@terreno/api 0.13.0 → 0.13.2

package/src/githubAuth.test.ts

@@ -6,11 +6,48 @@ import passportLocalMongoose from "passport-local-mongoose";
 import supertest from "supertest";
 import type TestAgent from "supertest/lib/agent";
 
+import {generateTokens, type UserModel} from "./auth";
 import {setupServer} from "./expressServer";
 import {type GitHubUserFields, githubUserPlugin, setupGitHubAuth} from "./githubAuth";
 import {logger} from "./logger";
 import {createdUpdatedPlugin, isDisabledPlugin} from "./plugins";
 
+interface FakeStrategyOutcome {
+  type: "success" | "redirect" | "fail";
+  user?: unknown;
+  url?: string;
+  challenge?: {message: string};
+}
+
+let fakeGithubOutcome: FakeStrategyOutcome = {type: "redirect", url: "http://github.com/mock"};
+
+interface FakePassportStrategy {
+  name: string;
+  success: (user: unknown) => void;
+  fail: (challenge: {message: string}) => void;
+  redirect: (url: string) => void;
+  error: (err: Error) => void;
+  authenticate: (req: express.Request) => void;
+}
+
+const installFakeGithubStrategy = (): void => {
+  const strategy: Pick<FakePassportStrategy, "name" | "authenticate"> = {
+    authenticate(this: FakePassportStrategy): void {
+      if (fakeGithubOutcome.type === "success") {
+        this.success(fakeGithubOutcome.user);
+        return;
+      }
+      if (fakeGithubOutcome.type === "fail") {
+        this.fail(fakeGithubOutcome.challenge ?? {message: "auth failed"});
+        return;
+      }
+      this.redirect(fakeGithubOutcome.url ?? "http://github.com/mock");
+    },
+    name: "github",
+  };
+  passport.use("github", strategy as unknown as passport.Strategy);
+};
+
 interface TestUser extends GitHubUserFields {
   admin: boolean;
   name?: string;
@@ -19,6 +56,13 @@ interface TestUser extends GitHubUserFields {
   disabled?: boolean;
 }
 
+interface PasswordedDocument {
+  setPassword: (password: string) => Promise<unknown>;
+  save: () => Promise<unknown>;
+  hash?: string;
+  salt?: string;
+}
+
 // Create schema for GitHub-enabled user
 const testUserSchema = new Schema<TestUser>({
   admin: {default: false, description: "Whether the user has admin privileges", type: Boolean},
@@ -527,3 +571,286 @@ describe("addGitHubAuthRoutes link endpoints", () => {
     expect((updatedUser as any).githubProfileUrl).toBeUndefined();
   });
 });
+
+describe("GitHub callback handler (fake strategy)", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+
+    function addRoutes(router: express.Router): void {
+      router.get("/test", (_req, res) => res.json({ok: true}));
+    }
+
+    app = setupServer({
+      addMiddleware: (a) => {
+        // The handler reads (req as unknown as {session?: {returnTo?: string}}).session?.returnTo.
+        // setupServer does not install express-session, so prime a fake session from a request
+        // header for tests.
+        a.use((req, _res, next) => {
+          const headerReturnTo = req.headers["x-mock-return-to"];
+          if (typeof headerReturnTo === "string") {
+            (req as unknown as {session: {returnTo: string}}).session = {returnTo: headerReturnTo};
+          }
+          next();
+        });
+      },
+      addRoutes,
+      githubAuth: {
+        allowAccountLinking: true,
+        callbackURL: "http://localhost:9000/auth/github/callback",
+        clientId: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      skipListen: true,
+      userModel: GitHubTestUserModel as unknown as UserModel,
+    });
+    // Swap the github strategy with our fake after setupServer registered it.
+    installFakeGithubStrategy();
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+    fakeGithubOutcome = {type: "redirect", url: "http://github.com/mock"};
+  });
+
+  it("GET /auth/github/callback returns JSON tokens on success", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "cb@example.com",
+      githubId: "cb-gh-1",
+      name: "CB User",
+    } as unknown as TestUser);
+
+    fakeGithubOutcome = {type: "success", user};
+
+    const res = await agent.get("/auth/github/callback").expect(200);
+    expect(res.body.data.token).toBeDefined();
+    expect(res.body.data.refreshToken).toBeDefined();
+    expect(res.body.data.userId).toBeDefined();
+  });
+
+  it("GET /auth/github/callback redirects to returnTo with tokens when session.returnTo is set", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "cb2@example.com",
+      githubId: "cb-gh-2",
+      name: "CB User 2",
+    } as unknown as TestUser);
+
+    fakeGithubOutcome = {type: "success", user};
+    const res = await agent
+      .get("/auth/github/callback")
+      .set("x-mock-return-to", "https://example.com/cb")
+      .expect(302);
+    expect(res.headers.location).toContain("https://example.com/cb");
+    expect(res.headers.location).toContain("token=");
+    expect(res.headers.location).toContain("refreshToken=");
+    expect(res.headers.location).toContain("userId=");
+  });
+
+  it("GET /auth/github/callback redirects on failure", async () => {
+    fakeGithubOutcome = {challenge: {message: "denied"}, type: "fail"};
+    const res = await agent.get("/auth/github/callback").expect(302);
+    expect(res.headers.location).toContain("/auth/github/failure");
+  });
+
+  it("GET /auth/github/callback returns 500 when token generation fails", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "cb3@example.com",
+      githubId: "cb-gh-3",
+      name: "CB User 3",
+    } as unknown as TestUser);
+
+    fakeGithubOutcome = {type: "success", user};
+
+    const savedSecret = process.env.TOKEN_SECRET;
+    process.env.TOKEN_SECRET = "";
+    try {
+      const res = await agent.get("/auth/github/callback").expect(500);
+      expect(res.body.message).toBe("Authentication failed");
+    } finally {
+      process.env.TOKEN_SECRET = savedSecret;
+    }
+  });
+});
+
+describe("GET /auth/github/link with JWT (fake strategy)", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+
+    function addRoutes(router: express.Router): void {
+      router.get("/test", (_req, res) => res.json({ok: true}));
+    }
+
+    app = setupServer({
+      addRoutes,
+      githubAuth: {
+        allowAccountLinking: true,
+        callbackURL: "http://localhost:9000/auth/github/callback",
+        clientId: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      skipListen: true,
+      userModel: GitHubTestUserModel as unknown as UserModel,
+    });
+    installFakeGithubStrategy();
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+    fakeGithubOutcome = {type: "redirect", url: "http://github.com/mock"};
+  });
+
+  it("GET /auth/github/link forwards to GitHub auth when JWT is valid", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "linkjwt@example.com",
+      name: "Link JWT User",
+    } as unknown as TestUser);
+    await (user as unknown as PasswordedDocument).setPassword("password123");
+    await user.save();
+
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "linkjwt@example.com", password: "password123"})
+      .expect(200);
+
+    fakeGithubOutcome = {type: "redirect", url: "http://github.com/auth"};
+    const res = await agent
+      .get("/auth/github/link")
+      .set("authorization", `Bearer ${loginRes.body.data.token}`)
+      .expect(302);
+    expect(res.headers.location).toBe("http://github.com/auth");
+  });
+});
+
+describe("DELETE /auth/github/unlink edge cases", () => {
+  let app: express.Application;
+  let agent: TestAgent;
+
+  beforeEach(async () => {
+    setSystemTime();
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+
+    function addRoutes(router: express.Router): void {
+      router.get("/test", (_req, res) => res.json({ok: true}));
+    }
+
+    app = setupServer({
+      addRoutes,
+      githubAuth: {
+        allowAccountLinking: true,
+        callbackURL: "http://localhost:9000/auth/github/callback",
+        clientId: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      skipListen: true,
+      userModel: GitHubTestUserModel as unknown as UserModel,
+    });
+    installFakeGithubStrategy();
+    agent = supertest.agent(app);
+  });
+
+  afterEach(() => {
+    setSystemTime();
+  });
+
+  it("returns 400 when user has no password (no other auth method)", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "ghonly@example.com",
+      githubId: "ghonly-1",
+      githubUsername: "ghonly",
+    } as unknown as TestUser);
+
+    const {token} = await generateTokens({_id: (user as unknown as {_id: unknown})._id});
+
+    const res = await agent
+      .delete("/auth/github/unlink")
+      .set("authorization", `Bearer ${token}`)
+      .expect(400);
+    expect(res.body.message).toContain("Cannot unlink GitHub account");
+  });
+
+  it("returns 500 when save throws during unlink", async () => {
+    const user = await GitHubTestUserModel.create({
+      email: "savefail@example.com",
+      githubId: "savefail-1",
+    } as unknown as TestUser);
+    await (user as unknown as PasswordedDocument).setPassword("password123");
+    await user.save();
+
+    const loginRes = await agent
+      .post("/auth/login")
+      .send({email: "savefail@example.com", password: "password123"})
+      .expect(200);
+
+    interface MockableFindById {
+      findById: (id: unknown) => {
+        select: (fields: string) => Promise<PasswordedDocument | null>;
+      };
+    }
+    const mockableModel = GitHubTestUserModel as unknown as MockableFindById;
+    const originalFindById = mockableModel.findById;
+    mockableModel.findById = () => ({
+      select: async () => ({
+        hash: "x",
+        salt: "y",
+        save: async () => {
+          throw new Error("boom");
+        },
+        setPassword: async () => undefined,
+      }),
+    });
+    try {
+      const res = await agent
+        .delete("/auth/github/unlink")
+        .set("authorization", `Bearer ${loginRes.body.data.token}`)
+        .expect(500);
+      expect(res.body.message).toBe("Failed to unlink GitHub account");
+    } finally {
+      mockableModel.findById = originalFindById;
+    }
+  });
+});
+
+describe("GitHub strategy verify callback edge cases", () => {
+  const testApp = {get: () => {}, use: () => {}} as unknown as express.Application;
+
+  beforeEach(async () => {
+    await connectDb();
+    await GitHubTestUserModel.deleteMany({});
+  });
+
+  it("returns 404 when linking a user whose record disappears", async () => {
+    const existingUser = await GitHubTestUserModel.create({
+      email: "gone@example.com",
+    } as unknown as TestUser);
+
+    setupGitHubAuth(testApp, GitHubTestUserModel as unknown as UserModel, {
+      allowAccountLinking: true,
+      callbackURL: "http://localhost:9000/auth/github/callback",
+      clientId: "id",
+      clientSecret: "secret",
+    });
+
+    // Delete user before verify runs to hit the 404 path.
+    await GitHubTestUserModel.deleteOne({_id: (existingUser as unknown as {_id: unknown})._id});
+
+    const req = {user: existingUser};
+    const result = await invokeGitHubVerify(req, "access", "refresh", {
+      id: "gh-missing-1",
+      username: "missing",
+    });
+    expect(result.err).toBeDefined();
+    expect(result.err?.status).toBe(404);
+  });
+});

package/src/models/consentForm.ts

@@ -2,16 +2,14 @@ import mongoose from "mongoose";
 import {createdUpdatedPlugin, findExactlyOne, findOneOrNone, isDeletedPlugin} from "../plugins";
 import type {ConsentFormDocument, ConsentFormModel} from "../types/consentForm";
 
-const consentFormTypeMap = {
-  agreement: "agreement",
-  custom: "custom",
-  hipaa: "hipaa",
-  privacy: "privacy",
-  research: "research",
-  terms: "terms",
-} as const;
-
-const consentFormTypeValues = Object.values(consentFormTypeMap);
+const consentFormTypeValues = [
+  "agreement",
+  "privacy",
+  "hipaa",
+  "research",
+  "terms",
+  "custom",
+] as const;
 
 const consentFormSchema = new mongoose.Schema<ConsentFormDocument, ConsentFormModel>(
   {

package/src/models/versionConfig.ts

@@ -17,7 +17,7 @@ export interface VersionConfigDocument extends mongoose.Document {
 
 export interface VersionConfigModel extends mongoose.Model<VersionConfigDocument> {
   findOneOrNone(
-    query: Record<string, any>,
+    query: Record<string, unknown>,
     errorArgs?: Partial<APIErrorConstructor>
   ): Promise<(Document & VersionConfigDocument) | null>;
 }

package/src/notifiers/slackNotifier.ts

@@ -7,7 +7,7 @@ import {logger} from "../logger";
 // If `url` is provided, it will be used directly instead of looking up from environment.
 // DEPRECATED: Looking up webhook URLs from the SLACK_WEBHOOKS environment variable by channel name
 // is deprecated and will be removed in a future version. Please pass the `url` parameter directly.
-export async function sendToSlack(
+export const sendToSlack = async (
   text: string,
   {
     slackChannel,
@@ -15,7 +15,7 @@ export async function sendToSlack(
     env,
     url,
   }: {slackChannel?: string; shouldThrow?: boolean; env?: string; url?: string} = {}
-) {
+) => {
   let slackWebhookUrl = url;
 
   if (!slackWebhookUrl) {
@@ -53,14 +53,15 @@ export async function sendToSlack(
     await axios.post(slackWebhookUrl, {
       text: formattedText,
     });
-  } catch (error: any) {
-    logger.error(`Error posting to slack: ${error.text ?? error.message}`);
+  } catch (error: unknown) {
+    const errorObj = error as {text?: string; message?: string};
+    logger.error(`Error posting to slack: ${errorObj.text ?? errorObj.message}`);
     Sentry.captureException(error);
     if (shouldThrow) {
       throw new APIError({
         status: 500,
-        title: `Error posting to slack: ${error.text ?? error.message}`,
+        title: `Error posting to slack: ${errorObj.text ?? errorObj.message}`,
       });
     }
   }
-}
+};

package/src/openApiEtag.ts

@@ -14,7 +14,7 @@ export const openApiEtagMiddleware = (req: Request, res: Response, next: NextFun
 
   const originalJson = res.json.bind(res);
 
-  res.json = (body: any) => {
+  res.json = (body: unknown) => {
     const jsonString = JSON.stringify(body);
     const etag = `"${crypto.createHash("sha256").update(jsonString).digest("hex").substring(0, 16)}"`;
 

package/src/plugins.ts

@@ -85,14 +85,14 @@ export const createdUpdatedPlugin = (schema: Schema<any, any, any, any>): void =
     }
     // If we aren't specifying created, use now.
     if (!this.created) {
-      this.created = new Date();
+      this.created = DateTime.now().toJSDate();
     }
     // All writes change the updated time.
-    this.updated = new Date();
+    this.updated = DateTime.now().toJSDate();
   });
 
   schema.pre(/save|updateOne|insertMany/, function () {
-    void this.updateOne({}, {$set: {updated: new Date()}});
+    void this.updateOne({}, {$set: {updated: DateTime.now().toJSDate()}});
   });
 };
 
@@ -253,7 +253,7 @@ export interface FindExactlyOnePlugin<T> {
 }
 
 export class DateOnly extends SchemaType {
-  constructor(key: string, options: SchemaTypeOptions<any>) {
+  constructor(key: string, options: SchemaTypeOptions<Date>) {
     super(key, options, "DateOnly");
   }
 
@@ -262,6 +262,7 @@ export class DateOnly extends SchemaType {
   }
 
   $conditionalHandlers = {
+    // noExplicitAny: $conditionalHandlers is not exposed on SchemaType's prototype in Mongoose's public type definitions
     ...(SchemaType as any).prototype.$conditionalHandlers,
     $gt: this.handleSingle,
     $gte: this.handleSingle,
@@ -273,6 +274,7 @@ export class DateOnly extends SchemaType {
   // When using $gt, $gte, $lt, $lte, etc, we need to cast the value to a Date
   castForQuery($conditional, val, context): Date | undefined {
     if ($conditional == null) {
+      // noExplicitAny: applySetters is an internal Mongoose SchemaType method not in public type definitions
       return (this as any).applySetters(val, context);
     }
 
@@ -287,7 +289,7 @@ export class DateOnly extends SchemaType {
 
   // When either setting a value to a DateOnly or fetching from the DB,
   // we want to strip off the time portion.
-  cast(val: any): Date | undefined {
+  cast(val: unknown): Date | undefined {
     if (val instanceof Date) {
       const date = DateTime.fromJSDate(val).toUTC().startOf("day");
       if (!date.isValid) {
@@ -314,7 +316,7 @@ export class DateOnly extends SchemaType {
     }
     // Handle $gte, $lte, etc
     if (typeof val === "object") {
-      return val;
+      return val as Date;
     }
     throw new MongooseError.CastError(
       "DateOnly",
@@ -324,10 +326,13 @@ export class DateOnly extends SchemaType {
     );
   }
 
-  get(val: any): this {
-    return (val instanceof Date ? DateTime.fromJSDate(val).startOf("day").toJSDate() : val) as any;
+  get(val: unknown): this {
+    return (val instanceof Date
+      ? DateTime.fromJSDate(val).startOf("day").toJSDate()
+      : val) as unknown as this;
   }
 }
 
 // Register DateOnly with Mongoose's Schema.Types
+// noExplicitAny: DateOnly is a custom SchemaType not declared in Mongoose's Schema.Types interface
 (mongoose.Schema.Types as any).DateOnly = DateOnly;

package/src/populate.test.ts

@@ -1,13 +1,14 @@
 import {beforeEach, describe, expect, it} from "bun:test";
-import mongoose, {Schema} from "mongoose";
+import mongoose, {type Document, type HydratedDocument, Schema} from "mongoose";
 
 import {fixMixedFields, getOpenApiSpecForModel, unpopulate} from "./populate";
-import {FoodModel, setupDb, UserModel} from "./tests";
+import {FoodModel, setupDb, type User, UserModel} from "./tests";
 
 describe("populate functions", () => {
-  let admin: any;
-  let notAdmin: any;
+  let admin: HydratedDocument<User>;
+  let notAdmin: HydratedDocument<User>;
 
+  // noExplicitAny: typing as HydratedDocument<Food> causes cascading errors on populated field access patterns (e.g. populated.ownerId.name)
   let spinach: any;
 
   beforeEach(async () => {
@@ -44,6 +45,7 @@ describe("populate functions", () => {
     expect(populated.likesIds[1].userId.id).toBe(notAdmin.id);
     expect(populated.likesIds[1].userId.name).toBe("Not Admin");
 
+    // noExplicitAny: unpopulate returns Document<T> which doesn't expose model properties; would require refactoring the return type
     let unpopulated: any = unpopulate(populated, "ownerId");
     expect(spinach.ownerId.name).toBeUndefined();
     expect(unpopulated.ownerId.toString()).toBe(admin.id);
@@ -68,7 +70,7 @@ describe("populate functions", () => {
 describe("unpopulate edge cases", () => {
   it("throws error when path is empty", () => {
     const doc = {name: "test"};
-    expect(() => unpopulate(doc as any, "")).toThrow("path is required");
+    expect(() => unpopulate(doc as unknown as Document<unknown>, "")).toThrow("path is required");
   });
 
   it("unpopulates single populated field", () => {
@@ -76,7 +78,9 @@ describe("unpopulate edge cases", () => {
       name: "test",
       ownerId: {_id: "owner-123", email: "owner@test.com"},
     };
-    const result = unpopulate(doc as any, "ownerId") as any;
+    const result = unpopulate(doc as unknown as Document<unknown>, "ownerId") as unknown as {
+      ownerId: string;
+    };
     expect(result.ownerId).toBe("owner-123");
   });
 
@@ -85,7 +89,9 @@ describe("unpopulate edge cases", () => {
       items: [{_id: "item-1", name: "Item 1"}, {_id: "item-2", name: "Item 2"}, "item-3"],
       name: "test",
     };
-    const result = unpopulate(doc as any, "items") as any;
+    const result = unpopulate(doc as unknown as Document<unknown>, "items") as unknown as {
+      items: string[];
+    };
     expect(result.items).toEqual(["item-1", "item-2", "item-3"]);
   });
 
@@ -99,13 +105,17 @@ describe("unpopulate edge cases", () => {
         ],
       },
     };
-    const result = unpopulate(doc as any, "nested.items") as any;
+    const result = unpopulate(doc as unknown as Document<unknown>, "nested.items") as unknown as {
+      nested: {items: string[]};
+    };
     expect(result.nested.items).toEqual(["item-1", "item-2"]);
   });
 
   it("returns original doc when path does not exist", () => {
     const doc = {name: "test"};
-    const result = unpopulate(doc as any, "nonexistent") as any;
+    const result = unpopulate(doc as unknown as Document<unknown>, "nonexistent") as unknown as {
+      name: string;
+    };
     expect(result).toEqual(doc);
   });
 
@@ -117,7 +127,10 @@ describe("unpopulate edge cases", () => {
       ],
       name: "test",
     };
-    const result = unpopulate(doc as any, "containers.items") as any;
+    const result = unpopulate(
+      doc as unknown as Document<unknown>,
+      "containers.items"
+    ) as unknown as {containers: {items: string[]}[]};
     expect(result.containers[0].items).toEqual(["item-1", "item-2"]);
     expect(result.containers[1].items).toEqual(["item-3", "item-4"]);
   });
@@ -131,12 +144,14 @@ describe("fixMixedFields", () => {
 
   it("returns early when properties is missing", () => {
     const schema = new Schema({});
-    expect(() => fixMixedFields(schema, null as any)).not.toThrow();
+    expect(() => fixMixedFields(schema, null as unknown as Record<string, unknown>)).not.toThrow();
   });
 
   it("replaces Mixed fields with only description", () => {
     const schema = new Schema({data: {description: "any data", type: Schema.Types.Mixed}});
-    const properties: any = {data: {description: "any data", type: "object"}};
+    const properties: Record<string, Record<string, unknown>> = {
+      data: {description: "any data", type: "object"},
+    };
     fixMixedFields(schema, properties);
     expect(properties.data).toEqual({description: "any data"});
   });
@@ -144,14 +159,14 @@ describe("fixMixedFields", () => {
   it("recurses into arrays of sub-documents", () => {
     const subSchema = new Schema({meta: {type: Schema.Types.Mixed}});
     const schema = new Schema({items: [subSchema]});
-    const properties: any = {
+    const properties = {
       items: {
         items: {
           properties: {
-            meta: {type: "object"},
+            meta: {type: "object"} as Record<string, unknown>,
           },
         },
-        type: "array",
+        type: "array" as const,
       },
     };
     fixMixedFields(schema, properties);
@@ -211,7 +226,7 @@ describe("getOpenApiSpecForModel edge cases", () => {
       populatePaths: [{path: "eatenBy"}],
     });
     expect(result.properties.eatenBy).toBeDefined();
-    expect((result.properties.eatenBy as any).items).toBeDefined();
+    expect((result.properties.eatenBy as Record<string, unknown>).items).toBeDefined();
   });
 
   it("populates nested ref in sub-schema (likesIds.userId)", () => {
@@ -224,7 +239,7 @@ describe("getOpenApiSpecForModel edge cases", () => {
   it("includes virtuals from model schema", () => {
     const result = getOpenApiSpecForModel(FoodModel);
     expect(result.properties.description).toBeDefined();
-    expect((result.properties.description as any).type).toBe("any");
+    expect((result.properties.description as Record<string, unknown>).type).toBe("any");
   });
 
   it("includes virtuals from child schemas", () => {
@@ -240,7 +255,10 @@ describe("getOpenApiSpecForModel edge cases", () => {
       mongoose.models.ParentWithChildVirtual ||
       mongoose.model("ParentWithChildVirtual", parentSchema);
     const result = getOpenApiSpecForModel(ParentModel);
-    const detail = result.properties.detail as any;
+    const detail = result.properties.detail as Record<
+      string,
+      Record<string, Record<string, unknown>>
+    >;
     expect(detail.properties.displayAmount).toBeDefined();
     expect(detail.properties.displayAmount.type).toBe("any");
   });
@@ -251,7 +269,10 @@ describe("filterKeys (via getOpenApiSpecForModel populatePaths)", () => {
     const result = getOpenApiSpecForModel(FoodModel, {
       populatePaths: [{fields: ["name.nested"], path: "ownerId"}],
     });
-    const ownerProps = (result.properties.ownerId as any).properties;
+    const ownerProps = (result.properties.ownerId as Record<string, unknown>).properties as Record<
+      string,
+      unknown
+    >;
     expect(ownerProps.name).toBeDefined();
     expect(typeof ownerProps.name).toBe("object");
   });
@@ -261,8 +282,12 @@ describe("filterKeys (via getOpenApiSpecForModel populatePaths)", () => {
       populatePaths: [{fields: ["__proto__.polluted"], path: "ownerId"}],
     });
     expect(result.properties).toBeDefined();
+    // noExplicitAny: testing that prototype pollution did not add a 'polluted' property to Object.prototype
     expect((Object.prototype as any).polluted).toBeUndefined();
-    const ownerProps = (result.properties.ownerId as any).properties;
+    const ownerProps = (result.properties.ownerId as Record<string, unknown>).properties as Record<
+      string,
+      unknown
+    >;
     expect(ownerProps).toBeDefined();
     expect(Object.keys(ownerProps)).not.toContain("__proto__");
   });