@terreno/api 0.0.18 → 0.2.0

package/src/api.test.ts

@@ -858,8 +858,12 @@ describe("@terreno/api", () => {
       const mongoose = await import("mongoose");
 
       const softDeleteSchema = new mongoose.Schema({
-        deleted: {default: false, type: Boolean},
-        name: String,
+        deleted: {
+          default: false,
+          description: "Whether this item has been soft deleted",
+          type: Boolean,
+        },
+        name: {description: "The name of the item", type: String},
       });
 
       let SoftDeleteModel;
@@ -1062,6 +1066,743 @@ describe("@terreno/api", () => {
     });
   });
 
+  describe("array operation with undefined preUpdate return", () => {
+    let admin: any;
+    let apple: Food;
+    let agent: TestAgent;
+
+    beforeEach(async () => {
+      [admin] = await setupDb();
+
+      apple = await FoodModel.create({
+        calories: 100,
+        categories: [
+          {name: "Fruit", show: true},
+          {name: "Popular", show: false},
+        ],
+        created: new Date("2021-12-03T00:00:30.000Z"),
+        hidden: false,
+        name: "Apple",
+        ownerId: admin._id,
+        tags: ["healthy", "cheap"],
+      });
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as any);
+      addAuthRoutes(app, UserModel as any);
+    });
+
+    it("array operation preUpdate returning undefined for array POST throws error", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
+          },
+          preUpdate: () => undefined as any,
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "admin");
+
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
+      expect(res.body.title).toBe("Update not allowed");
+      expect(res.body.detail).toBe("A body must be returned from preUpdate");
+    });
+
+    it("array operation preUpdate returning null for array PATCH throws error", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
+          },
+          preUpdate: () => null,
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "admin");
+
+      const res = await agent
+        .patch(`/food/${apple._id}/tags/healthy`)
+        .send({tags: "unhealthy"})
+        .expect(403);
+      expect(res.body.title).toBe("Update not allowed");
+    });
+
+    it("array operation preUpdate error for array DELETE is handled", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
+          },
+          preUpdate: () => {
+            throw new Error("preUpdate error during delete");
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "admin");
+
+      const res = await agent.delete(`/food/${apple._id}/tags/healthy`).expect(400);
+      expect(res.body.title).toContain("preUpdate hook error");
+    });
+
+    it("array operation postUpdate error is handled", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
+          },
+          postUpdate: () => {
+            throw new Error("postUpdate array failed");
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "admin");
+
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(400);
+      expect(res.body.title).toContain("PATCH Post Update error");
+    });
+
+    it("array operation denied without update permission", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAdmin],
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "notAdmin");
+
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(405);
+      expect(res.body.title).toContain("Access to PATCH");
+    });
+
+    it("array operation on non-existent document returns 404", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "admin");
+
+      const fakeId = "000000000000000000000000";
+      const res = await agent.post(`/food/${fakeId}/tags`).send({tags: "organic"}).expect(404);
+      expect(res.body.title).toContain("Could not find document to PATCH");
+    });
+
+    it("array operation denied when user cannot update specific doc", async () => {
+      // Create food owned by admin, then try to update as notAdmin
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAuthenticated],
+            delete: [Permissions.IsAuthenticated],
+            list: [Permissions.IsAuthenticated],
+            read: [Permissions.IsAuthenticated],
+            update: [Permissions.IsOwner],
+          },
+        })
+      );
+      server = supertest(app);
+      // Login as notAdmin and try to update admin's food (apple)
+      agent = await authAsUser(app, "notAdmin");
+
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
+      expect(res.body.title).toContain("Patch not allowed");
+    });
+
+    it("array operation transform error is handled", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAdmin],
+            delete: [Permissions.IsAdmin],
+            list: [Permissions.IsAdmin],
+            read: [Permissions.IsAdmin],
+            update: [Permissions.IsAdmin],
+          },
+          transformer: AdminOwnerTransformer({
+            adminWriteFields: ["name"],
+          }),
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "admin");
+
+      // Try to update tags field, which is not in the allowed write fields
+      const res = await agent.post(`/food/${apple._id}/tags`).send({tags: "organic"}).expect(403);
+      expect(res.body.title).toContain("cannot write fields");
+    });
+  });
+
+  describe("transformer errors", () => {
+    let admin: any;
+    let spinach: Food;
+    let agent: TestAgent;
+
+    beforeEach(async () => {
+      [admin] = await setupDb();
+
+      spinach = await FoodModel.create({
+        calories: 1,
+        created: new Date("2021-12-03T00:00:20.000Z"),
+        hidden: false,
+        name: "Spinach",
+        ownerId: admin._id,
+        source: {
+          name: "Brand",
+        },
+      });
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as any);
+      addAuthRoutes(app, UserModel as any);
+    });
+
+    it("transform error in create is handled", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          transformer: AdminOwnerTransformer({
+            // Only allow 'name' to be written, so 'calories' will throw
+            anonWriteFields: ["name"],
+          }),
+        })
+      );
+      server = supertest(app);
+
+      const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
+      expect(res.body.title).toContain("cannot write fields");
+    });
+
+    it("transform error in patch is handled", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          transformer: AdminOwnerTransformer({
+            // Only allow 'name' to be written, so 'calories' will throw
+            anonWriteFields: ["name"],
+          }),
+        })
+      );
+      server = supertest(app);
+
+      const res = await server.patch(`/food/${spinach._id}`).send({calories: 100}).expect(403);
+      expect(res.body.title).toContain("cannot write fields");
+    });
+
+    it("model.create validation error is handled", async () => {
+      // Use a model that has required fields
+      const {RequiredModel} = await import("./tests");
+
+      app.use(
+        "/required",
+        modelRouter(RequiredModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+        })
+      );
+      server = supertest(app);
+
+      // Send without required 'name' field
+      const res = await server.post("/required").send({about: "test"}).expect(400);
+      expect(res.body.title).toContain("Required");
+    });
+
+    it("preDelete hook throwing APIError is re-thrown", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          preDelete: () => {
+            throw new APIError({
+              disableExternalErrorTracking: true,
+              status: 400,
+              title: "Custom preDelete APIError",
+            });
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "notAdmin");
+
+      const res = await agent.delete(`/food/${spinach._id}`).expect(400);
+      expect(res.body.title).toBe("Custom preDelete APIError");
+      expect(res.body.disableExternalErrorTracking).toBe(true);
+    });
+  });
+
+  describe("special query params", () => {
+    let admin: any;
+
+    beforeEach(async () => {
+      [admin] = await setupDb();
+
+      await FoodModel.create({
+        calories: 1,
+        created: new Date("2021-12-03T00:00:20.000Z"),
+        hidden: false,
+        name: "Spinach",
+        ownerId: admin._id,
+      });
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as any);
+      addAuthRoutes(app, UserModel as any);
+    });
+
+    it("period query param is stripped from query", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          queryFields: ["name", "period"],
+          queryFilter: (_user, query) => {
+            // Simulate a queryFilter that accepts and processes period
+            if (query?.period) {
+              // Period is processed but shouldn't be passed to mongo
+              return query;
+            }
+            return query ?? {};
+          },
+        })
+      );
+      server = supertest(app);
+
+      // period should be accepted and processed without error
+      const res = await server.get("/food?period=weekly").expect(200);
+      expect(res.body.data).toBeDefined();
+    });
+
+    it("query with false value", async () => {
+      // Create a food that is hidden
+      await FoodModel.create({
+        calories: 50,
+        created: new Date("2021-12-04T00:00:20.000Z"),
+        hidden: true,
+        name: "HiddenFood",
+        ownerId: admin._id,
+      });
+
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          queryFields: ["name", "hidden"],
+        })
+      );
+      server = supertest(app);
+
+      // Query for non-hidden foods using ?hidden=false
+      const res = await server.get("/food?hidden=false").expect(200);
+      expect(res.body.data.every((f: any) => f.hidden === false)).toBe(true);
+    });
+
+    it("$search query triggers special handling code path", async () => {
+      // The $search code path just accesses the collection but doesn't do anything with it
+      // This test verifies the code path is exercised
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          // Need to include $search in queryFields for it to pass validation
+          queryFields: ["name", "$search"],
+        })
+      );
+      server = supertest(app);
+
+      // The $search will be added to the query params, triggering the special handling
+      // Even though the code doesn't actually do anything useful with it (stub for Atlas)
+      const res = await server.get("/food?$search=test");
+      // May return 500 because $search is passed to Mongo which doesn't support it without Atlas
+      // The important thing is we've exercised the code path
+      expect(res.status === 200 || res.status === 500).toBe(true);
+    });
+
+    it("$autocomplete query triggers special handling code path", async () => {
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          queryFields: ["name", "$autocomplete"],
+        })
+      );
+      server = supertest(app);
+
+      const res = await server.get("/food?$autocomplete=test");
+      expect(res.status === 200 || res.status === 500).toBe(true);
+    });
+  });
+
+  describe("addPopulateToQuery", () => {
+    it("returns query unchanged with no populate paths", async () => {
+      await setupDb();
+      const query = FoodModel.find({});
+      const result = addPopulateToQuery(query, undefined);
+      expect(result).toBe(query);
+    });
+
+    it("returns query unchanged with empty populate paths", async () => {
+      await setupDb();
+      const query = FoodModel.find({});
+      const result = addPopulateToQuery(query, []);
+      expect(result).toBe(query);
+    });
+
+    it("applies multiple populate paths", async () => {
+      await setupDb();
+      const query = FoodModel.find({});
+      const result = addPopulateToQuery(query, [
+        {fields: ["email"], path: "ownerId"},
+        {fields: ["name"], path: "eatenBy"},
+      ]);
+      // The result should be a query with populate applied
+      expect(result).toBeDefined();
+    });
+  });
+
+  describe("soft delete with isDeleted plugin", () => {
+    let admin: any;
+    let agent: TestAgent;
+
+    beforeEach(async () => {
+      [admin] = await setupDb();
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as any);
+      addAuthRoutes(app, UserModel as any);
+    });
+
+    it("soft deletes user with deleted field", async () => {
+      // UserModel has the isDisabledPlugin which adds a 'disabled' field,
+      // but we need to test the 'deleted' field check.
+      // Let's use a model that has the deleted field.
+      app.use(
+        "/users",
+        modelRouter(UserModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "notAdmin");
+
+      // Delete a user - this should use deleteOne since User doesn't have deleted field
+      const res = await agent.delete(`/users/${admin._id}`).expect(204);
+      expect(res.body).toEqual({});
+
+      // Verify user was deleted
+      const deletedUser = await UserModel.findById(admin._id);
+      expect(deletedUser).toBeNull();
+    });
+  });
+
+  describe("populate in create", () => {
+    let admin: any;
+
+    beforeEach(async () => {
+      [admin] = await setupDb();
+
+      await FoodModel.create({
+        calories: 1,
+        created: new Date("2021-12-03T00:00:20.000Z"),
+        hidden: false,
+        name: "Spinach",
+        ownerId: admin._id,
+      });
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as any);
+      addAuthRoutes(app, UserModel as any);
+    });
+
+    it("handles populate with valid path in create", async () => {
+      // Test that valid populate works in create flow
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          populatePaths: [{fields: ["email"], path: "ownerId"}],
+        })
+      );
+      server = supertest(app);
+
+      const res = await server
+        .post("/food")
+        .send({calories: 15, name: "Broccoli", ownerId: admin._id})
+        .expect(201);
+      expect(res.body.data.name).toBe("Broccoli");
+      // Verify populate worked - ownerId should be an object with email
+      expect(res.body.data.ownerId.email).toBe(admin.email);
+    });
+  });
+
+  describe("save error handling", () => {
+    let admin: any;
+    let spinach: Food;
+
+    beforeEach(async () => {
+      [admin] = await setupDb();
+
+      spinach = await FoodModel.create({
+        calories: 1,
+        created: new Date("2021-12-03T00:00:20.000Z"),
+        hidden: false,
+        name: "Spinach",
+        ownerId: admin._id,
+        source: {
+          name: "Brand",
+        },
+      });
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as any);
+      addAuthRoutes(app, UserModel as any);
+    });
+
+    it("handles patch save error with validation failure", async () => {
+      // The FoodModel has strict: "throw" which will cause validation errors for unknown fields
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+        })
+      );
+      server = supertest(app);
+
+      // Try to patch with an invalid field (will be caught by strict: "throw")
+      const res = await server
+        .patch(`/food/${spinach._id}`)
+        .send({invalidField: "value"})
+        .expect(400);
+      expect(res.body.title).toContain("preUpdate hook save error");
+    });
+  });
+
+  describe("body undefined after transform without preCreate", () => {
+    beforeEach(async () => {
+      await setupDb();
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as any);
+      addAuthRoutes(app, UserModel as any);
+    });
+
+    it("handles undefined body after transform when no preCreate", async () => {
+      // Create a transformer that returns undefined
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          transformer: {
+            transform: () => undefined,
+          },
+        })
+      );
+      server = supertest(app);
+
+      const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
+      expect(res.body.title).toBe("Invalid request body");
+      expect(res.body.detail).toBe("Body is undefined");
+    });
+  });
+
+  describe("soft delete with deleted field", () => {
+    let _admin: any;
+    let agent: TestAgent;
+
+    beforeEach(async () => {
+      [_admin] = await setupDb();
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as any);
+      addAuthRoutes(app, UserModel as any);
+    });
+
+    it("soft deletes document with deleted field using isDeletedPlugin", async () => {
+      // Create a test schema with the isDeletedPlugin
+      const mongoose = await import("mongoose");
+
+      // Create a temporary model with the deleted field
+      const softDeleteSchema = new mongoose.Schema({
+        deleted: {default: false, type: Boolean},
+        name: String,
+      });
+      // Manually add the deleted field (simulating what isDeletedPlugin does)
+      // The schema already has the deleted field, so it should use soft delete
+
+      // Check if the model already exists to avoid OverwriteModelError
+      let SoftDeleteModel;
+      try {
+        SoftDeleteModel = mongoose.model("SoftDeleteTest");
+      } catch {
+        SoftDeleteModel = mongoose.model("SoftDeleteTest", softDeleteSchema);
+      }
+
+      // Clean up any existing documents
+      await SoftDeleteModel.deleteMany({});
+
+      // Create a test document
+      const testDoc = await SoftDeleteModel.create({name: "TestItem"});
+
+      app.use(
+        "/softdelete",
+        modelRouter(SoftDeleteModel, {
+          allowAnonymous: true,
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "notAdmin");
+
+      // Delete should soft delete (set deleted: true) instead of hard delete
+      await agent.delete(`/softdelete/${testDoc._id}`).expect(204);
+
+      // Verify document was soft deleted (not hard deleted)
+      const softDeleted = await SoftDeleteModel.findById(testDoc._id);
+      expect(softDeleted).not.toBeNull();
+      expect(softDeleted?.deleted).toBe(true);
+
+      // Clean up
+      await SoftDeleteModel.deleteMany({});
+    });
+  });
+
   describe("array operation with undefined preUpdate return", () => {
     let admin: any;
     let apple: Food;