npm - adapt-authoring-api - Versions diffs - 3.2.1 → 3.2.2 - Mend

adapt-authoring-api 3.2.1 → 3.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/lib/AbstractApiModule.js +99 -107
package/package.json +1 -1

package/lib/AbstractApiModule.js CHANGED Viewed

@@ -142,8 +142,6 @@ class AbstractApiModule extends AbstractModule {
     const config = await loadRouteConfig(this.rootDir, this, {
       schema: 'apiroutes',
       handlerAliases: {
-        default: this.requestHandler(),
-        query: this.queryHandler(),
         serveSchema: this.serveSchema.bind(this)
       },
       defaults: new URL('../default-routes.json', import.meta.url).pathname
@@ -380,135 +378,129 @@ class AbstractApiModule extends AbstractModule {
    * Middleware to handle a generic API request. Supports POST, GET, PUT and DELETE of items in the database.
    * @return {Function} Express middleware function
    */
-  requestHandler () {
-    const requestHandler = async (req, res, next) => {
-      const method = req.method.toLowerCase()
-      const func = this[httpMethodToDBFunction(method)]
-      if (!func) {
-        return next(this.app.errors.HTTP_METHOD_NOT_SUPPORTED.setData({ method }))
-      }
-      let data
-      try {
-        await this.requestHook.invoke(req)
-        const preCheck = method !== 'get' && method !== 'post'
-        const postCheck = method === 'get'
-        if (preCheck) {
-          await this.checkAccess(req, req.apiData.query)
-        }
-        data = await func.apply(this, argsFromReq(req))
-        if (postCheck) {
-          data = await this.checkAccess(req, data)
-        }
-        data = await this.sanitise(req.apiData.schemaName, data, { isInternal: true, strict: false })
-      } catch (e) {
-        return next(e)
+  async requestHandler (req, res, next) {
+    const method = req.method.toLowerCase()
+    const func = this[httpMethodToDBFunction(method)]
+    if (!func) {
+      return next(this.app.errors.HTTP_METHOD_NOT_SUPPORTED.setData({ method }))
+    }
+    let data
+    try {
+      await this.requestHook.invoke(req)
+      const preCheck = method !== 'get' && method !== 'post'
+      const postCheck = method === 'get'
+      if (preCheck) {
+        await this.checkAccess(req, req.apiData.query)
       }
-      if (Array.isArray(data) && req.params._id) { // special case for when _id param is present
-        if (!data.length) {
-          return next(this.app.errors.NOT_FOUND.setData({ id: req.params._id, type: req.apiData.schemaName }))
-        }
-        data = data[0]
+      data = await func.apply(this, argsFromReq(req))
+      if (postCheck) {
+        data = await this.checkAccess(req, data)
       }
-      if (method !== 'get') {
-        const resource = Array.isArray(data) ? req.apiData.query : data._id.toString()
-        this.log('debug', `API_${func.name.toUpperCase()}`, resource, 'by', req.auth.user._id.toString())
+      data = await this.sanitise(req.apiData.schemaName, data, { isInternal: true, strict: false })
+    } catch (e) {
+      return next(e)
+    }
+    if (Array.isArray(data) && req.params._id) { // special case for when _id param is present
+      if (!data.length) {
+        return next(this.app.errors.NOT_FOUND.setData({ id: req.params._id, type: req.apiData.schemaName }))
       }
-      res.status(this.mapStatusCode(method)).json(data)
+      data = data[0]
+    }
+    if (method !== 'get') {
+      const resource = Array.isArray(data) ? req.apiData.query : data._id.toString()
+      this.log('debug', `API_${func.name.toUpperCase()}`, resource, 'by', req.auth.user._id.toString())
     }
-    return requestHandler
+    res.status(this.mapStatusCode(method)).json(data)
   }
   /**
    * Express request handler for advanced API queries. Supports collation/limit/page/skip/sort and pagination. For incoming query data to be correctly parsed, it must be sent as body data using a POST request.
    * @return {function}
    */
-  queryHandler () {
-    const queryHandler = async (req, res, next) => {
-      try {
-        const opts = {
-          schemaName: req.apiData.schemaName,
-          collectionName: req.apiData.collectionName
-        }
-        const mongoOpts = {}
-        // find and remove mongo options from the query
-        Object.entries(req.apiData.query).forEach(([key, val]) => {
-          if (['collation', 'limit', 'page', 'skip', 'sort'].includes(key)) {
-            try {
-              mongoOpts[key] = JSON.parse(req.apiData.query[key])
-            } catch (e) {
-              this.log('warn', `failed to parse query ${key} param '${mongoOpts[key]}', ${e}`)
-            }
-            delete req.apiData.query[key]
-          } else {
-            // otherwise assume we have a query field or option and store for later processing
-            opts[key] = val
-          }
-        })
-        // handle search parameter
-        const search = req.apiData.query.search
-        if (search) {
-          delete req.apiData.query.search
+  async queryHandler (req, res, next) {
+    try {
+      const opts = {
+        schemaName: req.apiData.schemaName,
+        collectionName: req.apiData.collectionName
+      }
+      const mongoOpts = {}
+      // find and remove mongo options from the query
+      Object.entries(req.apiData.query).forEach(([key, val]) => {
+        if (['collation', 'limit', 'page', 'skip', 'sort'].includes(key)) {
           try {
-            const schema = await this.getSchema(req.apiData.schemaName)
-            if (schema && schema.built && schema.built.properties) {
-              const searchableFields = Object.keys(schema.built.properties).filter(
-                field => schema.built.properties[field].isSearchable === true
-              )
-              if (searchableFields.length) {
-                // escape special regex characters to prevent ReDoS attacks
-                const escapedSearch = search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
-                const regex = { $regex: escapedSearch, $options: 'i' }
-                const searchConditions = searchableFields.map(f => ({ [f]: regex }))
-                // merge with existing $or if present
-                if (req.apiData.query.$or) {
-                  req.apiData.query.$and = [
-                    { $or: req.apiData.query.$or },
-                    { $or: searchConditions }
-                  ]
-                  delete req.apiData.query.$or
-                } else {
-                  req.apiData.query.$or = searchConditions
-                }
+            mongoOpts[key] = JSON.parse(req.apiData.query[key])
+          } catch (e) {
+            this.log('warn', `failed to parse query ${key} param '${mongoOpts[key]}', ${e}`)
+          }
+          delete req.apiData.query[key]
+        } else {
+          // otherwise assume we have a query field or option and store for later processing
+          opts[key] = val
+        }
+      })
+      // handle search parameter
+      const search = req.apiData.query.search
+      if (search) {
+        delete req.apiData.query.search
+        try {
+          const schema = await this.getSchema(req.apiData.schemaName)
+          if (schema && schema.built && schema.built.properties) {
+            const searchableFields = Object.keys(schema.built.properties).filter(
+              field => schema.built.properties[field].isSearchable === true
+            )
+            if (searchableFields.length) {
+              // escape special regex characters to prevent ReDoS attacks
+              const escapedSearch = search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+              const regex = { $regex: escapedSearch, $options: 'i' }
+              const searchConditions = searchableFields.map(f => ({ [f]: regex }))
+              // merge with existing $or if present
+              if (req.apiData.query.$or) {
+                req.apiData.query.$and = [
+                  { $or: req.apiData.query.$or },
+                  { $or: searchConditions }
+                ]
+                delete req.apiData.query.$or
+              } else {
+                req.apiData.query.$or = searchConditions
               }
             }
-          } catch (e) {
-            this.log('warn', `failed to process search parameter, ${e.message}`)
           }
+        } catch (e) {
+          this.log('warn', `failed to process search parameter, ${e.message}`)
         }
-        req.apiData.query = await this.parseQuery(req.apiData.schemaName, req.body, mongoOpts)
-        // remove any valid query keys from the options
-        Object.keys(req.apiData.query).forEach(key => delete opts[key])
+      }
+      req.apiData.query = await this.parseQuery(req.apiData.schemaName, req.body, mongoOpts)
+      // remove any valid query keys from the options
+      Object.keys(req.apiData.query).forEach(key => delete opts[key])
-        await this.requestHook.invoke(req)
+      await this.requestHook.invoke(req)
-        await this.setUpPagination(req, res, mongoOpts)
+      await this.setUpPagination(req, res, mongoOpts)
-        let results = await this.find(req.apiData.query, opts, mongoOpts)
+      let results = await this.find(req.apiData.query, opts, mongoOpts)
-        results = await this.checkAccess(req, results)
+      results = await this.checkAccess(req, results)
-        // If checkAccess filtered some results, fetch more to fill the page
-        const pageSize = mongoOpts.limit
-        if (pageSize && results.length < pageSize) {
-          let fetchSkip = mongoOpts.skip + pageSize
-          while (results.length < pageSize) {
-            const extra = await this.find(req.apiData.query, opts, { ...mongoOpts, skip: fetchSkip })
-            if (!extra.length) break
-            const filtered = await this.checkAccess(req, extra)
-            results = results.concat(filtered)
-            fetchSkip += extra.length
-          }
-          if (results.length > pageSize) results = results.slice(0, pageSize)
+      // If checkAccess filtered some results, fetch more to fill the page
+      const pageSize = mongoOpts.limit
+      if (pageSize && results.length < pageSize) {
+        let fetchSkip = mongoOpts.skip + pageSize
+        while (results.length < pageSize) {
+          const extra = await this.find(req.apiData.query, opts, { ...mongoOpts, skip: fetchSkip })
+          if (!extra.length) break
+          const filtered = await this.checkAccess(req, extra)
+          results = results.concat(filtered)
+          fetchSkip += extra.length
         }
+        if (results.length > pageSize) results = results.slice(0, pageSize)
+      }
-        results = await this.sanitise(req.apiData.schemaName, results, { isInternal: true, strict: false })
+      results = await this.sanitise(req.apiData.schemaName, results, { isInternal: true, strict: false })
-        res.status(this.mapStatusCode('get')).json(results)
-      } catch (e) {
-        return next(e)
-      }
+      res.status(this.mapStatusCode('get')).json(results)
+    } catch (e) {
+      return next(e)
     }
-    return queryHandler
   }
   /**

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "adapt-authoring-api",
-  "version": "3.2.1",
+  "version": "3.2.2",
   "description": "Abstract module for creating APIs",
   "homepage": "https://github.com/adapt-security/adapt-authoring-api",
   "license": "GPL-3.0",