@terreno/api 0.20.1 → 0.21.0

package/src/api.test.ts

@@ -2040,5 +2040,174 @@ describe("@terreno/api", () => {
 
       expect(res.body.data.name).toBe("Spinach");
     });
+
+    it("returns 400 when X-Unmodified-Since-ISO header is an invalid date", async () => {
+      const res = await agent
+        .patch(`/food/${spinach._id}`)
+        .set("X-Unmodified-Since-ISO", "not-a-date")
+        .send({name: "Bad Date"})
+        .expect(400);
+
+      expect(res.body.title).toBe("Invalid conflict-detection timestamp");
+      expect(res.body.detail).toContain("X-Unmodified-Since-ISO");
+    });
+
+    it("returns 400 when If-Unmodified-Since header is an invalid HTTP date", async () => {
+      const res = await agent
+        .patch(`/food/${spinach._id}`)
+        .set("If-Unmodified-Since", "not-a-valid-http-date")
+        .send({name: "Bad HTTP Date"})
+        .expect(400);
+
+      expect(res.body.title).toBe("Invalid conflict-detection timestamp");
+      expect(res.body.detail).toContain("If-Unmodified-Since");
+    });
+
+    it("returns 400 when _updatedAt body field is an invalid date", async () => {
+      const res = await agent
+        .patch(`/food/${spinach._id}`)
+        .send({_updatedAt: "garbage-date", name: "Bad Body Date"})
+        .expect(400);
+
+      expect(res.body.title).toBe("Invalid conflict-detection timestamp");
+      expect(res.body.detail).toContain("_updatedAt");
+    });
+
+    it("handles doc timestamp stored as ISO string", async () => {
+      await FoodModel.collection.updateOne(
+        {_id: spinach._id as unknown as mongoose.Types.ObjectId},
+        {$set: {updated: "2025-06-15T12:00:00.000Z"}}
+      );
+
+      const res = await agent
+        .patch(`/food/${spinach._id}`)
+        .set("If-Unmodified-Since", DateTime.fromISO("2025-06-15T11:00:00.000Z").toHTTP()!)
+        .send({name: "String Timestamp"})
+        .expect(409);
+
+      expect(res.body.error).toBe("Conflict");
+    });
+  });
+
+  describe("three-arg modelRouter registration", () => {
+    it("returns a ModelRouterRegistration with path and realtime", () => {
+      const registration = modelRouter("/food", FoodModel, {
+        permissions: {
+          create: [Permissions.IsAny],
+          delete: [Permissions.IsAny],
+          list: [Permissions.IsAny],
+          read: [Permissions.IsAny],
+          update: [Permissions.IsAny],
+        },
+        realtime: {methods: ["create", "update", "delete"], roomStrategy: "model"},
+      });
+      expect(registration).toHaveProperty("__type", "modelRouter");
+      expect(registration).toHaveProperty("path", "/food");
+      expect(registration).toHaveProperty("router");
+      expect(registration).toHaveProperty("_buildWithOpenApi");
+    });
+
+    it("logs a warning when realtime config is used without the path form", () => {
+      const router = modelRouter(FoodModel, {
+        permissions: {
+          create: [Permissions.IsAny],
+          delete: [Permissions.IsAny],
+          list: [Permissions.IsAny],
+          read: [Permissions.IsAny],
+          update: [Permissions.IsAny],
+        },
+        realtime: {methods: ["create", "update", "delete"], roomStrategy: "model"},
+      });
+      // Returns a plain Router, not a registration, because no path was given
+      expect(router).toBeDefined();
+      expect(router).not.toHaveProperty("__type");
+    });
+  });
+
+  describe("create transform error wrapping", () => {
+    let admin: mongoose.HydratedDocument<User>;
+    let agent: TestAgent;
+
+    beforeEach(async () => {
+      [admin] = await setupDb();
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as unknown as Parameters<typeof setupAuth>[1]);
+      addAuthRoutes(app, UserModel as unknown as Parameters<typeof addAuthRoutes>[1]);
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          transformer: {
+            transform: () => {
+              throw new Error("generic transform error");
+            },
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "admin");
+    });
+
+    it("wraps non-APIError transform errors in a 400 APIError on create", async () => {
+      const res = await agent
+        .post("/food")
+        .send({calories: 10, name: "New Food", ownerId: admin._id})
+        .expect(400);
+
+      expect(res.body.title).toContain("generic transform error");
+    });
+  });
+
+  describe("update transform error wrapping", () => {
+    let admin: mongoose.HydratedDocument<User>;
+    let agent: TestAgent;
+    let spinach: Food;
+
+    beforeEach(async () => {
+      [admin] = await setupDb();
+      spinach = await FoodModel.create({
+        calories: 10,
+        created: new Date(),
+        hidden: false,
+        name: "Spinach",
+        ownerId: admin._id,
+      });
+
+      app = getBaseServer();
+      setupAuth(app, UserModel as unknown as Parameters<typeof setupAuth>[1]);
+      addAuthRoutes(app, UserModel as unknown as Parameters<typeof addAuthRoutes>[1]);
+      app.use(
+        "/food",
+        modelRouter(FoodModel, {
+          permissions: {
+            create: [Permissions.IsAny],
+            delete: [Permissions.IsAny],
+            list: [Permissions.IsAny],
+            read: [Permissions.IsAny],
+            update: [Permissions.IsAny],
+          },
+          transformer: {
+            transform: () => {
+              throw new Error("update transform error");
+            },
+          },
+        })
+      );
+      server = supertest(app);
+      agent = await authAsUser(app, "admin");
+    });
+
+    it("wraps non-APIError transform errors in a 403 APIError on update", async () => {
+      const res = await agent.patch(`/food/${spinach._id}`).send({name: "Updated"}).expect(403);
+
+      expect(res.body.title).toContain("update transform error");
+    });
   });
 });

package/src/api.ts

@@ -342,6 +342,75 @@ export interface ModelRouterOptions<T> {
   realtime?: RealtimeConfig;
 }
 
+/**
+ * Parses a date-range query bound from an ISO-8601 string using Luxon, throwing a 400
+ * APIError when the value cannot be parsed. Centralizes date-string parsing so the repo's
+ * Luxon convention is honored for admin changelist date-range filters.
+ */
+const parseDateRangeBound = (rawValue: unknown, queryKey: string): Date => {
+  const parsed = DateTime.fromISO(String(rawValue), {zone: "utc"});
+  if (!parsed.isValid) {
+    throw new APIError({
+      status: 400,
+      title: `Invalid date for query parameter ${queryKey}`,
+    });
+  }
+  return parsed.toJSDate();
+};
+
+/**
+ * Collapses `field_gte` / `field_lte` query pairs into `{ field: { $gte, $lte } }` for Date paths,
+ * so admin changelist date-range filters map to valid Mongoose range queries.
+ */
+const mergeDateRangeQueryParams = <T>(
+  model: Model<T>,
+  query: Record<string, unknown>
+): Record<string, unknown> => {
+  const schema = model.schema;
+  const result: Record<string, unknown> = {...query};
+  const dateRangeBases = new Set<string>();
+  for (const key of Object.keys(result)) {
+    const match = /^(.+)_(gte|lte)$/.exec(key);
+    if (!match) {
+      continue;
+    }
+    const baseField = match[1];
+    const path = schema.path(baseField);
+    if (!path || path.instance !== "Date") {
+      continue;
+    }
+    dateRangeBases.add(baseField);
+  }
+  for (const baseField of dateRangeBases) {
+    const gteKey = `${baseField}_gte`;
+    const lteKey = `${baseField}_lte`;
+    const gteRaw = result[gteKey];
+    const lteRaw = result[lteKey];
+    const bounds: {$gte?: Date; $lte?: Date} = {};
+    if (gteRaw !== undefined && gteRaw !== null && String(gteRaw).trim() !== "") {
+      bounds.$gte = parseDateRangeBound(gteRaw, gteKey);
+    }
+    if (lteRaw !== undefined && lteRaw !== null && String(lteRaw).trim() !== "") {
+      bounds.$lte = parseDateRangeBound(lteRaw, lteKey);
+    }
+    if (Object.keys(bounds).length === 0) {
+      continue;
+    }
+    delete result[gteKey];
+    delete result[lteKey];
+    const direct = result[baseField];
+    if (direct !== undefined && direct !== null && typeof direct !== "object") {
+      delete result[baseField];
+    }
+    if (typeof direct === "object" && direct !== null && !Array.isArray(direct)) {
+      result[baseField] = {...(direct as Record<string, unknown>), ...bounds};
+    } else {
+      result[baseField] = bounds;
+    }
+  }
+  return result;
+};
+
 // Ensures query params are allowed. Also checks nested query params when using $and/$or.
 const checkQueryParamAllowed = (
   queryParam: string,
@@ -711,6 +780,8 @@ function _buildModelRouter<T>(model: Model<T>, options: ModelRouterOptions<T>):
         }
       }
 
+      query = mergeDateRangeQueryParams(model, query);
+
       // Special operators. NOTE: these request Mongo Atlas.
       if (req.query.$search) {
         mongoose.connection.db?.collection(model.collection.collectionName);

package/src/auth.test.ts

@@ -7,9 +7,9 @@ import type TestAgent from "supertest/lib/agent";
 
 import {modelRouter} from "./api";
 import {addAuthRoutes, addMeRoutes, generateTokens, setupAuth} from "./auth";
-import {setupServer} from "./expressServer";
 import {Permissions} from "./permissions";
 import {getCurrentRequestContext} from "./requestContext";
+import {TerrenoApp} from "./terrenoApp";
 import {type Food, FoodModel, getBaseServer, setupDb, UserModel} from "./tests";
 import {AdminOwnerTransformer} from "./transformers";
 import {timeout} from "./utils";
@@ -151,11 +151,11 @@ describe("auth tests", () => {
         })
       );
     }
-    app = setupServer({
-      addRoutes,
+    app = new TerrenoApp({
+      configureApp: addRoutes,
       skipListen: true,
       userModel: UserModel as any,
-    });
+    }).build();
     agent = supertest.agent(app);
   });
 
@@ -827,11 +827,11 @@ describe("addAuthRoutes /refresh_token error paths", () => {
   beforeEach(async () => {
     setSystemTime();
     await setupDb();
-    app = setupServer({
-      addRoutes: () => {},
+    app = new TerrenoApp({
+      configureApp: () => {},
       skipListen: true,
       userModel: UserModel as any,
-    });
+    }).build();
     agent = supertest.agent(app);
   });
 
@@ -892,11 +892,11 @@ describe("addMeRoutes edge cases", () => {
   beforeEach(async () => {
     setSystemTime();
     await setupDb();
-    app = setupServer({
-      addRoutes: () => {},
+    app = new TerrenoApp({
+      configureApp: () => {},
       skipListen: true,
       userModel: UserModel as any,
-    });
+    }).build();
     agent = supertest.agent(app);
   });
 

package/src/betterAuth.ts

@@ -63,7 +63,7 @@ export interface BetterAuthConfig {
 }
 
 /**
- * Auth provider selection for setupServer.
+ * Auth provider selection for TerrenoApp.
  * - "jwt": Traditional JWT/Passport authentication (default)
  * - "better-auth": Better Auth with OAuth support
  */

package/src/consentApp.test.ts

@@ -39,6 +39,7 @@ describe("ConsentApp", () => {
     it("returns empty list when no forms exist", async () => {
       const res = await adminAgent.get("/consent-forms").expect(200);
       expect(res.body.data).toHaveLength(0);
+      expect(res.body.requestId).toBe(res.headers["x-request-id"]);
     });
 
     it("lists consent forms for admins", async () => {

package/src/example.ts

@@ -4,7 +4,6 @@ import passportLocalMongoose from "passport-local-mongoose";
 
 import {type ModelRouterOptions, modelRouter} from "./api";
 import {addAuthRoutes, setupAuth, type UserModel as UserMongooseModel} from "./auth";
-import {setupServer} from "./expressServer";
 import {logger} from "./logger";
 import {Permissions} from "./permissions";
 import {
@@ -14,6 +13,7 @@ import {
   findOneOrNone,
   isDeletedPlugin,
 } from "./plugins";
+import {TerrenoApp} from "./terrenoApp";
 
 mongoose
   .connect("mongodb://localhost:27017/example")
@@ -116,12 +116,12 @@ const getBaseServer = () => {
     );
   };
 
-  return setupServer({
-    addRoutes,
+  return new TerrenoApp({
+    configureApp: addRoutes,
     loggingOptions: {
       level: "debug",
     },
     userModel: UserModel as unknown as UserMongooseModel,
-  });
+  }).build();
 };
 getBaseServer();