@terreno/api 0.13.0 → 0.13.2

package/dist/plugins.js

@@ -154,13 +154,13 @@ var createdUpdatedPlugin = function (schema) {
         }
         // If we aren't specifying created, use now.
         if (!this.created) {
-            this.created = new Date();
+            this.created = luxon_1.DateTime.now().toJSDate();
         }
         // All writes change the updated time.
-        this.updated = new Date();
+        this.updated = luxon_1.DateTime.now().toJSDate();
     });
     schema.pre(/save|updateOne|insertMany/, function () {
-        void this.updateOne({}, { $set: { updated: new Date() } });
+        void this.updateOne({}, { $set: { updated: luxon_1.DateTime.now().toJSDate() } });
     });
 };
 exports.createdUpdatedPlugin = createdUpdatedPlugin;
@@ -313,6 +313,7 @@ var DateOnly = /** @class */ (function (_super) {
     // When using $gt, $gte, $lt, $lte, etc, we need to cast the value to a Date
     DateOnly.prototype.castForQuery = function ($conditional, val, context) {
         if ($conditional == null) {
+            // noExplicitAny: applySetters is an internal Mongoose SchemaType method not in public type definitions
             return this.applySetters(val, context);
         }
         var handler = this.$conditionalHandlers[$conditional];
@@ -345,10 +346,13 @@ var DateOnly = /** @class */ (function (_super) {
         throw new mongoose_1.Error.CastError("DateOnly", val, this.path, new Error("Value is not a valid date"));
     };
     DateOnly.prototype.get = function (val) {
-        return (val instanceof Date ? luxon_1.DateTime.fromJSDate(val).startOf("day").toJSDate() : val);
+        return (val instanceof Date
+            ? luxon_1.DateTime.fromJSDate(val).startOf("day").toJSDate()
+            : val);
     };
     return DateOnly;
 }(mongoose_1.SchemaType));
 exports.DateOnly = DateOnly;
 // Register DateOnly with Mongoose's Schema.Types
+// noExplicitAny: DateOnly is a custom SchemaType not declared in Mongoose's Schema.Types interface
 mongoose_1.default.Schema.Types.DateOnly = DateOnly;

package/dist/populate.test.js

@@ -92,6 +92,7 @@ var tests_1 = require("./tests");
 (0, bun_test_1.describe)("populate functions", function () {
     var admin;
     var notAdmin;
+    // noExplicitAny: typing as HydratedDocument<Food> causes cascading errors on populated field access patterns (e.g. populated.ownerId.name)
     var spinach;
     (0, bun_test_1.beforeEach)(function () { return __awaiter(void 0, void 0, void 0, function () {
         var _a, _b;
@@ -228,7 +229,9 @@ var tests_1 = require("./tests");
     });
     (0, bun_test_1.it)("replaces Mixed fields with only description", function () {
         var schema = new mongoose_1.Schema({ data: { description: "any data", type: mongoose_1.Schema.Types.Mixed } });
-        var properties = { data: { description: "any data", type: "object" } };
+        var properties = {
+            data: { description: "any data", type: "object" },
+        };
         (0, populate_1.fixMixedFields)(schema, properties);
         (0, bun_test_1.expect)(properties.data).toEqual({ description: "any data" });
     });
@@ -338,6 +341,7 @@ var tests_1 = require("./tests");
             populatePaths: [{ fields: ["__proto__.polluted"], path: "ownerId" }],
         });
         (0, bun_test_1.expect)(result.properties).toBeDefined();
+        // noExplicitAny: testing that prototype pollution did not add a 'polluted' property to Object.prototype
         (0, bun_test_1.expect)(Object.prototype.polluted).toBeUndefined();
         var ownerProps = result.properties.ownerId.properties;
         (0, bun_test_1.expect)(ownerProps).toBeDefined();

package/dist/secretProviders.js

@@ -168,7 +168,10 @@ var GcpSecretProvider = /** @class */ (function () {
                     case 4:
                         SecretManagerServiceClient = (_b = mod.SecretManagerServiceClient) !== null && _b !== void 0 ? _b : (_c = mod.default) === null || _c === void 0 ? void 0 : _c.SecretManagerServiceClient;
                         if (!SecretManagerServiceClient) {
-                            throw new Error("SecretManagerServiceClient not found in @google-cloud/secret-manager module");
+                            throw new errors_1.APIError({
+                                status: 500,
+                                title: "SecretManagerServiceClient not found in @google-cloud/secret-manager module",
+                            });
                         }
                         this.client = new SecretManagerServiceClient();
                         _d.label = 5;

package/dist/tests.js

@@ -156,6 +156,7 @@ var foodSchema = new mongoose_1.Schema({
             type: mongoose_1.Schema.Types.ObjectId,
         },
     ],
+    // noExplicitAny: DateOnly is a custom SchemaType not recognized by Mongoose's built-in type definitions
     expiration: { description: "Expiration date of the food", type: plugins_1.DateOnly },
     hidden: {
         default: false,

package/dist/transformers.d.ts

@@ -6,7 +6,7 @@ export interface TerrenoTransformer<T> {
     transform?: (obj: Partial<T>, method: "create" | "update", user?: User) => Partial<T> | undefined;
     serialize?: (obj: T, user?: User) => Partial<T> | undefined;
 }
-export declare function AdminOwnerTransformer<T>(options: {
+export declare const AdminOwnerTransformer: <T>(options: {
     anonReadFields?: string[];
     authReadFields?: string[];
     ownerReadFields?: string[];
@@ -15,11 +15,11 @@ export declare function AdminOwnerTransformer<T>(options: {
     authWriteFields?: string[];
     ownerWriteFields?: string[];
     adminWriteFields?: string[];
-}): TerrenoTransformer<T>;
-export declare function transform<T>(options: ModelRouterOptions<T>, data: Partial<T> | Partial<T>[], method: "create" | "update", user?: User): Partial<T> | (Partial<T> | undefined)[] | undefined;
-export declare function serialize<T>(req: express.Request, options: ModelRouterOptions<T>, data: (Document<any, any, any> & T) | (Document<any, any, any> & T)[]): Partial<T> | (Partial<T> | undefined)[] | undefined;
+}) => TerrenoTransformer<T>;
+export declare const transform: <T>(options: ModelRouterOptions<T>, data: Partial<T> | Partial<T>[], method: "create" | "update", user?: User) => Partial<T> | (Partial<T> | undefined)[] | undefined;
+export declare const serialize: <T>(req: express.Request, options: ModelRouterOptions<T>, data: (Document & T) | (Document & T)[]) => Partial<T> | (Partial<T> | undefined)[] | undefined;
 /**
  * Default response handler for modelRouter. Calls toObject on each doc and returns the result,
  * using transformers.serializer if provided.
  */
-export declare function defaultResponseHandler<T>(doc: (Document<any, any, any> & T) | (Document<any, any, any> & T)[] | null, method: "list" | "create" | "read" | "update", request: express.Request, options: ModelRouterOptions<T>): Promise<Partial<T> | (Partial<T> | undefined)[] | null | undefined>;
+export declare const defaultResponseHandler: <T>(doc: (Document & T) | (Document & T)[] | null, method: "list" | "create" | "read" | "update", request: express.Request, options: ModelRouterOptions<T>) => Promise<Partial<T> | (Partial<T> | undefined)[] | null | undefined>;

package/dist/transformers.js

@@ -72,13 +72,10 @@ var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
     return to.concat(ar || Array.prototype.slice.call(from));
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AdminOwnerTransformer = AdminOwnerTransformer;
-exports.transform = transform;
-exports.serialize = serialize;
-exports.defaultResponseHandler = defaultResponseHandler;
+exports.defaultResponseHandler = exports.serialize = exports.transform = exports.AdminOwnerTransformer = void 0;
 var errors_1 = require("./errors");
 var logger_1 = require("./logger");
-function getUserType(user, obj) {
+var getUserType = function (user, obj) {
     if (user === null || user === void 0 ? void 0 : user.admin) {
         return "admin";
     }
@@ -89,9 +86,9 @@ function getUserType(user, obj) {
         return "auth";
     }
     return "anon";
-}
-function AdminOwnerTransformer(options) {
-    function pickFields(obj, fields) {
+};
+var AdminOwnerTransformer = function (options) {
+    var pickFields = function (obj, fields) {
         var e_1, _a;
         var newData = {};
         try {
@@ -110,7 +107,7 @@ function AdminOwnerTransformer(options) {
             finally { if (e_1) throw e_1.error; }
         }
         return newData;
-    }
+    };
     return {
         serialize: function (obj, user) {
             var _a, _b, _c, _d;
@@ -126,7 +123,6 @@ function AdminOwnerTransformer(options) {
             }
             return pickFields(obj, __spreadArray(__spreadArray([], __read(((_d = options.anonReadFields) !== null && _d !== void 0 ? _d : [])), false), ["id"], false));
         },
-        // TODO: Migrate AdminOwnerTransform to use pre-hooks.
         transform: function (obj, _method, user) {
             var _a, _b, _c, _d;
             var userType = getUserType(user, obj);
@@ -145,13 +141,17 @@ function AdminOwnerTransformer(options) {
             }
             var unallowedFields = Object.keys(obj).filter(function (k) { return !allowedFields.includes(k); });
             if (unallowedFields.length) {
-                throw new Error("User of type ".concat(userType, " cannot write fields: ").concat(unallowedFields.join(", ")));
+                throw new errors_1.APIError({
+                    status: 403,
+                    title: "User of type ".concat(userType, " cannot write fields: ").concat(unallowedFields.join(", ")),
+                });
             }
             return obj;
         },
     };
-}
-function transform(options, data, method, user) {
+};
+exports.AdminOwnerTransformer = AdminOwnerTransformer;
+var transform = function (options, data, method, user) {
     var _a, _b;
     if (!((_a = options.transformer) === null || _a === void 0 ? void 0 : _a.transform)) {
         return data;
@@ -163,8 +163,9 @@ function transform(options, data, method, user) {
         return transformFn(data, method, user);
     }
     return data.map(function (d) { return transformFn(d, method, user); });
-}
-function serialize(req, options, data) {
+};
+exports.transform = transform;
+var serialize = function (req, options, data) {
     var _a;
     var serializeFn = function (serializeData, serializeUser) {
         var _a, _b;
@@ -190,30 +191,30 @@ function serialize(req, options, data) {
         return serializeFn(data, req.user);
     }
     return data.map(function (d) { return serializeFn(d, req.user); });
-}
+};
+exports.serialize = serialize;
 /**
  * Default response handler for modelRouter. Calls toObject on each doc and returns the result,
  * using transformers.serializer if provided.
  */
-function defaultResponseHandler(doc, method, request, options) {
-    return __awaiter(this, void 0, void 0, function () {
-        var errorObj;
-        return __generator(this, function (_a) {
-            if (!doc) {
-                return [2 /*return*/, null];
-            }
-            try {
-                return [2 /*return*/, serialize(request, options, doc)];
-            }
-            catch (error) {
-                errorObj = error;
-                throw new errors_1.APIError({
-                    error: errorObj,
-                    status: 400,
-                    title: "Error serializing ".concat(method, " response: ").concat(errorObj.message),
-                });
-            }
-            return [2 /*return*/];
-        });
+var defaultResponseHandler = function (doc, method, request, options) { return __awaiter(void 0, void 0, void 0, function () {
+    var errorObj;
+    return __generator(this, function (_a) {
+        if (!doc) {
+            return [2 /*return*/, null];
+        }
+        try {
+            return [2 /*return*/, (0, exports.serialize)(request, options, doc)];
+        }
+        catch (error) {
+            errorObj = error;
+            throw new errors_1.APIError({
+                error: errorObj,
+                status: 400,
+                title: "Error serializing ".concat(method, " response: ").concat(errorObj.message),
+            });
+        }
+        return [2 /*return*/];
     });
-}
+}); };
+exports.defaultResponseHandler = defaultResponseHandler;

package/dist/utils.js

@@ -82,6 +82,7 @@ var __values = (this && this.__values) || function(o) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.checkModelsStrict = exports.timeout = exports.isValidObjectId = void 0;
 var mongoose_1 = __importStar(require("mongoose"));
+var errors_1 = require("./errors");
 var logger_1 = require("./logger");
 // A better version of mongoose's ObjectId.isValid,
 // which falsely will say any 12 character string is valid.
@@ -119,16 +120,25 @@ var checkModelsStrict = function (ignoredModels) {
             var model = models_1_1.value;
             var schema = mongoose_1.default.model(model).schema;
             if (((_b = schema.get("toObject")) === null || _b === void 0 ? void 0 : _b.virtuals) !== true) {
-                throw new Error("Model ".concat(model, " toObject.virtuals not set to true"));
+                throw new errors_1.APIError({
+                    status: 500,
+                    title: "Model ".concat(model, " toObject.virtuals not set to true"),
+                });
             }
             if (((_c = schema.get("toJSON")) === null || _c === void 0 ? void 0 : _c.virtuals) !== true) {
-                throw new Error("Model ".concat(model, " toJSON.virtuals not set to true"));
+                throw new errors_1.APIError({
+                    status: 500,
+                    title: "Model ".concat(model, " toJSON.virtuals not set to true"),
+                });
             }
             if (ignoredModels.includes(model)) {
                 continue;
             }
             if (schema.get("strict") !== "throw") {
-                throw new Error("Model ".concat(model, " is not set to strict mode."));
+                throw new errors_1.APIError({
+                    status: 500,
+                    title: "Model ".concat(model, " is not set to strict mode."),
+                });
             }
         }
     }

package/package.json

@@ -104,5 +104,5 @@
     "updateSnapshot": "bun test --update-snapshots"
   },
   "types": "dist/index.d.ts",
-  "version": "0.13.0"
+  "version": "0.13.2"
 }

package/src/api.test.ts

@@ -576,7 +576,7 @@ describe("@terreno/api", () => {
       );
       server = supertest(app);
 
-      const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
+      const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(403);
       expect(res.body.title).toContain("cannot write fields");
     });
 
@@ -1324,7 +1324,7 @@ describe("@terreno/api", () => {
       );
       server = supertest(app);
 
-      const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(400);
+      const res = await server.post("/food").send({calories: 15, name: "Broccoli"}).expect(403);
       expect(res.body.title).toContain("cannot write fields");
     });
 

package/src/api.ts

@@ -528,6 +528,9 @@ function _buildModelRouter<T>(model: Model<T>, options: ModelRouterOptions<T>):
       try {
         body = transform<T>(options, req.body, "create", req.user);
       } catch (error: any) {
+        if (isAPIError(error)) {
+          throw error;
+        }
         throw new APIError({
           disableExternalErrorTracking: getDisableExternalErrorTracking(error),
           error,
@@ -827,6 +830,9 @@ function _buildModelRouter<T>(model: Model<T>, options: ModelRouterOptions<T>):
       try {
         body = transform<T>(options, req.body, "update", req.user);
       } catch (error: any) {
+        if (isAPIError(error)) {
+          throw error;
+        }
         throw new APIError({
           disableExternalErrorTracking: getDisableExternalErrorTracking(error),
           error,
@@ -1080,6 +1086,9 @@ function _buildModelRouter<T>(model: Model<T>, options: ModelRouterOptions<T>):
     try {
       body = transform<T>(options, body, "update", req.user) as Partial<T>;
     } catch (error: any) {
+      if (isAPIError(error)) {
+        throw error;
+      }
       throw new APIError({
         disableExternalErrorTracking: getDisableExternalErrorTracking(error),
         error,

package/src/consentApp.ts

@@ -6,7 +6,7 @@
  * endpoints for fetching pending consents and submitting responses.
  */
 
-import type express from "express";
+import {type Application, Router} from "express";
 import {DateTime} from "luxon";
 import {asyncHandler, modelRouter} from "./api";
 import type {User} from "./auth";
@@ -47,7 +47,7 @@ export class ConsentApp implements TerrenoPlugin {
     this.options = options;
   }
 
-  register(app: express.Application): void {
+  register(app: Application): void {
     const {auditTrail, resolveConsentForms, aiConfig} = this.options;
 
     // Admin CRUD for consent forms
@@ -192,7 +192,7 @@ export class ConsentApp implements TerrenoPlugin {
     );
 
     // User-facing consent endpoints
-    const router = require("express").Router() as express.Router;
+    const router = Router();
 
     // GET /consents/pending - fetch pending consent forms for the current user
     router.get(