@terreno/api 0.11.0 → 0.11.2

package/dist/api.d.ts

@@ -8,11 +8,11 @@ import { type TerrenoTransformer } from "./transformers";
 export type JSONPrimitive = string | number | boolean | null;
 export interface JSONArray extends Array<JSONValue> {
 }
-export type JSONObject = {
+export interface JSONObject {
     [member: string]: JSONValue;
-};
+}
 export type JSONValue = JSONPrimitive | JSONObject | JSONArray;
-export declare function addPopulateToQuery(builtQuery: mongoose.Query<any[], any, Record<string, never>, any>, populatePaths?: PopulatePath[]): mongoose.Query<any[], any, Record<string, never>, any, "find", Record<string, never>>;
+export declare const addPopulateToQuery: (builtQuery: mongoose.Query<any[], any, Record<string, never>, any>, populatePaths?: PopulatePath[]) => mongoose.Query<any[], any, Record<string, never>, any, "find", Record<string, never>>;
 /**
  * @param a - the first number
  * @param b - the second number

package/dist/api.js

@@ -119,8 +119,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.gooseRestRouter = exports.asyncHandler = void 0;
-exports.addPopulateToQuery = addPopulateToQuery;
+exports.gooseRestRouter = exports.asyncHandler = exports.addPopulateToQuery = void 0;
 exports.modelRouter = modelRouter;
 /**
  * This is the doc comment for api.ts
@@ -139,7 +138,7 @@ var openApiValidator_1 = require("./openApiValidator");
 var permissions_1 = require("./permissions");
 var transformers_1 = require("./transformers");
 var utils_1 = require("./utils");
-function addPopulateToQuery(builtQuery, populatePaths) {
+var addPopulateToQuery = function (builtQuery, populatePaths) {
     var e_1, _a;
     var paths = populatePaths !== null && populatePaths !== void 0 ? populatePaths : [];
     var query = builtQuery;
@@ -159,7 +158,8 @@ function addPopulateToQuery(builtQuery, populatePaths) {
         finally { if (e_1) throw e_1.error; }
     }
     return query;
-}
+};
+exports.addPopulateToQuery = addPopulateToQuery;
 // TODOS:
 // Support bulk actions
 // Support more complex query fields
@@ -169,7 +169,7 @@ var PAGINATION_QUERY_PARAMS = ["limit", "page", "sort"];
 // Add support for more complex queries.
 var COMPLEX_QUERY_PARAMS = ["$and", "$or"];
 // Ensures query params are allowed. Also checks nested query params when using $and/$or.
-function checkQueryParamAllowed(queryParam, queryParamValue, queryFields) {
+var checkQueryParamAllowed = function (queryParam, queryParamValue, queryFields) {
     var e_2, _a, e_3, _b;
     if (queryFields === void 0) { queryFields = []; }
     // Check the values of each of the complex query params. We don't support recursive queries here,
@@ -209,7 +209,7 @@ function checkQueryParamAllowed(queryParam, queryParamValue, queryFields) {
             title: "".concat(queryParam, " is not allowed as a query param."),
         });
     }
-}
+};
 // Handles dot notation patches, creates a normal object to be used for updates.
 // function flattenDotNotationPatch(data: any) {
 //   const result = {};
@@ -231,7 +231,7 @@ function checkQueryParamAllowed(queryParam, queryParamValue, queryFields) {
 // Helper to determine if validation should be enabled for a specific operation.
 // When options.validation is not set, returns true — the middleware's own
 // isConfigured check will decide whether to actually validate.
-function shouldValidate(options, operation) {
+var shouldValidate = function (options, operation) {
     var _a, _b, _c;
     // Check route-specific validation option first
     if (options.validation !== undefined) {
@@ -248,9 +248,9 @@ function shouldValidate(options, operation) {
     }
     // Default: let middleware's isConfigured check decide
     return true;
-}
+};
 // Get body validation middleware if validation is enabled
-function getBodyValidationMiddleware(model, options, operation) {
+var getBodyValidationMiddleware = function (model, options, operation) {
     var validationOptions = {};
     if (!shouldValidate(options, operation)) {
         validationOptions.enabled = false;
@@ -271,9 +271,9 @@ function getBodyValidationMiddleware(model, options, operation) {
         }
     }
     return (0, openApiValidator_1.validateModelRequestBody)(model, validationOptions);
-}
+};
 // Get query validation middleware if validation is enabled
-function getQueryValidationMiddleware(model, options) {
+var getQueryValidationMiddleware = function (model, options) {
     var querySchema = (0, openApiValidator_1.buildQuerySchemaFromFields)(model, options.queryFields);
     var validationOptions = {};
     if (!shouldValidate(options, "query")) {
@@ -283,7 +283,7 @@ function getQueryValidationMiddleware(model, options) {
         validationOptions.onError = options.validation.onError;
     }
     return (0, openApiValidator_1.validateQueryParams)(querySchema, validationOptions);
-}
+};
 function modelRouter(pathOrModel, modelOrOptions, maybeOptions) {
     var model;
     var options;
@@ -406,7 +406,7 @@ function _buildModelRouter(model, options) {
                 case 10:
                     _a.trys.push([10, 12, , 13]);
                     populateQuery = model.findById(data._id);
-                    populateQuery = addPopulateToQuery(populateQuery, options.populatePaths);
+                    populateQuery = (0, exports.addPopulateToQuery)(populateQuery, options.populatePaths);
                     return [4 /*yield*/, populateQuery.exec()];
                 case 11:
                     data = _a.sent();
@@ -568,7 +568,7 @@ function _buildModelRouter(model, options) {
                     else if (options.sort) {
                         builtQuery = builtQuery.sort(options.sort);
                     }
-                    populatedQuery = addPopulateToQuery(builtQuery, options.populatePaths);
+                    populatedQuery = (0, exports.addPopulateToQuery)(builtQuery, options.populatePaths);
                     _o.label = 7;
                 case 7:
                     _o.trys.push([7, 9, , 10]);
@@ -754,7 +754,7 @@ function _buildModelRouter(model, options) {
                 case 9:
                     if (!options.populatePaths) return [3 /*break*/, 11];
                     populateQuery = model.findById(doc._id);
-                    populateQuery = addPopulateToQuery(populateQuery, options.populatePaths);
+                    populateQuery = (0, exports.addPopulateToQuery)(populateQuery, options.populatePaths);
                     return [4 /*yield*/, populateQuery.exec()];
                 case 10:
                     doc = _b.sent();

package/dist/populate.test.js

@@ -281,4 +281,66 @@ var tests_1 = require("./tests");
         });
         (0, bun_test_1.expect)(result.properties).toBeDefined();
     });
+    (0, bun_test_1.it)("uses openApiComponent $ref when provided", function () {
+        var result = (0, populate_1.getOpenApiSpecForModel)(tests_1.FoodModel, {
+            populatePaths: [{ openApiComponent: "UserComponent", path: "ownerId" }],
+        });
+        (0, bun_test_1.expect)(result.properties.ownerId).toEqual({
+            $ref: "#/components/schemas/UserComponent",
+        });
+    });
+    (0, bun_test_1.it)("populates array ref fields (eatenBy)", function () {
+        var result = (0, populate_1.getOpenApiSpecForModel)(tests_1.FoodModel, {
+            populatePaths: [{ path: "eatenBy" }],
+        });
+        (0, bun_test_1.expect)(result.properties.eatenBy).toBeDefined();
+        (0, bun_test_1.expect)(result.properties.eatenBy.items).toBeDefined();
+    });
+    (0, bun_test_1.it)("populates nested ref in sub-schema (likesIds.userId)", function () {
+        var result = (0, populate_1.getOpenApiSpecForModel)(tests_1.FoodModel, {
+            populatePaths: [{ path: "likesIds.userId" }],
+        });
+        (0, bun_test_1.expect)(result.properties.likesIds).toBeDefined();
+    });
+    (0, bun_test_1.it)("includes virtuals from model schema", function () {
+        var result = (0, populate_1.getOpenApiSpecForModel)(tests_1.FoodModel);
+        (0, bun_test_1.expect)(result.properties.description).toBeDefined();
+        (0, bun_test_1.expect)(result.properties.description.type).toBe("any");
+    });
+    (0, bun_test_1.it)("includes virtuals from child schemas", function () {
+        var childSub = new mongoose_1.Schema({ amount: { description: "Amount", type: Number } });
+        childSub.virtual("displayAmount").get(function () {
+            return "".concat(this.amount, " units");
+        });
+        var parentSchema = new mongoose_1.Schema({
+            detail: { description: "Single embedded detail", type: childSub },
+            title: { description: "Title", type: String },
+        });
+        var ParentModel = mongoose_1.default.models.ParentWithChildVirtual ||
+            mongoose_1.default.model("ParentWithChildVirtual", parentSchema);
+        var result = (0, populate_1.getOpenApiSpecForModel)(ParentModel);
+        var detail = result.properties.detail;
+        (0, bun_test_1.expect)(detail.properties.displayAmount).toBeDefined();
+        (0, bun_test_1.expect)(detail.properties.displayAmount.type).toBe("any");
+    });
+});
+(0, bun_test_1.describe)("filterKeys (via getOpenApiSpecForModel populatePaths)", function () {
+    (0, bun_test_1.it)("filters populated fields using dot-notation keys", function () {
+        var result = (0, populate_1.getOpenApiSpecForModel)(tests_1.FoodModel, {
+            populatePaths: [{ fields: ["name.nested"], path: "ownerId" }],
+        });
+        var ownerProps = result.properties.ownerId.properties;
+        (0, bun_test_1.expect)(ownerProps.name).toBeDefined();
+        (0, bun_test_1.expect)(typeof ownerProps.name).toBe("object");
+    });
+    (0, bun_test_1.it)("rejects prototype pollution keys in nested dot-notation", function () {
+        var result = (0, populate_1.getOpenApiSpecForModel)(tests_1.FoodModel, {
+            populatePaths: [{ fields: ["__proto__.polluted"], path: "ownerId" }],
+        });
+        (0, bun_test_1.expect)(result.properties).toBeDefined();
+        (0, bun_test_1.expect)(Object.prototype.polluted).toBeUndefined();
+        var ownerProps = result.properties.ownerId.properties;
+        (0, bun_test_1.expect)(ownerProps).toBeDefined();
+        (0, bun_test_1.expect)(Object.keys(ownerProps)).not.toContain("__proto__");
+    });
 });

package/package.json

@@ -104,5 +104,5 @@
     "updateSnapshot": "bun test --update-snapshots"
   },
   "types": "dist/index.d.ts",
-  "version": "0.11.0"
+  "version": "0.11.2"
 }

package/src/api.ts

@@ -36,13 +36,15 @@ import {isValidObjectId} from "./utils";
 
 export type JSONPrimitive = string | number | boolean | null;
 export interface JSONArray extends Array<JSONValue> {}
-export type JSONObject = {[member: string]: JSONValue};
+export interface JSONObject {
+  [member: string]: JSONValue;
+}
 export type JSONValue = JSONPrimitive | JSONObject | JSONArray;
 
-export function addPopulateToQuery(
+export const addPopulateToQuery = (
   builtQuery: mongoose.Query<any[], any, Record<string, never>, any>,
   populatePaths?: PopulatePath[]
-) {
+) => {
   const paths = populatePaths ?? [];
   let query = builtQuery;
 
@@ -52,7 +54,7 @@ export function addPopulateToQuery(
     query = builtQuery.populate({path, select});
   }
   return query;
-}
+};
 
 // TODOS:
 // Support bulk actions
@@ -312,11 +314,11 @@ export interface ModelRouterOptions<T> {
 }
 
 // Ensures query params are allowed. Also checks nested query params when using $and/$or.
-function checkQueryParamAllowed(
+const checkQueryParamAllowed = (
   queryParam: string,
   queryParamValue: any,
   queryFields: string[] = []
-) {
+) => {
   // Check the values of each of the complex query params. We don't support recursive queries here,
   // just one level of and/or
   if (COMPLEX_QUERY_PARAMS.includes(queryParam)) {
@@ -334,7 +336,7 @@ function checkQueryParamAllowed(
       title: `${queryParam} is not allowed as a query param.`,
     });
   }
-}
+};
 
 // Handles dot notation patches, creates a normal object to be used for updates.
 // function flattenDotNotationPatch(data: any) {
@@ -358,10 +360,10 @@ function checkQueryParamAllowed(
 // Helper to determine if validation should be enabled for a specific operation.
 // When options.validation is not set, returns true — the middleware's own
 // isConfigured check will decide whether to actually validate.
-function shouldValidate(
+const shouldValidate = (
   options: ModelRouterOptions<any>,
   operation: "create" | "update" | "query"
-): boolean {
+): boolean => {
   // Check route-specific validation option first
   if (options.validation !== undefined) {
     if (typeof options.validation === "boolean") {
@@ -378,14 +380,14 @@ function shouldValidate(
 
   // Default: let middleware's isConfigured check decide
   return true;
-}
+};
 
 // Get body validation middleware if validation is enabled
-function getBodyValidationMiddleware<T>(
+const getBodyValidationMiddleware = <T>(
   model: Model<T>,
   options: ModelRouterOptions<T>,
   operation: "create" | "update"
-): (req: Request, res: Response, next: NextFunction) => void {
+): ((req: Request, res: Response, next: NextFunction) => void) => {
   const validationOptions: import("./openApiValidator").RequestBodyValidatorOptions = {};
   if (!shouldValidate(options, operation)) {
     validationOptions.enabled = false;
@@ -408,13 +410,13 @@ function getBodyValidationMiddleware<T>(
   }
 
   return validateModelRequestBody(model, validationOptions);
-}
+};
 
 // Get query validation middleware if validation is enabled
-function getQueryValidationMiddleware<T>(
+const getQueryValidationMiddleware = <T>(
   model: Model<T>,
   options: ModelRouterOptions<T>
-): (req: Request, res: Response, next: NextFunction) => void {
+): ((req: Request, res: Response, next: NextFunction) => void) => {
   const querySchema = buildQuerySchemaFromFields(model, options.queryFields);
   const validationOptions: import("./openApiValidator").QueryValidatorOptions = {};
   if (!shouldValidate(options, "query")) {
@@ -425,7 +427,7 @@ function getQueryValidationMiddleware<T>(
   }
 
   return validateQueryParams(querySchema, validationOptions);
-}
+};
 
 /**
  * Registration object returned by modelRouter when called with a path.

package/src/populate.test.ts

@@ -196,4 +196,74 @@ describe("getOpenApiSpecForModel edge cases", () => {
     });
     expect(result.properties).toBeDefined();
   });
+
+  it("uses openApiComponent $ref when provided", () => {
+    const result = getOpenApiSpecForModel(FoodModel, {
+      populatePaths: [{openApiComponent: "UserComponent", path: "ownerId"}],
+    });
+    expect(result.properties.ownerId).toEqual({
+      $ref: "#/components/schemas/UserComponent",
+    });
+  });
+
+  it("populates array ref fields (eatenBy)", () => {
+    const result = getOpenApiSpecForModel(FoodModel, {
+      populatePaths: [{path: "eatenBy"}],
+    });
+    expect(result.properties.eatenBy).toBeDefined();
+    expect((result.properties.eatenBy as any).items).toBeDefined();
+  });
+
+  it("populates nested ref in sub-schema (likesIds.userId)", () => {
+    const result = getOpenApiSpecForModel(FoodModel, {
+      populatePaths: [{path: "likesIds.userId"}],
+    });
+    expect(result.properties.likesIds).toBeDefined();
+  });
+
+  it("includes virtuals from model schema", () => {
+    const result = getOpenApiSpecForModel(FoodModel);
+    expect(result.properties.description).toBeDefined();
+    expect((result.properties.description as any).type).toBe("any");
+  });
+
+  it("includes virtuals from child schemas", () => {
+    const childSub = new Schema({amount: {description: "Amount", type: Number}});
+    childSub.virtual("displayAmount").get(function () {
+      return `${this.amount} units`;
+    });
+    const parentSchema = new Schema({
+      detail: {description: "Single embedded detail", type: childSub},
+      title: {description: "Title", type: String},
+    });
+    const ParentModel =
+      mongoose.models.ParentWithChildVirtual ||
+      mongoose.model("ParentWithChildVirtual", parentSchema);
+    const result = getOpenApiSpecForModel(ParentModel);
+    const detail = result.properties.detail as any;
+    expect(detail.properties.displayAmount).toBeDefined();
+    expect(detail.properties.displayAmount.type).toBe("any");
+  });
+});
+
+describe("filterKeys (via getOpenApiSpecForModel populatePaths)", () => {
+  it("filters populated fields using dot-notation keys", () => {
+    const result = getOpenApiSpecForModel(FoodModel, {
+      populatePaths: [{fields: ["name.nested"], path: "ownerId"}],
+    });
+    const ownerProps = (result.properties.ownerId as any).properties;
+    expect(ownerProps.name).toBeDefined();
+    expect(typeof ownerProps.name).toBe("object");
+  });
+
+  it("rejects prototype pollution keys in nested dot-notation", () => {
+    const result = getOpenApiSpecForModel(FoodModel, {
+      populatePaths: [{fields: ["__proto__.polluted"], path: "ownerId"}],
+    });
+    expect(result.properties).toBeDefined();
+    expect((Object.prototype as any).polluted).toBeUndefined();
+    const ownerProps = (result.properties.ownerId as any).properties;
+    expect(ownerProps).toBeDefined();
+    expect(Object.keys(ownerProps)).not.toContain("__proto__");
+  });
 });