@terreno/api 0.13.3 → 0.14.1

package/src/permissions.ts

@@ -1,4 +1,3 @@
-// Defaults closed
 import * as Sentry from "@sentry/bun";
 import type express from "express";
 import type {NextFunction} from "express";
@@ -27,7 +26,6 @@ export const OwnerQueryFilter = (user?: User) => {
   if (user) {
     return {ownerId: user?.id};
   }
-  // Return a null, so we know to return no results.
   return null;
 };
 
@@ -50,7 +48,7 @@ export const Permissions = {
     }
     return method === "list" || method === "read";
   },
-  IsOwner: (_method: RESTMethod, user?: User, obj?: any) => {
+  IsOwner: (_method: RESTMethod, user?: User, obj?: unknown) => {
     // When checking if we can possibly perform the action, return true.
     if (!obj) {
       return true;
@@ -61,10 +59,12 @@ export const Permissions = {
     if (user?.admin) {
       return true;
     }
-    const ownerId = obj?.ownerId?._id || obj?.ownerId;
-    return user?.id && ownerId && String(ownerId) === String(user?.id);
+    const withOwner = obj as {ownerId?: {_id?: unknown} | unknown};
+    const ownerObj = withOwner.ownerId as {_id?: unknown} | undefined;
+    const ownerId = ownerObj?._id ?? withOwner.ownerId;
+    return Boolean(user?.id && ownerId && String(ownerId) === String(user?.id));
   },
-  IsOwnerOrReadOnly: (method: RESTMethod, user?: User, obj?: any) => {
+  IsOwnerOrReadOnly: (method: RESTMethod, user?: User, obj?: unknown) => {
     // When checking if we can possibly perform the action, return true.
     if (!obj) {
       return true;
@@ -73,37 +73,37 @@ export const Permissions = {
       return true;
     }
 
-    if (user?.id && obj?.ownerId && String(obj?.ownerId) === String(user?.id)) {
+    const withOwner = obj as {ownerId?: unknown};
+    if (user?.id && withOwner.ownerId && String(withOwner.ownerId) === String(user?.id)) {
       return true;
     }
     return method === "list" || method === "read";
   },
 };
 
-export async function checkPermissions<T>(
+export const checkPermissions = async <T>(
   method: RESTMethod,
   permissions: PermissionMethod<T>[],
   user?: User,
   obj?: T
-): Promise<boolean> {
+): Promise<boolean> => {
   let anyTrue = false;
   for (const perm of permissions) {
-    // May or may not be a promise.
     if (!(await perm(method, user, obj))) {
       return false;
     }
     anyTrue = true;
   }
   return anyTrue;
-}
+};
 
 // Check the permissions for a given model and method. If the method is a read, update, or delete,
 // finds the relevant object, checks the permissions, and attaches the object to the request as
 // req.obj.
-export function permissionMiddleware<T>(
+export const permissionMiddleware = <T>(
   model: Model<T>,
   options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths">
-) {
+) => {
   return async (req: express.Request, _res: express.Response, next: NextFunction) => {
     if (req.method === "OPTIONS") {
       return next();
@@ -146,10 +146,14 @@ export function permissionMiddleware<T>(
       }
 
       const builtQuery = model.findById(req.params.id);
-      const populatedQuery = addPopulateToQuery(builtQuery as any, options.populatePaths);
-      let data;
+      const populatedQuery = addPopulateToQuery(
+        // biome-ignore lint/suspicious/noExplicitAny: Query types vary based on populate paths
+        builtQuery as any,
+        options.populatePaths
+      );
+      let data: T | null;
       try {
-        data = await populatedQuery.exec();
+        data = (await populatedQuery.exec()) as T | null;
       } catch (error: unknown) {
         throw new APIError({
           error: error as Error,
@@ -174,13 +178,14 @@ export function permissionMiddleware<T>(
         }
 
         // Document exists but is hidden
-        const reason: {[key: string]: string} | null = hiddenDoc.deleted
-          ? {deleted: "true"}
-          : hiddenDoc.disabled
-            ? {disabled: "true"}
-            : hiddenDoc.archived
-              ? {archived: "true"}
-              : null;
+        let reason: {[key: string]: string} | null = null;
+        if (hiddenDoc.deleted) {
+          reason = {deleted: "true"};
+        } else if (hiddenDoc.disabled) {
+          reason = {disabled: "true"};
+        } else if (hiddenDoc.archived) {
+          reason = {archived: "true"};
+        }
 
         // If no reason found, treat as not found
         if (!reason) {
@@ -207,7 +212,7 @@ export function permissionMiddleware<T>(
         });
       }
 
-      (req as any).obj = data;
+      (req as express.Request & {obj?: T | null}).obj = data;
 
       return next();
     } catch (error) {
@@ -215,4 +220,4 @@ export function permissionMiddleware<T>(
       return next(error);
     }
   };
-}
+};

package/src/plugins.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {beforeEach, describe, expect, it, setSystemTime} from "bun:test";
 import type express from "express";
 import {type Document, type Model, model, Schema} from "mongoose";
@@ -58,7 +59,6 @@ const StuffModel = model<Stuff>("Stuff", stuffSchema) as unknown as StuffModelTy
 describe("baseUserPlugin", () => {
   it("adds admin and email fields to the schema", () => {
     const testSchema = new Schema({});
-    // biome-ignore lint/suspicious/noExplicitAny: test schema
     baseUserPlugin(testSchema as Schema<any, any, any, any>);
 
     const adminPath = testSchema.path("admin");

package/src/plugins.ts

@@ -16,6 +16,7 @@ export interface BaseUser {
   email: string;
 }
 
+// biome-ignore lint/suspicious/noExplicitAny: Schema generics must be loose to accept arbitrary consumer schemas
 export const baseUserPlugin = (schema: Schema<any, any, any, any>): void => {
   schema.add({
     admin: {default: false, description: "Whether the user has admin privileges", type: Boolean},
@@ -29,6 +30,7 @@ export interface IsDeleted {
   deleted: boolean;
 }
 
+// biome-ignore lint/suspicious/noExplicitAny: Schema generics must be loose to accept arbitrary consumer schemas
 export const isDeletedPlugin = (schema: Schema<any, any, any, any>, defaultValue = false): void => {
   schema.add({
     deleted: {
@@ -40,6 +42,7 @@ export const isDeletedPlugin = (schema: Schema<any, any, any, any>, defaultValue
       type: Boolean,
     },
   });
+  // biome-ignore lint/suspicious/noExplicitAny: Query<any, any> must be loose to accept arbitrary consumer queries
   const applyDeleteFilter = (q: Query<any, any>): void => {
     const query = q.getQuery();
     if (query && query.deleted === undefined) {
@@ -55,6 +58,7 @@ export const isDeletedPlugin = (schema: Schema<any, any, any, any>, defaultValue
 };
 
 export const isDisabledPlugin = (
+  // biome-ignore lint/suspicious/noExplicitAny: Schema generics must be loose to accept arbitrary consumer schemas
   schema: Schema<any, any, any, any>,
   defaultValue = false
 ): void => {
@@ -73,6 +77,7 @@ export interface CreatedDeleted {
   created: {type: Date; required: true};
 }
 
+// biome-ignore lint/suspicious/noExplicitAny: Schema generics must be loose to accept arbitrary consumer schemas
 export const createdUpdatedPlugin = (schema: Schema<any, any, any, any>): void => {
   schema.add({
     updated: {description: "When this document was last updated", index: true, type: Date},
@@ -111,7 +116,7 @@ export const firebaseJWTPlugin = (schema: Schema): void => {
  */
 export const findOneOrNone = <T>(schema: Schema<T>): void => {
   schema.statics.findOneOrNone = async function (
-    query: Record<string, any>,
+    query: Record<string, unknown>,
     errorArgs?: Partial<APIErrorConstructor>
   ): Promise<(Document & T) | null> {
     const results = await this.find(query);
@@ -174,7 +179,7 @@ export const findOneOrNoneFor = async <T>(
  */
 export const findExactlyOne = <T>(schema: Schema<T>): void => {
   schema.statics.findExactlyOne = async function (
-    query: Record<string, any>,
+    query: Record<string, unknown>,
     errorArgs?: Partial<APIErrorConstructor>
   ): Promise<Document & T> {
     const results = await this.find(query);
@@ -204,10 +209,12 @@ export const findExactlyOne = <T>(schema: Schema<T>): void => {
  * match the conditions to prevent ambiguous updates.
  * @param schema Mongoose Schema
  */
+// biome-ignore lint/suspicious/noExplicitAny: Schema generics with unknown collide with mongoose's loose this-binding on schema.statics
 export const upsertPlugin = <T>(schema: Schema<any, any, any, any>): void => {
   schema.statics.upsert = async function (
-    conditions: Record<string, any>,
-    update: Record<string, any>
+    this: mongoose.Model<T>,
+    conditions: Record<string, unknown>,
+    update: Record<string, unknown>
   ): Promise<T> {
     // Try to find the document with the given conditions.
     const docs = await this.find(conditions);
@@ -223,31 +230,31 @@ export const upsertPlugin = <T>(schema: Schema<any, any, any, any>): void => {
     if (doc) {
       // If the document exists, update it with the provided update values.
       Object.assign(doc, update);
-      return doc.save();
+      return (await doc.save()) as unknown as T;
     }
     // If the document doesn't exist, create a new one with the combined conditions and update
     // values.
     const combinedData = {...conditions, ...update};
     const newDoc = new this(combinedData);
-    return newDoc.save();
+    return (await newDoc.save()) as unknown as T;
   };
 };
 
 /** For models with the upsertPlugin, extend this interface to add the upsert static method. */
 export interface HasUpsert<T> {
-  upsert(conditions: Record<string, any>, update: Record<string, any>): Promise<T>;
+  upsert(conditions: Record<string, unknown>, update: Record<string, unknown>): Promise<T>;
 }
 
 export interface FindOneOrNonePlugin<T> {
   findOneOrNone(
-    query: Record<string, any>,
+    query: Record<string, unknown>,
     errorArgs?: Partial<APIErrorConstructor>
   ): Promise<(Document & T) | null>;
 }
 
 export interface FindExactlyOnePlugin<T> {
   findExactlyOne(
-    query: Record<string, any>,
+    query: Record<string, unknown>,
     errorArgs?: Partial<APIErrorConstructor>
   ): Promise<Document & T>;
 }
@@ -257,12 +264,12 @@ export class DateOnly extends SchemaType {
     super(key, options, "DateOnly");
   }
 
-  handleSingle(val) {
+  handleSingle(val: unknown) {
     return this.cast(val);
   }
 
   $conditionalHandlers = {
-    // noExplicitAny: $conditionalHandlers is not exposed on SchemaType's prototype in Mongoose's public type definitions
+    // biome-ignore lint/suspicious/noExplicitAny: $conditionalHandlers is not exposed on SchemaType's prototype in Mongoose's public type definitions
     ...(SchemaType as any).prototype.$conditionalHandlers,
     $gt: this.handleSingle,
     $gte: this.handleSingle,
@@ -272,9 +279,9 @@ export class DateOnly extends SchemaType {
 
   // Based on castForQuery in mongoose/lib/schema/date.js
   // When using $gt, $gte, $lt, $lte, etc, we need to cast the value to a Date
-  castForQuery($conditional, val, context): Date | undefined {
+  castForQuery($conditional: string | undefined, val: unknown, context: unknown): Date | undefined {
     if ($conditional == null) {
-      // noExplicitAny: applySetters is an internal Mongoose SchemaType method not in public type definitions
+      // biome-ignore lint/suspicious/noExplicitAny: applySetters is an internal Mongoose SchemaType method not in public type definitions
       return (this as any).applySetters(val, context);
     }
 
@@ -334,5 +341,5 @@ export class DateOnly extends SchemaType {
 }
 
 // Register DateOnly with Mongoose's Schema.Types
-// noExplicitAny: DateOnly is a custom SchemaType not declared in Mongoose's Schema.Types interface
+// biome-ignore lint/suspicious/noExplicitAny: DateOnly is a custom SchemaType not declared in Mongoose's Schema.Types interface
 (mongoose.Schema.Types as any).DateOnly = DateOnly;

package/src/populate.test.ts

@@ -1,3 +1,4 @@
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 import {beforeEach, describe, expect, it} from "bun:test";
 import mongoose, {type Document, type HydratedDocument, Schema} from "mongoose";
 

package/src/populate.ts

@@ -1,5 +1,5 @@
 import isArray from "lodash/isArray";
-import type {Document} from "mongoose";
+import type {Document, Schema} from "mongoose";
 import m2s from "mongoose-to-swagger";
 
 import {APIError} from "./errors";
@@ -8,7 +8,19 @@ const m2sOptions = {
   props: ["readOnly", "required", "enum", "default"],
 };
 
-export type PopulatePath = {
+interface OpenApiSchemaNode {
+  description?: string;
+  items?: OpenApiSchemaNode;
+  properties?: Record<string, OpenApiSchemaNode>;
+  type?: string;
+}
+
+interface SchemaPathInfo {
+  instance: string;
+  schema?: Schema;
+}
+
+export interface PopulatePath {
   // Mongoose style path population.
   // "ownerId" // populates the User that matches `ownerId`
   // "ownerId.organizationId" Nested. Populates the User that matches `ownerId`, as well as their organization.
@@ -17,28 +29,25 @@ export type PopulatePath = {
   // If not provided and path is provided, will use the path and optionally fields to
   // automatically generate the types. If only generatePathFields is provided, the type will be
   // any.
-  openApiComponent?: any;
+  openApiComponent?: string;
   // An array of strings to filter on the populated objects, following Mongoose's select
   // rules. If each field starts a preceding "-", will act as a block list and only remove those
   // fields. If each field does not start with a "-", will act as an allow list and only
   // return those fields.
   fields?: string[];
-};
+}
 
-// This function filters an object to only include specified keys.
-// It supports nested keys using dot notation (e.g., 'user.name').
-// If no keys are provided, it returns the original object.
-// The function recursively traverses the object structure to handle nested properties.
-const filterKeys = (obj: Record<string, any>, keysToKeep?: string[]): Record<string, any> => {
+// Keeps only the specified dot-notation keys from an object.
+const filterKeys = (obj: Record<string, unknown>, keysToKeep?: string[]): Record<string, unknown> => {
   if (!keysToKeep) {
     return obj;
   }
 
-  const result: Record<string, any> = {};
+  const result: Record<string, unknown> = {};
 
   const filterNestedKeys = (
-    currentObj: Record<string, any>,
-    currentResult: Record<string, any>,
+    currentObj: Record<string, unknown>,
+    currentResult: Record<string, unknown>,
     remainingKeys: string[]
   ) => {
     const currentKey = remainingKeys[0];
@@ -52,7 +61,7 @@ const filterKeys = (obj: Record<string, any>, keysToKeep?: string[]): Record<str
       if (!currentResult[firstKey]) {
         currentResult[firstKey] = {};
       }
-      filterNestedKeys(currentObj[firstKey], currentResult[firstKey], [
+      filterNestedKeys(currentObj[firstKey] as Record<string, unknown>, currentResult[firstKey] as Record<string, unknown>, [
         rest.join("."),
         ...remainingKeys.slice(1),
       ]);
@@ -73,7 +82,7 @@ const filterKeys = (obj: Record<string, any>, keysToKeep?: string[]): Record<str
 
 // Helper function to get the path in the OpenAPI schema, so we can swap out the type for the
 // populated model component or generated type.
-function getPathInSchema(schema: any, path: string): string {
+const getPathInSchema = (schema: OpenApiSchemaNode, path: string): string => {
   const keys = path.split(".");
   let currentSchema = schema;
   let fullPath = "";
@@ -94,52 +103,50 @@ function getPathInSchema(schema: any, path: string): string {
       // If we're at the last key and it's an array, we don't need to add anything
       break;
     } else {
-      throw new Error(`Path ${path} not found in schema at key ${key}`);
+      throw new APIError({status: 500, title: `Path ${path} not found in schema at key ${key}`});
     }
   }
 
   return fullPath;
-}
+};
 
-// Replaces populated properties with the populated schema.
-// Recursively walks a Mongoose schema and fixes any Mixed fields in the
-// OpenAPI properties so they use an empty schema (accepts any type) instead
-// of the `{type: "object", properties: {}}` that mongoose-to-swagger emits.
-export const fixMixedFields = (schema: any, properties: Record<string, any>): void => {
+// Corrects Mixed-type fields in OpenAPI properties so they accept any value.
+export const fixMixedFields = (schema: Schema | null, properties: Record<string, OpenApiSchemaNode> | Record<string, unknown> | null): void => {
   if (!properties || !schema) {
     return;
   }
 
-  for (const key of Object.keys(properties)) {
-    const schemaPath = schema.path(key);
+  const props = properties as Record<string, OpenApiSchemaNode>;
+  for (const key of Object.keys(props)) {
+    const schemaPath = schema.path(key) as unknown as SchemaPathInfo | undefined;
     if (!schemaPath) {
       continue;
     }
 
     // Direct Mixed field
     if (schemaPath.instance === "Mixed") {
-      properties[key] = {description: properties[key]?.description};
+      props[key] = {description: props[key]?.description};
       continue;
     }
 
     // Array of sub-documents — check each sub-field for Mixed
-    if (
-      schemaPath.instance === "Array" &&
-      schemaPath.schema &&
-      properties[key]?.items?.properties
-    ) {
-      fixMixedFields(schemaPath.schema, properties[key].items.properties);
+    if (schemaPath.instance === "Array" && schemaPath.schema) {
+      const itemProperties = props[key]?.items?.properties;
+      if (itemProperties) {
+        fixMixedFields(schemaPath.schema, itemProperties);
+      }
     }
   }
 };
 
-export function getOpenApiSpecForModel(
+export const getOpenApiSpecForModel = (
+  // biome-ignore lint/suspicious/noExplicitAny: noExplicitAny: Mongoose Model param uses deep internal APIs (schema.path().options.ref, schema.virtuals, schema.childSchemas, db.model) that are not exposed in public type definitions
   model: any,
   {
     populatePaths,
     extraModelProperties,
   }: {populatePaths?: PopulatePath[]; extraModelProperties?: Record<string, unknown>} = {}
-): {properties: Record<string, unknown>; required: string[]} {
+): {properties: Record<string, unknown>; required: string[]} => {
   const modelSwagger = m2s(model, {
     props: ["required", "enum"],
   });
@@ -241,19 +248,20 @@ export function getOpenApiSpecForModel(
     properties: {...modelSwagger.properties, ...extraModelProperties},
     required: modelSwagger.required ?? [],
   };
-}
+};
 
 // Helper function to unpopulate a document that has been populated.
 // This is helpful for supporting backwards compatibility. E.g. you use populatePaths
 // to populate a document but if the version header for the request is below the version
 // that the populatePath was added, we remove the population and just return the _id.
-export function unpopulate<T>(doc: Document<T>, path: string): Document<T> {
+export const unpopulate = <T>(doc: Document<T>, path: string): Document<T> => {
   if (!path) {
     throw new APIError({status: 500, title: "path is required for unpopulate"});
   }
   const pathParts = path.split(".");
 
   // Recursive because we need to support nested paths.
+  // biome-ignore lint/suspicious/noExplicitAny: noExplicitAny: recursive document traversal uses bracket-notation indexing on arbitrary nested document shapes that Mongoose Document types do not expose
   const recursiveUnpopulate = (current: any, parts: string[]): any => {
     const part = parts[0];
 
@@ -266,7 +274,7 @@ export function unpopulate<T>(doc: Document<T>, path: string): Document<T> {
       // Base case: we've reached the last part of the path
       if (Array.isArray(current[part])) {
         // If the field is an array, recursively unpopulate each element
-        current[part] = current[part].map((item: any) => {
+        current[part] = current[part].map((item) => {
           return item?._id ? item._id : item;
         });
       } else if (current[part]?._id) {
@@ -288,4 +296,4 @@ export function unpopulate<T>(doc: Document<T>, path: string): Document<T> {
   };
 
   return recursiveUnpopulate(doc, pathParts);
-}
+};