@terreno/api 0.0.17 → 0.1.0

package/src/api.test.ts

@@ -536,6 +536,7 @@ describe("@terreno/api", () => {
   describe("transformer errors", () => {
     let admin: any;
     let spinach: Food;
+    let agent: TestAgent;
 
     beforeEach(async () => {
       [admin] = await setupDb();
@@ -621,6 +622,35 @@ describe("@terreno/api", () => {
       const res = await server.post("/required").send({about: "test"}).expect(400);
       expect(res.body.title).toContain("Required");
     });
+
+    it("preDelete hook throwing APIError is re-thrown", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          preDelete: () => {
+            throw new APIError({
+              disableExternalErrorTracking: true,
+              status: 400,
+              title: "Custom preDelete APIError",
+            });
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "notAdmin");
+
+      const res = await agent.delete(`/food/${spinach._id}`).expect(400);
+      expect(res.body.title).toBe("Custom preDelete APIError");
+      expect(res.body.disableExternalErrorTracking).toBe(true);
+    });
   });
 
   describe("addPopulateToQuery", () => {
@@ -828,8 +858,12 @@ describe("@terreno/api", () => {
       const mongoose = await import("mongoose");
 
       const softDeleteSchema = new mongoose.Schema({
-        deleted: {default: false, type: Boolean},
-        name: String,
+        deleted: {
+          default: false,
+          description: "Whether this item has been soft deleted",
+          type: Boolean,
+        },
+        name: {description: "The name of the item", type: String},
       });
 
       let SoftDeleteModel;
@@ -902,132 +936,6 @@ describe("@terreno/api", () => {
     });
   });
 
-  describe("transformer errors", () => {
-    let admin: any;
-    let spinach: Food;
-    let agent: TestAgent;
-
-    beforeEach(async () => {
-      [admin] = await setupDb();
-
-      spinach = await FoodModel.create({
-        calories: 1,
-        created: new Date("2021-12-03T00:00:20.000Z"),
-        hidden: false,
-        name: "Spinach",
-        ownerId: admin._id,
-        source: {
-          name: "Brand",
-        },
-      });
-
-      app = getBaseServer();
-      setupAuth(app, UserModel as any);
-      addAuthRoutes(app, UserModel as any);
-    });
-
-    it("transform error in create is handled", async () => {
-      app.use(
-        "/food",
-        modelRouter(FoodModel, {
-          allowAnonymous: true,
-          permissions: {
-            create: [Permissions.IsAny],
-            delete: [Permissions.IsAny],
-            list: [Permissions.IsAny],
-            read: [Permissions.IsAny],
-            update: [Permissions.IsAny],
-          },
-          transformer: AdminOwnerTransformer({
-            // Only allow 'name' to be written, so 'calories' will throw
-            anonWriteFields: ["name"],
-          }),
-        })
-      );
-      server = supertest(app);
-
-      const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
-      expect(res.body.title).toContain("cannot write fields");
-    });
-
-    it("transform error in patch is handled", async () => {
-      app.use(
-        "/food",
-        modelRouter(FoodModel, {
-          allowAnonymous: true,
-          permissions: {
-            create: [Permissions.IsAny],
-            delete: [Permissions.IsAny],
-            list: [Permissions.IsAny],
-            read: [Permissions.IsAny],
-            update: [Permissions.IsAny],
-          },
-          transformer: AdminOwnerTransformer({
-            // Only allow 'name' to be written, so 'calories' will throw
-            anonWriteFields: ["name"],
-          }),
-        })
-      );
-      server = supertest(app);
-
-      const res = await server.patch(`/food/${spinach._id}`).send({calories: 100}).expect(403);
-      expect(res.body.title).toContain("cannot write fields");
-    });
-
-    it("model.create validation error is handled", async () => {
-      // Use a model that has required fields
-      const {RequiredModel} = await import("./tests");
-
-      app.use(
-        "/required",
-        modelRouter(RequiredModel, {
-          allowAnonymous: true,
-          permissions: {
-            create: [Permissions.IsAny],
-            delete: [Permissions.IsAny],
-            list: [Permissions.IsAny],
-            read: [Permissions.IsAny],
-            update: [Permissions.IsAny],
-          },
-        })
-      );
-      server = supertest(app);
-
-      // Send without required 'name' field
-      const res = await server.post("/required").send({about: "test"}).expect(400);
-      expect(res.body.title).toContain("Required");
-    });
-
-    it("preDelete hook throwing APIError is re-thrown", async () => {
-      app.use(
-        "/food",
-        modelRouter(FoodModel, {
-          allowAnonymous: true,
-          permissions: {
-            create: [Permissions.IsAny],
-            delete: [Permissions.IsAny],
-            list: [Permissions.IsAny],
-            read: [Permissions.IsAny],
-            update: [Permissions.IsAny],
-          },
-          preDelete: () => {
-            throw new APIError({
-              disableExternalErrorTracking: true,
-              status: 400,
-              title: "Custom preDelete APIError",
-            });
-          },
-        })
-      );
-      server = supertest(app);
-      agent = await authAsUser(app, "notAdmin");
-
-      const res = await agent.delete(`/food/${spinach._id}`).expect(400);
-      expect(res.body.title).toBe("Custom preDelete APIError");
-      expect(res.body.disableExternalErrorTracking).toBe(true);
-    });
-  });
-
   describe("special query params", () => {
     let admin: any;
 
@@ -1158,299 +1066,150 @@ describe("@terreno/api", () => {
     });
   });
 
-  describe("addPopulateToQuery", () => {
-    it("returns query unchanged with no populate paths", async () => {
-      await setupDb();
-      const query = FoodModel.find({});
-      const result = addPopulateToQuery(query, undefined);
-      expect(result).toBe(query);
-    });
-
-    it("returns query unchanged with empty populate paths", async () => {
-      await setupDb();
-      const query = FoodModel.find({});
-      const result = addPopulateToQuery(query, []);
-      expect(result).toBe(query);
-    });
-
-    it("applies multiple populate paths", async () => {
-      await setupDb();
-      const query = FoodModel.find({});
-      const result = addPopulateToQuery(query, [
-        {fields: ["email"], path: "ownerId"},
-        {fields: ["name"], path: "eatenBy"},
-      ]);
-      // The result should be a query with populate applied
-      expect(result).toBeDefined();
-    });
-  });
-
-  describe("soft delete with isDeleted plugin", () => {
+  describe("array operation with undefined preUpdate return", () => {
     let admin: any;
+    let apple: Food;
     let agent: TestAgent;
 
     beforeEach(async () => {
       [admin] = await setupDb();
 
+      apple = await FoodModel.create({
+        calories: 100,
+        categories: [
+          {name: "Fruit", show: true},
+          {name: "Popular", show: false},
+        ],
+        created: new Date("2021-12-03T00:00:30.000Z"),
+        hidden: false,
+        name: "Apple",
+        ownerId: admin._id,
+        tags: ["healthy", "cheap"],
+      });
+
       app = getBaseServer();
       setupAuth(app, UserModel as any);
       addAuthRoutes(app, UserModel as any);
     });
 
-    it("soft deletes user with deleted field", async () => {
-      // UserModel has the isDisabledPlugin which adds a 'disabled' field,
-      // but we need to test the 'deleted' field check.
-      // Let's use a model that has the deleted field.
+    it("array operation preUpdate returning undefined for array POST throws error", async () => {
       app.use(
-        "/users",
-        modelRouter(UserModel, {
+        "/food",
+        modelRouter(FoodModel, {
           allowAnonymous: true,
           permissions: {
-            create: [Permissions.IsAny],
-            delete: [Permissions.IsAny],
-            list: [Permissions.IsAny],
-            read: [Permissions.IsAny],
-            update: [Permissions.IsAny],
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
           },
+          preUpdate: () => undefined as any,
         })
       );
       server = supertest(app);
-      agent = await authAsUser(app, "notAdmin");
-
-      // Delete a user - this should use deleteOne since User doesn't have deleted field
-      const res = await agent.delete(`/users/${admin._id}`).expect(204);
-      expect(res.body).toEqual({});
-
-      // Verify user was deleted
-      const deletedUser = await UserModel.findById(admin._id);
-      expect(deletedUser).toBeNull();
-    });
-  });
-
-  describe("populate in create", () => {
-    let admin: any;
-
-    beforeEach(async () => {
-      [admin] = await setupDb();
-
-      await FoodModel.create({
-        calories: 1,
-        created: new Date("2021-12-03T00:00:20.000Z"),
-        hidden: false,
-        name: "Spinach",
-        ownerId: admin._id,
-      });
+      agent = await authAsUser(app, "admin");
 
-      app = getBaseServer();
-      setupAuth(app, UserModel as any);
-      addAuthRoutes(app, UserModel as any);
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
+      expect(res.body.title).toBe("Update not allowed");
+      expect(res.body.detail).toBe("A body must be returned from preUpdate");
     });
 
-    it("handles populate with valid path in create", async () => {
-      // Test that valid populate works in create flow
+    it("array operation preUpdate returning null for array PATCH throws error", async () => {
       app.use(
         "/food",
         modelRouter(FoodModel, {
           allowAnonymous: true,
           permissions: {
-            create: [Permissions.IsAny],
-            delete: [Permissions.IsAny],
-            list: [Permissions.IsAny],
-            read: [Permissions.IsAny],
-            update: [Permissions.IsAny],
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
           },
-          populatePaths: [{fields: ["email"], path: "ownerId"}],
+          preUpdate: () => null,
         })
       );
       server = supertest(app);
+      agent = await authAsUser(app, "admin");
 
-      const res = await server
-        .post("/food")
-        .send({calories: 15, name: "Broccoli", ownerId: admin._id})
-        .expect(201);
-      expect(res.body.data.name).toBe("Broccoli");
-      // Verify populate worked - ownerId should be an object with email
-      expect(res.body.data.ownerId.email).toBe(admin.email);
-    });
-  });
-
-  describe("save error handling", () => {
-    let admin: any;
-    let spinach: Food;
-
-    beforeEach(async () => {
-      [admin] = await setupDb();
-
-      spinach = await FoodModel.create({
-        calories: 1,
-        created: new Date("2021-12-03T00:00:20.000Z"),
-        hidden: false,
-        name: "Spinach",
-        ownerId: admin._id,
-        source: {
-          name: "Brand",
-        },
-      });
-
-      app = getBaseServer();
-      setupAuth(app, UserModel as any);
-      addAuthRoutes(app, UserModel as any);
+      const res = await agent
+        .patch(`/food/${apple._id}/tags/healthy`)
+        .send({tags: "unhealthy"})
+        .expect(403);
+      expect(res.body.title).toBe("Update not allowed");
     });
 
-    it("handles patch save error with validation failure", async () => {
-      // The FoodModel has strict: "throw" which will cause validation errors for unknown fields
+    it("array operation preUpdate error for array DELETE is handled", async () => {
       app.use(
         "/food",
         modelRouter(FoodModel, {
           allowAnonymous: true,
           permissions: {
-            create: [Permissions.IsAny],
-            delete: [Permissions.IsAny],
-            list: [Permissions.IsAny],
-            read: [Permissions.IsAny],
-            update: [Permissions.IsAny],
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
+          },
+          preUpdate: () => {
+            throw new Error("preUpdate error during delete");
           },
         })
       );
       server = supertest(app);
+      agent = await authAsUser(app, "admin");
 
-      // Try to patch with an invalid field (will be caught by strict: "throw")
-      const res = await server
-        .patch(`/food/${spinach._id}`)
-        .send({invalidField: "value"})
-        .expect(400);
-      expect(res.body.title).toContain("preUpdate hook save error");
-    });
-  });
-
-  describe("body undefined after transform without preCreate", () => {
-    beforeEach(async () => {
-      await setupDb();
-
-      app = getBaseServer();
-      setupAuth(app, UserModel as any);
-      addAuthRoutes(app, UserModel as any);
+      const res = await agent.delete(`/food/${apple._id}/tags/healthy`).expect(400);
+      expect(res.body.title).toContain("preUpdate hook error");
     });
 
-    it("handles undefined body after transform when no preCreate", async () => {
-      // Create a transformer that returns undefined
+    it("array operation postUpdate error is handled", async () => {
       app.use(
         "/food",
         modelRouter(FoodModel, {
           allowAnonymous: true,
           permissions: {
-            create: [Permissions.IsAny],
-            delete: [Permissions.IsAny],
-            list: [Permissions.IsAny],
-            read: [Permissions.IsAny],
-            update: [Permissions.IsAny],
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
           },
-          transformer: {
-            transform: () => undefined,
+          postUpdate: () => {
+            throw new Error("postUpdate array failed");
           },
         })
       );
       server = supertest(app);
+      agent = await authAsUser(app, "admin");
 
-      const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
-      expect(res.body.title).toBe("Invalid request body");
-      expect(res.body.detail).toBe("Body is undefined");
-    });
-  });
-
-  describe("soft delete with deleted field", () => {
-    let agent: TestAgent;
-
-    beforeEach(async () => {
-      await setupDb();
-
-      app = getBaseServer();
-      setupAuth(app, UserModel as any);
-      addAuthRoutes(app, UserModel as any);
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(400);
+      expect(res.body.title).toContain("PATCH Post Update error");
     });
 
-    it("soft deletes document with deleted field using isDeletedPlugin", async () => {
-      // Create a test schema with the isDeletedPlugin
-      const mongoose = await import("mongoose");
-
-      // Create a temporary model with the deleted field
-      const softDeleteSchema = new mongoose.Schema({
-        deleted: {default: false, type: Boolean},
-        name: String,
-      });
-      // Manually add the deleted field (simulating what isDeletedPlugin does)
-      // The schema already has the deleted field, so it should use soft delete
-
-      // Check if the model already exists to avoid OverwriteModelError
-      let SoftDeleteModel;
-      try {
-        SoftDeleteModel = mongoose.model("SoftDeleteTest");
-      } catch {
-        SoftDeleteModel = mongoose.model("SoftDeleteTest", softDeleteSchema);
-      }
-
-      // Clean up any existing documents
-      await SoftDeleteModel.deleteMany({});
-
-      // Create a test document
-      const testDoc = await SoftDeleteModel.create({name: "TestItem"});
-
+    it("array operation denied without update permission", async () => {
       app.use(
-        "/softdelete",
-        modelRouter(SoftDeleteModel, {
+        "/food",
+        modelRouter(FoodModel, {
           allowAnonymous: true,
           permissions: {
-            create: [Permissions.IsAny],
-            delete: [Permissions.IsAny],
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
             list: [Permissions.IsAny],
             read: [Permissions.IsAny],
-            update: [Permissions.IsAny],
+            update: [Permissions.IsAdmin],
           },
         })
       );
       server = supertest(app);
       agent = await authAsUser(app, "notAdmin");
 
-      // Delete should soft delete (set deleted: true) instead of hard delete
-      await agent.delete(`/softdelete/${testDoc._id}`).expect(204);
-
-      // Verify document was soft deleted (not hard deleted)
-      const softDeleted = await SoftDeleteModel.findById(testDoc._id);
-      expect(softDeleted).not.toBeNull();
-      expect(softDeleted?.deleted).toBe(true);
-
-      // Clean up
-      await SoftDeleteModel.deleteMany({});
-    });
-  });
-
-  describe("array operation with undefined preUpdate return", () => {
-    let admin: any;
-    let apple: Food;
-    let agent: TestAgent;
-
-    beforeEach(async () => {
-      [admin] = await setupDb();
-
-      apple = await FoodModel.create({
-        calories: 100,
-        categories: [
-          {name: "Fruit", show: true},
-          {name: "Popular", show: false},
-        ],
-        created: new Date("2021-12-03T00:00:30.000Z"),
-        hidden: false,
-        name: "Apple",
-        ownerId: admin._id,
-        tags: ["healthy", "cheap"],
-      });
-
-      app = getBaseServer();
-      setupAuth(app, UserModel as any);
-      addAuthRoutes(app, UserModel as any);
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(405);
+      expect(res.body.title).toContain("Access to PATCH");
     });
 
-    it("array operation preUpdate returning undefined for array POST throws error", async () => {
+    it("array operation on non-existent document returns 404", async () => {
       app.use(
         "/food",
         modelRouter(FoodModel, {
@@ -1462,43 +1221,40 @@ describe("@terreno/api", () => {
             read: [Permissions.IsAdmin],
             update: [Permissions.IsAdmin],
           },
-          preUpdate: () => undefined as any,
         })
       );
       server = supertest(app);
       agent = await authAsUser(app, "admin");
 
-      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
-      expect(res.body.title).toBe("Update not allowed");
-      expect(res.body.detail).toBe("A body must be returned from preUpdate");
+      const fakeId = "000000000000000000000000";
+      const res = await agent.post(`/food/${fakeId}/tags`).send({tags: "organic"}).expect(404);
+      expect(res.body.title).toContain("Could not find document to PATCH");
     });
 
-    it("array operation preUpdate returning null for array PATCH throws error", async () => {
+    it("array operation denied when user cannot update specific doc", async () => {
+      // Create food owned by admin, then try to update as notAdmin
       app.use(
         "/food",
         modelRouter(FoodModel, {
           allowAnonymous: true,
           permissions: {
-            create: [Permissions.IsAdmin],
-            delete: [Permissions.IsAdmin],
-            list: [Permissions.IsAdmin],
-            read: [Permissions.IsAdmin],
-            update: [Permissions.IsAdmin],
+            create: [Permissions.IsAuthenticated],
+            delete: [Permissions.IsAuthenticated],
+            list: [Permissions.IsAuthenticated],
+            read: [Permissions.IsAuthenticated],
+            update: [Permissions.IsOwner],
           },
-          preUpdate: () => null,
         })
       );
       server = supertest(app);
-      agent = await authAsUser(app, "admin");
+      // Login as notAdmin and try to update admin's food (apple)
+      agent = await authAsUser(app, "notAdmin");
 
-      const res = await agent
-        .patch(`/food/${apple._id}/tags/healthy`)
-        .send({tags: "unhealthy"})
-        .expect(403);
-      expect(res.body.title).toBe("Update not allowed");
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
+      expect(res.body.title).toContain("Patch not allowed");
     });
 
-    it("array operation preUpdate error for array DELETE is handled", async () => {
+    it("array operation transform error is handled", async () => {
       app.use(
         "/food",
         modelRouter(FoodModel, {
@@ -1510,23 +1266,24 @@ describe("@terreno/api", () => {
             read: [Permissions.IsAdmin],
             update: [Permissions.IsAdmin],
           },
-          preUpdate: () => {
-            throw new Error("preUpdate error during delete");
-          },
+          transformer: AdminOwnerTransformer({
+            adminWriteFields: ["name"],
+          }),
         })
       );
       server = supertest(app);
       agent = await authAsUser(app, "admin");
 
-      const res = await agent.delete(`/food/${apple._id}/tags/healthy`).expect(400);
-      expect(res.body.title).toContain("preUpdate hook error");
+      // Try to update tags field, which is not in the allowed write fields
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
+      expect(res.body.title).toContain("cannot write fields");
     });
   });
 
   describe("transformer errors", () => {
     let admin: any;
     let spinach: Food;
-    let _agent: TestAgent;
+    let agent: TestAgent;
 
     beforeEach(async () => {
       [admin] = await setupDb();
@@ -1618,6 +1375,35 @@ describe("@terreno/api", () => {
       const res = await server.post("/required").send({about: "test"}).expect(400);
       expect(res.body.title).toContain("Required");
     });
+
+    it("preDelete hook throwing APIError is re-thrown", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          preDelete: () => {
+            throw new APIError({
+              disableExternalErrorTracking: true,
+              status: 400,
+              title: "Custom preDelete APIError",
+            });
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "notAdmin");
+
+      const res = await agent.delete(`/food/${spinach._id}`).expect(400);
+      expect(res.body.title).toBe("Custom preDelete APIError");
+      expect(res.body.disableExternalErrorTracking).toBe(true);
+    });
   });
 
   describe("special query params", () => {
@@ -1963,6 +1749,7 @@ describe("@terreno/api", () => {
     });
 
     it("soft deletes document with deleted field using isDeletedPlugin", async () => {
+      // Create a test schema with the isDeletedPlugin
       const mongoose = await import("mongoose");
 
       // Create a temporary model with the deleted field