next-data-kit 1.0.0 → 2.0.0

package/dist/index.d.cts

@@ -155,7 +155,7 @@ type TSortEntry = {
  */
 type TFilterConfig = {
     [key: string]: {
-        type: 'regex' | 'exact';
+        type: 'REGEX' | 'EXACT';
         field?: string;
     };
 };
@@ -182,7 +182,7 @@ type TDataKitInput<T = unknown> = {
     limit?: number;
     sort?: TSortOptions<T>;
     sorts?: TSortEntry[];
-    query?: Record<string, unknown>;
+    query?: Record<string, string | number | boolean>;
     filter?: Record<string, unknown>;
     filterConfig?: TFilterConfig;
     filterCustom?: TFilterCustomConfig<T>;
@@ -493,6 +493,9 @@ type TDataKitServerActionOptions<T, R> = {
     filter?: (filterInput?: Record<string, unknown>) => TMongoFilterQuery<T>;
     filterCustom?: TFilterCustomConfigWithFilter<T, TMongoFilterQuery<T>>;
     defaultSort?: TSortOptions<T>;
+    maxLimit?: number;
+    filterAllowed?: string[];
+    queryAllowed?: string[];
 };
 declare const dataKitServerAction: <T, R>(props: Readonly<TDataKitServerActionOptions<T, R>>) => Promise<TDataKitResult<R>>;
 
@@ -506,6 +509,7 @@ declare const mongooseAdapter: <M extends TMongoModel<unknown, object>, DocType
     filter?: (filterInput?: Record<string, unknown>) => TMongoFilterQuery<DocType>;
     filterCustom?: TFilterCustomConfigWithFilter<DocType, TMongoFilterQuery<DocType>>;
     defaultSort?: TSortOptions<DocType>;
+    [key: string]: any;
 }>) => TDataKitAdapter<DocType>;
 
 /**

package/dist/index.d.ts

@@ -155,7 +155,7 @@ type TSortEntry = {
  */
 type TFilterConfig = {
     [key: string]: {
-        type: 'regex' | 'exact';
+        type: 'REGEX' | 'EXACT';
         field?: string;
     };
 };
@@ -182,7 +182,7 @@ type TDataKitInput<T = unknown> = {
     limit?: number;
     sort?: TSortOptions<T>;
     sorts?: TSortEntry[];
-    query?: Record<string, unknown>;
+    query?: Record<string, string | number | boolean>;
     filter?: Record<string, unknown>;
     filterConfig?: TFilterConfig;
     filterCustom?: TFilterCustomConfig<T>;
@@ -493,6 +493,9 @@ type TDataKitServerActionOptions<T, R> = {
     filter?: (filterInput?: Record<string, unknown>) => TMongoFilterQuery<T>;
     filterCustom?: TFilterCustomConfigWithFilter<T, TMongoFilterQuery<T>>;
     defaultSort?: TSortOptions<T>;
+    maxLimit?: number;
+    filterAllowed?: string[];
+    queryAllowed?: string[];
 };
 declare const dataKitServerAction: <T, R>(props: Readonly<TDataKitServerActionOptions<T, R>>) => Promise<TDataKitResult<R>>;
 
@@ -506,6 +509,7 @@ declare const mongooseAdapter: <M extends TMongoModel<unknown, object>, DocType
     filter?: (filterInput?: Record<string, unknown>) => TMongoFilterQuery<DocType>;
     filterCustom?: TFilterCustomConfigWithFilter<DocType, TMongoFilterQuery<DocType>>;
     defaultSort?: TSortOptions<DocType>;
+    [key: string]: any;
 }>) => TDataKitAdapter<DocType>;
 
 /**

package/dist/index.js

@@ -21,8 +21,30 @@ var calculatePagination = (page, limit, total) => ({
   hasPrevPage: page > 1
 });
 
+// src/server/utils.ts
+var escapeRegex = (str) => {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+};
+var createSearchFilter = (fields) => {
+  return (value) => {
+    if (!value || typeof value !== "string") {
+      return {};
+    }
+    const escapedValue = escapeRegex(value);
+    return {
+      $or: fields.map((field) => ({
+        [field]: { $regex: escapedValue, $options: "i" }
+      }))
+    };
+  };
+};
+
 // src/server/adapters/mongoose.ts
 var isProvided = (value) => value !== void 0 && value !== null && value !== "";
+var isSafeKey = (key) => {
+  const unsafeKeys = ["__proto__", "constructor", "prototype"];
+  return !unsafeKeys.includes(key);
+};
 var mongooseAdapter = (model, options = {}) => {
   const { filter: customFilterFn, filterCustom, defaultSort = { _id: -1 } } = options;
   return async ({ filter, sorts, limit, skip, input }) => {
@@ -42,7 +64,7 @@ var mongooseAdapter = (model, options = {}) => {
     let filterQuery = {};
     if (input.query) {
       Object.entries(input.query).forEach(([key, value]) => {
-        if (isProvided(value)) {
+        if (isProvided(value) && isSafeKey(key)) {
           filterQuery[key] = value;
         }
       });
@@ -54,28 +76,28 @@ var mongooseAdapter = (model, options = {}) => {
     if (filter && !customFilterFn) {
       if (input.filterConfig) {
         Object.entries(filter).forEach(([key, value]) => {
-          if (isProvided(value) && input.filterConfig?.[key]) {
+          if (isProvided(value) && isSafeKey(key) && input.filterConfig?.[key]) {
             const config = input.filterConfig[key];
             const fieldName = config?.field ?? key;
-            if (config?.type === "regex") {
+            if (config?.type === "REGEX") {
               filterQuery[fieldName] = {
-                $regex: value,
+                $regex: escapeRegex(String(value)),
                 $options: "i"
               };
-            } else if (config?.type === "exact") {
+            } else if (config?.type === "EXACT") {
               filterQuery[fieldName] = value;
             }
           }
         });
       } else {
         Object.entries(filter).forEach(([key, value]) => {
-          if (isProvided(value)) {
+          if (isProvided(value) && isSafeKey(key)) {
             if (typeof value === "string") {
               filterQuery[key] = {
-                $regex: value,
+                $regex: escapeRegex(value),
                 $options: "i"
               };
-            } else {
+            } else if (typeof value === "number" || typeof value === "boolean") {
               filterQuery[key] = value;
             }
           }
@@ -84,7 +106,7 @@ var mongooseAdapter = (model, options = {}) => {
     }
     if (filterCustom && filter) {
       Object.entries(filter).forEach(([key, value]) => {
-        if (isProvided(value) && filterCustom[key]) {
+        if (isProvided(value) && isSafeKey(key) && filterCustom[key]) {
           const customFilter = filterCustom[key](value);
           filterQuery = { ...filterQuery, ...customFilter };
         }
@@ -98,18 +120,44 @@ var mongooseAdapter = (model, options = {}) => {
 
 // src/server/action.ts
 var dataKitServerAction = async (props) => {
-  const { input, adapter, item, filter, filterCustom, defaultSort } = props;
-  const finalAdapter = typeof adapter === "function" ? adapter : mongooseAdapter(adapter, {
-    filter,
-    filterCustom,
-    defaultSort
-  });
+  const { input, adapter, item, maxLimit = 100, filterAllowed, queryAllowed } = props;
+  if (input.query) {
+    const safeQuery = {};
+    Object.keys(input.query).forEach((key) => {
+      if (queryAllowed && !queryAllowed.includes(key)) {
+        throw new Error(`[Security] Query field '${key}' is not allowed.`);
+      }
+      const val = input.query[key];
+      if (val !== null && typeof val === "object") {
+        throw new Error(`[Security] Query value for '${key}' must be a primitive.`);
+      }
+      if (val !== void 0) {
+        safeQuery[key] = val;
+      }
+    });
+    input.query = safeQuery;
+  }
+  if (input.filter) {
+    const safeFilter = {};
+    Object.keys(input.filter).forEach((key) => {
+      if (filterAllowed && !filterAllowed.includes(key)) {
+        throw new Error(`[Security] Filter field '${key}' is not allowed.`);
+      }
+      const val = input.filter[key];
+      if (val !== null && typeof val === "object") {
+        throw new Error(`[Security] Filter value for '${key}' must be a primitive.`);
+      }
+      safeFilter[key] = val;
+    });
+    input.filter = safeFilter;
+  }
+  const finalAdapter = typeof adapter === "function" ? adapter : mongooseAdapter(adapter, props);
   switch (input.action ?? "FETCH") {
     case "FETCH": {
       if (!input.limit || !input.page) {
         throw new Error("Invalid input: missing limit or page");
       }
-      const limit = input.limit;
+      const limit = Math.min(input.limit, maxLimit);
       const skip = limit * (input.page - 1);
       const { items, total } = await finalAdapter({
         filter: input.filter ?? {},
@@ -215,39 +263,22 @@ var adapterMemory = (dataset, options = {}) => {
     return { items, total };
   };
 };
-
-// src/server/utils.ts
-var escapeRegex = (str) => {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-};
-var createSearchFilter = (fields) => {
-  return (value) => {
-    if (!value || typeof value !== "string") {
-      return {};
-    }
-    const escapedValue = escapeRegex(value);
-    return {
-      $or: fields.map((field) => ({
-        [field]: { $regex: escapedValue, $options: "i" }
-      }))
-    };
-  };
-};
 z.object({
   page: z.number().int().positive().optional(),
-  limit: z.number().int().positive().max(100, "Maximum limit is 100").optional(),
-  query: z.record(z.string(), z.unknown()).optional(),
-  filter: z.record(z.string(), z.unknown()).optional(),
+  limit: z.number().int().positive().optional(),
+  query: z.record(z.string(), z.union([z.string(), z.number(), z.boolean()])).optional(),
+  filter: z.record(z.string(), z.union([z.string(), z.number(), z.boolean(), z.null()])).optional(),
   filterConfig: z.record(z.string(), z.object({
-    type: z.enum(["regex", "exact"]),
+    type: z.enum(["REGEX", "EXACT"]),
     field: z.string().optional()
   })).optional(),
   sorts: z.array(z.object({
     path: z.string().max(100),
     // Limit path length to prevent abuse
     value: z.literal(-1).or(z.literal(1))
-  })).max(5).optional()
+  })).max(5).optional(),
   // Limit to 5 sort fields
+  sort: z.record(z.string(), z.literal(1).or(z.literal(-1))).optional()
 });
 
 // src/client/utils/cn.ts
@@ -1278,7 +1309,7 @@ var DataKitRoot = (props) => {
             /* @__PURE__ */ jsx(DropdownMenuContent, { align: "start", container: overlayContainer, children: Object.entries(selectable.actions).map(([key, action2]) => /* @__PURE__ */ jsx(DropdownMenuItem, { disabled: !!actionLoading, onSelect: () => handleSelectionAction(key), children: actionLoading === key ? "Working\u2026" : action2.name }, key)) })
           ] })
         ] }) }),
-        columns.map((col, idx) => /* @__PURE__ */ jsx(React2__default.Fragment, { children: col.sortable ? /* @__PURE__ */ jsx(TableHead, { children: /* @__PURE__ */ jsxs(
+        columns.map((col, idx) => /* @__PURE__ */ jsx(React2__default.Fragment, { children: col.sortable ? /* @__PURE__ */ jsx(TableHead, { ...React2__default.isValidElement(col.head) ? col.head.props : {}, children: /* @__PURE__ */ jsxs(
           Button,
           {
             variant: "ghost",
@@ -1293,7 +1324,10 @@ var DataKitRoot = (props) => {
           }
         ) }) : col.head }, idx))
       ] }) }),
-      /* @__PURE__ */ jsx(TableBody, { children: dataKit.state.isLoading ? /* @__PURE__ */ jsx(TableRow, { children: /* @__PURE__ */ jsx(TableCell, { colSpan, className: "h-24 text-center", children: /* @__PURE__ */ jsx(Loader2, { className: "mx-auto size-5 animate-spin" }) }) }) : dataKit.items.length === 0 ? /* @__PURE__ */ jsx(TableRow, { children: /* @__PURE__ */ jsx(TableCell, { colSpan, className: "h-24 text-center text-muted-foreground", children: "No results found." }) }) : dataKit.items.map((item, idx) => /* @__PURE__ */ jsxs(TableRow, { children: [
+      /* @__PURE__ */ jsx(TableBody, { children: dataKit.state.isLoading ? /* @__PURE__ */ jsx(TableRow, { children: /* @__PURE__ */ jsx(TableCell, { colSpan, className: "h-24 text-center", children: /* @__PURE__ */ jsx(Loader2, { className: "mx-auto size-5 animate-spin" }) }) }) : dataKit.state.error ? /* @__PURE__ */ jsx(TableRow, { children: /* @__PURE__ */ jsxs(TableCell, { colSpan, className: "h-24 text-center text-red-500", children: [
+        "Error: ",
+        dataKit.state.error.message
+      ] }) }) : dataKit.items.length === 0 ? /* @__PURE__ */ jsx(TableRow, { children: /* @__PURE__ */ jsx(TableCell, { colSpan, className: "h-24 text-center text-muted-foreground", children: "No results found." }) }) : dataKit.items.map((item, idx) => /* @__PURE__ */ jsxs(TableRow, { children: [
         selectable?.enabled && /* @__PURE__ */ jsx(TableCell, { children: /* @__PURE__ */ jsx(
           Checkbox,
           {