@terreno/api 0.12.2 → 0.13.1

package/dist/populate.test.js

@@ -92,6 +92,7 @@ var tests_1 = require("./tests");
 (0, bun_test_1.describe)("populate functions", function () {
     var admin;
     var notAdmin;
+    // noExplicitAny: typing as HydratedDocument<Food> causes cascading errors on populated field access patterns (e.g. populated.ownerId.name)
     var spinach;
     (0, bun_test_1.beforeEach)(function () { return __awaiter(void 0, void 0, void 0, function () {
         var _a, _b;
@@ -228,7 +229,9 @@ var tests_1 = require("./tests");
     });
     (0, bun_test_1.it)("replaces Mixed fields with only description", function () {
         var schema = new mongoose_1.Schema({ data: { description: "any data", type: mongoose_1.Schema.Types.Mixed } });
-        var properties = { data: { description: "any data", type: "object" } };
+        var properties = {
+            data: { description: "any data", type: "object" },
+        };
         (0, populate_1.fixMixedFields)(schema, properties);
         (0, bun_test_1.expect)(properties.data).toEqual({ description: "any data" });
     });
@@ -338,6 +341,7 @@ var tests_1 = require("./tests");
             populatePaths: [{ fields: ["__proto__.polluted"], path: "ownerId" }],
         });
         (0, bun_test_1.expect)(result.properties).toBeDefined();
+        // noExplicitAny: testing that prototype pollution did not add a 'polluted' property to Object.prototype
         (0, bun_test_1.expect)(Object.prototype.polluted).toBeUndefined();
         var ownerProps = result.properties.ownerId.properties;
         (0, bun_test_1.expect)(ownerProps).toBeDefined();

package/dist/scriptRunner.js

@@ -102,7 +102,7 @@ var progressSchema = new mongoose_1.Schema({
     message: { description: "Human-readable progress message", type: String },
     percentage: { description: "Progress percentage from 0 to 100", max: 100, min: 0, type: Number },
     stage: { description: "Current stage of the task", type: String },
-}, { _id: false });
+}, { _id: false, strict: "throw" });
 var logSchema = new mongoose_1.Schema({
     level: {
         description: "Log level",
@@ -112,7 +112,7 @@ var logSchema = new mongoose_1.Schema({
     },
     message: { description: "Log message", required: true, type: String },
     timestamp: { description: "When this log entry was created", required: true, type: Date },
-}, { _id: false });
+}, { _id: false, strict: "throw" });
 var backgroundTaskSchema = new mongoose_1.Schema({
     completedAt: {
         description: "When the task completed (success or failure)",

package/dist/secretProviders.js

@@ -168,7 +168,10 @@ var GcpSecretProvider = /** @class */ (function () {
                     case 4:
                         SecretManagerServiceClient = (_b = mod.SecretManagerServiceClient) !== null && _b !== void 0 ? _b : (_c = mod.default) === null || _c === void 0 ? void 0 : _c.SecretManagerServiceClient;
                         if (!SecretManagerServiceClient) {
-                            throw new Error("SecretManagerServiceClient not found in @google-cloud/secret-manager module");
+                            throw new errors_1.APIError({
+                                status: 500,
+                                title: "SecretManagerServiceClient not found in @google-cloud/secret-manager module",
+                            });
                         }
                         this.client = new SecretManagerServiceClient();
                         _d.label = 5;

package/dist/tests.js

@@ -156,6 +156,7 @@ var foodSchema = new mongoose_1.Schema({
             type: mongoose_1.Schema.Types.ObjectId,
         },
     ],
+    // noExplicitAny: DateOnly is a custom SchemaType not recognized by Mongoose's built-in type definitions
     expiration: { description: "Expiration date of the food", type: plugins_1.DateOnly },
     hidden: {
         default: false,

package/dist/utils.js

@@ -82,6 +82,7 @@ var __values = (this && this.__values) || function(o) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.checkModelsStrict = exports.timeout = exports.isValidObjectId = void 0;
 var mongoose_1 = __importStar(require("mongoose"));
+var errors_1 = require("./errors");
 var logger_1 = require("./logger");
 // A better version of mongoose's ObjectId.isValid,
 // which falsely will say any 12 character string is valid.
@@ -119,16 +120,25 @@ var checkModelsStrict = function (ignoredModels) {
             var model = models_1_1.value;
             var schema = mongoose_1.default.model(model).schema;
             if (((_b = schema.get("toObject")) === null || _b === void 0 ? void 0 : _b.virtuals) !== true) {
-                throw new Error("Model ".concat(model, " toObject.virtuals not set to true"));
+                throw new errors_1.APIError({
+                    status: 500,
+                    title: "Model ".concat(model, " toObject.virtuals not set to true"),
+                });
             }
             if (((_c = schema.get("toJSON")) === null || _c === void 0 ? void 0 : _c.virtuals) !== true) {
-                throw new Error("Model ".concat(model, " toJSON.virtuals not set to true"));
+                throw new errors_1.APIError({
+                    status: 500,
+                    title: "Model ".concat(model, " toJSON.virtuals not set to true"),
+                });
             }
             if (ignoredModels.includes(model)) {
                 continue;
             }
             if (schema.get("strict") !== "throw") {
-                throw new Error("Model ".concat(model, " is not set to strict mode."));
+                throw new errors_1.APIError({
+                    status: 500,
+                    title: "Model ".concat(model, " is not set to strict mode."),
+                });
             }
         }
     }

package/package.json

@@ -104,5 +104,5 @@
     "updateSnapshot": "bun test --update-snapshots"
   },
   "types": "dist/index.d.ts",
-  "version": "0.12.2"
+  "version": "0.13.1"
 }

package/src/configurationPlugin.ts

@@ -139,7 +139,13 @@ export const configurationPlugin = (schema: Schema, options?: ConfigurationPlugi
   // Add a sentinel field with a unique index to enforce singleton at the DB level.
   // All config documents get _singleton: "config", and the unique index prevents duplicates.
   schema.add({
-    _singleton: {default: "config", immutable: true, select: false, type: String},
+    _singleton: {
+      default: "config",
+      description: "Sentinel field enforcing singleton constraint",
+      immutable: true,
+      select: false,
+      type: String,
+    },
   });
   schema.index({_singleton: 1}, {unique: true});
 

package/src/consentApp.ts

@@ -6,7 +6,7 @@
  * endpoints for fetching pending consents and submitting responses.
  */
 
-import type express from "express";
+import {type Application, Router} from "express";
 import {DateTime} from "luxon";
 import {asyncHandler, modelRouter} from "./api";
 import type {User} from "./auth";
@@ -47,7 +47,7 @@ export class ConsentApp implements TerrenoPlugin {
     this.options = options;
   }
 
-  register(app: express.Application): void {
+  register(app: Application): void {
     const {auditTrail, resolveConsentForms, aiConfig} = this.options;
 
     // Admin CRUD for consent forms
@@ -192,7 +192,7 @@ export class ConsentApp implements TerrenoPlugin {
     );
 
     // User-facing consent endpoints
-    const router = require("express").Router() as express.Router;
+    const router = Router();
 
     // GET /consents/pending - fetch pending consent forms for the current user
     router.get(

package/src/githubAuth.test.ts

@@ -6,11 +6,48 @@ import passportLocalMongoose from "passport-local-mongoose";
 import supertest from "supertest";
 import type TestAgent from "supertest/lib/agent";
 
+import {generateTokens, type UserModel} from "./auth";
 import {setupServer} from "./expressServer";
 import {type GitHubUserFields, githubUserPlugin, setupGitHubAuth} from "./githubAuth";
 import {logger} from "./logger";
 import {createdUpdatedPlugin, isDisabledPlugin} from "./plugins";
 
+interface FakeStrategyOutcome {
+  type: "success" | "redirect" | "fail";
+  user?: unknown;
+  url?: string;
+  challenge?: {message: string};
+}
+
+let fakeGithubOutcome: FakeStrategyOutcome = {type: "redirect", url: "http://github.com/mock"};
+
+interface FakePassportStrategy {
+  name: string;
+  success: (user: unknown) => void;
+  fail: (challenge: {message: string}) => void;
+  redirect: (url: string) => void;
+  error: (err: Error) => void;
+  authenticate: (req: express.Request) => void;
+}
+
+const installFakeGithubStrategy = (): void => {
+  const strategy: Pick<FakePassportStrategy, "name" | "authenticate"> = {
+    authenticate(this: FakePassportStrategy): void {
+      if (fakeGithubOutcome.type === "success") {
+        this.success(fakeGithubOutcome.user);
+        return;
+      }
+      if (fakeGithubOutcome.type === "fail") {
+        this.fail(fakeGithubOutcome.challenge ?? {message: "auth failed"});
+        return;
+      }
+      this.redirect(fakeGithubOutcome.url ?? "http://github.com/mock");
+    },
+    name: "github",
+  };
+  passport.use("github", strategy as unknown as passport.Strategy);
+};
+
 interface TestUser extends GitHubUserFields {
   admin: boolean;
   name?: string;
@@ -19,6 +56,13 @@ interface TestUser extends GitHubUserFields {
   disabled?: boolean;
 }
 
+interface PasswordedDocument {
+  setPassword: (password: string) => Promise<unknown>;
+  save: () => Promise<unknown>;
+  hash?: string;
+  salt?: string;
+}
+
 // Create schema for GitHub-enabled user
 const testUserSchema = new Schema<TestUser>({
   admin: {default: false, description: "Whether the user has admin privileges", type: Boolean},
@@ -527,3 +571,286 @@ describe("addGitHubAuthRoutes link endpoints", () => {
     expect((updatedUser as any).githubProfileUrl).toBeUndefined();
   });
 });
+
+describe("GitHub callback handler (fake strategy)", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+
+    function addRoutes(router: express.Router): void {
+      router.get("/test", (_req, res) => res.json({ok: true}));
+    }
+
+    app = setupServer({
+      addMiddleware: (a) => {
+        // The handler reads (req as unknown as {session?: {returnTo?: string}}).session?.returnTo.
+        // setupServer does not install express-session, so prime a fake session from a request
+        // header for tests.
+        a.use((req, _res, next) => {
+          const headerReturnTo = req.headers["x-mock-return-to"];
+          if (typeof headerReturnTo === "string") {
+            (req as unknown as {session: {returnTo: string}}).session = {returnTo: headerReturnTo};
+          }
+          next();
+        });
+      },
+      addRoutes,
+      githubAuth: {
+        allowAccountLinking: true,
+        callbackURL: "http://localhost:9000/auth/github/callback",
+        clientId: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      skipListen: true,
+      userModel: GitHubTestUserModel as unknown as UserModel,
+    });
+    // Swap the github strategy with our fake after setupServer registered it.
+    installFakeGithubStrategy();
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+    fakeGithubOutcome = {type: "redirect", url: "http://github.com/mock"};
+  });
+
+  it("GET /auth/github/callback returns JSON tokens on success", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "cb@example.com",
+      githubId: "cb-gh-1",
+      name: "CB User",
+    } as unknown as TestUser);
+
+    fakeGithubOutcome = {type: "success", user};
+
+    const res = await agent.get("/auth/github/callback").expect(200);
+    expect(res.body.data.token).toBeDefined();
+    expect(res.body.data.refreshToken).toBeDefined();
+    expect(res.body.data.userId).toBeDefined();
+  });
+
+  it("GET /auth/github/callback redirects to returnTo with tokens when session.returnTo is set", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "cb2@example.com",
+      githubId: "cb-gh-2",
+      name: "CB User 2",
+    } as unknown as TestUser);
+
+    fakeGithubOutcome = {type: "success", user};
+    const res = await agent
+      .get("/auth/github/callback")
+      .set("x-mock-return-to", "https://example.com/cb")
+      .expect(302);
+    expect(res.headers.location).toContain("https://example.com/cb");
+    expect(res.headers.location).toContain("token=");
+    expect(res.headers.location).toContain("refreshToken=");
+    expect(res.headers.location).toContain("userId=");
+  });
+
+  it("GET /auth/github/callback redirects on failure", async () => {
+    fakeGithubOutcome = {challenge: {message: "denied"}, type: "fail"};
+    const res = await agent.get("/auth/github/callback").expect(302);
+    expect(res.headers.location).toContain("/auth/github/failure");
+  });
+
+  it("GET /auth/github/callback returns 500 when token generation fails", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "cb3@example.com",
+      githubId: "cb-gh-3",
+      name: "CB User 3",
+    } as unknown as TestUser);
+
+    fakeGithubOutcome = {type: "success", user};
+
+    const savedSecret = process.env.TOKEN_SECRET;
+    process.env.TOKEN_SECRET = "";
+    try {
+      const res = await agent.get("/auth/github/callback").expect(500);
+      expect(res.body.message).toBe("Authentication failed");
+    } finally {
+      process.env.TOKEN_SECRET = savedSecret;
+    }
+  });
+});
+
+describe("GET /auth/github/link with JWT (fake strategy)", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+
+    function addRoutes(router: express.Router): void {
+      router.get("/test", (_req, res) => res.json({ok: true}));
+    }
+
+    app = setupServer({
+      addRoutes,
+      githubAuth: {
+        allowAccountLinking: true,
+        callbackURL: "http://localhost:9000/auth/github/callback",
+        clientId: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      skipListen: true,
+      userModel: GitHubTestUserModel as unknown as UserModel,
+    });
+    installFakeGithubStrategy();
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+    fakeGithubOutcome = {type: "redirect", url: "http://github.com/mock"};
+  });
+
+  it("GET /auth/github/link forwards to GitHub auth when JWT is valid", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "linkjwt@example.com",
+      name: "Link JWT User",
+    } as unknown as TestUser);
+    await (user as unknown as PasswordedDocument).setPassword("password123");
+    await user.save();
+
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "linkjwt@example.com", password: "password123"})
+      .expect(200);
+
+    fakeGithubOutcome = {type: "redirect", url: "http://github.com/auth"};
+    const res = await agent
+      .get("/auth/github/link")
+      .set("authorization", `Bearer ${loginRes.body.data.token}`)
+      .expect(302);
+    expect(res.headers.location).toBe("http://github.com/auth");
+  });
+});
+
+describe("DELETE /auth/github/unlink edge cases", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+
+    function addRoutes(router: express.Router): void {
+      router.get("/test", (_req, res) => res.json({ok: true}));
+    }
+
+    app = setupServer({
+      addRoutes,
+      githubAuth: {
+        allowAccountLinking: true,
+        callbackURL: "http://localhost:9000/auth/github/callback",
+        clientId: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      skipListen: true,
+      userModel: GitHubTestUserModel as unknown as UserModel,
+    });
+    installFakeGithubStrategy();
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+  });
+
+  it("returns 400 when user has no password (no other auth method)", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "ghonly@example.com",
+      githubId: "ghonly-1",
+      githubUsername: "ghonly",
+    } as unknown as TestUser);
+
+    const {token} = await generateTokens({_id: (user as unknown as {_id: unknown})._id});
+
+    const res = await agent
+      .delete("/auth/github/unlink")
+      .set("authorization", `Bearer ${token}`)
+      .expect(400);
+    expect(res.body.message).toContain("Cannot unlink GitHub account");
+  });
+
+  it("returns 500 when save throws during unlink", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "savefail@example.com",
+      githubId: "savefail-1",
+    } as unknown as TestUser);
+    await (user as unknown as PasswordedDocument).setPassword("password123");
+    await user.save();
+
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "savefail@example.com", password: "password123"})
+      .expect(200);
+
+    interface MockableFindById {
+      findById: (id: unknown) => {
+        select: (fields: string) => Promise<PasswordedDocument | null>;
+      };
+    }
+    const mockableModel = GitHubTestUserModel as unknown as MockableFindById;
+    const originalFindById = mockableModel.findById;
+    mockableModel.findById = () => ({
+      select: async () => ({
+        hash: "x",
+        salt: "y",
+        save: async () => {
+          throw new Error("boom");
+        },
+        setPassword: async () => undefined,
+      }),
+    });
+    try {
+      const res = await agent
+        .delete("/auth/github/unlink")
+        .set("authorization", `Bearer ${loginRes.body.data.token}`)
+        .expect(500);
+      expect(res.body.message).toBe("Failed to unlink GitHub account");
+    } finally {
+      mockableModel.findById = originalFindById;
+    }
+  });
+});
+
+describe("GitHub strategy verify callback edge cases", () => {
+  const testApp = {get: () => {}, use: () => {}} as unknown as express.Application;
+
+  beforeEach(async () => {
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+  });
+
+  it("returns 404 when linking a user whose record disappears", async () => {
+    const existingUser = await GitHubTestUserModel.create({
+      email: "gone@example.com",
+    } as unknown as TestUser);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as unknown as UserModel, {
+      allowAccountLinking: true,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    // Delete user before verify runs to hit the 404 path.
+    await GitHubTestUserModel.deleteOne({_id: (existingUser as unknown as {_id: unknown})._id});
+
+    const req = {user: existingUser};
+    const result = await invokeGitHubVerify(req, "access", "refresh", {
+      id: "gh-missing-1",
+      username: "missing",
+    });
+    expect(result.err).toBeDefined();
+    expect(result.err?.status).toBe(404);
+  });
+});

package/src/models/consentForm.ts

@@ -2,6 +2,15 @@ import mongoose from "mongoose";
 import {createdUpdatedPlugin, findExactlyOne, findOneOrNone, isDeletedPlugin} from "../plugins";
 import type {ConsentFormDocument, ConsentFormModel} from "../types/consentForm";
 
+const consentFormTypeValues = [
+  "agreement",
+  "privacy",
+  "hipaa",
+  "research",
+  "terms",
+  "custom",
+] as const;
+
 const consentFormSchema = new mongoose.Schema<ConsentFormDocument, ConsentFormModel>(
   {
     active: {
@@ -95,7 +104,7 @@ const consentFormSchema = new mongoose.Schema<ConsentFormDocument, ConsentFormMo
     },
     type: {
       description: "Category of consent form",
-      enum: ["agreement", "privacy", "hipaa", "research", "terms", "custom"],
+      enum: consentFormTypeValues,
       required: true,
       type: String,
     },

package/src/notifiers/slackNotifier.ts

@@ -7,7 +7,7 @@ import {logger} from "../logger";
 // If `url` is provided, it will be used directly instead of looking up from environment.
 // DEPRECATED: Looking up webhook URLs from the SLACK_WEBHOOKS environment variable by channel name
 // is deprecated and will be removed in a future version. Please pass the `url` parameter directly.
-export async function sendToSlack(
+export const sendToSlack = async (
   text: string,
   {
     slackChannel,
@@ -15,7 +15,7 @@ export async function sendToSlack(
     env,
     url,
   }: {slackChannel?: string; shouldThrow?: boolean; env?: string; url?: string} = {}
-) {
+) => {
   let slackWebhookUrl = url;
 
   if (!slackWebhookUrl) {
@@ -53,14 +53,15 @@ export async function sendToSlack(
     await axios.post(slackWebhookUrl, {
       text: formattedText,
     });
-  } catch (error: any) {
-    logger.error(`Error posting to slack: ${error.text ?? error.message}`);
+  } catch (error: unknown) {
+    const errorObj = error as {text?: string; message?: string};
+    logger.error(`Error posting to slack: ${errorObj.text ?? errorObj.message}`);
     Sentry.captureException(error);
     if (shouldThrow) {
       throw new APIError({
         status: 500,
-        title: `Error posting to slack: ${error.text ?? error.message}`,
+        title: `Error posting to slack: ${errorObj.text ?? errorObj.message}`,
       });
     }
   }
-}
+};

package/src/openApiEtag.ts

@@ -7,32 +7,25 @@ import type {NextFunction, Request, Response} from "express";
  * to intercept requests to /openapi.json and add conditional request support.
  */
 export const openApiEtagMiddleware = (req: Request, res: Response, next: NextFunction): void => {
-  // Only handle GET requests to /openapi.json
   if (req.method !== "GET" || req.path !== "/openapi.json") {
     next();
     return;
   }
 
-  // Store original res.json to intercept the response
   const originalJson = res.json.bind(res);
 
   res.json = (body: any) => {
-    // Generate ETag based on the JSON content
     const jsonString = JSON.stringify(body);
     const etag = `"${crypto.createHash("sha256").update(jsonString).digest("hex").substring(0, 16)}"`;
 
-    // Set ETag header
     res.set("ETag", etag);
 
-    // Check If-None-Match header for conditional requests
     const ifNoneMatch = req.get("If-None-Match");
     if (ifNoneMatch === etag) {
-      // Resource hasn't changed, return 304 Not Modified
       res.status(304).end();
       return res;
     }
 
-    // Resource has changed or no conditional header, return the content
     return originalJson(body);
   };
 

package/src/plugins.ts

@@ -85,14 +85,14 @@ export const createdUpdatedPlugin = (schema: Schema<any, any, any, any>): void =
     }
     // If we aren't specifying created, use now.
     if (!this.created) {
-      this.created = new Date();
+      this.created = DateTime.now().toJSDate();
     }
     // All writes change the updated time.
-    this.updated = new Date();
+    this.updated = DateTime.now().toJSDate();
   });
 
   schema.pre(/save|updateOne|insertMany/, function () {
-    void this.updateOne({}, {$set: {updated: new Date()}});
+    void this.updateOne({}, {$set: {updated: DateTime.now().toJSDate()}});
   });
 };
 
@@ -253,7 +253,7 @@ export interface FindExactlyOnePlugin<T> {
 }
 
 export class DateOnly extends SchemaType {
-  constructor(key: string, options: SchemaTypeOptions<any>) {
+  constructor(key: string, options: SchemaTypeOptions<Date>) {
     super(key, options, "DateOnly");
   }
 
@@ -262,6 +262,7 @@ export class DateOnly extends SchemaType {
   }
 
   $conditionalHandlers = {
+    // noExplicitAny: $conditionalHandlers is not exposed on SchemaType's prototype in Mongoose's public type definitions
     ...(SchemaType as any).prototype.$conditionalHandlers,
     $gt: this.handleSingle,
     $gte: this.handleSingle,
@@ -273,6 +274,7 @@ export class DateOnly extends SchemaType {
   // When using $gt, $gte, $lt, $lte, etc, we need to cast the value to a Date
   castForQuery($conditional, val, context): Date | undefined {
     if ($conditional == null) {
+      // noExplicitAny: applySetters is an internal Mongoose SchemaType method not in public type definitions
       return (this as any).applySetters(val, context);
     }
 
@@ -287,7 +289,7 @@ export class DateOnly extends SchemaType {
 
   // When either setting a value to a DateOnly or fetching from the DB,
   // we want to strip off the time portion.
-  cast(val: any): Date | undefined {
+  cast(val: unknown): Date | undefined {
     if (val instanceof Date) {
       const date = DateTime.fromJSDate(val).toUTC().startOf("day");
       if (!date.isValid) {
@@ -314,7 +316,7 @@ export class DateOnly extends SchemaType {
     }
     // Handle $gte, $lte, etc
     if (typeof val === "object") {
-      return val;
+      return val as Date;
     }
     throw new MongooseError.CastError(
       "DateOnly",
@@ -324,10 +326,13 @@ export class DateOnly extends SchemaType {
     );
   }
 
-  get(val: any): this {
-    return (val instanceof Date ? DateTime.fromJSDate(val).startOf("day").toJSDate() : val) as any;
+  get(val: unknown): this {
+    return (val instanceof Date
+      ? DateTime.fromJSDate(val).startOf("day").toJSDate()
+      : val) as unknown as this;
   }
 }
 
 // Register DateOnly with Mongoose's Schema.Types
+// noExplicitAny: DateOnly is a custom SchemaType not declared in Mongoose's Schema.Types interface
 (mongoose.Schema.Types as any).DateOnly = DateOnly;