npm - vanta-api - Versions diffs - 1.4.3 → 1.4.5 - Mend

vanta-api 1.4.3 → 1.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/api-features.js +81 -47

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vanta-api",
-  "version": "1.4.3",
+  "version": "1.4.5",
   "description": "Advanced API features and security configuration for Node.js/MongoDB.",
   "main": "index.js",
   "scripts": {

package/src/api-features.js CHANGED Viewed

@@ -24,7 +24,6 @@ export class ApiFeatures {
     this.pipeline = [];
     this.manualFilters = {};
     this.useCursor = false;
     this.userRole =
       userRole && securityConfig.accessLevels?.[userRole] ? userRole : "guest";
@@ -33,10 +32,16 @@ export class ApiFeatures {
   filter() {
     const queryFilters = this._parseQueryFilters();
+    const normalizedManualFilters = this._normalizeLogicalOperators(
+      this.manualFilters
+    );
     const mergedFilters = this._deepMergeFilters(
       queryFilters,
-      this.manualFilters
+      normalizedManualFilters
     );
     const sanitizedFilters = this._sanitizeFilters(mergedFilters);
     const safeFilters = this._applySecurityFilters(sanitizedFilters);
@@ -49,7 +54,12 @@ export class ApiFeatures {
   addManualFilters(filters = {}) {
     if (filters && typeof filters === "object" && !Array.isArray(filters)) {
-      this.manualFilters = this._deepMergeFilters(this.manualFilters, filters);
+      const normalizedFilters = this._normalizeLogicalOperators(filters);
+      this.manualFilters = this._deepMergeFilters(
+        this.manualFilters,
+        normalizedFilters
+      );
     }
     return this;
@@ -57,11 +67,9 @@ export class ApiFeatures {
   search(fields = []) {
     const q = this.query.q;
     if (!q || !Array.isArray(fields) || !fields.length) return this;
     const safeQ = this._escapeRegex(String(q).trim());
     if (!safeQ) return this;
     const conditions = fields
@@ -109,7 +117,6 @@ export class ApiFeatures {
   limitFields(input = "") {
     const rawFields = [input, this.query.fields].filter(Boolean).join(",");
     if (!rawFields) return this;
     const fields = rawFields
@@ -128,9 +135,7 @@ export class ApiFeatures {
     for (const field of fields) {
       const cleanField = field.replace(/^-/, "");
       if (this._isForbiddenField(cleanField)) continue;
       project[cleanField] = field.startsWith("-") ? 0 : 1;
     }
@@ -513,13 +518,13 @@ export class ApiFeatures {
   _applyPopulateSelect({ path, select, isArray }) {
     const parsed = this._parseSelect(select);
     if (!parsed.fields.length) return;
     if (parsed.mode === "exclude") {
       this.pipeline.push({
         $unset: parsed.fields.map((field) => `${path}.${field}`),
       });
       return;
     }
@@ -564,7 +569,6 @@ export class ApiFeatures {
   _applyNestedObjectSelectInsideArray({ arrayPath, objectPath, select }) {
     const parsed = this._parseSelect(select);
     if (!parsed.fields.length) return;
     if (parsed.mode === "exclude") {
@@ -573,6 +577,7 @@ export class ApiFeatures {
           (field) => `${arrayPath}.${objectPath}.${field}`
         ),
       });
       return;
     }
@@ -658,7 +663,6 @@ export class ApiFeatures {
   _parseQueryFilters() {
     const obj = { ...this.query };
     RESERVED_QUERY_KEYS.forEach((key) => delete obj[key]);
     const out = {};
@@ -704,50 +708,47 @@ export class ApiFeatures {
     return out;
   }
-_sanitizeFilters(filters = {}) {
-  const sanitizeNode = (node, key = "") => {
-    if (
-      node instanceof mongoose.Types.ObjectId ||
-      node instanceof ObjectId
-    ) {
-      return node;
-    }
-    if (node === null || node === "null") return null;
-    if (node === "true") return true;
-    if (node === "false") return false;
-    if (Array.isArray(node)) {
-      return node.map((item) => sanitizeNode(item, key));
-    }
+  _sanitizeFilters(filters = {}) {
+    const sanitizeNode = (node, key = "") => {
+      if (node instanceof mongoose.Types.ObjectId || node instanceof ObjectId) {
+        return node;
+      }
-    if (node && typeof node === "object") {
-      const result = {};
+      if (node === null || node === "null") return null;
+      if (node === "true") return true;
+      if (node === "false") return false;
-      for (const [childKey, childVal] of Object.entries(node)) {
-        result[childKey] = sanitizeNode(childVal, childKey);
+      if (Array.isArray(node)) {
+        return node.map((item) => sanitizeNode(item, key));
       }
-      return result;
-    }
+      if (node && typeof node === "object") {
+        const result = {};
+        for (const [childKey, childVal] of Object.entries(node)) {
+          result[childKey] = sanitizeNode(childVal, childKey);
+        }
-    if (typeof node === "string") {
-      if (this.#isStrictObjectId(node) && this._shouldConvertToObjectId(key)) {
-        return new ObjectId(node);
+        return result;
       }
-      if (/^[0-9]+$/.test(node)) {
-        return node.length > 1 && node.startsWith("0")
-          ? node
-          : parseInt(node, 10);
+      if (typeof node === "string") {
+        if (this.#isStrictObjectId(node) && this._shouldConvertToObjectId(key)) {
+          return new ObjectId(node);
+        }
+        if (/^[0-9]+$/.test(node)) {
+          return node.length > 1 && node.startsWith("0")
+            ? node
+            : parseInt(node, 10);
+        }
       }
-    }
-    return node;
-  };
+      return node;
+    };
-  return sanitizeNode(filters);
-}
+    return sanitizeNode(filters);
+  }
   _shouldConvertToObjectId(key = "") {
     const cleanKey = String(key).replace(/^\$/, "").toLowerCase();
@@ -763,6 +764,39 @@ _sanitizeFilters(filters = {}) {
     );
   }
+  _normalizeLogicalOperators(filters = {}) {
+    if (Array.isArray(filters)) {
+      return filters.map((item) => this._normalizeLogicalOperators(item));
+    }
+    if (
+      !filters ||
+      typeof filters !== "object" ||
+      filters instanceof mongoose.Types.ObjectId ||
+      filters instanceof ObjectId ||
+      filters instanceof Date
+    ) {
+      return filters;
+    }
+    const out = {};
+    for (const [key, value] of Object.entries(filters)) {
+      const normalizedKey =
+        key === "and"
+          ? "$and"
+          : key === "or"
+            ? "$or"
+            : key === "nor"
+              ? "$nor"
+              : key;
+      out[normalizedKey] = this._normalizeLogicalOperators(value);
+    }
+    return out;
+  }
   _deepMergeFilters(a = {}, b = {}) {
     const out = { ...a };
@@ -799,7 +833,6 @@ _sanitizeFilters(filters = {}) {
       for (const [key, value] of Object.entries(node)) {
         if (this._isForbiddenField(key)) continue;
         result[key] = cleanNode(value);
       }
@@ -828,7 +861,6 @@ _sanitizeFilters(filters = {}) {
       if (typeof item === "string") {
         const trimmed = item.trim();
         if (!trimmed) return;
         if (trimmed.includes(".")) {
@@ -884,9 +916,11 @@ _sanitizeFilters(filters = {}) {
       return input
         .flatMap((item) => {
           if (typeof item === "string") return this._normalizePopulateInput(item);
           if (item && typeof item === "object" && item.path) {
             return [this._normalizePopulateObject(item)];
           }
           return [];
         })
         .filter(Boolean);