSchema = new mongoose_1.default.Schema({ name: String });
24
+ testSchema.set("strict", "throw");
25
+ // Not setting toObject.virtuals
26
+ if (mongoose_1.default.models.ToObjectTestModel) {
27
+ delete mongoose_1.default.models.ToObjectTestModel;
28
+ }
29
+ mongoose_1.default.model("ToObjectTestModel", testSchema);
30
+ try {
31
+ // This should throw because ToObjectTestModel doesn't have toObject.virtuals
32
+ (0, bun_test_1.expect)(function () { return (0, utils_1.checkModelsStrict)(); }).toThrow("toObject.virtuals not set to true");
33
+ }
34
+ finally {
35
+ delete mongoose_1.default.models.ToObjectTestModel;
36
+ }
37
+ });
38
+ (0, bun_test_1.it)("throws error when toJSON.virtuals is not true", function () {
39
+ // Create a schema with toObject.virtuals but without toJSON.virtuals
40
+ var testSchema = new mongoose_1.default.Schema({ name: String });
41
+ testSchema.set("toObject", { virtuals: true });
42
+ testSchema.set("strict", "throw");
43
+ // Not setting toJSON.virtuals
44
+ if (mongoose_1.default.models.ToJsonTestModel) {
45
+ delete mongoose_1.default.models.ToJsonTestModel;
46
+ }
47
+ mongoose_1.default.model("ToJsonTestModel", testSchema);
48
+ // Use spyOn to intercept modelNames and return only our test model
49
+ var spy = (0, bun_test_1.spyOn)(mongoose_1.default, "modelNames").mockReturnValue(["ToJsonTestModel"]);
50
+ try {
51
+ (0, bun_test_1.expect)(function () { return (0, utils_1.checkModelsStrict)(); }).toThrow("toJSON.virtuals not set to true");
52
+ }
53
+ finally {
54
+ spy.mockRestore();
55
+ delete mongoose_1.default.models.ToJsonTestModel;
56
+ }
57
+ });
58
+ (0, bun_test_1.it)("throws error when strict mode is not set to throw", function () {
59
+ // Create a schema with virtuals but without strict mode
60
+ var testSchema = new mongoose_1.default.Schema({ name: String });
61
+ testSchema.set("toObject", { virtuals: true });
62
+ testSchema.set("toJSON", { virtuals: true });
63
+ // Not setting strict to "throw"
64
+ if (mongoose_1.default.models.StrictTestModel) {
65
+ delete mongoose_1.default.models.StrictTestModel;
66
+ }
67
+ mongoose_1.default.model("StrictTestModel", testSchema);
68
+ var spy = (0, bun_test_1.spyOn)(mongoose_1.default, "modelNames").mockReturnValue(["StrictTestModel"]);
69
+ try {
70
+ (0, bun_test_1.expect)(function () { return (0, utils_1.checkModelsStrict)(); }).toThrow("is not set to strict mode");
71
+ }
72
+ finally {
73
+ spy.mockRestore();
74
+ delete mongoose_1.default.models.StrictTestModel;
75
+ }
76
+ });
77
+ (0, bun_test_1.it)("passes when all checks pass", function () {
78
+ // Create a properly configured schema
79
+ var testSchema = new mongoose_1.default.Schema({ name: String });
80
+ testSchema.set("toObject", { virtuals: true });
81
+ testSchema.set("toJSON", { virtuals: true });
82
+ testSchema.set("strict", "throw");
83
+ if (mongoose_1.default.models.GoodTestModel) {
84
+ delete mongoose_1.default.models.GoodTestModel;
85
+ }
86
+ mongoose_1.default.model("GoodTestModel", testSchema);
87
+ var spy = (0, bun_test_1.spyOn)(mongoose_1.default, "modelNames").mockReturnValue(["GoodTestModel"]);
88
+ try {
89
+ (0, bun_test_1.expect)(function () { return (0, utils_1.checkModelsStrict)(); }).not.toThrow();
90
+ }
91
+ finally {
92
+ spy.mockRestore();
93
+ delete mongoose_1.default.models.GoodTestModel;
94
+ }
95
+ });
96
+ (0, bun_test_1.it)("skips strict mode check for ignored models", function () {
97
+ // Create a properly configured model
98
+ var goodSchema = new mongoose_1.default.Schema({ name: String });
99
+ goodSchema.set("toObject", { virtuals: true });
100
+ goodSchema.set("toJSON", { virtuals: true });
101
+ goodSchema.set("strict", "throw");
102
+ if (mongoose_1.default.models.GoodModel) {
103
+ delete mongoose_1.default.models.GoodModel;
104
+ }
105
+ mongoose_1.default.model("GoodModel", goodSchema);
106
+ // Create a model without strict mode that we'll ignore
107
+ var badSchema = new mongoose_1.default.Schema({ name: String });
108
+ badSchema.set("toObject", { virtuals: true });
109
+ badSchema.set("toJSON", { virtuals: true });
110
+ // Not setting strict - should fail unless ignored
111
+ if (mongoose_1.default.models.IgnoredModel) {
112
+ delete mongoose_1.default.models.IgnoredModel;
113
+ }
114
+ mongoose_1.default.model("IgnoredModel", badSchema);
115
+ var spy = (0, bun_test_1.spyOn)(mongoose_1.default, "modelNames").mockReturnValue(["GoodModel", "IgnoredModel"]);
116
+ try {
117
+ // Without ignoring, should throw for IgnoredModel
118
+ (0, bun_test_1.expect)(function () { return (0, utils_1.checkModelsStrict)(); }).toThrow("is not set to strict mode");
119
+ // With ignoring IgnoredModel, should pass
120
+ (0, bun_test_1.expect)(function () { return (0, utils_1.checkModelsStrict)(["IgnoredModel"]); }).not.toThrow();
121
+ }
122
+ finally {
123
+ spy.mockRestore();
124
+ delete mongoose_1.default.models.GoodModel;
125
+ delete mongoose_1.default.models.IgnoredModel;
126
+ }
127
+ });
128
+ (0, bun_test_1.it)("handles multiple models and validates all", function () {
129
+ // Create three properly configured models
130
+ var schema1 = new mongoose_1.default.Schema({ name: String });
131
+ schema1.set("toObject", { virtuals: true });
132
+ schema1.set("toJSON", { virtuals: true });
133
+ schema1.set("strict", "throw");
134
+ var schema2 = new mongoose_1.default.Schema({ value: Number });
135
+ schema2.set("toObject", { virtuals: true });
136
+ schema2.set("toJSON", { virtuals: true });
137
+ schema2.set("strict", "throw");
138
+ var schema3 = new mongoose_1.default.Schema({ active: Boolean });
139
+ schema3.set("toObject", { virtuals: true });
140
+ schema3.set("toJSON", { virtuals: true });
141
+ schema3.set("strict", "throw");
142
+ if (mongoose_1.default.models.MultiModel1)
143
+ delete mongoose_1.default.models.MultiModel1;
144
+ if (mongoose_1.default.models.MultiModel2)
145
+ delete mongoose_1.default.models.MultiModel2;
146
+ if (mongoose_1.default.models.MultiModel3)
147
+ delete mongoose_1.default.models.MultiModel3;
148
+ mongoose_1.default.model("MultiModel1", schema1);
149
+ mongoose_1.default.model("MultiModel2", schema2);
150
+ mongoose_1.default.model("MultiModel3", schema3);
151
+ var spy = (0, bun_test_1.spyOn)(mongoose_1.default, "modelNames").mockReturnValue([
152
+ "MultiModel1",
153
+ "MultiModel2",
154
+ "MultiModel3",
155
+ ]);
156
+ try {
157
+ (0, bun_test_1.expect)(function () { return (0, utils_1.checkModelsStrict)(); }).not.toThrow();
158
+ }
159
+ finally {
160
+ spy.mockRestore();
161
+ delete mongoose_1.default.models.MultiModel1;
162
+ delete mongoose_1.default.models.MultiModel2;
163
+ delete mongoose_1.default.models.MultiModel3;
164
+ }
165
+ });
166
+ (0, bun_test_1.it)("handles empty model list", function () {
167
+ var spy = (0, bun_test_1.spyOn)(mongoose_1.default, "modelNames").mockReturnValue([]);
168
+ try {
169
+ (0, bun_test_1.expect)(function () { return (0, utils_1.checkModelsStrict)(); }).not.toThrow();
170
+ }
171
+ finally {
172
+ spy.mockRestore();
173
+ }
174
+ });
13
175
  });
14
176
  });
package/package.json CHANGED
@@ -17,7 +17,7 @@
17
17
  "jsonwebtoken": "^9.0.2",
18
18
  "lodash": "^4.17.21",
19
19
  "luxon": "^3.7.2",
20
- "mongoose": "^9.1.1",
20
+ "mongoose": "8.18.1",
21
21
  "mongoose-to-swagger": "^1.4.0",
22
22
  "ms": "^2.1.3",
23
23
  "on-finished": "^2.3.0",
@@ -81,8 +81,9 @@
81
81
  "lint:fix": "biome check --write ./src",
82
82
  "lint:unsafefix": "biome check --fix --unsafe ./src",
83
83
  "test": "bun test --preload ./src/tests/bunSetup.ts",
84
+ "test:ci": "bun test --preload ./src/tests/bunSetup.ts",
84
85
  "updateSnapshot": "bun test --update-snapshots"
85
86
  },
86
87
  "types": "dist/index.d.ts",
87
- "version": "0.0.10"
88
+ "version": "0.0.11-beta.1"
88
89
  }