@terreno/api 0.0.17 → 0.0.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/.windsurfrules +107 -0
  2. package/AGENTS.md +313 -0
  3. package/README.md +3 -4
  4. package/biome.jsonc +1 -1
  5. package/dist/api.js +1 -1
  6. package/dist/api.query.test.js +1 -1
  7. package/dist/api.test.js +36 -1202
  8. package/dist/errors.js +1 -1
  9. package/dist/expressServer.d.ts +8 -2
  10. package/dist/expressServer.js +8 -1
  11. package/dist/githubAuth.d.ts +64 -0
  12. package/dist/githubAuth.js +293 -0
  13. package/dist/githubAuth.test.d.ts +1 -0
  14. package/dist/githubAuth.test.js +351 -0
  15. package/dist/index.d.ts +1 -0
  16. package/dist/index.js +1 -0
  17. package/dist/logger.js +1 -1
  18. package/dist/middleware.js +1 -1
  19. package/dist/notifiers/googleChatNotifier.js +1 -1
  20. package/dist/notifiers/googleChatNotifier.test.js +1 -1
  21. package/dist/notifiers/slackNotifier.js +1 -1
  22. package/dist/notifiers/slackNotifier.test.js +1 -1
  23. package/dist/notifiers/zoomNotifier.js +1 -1
  24. package/dist/notifiers/zoomNotifier.test.js +1 -1
  25. package/dist/permissions.js +1 -1
  26. package/dist/tests/bunSetup.js +2 -2
  27. package/package.json +4 -2
  28. package/src/api.query.test.ts +1 -1
  29. package/src/api.test.ts +30 -984
  30. package/src/api.ts +1 -1
  31. package/src/errors.ts +1 -1
  32. package/src/expressServer.ts +18 -2
  33. package/src/githubAuth.test.ts +223 -0
  34. package/src/githubAuth.ts +335 -0
  35. package/src/index.ts +1 -0
  36. package/src/logger.ts +1 -1
  37. package/src/middleware.ts +1 -1
  38. package/src/notifiers/googleChatNotifier.test.ts +1 -1
  39. package/src/notifiers/googleChatNotifier.ts +1 -1
  40. package/src/notifiers/slackNotifier.test.ts +1 -1
  41. package/src/notifiers/slackNotifier.ts +1 -1
  42. package/src/notifiers/zoomNotifier.test.ts +1 -1
  43. package/src/notifiers/zoomNotifier.ts +1 -1
  44. package/src/permissions.ts +1 -1
  45. package/src/tests/bunSetup.ts +2 -2
  46. /package/{CLAUDE.md → .cursorrules} +0 -0
package/src/api.test.ts CHANGED
@@ -536,6 +536,7 @@ describe("@terreno/api", () => {
536
536
  describe("transformer errors", () => {
537
537
  let admin: any;
538
538
  let spinach: Food;
539
+ let agent: TestAgent;
539
540
 
540
541
  beforeEach(async () => {
541
542
  [admin] = await setupDb();
@@ -621,6 +622,35 @@ describe("@terreno/api", () => {
621
622
  const res = await server.post("/required").send({about: "test"}).expect(400);
622
623
  expect(res.body.title).toContain("Required");
623
624
  });
625
+
626
+ it("preDelete hook throwing APIError is re-thrown", async () => {
627
+ app.use(
628
+ "/food",
629
+ modelRouter(FoodModel, {
630
+ allowAnonymous: true,
631
+ permissions: {
632
+ create: [Permissions.IsAny],
633
+ delete: [Permissions.IsAny],
634
+ list: [Permissions.IsAny],
635
+ read: [Permissions.IsAny],
636
+ update: [Permissions.IsAny],
637
+ },
638
+ preDelete: () => {
639
+ throw new APIError({
640
+ disableExternalErrorTracking: true,
641
+ status: 400,
642
+ title: "Custom preDelete APIError",
643
+ });
644
+ },
645
+ })
646
+ );
647
+ server = supertest(app);
648
+ agent = await authAsUser(app, "notAdmin");
649
+
650
+ const res = await agent.delete(`/food/${spinach._id}`).expect(400);
651
+ expect(res.body.title).toBe("Custom preDelete APIError");
652
+ expect(res.body.disableExternalErrorTracking).toBe(true);
653
+ });
624
654
  });
625
655
 
626
656
  describe("addPopulateToQuery", () => {
@@ -902,132 +932,6 @@ describe("@terreno/api", () => {
902
932
  });
903
933
  });
904
934
 
905
- describe("transformer errors", () => {
906
- let admin: any;
907
- let spinach: Food;
908
- let agent: TestAgent;
909
-
910
- beforeEach(async () => {
911
- [admin] = await setupDb();
912
-
913
- spinach = await FoodModel.create({
914
- calories: 1,
915
- created: new Date("2021-12-03T00:00:20.000Z"),
916
- hidden: false,
917
- name: "Spinach",
918
- ownerId: admin._id,
919
- source: {
920
- name: "Brand",
921
- },
922
- });
923
-
924
- app = getBaseServer();
925
- setupAuth(app, UserModel as any);
926
- addAuthRoutes(app, UserModel as any);
927
- });
928
-
929
- it("transform error in create is handled", async () => {
930
- app.use(
931
- "/food",
932
- modelRouter(FoodModel, {
933
- allowAnonymous: true,
934
- permissions: {
935
- create: [Permissions.IsAny],
936
- delete: [Permissions.IsAny],
937
- list: [Permissions.IsAny],
938
- read: [Permissions.IsAny],
939
- update: [Permissions.IsAny],
940
- },
941
- transformer: AdminOwnerTransformer({
942
- // Only allow 'name' to be written, so 'calories' will throw
943
- anonWriteFields: ["name"],
944
- }),
945
- })
946
- );
947
- server = supertest(app);
948
-
949
- const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
950
- expect(res.body.title).toContain("cannot write fields");
951
- });
952
-
953
- it("transform error in patch is handled", async () => {
954
- app.use(
955
- "/food",
956
- modelRouter(FoodModel, {
957
- allowAnonymous: true,
958
- permissions: {
959
- create: [Permissions.IsAny],
960
- delete: [Permissions.IsAny],
961
- list: [Permissions.IsAny],
962
- read: [Permissions.IsAny],
963
- update: [Permissions.IsAny],
964
- },
965
- transformer: AdminOwnerTransformer({
966
- // Only allow 'name' to be written, so 'calories' will throw
967
- anonWriteFields: ["name"],
968
- }),
969
- })
970
- );
971
- server = supertest(app);
972
-
973
- const res = await server.patch(`/food/${spinach._id}`).send({calories: 100}).expect(403);
974
- expect(res.body.title).toContain("cannot write fields");
975
- });
976
-
977
- it("model.create validation error is handled", async () => {
978
- // Use a model that has required fields
979
- const {RequiredModel} = await import("./tests");
980
-
981
- app.use(
982
- "/required",
983
- modelRouter(RequiredModel, {
984
- allowAnonymous: true,
985
- permissions: {
986
- create: [Permissions.IsAny],
987
- delete: [Permissions.IsAny],
988
- list: [Permissions.IsAny],
989
- read: [Permissions.IsAny],
990
- update: [Permissions.IsAny],
991
- },
992
- })
993
- );
994
- server = supertest(app);
995
-
996
- // Send without required 'name' field
997
- const res = await server.post("/required").send({about: "test"}).expect(400);
998
- expect(res.body.title).toContain("Required");
999
- });
1000
-
1001
- it("preDelete hook throwing APIError is re-thrown", async () => {
1002
- app.use(
1003
- "/food",
1004
- modelRouter(FoodModel, {
1005
- allowAnonymous: true,
1006
- permissions: {
1007
- create: [Permissions.IsAny],
1008
- delete: [Permissions.IsAny],
1009
- list: [Permissions.IsAny],
1010
- read: [Permissions.IsAny],
1011
- update: [Permissions.IsAny],
1012
- },
1013
- preDelete: () => {
1014
- throw new APIError({
1015
- disableExternalErrorTracking: true,
1016
- status: 400,
1017
- title: "Custom preDelete APIError",
1018
- });
1019
- },
1020
- })
1021
- );
1022
- server = supertest(app);
1023
- agent = await authAsUser(app, "notAdmin");
1024
-
1025
- const res = await agent.delete(`/food/${spinach._id}`).expect(400);
1026
- expect(res.body.title).toBe("Custom preDelete APIError");
1027
- expect(res.body.disableExternalErrorTracking).toBe(true);
1028
- });
1029
- });
1030
-
1031
935
  describe("special query params", () => {
1032
936
  let admin: any;
1033
937
 
@@ -1158,864 +1062,6 @@ describe("@terreno/api", () => {
1158
1062
  });
1159
1063
  });
1160
1064
 
1161
- describe("addPopulateToQuery", () => {
1162
- it("returns query unchanged with no populate paths", async () => {
1163
- await setupDb();
1164
- const query = FoodModel.find({});
1165
- const result = addPopulateToQuery(query, undefined);
1166
- expect(result).toBe(query);
1167
- });
1168
-
1169
- it("returns query unchanged with empty populate paths", async () => {
1170
- await setupDb();
1171
- const query = FoodModel.find({});
1172
- const result = addPopulateToQuery(query, []);
1173
- expect(result).toBe(query);
1174
- });
1175
-
1176
- it("applies multiple populate paths", async () => {
1177
- await setupDb();
1178
- const query = FoodModel.find({});
1179
- const result = addPopulateToQuery(query, [
1180
- {fields: ["email"], path: "ownerId"},
1181
- {fields: ["name"], path: "eatenBy"},
1182
- ]);
1183
- // The result should be a query with populate applied
1184
- expect(result).toBeDefined();
1185
- });
1186
- });
1187
-
1188
- describe("soft delete with isDeleted plugin", () => {
1189
- let admin: any;
1190
- let agent: TestAgent;
1191
-
1192
- beforeEach(async () => {
1193
- [admin] = await setupDb();
1194
-
1195
- app = getBaseServer();
1196
- setupAuth(app, UserModel as any);
1197
- addAuthRoutes(app, UserModel as any);
1198
- });
1199
-
1200
- it("soft deletes user with deleted field", async () => {
1201
- // UserModel has the isDisabledPlugin which adds a 'disabled' field,
1202
- // but we need to test the 'deleted' field check.
1203
- // Let's use a model that has the deleted field.
1204
- app.use(
1205
- "/users",
1206
- modelRouter(UserModel, {
1207
- allowAnonymous: true,
1208
- permissions: {
1209
- create: [Permissions.IsAny],
1210
- delete: [Permissions.IsAny],
1211
- list: [Permissions.IsAny],
1212
- read: [Permissions.IsAny],
1213
- update: [Permissions.IsAny],
1214
- },
1215
- })
1216
- );
1217
- server = supertest(app);
1218
- agent = await authAsUser(app, "notAdmin");
1219
-
1220
- // Delete a user - this should use deleteOne since User doesn't have deleted field
1221
- const res = await agent.delete(`/users/${admin._id}`).expect(204);
1222
- expect(res.body).toEqual({});
1223
-
1224
- // Verify user was deleted
1225
- const deletedUser = await UserModel.findById(admin._id);
1226
- expect(deletedUser).toBeNull();
1227
- });
1228
- });
1229
-
1230
- describe("populate in create", () => {
1231
- let admin: any;
1232
-
1233
- beforeEach(async () => {
1234
- [admin] = await setupDb();
1235
-
1236
- await FoodModel.create({
1237
- calories: 1,
1238
- created: new Date("2021-12-03T00:00:20.000Z"),
1239
- hidden: false,
1240
- name: "Spinach",
1241
- ownerId: admin._id,
1242
- });
1243
-
1244
- app = getBaseServer();
1245
- setupAuth(app, UserModel as any);
1246
- addAuthRoutes(app, UserModel as any);
1247
- });
1248
-
1249
- it("handles populate with valid path in create", async () => {
1250
- // Test that valid populate works in create flow
1251
- app.use(
1252
- "/food",
1253
- modelRouter(FoodModel, {
1254
- allowAnonymous: true,
1255
- permissions: {
1256
- create: [Permissions.IsAny],
1257
- delete: [Permissions.IsAny],
1258
- list: [Permissions.IsAny],
1259
- read: [Permissions.IsAny],
1260
- update: [Permissions.IsAny],
1261
- },
1262
- populatePaths: [{fields: ["email"], path: "ownerId"}],
1263
- })
1264
- );
1265
- server = supertest(app);
1266
-
1267
- const res = await server
1268
- .post("/food")
1269
- .send({calories: 15, name: "Broccoli", ownerId: admin._id})
1270
- .expect(201);
1271
- expect(res.body.data.name).toBe("Broccoli");
1272
- // Verify populate worked - ownerId should be an object with email
1273
- expect(res.body.data.ownerId.email).toBe(admin.email);
1274
- });
1275
- });
1276
-
1277
- describe("save error handling", () => {
1278
- let admin: any;
1279
- let spinach: Food;
1280
-
1281
- beforeEach(async () => {
1282
- [admin] = await setupDb();
1283
-
1284
- spinach = await FoodModel.create({
1285
- calories: 1,
1286
- created: new Date("2021-12-03T00:00:20.000Z"),
1287
- hidden: false,
1288
- name: "Spinach",
1289
- ownerId: admin._id,
1290
- source: {
1291
- name: "Brand",
1292
- },
1293
- });
1294
-
1295
- app = getBaseServer();
1296
- setupAuth(app, UserModel as any);
1297
- addAuthRoutes(app, UserModel as any);
1298
- });
1299
-
1300
- it("handles patch save error with validation failure", async () => {
1301
- // The FoodModel has strict: "throw" which will cause validation errors for unknown fields
1302
- app.use(
1303
- "/food",
1304
- modelRouter(FoodModel, {
1305
- allowAnonymous: true,
1306
- permissions: {
1307
- create: [Permissions.IsAny],
1308
- delete: [Permissions.IsAny],
1309
- list: [Permissions.IsAny],
1310
- read: [Permissions.IsAny],
1311
- update: [Permissions.IsAny],
1312
- },
1313
- })
1314
- );
1315
- server = supertest(app);
1316
-
1317
- // Try to patch with an invalid field (will be caught by strict: "throw")
1318
- const res = await server
1319
- .patch(`/food/${spinach._id}`)
1320
- .send({invalidField: "value"})
1321
- .expect(400);
1322
- expect(res.body.title).toContain("preUpdate hook save error");
1323
- });
1324
- });
1325
-
1326
- describe("body undefined after transform without preCreate", () => {
1327
- beforeEach(async () => {
1328
- await setupDb();
1329
-
1330
- app = getBaseServer();
1331
- setupAuth(app, UserModel as any);
1332
- addAuthRoutes(app, UserModel as any);
1333
- });
1334
-
1335
- it("handles undefined body after transform when no preCreate", async () => {
1336
- // Create a transformer that returns undefined
1337
- app.use(
1338
- "/food",
1339
- modelRouter(FoodModel, {
1340
- allowAnonymous: true,
1341
- permissions: {
1342
- create: [Permissions.IsAny],
1343
- delete: [Permissions.IsAny],
1344
- list: [Permissions.IsAny],
1345
- read: [Permissions.IsAny],
1346
- update: [Permissions.IsAny],
1347
- },
1348
- transformer: {
1349
- transform: () => undefined,
1350
- },
1351
- })
1352
- );
1353
- server = supertest(app);
1354
-
1355
- const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
1356
- expect(res.body.title).toBe("Invalid request body");
1357
- expect(res.body.detail).toBe("Body is undefined");
1358
- });
1359
- });
1360
-
1361
- describe("soft delete with deleted field", () => {
1362
- let agent: TestAgent;
1363
-
1364
- beforeEach(async () => {
1365
- await setupDb();
1366
-
1367
- app = getBaseServer();
1368
- setupAuth(app, UserModel as any);
1369
- addAuthRoutes(app, UserModel as any);
1370
- });
1371
-
1372
- it("soft deletes document with deleted field using isDeletedPlugin", async () => {
1373
- // Create a test schema with the isDeletedPlugin
1374
- const mongoose = await import("mongoose");
1375
-
1376
- // Create a temporary model with the deleted field
1377
- const softDeleteSchema = new mongoose.Schema({
1378
- deleted: {default: false, type: Boolean},
1379
- name: String,
1380
- });
1381
- // Manually add the deleted field (simulating what isDeletedPlugin does)
1382
- // The schema already has the deleted field, so it should use soft delete
1383
-
1384
- // Check if the model already exists to avoid OverwriteModelError
1385
- let SoftDeleteModel;
1386
- try {
1387
- SoftDeleteModel = mongoose.model("SoftDeleteTest");
1388
- } catch {
1389
- SoftDeleteModel = mongoose.model("SoftDeleteTest", softDeleteSchema);
1390
- }
1391
-
1392
- // Clean up any existing documents
1393
- await SoftDeleteModel.deleteMany({});
1394
-
1395
- // Create a test document
1396
- const testDoc = await SoftDeleteModel.create({name: "TestItem"});
1397
-
1398
- app.use(
1399
- "/softdelete",
1400
- modelRouter(SoftDeleteModel, {
1401
- allowAnonymous: true,
1402
- permissions: {
1403
- create: [Permissions.IsAny],
1404
- delete: [Permissions.IsAny],
1405
- list: [Permissions.IsAny],
1406
- read: [Permissions.IsAny],
1407
- update: [Permissions.IsAny],
1408
- },
1409
- })
1410
- );
1411
- server = supertest(app);
1412
- agent = await authAsUser(app, "notAdmin");
1413
-
1414
- // Delete should soft delete (set deleted: true) instead of hard delete
1415
- await agent.delete(`/softdelete/${testDoc._id}`).expect(204);
1416
-
1417
- // Verify document was soft deleted (not hard deleted)
1418
- const softDeleted = await SoftDeleteModel.findById(testDoc._id);
1419
- expect(softDeleted).not.toBeNull();
1420
- expect(softDeleted?.deleted).toBe(true);
1421
-
1422
- // Clean up
1423
- await SoftDeleteModel.deleteMany({});
1424
- });
1425
- });
1426
-
1427
- describe("array operation with undefined preUpdate return", () => {
1428
- let admin: any;
1429
- let apple: Food;
1430
- let agent: TestAgent;
1431
-
1432
- beforeEach(async () => {
1433
- [admin] = await setupDb();
1434
-
1435
- apple = await FoodModel.create({
1436
- calories: 100,
1437
- categories: [
1438
- {name: "Fruit", show: true},
1439
- {name: "Popular", show: false},
1440
- ],
1441
- created: new Date("2021-12-03T00:00:30.000Z"),
1442
- hidden: false,
1443
- name: "Apple",
1444
- ownerId: admin._id,
1445
- tags: ["healthy", "cheap"],
1446
- });
1447
-
1448
- app = getBaseServer();
1449
- setupAuth(app, UserModel as any);
1450
- addAuthRoutes(app, UserModel as any);
1451
- });
1452
-
1453
- it("array operation preUpdate returning undefined for array POST throws error", async () => {
1454
- app.use(
1455
- "/food",
1456
- modelRouter(FoodModel, {
1457
- allowAnonymous: true,
1458
- permissions: {
1459
- create: [Permissions.IsAdmin],
1460
- delete: [Permissions.IsAdmin],
1461
- list: [Permissions.IsAdmin],
1462
- read: [Permissions.IsAdmin],
1463
- update: [Permissions.IsAdmin],
1464
- },
1465
- preUpdate: () => undefined as any,
1466
- })
1467
- );
1468
- server = supertest(app);
1469
- agent = await authAsUser(app, "admin");
1470
-
1471
- const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
1472
- expect(res.body.title).toBe("Update not allowed");
1473
- expect(res.body.detail).toBe("A body must be returned from preUpdate");
1474
- });
1475
-
1476
- it("array operation preUpdate returning null for array PATCH throws error", async () => {
1477
- app.use(
1478
- "/food",
1479
- modelRouter(FoodModel, {
1480
- allowAnonymous: true,
1481
- permissions: {
1482
- create: [Permissions.IsAdmin],
1483
- delete: [Permissions.IsAdmin],
1484
- list: [Permissions.IsAdmin],
1485
- read: [Permissions.IsAdmin],
1486
- update: [Permissions.IsAdmin],
1487
- },
1488
- preUpdate: () => null,
1489
- })
1490
- );
1491
- server = supertest(app);
1492
- agent = await authAsUser(app, "admin");
1493
-
1494
- const res = await agent
1495
- .patch(`/food/${apple._id}/tags/healthy`)
1496
- .send({tags: "unhealthy"})
1497
- .expect(403);
1498
- expect(res.body.title).toBe("Update not allowed");
1499
- });
1500
-
1501
- it("array operation preUpdate error for array DELETE is handled", async () => {
1502
- app.use(
1503
- "/food",
1504
- modelRouter(FoodModel, {
1505
- allowAnonymous: true,
1506
- permissions: {
1507
- create: [Permissions.IsAdmin],
1508
- delete: [Permissions.IsAdmin],
1509
- list: [Permissions.IsAdmin],
1510
- read: [Permissions.IsAdmin],
1511
- update: [Permissions.IsAdmin],
1512
- },
1513
- preUpdate: () => {
1514
- throw new Error("preUpdate error during delete");
1515
- },
1516
- })
1517
- );
1518
- server = supertest(app);
1519
- agent = await authAsUser(app, "admin");
1520
-
1521
- const res = await agent.delete(`/food/${apple._id}/tags/healthy`).expect(400);
1522
- expect(res.body.title).toContain("preUpdate hook error");
1523
- });
1524
- });
1525
-
1526
- describe("transformer errors", () => {
1527
- let admin: any;
1528
- let spinach: Food;
1529
- let _agent: TestAgent;
1530
-
1531
- beforeEach(async () => {
1532
- [admin] = await setupDb();
1533
-
1534
- spinach = await FoodModel.create({
1535
- calories: 1,
1536
- created: new Date("2021-12-03T00:00:20.000Z"),
1537
- hidden: false,
1538
- name: "Spinach",
1539
- ownerId: admin._id,
1540
- source: {
1541
- name: "Brand",
1542
- },
1543
- });
1544
-
1545
- app = getBaseServer();
1546
- setupAuth(app, UserModel as any);
1547
- addAuthRoutes(app, UserModel as any);
1548
- });
1549
-
1550
- it("transform error in create is handled", async () => {
1551
- app.use(
1552
- "/food",
1553
- modelRouter(FoodModel, {
1554
- allowAnonymous: true,
1555
- permissions: {
1556
- create: [Permissions.IsAny],
1557
- delete: [Permissions.IsAny],
1558
- list: [Permissions.IsAny],
1559
- read: [Permissions.IsAny],
1560
- update: [Permissions.IsAny],
1561
- },
1562
- transformer: AdminOwnerTransformer({
1563
- // Only allow 'name' to be written, so 'calories' will throw
1564
- anonWriteFields: ["name"],
1565
- }),
1566
- })
1567
- );
1568
- server = supertest(app);
1569
-
1570
- const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
1571
- expect(res.body.title).toContain("cannot write fields");
1572
- });
1573
-
1574
- it("transform error in patch is handled", async () => {
1575
- app.use(
1576
- "/food",
1577
- modelRouter(FoodModel, {
1578
- allowAnonymous: true,
1579
- permissions: {
1580
- create: [Permissions.IsAny],
1581
- delete: [Permissions.IsAny],
1582
- list: [Permissions.IsAny],
1583
- read: [Permissions.IsAny],
1584
- update: [Permissions.IsAny],
1585
- },
1586
- transformer: AdminOwnerTransformer({
1587
- // Only allow 'name' to be written, so 'calories' will throw
1588
- anonWriteFields: ["name"],
1589
- }),
1590
- })
1591
- );
1592
- server = supertest(app);
1593
-
1594
- const res = await server.patch(`/food/${spinach._id}`).send({calories: 100}).expect(403);
1595
- expect(res.body.title).toContain("cannot write fields");
1596
- });
1597
-
1598
- it("model.create validation error is handled", async () => {
1599
- // Use a model that has required fields
1600
- const {RequiredModel} = await import("./tests");
1601
-
1602
- app.use(
1603
- "/required",
1604
- modelRouter(RequiredModel, {
1605
- allowAnonymous: true,
1606
- permissions: {
1607
- create: [Permissions.IsAny],
1608
- delete: [Permissions.IsAny],
1609
- list: [Permissions.IsAny],
1610
- read: [Permissions.IsAny],
1611
- update: [Permissions.IsAny],
1612
- },
1613
- })
1614
- );
1615
- server = supertest(app);
1616
-
1617
- // Send without required 'name' field
1618
- const res = await server.post("/required").send({about: "test"}).expect(400);
1619
- expect(res.body.title).toContain("Required");
1620
- });
1621
- });
1622
-
1623
- describe("special query params", () => {
1624
- let admin: any;
1625
-
1626
- beforeEach(async () => {
1627
- [admin] = await setupDb();
1628
-
1629
- await FoodModel.create({
1630
- calories: 1,
1631
- created: new Date("2021-12-03T00:00:20.000Z"),
1632
- hidden: false,
1633
- name: "Spinach",
1634
- ownerId: admin._id,
1635
- });
1636
-
1637
- app = getBaseServer();
1638
- setupAuth(app, UserModel as any);
1639
- addAuthRoutes(app, UserModel as any);
1640
- });
1641
-
1642
- it("period query param is stripped from query", async () => {
1643
- app.use(
1644
- "/food",
1645
- modelRouter(FoodModel, {
1646
- allowAnonymous: true,
1647
- permissions: {
1648
- create: [Permissions.IsAny],
1649
- delete: [Permissions.IsAny],
1650
- list: [Permissions.IsAny],
1651
- read: [Permissions.IsAny],
1652
- update: [Permissions.IsAny],
1653
- },
1654
- queryFields: ["name", "period"],
1655
- queryFilter: (_user, query) => {
1656
- // Simulate a queryFilter that accepts and processes period
1657
- if (query?.period) {
1658
- // Period is processed but shouldn't be passed to mongo
1659
- return query;
1660
- }
1661
- return query ?? {};
1662
- },
1663
- })
1664
- );
1665
- server = supertest(app);
1666
-
1667
- // period should be accepted and processed without error
1668
- const res = await server.get("/food?period=weekly").expect(200);
1669
- expect(res.body.data).toBeDefined();
1670
- });
1671
-
1672
- it("query with false value", async () => {
1673
- // Create a food that is hidden
1674
- await FoodModel.create({
1675
- calories: 50,
1676
- created: new Date("2021-12-04T00:00:20.000Z"),
1677
- hidden: true,
1678
- name: "HiddenFood",
1679
- ownerId: admin._id,
1680
- });
1681
-
1682
- app.use(
1683
- "/food",
1684
- modelRouter(FoodModel, {
1685
- allowAnonymous: true,
1686
- permissions: {
1687
- create: [Permissions.IsAny],
1688
- delete: [Permissions.IsAny],
1689
- list: [Permissions.IsAny],
1690
- read: [Permissions.IsAny],
1691
- update: [Permissions.IsAny],
1692
- },
1693
- queryFields: ["name", "hidden"],
1694
- })
1695
- );
1696
- server = supertest(app);
1697
-
1698
- // Query for non-hidden foods using ?hidden=false
1699
- const res = await server.get("/food?hidden=false").expect(200);
1700
- expect(res.body.data.every((f: any) => f.hidden === false)).toBe(true);
1701
- });
1702
-
1703
- it("$search query triggers special handling code path", async () => {
1704
- // The $search code path just accesses the collection but doesn't do anything with it
1705
- // This test verifies the code path is exercised
1706
- app.use(
1707
- "/food",
1708
- modelRouter(FoodModel, {
1709
- allowAnonymous: true,
1710
- permissions: {
1711
- create: [Permissions.IsAny],
1712
- delete: [Permissions.IsAny],
1713
- list: [Permissions.IsAny],
1714
- read: [Permissions.IsAny],
1715
- update: [Permissions.IsAny],
1716
- },
1717
- // Need to include $search in queryFields for it to pass validation
1718
- queryFields: ["name", "$search"],
1719
- })
1720
- );
1721
- server = supertest(app);
1722
-
1723
- // The $search will be added to the query params, triggering the special handling
1724
- // Even though the code doesn't actually do anything useful with it (stub for Atlas)
1725
- const res = await server.get("/food?$search=test");
1726
- // May return 500 because $search is passed to Mongo which doesn't support it without Atlas
1727
- // The important thing is we've exercised the code path
1728
- expect(res.status === 200 || res.status === 500).toBe(true);
1729
- });
1730
-
1731
- it("$autocomplete query triggers special handling code path", async () => {
1732
- app.use(
1733
- "/food",
1734
- modelRouter(FoodModel, {
1735
- allowAnonymous: true,
1736
- permissions: {
1737
- create: [Permissions.IsAny],
1738
- delete: [Permissions.IsAny],
1739
- list: [Permissions.IsAny],
1740
- read: [Permissions.IsAny],
1741
- update: [Permissions.IsAny],
1742
- },
1743
- queryFields: ["name", "$autocomplete"],
1744
- })
1745
- );
1746
- server = supertest(app);
1747
-
1748
- const res = await server.get("/food?$autocomplete=test");
1749
- expect(res.status === 200 || res.status === 500).toBe(true);
1750
- });
1751
- });
1752
-
1753
- describe("addPopulateToQuery", () => {
1754
- it("returns query unchanged with no populate paths", async () => {
1755
- await setupDb();
1756
- const query = FoodModel.find({});
1757
- const result = addPopulateToQuery(query, undefined);
1758
- expect(result).toBe(query);
1759
- });
1760
-
1761
- it("returns query unchanged with empty populate paths", async () => {
1762
- await setupDb();
1763
- const query = FoodModel.find({});
1764
- const result = addPopulateToQuery(query, []);
1765
- expect(result).toBe(query);
1766
- });
1767
-
1768
- it("applies multiple populate paths", async () => {
1769
- await setupDb();
1770
- const query = FoodModel.find({});
1771
- const result = addPopulateToQuery(query, [
1772
- {fields: ["email"], path: "ownerId"},
1773
- {fields: ["name"], path: "eatenBy"},
1774
- ]);
1775
- // The result should be a query with populate applied
1776
- expect(result).toBeDefined();
1777
- });
1778
- });
1779
-
1780
- describe("soft delete with isDeleted plugin", () => {
1781
- let admin: any;
1782
- let agent: TestAgent;
1783
-
1784
- beforeEach(async () => {
1785
- [admin] = await setupDb();
1786
-
1787
- app = getBaseServer();
1788
- setupAuth(app, UserModel as any);
1789
- addAuthRoutes(app, UserModel as any);
1790
- });
1791
-
1792
- it("soft deletes user with deleted field", async () => {
1793
- // UserModel has the isDisabledPlugin which adds a 'disabled' field,
1794
- // but we need to test the 'deleted' field check.
1795
- // Let's use a model that has the deleted field.
1796
- app.use(
1797
- "/users",
1798
- modelRouter(UserModel, {
1799
- allowAnonymous: true,
1800
- permissions: {
1801
- create: [Permissions.IsAny],
1802
- delete: [Permissions.IsAny],
1803
- list: [Permissions.IsAny],
1804
- read: [Permissions.IsAny],
1805
- update: [Permissions.IsAny],
1806
- },
1807
- })
1808
- );
1809
- server = supertest(app);
1810
- agent = await authAsUser(app, "notAdmin");
1811
-
1812
- // Delete a user - this should use deleteOne since User doesn't have deleted field
1813
- const res = await agent.delete(`/users/${admin._id}`).expect(204);
1814
- expect(res.body).toEqual({});
1815
-
1816
- // Verify user was deleted
1817
- const deletedUser = await UserModel.findById(admin._id);
1818
- expect(deletedUser).toBeNull();
1819
- });
1820
- });
1821
-
1822
- describe("populate in create", () => {
1823
- let admin: any;
1824
-
1825
- beforeEach(async () => {
1826
- [admin] = await setupDb();
1827
-
1828
- await FoodModel.create({
1829
- calories: 1,
1830
- created: new Date("2021-12-03T00:00:20.000Z"),
1831
- hidden: false,
1832
- name: "Spinach",
1833
- ownerId: admin._id,
1834
- });
1835
-
1836
- app = getBaseServer();
1837
- setupAuth(app, UserModel as any);
1838
- addAuthRoutes(app, UserModel as any);
1839
- });
1840
-
1841
- it("handles populate with valid path in create", async () => {
1842
- // Test that valid populate works in create flow
1843
- app.use(
1844
- "/food",
1845
- modelRouter(FoodModel, {
1846
- allowAnonymous: true,
1847
- permissions: {
1848
- create: [Permissions.IsAny],
1849
- delete: [Permissions.IsAny],
1850
- list: [Permissions.IsAny],
1851
- read: [Permissions.IsAny],
1852
- update: [Permissions.IsAny],
1853
- },
1854
- populatePaths: [{fields: ["email"], path: "ownerId"}],
1855
- })
1856
- );
1857
- server = supertest(app);
1858
-
1859
- const res = await server
1860
- .post("/food")
1861
- .send({calories: 15, name: "Broccoli", ownerId: admin._id})
1862
- .expect(201);
1863
- expect(res.body.data.name).toBe("Broccoli");
1864
- // Verify populate worked - ownerId should be an object with email
1865
- expect(res.body.data.ownerId.email).toBe(admin.email);
1866
- });
1867
- });
1868
-
1869
- describe("save error handling", () => {
1870
- let admin: any;
1871
- let spinach: Food;
1872
-
1873
- beforeEach(async () => {
1874
- [admin] = await setupDb();
1875
-
1876
- spinach = await FoodModel.create({
1877
- calories: 1,
1878
- created: new Date("2021-12-03T00:00:20.000Z"),
1879
- hidden: false,
1880
- name: "Spinach",
1881
- ownerId: admin._id,
1882
- source: {
1883
- name: "Brand",
1884
- },
1885
- });
1886
-
1887
- app = getBaseServer();
1888
- setupAuth(app, UserModel as any);
1889
- addAuthRoutes(app, UserModel as any);
1890
- });
1891
-
1892
- it("handles patch save error with validation failure", async () => {
1893
- // The FoodModel has strict: "throw" which will cause validation errors for unknown fields
1894
- app.use(
1895
- "/food",
1896
- modelRouter(FoodModel, {
1897
- allowAnonymous: true,
1898
- permissions: {
1899
- create: [Permissions.IsAny],
1900
- delete: [Permissions.IsAny],
1901
- list: [Permissions.IsAny],
1902
- read: [Permissions.IsAny],
1903
- update: [Permissions.IsAny],
1904
- },
1905
- })
1906
- );
1907
- server = supertest(app);
1908
-
1909
- // Try to patch with an invalid field (will be caught by strict: "throw")
1910
- const res = await server
1911
- .patch(`/food/${spinach._id}`)
1912
- .send({invalidField: "value"})
1913
- .expect(400);
1914
- expect(res.body.title).toContain("preUpdate hook save error");
1915
- });
1916
- });
1917
-
1918
- describe("body undefined after transform without preCreate", () => {
1919
- beforeEach(async () => {
1920
- await setupDb();
1921
-
1922
- app = getBaseServer();
1923
- setupAuth(app, UserModel as any);
1924
- addAuthRoutes(app, UserModel as any);
1925
- });
1926
-
1927
- it("handles undefined body after transform when no preCreate", async () => {
1928
- // Create a transformer that returns undefined
1929
- app.use(
1930
- "/food",
1931
- modelRouter(FoodModel, {
1932
- allowAnonymous: true,
1933
- permissions: {
1934
- create: [Permissions.IsAny],
1935
- delete: [Permissions.IsAny],
1936
- list: [Permissions.IsAny],
1937
- read: [Permissions.IsAny],
1938
- update: [Permissions.IsAny],
1939
- },
1940
- transformer: {
1941
- transform: () => undefined,
1942
- },
1943
- })
1944
- );
1945
- server = supertest(app);
1946
-
1947
- const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
1948
- expect(res.body.title).toBe("Invalid request body");
1949
- expect(res.body.detail).toBe("Body is undefined");
1950
- });
1951
- });
1952
-
1953
- describe("soft delete with deleted field", () => {
1954
- let _admin: any;
1955
- let agent: TestAgent;
1956
-
1957
- beforeEach(async () => {
1958
- [_admin] = await setupDb();
1959
-
1960
- app = getBaseServer();
1961
- setupAuth(app, UserModel as any);
1962
- addAuthRoutes(app, UserModel as any);
1963
- });
1964
-
1965
- it("soft deletes document with deleted field using isDeletedPlugin", async () => {
1966
- const mongoose = await import("mongoose");
1967
-
1968
- // Create a temporary model with the deleted field
1969
- const softDeleteSchema = new mongoose.Schema({
1970
- deleted: {default: false, type: Boolean},
1971
- name: String,
1972
- });
1973
- // Manually add the deleted field (simulating what isDeletedPlugin does)
1974
- // The schema already has the deleted field, so it should use soft delete
1975
-
1976
- // Check if the model already exists to avoid OverwriteModelError
1977
- let SoftDeleteModel;
1978
- try {
1979
- SoftDeleteModel = mongoose.model("SoftDeleteTest");
1980
- } catch {
1981
- SoftDeleteModel = mongoose.model("SoftDeleteTest", softDeleteSchema);
1982
- }
1983
-
1984
- // Clean up any existing documents
1985
- await SoftDeleteModel.deleteMany({});
1986
-
1987
- // Create a test document
1988
- const testDoc = await SoftDeleteModel.create({name: "TestItem"});
1989
-
1990
- app.use(
1991
- "/softdelete",
1992
- modelRouter(SoftDeleteModel, {
1993
- allowAnonymous: true,
1994
- permissions: {
1995
- create: [Permissions.IsAny],
1996
- delete: [Permissions.IsAny],
1997
- list: [Permissions.IsAny],
1998
- read: [Permissions.IsAny],
1999
- update: [Permissions.IsAny],
2000
- },
2001
- })
2002
- );
2003
- server = supertest(app);
2004
- agent = await authAsUser(app, "notAdmin");
2005
-
2006
- // Delete should soft delete (set deleted: true) instead of hard delete
2007
- await agent.delete(`/softdelete/${testDoc._id}`).expect(204);
2008
-
2009
- // Verify document was soft deleted (not hard deleted)
2010
- const softDeleted = await SoftDeleteModel.findById(testDoc._id);
2011
- expect(softDeleted).not.toBeNull();
2012
- expect(softDeleted?.deleted).toBe(true);
2013
-
2014
- // Clean up
2015
- await SoftDeleteModel.deleteMany({});
2016
- });
2017
- });
2018
-
2019
1065
  describe("array operation with undefined preUpdate return", () => {
2020
1066
  let admin: any;
2021
1067
  let apple: Food;