@terreno/api 0.0.10 → 0.0.11-beta.1

package/src/api.ts

@@ -241,16 +241,6 @@ export interface ModelRouterOptions<T> {
     request: express.Request,
     options: ModelRouterOptions<T>
   ) => Promise<JSONValue>;
-  /**
-   * The discriminatorKey that you passed when creating the Mongoose models. Defaults to __t. See:
-   * https://mongoosejs.com/docs/discriminators.html If this key is provided,
-   * you must provide the same key as part of the top level of the body when making performing
-   * update or delete operations on this model.
-   *    \{discriminatorKey: "__t"\}
-   *
-   *     PATCH \{__t: "SuperUser", name: "Foo"\} // __t is required or there will be a 404 error.
-   */
-  discriminatorKey?: string;
   /**
    * The OpenAPI generator for this server. This is used to generate the OpenAPI documentation.
    */
@@ -275,23 +265,6 @@ export interface ModelRouterOptions<T> {
   openApiExtraModelProperties?: any;
 }
 
-// A function to decide which model to use. If no discriminators are provided,
-// just returns the base model. If
-export function getModel(baseModel: Model<any>, body?: any, options?: ModelRouterOptions<any>) {
-  const discriminatorKey = options?.discriminatorKey ?? "__t";
-  const modelName = body?.[discriminatorKey];
-  if (!modelName) {
-    return baseModel;
-  }
-  const model = baseModel.discriminators?.[modelName];
-  if (!model) {
-    throw new Error(
-      `Could not find discriminator model for key ${modelName}, baseModel: ${baseModel}`
-    );
-  }
-  return model;
-}
-
 // Ensures query params are allowed. Also checks nested query params when using $and/$or.
 function checkQueryParamAllowed(
   queryParam: string,
@@ -337,15 +310,12 @@ function checkQueryParamAllowed(
 // }
 
 /**
- * Create a set of CRUD routes given a Mongoose model $baseModel and configuration options.
+ * Create a set of CRUD routes given a Mongoose model and configuration options.
  *
- * @param baseModel A Mongoose Model
+ * @param model A Mongoose Model
  * @param options Options for configuring the REST API, such as permissions, transformers, and hooks.
  */
-export function modelRouter<T>(
-  baseModel: Model<T>,
-  options: ModelRouterOptions<T>
-): express.Router {
+export function modelRouter<T>(model: Model<T>, options: ModelRouterOptions<T>): express.Router {
   const router = express.Router();
 
   // Do before the other router options so endpoints take priority.
@@ -359,12 +329,10 @@ export function modelRouter<T>(
     "/",
     [
       authenticateMiddleware(options.allowAnonymous),
-      createOpenApiMiddleware(baseModel, options),
-      permissionMiddleware(baseModel, options),
+      createOpenApiMiddleware(model, options),
+      permissionMiddleware(model, options),
     ],
     asyncHandler(async (req: Request, res: Response) => {
-      const model = getModel(baseModel, req.body?.__t, options);
-
       let body: Partial<T> | (Partial<T> | undefined)[] | null | undefined;
       try {
         body = transform<T>(options, req.body, "create", req.user);
@@ -426,7 +394,7 @@ export function modelRouter<T>(
 
       if (options.populatePaths) {
         try {
-          let populateQuery = model.findById(data._id);
+          let populateQuery: any = model.findById(data._id);
           populateQuery = addPopulateToQuery(populateQuery, options.populatePaths);
           data = await populateQuery.exec();
         } catch (error: any) {
@@ -469,13 +437,10 @@ export function modelRouter<T>(
     "/",
     [
       authenticateMiddleware(options.allowAnonymous),
-      permissionMiddleware(baseModel, options),
-      listOpenApiMiddleware(baseModel, options),
+      permissionMiddleware(model, options),
+      listOpenApiMiddleware(model, options),
     ],
     asyncHandler(async (req: Request, res: Response) => {
-      // For pure read queries, Mongoose will return the correct data with just the base model.
-      const model = baseModel;
-
       let query: any = {};
       for (const queryParam of Object.keys(options.defaultQueryParams ?? [])) {
         query[queryParam] = options.defaultQueryParams?.[queryParam];
@@ -624,8 +589,8 @@ export function modelRouter<T>(
     "/:id",
     [
       authenticateMiddleware(options.allowAnonymous),
-      getOpenApiMiddleware(baseModel, options),
-      permissionMiddleware(baseModel, options),
+      getOpenApiMiddleware(model, options),
+      permissionMiddleware(model, options),
     ],
     asyncHandler(async (req: Request, res: Response) => {
       const data: mongoose.Document & T = (req as any).obj;
@@ -658,12 +623,10 @@ export function modelRouter<T>(
     "/:id",
     [
       authenticateMiddleware(options.allowAnonymous),
-      patchOpenApiMiddleware(baseModel, options),
-      permissionMiddleware(baseModel, options),
+      patchOpenApiMiddleware(model, options),
+      permissionMiddleware(model, options),
     ],
     asyncHandler(async (req: Request, res: Response) => {
-      const model = getModel(baseModel, req.body, options);
-
       let doc: mongoose.Document & T = (req as any).obj;
 
       let body;
@@ -731,7 +694,7 @@ export function modelRouter<T>(
       }
 
       if (options.populatePaths) {
-        let populateQuery = model.findById(doc._id);
+        let populateQuery: any = model.findById(doc._id);
         populateQuery = addPopulateToQuery(populateQuery, options.populatePaths);
         doc = await populateQuery.exec();
       }
@@ -766,12 +729,10 @@ export function modelRouter<T>(
     "/:id",
     [
       authenticateMiddleware(options.allowAnonymous),
-      deleteOpenApiMiddleware(baseModel, options),
-      permissionMiddleware(baseModel, options),
+      deleteOpenApiMiddleware(model, options),
+      permissionMiddleware(model, options),
     ],
     asyncHandler(async (req: Request, res: Response) => {
-      const model = getModel(baseModel, req.body, options);
-
       const doc: mongoose.Document & T & {deleted?: boolean} = (req as any).obj;
 
       if (options.preDelete) {
@@ -849,7 +810,6 @@ export function modelRouter<T>(
     operation: "POST" | "PATCH" | "DELETE"
   ) {
     // TODO Combine array operations and .patch(), as they are very similar.
-    const model = getModel(baseModel, req.body, options);
 
     if (!(await checkPermissions("update", options.permissions.update, req.user))) {
       throw new APIError({
@@ -861,9 +821,7 @@ export function modelRouter<T>(
     const doc = await model.findById(req.params.id);
     // Make a copy for passing pre-saved values to hooks.
     const prevDoc = cloneDeep(doc);
-    // We fail here because we might fetch the document without the __t but we'd be missing all the
-    // hooks.
-    if (!doc || (doc.__t && !req.body.__t)) {
+    if (!doc) {
       throw new APIError({
         status: 404,
         title: `Could not find document to PATCH: ${req.params.id}`,
@@ -979,7 +937,7 @@ export function modelRouter<T>(
 
     if (options.postUpdate) {
       try {
-        await options.postUpdate(doc, body, req, prevDoc);
+        await options.postUpdate(doc as any, body, req, prevDoc as any);
       } catch (error: any) {
         throw new APIError({
           disableExternalErrorTracking: getDisableExternalErrorTracking(error),
@@ -989,7 +947,7 @@ export function modelRouter<T>(
         });
       }
     }
-    return res.json({data: serialize<T>(req, options, doc)});
+    return res.json({data: serialize<T>(req, options, doc as any)});
   }
 
   async function arrayPost(req: Request, res: Response) {
@@ -1004,7 +962,7 @@ export function modelRouter<T>(
     return arrayOperation(req, res, "DELETE");
   }
   // Set up routes for managing array fields. Check if there any array fields to add this for.
-  if (Object.values(baseModel.schema.paths).find((config: any) => config.instance === "Array")) {
+  if (Object.values(model.schema.paths).find((config: any) => config.instance === "Array")) {
     router.post(
       "/:id/:field",
       authenticateMiddleware(options.allowAnonymous),

package/src/permissions.ts

@@ -4,7 +4,7 @@ import type express from "express";
 import type {NextFunction} from "express";
 import mongoose, {type Model} from "mongoose";
 
-import {addPopulateToQuery, getModel, type ModelRouterOptions, type RESTMethod} from "./api";
+import {addPopulateToQuery, type ModelRouterOptions, type RESTMethod} from "./api";
 import type {User} from "./auth";
 import {APIError} from "./errors";
 import {logger} from "./logger";
@@ -101,8 +101,8 @@ export async function checkPermissions<T>(
 // finds the relevant object, checks the permissions, and attaches the object to the request as
 // req.obj.
 export function permissionMiddleware<T>(
-  baseModel: Model<T>,
-  options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths" | "discriminatorKey">
+  model: Model<T>,
+  options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths">
 ) {
   return async (req: express.Request, _res: express.Response, next: NextFunction) => {
     if (req.method === "OPTIONS") {
@@ -131,8 +131,6 @@ export function permissionMiddleware<T>(
         });
       }
 
-      const model = getModel(baseModel, req.body, options);
-
       // All methods check for permissions.
       if (!(await checkPermissions(method, options.permissions[method], req.user))) {
         throw new APIError({
@@ -159,15 +157,7 @@ export function permissionMiddleware<T>(
           title: `GET failed on ${req.params.id}`,
         });
       }
-      if (!data || (["update", "delete"].includes(method) && data?.__t && !req.body?.__t)) {
-        // For discriminated models, return 404 without checking hidden state
-        if (["update", "delete"].includes(method) && data?.__t && !req.body?.__t) {
-          throw new APIError({
-            status: 404,
-            title: `Document ${req.params.id} not found for model ${model.modelName}`,
-          });
-        }
-
+      if (!data) {
         // Check if document exists but is hidden. Completely skip plugins.
         const hiddenDoc = await model.collection.findOne({
           _id: new mongoose.Types.ObjectId(req.params.id),

package/src/utils.test.ts

@@ -1,14 +1,194 @@
-import {describe, expect, it} from "bun:test";
+import {describe, expect, it, spyOn} from "bun:test";
+import mongoose from "mongoose";
 
-import {isValidObjectId} from "./utils";
+import {checkModelsStrict, isValidObjectId} from "./utils";
 
 describe("utils", () => {
-  it("checks valid ObjectIds", () => {
-    expect(isValidObjectId("62c44da0003d9f8ee8cc925c")).toBe(true);
-    expect(isValidObjectId("620000000000000000000000")).toBe(true);
-    // Mongoose's builtin "ObjectId.isValid" will falsely say this is an ObjectId.
-    expect(isValidObjectId("1234567890ab")).toBe(false);
-    expect(isValidObjectId("microsoft123")).toBe(false);
-    expect(isValidObjectId("62c44da0003d9f8ee8cc925x")).toBe(false);
+  describe("isValidObjectId", () => {
+    it("checks valid ObjectIds", () => {
+      expect(isValidObjectId("62c44da0003d9f8ee8cc925c")).toBe(true);
+      expect(isValidObjectId("620000000000000000000000")).toBe(true);
+      // Mongoose's builtin "ObjectId.isValid" will falsely say this is an ObjectId.
+      expect(isValidObjectId("1234567890ab")).toBe(false);
+      expect(isValidObjectId("microsoft123")).toBe(false);
+      expect(isValidObjectId("62c44da0003d9f8ee8cc925x")).toBe(false);
+    });
+  });
+
+  describe("checkModelsStrict", () => {
+    it("throws error when toObject.virtuals is not true", () => {
+      // Create a schema without toObject.virtuals
+      const testSchema = new mongoose.Schema({name: String});
+      testSchema.set("strict", "throw");
+      // Not setting toObject.virtuals
+
+      if (mongoose.models.ToObjectTestModel) {
+        delete mongoose.models.ToObjectTestModel;
+      }
+      mongoose.model("ToObjectTestModel", testSchema);
+
+      try {
+        // This should throw because ToObjectTestModel doesn't have toObject.virtuals
+        expect(() => checkModelsStrict()).toThrow("toObject.virtuals not set to true");
+      } finally {
+        delete mongoose.models.ToObjectTestModel;
+      }
+    });
+
+    it("throws error when toJSON.virtuals is not true", () => {
+      // Create a schema with toObject.virtuals but without toJSON.virtuals
+      const testSchema = new mongoose.Schema({name: String});
+      testSchema.set("toObject", {virtuals: true});
+      testSchema.set("strict", "throw");
+      // Not setting toJSON.virtuals
+
+      if (mongoose.models.ToJsonTestModel) {
+        delete mongoose.models.ToJsonTestModel;
+      }
+      mongoose.model("ToJsonTestModel", testSchema);
+
+      // Use spyOn to intercept modelNames and return only our test model
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue(["ToJsonTestModel"]);
+
+      try {
+        expect(() => checkModelsStrict()).toThrow("toJSON.virtuals not set to true");
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.ToJsonTestModel;
+      }
+    });
+
+    it("throws error when strict mode is not set to throw", () => {
+      // Create a schema with virtuals but without strict mode
+      const testSchema = new mongoose.Schema({name: String});
+      testSchema.set("toObject", {virtuals: true});
+      testSchema.set("toJSON", {virtuals: true});
+      // Not setting strict to "throw"
+
+      if (mongoose.models.StrictTestModel) {
+        delete mongoose.models.StrictTestModel;
+      }
+      mongoose.model("StrictTestModel", testSchema);
+
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue(["StrictTestModel"]);
+
+      try {
+        expect(() => checkModelsStrict()).toThrow("is not set to strict mode");
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.StrictTestModel;
+      }
+    });
+
+    it("passes when all checks pass", () => {
+      // Create a properly configured schema
+      const testSchema = new mongoose.Schema({name: String});
+      testSchema.set("toObject", {virtuals: true});
+      testSchema.set("toJSON", {virtuals: true});
+      testSchema.set("strict", "throw");
+
+      if (mongoose.models.GoodTestModel) {
+        delete mongoose.models.GoodTestModel;
+      }
+      mongoose.model("GoodTestModel", testSchema);
+
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue(["GoodTestModel"]);
+
+      try {
+        expect(() => checkModelsStrict()).not.toThrow();
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.GoodTestModel;
+      }
+    });
+
+    it("skips strict mode check for ignored models", () => {
+      // Create a properly configured model
+      const goodSchema = new mongoose.Schema({name: String});
+      goodSchema.set("toObject", {virtuals: true});
+      goodSchema.set("toJSON", {virtuals: true});
+      goodSchema.set("strict", "throw");
+
+      if (mongoose.models.GoodModel) {
+        delete mongoose.models.GoodModel;
+      }
+      mongoose.model("GoodModel", goodSchema);
+
+      // Create a model without strict mode that we'll ignore
+      const badSchema = new mongoose.Schema({name: String});
+      badSchema.set("toObject", {virtuals: true});
+      badSchema.set("toJSON", {virtuals: true});
+      // Not setting strict - should fail unless ignored
+
+      if (mongoose.models.IgnoredModel) {
+        delete mongoose.models.IgnoredModel;
+      }
+      mongoose.model("IgnoredModel", badSchema);
+
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue(["GoodModel", "IgnoredModel"]);
+
+      try {
+        // Without ignoring, should throw for IgnoredModel
+        expect(() => checkModelsStrict()).toThrow("is not set to strict mode");
+
+        // With ignoring IgnoredModel, should pass
+        expect(() => checkModelsStrict(["IgnoredModel"])).not.toThrow();
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.GoodModel;
+        delete mongoose.models.IgnoredModel;
+      }
+    });
+
+    it("handles multiple models and validates all", () => {
+      // Create three properly configured models
+      const schema1 = new mongoose.Schema({name: String});
+      schema1.set("toObject", {virtuals: true});
+      schema1.set("toJSON", {virtuals: true});
+      schema1.set("strict", "throw");
+
+      const schema2 = new mongoose.Schema({value: Number});
+      schema2.set("toObject", {virtuals: true});
+      schema2.set("toJSON", {virtuals: true});
+      schema2.set("strict", "throw");
+
+      const schema3 = new mongoose.Schema({active: Boolean});
+      schema3.set("toObject", {virtuals: true});
+      schema3.set("toJSON", {virtuals: true});
+      schema3.set("strict", "throw");
+
+      if (mongoose.models.MultiModel1) delete mongoose.models.MultiModel1;
+      if (mongoose.models.MultiModel2) delete mongoose.models.MultiModel2;
+      if (mongoose.models.MultiModel3) delete mongoose.models.MultiModel3;
+
+      mongoose.model("MultiModel1", schema1);
+      mongoose.model("MultiModel2", schema2);
+      mongoose.model("MultiModel3", schema3);
+
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue([
+        "MultiModel1",
+        "MultiModel2",
+        "MultiModel3",
+      ]);
+
+      try {
+        expect(() => checkModelsStrict()).not.toThrow();
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.MultiModel1;
+        delete mongoose.models.MultiModel2;
+        delete mongoose.models.MultiModel3;
+      }
+    });
+
+    it("handles empty model list", () => {
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue([]);
+
+      try {
+        expect(() => checkModelsStrict()).not.toThrow();
+      } finally {
+        spy.mockRestore();
+      }
+    });
   });
 });