@terreno/api 0.12.2 → 0.13.1

package/src/populate.test.ts

@@ -1,13 +1,14 @@
 import {beforeEach, describe, expect, it} from "bun:test";
-import mongoose, {Schema} from "mongoose";
+import mongoose, {type Document, type HydratedDocument, Schema} from "mongoose";
 
 import {fixMixedFields, getOpenApiSpecForModel, unpopulate} from "./populate";
-import {FoodModel, setupDb, UserModel} from "./tests";
+import {FoodModel, setupDb, type User, UserModel} from "./tests";
 
 describe("populate functions", () => {
-  let admin: any;
-  let notAdmin: any;
+  let admin: HydratedDocument<User>;
+  let notAdmin: HydratedDocument<User>;
 
+  // noExplicitAny: typing as HydratedDocument<Food> causes cascading errors on populated field access patterns (e.g. populated.ownerId.name)
   let spinach: any;
 
   beforeEach(async () => {
@@ -44,6 +45,7 @@ describe("populate functions", () => {
     expect(populated.likesIds[1].userId.id).toBe(notAdmin.id);
     expect(populated.likesIds[1].userId.name).toBe("Not Admin");
 
+    // noExplicitAny: unpopulate returns Document<T> which doesn't expose model properties; would require refactoring the return type
     let unpopulated: any = unpopulate(populated, "ownerId");
     expect(spinach.ownerId.name).toBeUndefined();
     expect(unpopulated.ownerId.toString()).toBe(admin.id);
@@ -68,7 +70,7 @@ describe("populate functions", () => {
 describe("unpopulate edge cases", () => {
   it("throws error when path is empty", () => {
     const doc = {name: "test"};
-    expect(() => unpopulate(doc as any, "")).toThrow("path is required");
+    expect(() => unpopulate(doc as unknown as Document<unknown>, "")).toThrow("path is required");
   });
 
   it("unpopulates single populated field", () => {
@@ -76,7 +78,9 @@ describe("unpopulate edge cases", () => {
       name: "test",
       ownerId: {_id: "owner-123", email: "owner@test.com"},
     };
-    const result = unpopulate(doc as any, "ownerId") as any;
+    const result = unpopulate(doc as unknown as Document<unknown>, "ownerId") as unknown as {
+      ownerId: string;
+    };
     expect(result.ownerId).toBe("owner-123");
   });
 
@@ -85,7 +89,9 @@ describe("unpopulate edge cases", () => {
       items: [{_id: "item-1", name: "Item 1"}, {_id: "item-2", name: "Item 2"}, "item-3"],
       name: "test",
     };
-    const result = unpopulate(doc as any, "items") as any;
+    const result = unpopulate(doc as unknown as Document<unknown>, "items") as unknown as {
+      items: string[];
+    };
     expect(result.items).toEqual(["item-1", "item-2", "item-3"]);
   });
 
@@ -99,13 +105,17 @@ describe("unpopulate edge cases", () => {
         ],
       },
     };
-    const result = unpopulate(doc as any, "nested.items") as any;
+    const result = unpopulate(doc as unknown as Document<unknown>, "nested.items") as unknown as {
+      nested: {items: string[]};
+    };
     expect(result.nested.items).toEqual(["item-1", "item-2"]);
   });
 
   it("returns original doc when path does not exist", () => {
     const doc = {name: "test"};
-    const result = unpopulate(doc as any, "nonexistent") as any;
+    const result = unpopulate(doc as unknown as Document<unknown>, "nonexistent") as unknown as {
+      name: string;
+    };
     expect(result).toEqual(doc);
   });
 
@@ -117,7 +127,10 @@ describe("unpopulate edge cases", () => {
       ],
       name: "test",
     };
-    const result = unpopulate(doc as any, "containers.items") as any;
+    const result = unpopulate(
+      doc as unknown as Document<unknown>,
+      "containers.items"
+    ) as unknown as {containers: {items: string[]}[]};
     expect(result.containers[0].items).toEqual(["item-1", "item-2"]);
     expect(result.containers[1].items).toEqual(["item-3", "item-4"]);
   });
@@ -131,12 +144,14 @@ describe("fixMixedFields", () => {
 
   it("returns early when properties is missing", () => {
     const schema = new Schema({});
-    expect(() => fixMixedFields(schema, null as any)).not.toThrow();
+    expect(() => fixMixedFields(schema, null as unknown as Record<string, unknown>)).not.toThrow();
   });
 
   it("replaces Mixed fields with only description", () => {
     const schema = new Schema({data: {description: "any data", type: Schema.Types.Mixed}});
-    const properties: any = {data: {description: "any data", type: "object"}};
+    const properties: Record<string, Record<string, unknown>> = {
+      data: {description: "any data", type: "object"},
+    };
     fixMixedFields(schema, properties);
     expect(properties.data).toEqual({description: "any data"});
   });
@@ -144,14 +159,14 @@ describe("fixMixedFields", () => {
   it("recurses into arrays of sub-documents", () => {
     const subSchema = new Schema({meta: {type: Schema.Types.Mixed}});
     const schema = new Schema({items: [subSchema]});
-    const properties: any = {
+    const properties = {
       items: {
         items: {
           properties: {
-            meta: {type: "object"},
+            meta: {type: "object"} as Record<string, unknown>,
           },
         },
-        type: "array",
+        type: "array" as const,
       },
     };
     fixMixedFields(schema, properties);
@@ -211,7 +226,7 @@ describe("getOpenApiSpecForModel edge cases", () => {
       populatePaths: [{path: "eatenBy"}],
     });
     expect(result.properties.eatenBy).toBeDefined();
-    expect((result.properties.eatenBy as any).items).toBeDefined();
+    expect((result.properties.eatenBy as Record<string, unknown>).items).toBeDefined();
   });
 
   it("populates nested ref in sub-schema (likesIds.userId)", () => {
@@ -224,7 +239,7 @@ describe("getOpenApiSpecForModel edge cases", () => {
   it("includes virtuals from model schema", () => {
     const result = getOpenApiSpecForModel(FoodModel);
     expect(result.properties.description).toBeDefined();
-    expect((result.properties.description as any).type).toBe("any");
+    expect((result.properties.description as Record<string, unknown>).type).toBe("any");
   });
 
   it("includes virtuals from child schemas", () => {
@@ -240,7 +255,10 @@ describe("getOpenApiSpecForModel edge cases", () => {
       mongoose.models.ParentWithChildVirtual ||
       mongoose.model("ParentWithChildVirtual", parentSchema);
     const result = getOpenApiSpecForModel(ParentModel);
-    const detail = result.properties.detail as any;
+    const detail = result.properties.detail as Record<
+      string,
+      Record<string, Record<string, unknown>>
+    >;
     expect(detail.properties.displayAmount).toBeDefined();
     expect(detail.properties.displayAmount.type).toBe("any");
   });
@@ -251,7 +269,10 @@ describe("filterKeys (via getOpenApiSpecForModel populatePaths)", () => {
     const result = getOpenApiSpecForModel(FoodModel, {
       populatePaths: [{fields: ["name.nested"], path: "ownerId"}],
     });
-    const ownerProps = (result.properties.ownerId as any).properties;
+    const ownerProps = (result.properties.ownerId as Record<string, unknown>).properties as Record<
+      string,
+      unknown
+    >;
     expect(ownerProps.name).toBeDefined();
     expect(typeof ownerProps.name).toBe("object");
   });
@@ -261,8 +282,12 @@ describe("filterKeys (via getOpenApiSpecForModel populatePaths)", () => {
       populatePaths: [{fields: ["__proto__.polluted"], path: "ownerId"}],
     });
     expect(result.properties).toBeDefined();
+    // noExplicitAny: testing that prototype pollution did not add a 'polluted' property to Object.prototype
     expect((Object.prototype as any).polluted).toBeUndefined();
-    const ownerProps = (result.properties.ownerId as any).properties;
+    const ownerProps = (result.properties.ownerId as Record<string, unknown>).properties as Record<
+      string,
+      unknown
+    >;
     expect(ownerProps).toBeDefined();
     expect(Object.keys(ownerProps)).not.toContain("__proto__");
   });

package/src/scriptRunner.ts

@@ -86,7 +86,7 @@ const progressSchema = new Schema(
     percentage: {description: "Progress percentage from 0 to 100", max: 100, min: 0, type: Number},
     stage: {description: "Current stage of the task", type: String},
   },
-  {_id: false}
+  {_id: false, strict: "throw"}
 );
 
 const logSchema = new Schema(
@@ -100,7 +100,7 @@ const logSchema = new Schema(
     message: {description: "Log message", required: true, type: String},
     timestamp: {description: "When this log entry was created", required: true, type: Date},
   },
-  {_id: false}
+  {_id: false, strict: "throw"}
 );
 
 const backgroundTaskSchema = new Schema<

package/src/secretProviders.ts

@@ -86,9 +86,10 @@ export class GcpSecretProvider implements SecretProvider {
       const SecretManagerServiceClient =
         mod.SecretManagerServiceClient ?? mod.default?.SecretManagerServiceClient;
       if (!SecretManagerServiceClient) {
-        throw new Error(
-          "SecretManagerServiceClient not found in @google-cloud/secret-manager module"
-        );
+        throw new APIError({
+          status: 500,
+          title: "SecretManagerServiceClient not found in @google-cloud/secret-manager module",
+        });
       }
       this.client = new SecretManagerServiceClient();
     }

package/src/tests.ts

@@ -1,6 +1,6 @@
 import express, {type Express} from "express";
 import mongoose, {type Model, model, Schema} from "mongoose";
-import passportLocalMongoose from "passport-local-mongoose";
+import passportLocalMongoose, {type PassportLocalMongooseDocument} from "passport-local-mongoose";
 import qs from "qs";
 import supertest from "supertest";
 import type TestAgent from "supertest/lib/agent";
@@ -62,19 +62,22 @@ const userSchema = new Schema<User>({
   username: {description: "The user's username", type: String},
 });
 
-userSchema.plugin(passportLocalMongoose as any, {
-  attemptsField: "attempts",
-  interval: process.env.NODE_ENV === "test" ? 1 : 100,
-  limitAttempts: true,
-  maxAttempts: 3,
-  maxInterval: process.env.NODE_ENV === "test" ? 1 : 300000,
-  usernameCaseInsensitive: true,
-  usernameField: "email",
-});
+userSchema.plugin(
+  passportLocalMongoose as unknown as (schema: Schema, options?: Record<string, unknown>) => void,
+  {
+    attemptsField: "attempts",
+    interval: process.env.NODE_ENV === "test" ? 1 : 100,
+    limitAttempts: true,
+    maxAttempts: 3,
+    maxInterval: process.env.NODE_ENV === "test" ? 1 : 300000,
+    usernameCaseInsensitive: true,
+    usernameField: "email",
+  }
+);
 // userSchema.plugin(tokenPlugin);
 userSchema.plugin(createdUpdatedPlugin);
 userSchema.plugin(isDisabledPlugin);
-userSchema.methods.postCreate = async function (body: any) {
+userSchema.methods.postCreate = async function (body: {age?: number}) {
   this.age = body.age;
   return this.save();
 };
@@ -121,6 +124,7 @@ const foodSchema = new Schema<Food>(
         type: Schema.Types.ObjectId,
       },
     ],
+    // noExplicitAny: DateOnly is a custom SchemaType not recognized by Mongoose's built-in type definitions
     expiration: {description: "Expiration date of the food", type: DateOnly as any},
     hidden: {
       default: false,
@@ -221,13 +225,13 @@ export const setupDb = async () => {
       UserModel.create({admin: true, email: "admin@example.com", name: "Admin"}),
       UserModel.create({admin: true, email: "admin+other@example.com", name: "Admin Other"}),
     ]);
-    await (notAdmin as any).setPassword("password");
+    await (notAdmin as unknown as PassportLocalMongooseDocument).setPassword("password");
     await notAdmin.save();
 
-    await (admin as any).setPassword("securePassword");
+    await (admin as unknown as PassportLocalMongooseDocument).setPassword("securePassword");
     await admin.save();
 
-    await (adminOther as any).setPassword("otherPassword");
+    await (adminOther as unknown as PassportLocalMongooseDocument).setPassword("otherPassword");
 
     await adminOther.save();
 

package/src/utils.ts

@@ -1,5 +1,6 @@
 import mongoose, {Types} from "mongoose";
 
+import {APIError} from "./errors";
 import {logger} from "./logger";
 
 // A better version of mongoose's ObjectId.isValid,
@@ -31,17 +32,26 @@ export const checkModelsStrict = (ignoredModels: string[] = []): void => {
     const schema = mongoose.model(model).schema;
 
     if (schema.get("toObject")?.virtuals !== true) {
-      throw new Error(`Model ${model} toObject.virtuals not set to true`);
+      throw new APIError({
+        status: 500,
+        title: `Model ${model} toObject.virtuals not set to true`,
+      });
     }
     if (schema.get("toJSON")?.virtuals !== true) {
-      throw new Error(`Model ${model} toJSON.virtuals not set to true`);
+      throw new APIError({
+        status: 500,
+        title: `Model ${model} toJSON.virtuals not set to true`,
+      });
     }
 
     if (ignoredModels.includes(model)) {
       continue;
     }
     if (schema.get("strict") !== "throw") {
-      throw new Error(`Model ${model} is not set to strict mode.`);
+      throw new APIError({
+        status: 500,
+        title: `Model ${model} is not set to strict mode.`,
+      });
     }
   }
 };