@terreno/api 0.0.14 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/biome.jsonc +0 -1
  2. package/dist/api.test.js +1514 -0
  3. package/package.json +1 -1
  4. package/src/api.test.ts +1247 -0
package/src/api.test.ts CHANGED
@@ -5,6 +5,7 @@ import type TestAgent from "supertest/lib/agent";
5
5
 
6
6
  import {addPopulateToQuery, modelRouter} from "./api";
7
7
  import {addAuthRoutes, setupAuth} from "./auth";
8
+ import {APIError} from "./errors";
8
9
  import {Permissions} from "./permissions";
9
10
  import {
10
11
  authAsUser,
@@ -866,5 +867,1251 @@ describe("@terreno/api", () => {
866
867
 
867
868
  await SoftDeleteModel.deleteMany({});
868
869
  });
870
+
871
+ it("array operation transform error is handled", async () => {
872
+ const apple = await FoodModel.create({
873
+ calories: 95,
874
+ created: new Date(),
875
+ hidden: false,
876
+ name: "Apple",
877
+ tags: [],
878
+ });
879
+
880
+ app.use(
881
+ "/food",
882
+ modelRouter(FoodModel, {
883
+ allowAnonymous: true,
884
+ permissions: {
885
+ create: [Permissions.IsAdmin],
886
+ delete: [Permissions.IsAdmin],
887
+ list: [Permissions.IsAdmin],
888
+ read: [Permissions.IsAdmin],
889
+ update: [Permissions.IsAdmin],
890
+ },
891
+ transformer: AdminOwnerTransformer({
892
+ adminWriteFields: ["name"],
893
+ }),
894
+ })
895
+ );
896
+ server = supertest(app);
897
+ agent = await authAsUser(app, "admin");
898
+
899
+ // Try to update tags field, which is not in the allowed write fields
900
+ const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
901
+ expect(res.body.title).toContain("cannot write fields");
902
+ });
903
+ });
904
+
905
+ describe("transformer errors", () => {
906
+ let admin: any;
907
+ let spinach: Food;
908
+ let agent: TestAgent;
909
+
910
+ beforeEach(async () => {
911
+ [admin] = await setupDb();
912
+
913
+ spinach = await FoodModel.create({
914
+ calories: 1,
915
+ created: new Date("2021-12-03T00:00:20.000Z"),
916
+ hidden: false,
917
+ name: "Spinach",
918
+ ownerId: admin._id,
919
+ source: {
920
+ name: "Brand",
921
+ },
922
+ });
923
+
924
+ app = getBaseServer();
925
+ setupAuth(app, UserModel as any);
926
+ addAuthRoutes(app, UserModel as any);
927
+ });
928
+
929
+ it("transform error in create is handled", async () => {
930
+ app.use(
931
+ "/food",
932
+ modelRouter(FoodModel, {
933
+ allowAnonymous: true,
934
+ permissions: {
935
+ create: [Permissions.IsAny],
936
+ delete: [Permissions.IsAny],
937
+ list: [Permissions.IsAny],
938
+ read: [Permissions.IsAny],
939
+ update: [Permissions.IsAny],
940
+ },
941
+ transformer: AdminOwnerTransformer({
942
+ // Only allow 'name' to be written, so 'calories' will throw
943
+ anonWriteFields: ["name"],
944
+ }),
945
+ })
946
+ );
947
+ server = supertest(app);
948
+
949
+ const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
950
+ expect(res.body.title).toContain("cannot write fields");
951
+ });
952
+
953
+ it("transform error in patch is handled", async () => {
954
+ app.use(
955
+ "/food",
956
+ modelRouter(FoodModel, {
957
+ allowAnonymous: true,
958
+ permissions: {
959
+ create: [Permissions.IsAny],
960
+ delete: [Permissions.IsAny],
961
+ list: [Permissions.IsAny],
962
+ read: [Permissions.IsAny],
963
+ update: [Permissions.IsAny],
964
+ },
965
+ transformer: AdminOwnerTransformer({
966
+ // Only allow 'name' to be written, so 'calories' will throw
967
+ anonWriteFields: ["name"],
968
+ }),
969
+ })
970
+ );
971
+ server = supertest(app);
972
+
973
+ const res = await server.patch(`/food/${spinach._id}`).send({calories: 100}).expect(403);
974
+ expect(res.body.title).toContain("cannot write fields");
975
+ });
976
+
977
+ it("model.create validation error is handled", async () => {
978
+ // Use a model that has required fields
979
+ const {RequiredModel} = await import("./tests");
980
+
981
+ app.use(
982
+ "/required",
983
+ modelRouter(RequiredModel, {
984
+ allowAnonymous: true,
985
+ permissions: {
986
+ create: [Permissions.IsAny],
987
+ delete: [Permissions.IsAny],
988
+ list: [Permissions.IsAny],
989
+ read: [Permissions.IsAny],
990
+ update: [Permissions.IsAny],
991
+ },
992
+ })
993
+ );
994
+ server = supertest(app);
995
+
996
+ // Send without required 'name' field
997
+ const res = await server.post("/required").send({about: "test"}).expect(400);
998
+ expect(res.body.title).toContain("Required");
999
+ });
1000
+
1001
+ it("preDelete hook throwing APIError is re-thrown", async () => {
1002
+ app.use(
1003
+ "/food",
1004
+ modelRouter(FoodModel, {
1005
+ allowAnonymous: true,
1006
+ permissions: {
1007
+ create: [Permissions.IsAny],
1008
+ delete: [Permissions.IsAny],
1009
+ list: [Permissions.IsAny],
1010
+ read: [Permissions.IsAny],
1011
+ update: [Permissions.IsAny],
1012
+ },
1013
+ preDelete: () => {
1014
+ throw new APIError({
1015
+ disableExternalErrorTracking: true,
1016
+ status: 400,
1017
+ title: "Custom preDelete APIError",
1018
+ });
1019
+ },
1020
+ })
1021
+ );
1022
+ server = supertest(app);
1023
+ agent = await authAsUser(app, "notAdmin");
1024
+
1025
+ const res = await agent.delete(`/food/${spinach._id}`).expect(400);
1026
+ expect(res.body.title).toBe("Custom preDelete APIError");
1027
+ expect(res.body.disableExternalErrorTracking).toBe(true);
1028
+ });
1029
+ });
1030
+
1031
+ describe("special query params", () => {
1032
+ let admin: any;
1033
+
1034
+ beforeEach(async () => {
1035
+ [admin] = await setupDb();
1036
+
1037
+ await FoodModel.create({
1038
+ calories: 1,
1039
+ created: new Date("2021-12-03T00:00:20.000Z"),
1040
+ hidden: false,
1041
+ name: "Spinach",
1042
+ ownerId: admin._id,
1043
+ });
1044
+
1045
+ app = getBaseServer();
1046
+ setupAuth(app, UserModel as any);
1047
+ addAuthRoutes(app, UserModel as any);
1048
+ });
1049
+
1050
+ it("period query param is stripped from query", async () => {
1051
+ app.use(
1052
+ "/food",
1053
+ modelRouter(FoodModel, {
1054
+ allowAnonymous: true,
1055
+ permissions: {
1056
+ create: [Permissions.IsAny],
1057
+ delete: [Permissions.IsAny],
1058
+ list: [Permissions.IsAny],
1059
+ read: [Permissions.IsAny],
1060
+ update: [Permissions.IsAny],
1061
+ },
1062
+ queryFields: ["name", "period"],
1063
+ queryFilter: (_user, query) => {
1064
+ // Simulate a queryFilter that accepts and processes period
1065
+ if (query?.period) {
1066
+ // Period is processed but shouldn't be passed to mongo
1067
+ return query;
1068
+ }
1069
+ return query ?? {};
1070
+ },
1071
+ })
1072
+ );
1073
+ server = supertest(app);
1074
+
1075
+ // period should be accepted and processed without error
1076
+ const res = await server.get("/food?period=weekly").expect(200);
1077
+ expect(res.body.data).toBeDefined();
1078
+ });
1079
+
1080
+ it("query with false value", async () => {
1081
+ // Create a food that is hidden
1082
+ await FoodModel.create({
1083
+ calories: 50,
1084
+ created: new Date("2021-12-04T00:00:20.000Z"),
1085
+ hidden: true,
1086
+ name: "HiddenFood",
1087
+ ownerId: admin._id,
1088
+ });
1089
+
1090
+ app.use(
1091
+ "/food",
1092
+ modelRouter(FoodModel, {
1093
+ allowAnonymous: true,
1094
+ permissions: {
1095
+ create: [Permissions.IsAny],
1096
+ delete: [Permissions.IsAny],
1097
+ list: [Permissions.IsAny],
1098
+ read: [Permissions.IsAny],
1099
+ update: [Permissions.IsAny],
1100
+ },
1101
+ queryFields: ["name", "hidden"],
1102
+ })
1103
+ );
1104
+ server = supertest(app);
1105
+
1106
+ // Query for non-hidden foods using ?hidden=false
1107
+ const res = await server.get("/food?hidden=false").expect(200);
1108
+ expect(res.body.data.every((f: any) => f.hidden === false)).toBe(true);
1109
+ });
1110
+
1111
+ it("$search query triggers special handling code path", async () => {
1112
+ // The $search code path just accesses the collection but doesn't do anything with it
1113
+ // This test verifies the code path is exercised
1114
+ app.use(
1115
+ "/food",
1116
+ modelRouter(FoodModel, {
1117
+ allowAnonymous: true,
1118
+ permissions: {
1119
+ create: [Permissions.IsAny],
1120
+ delete: [Permissions.IsAny],
1121
+ list: [Permissions.IsAny],
1122
+ read: [Permissions.IsAny],
1123
+ update: [Permissions.IsAny],
1124
+ },
1125
+ // Need to include $search in queryFields for it to pass validation
1126
+ queryFields: ["name", "$search"],
1127
+ })
1128
+ );
1129
+ server = supertest(app);
1130
+
1131
+ // The $search will be added to the query params, triggering the special handling
1132
+ // Even though the code doesn't actually do anything useful with it (stub for Atlas)
1133
+ const res = await server.get("/food?$search=test");
1134
+ // May return 500 because $search is passed to Mongo which doesn't support it without Atlas
1135
+ // The important thing is we've exercised the code path
1136
+ expect(res.status === 200 || res.status === 500).toBe(true);
1137
+ });
1138
+
1139
+ it("$autocomplete query triggers special handling code path", async () => {
1140
+ app.use(
1141
+ "/food",
1142
+ modelRouter(FoodModel, {
1143
+ allowAnonymous: true,
1144
+ permissions: {
1145
+ create: [Permissions.IsAny],
1146
+ delete: [Permissions.IsAny],
1147
+ list: [Permissions.IsAny],
1148
+ read: [Permissions.IsAny],
1149
+ update: [Permissions.IsAny],
1150
+ },
1151
+ queryFields: ["name", "$autocomplete"],
1152
+ })
1153
+ );
1154
+ server = supertest(app);
1155
+
1156
+ const res = await server.get("/food?$autocomplete=test");
1157
+ expect(res.status === 200 || res.status === 500).toBe(true);
1158
+ });
1159
+ });
1160
+
1161
+ describe("addPopulateToQuery", () => {
1162
+ it("returns query unchanged with no populate paths", async () => {
1163
+ await setupDb();
1164
+ const query = FoodModel.find({});
1165
+ const result = addPopulateToQuery(query, undefined);
1166
+ expect(result).toBe(query);
1167
+ });
1168
+
1169
+ it("returns query unchanged with empty populate paths", async () => {
1170
+ await setupDb();
1171
+ const query = FoodModel.find({});
1172
+ const result = addPopulateToQuery(query, []);
1173
+ expect(result).toBe(query);
1174
+ });
1175
+
1176
+ it("applies multiple populate paths", async () => {
1177
+ await setupDb();
1178
+ const query = FoodModel.find({});
1179
+ const result = addPopulateToQuery(query, [
1180
+ {fields: ["email"], path: "ownerId"},
1181
+ {fields: ["name"], path: "eatenBy"},
1182
+ ]);
1183
+ // The result should be a query with populate applied
1184
+ expect(result).toBeDefined();
1185
+ });
1186
+ });
1187
+
1188
+ describe("soft delete with isDeleted plugin", () => {
1189
+ let admin: any;
1190
+ let agent: TestAgent;
1191
+
1192
+ beforeEach(async () => {
1193
+ [admin] = await setupDb();
1194
+
1195
+ app = getBaseServer();
1196
+ setupAuth(app, UserModel as any);
1197
+ addAuthRoutes(app, UserModel as any);
1198
+ });
1199
+
1200
+ it("soft deletes user with deleted field", async () => {
1201
+ // UserModel has the isDisabledPlugin which adds a 'disabled' field,
1202
+ // but we need to test the 'deleted' field check.
1203
+ // Let's use a model that has the deleted field.
1204
+ app.use(
1205
+ "/users",
1206
+ modelRouter(UserModel, {
1207
+ allowAnonymous: true,
1208
+ permissions: {
1209
+ create: [Permissions.IsAny],
1210
+ delete: [Permissions.IsAny],
1211
+ list: [Permissions.IsAny],
1212
+ read: [Permissions.IsAny],
1213
+ update: [Permissions.IsAny],
1214
+ },
1215
+ })
1216
+ );
1217
+ server = supertest(app);
1218
+ agent = await authAsUser(app, "notAdmin");
1219
+
1220
+ // Delete a user - this should use deleteOne since User doesn't have deleted field
1221
+ const res = await agent.delete(`/users/${admin._id}`).expect(204);
1222
+ expect(res.body).toEqual({});
1223
+
1224
+ // Verify user was deleted
1225
+ const deletedUser = await UserModel.findById(admin._id);
1226
+ expect(deletedUser).toBeNull();
1227
+ });
1228
+ });
1229
+
1230
+ describe("populate in create", () => {
1231
+ let admin: any;
1232
+
1233
+ beforeEach(async () => {
1234
+ [admin] = await setupDb();
1235
+
1236
+ await FoodModel.create({
1237
+ calories: 1,
1238
+ created: new Date("2021-12-03T00:00:20.000Z"),
1239
+ hidden: false,
1240
+ name: "Spinach",
1241
+ ownerId: admin._id,
1242
+ });
1243
+
1244
+ app = getBaseServer();
1245
+ setupAuth(app, UserModel as any);
1246
+ addAuthRoutes(app, UserModel as any);
1247
+ });
1248
+
1249
+ it("handles populate with valid path in create", async () => {
1250
+ // Test that valid populate works in create flow
1251
+ app.use(
1252
+ "/food",
1253
+ modelRouter(FoodModel, {
1254
+ allowAnonymous: true,
1255
+ permissions: {
1256
+ create: [Permissions.IsAny],
1257
+ delete: [Permissions.IsAny],
1258
+ list: [Permissions.IsAny],
1259
+ read: [Permissions.IsAny],
1260
+ update: [Permissions.IsAny],
1261
+ },
1262
+ populatePaths: [{fields: ["email"], path: "ownerId"}],
1263
+ })
1264
+ );
1265
+ server = supertest(app);
1266
+
1267
+ const res = await server
1268
+ .post("/food")
1269
+ .send({calories: 15, name: "Broccoli", ownerId: admin._id})
1270
+ .expect(201);
1271
+ expect(res.body.data.name).toBe("Broccoli");
1272
+ // Verify populate worked - ownerId should be an object with email
1273
+ expect(res.body.data.ownerId.email).toBe(admin.email);
1274
+ });
1275
+ });
1276
+
1277
+ describe("save error handling", () => {
1278
+ let admin: any;
1279
+ let spinach: Food;
1280
+
1281
+ beforeEach(async () => {
1282
+ [admin] = await setupDb();
1283
+
1284
+ spinach = await FoodModel.create({
1285
+ calories: 1,
1286
+ created: new Date("2021-12-03T00:00:20.000Z"),
1287
+ hidden: false,
1288
+ name: "Spinach",
1289
+ ownerId: admin._id,
1290
+ source: {
1291
+ name: "Brand",
1292
+ },
1293
+ });
1294
+
1295
+ app = getBaseServer();
1296
+ setupAuth(app, UserModel as any);
1297
+ addAuthRoutes(app, UserModel as any);
1298
+ });
1299
+
1300
+ it("handles patch save error with validation failure", async () => {
1301
+ // The FoodModel has strict: "throw" which will cause validation errors for unknown fields
1302
+ app.use(
1303
+ "/food",
1304
+ modelRouter(FoodModel, {
1305
+ allowAnonymous: true,
1306
+ permissions: {
1307
+ create: [Permissions.IsAny],
1308
+ delete: [Permissions.IsAny],
1309
+ list: [Permissions.IsAny],
1310
+ read: [Permissions.IsAny],
1311
+ update: [Permissions.IsAny],
1312
+ },
1313
+ })
1314
+ );
1315
+ server = supertest(app);
1316
+
1317
+ // Try to patch with an invalid field (will be caught by strict: "throw")
1318
+ const res = await server
1319
+ .patch(`/food/${spinach._id}`)
1320
+ .send({invalidField: "value"})
1321
+ .expect(400);
1322
+ expect(res.body.title).toContain("preUpdate hook save error");
1323
+ });
1324
+ });
1325
+
1326
+ describe("body undefined after transform without preCreate", () => {
1327
+ beforeEach(async () => {
1328
+ await setupDb();
1329
+
1330
+ app = getBaseServer();
1331
+ setupAuth(app, UserModel as any);
1332
+ addAuthRoutes(app, UserModel as any);
1333
+ });
1334
+
1335
+ it("handles undefined body after transform when no preCreate", async () => {
1336
+ // Create a transformer that returns undefined
1337
+ app.use(
1338
+ "/food",
1339
+ modelRouter(FoodModel, {
1340
+ allowAnonymous: true,
1341
+ permissions: {
1342
+ create: [Permissions.IsAny],
1343
+ delete: [Permissions.IsAny],
1344
+ list: [Permissions.IsAny],
1345
+ read: [Permissions.IsAny],
1346
+ update: [Permissions.IsAny],
1347
+ },
1348
+ transformer: {
1349
+ transform: () => undefined,
1350
+ },
1351
+ })
1352
+ );
1353
+ server = supertest(app);
1354
+
1355
+ const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
1356
+ expect(res.body.title).toBe("Invalid request body");
1357
+ expect(res.body.detail).toBe("Body is undefined");
1358
+ });
1359
+ });
1360
+
1361
+ describe("soft delete with deleted field", () => {
1362
+ let agent: TestAgent;
1363
+
1364
+ beforeEach(async () => {
1365
+ await setupDb();
1366
+
1367
+ app = getBaseServer();
1368
+ setupAuth(app, UserModel as any);
1369
+ addAuthRoutes(app, UserModel as any);
1370
+ });
1371
+
1372
+ it("soft deletes document with deleted field using isDeletedPlugin", async () => {
1373
+ // Create a test schema with the isDeletedPlugin
1374
+ const mongoose = await import("mongoose");
1375
+
1376
+ // Create a temporary model with the deleted field
1377
+ const softDeleteSchema = new mongoose.Schema({
1378
+ deleted: {default: false, type: Boolean},
1379
+ name: String,
1380
+ });
1381
+ // Manually add the deleted field (simulating what isDeletedPlugin does)
1382
+ // The schema already has the deleted field, so it should use soft delete
1383
+
1384
+ // Check if the model already exists to avoid OverwriteModelError
1385
+ let SoftDeleteModel;
1386
+ try {
1387
+ SoftDeleteModel = mongoose.model("SoftDeleteTest");
1388
+ } catch {
1389
+ SoftDeleteModel = mongoose.model("SoftDeleteTest", softDeleteSchema);
1390
+ }
1391
+
1392
+ // Clean up any existing documents
1393
+ await SoftDeleteModel.deleteMany({});
1394
+
1395
+ // Create a test document
1396
+ const testDoc = await SoftDeleteModel.create({name: "TestItem"});
1397
+
1398
+ app.use(
1399
+ "/softdelete",
1400
+ modelRouter(SoftDeleteModel, {
1401
+ allowAnonymous: true,
1402
+ permissions: {
1403
+ create: [Permissions.IsAny],
1404
+ delete: [Permissions.IsAny],
1405
+ list: [Permissions.IsAny],
1406
+ read: [Permissions.IsAny],
1407
+ update: [Permissions.IsAny],
1408
+ },
1409
+ })
1410
+ );
1411
+ server = supertest(app);
1412
+ agent = await authAsUser(app, "notAdmin");
1413
+
1414
+ // Delete should soft delete (set deleted: true) instead of hard delete
1415
+ await agent.delete(`/softdelete/${testDoc._id}`).expect(204);
1416
+
1417
+ // Verify document was soft deleted (not hard deleted)
1418
+ const softDeleted = await SoftDeleteModel.findById(testDoc._id);
1419
+ expect(softDeleted).not.toBeNull();
1420
+ expect(softDeleted?.deleted).toBe(true);
1421
+
1422
+ // Clean up
1423
+ await SoftDeleteModel.deleteMany({});
1424
+ });
1425
+ });
1426
+
1427
+ describe("array operation with undefined preUpdate return", () => {
1428
+ let admin: any;
1429
+ let apple: Food;
1430
+ let agent: TestAgent;
1431
+
1432
+ beforeEach(async () => {
1433
+ [admin] = await setupDb();
1434
+
1435
+ apple = await FoodModel.create({
1436
+ calories: 100,
1437
+ categories: [
1438
+ {name: "Fruit", show: true},
1439
+ {name: "Popular", show: false},
1440
+ ],
1441
+ created: new Date("2021-12-03T00:00:30.000Z"),
1442
+ hidden: false,
1443
+ name: "Apple",
1444
+ ownerId: admin._id,
1445
+ tags: ["healthy", "cheap"],
1446
+ });
1447
+
1448
+ app = getBaseServer();
1449
+ setupAuth(app, UserModel as any);
1450
+ addAuthRoutes(app, UserModel as any);
1451
+ });
1452
+
1453
+ it("array operation preUpdate returning undefined for array POST throws error", async () => {
1454
+ app.use(
1455
+ "/food",
1456
+ modelRouter(FoodModel, {
1457
+ allowAnonymous: true,
1458
+ permissions: {
1459
+ create: [Permissions.IsAdmin],
1460
+ delete: [Permissions.IsAdmin],
1461
+ list: [Permissions.IsAdmin],
1462
+ read: [Permissions.IsAdmin],
1463
+ update: [Permissions.IsAdmin],
1464
+ },
1465
+ preUpdate: () => undefined as any,
1466
+ })
1467
+ );
1468
+ server = supertest(app);
1469
+ agent = await authAsUser(app, "admin");
1470
+
1471
+ const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
1472
+ expect(res.body.title).toBe("Update not allowed");
1473
+ expect(res.body.detail).toBe("A body must be returned from preUpdate");
1474
+ });
1475
+
1476
+ it("array operation preUpdate returning null for array PATCH throws error", async () => {
1477
+ app.use(
1478
+ "/food",
1479
+ modelRouter(FoodModel, {
1480
+ allowAnonymous: true,
1481
+ permissions: {
1482
+ create: [Permissions.IsAdmin],
1483
+ delete: [Permissions.IsAdmin],
1484
+ list: [Permissions.IsAdmin],
1485
+ read: [Permissions.IsAdmin],
1486
+ update: [Permissions.IsAdmin],
1487
+ },
1488
+ preUpdate: () => null,
1489
+ })
1490
+ );
1491
+ server = supertest(app);
1492
+ agent = await authAsUser(app, "admin");
1493
+
1494
+ const res = await agent
1495
+ .patch(`/food/${apple._id}/tags/healthy`)
1496
+ .send({tags: "unhealthy"})
1497
+ .expect(403);
1498
+ expect(res.body.title).toBe("Update not allowed");
1499
+ });
1500
+
1501
+ it("array operation preUpdate error for array DELETE is handled", async () => {
1502
+ app.use(
1503
+ "/food",
1504
+ modelRouter(FoodModel, {
1505
+ allowAnonymous: true,
1506
+ permissions: {
1507
+ create: [Permissions.IsAdmin],
1508
+ delete: [Permissions.IsAdmin],
1509
+ list: [Permissions.IsAdmin],
1510
+ read: [Permissions.IsAdmin],
1511
+ update: [Permissions.IsAdmin],
1512
+ },
1513
+ preUpdate: () => {
1514
+ throw new Error("preUpdate error during delete");
1515
+ },
1516
+ })
1517
+ );
1518
+ server = supertest(app);
1519
+ agent = await authAsUser(app, "admin");
1520
+
1521
+ const res = await agent.delete(`/food/${apple._id}/tags/healthy`).expect(400);
1522
+ expect(res.body.title).toContain("preUpdate hook error");
1523
+ });
1524
+ });
1525
+
1526
+ describe("transformer errors", () => {
1527
+ let admin: any;
1528
+ let spinach: Food;
1529
+ let _agent: TestAgent;
1530
+
1531
+ beforeEach(async () => {
1532
+ [admin] = await setupDb();
1533
+
1534
+ spinach = await FoodModel.create({
1535
+ calories: 1,
1536
+ created: new Date("2021-12-03T00:00:20.000Z"),
1537
+ hidden: false,
1538
+ name: "Spinach",
1539
+ ownerId: admin._id,
1540
+ source: {
1541
+ name: "Brand",
1542
+ },
1543
+ });
1544
+
1545
+ app = getBaseServer();
1546
+ setupAuth(app, UserModel as any);
1547
+ addAuthRoutes(app, UserModel as any);
1548
+ });
1549
+
1550
+ it("transform error in create is handled", async () => {
1551
+ app.use(
1552
+ "/food",
1553
+ modelRouter(FoodModel, {
1554
+ allowAnonymous: true,
1555
+ permissions: {
1556
+ create: [Permissions.IsAny],
1557
+ delete: [Permissions.IsAny],
1558
+ list: [Permissions.IsAny],
1559
+ read: [Permissions.IsAny],
1560
+ update: [Permissions.IsAny],
1561
+ },
1562
+ transformer: AdminOwnerTransformer({
1563
+ // Only allow 'name' to be written, so 'calories' will throw
1564
+ anonWriteFields: ["name"],
1565
+ }),
1566
+ })
1567
+ );
1568
+ server = supertest(app);
1569
+
1570
+ const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
1571
+ expect(res.body.title).toContain("cannot write fields");
1572
+ });
1573
+
1574
+ it("transform error in patch is handled", async () => {
1575
+ app.use(
1576
+ "/food",
1577
+ modelRouter(FoodModel, {
1578
+ allowAnonymous: true,
1579
+ permissions: {
1580
+ create: [Permissions.IsAny],
1581
+ delete: [Permissions.IsAny],
1582
+ list: [Permissions.IsAny],
1583
+ read: [Permissions.IsAny],
1584
+ update: [Permissions.IsAny],
1585
+ },
1586
+ transformer: AdminOwnerTransformer({
1587
+ // Only allow 'name' to be written, so 'calories' will throw
1588
+ anonWriteFields: ["name"],
1589
+ }),
1590
+ })
1591
+ );
1592
+ server = supertest(app);
1593
+
1594
+ const res = await server.patch(`/food/${spinach._id}`).send({calories: 100}).expect(403);
1595
+ expect(res.body.title).toContain("cannot write fields");
1596
+ });
1597
+
1598
+ it("model.create validation error is handled", async () => {
1599
+ // Use a model that has required fields
1600
+ const {RequiredModel} = await import("./tests");
1601
+
1602
+ app.use(
1603
+ "/required",
1604
+ modelRouter(RequiredModel, {
1605
+ allowAnonymous: true,
1606
+ permissions: {
1607
+ create: [Permissions.IsAny],
1608
+ delete: [Permissions.IsAny],
1609
+ list: [Permissions.IsAny],
1610
+ read: [Permissions.IsAny],
1611
+ update: [Permissions.IsAny],
1612
+ },
1613
+ })
1614
+ );
1615
+ server = supertest(app);
1616
+
1617
+ // Send without required 'name' field
1618
+ const res = await server.post("/required").send({about: "test"}).expect(400);
1619
+ expect(res.body.title).toContain("Required");
1620
+ });
1621
+ });
1622
+
1623
+ describe("special query params", () => {
1624
+ let admin: any;
1625
+
1626
+ beforeEach(async () => {
1627
+ [admin] = await setupDb();
1628
+
1629
+ await FoodModel.create({
1630
+ calories: 1,
1631
+ created: new Date("2021-12-03T00:00:20.000Z"),
1632
+ hidden: false,
1633
+ name: "Spinach",
1634
+ ownerId: admin._id,
1635
+ });
1636
+
1637
+ app = getBaseServer();
1638
+ setupAuth(app, UserModel as any);
1639
+ addAuthRoutes(app, UserModel as any);
1640
+ });
1641
+
1642
+ it("period query param is stripped from query", async () => {
1643
+ app.use(
1644
+ "/food",
1645
+ modelRouter(FoodModel, {
1646
+ allowAnonymous: true,
1647
+ permissions: {
1648
+ create: [Permissions.IsAny],
1649
+ delete: [Permissions.IsAny],
1650
+ list: [Permissions.IsAny],
1651
+ read: [Permissions.IsAny],
1652
+ update: [Permissions.IsAny],
1653
+ },
1654
+ queryFields: ["name", "period"],
1655
+ queryFilter: (_user, query) => {
1656
+ // Simulate a queryFilter that accepts and processes period
1657
+ if (query?.period) {
1658
+ // Period is processed but shouldn't be passed to mongo
1659
+ return query;
1660
+ }
1661
+ return query ?? {};
1662
+ },
1663
+ })
1664
+ );
1665
+ server = supertest(app);
1666
+
1667
+ // period should be accepted and processed without error
1668
+ const res = await server.get("/food?period=weekly").expect(200);
1669
+ expect(res.body.data).toBeDefined();
1670
+ });
1671
+
1672
+ it("query with false value", async () => {
1673
+ // Create a food that is hidden
1674
+ await FoodModel.create({
1675
+ calories: 50,
1676
+ created: new Date("2021-12-04T00:00:20.000Z"),
1677
+ hidden: true,
1678
+ name: "HiddenFood",
1679
+ ownerId: admin._id,
1680
+ });
1681
+
1682
+ app.use(
1683
+ "/food",
1684
+ modelRouter(FoodModel, {
1685
+ allowAnonymous: true,
1686
+ permissions: {
1687
+ create: [Permissions.IsAny],
1688
+ delete: [Permissions.IsAny],
1689
+ list: [Permissions.IsAny],
1690
+ read: [Permissions.IsAny],
1691
+ update: [Permissions.IsAny],
1692
+ },
1693
+ queryFields: ["name", "hidden"],
1694
+ })
1695
+ );
1696
+ server = supertest(app);
1697
+
1698
+ // Query for non-hidden foods using ?hidden=false
1699
+ const res = await server.get("/food?hidden=false").expect(200);
1700
+ expect(res.body.data.every((f: any) => f.hidden === false)).toBe(true);
1701
+ });
1702
+
1703
+ it("$search query triggers special handling code path", async () => {
1704
+ // The $search code path just accesses the collection but doesn't do anything with it
1705
+ // This test verifies the code path is exercised
1706
+ app.use(
1707
+ "/food",
1708
+ modelRouter(FoodModel, {
1709
+ allowAnonymous: true,
1710
+ permissions: {
1711
+ create: [Permissions.IsAny],
1712
+ delete: [Permissions.IsAny],
1713
+ list: [Permissions.IsAny],
1714
+ read: [Permissions.IsAny],
1715
+ update: [Permissions.IsAny],
1716
+ },
1717
+ // Need to include $search in queryFields for it to pass validation
1718
+ queryFields: ["name", "$search"],
1719
+ })
1720
+ );
1721
+ server = supertest(app);
1722
+
1723
+ // The $search will be added to the query params, triggering the special handling
1724
+ // Even though the code doesn't actually do anything useful with it (stub for Atlas)
1725
+ const res = await server.get("/food?$search=test");
1726
+ // May return 500 because $search is passed to Mongo which doesn't support it without Atlas
1727
+ // The important thing is we've exercised the code path
1728
+ expect(res.status === 200 || res.status === 500).toBe(true);
1729
+ });
1730
+
1731
+ it("$autocomplete query triggers special handling code path", async () => {
1732
+ app.use(
1733
+ "/food",
1734
+ modelRouter(FoodModel, {
1735
+ allowAnonymous: true,
1736
+ permissions: {
1737
+ create: [Permissions.IsAny],
1738
+ delete: [Permissions.IsAny],
1739
+ list: [Permissions.IsAny],
1740
+ read: [Permissions.IsAny],
1741
+ update: [Permissions.IsAny],
1742
+ },
1743
+ queryFields: ["name", "$autocomplete"],
1744
+ })
1745
+ );
1746
+ server = supertest(app);
1747
+
1748
+ const res = await server.get("/food?$autocomplete=test");
1749
+ expect(res.status === 200 || res.status === 500).toBe(true);
1750
+ });
1751
+ });
1752
+
1753
+ describe("addPopulateToQuery", () => {
1754
+ it("returns query unchanged with no populate paths", async () => {
1755
+ await setupDb();
1756
+ const query = FoodModel.find({});
1757
+ const result = addPopulateToQuery(query, undefined);
1758
+ expect(result).toBe(query);
1759
+ });
1760
+
1761
+ it("returns query unchanged with empty populate paths", async () => {
1762
+ await setupDb();
1763
+ const query = FoodModel.find({});
1764
+ const result = addPopulateToQuery(query, []);
1765
+ expect(result).toBe(query);
1766
+ });
1767
+
1768
+ it("applies multiple populate paths", async () => {
1769
+ await setupDb();
1770
+ const query = FoodModel.find({});
1771
+ const result = addPopulateToQuery(query, [
1772
+ {fields: ["email"], path: "ownerId"},
1773
+ {fields: ["name"], path: "eatenBy"},
1774
+ ]);
1775
+ // The result should be a query with populate applied
1776
+ expect(result).toBeDefined();
1777
+ });
1778
+ });
1779
+
1780
+ describe("soft delete with isDeleted plugin", () => {
1781
+ let admin: any;
1782
+ let agent: TestAgent;
1783
+
1784
+ beforeEach(async () => {
1785
+ [admin] = await setupDb();
1786
+
1787
+ app = getBaseServer();
1788
+ setupAuth(app, UserModel as any);
1789
+ addAuthRoutes(app, UserModel as any);
1790
+ });
1791
+
1792
+ it("soft deletes user with deleted field", async () => {
1793
+ // UserModel has the isDisabledPlugin which adds a 'disabled' field,
1794
+ // but we need to test the 'deleted' field check.
1795
+ // Let's use a model that has the deleted field.
1796
+ app.use(
1797
+ "/users",
1798
+ modelRouter(UserModel, {
1799
+ allowAnonymous: true,
1800
+ permissions: {
1801
+ create: [Permissions.IsAny],
1802
+ delete: [Permissions.IsAny],
1803
+ list: [Permissions.IsAny],
1804
+ read: [Permissions.IsAny],
1805
+ update: [Permissions.IsAny],
1806
+ },
1807
+ })
1808
+ );
1809
+ server = supertest(app);
1810
+ agent = await authAsUser(app, "notAdmin");
1811
+
1812
+ // Delete a user - this should use deleteOne since User doesn't have deleted field
1813
+ const res = await agent.delete(`/users/${admin._id}`).expect(204);
1814
+ expect(res.body).toEqual({});
1815
+
1816
+ // Verify user was deleted
1817
+ const deletedUser = await UserModel.findById(admin._id);
1818
+ expect(deletedUser).toBeNull();
1819
+ });
1820
+ });
1821
+
1822
+ describe("populate in create", () => {
1823
+ let admin: any;
1824
+
1825
+ beforeEach(async () => {
1826
+ [admin] = await setupDb();
1827
+
1828
+ await FoodModel.create({
1829
+ calories: 1,
1830
+ created: new Date("2021-12-03T00:00:20.000Z"),
1831
+ hidden: false,
1832
+ name: "Spinach",
1833
+ ownerId: admin._id,
1834
+ });
1835
+
1836
+ app = getBaseServer();
1837
+ setupAuth(app, UserModel as any);
1838
+ addAuthRoutes(app, UserModel as any);
1839
+ });
1840
+
1841
+ it("handles populate with valid path in create", async () => {
1842
+ // Test that valid populate works in create flow
1843
+ app.use(
1844
+ "/food",
1845
+ modelRouter(FoodModel, {
1846
+ allowAnonymous: true,
1847
+ permissions: {
1848
+ create: [Permissions.IsAny],
1849
+ delete: [Permissions.IsAny],
1850
+ list: [Permissions.IsAny],
1851
+ read: [Permissions.IsAny],
1852
+ update: [Permissions.IsAny],
1853
+ },
1854
+ populatePaths: [{fields: ["email"], path: "ownerId"}],
1855
+ })
1856
+ );
1857
+ server = supertest(app);
1858
+
1859
+ const res = await server
1860
+ .post("/food")
1861
+ .send({calories: 15, name: "Broccoli", ownerId: admin._id})
1862
+ .expect(201);
1863
+ expect(res.body.data.name).toBe("Broccoli");
1864
+ // Verify populate worked - ownerId should be an object with email
1865
+ expect(res.body.data.ownerId.email).toBe(admin.email);
1866
+ });
1867
+ });
1868
+
1869
+ describe("save error handling", () => {
1870
+ let admin: any;
1871
+ let spinach: Food;
1872
+
1873
+ beforeEach(async () => {
1874
+ [admin] = await setupDb();
1875
+
1876
+ spinach = await FoodModel.create({
1877
+ calories: 1,
1878
+ created: new Date("2021-12-03T00:00:20.000Z"),
1879
+ hidden: false,
1880
+ name: "Spinach",
1881
+ ownerId: admin._id,
1882
+ source: {
1883
+ name: "Brand",
1884
+ },
1885
+ });
1886
+
1887
+ app = getBaseServer();
1888
+ setupAuth(app, UserModel as any);
1889
+ addAuthRoutes(app, UserModel as any);
1890
+ });
1891
+
1892
+ it("handles patch save error with validation failure", async () => {
1893
+ // The FoodModel has strict: "throw" which will cause validation errors for unknown fields
1894
+ app.use(
1895
+ "/food",
1896
+ modelRouter(FoodModel, {
1897
+ allowAnonymous: true,
1898
+ permissions: {
1899
+ create: [Permissions.IsAny],
1900
+ delete: [Permissions.IsAny],
1901
+ list: [Permissions.IsAny],
1902
+ read: [Permissions.IsAny],
1903
+ update: [Permissions.IsAny],
1904
+ },
1905
+ })
1906
+ );
1907
+ server = supertest(app);
1908
+
1909
+ // Try to patch with an invalid field (will be caught by strict: "throw")
1910
+ const res = await server
1911
+ .patch(`/food/${spinach._id}`)
1912
+ .send({invalidField: "value"})
1913
+ .expect(400);
1914
+ expect(res.body.title).toContain("preUpdate hook save error");
1915
+ });
1916
+ });
1917
+
1918
+ describe("body undefined after transform without preCreate", () => {
1919
+ beforeEach(async () => {
1920
+ await setupDb();
1921
+
1922
+ app = getBaseServer();
1923
+ setupAuth(app, UserModel as any);
1924
+ addAuthRoutes(app, UserModel as any);
1925
+ });
1926
+
1927
+ it("handles undefined body after transform when no preCreate", async () => {
1928
+ // Create a transformer that returns undefined
1929
+ app.use(
1930
+ "/food",
1931
+ modelRouter(FoodModel, {
1932
+ allowAnonymous: true,
1933
+ permissions: {
1934
+ create: [Permissions.IsAny],
1935
+ delete: [Permissions.IsAny],
1936
+ list: [Permissions.IsAny],
1937
+ read: [Permissions.IsAny],
1938
+ update: [Permissions.IsAny],
1939
+ },
1940
+ transformer: {
1941
+ transform: () => undefined,
1942
+ },
1943
+ })
1944
+ );
1945
+ server = supertest(app);
1946
+
1947
+ const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
1948
+ expect(res.body.title).toBe("Invalid request body");
1949
+ expect(res.body.detail).toBe("Body is undefined");
1950
+ });
1951
+ });
1952
+
1953
+ describe("soft delete with deleted field", () => {
1954
+ let _admin: any;
1955
+ let agent: TestAgent;
1956
+
1957
+ beforeEach(async () => {
1958
+ [_admin] = await setupDb();
1959
+
1960
+ app = getBaseServer();
1961
+ setupAuth(app, UserModel as any);
1962
+ addAuthRoutes(app, UserModel as any);
1963
+ });
1964
+
1965
+ it("soft deletes document with deleted field using isDeletedPlugin", async () => {
1966
+ const mongoose = await import("mongoose");
1967
+
1968
+ // Create a temporary model with the deleted field
1969
+ const softDeleteSchema = new mongoose.Schema({
1970
+ deleted: {default: false, type: Boolean},
1971
+ name: String,
1972
+ });
1973
+ // Manually add the deleted field (simulating what isDeletedPlugin does)
1974
+ // The schema already has the deleted field, so it should use soft delete
1975
+
1976
+ // Check if the model already exists to avoid OverwriteModelError
1977
+ let SoftDeleteModel;
1978
+ try {
1979
+ SoftDeleteModel = mongoose.model("SoftDeleteTest");
1980
+ } catch {
1981
+ SoftDeleteModel = mongoose.model("SoftDeleteTest", softDeleteSchema);
1982
+ }
1983
+
1984
+ // Clean up any existing documents
1985
+ await SoftDeleteModel.deleteMany({});
1986
+
1987
+ // Create a test document
1988
+ const testDoc = await SoftDeleteModel.create({name: "TestItem"});
1989
+
1990
+ app.use(
1991
+ "/softdelete",
1992
+ modelRouter(SoftDeleteModel, {
1993
+ allowAnonymous: true,
1994
+ permissions: {
1995
+ create: [Permissions.IsAny],
1996
+ delete: [Permissions.IsAny],
1997
+ list: [Permissions.IsAny],
1998
+ read: [Permissions.IsAny],
1999
+ update: [Permissions.IsAny],
2000
+ },
2001
+ })
2002
+ );
2003
+ server = supertest(app);
2004
+ agent = await authAsUser(app, "notAdmin");
2005
+
2006
+ // Delete should soft delete (set deleted: true) instead of hard delete
2007
+ await agent.delete(`/softdelete/${testDoc._id}`).expect(204);
2008
+
2009
+ // Verify document was soft deleted (not hard deleted)
2010
+ const softDeleted = await SoftDeleteModel.findById(testDoc._id);
2011
+ expect(softDeleted).not.toBeNull();
2012
+ expect(softDeleted?.deleted).toBe(true);
2013
+
2014
+ // Clean up
2015
+ await SoftDeleteModel.deleteMany({});
2016
+ });
2017
+ });
2018
+
2019
+ describe("array operation with undefined preUpdate return", () => {
2020
+ let admin: any;
2021
+ let apple: Food;
2022
+ let agent: TestAgent;
2023
+
2024
+ beforeEach(async () => {
2025
+ [admin] = await setupDb();
2026
+
2027
+ apple = await FoodModel.create({
2028
+ calories: 100,
2029
+ categories: [
2030
+ {name: "Fruit", show: true},
2031
+ {name: "Popular", show: false},
2032
+ ],
2033
+ created: new Date("2021-12-03T00:00:30.000Z"),
2034
+ hidden: false,
2035
+ name: "Apple",
2036
+ ownerId: admin._id,
2037
+ tags: ["healthy", "cheap"],
2038
+ });
2039
+
2040
+ app = getBaseServer();
2041
+ setupAuth(app, UserModel as any);
2042
+ addAuthRoutes(app, UserModel as any);
2043
+ });
2044
+
2045
+ it("array operation preUpdate returning undefined for array POST throws error", async () => {
2046
+ app.use(
2047
+ "/food",
2048
+ modelRouter(FoodModel, {
2049
+ allowAnonymous: true,
2050
+ permissions: {
2051
+ create: [Permissions.IsAdmin],
2052
+ delete: [Permissions.IsAdmin],
2053
+ list: [Permissions.IsAdmin],
2054
+ read: [Permissions.IsAdmin],
2055
+ update: [Permissions.IsAdmin],
2056
+ },
2057
+ preUpdate: () => undefined as any,
2058
+ })
2059
+ );
2060
+ server = supertest(app);
2061
+ agent = await authAsUser(app, "admin");
2062
+
2063
+ const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
2064
+ expect(res.body.title).toBe("Update not allowed");
2065
+ expect(res.body.detail).toBe("A body must be returned from preUpdate");
2066
+ });
2067
+
2068
+ it("array operation preUpdate returning null for array PATCH throws error", async () => {
2069
+ app.use(
2070
+ "/food",
2071
+ modelRouter(FoodModel, {
2072
+ allowAnonymous: true,
2073
+ permissions: {
2074
+ create: [Permissions.IsAdmin],
2075
+ delete: [Permissions.IsAdmin],
2076
+ list: [Permissions.IsAdmin],
2077
+ read: [Permissions.IsAdmin],
2078
+ update: [Permissions.IsAdmin],
2079
+ },
2080
+ preUpdate: () => null,
2081
+ })
2082
+ );
2083
+ server = supertest(app);
2084
+ agent = await authAsUser(app, "admin");
2085
+
2086
+ const res = await agent
2087
+ .patch(`/food/${apple._id}/tags/healthy`)
2088
+ .send({tags: "unhealthy"})
2089
+ .expect(403);
2090
+ expect(res.body.title).toBe("Update not allowed");
2091
+ });
2092
+
2093
+ it("array operation preUpdate error for array DELETE is handled", async () => {
2094
+ app.use(
2095
+ "/food",
2096
+ modelRouter(FoodModel, {
2097
+ allowAnonymous: true,
2098
+ permissions: {
2099
+ create: [Permissions.IsAdmin],
2100
+ delete: [Permissions.IsAdmin],
2101
+ list: [Permissions.IsAdmin],
2102
+ read: [Permissions.IsAdmin],
2103
+ update: [Permissions.IsAdmin],
2104
+ },
2105
+ preUpdate: () => {
2106
+ throw new Error("preUpdate error during delete");
2107
+ },
2108
+ })
2109
+ );
2110
+ server = supertest(app);
2111
+ agent = await authAsUser(app, "admin");
2112
+
2113
+ const res = await agent.delete(`/food/${apple._id}/tags/healthy`).expect(400);
2114
+ expect(res.body.title).toContain("preUpdate hook error");
2115
+ });
869
2116
  });
870
2117
  });