vanta-api 1.1.5 → 1.1.6

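--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "vanta-api",
- "version": "1.1.5",
+ "version": "1.1.6",
  "description": "Advanced API features and security configuration for Node.js/MongoDB.",
  "main": "index.js",
  "scripts": {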
@@ -215,24 +215,44 @@ export class ApiFeatures {
215
215
  });
216
216
  }
217
217
 
218
- _parseQueryFilters() {
219
- const obj = { ...this.query };
220
- ["page", "limit", "sort", "fields", "populate"].forEach(
221
- (k) => delete obj[k]
222
- );
223
-
224
- // Whitelist operators
225
- const out = {};
226
- for (const [k, v] of Object.entries(obj)) {
227
- if (["or", "and"].includes(k)) {
228
- out[`$${k}`] = Array.isArray(v) ? v : [v];
218
+ _parseQueryFilters() {
219
+ const obj = { ...this.query };
220
+ // پاک کردن پارامترهای سیستماتیک
221
+ ["page", "limit", "sort", "fields", "populate"].forEach(k => delete obj[k]);
222
+
223
+ const out = {};
224
+
225
+ for (const [rawKey, rawVal] of Object.entries(obj)) {
226
+ if (typeof rawVal === 'object' && !Array.isArray(rawVal)) {
227
+ out[rawKey] = {};
228
+ for (let [op, val] of Object.entries(rawVal)) {
229
+ const cleanOp = op.replace(/^\$/, '');
230
+ if (securityConfig.allowedOperators.includes(cleanOp)) {
231
+ const v = /^[0-9]+$/.test(val) ? parseInt(val, 10) : val;
232
+ out[rawKey][`$${cleanOp}`] = v;
233
+ }
234
+ }
235
+ }
236
+ else if (/^\w+\[\$?\w+\]$/.test(rawKey)) {
237
+ const [, field, op] = rawKey.match(/^(\w+)\[\$?(\w+)\]$/);
238
+ if (securityConfig.allowedOperators.includes(op)) {
239
+ const v = /^[0-9]+$/.test(rawVal) ? parseInt(rawVal, 10) : rawVal;
240
+ out[field] = { [`$${op}`]: v };
241
+ }
242
+ }
243
+ else {
244
+ if (typeof rawVal === "string" && rawVal.includes(",")) {
245
+ out[rawKey] = rawVal.split(",");
229
246
  } else {
230
- out[k] = typeof v === "string" && v.includes(",") ? v.split(",") : v;
247
+ out[rawKey] = rawVal;
231
248
  }
232
249
  }
233
- return out;
234
250
  }
235
251
 
252
+ return out;
253
+ }
254
+
255
+
236
256
  _sanitizeFilters(filters) {
237
257
  // Simple deep clone with ObjectId and boolean parsing
238
258
  return JSON.parse(JSON.stringify(filters), (key, val) => {
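Review bot: The operator whitelist in the new `_parseQueryFilters` covers only one nesting level, so operator-shaped input can still reach the filter object around it: a top-level key that itself starts with `$` is copied unchanged by the final `else` branch (and by `out[rawKey] = {}`), and in the inner loop `val` is stored without checking that it is a primitive or an array, so an allowed operator can carry a nested object whose operators were never compared against `securityConfig.allowedOperators`. Unless `_sanitizeFilters` strips these (its body continues outside this hunk), I would skip such input explicitly with `if (rawKey.startsWith('$')) continue;` at the top of the outer loop and `if (val !== null && typeof val === 'object' && !Array.isArray(val)) continue;` before the whitelist test. `typeof rawVal === 'object'` is also true for `null`, where `Object.entries(rawVal)` throws, so the first condition needs `rawVal !== null &&`. Separately, the old `or`/`and` handling is gone and the bracket-key branch assigns `out[field] = { ... }` instead of merging, so two operators on the same field (a range) keep only the last one; please confirm both are intended.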
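--- a/package/src/config.js
+++ b/package/src/config.js
@@ -8,7 +8,6 @@ try {
  const userPath = path.resolve(process.cwd(), "security-config.js");
  userConfig = (await import(userPath))?.securityConfig || {};
  } catch (err) {
- // کاربر security-config نداشت، مشکلی نیست
  }
 
  export const securityConfig = {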