@terreno/api 0.0.11 → 0.0.13

package/src/permissions.test.ts

@@ -5,7 +5,7 @@ import type TestAgent from "supertest/lib/agent";
 
 import {modelRouter} from "./api";
 import {addAuthRoutes, setupAuth} from "./auth";
-import {Permissions} from "./permissions";
+import {OwnerQueryFilter, Permissions} from "./permissions";
 import {
   authAsUser,
   type Food,
@@ -217,3 +217,72 @@ describe("permissions", () => {
     });
   });
 });
+
+describe("permissions module", () => {
+  describe("OwnerQueryFilter", () => {
+    it("returns ownerId filter when user is provided", () => {
+      const user = {id: "user-123"} as any;
+      const filter = OwnerQueryFilter(user);
+      expect(filter).toEqual({ownerId: "user-123"});
+    });
+
+    it("returns null when user is undefined", () => {
+      const filter = OwnerQueryFilter(undefined);
+      expect(filter).toBeNull();
+    });
+  });
+
+  describe("Permissions.IsAuthenticatedOrReadOnly", () => {
+    it("returns true for authenticated non-anonymous users", () => {
+      const user = {id: "user-123", isAnonymous: false} as any;
+      expect(Permissions.IsAuthenticatedOrReadOnly("create", user)).toBe(true);
+    });
+
+    it("returns true for read methods when user is anonymous", () => {
+      const user = {id: "user-123", isAnonymous: true} as any;
+      expect(Permissions.IsAuthenticatedOrReadOnly("list", user)).toBe(true);
+      expect(Permissions.IsAuthenticatedOrReadOnly("read", user)).toBe(true);
+    });
+
+    it("returns false for write methods when user is anonymous", () => {
+      const user = {id: "user-123", isAnonymous: true} as any;
+      expect(Permissions.IsAuthenticatedOrReadOnly("create", user)).toBe(false);
+      expect(Permissions.IsAuthenticatedOrReadOnly("update", user)).toBe(false);
+      expect(Permissions.IsAuthenticatedOrReadOnly("delete", user)).toBe(false);
+    });
+  });
+
+  describe("Permissions.IsOwnerOrReadOnly", () => {
+    it("returns true when no object is provided", () => {
+      expect(Permissions.IsOwnerOrReadOnly("update", {id: "user-123"} as any, undefined)).toBe(
+        true
+      );
+    });
+
+    it("returns true for admin users", () => {
+      const user = {admin: true, id: "admin-123"} as any;
+      const obj = {ownerId: "other-user"};
+      expect(Permissions.IsOwnerOrReadOnly("update", user, obj)).toBe(true);
+    });
+
+    it("returns true when user is owner", () => {
+      const user = {id: "user-123"} as any;
+      const obj = {ownerId: "user-123"};
+      expect(Permissions.IsOwnerOrReadOnly("update", user, obj)).toBe(true);
+    });
+
+    it("returns true for read methods when not owner", () => {
+      const user = {id: "user-123"} as any;
+      const obj = {ownerId: "other-user"};
+      expect(Permissions.IsOwnerOrReadOnly("list", user, obj)).toBe(true);
+      expect(Permissions.IsOwnerOrReadOnly("read", user, obj)).toBe(true);
+    });
+
+    it("returns false for write methods when not owner", () => {
+      const user = {id: "user-123"} as any;
+      const obj = {ownerId: "other-user"};
+      expect(Permissions.IsOwnerOrReadOnly("update", user, obj)).toBe(false);
+      expect(Permissions.IsOwnerOrReadOnly("delete", user, obj)).toBe(false);
+    });
+  });
+});

package/src/permissions.ts

@@ -4,7 +4,7 @@ import type express from "express";
 import type {NextFunction} from "express";
 import mongoose, {type Model} from "mongoose";
 
-import {addPopulateToQuery, getModel, type ModelRouterOptions, type RESTMethod} from "./api";
+import {addPopulateToQuery, type ModelRouterOptions, type RESTMethod} from "./api";
 import type {User} from "./auth";
 import {APIError} from "./errors";
 import {logger} from "./logger";
@@ -101,8 +101,8 @@ export async function checkPermissions<T>(
 // finds the relevant object, checks the permissions, and attaches the object to the request as
 // req.obj.
 export function permissionMiddleware<T>(
-  baseModel: Model<T>,
-  options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths" | "discriminatorKey">
+  model: Model<T>,
+  options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths">
 ) {
   return async (req: express.Request, _res: express.Response, next: NextFunction) => {
     if (req.method === "OPTIONS") {
@@ -131,8 +131,6 @@ export function permissionMiddleware<T>(
         });
       }
 
-      const model = getModel(baseModel, req.body, options);
-
       // All methods check for permissions.
       if (!(await checkPermissions(method, options.permissions[method], req.user))) {
         throw new APIError({
@@ -159,15 +157,7 @@ export function permissionMiddleware<T>(
           title: `GET failed on ${req.params.id}`,
         });
       }
-      if (!data || (["update", "delete"].includes(method) && data?.__t && !req.body?.__t)) {
-        // For discriminated models, return 404 without checking hidden state
-        if (["update", "delete"].includes(method) && data?.__t && !req.body?.__t) {
-          throw new APIError({
-            status: 404,
-            title: `Document ${req.params.id} not found for model ${model.modelName}`,
-          });
-        }
-
+      if (!data) {
         // Check if document exists but is hidden. Completely skip plugins.
         const hiddenDoc = await model.collection.findOne({
           _id: new mongoose.Types.ObjectId(req.params.id),

package/src/populate.test.ts

@@ -63,3 +63,61 @@ describe("populate functions", () => {
     expect(populated.likesIds[1].userId.name).toBeUndefined();
   });
 });
+
+describe("unpopulate edge cases", () => {
+  it("throws error when path is empty", () => {
+    const doc = {name: "test"};
+    expect(() => unpopulate(doc as any, "")).toThrow("path is required");
+  });
+
+  it("unpopulates single populated field", () => {
+    const doc = {
+      name: "test",
+      ownerId: {_id: "owner-123", email: "owner@test.com"},
+    };
+    const result = unpopulate(doc as any, "ownerId") as any;
+    expect(result.ownerId).toBe("owner-123");
+  });
+
+  it("unpopulates array of populated fields", () => {
+    const doc = {
+      items: [{_id: "item-1", name: "Item 1"}, {_id: "item-2", name: "Item 2"}, "item-3"],
+      name: "test",
+    };
+    const result = unpopulate(doc as any, "items") as any;
+    expect(result.items).toEqual(["item-1", "item-2", "item-3"]);
+  });
+
+  it("handles nested paths", () => {
+    const doc = {
+      name: "test",
+      nested: {
+        items: [
+          {_id: "item-1", name: "Item 1"},
+          {_id: "item-2", name: "Item 2"},
+        ],
+      },
+    };
+    const result = unpopulate(doc as any, "nested.items") as any;
+    expect(result.nested.items).toEqual(["item-1", "item-2"]);
+  });
+
+  it("returns original doc when path does not exist", () => {
+    const doc = {name: "test"};
+    const result = unpopulate(doc as any, "nonexistent") as any;
+    expect(result).toEqual(doc);
+  });
+
+  it("handles nested array paths", () => {
+    const doc = {
+      containers: [
+        {items: [{_id: "item-1"}, {_id: "item-2"}]},
+        {items: [{_id: "item-3"}, {_id: "item-4"}]},
+      ],
+      name: "test",
+    };
+    const result = unpopulate(doc as any, "containers.items") as any;
+    expect(result.containers[0].items).toEqual(["item-1", "item-2"]);
+    expect(result.containers[1].items).toEqual(["item-3", "item-4"]);
+  });
+});

package/src/utils.test.ts

@@ -1,14 +1,219 @@
-import {describe, expect, it} from "bun:test";
+import {describe, expect, it, spyOn} from "bun:test";
+import mongoose from "mongoose";
 
-import {isValidObjectId} from "./utils";
+import {checkModelsStrict, isValidObjectId, timeout} from "./utils";
 
 describe("utils", () => {
-  it("checks valid ObjectIds", () => {
-    expect(isValidObjectId("62c44da0003d9f8ee8cc925c")).toBe(true);
-    expect(isValidObjectId("620000000000000000000000")).toBe(true);
-    // Mongoose's builtin "ObjectId.isValid" will falsely say this is an ObjectId.
-    expect(isValidObjectId("1234567890ab")).toBe(false);
-    expect(isValidObjectId("microsoft123")).toBe(false);
-    expect(isValidObjectId("62c44da0003d9f8ee8cc925x")).toBe(false);
+  describe("isValidObjectId", () => {
+    it("checks valid ObjectIds", () => {
+      expect(isValidObjectId("62c44da0003d9f8ee8cc925c")).toBe(true);
+      expect(isValidObjectId("620000000000000000000000")).toBe(true);
+      // Mongoose's builtin "ObjectId.isValid" will falsely say this is an ObjectId.
+      expect(isValidObjectId("1234567890ab")).toBe(false);
+      expect(isValidObjectId("microsoft123")).toBe(false);
+      expect(isValidObjectId("62c44da0003d9f8ee8cc925x")).toBe(false);
+    });
+  });
+
+  describe("checkModelsStrict", () => {
+    it("throws error when toObject.virtuals is not true", () => {
+      // Create a schema without toObject.virtuals
+      const testSchema = new mongoose.Schema({name: String});
+      testSchema.set("strict", "throw");
+      // Not setting toObject.virtuals
+
+      if (mongoose.models.ToObjectTestModel) {
+        delete mongoose.models.ToObjectTestModel;
+      }
+      mongoose.model("ToObjectTestModel", testSchema);
+
+      try {
+        // This should throw because ToObjectTestModel doesn't have toObject.virtuals
+        expect(() => checkModelsStrict()).toThrow("toObject.virtuals not set to true");
+      } finally {
+        delete mongoose.models.ToObjectTestModel;
+      }
+    });
+
+    it("throws error when toJSON.virtuals is not true", () => {
+      // Create a schema with toObject.virtuals but without toJSON.virtuals
+      const testSchema = new mongoose.Schema({name: String});
+      testSchema.set("toObject", {virtuals: true});
+      testSchema.set("strict", "throw");
+      // Not setting toJSON.virtuals
+
+      if (mongoose.models.ToJsonTestModel) {
+        delete mongoose.models.ToJsonTestModel;
+      }
+      mongoose.model("ToJsonTestModel", testSchema);
+
+      // Use spyOn to intercept modelNames and return only our test model
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue(["ToJsonTestModel"]);
+
+      try {
+        expect(() => checkModelsStrict()).toThrow("toJSON.virtuals not set to true");
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.ToJsonTestModel;
+      }
+    });
+
+    it("throws error when strict mode is not set to throw", () => {
+      // Create a schema with virtuals but without strict mode
+      const testSchema = new mongoose.Schema({name: String});
+      testSchema.set("toObject", {virtuals: true});
+      testSchema.set("toJSON", {virtuals: true});
+      // Not setting strict to "throw"
+
+      if (mongoose.models.StrictTestModel) {
+        delete mongoose.models.StrictTestModel;
+      }
+      mongoose.model("StrictTestModel", testSchema);
+
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue(["StrictTestModel"]);
+
+      try {
+        expect(() => checkModelsStrict()).toThrow("is not set to strict mode");
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.StrictTestModel;
+      }
+    });
+
+    it("passes when all checks pass", () => {
+      // Create a properly configured schema
+      const testSchema = new mongoose.Schema({name: String});
+      testSchema.set("toObject", {virtuals: true});
+      testSchema.set("toJSON", {virtuals: true});
+      testSchema.set("strict", "throw");
+
+      if (mongoose.models.GoodTestModel) {
+        delete mongoose.models.GoodTestModel;
+      }
+      mongoose.model("GoodTestModel", testSchema);
+
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue(["GoodTestModel"]);
+
+      try {
+        expect(() => checkModelsStrict()).not.toThrow();
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.GoodTestModel;
+      }
+    });
+
+    it("skips strict mode check for ignored models", () => {
+      // Create a properly configured model
+      const goodSchema = new mongoose.Schema({name: String});
+      goodSchema.set("toObject", {virtuals: true});
+      goodSchema.set("toJSON", {virtuals: true});
+      goodSchema.set("strict", "throw");
+
+      if (mongoose.models.GoodModel) {
+        delete mongoose.models.GoodModel;
+      }
+      mongoose.model("GoodModel", goodSchema);
+
+      // Create a model without strict mode that we'll ignore
+      const badSchema = new mongoose.Schema({name: String});
+      badSchema.set("toObject", {virtuals: true});
+      badSchema.set("toJSON", {virtuals: true});
+      // Not setting strict - should fail unless ignored
+
+      if (mongoose.models.IgnoredModel) {
+        delete mongoose.models.IgnoredModel;
+      }
+      mongoose.model("IgnoredModel", badSchema);
+
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue(["GoodModel", "IgnoredModel"]);
+
+      try {
+        // Without ignoring, should throw for IgnoredModel
+        expect(() => checkModelsStrict()).toThrow("is not set to strict mode");
+
+        // With ignoring IgnoredModel, should pass
+        expect(() => checkModelsStrict(["IgnoredModel"])).not.toThrow();
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.GoodModel;
+        delete mongoose.models.IgnoredModel;
+      }
+    });
+
+    it("handles multiple models and validates all", () => {
+      // Create three properly configured models
+      const schema1 = new mongoose.Schema({name: String});
+      schema1.set("toObject", {virtuals: true});
+      schema1.set("toJSON", {virtuals: true});
+      schema1.set("strict", "throw");
+
+      const schema2 = new mongoose.Schema({value: Number});
+      schema2.set("toObject", {virtuals: true});
+      schema2.set("toJSON", {virtuals: true});
+      schema2.set("strict", "throw");
+
+      const schema3 = new mongoose.Schema({active: Boolean});
+      schema3.set("toObject", {virtuals: true});
+      schema3.set("toJSON", {virtuals: true});
+      schema3.set("strict", "throw");
+
+      if (mongoose.models.MultiModel1) delete mongoose.models.MultiModel1;
+      if (mongoose.models.MultiModel2) delete mongoose.models.MultiModel2;
+      if (mongoose.models.MultiModel3) delete mongoose.models.MultiModel3;
+
+      mongoose.model("MultiModel1", schema1);
+      mongoose.model("MultiModel2", schema2);
+      mongoose.model("MultiModel3", schema3);
+
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue([
+        "MultiModel1",
+        "MultiModel2",
+        "MultiModel3",
+      ]);
+
+      try {
+        expect(() => checkModelsStrict()).not.toThrow();
+      } finally {
+        spy.mockRestore();
+        delete mongoose.models.MultiModel1;
+        delete mongoose.models.MultiModel2;
+        delete mongoose.models.MultiModel3;
+      }
+    });
+
+    it("handles empty model list", () => {
+      const spy = spyOn(mongoose, "modelNames").mockReturnValue([]);
+
+      try {
+        expect(() => checkModelsStrict()).not.toThrow();
+      } finally {
+        spy.mockRestore();
+      }
+    });
+  });
+
+  describe("timeout", () => {
+    it("resolves after specified time", async () => {
+      const start = Date.now();
+      await timeout(50);
+      const elapsed = Date.now() - start;
+      expect(elapsed).toBeGreaterThanOrEqual(40);
+    });
+  });
+
+  describe("isValidObjectId additional cases", () => {
+    it("returns true for valid ObjectId strings", () => {
+      expect(isValidObjectId("507f1f77bcf86cd799439011")).toBe(true);
+    });
+
+    it("returns false for invalid ObjectId strings", () => {
+      expect(isValidObjectId("invalid-id")).toBe(false);
+      expect(isValidObjectId("12345")).toBe(false);
+      expect(isValidObjectId("")).toBe(false);
+    });
+
+    it("returns false for 12-character strings that are not valid ObjectIds", () => {
+      expect(isValidObjectId("123456789012")).toBe(false);
+    });
   });
 });