@terreno/api 0.13.3 → 0.14.1

package/dist/notifiers/googleChatNotifier.test.js

@@ -99,6 +99,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 var bun_test_1 = require("bun:test");
 var Sentry = __importStar(require("@sentry/bun"));
 var axios_1 = __importDefault(require("axios"));

package/dist/notifiers/slackNotifier.js

@@ -112,11 +112,11 @@ var sendToSlack = function (text_1) {
         args_1[_i - 1] = arguments[_i];
     }
     return __awaiter(void 0, __spreadArray([text_1], __read(args_1), false), void 0, function (text, _a) {
-        var slackWebhookUrl, slackWebhooksString, slackWebhooks, channel, formattedText, error_1, errorObj;
-        var _b, _c, _d;
-        var _e = _a === void 0 ? {} : _a, slackChannel = _e.slackChannel, _f = _e.shouldThrow, shouldThrow = _f === void 0 ? false : _f, env = _e.env, url = _e.url;
-        return __generator(this, function (_g) {
-            switch (_g.label) {
+        var slackWebhookUrl, slackWebhooksString, slackWebhooks, channel, formattedText, error_1, message;
+        var _b;
+        var _c = _a === void 0 ? {} : _a, slackChannel = _c.slackChannel, _d = _c.shouldThrow, shouldThrow = _d === void 0 ? false : _d, env = _c.env, url = _c.url;
+        return __generator(this, function (_e) {
+            switch (_e.label) {
                 case 0:
                     slackWebhookUrl = url;
                     if (!slackWebhookUrl) {
@@ -130,8 +130,10 @@ var sendToSlack = function (text_1) {
                         channel = slackChannel !== null && slackChannel !== void 0 ? slackChannel : "default";
                         slackWebhookUrl = (_b = slackWebhooks[channel]) !== null && _b !== void 0 ? _b : slackWebhooks.default;
                         if (!slackWebhookUrl) {
-                            Sentry.captureException(new Error("No webhook url set in env for ".concat(channel, ". Slack message not sent")));
-                            logger_1.logger.debug("No webhook url set in env for ".concat(channel, "."));
+                            Sentry.captureException(new errors_1.APIError({
+                                status: 500,
+                                title: "No webhook url set in env for ".concat(channel, ". Slack message not sent"),
+                            }));
                             return [2 /*return*/];
                         }
                     }
@@ -139,24 +141,24 @@ var sendToSlack = function (text_1) {
                     if (env) {
                         formattedText = "[".concat(env.toUpperCase(), "] ").concat(text);
                     }
-                    _g.label = 1;
+                    _e.label = 1;
                 case 1:
-                    _g.trys.push([1, 3, , 4]);
+                    _e.trys.push([1, 3, , 4]);
                     return [4 /*yield*/, axios_1.default.post(slackWebhookUrl, {
                             text: formattedText,
                         })];
                 case 2:
-                    _g.sent();
+                    _e.sent();
                     return [3 /*break*/, 4];
                 case 3:
-                    error_1 = _g.sent();
-                    errorObj = error_1;
-                    logger_1.logger.error("Error posting to slack: ".concat((_c = errorObj.text) !== null && _c !== void 0 ? _c : errorObj.message));
+                    error_1 = _e.sent();
+                    message = (0, errors_1.errorMessage)(error_1);
+                    logger_1.logger.error("Error posting to slack: ".concat(message));
                     Sentry.captureException(error_1);
                     if (shouldThrow) {
                         throw new errors_1.APIError({
                             status: 500,
-                            title: "Error posting to slack: ".concat((_d = errorObj.text) !== null && _d !== void 0 ? _d : errorObj.message),
+                            title: "Error posting to slack: ".concat(message),
                         });
                     }
                     return [3 /*break*/, 4];

package/dist/notifiers/slackNotifier.test.js

@@ -102,6 +102,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 var bun_test_1 = require("bun:test");
 var Sentry = __importStar(require("@sentry/bun"));
 var axios_1 = __importDefault(require("axios"));
+var errors_1 = require("../errors");
 var slackNotifier_1 = require("./slackNotifier");
 (0, bun_test_1.describe)("sendToSlack", function () {
     var mockAxiosPost;
@@ -213,8 +214,44 @@ var slackNotifier_1 = require("./slackNotifier");
             }
         });
     }); });
+    (0, bun_test_1.it)("reports to Sentry and returns early when channel has no webhook and no default", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var captured;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0:
+                    process.env.SLACK_WEBHOOKS = JSON.stringify({ ops: "https://slack.example/ops" });
+                    return [4 /*yield*/, (0, slackNotifier_1.sendToSlack)("orphan message", { slackChannel: "alerts" })];
+                case 1:
+                    _a.sent();
+                    (0, bun_test_1.expect)(mockAxiosPost.mock.calls.length).toBe(0);
+                    (0, bun_test_1.expect)(Sentry.captureException.mock.calls.length).toBe(1);
+                    captured = Sentry.captureException.mock
+                        .calls[0][0];
+                    (0, bun_test_1.expect)(captured).toBeInstanceOf(errors_1.APIError);
+                    (0, bun_test_1.expect)(captured.title).toContain("alerts");
+                    return [2 /*return*/];
+            }
+        });
+    }); });
+    (0, bun_test_1.it)("posts directly using the url parameter without env lookup", function () { return __awaiter(void 0, void 0, void 0, function () {
+        var _a, url, payload;
+        return __generator(this, function (_b) {
+            switch (_b.label) {
+                case 0:
+                    mockAxiosPost.mockResolvedValue({ status: 200 });
+                    return [4 /*yield*/, (0, slackNotifier_1.sendToSlack)("direct msg", { url: "https://direct.example/hook" })];
+                case 1:
+                    _b.sent();
+                    (0, bun_test_1.expect)(mockAxiosPost.mock.calls.length).toBe(1);
+                    _a = __read(mockAxiosPost.mock.calls[0], 2), url = _a[0], payload = _a[1];
+                    (0, bun_test_1.expect)(url).toBe("https://direct.example/hook");
+                    (0, bun_test_1.expect)(payload).toEqual({ text: "direct msg" });
+                    return [2 /*return*/];
+            }
+        });
+    }); });
     (0, bun_test_1.it)("captures error and throws APIError when shouldThrow=true", function () { return __awaiter(void 0, void 0, void 0, function () {
-        var error_1;
+        var error_1, apiError;
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0:
@@ -231,8 +268,9 @@ var slackNotifier_1 = require("./slackNotifier");
                     throw new Error("Expected sendToSlack to throw APIError");
                 case 3:
                     error_1 = _a.sent();
-                    (0, bun_test_1.expect)(error_1.name).toBe("APIError");
-                    (0, bun_test_1.expect)(error_1.title).toMatch(/Error posting to slack/i);
+                    apiError = error_1;
+                    (0, bun_test_1.expect)(apiError.name).toBe("APIError");
+                    (0, bun_test_1.expect)(apiError.title).toMatch(/Error posting to slack/i);
                     return [3 /*break*/, 4];
                 case 4:
                     (0, bun_test_1.expect)(mockAxiosPost.mock.calls.length).toBe(1);

package/dist/notifiers/zoomNotifier.js

@@ -103,7 +103,7 @@ var logger_1 = require("../logger");
  * Uses Zoom's rich message format (format=full) with structured header and body.
  */
 var sendToZoom = function (_a, _b) { return __awaiter(void 0, [_a, _b], void 0, function (_c, _d) {
-    var zoomWebhooksString, msg, zoomWebhooks, zoomChannel, zoomWebhookUrl, msg, zoomToken, msg, messageBody, error_1, errorMessage;
+    var zoomWebhooksString, msg, zoomWebhooks, zoomChannel, zoomWebhookUrl, msg, zoomToken, msg, messageBody, error_1, message;
     var _e, _f, _g, _h, _j, _k;
     var header = _c.header, body = _c.body, subheader = _c.subheader;
     var channel = _d.channel, _l = _d.shouldThrow, shouldThrow = _l === void 0 ? false : _l, env = _d.env;
@@ -113,8 +113,7 @@ var sendToZoom = function (_a, _b) { return __awaiter(void 0, [_a, _b], void 0,
                 zoomWebhooksString = process.env.ZOOM_CHAT_WEBHOOKS;
                 if (!zoomWebhooksString) {
                     msg = "ZOOM_CHAT_WEBHOOKS not set. Zoom message not sent";
-                    Sentry.captureException(new Error(msg));
-                    logger_1.logger.error(msg);
+                    Sentry.captureException(new errors_1.APIError({ status: 500, title: msg }));
                     return [2 /*return*/];
                 }
                 zoomWebhooks = JSON.parse(zoomWebhooksString !== null && zoomWebhooksString !== void 0 ? zoomWebhooksString : "{}");
@@ -122,15 +121,13 @@ var sendToZoom = function (_a, _b) { return __awaiter(void 0, [_a, _b], void 0,
                 zoomWebhookUrl = (_f = (_e = zoomWebhooks[zoomChannel]) === null || _e === void 0 ? void 0 : _e.channel) !== null && _f !== void 0 ? _f : (_g = zoomWebhooks.default) === null || _g === void 0 ? void 0 : _g.channel;
                 if (!zoomWebhookUrl) {
                     msg = "No webhook url set in env for ".concat(zoomChannel, ". Zoom message not sent");
-                    Sentry.captureException(new Error(msg));
-                    logger_1.logger.error(msg);
+                    Sentry.captureException(new errors_1.APIError({ status: 500, title: msg }));
                     return [2 /*return*/];
                 }
                 zoomToken = (_j = (_h = zoomWebhooks[zoomChannel]) === null || _h === void 0 ? void 0 : _h.verificationToken) !== null && _j !== void 0 ? _j : (_k = zoomWebhooks.default) === null || _k === void 0 ? void 0 : _k.verificationToken;
                 if (!zoomToken) {
                     msg = "No verification token set in env for ".concat(zoomChannel, ". Zoom message not sent");
-                    Sentry.captureException(new Error(msg));
-                    logger_1.logger.error(msg);
+                    Sentry.captureException(new errors_1.APIError({ status: 500, title: msg }));
                     return [2 /*return*/];
                 }
                 messageBody = {
@@ -163,13 +160,13 @@ var sendToZoom = function (_a, _b) { return __awaiter(void 0, [_a, _b], void 0,
                 return [3 /*break*/, 4];
             case 3:
                 error_1 = _m.sent();
-                errorMessage = error_1 instanceof Error ? error_1.message : String(error_1);
-                logger_1.logger.error("Error posting to Zoom: ".concat(errorMessage));
+                message = (0, errors_1.errorMessage)(error_1);
+                logger_1.logger.error("Error posting to Zoom: ".concat(message));
                 Sentry.captureException(error_1);
                 if (shouldThrow) {
                     throw new errors_1.APIError({
                         status: 500,
-                        title: "Error posting to Zoom: ".concat(errorMessage),
+                        title: "Error posting to Zoom: ".concat(message),
                     });
                 }
                 return [3 /*break*/, 4];

package/dist/notifiers/zoomNotifier.test.js

@@ -99,6 +99,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 var bun_test_1 = require("bun:test");
 var Sentry = __importStar(require("@sentry/bun"));
 var axios_1 = __importDefault(require("axios"));

package/dist/openApi.d.ts

@@ -58,4 +58,4 @@ export declare function listOpenApiMiddleware<T>(model: Model<T>, options: Parti
 export declare function createOpenApiMiddleware<T>(model: Model<T>, options: Partial<ModelRouterOptions<T>>): express.RequestHandler;
 export declare function patchOpenApiMiddleware<T>(model: Model<T>, options: Partial<ModelRouterOptions<T>>): express.RequestHandler;
 export declare function deleteOpenApiMiddleware<T>(model: Model<T>, options: Partial<ModelRouterOptions<T>>): express.RequestHandler;
-export declare function readOpenApiMiddleware<T>(options: Partial<ModelRouterOptions<T>>, properties: any, required: string[], queryParameters: any): any;
+export declare function readOpenApiMiddleware<T>(options: Partial<ModelRouterOptions<T>>, properties: Record<string, unknown>, required: string[], queryParameters: Array<Record<string, unknown>>): express.RequestHandler;

package/dist/openApi.test.js

@@ -66,6 +66,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 var bun_test_1 = require("bun:test");
 var supertest_1 = __importDefault(require("supertest"));
 var api_1 = require("./api");

package/dist/openApiBuilder.d.ts

@@ -1,3 +1,35 @@
+/**
+ * OpenAPI Middleware Builder
+ *
+ * This module provides a fluent builder pattern for constructing OpenAPI middleware
+ * for Express routes that don't directly map to Mongoose models. It allows you to
+ * define custom API documentation with full control over request/response schemas.
+ *
+ * @packageDocumentation
+ *
+ * @example
+ * ```typescript
+ * import {createOpenApiBuilder} from "./openApiBuilder";
+ *
+ * // Create middleware with custom documentation
+ * const middleware = createOpenApiBuilder(options)
+ *   .withTags(["users"])
+ *   .withSummary("Get user statistics")
+ *   .withDescription("Returns aggregated statistics for the current user")
+ *   .withQueryParameter("period", {type: "string"}, {
+ *     description: "Time period for statistics",
+ *     required: false,
+ *   })
+ *   .withResponse<{count: number; average: number}>(200, {
+ *     count: {type: "number", description: "Total count"},
+ *     average: {type: "number", description: "Average value"},
+ *   })
+ *   .build();
+ *
+ * router.get("/stats", middleware, statsHandler);
+ * ```
+ */
+import type express from "express";
 import type { ModelRouterOptions } from "./api";
 /**
  * Defines a property within an OpenAPI schema.
@@ -68,7 +100,7 @@ export interface OpenApiSchemaProperty {
  * };
  * ```
  */
-export type OpenApiSchema = {
+export interface OpenApiSchema {
     /** The JSON Schema type (typically "object" or "array") */
     type: string;
     /** Property definitions for object types */
@@ -79,7 +111,8 @@ export type OpenApiSchema = {
     items?: OpenApiSchemaProperty;
     /** Schema for additional properties or boolean to allow/disallow them */
     additionalProperties?: OpenApiSchemaProperty | boolean;
-};
+    [key: string]: unknown;
+}
 /**
  * Defines a parameter in an OpenAPI operation.
  *
@@ -159,7 +192,7 @@ export interface OpenApiResponse {
  */
 export interface OpenApiBuildResult {
     /** The OpenAPI documentation middleware */
-    middleware: any;
+    middleware: express.RequestHandler;
     /** Request body schema if defined */
     bodySchema?: Record<string, OpenApiSchemaProperty>;
     /** Query parameter schemas if defined */
@@ -275,7 +308,7 @@ export declare class OpenApiMiddlewareBuilder {
      * });
      * ```
      */
-    withRequestBody<T extends Record<string, any>>(schema: {
+    withRequestBody<T extends Record<string, unknown>>(schema: {
         [K in keyof T]: OpenApiSchemaProperty;
     }, options?: {
         required?: boolean;
@@ -306,7 +339,7 @@ export declare class OpenApiMiddlewareBuilder {
      * builder.withResponse(204, "No content");
      * ```
      */
-    withResponse<T extends Record<string, any>>(statusCode: number, schema: {
+    withResponse<T extends Record<string, unknown>>(statusCode: number, schema: {
         [K in keyof T]: OpenApiSchemaProperty;
     } | string, options?: {
         description?: string;
@@ -334,7 +367,7 @@ export declare class OpenApiMiddlewareBuilder {
      * }, {description: "List of users"});
      * ```
      */
-    withArrayResponse<T extends Record<string, any>>(statusCode: number, itemSchema: {
+    withArrayResponse<T extends Record<string, unknown>>(statusCode: number, itemSchema: {
         [K in keyof T]: OpenApiSchemaProperty;
     }, options?: {
         description?: string;

package/dist/openApiBuilder.js

@@ -31,37 +31,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createOpenApiBuilder = exports.OpenApiMiddlewareBuilder = void 0;
-/**
- * OpenAPI Middleware Builder
- *
- * This module provides a fluent builder pattern for constructing OpenAPI middleware
- * for Express routes that don't directly map to Mongoose models. It allows you to
- * define custom API documentation with full control over request/response schemas.
- *
- * @packageDocumentation
- *
- * @example
- * ```typescript
- * import {createOpenApiBuilder} from "./openApiBuilder";
- *
- * // Create middleware with custom documentation
- * const middleware = createOpenApiBuilder(options)
- *   .withTags(["users"])
- *   .withSummary("Get user statistics")
- *   .withDescription("Returns aggregated statistics for the current user")
- *   .withQueryParameter("period", {type: "string"}, {
- *     description: "Time period for statistics",
- *     required: false,
- *   })
- *   .withResponse<{count: number; average: number}>(200, {
- *     count: {type: "number", description: "Total count"},
- *     average: {type: "number", description: "Average value"},
- *   })
- *   .build();
- *
- * router.get("/stats", middleware, statsHandler);
- * ```
- */
 var merge_1 = __importDefault(require("lodash/merge"));
 var logger_1 = require("./logger");
 var openApi_1 = require("./openApi");
@@ -469,6 +438,7 @@ var OpenApiMiddlewareBuilder = /** @class */ (function () {
      * router.get("/users/:id", middleware, getUserHandler);
      * ```
      */
+    // biome-ignore lint/suspicious/noExplicitAny: returns either a single RequestHandler or an array depending on validation config — callers spread or invoke
     OpenApiMiddlewareBuilder.prototype.build = function () {
         var _c, _d, _e, _f, _g;
         var noop = function (_a, _b, next) { return next(); };

package/dist/openApiBuilder.test.js

@@ -50,6 +50,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 var bun_test_1 = require("bun:test");
 var supertest_1 = __importDefault(require("supertest"));
 var api_1 = require("./api");

package/dist/openApiValidator.js

@@ -191,6 +191,7 @@ var getAjvInstance = function () {
             useDefaults: true,
             validateSchema: false,
         });
+        // biome-ignore lint/suspicious/noExplicitAny: ajv-formats has a known type compat issue with AJV instances
         (0, ajv_formats_1.default)(instance);
         ajvCache.set(key, instance);
     }

package/dist/openApiValidator.test.js

@@ -72,6 +72,7 @@ var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
     return to.concat(ar || Array.prototype.slice.call(from));
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 var bun_test_1 = require("bun:test");
 var api_1 = require("./api");
 var auth_1 = require("./auth");

package/dist/permissions.d.ts

@@ -19,8 +19,8 @@ export declare const Permissions: {
     IsAny: () => boolean;
     IsAuthenticated: (_method: RESTMethod, user?: User) => boolean;
     IsAuthenticatedOrReadOnly: (method: RESTMethod, user?: User) => boolean;
-    IsOwner: (_method: RESTMethod, user?: User, obj?: any) => any;
-    IsOwnerOrReadOnly: (method: RESTMethod, user?: User, obj?: any) => boolean;
+    IsOwner: (_method: RESTMethod, user?: User, obj?: unknown) => boolean;
+    IsOwnerOrReadOnly: (method: RESTMethod, user?: User, obj?: unknown) => boolean;
 };
-export declare function checkPermissions<T>(method: RESTMethod, permissions: PermissionMethod<T>[], user?: User, obj?: T): Promise<boolean>;
-export declare function permissionMiddleware<T>(model: Model<T>, options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths">): (req: express.Request, _res: express.Response, next: NextFunction) => Promise<void>;
+export declare const checkPermissions: <T>(method: RESTMethod, permissions: PermissionMethod<T>[], user?: User, obj?: T) => Promise<boolean>;
+export declare const permissionMiddleware: <T>(model: Model<T>, options: Pick<ModelRouterOptions<T>, "permissions" | "populatePaths">) => (req: express.Request, _res: express.Response, next: NextFunction) => Promise<void>;

package/dist/permissions.js

@@ -83,10 +83,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Permissions = exports.OwnerQueryFilter = void 0;
-exports.checkPermissions = checkPermissions;
-exports.permissionMiddleware = permissionMiddleware;
-// Defaults closed
+exports.permissionMiddleware = exports.checkPermissions = exports.Permissions = exports.OwnerQueryFilter = void 0;
 var Sentry = __importStar(require("@sentry/bun"));
 var mongoose_1 = __importDefault(require("mongoose"));
 var api_1 = require("./api");
@@ -96,7 +93,6 @@ var OwnerQueryFilter = function (user) {
     if (user) {
         return { ownerId: user === null || user === void 0 ? void 0 : user.id };
     }
-    // Return a null, so we know to return no results.
     return null;
 };
 exports.OwnerQueryFilter = OwnerQueryFilter;
@@ -131,8 +127,10 @@ exports.Permissions = {
         if (user === null || user === void 0 ? void 0 : user.admin) {
             return true;
         }
-        var ownerId = ((_a = obj === null || obj === void 0 ? void 0 : obj.ownerId) === null || _a === void 0 ? void 0 : _a._id) || (obj === null || obj === void 0 ? void 0 : obj.ownerId);
-        return (user === null || user === void 0 ? void 0 : user.id) && ownerId && String(ownerId) === String(user === null || user === void 0 ? void 0 : user.id);
+        var withOwner = obj;
+        var ownerObj = withOwner.ownerId;
+        var ownerId = (_a = ownerObj === null || ownerObj === void 0 ? void 0 : ownerObj._id) !== null && _a !== void 0 ? _a : withOwner.ownerId;
+        return Boolean((user === null || user === void 0 ? void 0 : user.id) && ownerId && String(ownerId) === String(user === null || user === void 0 ? void 0 : user.id));
     },
     IsOwnerOrReadOnly: function (method, user, obj) {
         // When checking if we can possibly perform the action, return true.
@@ -142,61 +140,59 @@ exports.Permissions = {
         if (user === null || user === void 0 ? void 0 : user.admin) {
             return true;
         }
-        if ((user === null || user === void 0 ? void 0 : user.id) && (obj === null || obj === void 0 ? void 0 : obj.ownerId) && String(obj === null || obj === void 0 ? void 0 : obj.ownerId) === String(user === null || user === void 0 ? void 0 : user.id)) {
+        var withOwner = obj;
+        if ((user === null || user === void 0 ? void 0 : user.id) && withOwner.ownerId && String(withOwner.ownerId) === String(user === null || user === void 0 ? void 0 : user.id)) {
             return true;
         }
         return method === "list" || method === "read";
     },
 };
-function checkPermissions(method, permissions, user, obj) {
-    return __awaiter(this, void 0, void 0, function () {
-        var anyTrue, permissions_1, permissions_1_1, perm, e_1_1;
-        var e_1, _a;
-        return __generator(this, function (_b) {
-            switch (_b.label) {
-                case 0:
-                    anyTrue = false;
-                    _b.label = 1;
-                case 1:
-                    _b.trys.push([1, 6, 7, 8]);
-                    permissions_1 = __values(permissions), permissions_1_1 = permissions_1.next();
-                    _b.label = 2;
-                case 2:
-                    if (!!permissions_1_1.done) return [3 /*break*/, 5];
-                    perm = permissions_1_1.value;
-                    return [4 /*yield*/, perm(method, user, obj)];
-                case 3:
-                    // May or may not be a promise.
-                    if (!(_b.sent())) {
-                        return [2 /*return*/, false];
-                    }
-                    anyTrue = true;
-                    _b.label = 4;
-                case 4:
-                    permissions_1_1 = permissions_1.next();
-                    return [3 /*break*/, 2];
-                case 5: return [3 /*break*/, 8];
-                case 6:
-                    e_1_1 = _b.sent();
-                    e_1 = { error: e_1_1 };
-                    return [3 /*break*/, 8];
-                case 7:
-                    try {
-                        if (permissions_1_1 && !permissions_1_1.done && (_a = permissions_1.return)) _a.call(permissions_1);
-                    }
-                    finally { if (e_1) throw e_1.error; }
-                    return [7 /*endfinally*/];
-                case 8: return [2 /*return*/, anyTrue];
-            }
-        });
+var checkPermissions = function (method, permissions, user, obj) { return __awaiter(void 0, void 0, void 0, function () {
+    var anyTrue, permissions_1, permissions_1_1, perm, e_1_1;
+    var e_1, _a;
+    return __generator(this, function (_b) {
+        switch (_b.label) {
+            case 0:
+                anyTrue = false;
+                _b.label = 1;
+            case 1:
+                _b.trys.push([1, 6, 7, 8]);
+                permissions_1 = __values(permissions), permissions_1_1 = permissions_1.next();
+                _b.label = 2;
+            case 2:
+                if (!!permissions_1_1.done) return [3 /*break*/, 5];
+                perm = permissions_1_1.value;
+                return [4 /*yield*/, perm(method, user, obj)];
+            case 3:
+                if (!(_b.sent())) {
+                    return [2 /*return*/, false];
+                }
+                anyTrue = true;
+                _b.label = 4;
+            case 4:
+                permissions_1_1 = permissions_1.next();
+                return [3 /*break*/, 2];
+            case 5: return [3 /*break*/, 8];
+            case 6:
+                e_1_1 = _b.sent();
+                e_1 = { error: e_1_1 };
+                return [3 /*break*/, 8];
+            case 7:
+                try {
+                    if (permissions_1_1 && !permissions_1_1.done && (_a = permissions_1.return)) _a.call(permissions_1);
+                }
+                finally { if (e_1) throw e_1.error; }
+                return [7 /*endfinally*/];
+            case 8: return [2 /*return*/, anyTrue];
+        }
     });
-}
+}); };
+exports.checkPermissions = checkPermissions;
 // Check the permissions for a given model and method. If the method is a read, update, or delete,
 // finds the relevant object, checks the permissions, and attaches the object to the request as
 // req.obj.
-function permissionMiddleware(model, options) {
-    var _this = this;
-    return function (req, _res, next) { return __awaiter(_this, void 0, void 0, function () {
+var permissionMiddleware = function (model, options) {
+    return function (req, _res, next) { return __awaiter(void 0, void 0, void 0, function () {
         var method, reqMethod, builtQuery, populatedQuery, data, error_1, hiddenDoc, error, reason, error, error_2;
         var _a, _b;
         return __generator(this, function (_c) {
@@ -233,7 +229,7 @@ function permissionMiddleware(model, options) {
                             title: "Method ".concat(req.method, " not allowed"),
                         });
                     }
-                    return [4 /*yield*/, checkPermissions(method, options.permissions[method], req.user)];
+                    return [4 /*yield*/, (0, exports.checkPermissions)(method, options.permissions[method], req.user)];
                 case 2:
                     // All methods check for permissions.
                     if (!(_c.sent())) {
@@ -247,14 +243,16 @@ function permissionMiddleware(model, options) {
                         return [2 /*return*/, next()];
                     }
                     builtQuery = model.findById(req.params.id);
-                    populatedQuery = (0, api_1.addPopulateToQuery)(builtQuery, options.populatePaths);
+                    populatedQuery = (0, api_1.addPopulateToQuery)(
+                    // biome-ignore lint/suspicious/noExplicitAny: Query types vary based on populate paths
+                    builtQuery, options.populatePaths);
                     data = void 0;
                     _c.label = 3;
                 case 3:
                     _c.trys.push([3, 5, , 6]);
                     return [4 /*yield*/, populatedQuery.exec()];
                 case 4:
-                    data = _c.sent();
+                    data = (_c.sent());
                     return [3 /*break*/, 6];
                 case 5:
                     error_1 = _c.sent();
@@ -279,13 +277,16 @@ function permissionMiddleware(model, options) {
                         error.meta = undefined;
                         throw error;
                     }
-                    reason = hiddenDoc.deleted
-                        ? { deleted: "true" }
-                        : hiddenDoc.disabled
-                            ? { disabled: "true" }
-                            : hiddenDoc.archived
-                                ? { archived: "true" }
-                                : null;
+                    reason = null;
+                    if (hiddenDoc.deleted) {
+                        reason = { deleted: "true" };
+                    }
+                    else if (hiddenDoc.disabled) {
+                        reason = { disabled: "true" };
+                    }
+                    else if (hiddenDoc.archived) {
+                        reason = { archived: "true" };
+                    }
                     // If no reason found, treat as not found
                     if (!reason) {
                         error = new errors_1.APIError({
@@ -302,7 +303,7 @@ function permissionMiddleware(model, options) {
                         status: 404,
                         title: "Document ".concat(req.params.id, " not found for model ").concat(model.modelName),
                     });
-                case 8: return [4 /*yield*/, checkPermissions(method, options.permissions[method], req.user, data)];
+                case 8: return [4 /*yield*/, (0, exports.checkPermissions)(method, options.permissions[method], req.user, data)];
                 case 9:
                     if (!(_c.sent())) {
                         throw new errors_1.APIError({
@@ -320,4 +321,5 @@ function permissionMiddleware(model, options) {
             }
         });
     }); };
-}
+};
+exports.permissionMiddleware = permissionMiddleware;

package/dist/permissions.middleware.test.js

@@ -96,6 +96,7 @@ var __read = (this && this.__read) || function (o, n) {
     return ar;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 var bun_test_1 = require("bun:test");
 var Sentry = __importStar(require("@sentry/bun"));
 var errors_1 = require("./errors");

package/dist/permissions.test.js

@@ -55,6 +55,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+// biome-ignore-all lint/suspicious/noExplicitAny: test mock typing
 var bun_test_1 = require("bun:test");
 var supertest_1 = __importDefault(require("supertest"));
 var api_1 = require("./api");