@terreno/api 0.13.2 → 0.14.0

package/src/openApi.ts

@@ -199,7 +199,7 @@ export function listOpenApiMiddleware<T>(
       // Remove _id from queryFields, we handle that above.
       ?.filter((field) => field !== "_id")
       .map((field) => {
-        const params: {name: string; in: "query"; schema: any}[] = [];
+        const params: {name: string; in: "query"; schema: Record<string, unknown>}[] = [];
 
         // Check for datetime/number to support gt/gte/lt/lte
         if (
@@ -462,10 +462,10 @@ export function deleteOpenApiMiddleware<T>(
 // Useful for endpoints that don't directly map to a model.
 export function readOpenApiMiddleware<T>(
   options: Partial<ModelRouterOptions<T>>,
-  properties: any,
+  properties: Record<string, unknown>,
   required: string[],
-  queryParameters: any
-): any {
+  queryParameters: Array<Record<string, unknown>>
+): express.RequestHandler {
   if (!options.openApi?.path) {
     // Just log this once rather than for each middleware.
     logger.debug(

package/src/openApiBuilder.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {beforeEach, describe, expect, it} from "bun:test";
 import type express from "express";
 import type {Router} from "express";

package/src/openApiBuilder.ts

@@ -29,6 +29,7 @@
  * router.get("/stats", middleware, statsHandler);
  * ```
  */
+import type express from "express";
 import merge from "lodash/merge";
 
 import type {ModelRouterOptions} from "./api";
@@ -111,7 +112,7 @@ export interface OpenApiSchemaProperty {
  * };
  * ```
  */
-export type OpenApiSchema = {
+export interface OpenApiSchema {
   /** The JSON Schema type (typically "object" or "array") */
   type: string;
   /** Property definitions for object types */
@@ -122,7 +123,8 @@ export type OpenApiSchema = {
   items?: OpenApiSchemaProperty;
   /** Schema for additional properties or boolean to allow/disallow them */
   additionalProperties?: OpenApiSchemaProperty | boolean;
-};
+  [key: string]: unknown;
+}
 
 /**
  * Defines a parameter in an OpenAPI operation.
@@ -246,7 +248,7 @@ interface ValidationConfig {
  */
 export interface OpenApiBuildResult {
   /** The OpenAPI documentation middleware */
-  middleware: any;
+  middleware: express.RequestHandler;
   /** Request body schema if defined */
   bodySchema?: Record<string, OpenApiSchemaProperty>;
   /** Query parameter schemas if defined */
@@ -397,7 +399,7 @@ export class OpenApiMiddlewareBuilder {
    * });
    * ```
    */
-  withRequestBody<T extends Record<string, any>>(
+  withRequestBody<T extends Record<string, unknown>>(
     schema: {
       [K in keyof T]: OpenApiSchemaProperty;
     },
@@ -454,7 +456,7 @@ export class OpenApiMiddlewareBuilder {
    * builder.withResponse(204, "No content");
    * ```
    */
-  withResponse<T extends Record<string, any>>(
+  withResponse<T extends Record<string, unknown>>(
     statusCode: number,
     schema:
       | {
@@ -508,7 +510,7 @@ export class OpenApiMiddlewareBuilder {
    * }, {description: "List of users"});
    * ```
    */
-  withArrayResponse<T extends Record<string, any>>(
+  withArrayResponse<T extends Record<string, unknown>>(
     statusCode: number,
     itemSchema: {
       [K in keyof T]: OpenApiSchemaProperty;
@@ -671,10 +673,10 @@ export class OpenApiMiddlewareBuilder {
    * ```
    */
   buildWithSchemas(): OpenApiBuildResult {
-    const noop = (_a: any, _b: any, next: () => void): void => next();
+    const noop: express.RequestHandler = (_a, _b, next) => next();
 
     // Build the OpenAPI documentation middleware only (no validation middleware)
-    let openApiMiddleware: any = noop;
+    let openApiMiddleware: express.RequestHandler = noop;
     if (this.options.openApi?.path) {
       openApiMiddleware = this.options.openApi.path(
         merge(
@@ -733,11 +735,12 @@ export class OpenApiMiddlewareBuilder {
    * router.get("/users/:id", middleware, getUserHandler);
    * ```
    */
+  // biome-ignore lint/suspicious/noExplicitAny: returns either a single RequestHandler or an array depending on validation config — callers spread or invoke
   build(): any {
-    const noop = (_a: any, _b: any, next: () => void): void => next();
+    const noop: express.RequestHandler = (_a, _b, next) => next();
 
     // Build the OpenAPI documentation middleware
-    let openApiMiddleware: any = noop;
+    let openApiMiddleware: express.RequestHandler = noop;
     if (this.options.openApi?.path) {
       openApiMiddleware = this.options.openApi.path(
         merge(
@@ -768,7 +771,7 @@ export class OpenApiMiddlewareBuilder {
     }
 
     // Build validation middleware
-    const validators: any[] = [openApiMiddleware];
+    const validators: express.RequestHandler[] = [openApiMiddleware];
 
     // Add body validation if we have a request body schema
     if (this.validationConfig.validateBody && this.requestBodySchema) {

package/src/openApiValidator.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {afterEach, beforeEach, describe, expect, it} from "bun:test";
 import type {ErrorObject} from "ajv";
 
@@ -161,6 +162,64 @@ describe("openApiValidator", () => {
     });
   });
 
+  describe("per-route validation: object-form options", () => {
+    it("applies object validation options with per-operation control", async () => {
+      configureOpenApiValidator({removeAdditional: true});
+
+      const removedProps: string[] = [];
+      const errorsCaught: ErrorObject[][] = [];
+
+      const freshApp = await setupFreshApp();
+      freshApp.use(
+        "/required",
+        modelRouter(RequiredModel, {
+          ...requiredRouterOptions,
+          validation: {
+            excludeFromCreate: ["about"],
+            onAdditionalPropertiesRemoved: (props) => {
+              removedProps.push(...props);
+            },
+            onError: (errors) => {
+              errorsCaught.push(errors);
+            },
+            validateCreate: true,
+            validateQuery: true,
+            validateUpdate: true,
+          },
+        })
+      );
+      const admin = await authAsUser(freshApp, "admin");
+
+      const res = await admin.post("/required").send({name: "Validated"}).expect(201);
+      expect(res.body.data.name).toBe("Validated");
+    });
+
+    it("disables create validation when validateCreate is false", async () => {
+      configureOpenApiValidator({removeAdditional: true});
+
+      const freshApp = await setupFreshApp();
+      freshApp.use(
+        "/required",
+        modelRouter(RequiredModel, {
+          ...requiredRouterOptions,
+          validation: {
+            excludeFromUpdate: ["about"],
+            validateCreate: false,
+            validateUpdate: true,
+          },
+        })
+      );
+      const admin = await authAsUser(freshApp, "admin");
+
+      // Even with extra field, should pass since create validation is disabled
+      const res = await admin
+        .post("/required")
+        .send({extraField: "ignored", name: "NoCreateValidation"})
+        .expect(201);
+      expect(res.body.data.name).toBe("NoCreateValidation");
+    });
+  });
+
   describe("sanitization of non-standard mongoose-to-swagger types", () => {
     it("validates models with ObjectId and DateOnly fields after sanitization", async () => {
       configureOpenApiValidator({removeAdditional: true});

package/src/openApiValidator.ts

@@ -184,6 +184,7 @@ const getAjvInstance = (): Ajv => {
       useDefaults: true,
       validateSchema: false,
     });
+    // biome-ignore lint/suspicious/noExplicitAny: ajv-formats has a known type compat issue with AJV instances
     addFormats(instance as any);
     ajvCache.set(key, instance);
   }
@@ -644,7 +645,7 @@ export const createValidator = (
   return (req: Request, res: Response, next: NextFunction): void => {
     // Run body validation first
     if (bodyValidator) {
-      bodyValidator(req, res, ((err?: any) => {
+      bodyValidator(req, res, ((err?: unknown) => {
         if (err) {
           next(err);
           return;
@@ -714,7 +715,7 @@ const m2sOptions = {
  */
 export const getSchemaFromModel = <T>(model: Model<T>): Record<string, OpenApiSchemaProperty> => {
   const modelSwagger = m2s(model, m2sOptions);
-  fixMixedFields((model as any).schema, modelSwagger.properties);
+  fixMixedFields(model.schema, modelSwagger.properties);
   return modelSwagger.properties as Record<string, OpenApiSchemaProperty>;
 };
 

package/src/permissions.middleware.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {describe, expect, it, mock, spyOn} from "bun:test";
 import * as Sentry from "@sentry/bun";
 import type express from "express";

package/src/permissions.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {beforeEach, describe, expect, it} from "bun:test";
 import type express from "express";
 import supertest from "supertest";

package/src/permissions.ts

@@ -1,4 +1,3 @@
-// Defaults closed
 import * as Sentry from "@sentry/bun";
 import type express from "express";
 import type {NextFunction} from "express";
@@ -27,7 +26,6 @@ export const OwnerQueryFilter = (user?: User) => {
   if (user) {
     return {ownerId: user?.id};
   }
-  // Return a null, so we know to return no results.
   return null;
 };
 
@@ -50,7 +48,7 @@ export const Permissions = {
     }
     return method === "list" || method === "read";
   },
-  IsOwner: (_method: RESTMethod, user?: User, obj?: any) => {
+  IsOwner: (_method: RESTMethod, user?: User, obj?: unknown) => {
     // When checking if we can possibly perform the action, return true.
     if (!obj) {
       return true;
@@ -61,10 +59,12 @@ export const Permissions = {
     if (user?.admin) {
       return true;
     }
-    const ownerId = obj?.ownerId?._id || obj?.ownerId;
-    return user?.id && ownerId && String(ownerId) === String(user?.id);
+    const withOwner = obj as {ownerId?: {_id?: unknown} | unknown};
+    const ownerObj = withOwner.ownerId as {_id?: unknown} | undefined;
+    const ownerId = ownerObj?._id ?? withOwner.ownerId;
+    return Boolean(user?.id && ownerId && String(ownerId) === String(user?.id));
   },
-  IsOwnerOrReadOnly: (method: RESTMethod, user?: User, obj?: any) => {
+  IsOwnerOrReadOnly: (method: RESTMethod, user?: User, obj?: unknown) => {
     // When checking if we can possibly perform the action, return true.
     if (!obj) {
       return true;
@@ -73,37 +73,37 @@ export const Permissions = {
       return true;
     }
 
-    if (user?.id && obj?.ownerId && String(obj?.ownerId) === String(user?.id)) {
+    const withOwner = obj as {ownerId?: unknown};
+    if (user?.id && withOwner.ownerId && String(withOwner.ownerId) === String(user?.id)) {
       return true;
     }
     return method === "list" || method === "read";
   },
 };
 
-export async function checkPermissions<T>(
+export const checkPermissions = async <T>(
   method: RESTMethod,
   permissions: PermissionMethod<T>[],
   user?: User,
   obj?: T
-): Promise<boolean> {
+): Promise<boolean> => {
   let anyTrue = false;
   for (const perm of permissions) {
-    // May or may not be a promise.
     if (!(await perm(method, user, obj))) {
       return false;
     }
     anyTrue = true;
   }
   return anyTrue;
-}
+};
 
 // Check the permissions for a given model and method. If the method is a read, update, or delete,
 // finds the relevant object, checks the permissions, and attaches the object to the request as
 // req.obj.
-export function permissionMiddleware<T>(
+export const permissionMiddleware = <T>(
   model: Model<T>,
   options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths">
-) {
+) => {
   return async (req: express.Request, _res: express.Response, next: NextFunction) => {
     if (req.method === "OPTIONS") {
       return next();
@@ -146,10 +146,14 @@ export function permissionMiddleware<T>(
       }
 
       const builtQuery = model.findById(req.params.id);
-      const populatedQuery = addPopulateToQuery(builtQuery as any, options.populatePaths);
-      let data;
+      const populatedQuery = addPopulateToQuery(
+        // biome-ignore lint/suspicious/noExplicitAny: Query types vary based on populate paths
+        builtQuery as any,
+        options.populatePaths
+      );
+      let data: T | null;
       try {
-        data = await populatedQuery.exec();
+        data = (await populatedQuery.exec()) as T | null;
       } catch (error: unknown) {
         throw new APIError({
           error: error as Error,
@@ -174,13 +178,14 @@ export function permissionMiddleware<T>(
         }
 
         // Document exists but is hidden
-        const reason: {[key: string]: string} | null = hiddenDoc.deleted
-          ? {deleted: "true"}
-          : hiddenDoc.disabled
-            ? {disabled: "true"}
-            : hiddenDoc.archived
-              ? {archived: "true"}
-              : null;
+        let reason: {[key: string]: string} | null = null;
+        if (hiddenDoc.deleted) {
+          reason = {deleted: "true"};
+        } else if (hiddenDoc.disabled) {
+          reason = {disabled: "true"};
+        } else if (hiddenDoc.archived) {
+          reason = {archived: "true"};
+        }
 
         // If no reason found, treat as not found
         if (!reason) {
@@ -207,7 +212,7 @@ export function permissionMiddleware<T>(
         });
       }
 
-      (req as any).obj = data;
+      (req as express.Request & {obj?: T | null}).obj = data;
 
       return next();
     } catch (error) {
@@ -215,4 +220,4 @@ export function permissionMiddleware<T>(
       return next(error);
     }
   };
-}
+};

package/src/plugins.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {beforeEach, describe, expect, it, setSystemTime} from "bun:test";
 import type express from "express";
 import {type Document, type Model, model, Schema} from "mongoose";
@@ -58,7 +59,6 @@ const StuffModel = model<Stuff>("Stuff", stuffSchema) as unknown as StuffModelTy
 describe("baseUserPlugin", () => {
   it("adds admin and email fields to the schema", () => {
     const testSchema = new Schema({});
-    // biome-ignore lint/suspicious/noExplicitAny: test schema
     baseUserPlugin(testSchema as Schema<any, any, any, any>);
 
     const adminPath = testSchema.path("admin");

package/src/plugins.ts

@@ -16,6 +16,7 @@ export interface BaseUser {
   email: string;
 }
 
+// biome-ignore lint/suspicious/noExplicitAny: Schema generics must be loose to accept arbitrary consumer schemas
 export const baseUserPlugin = (schema: Schema<any, any, any, any>): void => {
   schema.add({
     admin: {default: false, description: "Whether the user has admin privileges", type: Boolean},
@@ -29,6 +30,7 @@ export interface IsDeleted {
   deleted: boolean;
 }
 
+// biome-ignore lint/suspicious/noExplicitAny: Schema generics must be loose to accept arbitrary consumer schemas
 export const isDeletedPlugin = (schema: Schema<any, any, any, any>, defaultValue = false): void => {
   schema.add({
     deleted: {
@@ -40,6 +42,7 @@ export const isDeletedPlugin = (schema: Schema<any, any, any, any>, defaultValue
       type: Boolean,
     },
   });
+  // biome-ignore lint/suspicious/noExplicitAny: Query<any, any> must be loose to accept arbitrary consumer queries
   const applyDeleteFilter = (q: Query<any, any>): void => {
     const query = q.getQuery();
     if (query && query.deleted === undefined) {
@@ -55,6 +58,7 @@ export const isDeletedPlugin = (schema: Schema<any, any, any, any>, defaultValue
 };
 
 export const isDisabledPlugin = (
+  // biome-ignore lint/suspicious/noExplicitAny: Schema generics must be loose to accept arbitrary consumer schemas
   schema: Schema<any, any, any, any>,
   defaultValue = false
 ): void => {
@@ -73,6 +77,7 @@ export interface CreatedDeleted {
   created: {type: Date; required: true};
 }
 
+// biome-ignore lint/suspicious/noExplicitAny: Schema generics must be loose to accept arbitrary consumer schemas
 export const createdUpdatedPlugin = (schema: Schema<any, any, any, any>): void => {
   schema.add({
     updated: {description: "When this document was last updated", index: true, type: Date},
@@ -111,7 +116,7 @@ export const firebaseJWTPlugin = (schema: Schema): void => {
  */
 export const findOneOrNone = <T>(schema: Schema<T>): void => {
   schema.statics.findOneOrNone = async function (
-    query: Record<string, any>,
+    query: Record<string, unknown>,
     errorArgs?: Partial<APIErrorConstructor>
   ): Promise<(Document & T) | null> {
     const results = await this.find(query);
@@ -174,7 +179,7 @@ export const findOneOrNoneFor = async <T>(
  */
 export const findExactlyOne = <T>(schema: Schema<T>): void => {
   schema.statics.findExactlyOne = async function (
-    query: Record<string, any>,
+    query: Record<string, unknown>,
     errorArgs?: Partial<APIErrorConstructor>
   ): Promise<Document & T> {
     const results = await this.find(query);
@@ -204,10 +209,12 @@ export const findExactlyOne = <T>(schema: Schema<T>): void => {
  * match the conditions to prevent ambiguous updates.
  * @param schema Mongoose Schema
  */
+// biome-ignore lint/suspicious/noExplicitAny: Schema generics with unknown collide with mongoose's loose this-binding on schema.statics
 export const upsertPlugin = <T>(schema: Schema<any, any, any, any>): void => {
   schema.statics.upsert = async function (
-    conditions: Record<string, any>,
-    update: Record<string, any>
+    this: mongoose.Model<T>,
+    conditions: Record<string, unknown>,
+    update: Record<string, unknown>
   ): Promise<T> {
     // Try to find the document with the given conditions.
     const docs = await this.find(conditions);
@@ -223,31 +230,31 @@ export const upsertPlugin = <T>(schema: Schema<any, any, any, any>): void => {
     if (doc) {
       // If the document exists, update it with the provided update values.
       Object.assign(doc, update);
-      return doc.save();
+      return (await doc.save()) as unknown as T;
     }
     // If the document doesn't exist, create a new one with the combined conditions and update
     // values.
     const combinedData = {...conditions, ...update};
     const newDoc = new this(combinedData);
-    return newDoc.save();
+    return (await newDoc.save()) as unknown as T;
   };
 };
 
 /** For models with the upsertPlugin, extend this interface to add the upsert static method. */
 export interface HasUpsert<T> {
-  upsert(conditions: Record<string, any>, update: Record<string, any>): Promise<T>;
+  upsert(conditions: Record<string, unknown>, update: Record<string, unknown>): Promise<T>;
 }
 
 export interface FindOneOrNonePlugin<T> {
   findOneOrNone(
-    query: Record<string, any>,
+    query: Record<string, unknown>,
     errorArgs?: Partial<APIErrorConstructor>
   ): Promise<(Document & T) | null>;
 }
 
 export interface FindExactlyOnePlugin<T> {
   findExactlyOne(
-    query: Record<string, any>,
+    query: Record<string, unknown>,
     errorArgs?: Partial<APIErrorConstructor>
   ): Promise<Document & T>;
 }
@@ -257,12 +264,12 @@ export class DateOnly extends SchemaType {
     super(key, options, "DateOnly");
   }
 
-  handleSingle(val) {
+  handleSingle(val: unknown) {
     return this.cast(val);
   }
 
   $conditionalHandlers = {
-    // noExplicitAny: $conditionalHandlers is not exposed on SchemaType's prototype in Mongoose's public type definitions
+    // biome-ignore lint/suspicious/noExplicitAny: $conditionalHandlers is not exposed on SchemaType's prototype in Mongoose's public type definitions
     ...(SchemaType as any).prototype.$conditionalHandlers,
     $gt: this.handleSingle,
     $gte: this.handleSingle,
@@ -272,9 +279,9 @@ export class DateOnly extends SchemaType {
 
   // Based on castForQuery in mongoose/lib/schema/date.js
   // When using $gt, $gte, $lt, $lte, etc, we need to cast the value to a Date
-  castForQuery($conditional, val, context): Date | undefined {
+  castForQuery($conditional: string | undefined, val: unknown, context: unknown): Date | undefined {
     if ($conditional == null) {
-      // noExplicitAny: applySetters is an internal Mongoose SchemaType method not in public type definitions
+      // biome-ignore lint/suspicious/noExplicitAny: applySetters is an internal Mongoose SchemaType method not in public type definitions
       return (this as any).applySetters(val, context);
     }
 
@@ -334,5 +341,5 @@ export class DateOnly extends SchemaType {
 }
 
 // Register DateOnly with Mongoose's Schema.Types
-// noExplicitAny: DateOnly is a custom SchemaType not declared in Mongoose's Schema.Types interface
+// biome-ignore lint/suspicious/noExplicitAny: DateOnly is a custom SchemaType not declared in Mongoose's Schema.Types interface
 (mongoose.Schema.Types as any).DateOnly = DateOnly;

package/src/populate.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {beforeEach, describe, expect, it} from "bun:test";
 import mongoose, {type Document, type HydratedDocument, Schema} from "mongoose";