2.6.0

Validate query and payload

.eslintrc

@@ -1,3 +1,9 @@
 {
-  "extends": "pichak"
+  "plugins": [
+    "ava"
+  ],
+  "extends": [
+    "pichak",
+    "plugin:ava/recommended"
+  ]
 }

README.md

@@ -1,4 +1,4 @@
-hapi-sequelize-crud
+hapi-sequelize-crud [![CircleCI](https://circleci.com/gh/mdibaiee/hapi-sequelize-crud.svg?style=svg)](https://circleci.com/gh/mdibaiee/hapi-sequelize-crud)
 ===================
 
 Automatically generate a RESTful API for your models and associations
@@ -11,6 +11,9 @@ npm install -S hapi-sequelize-crud
 
 ##Configure
 
+Please note that you should register `hapi-sequelize-crud` after defining your
+associations.
+
 ```javascript
 // First, register hapi-sequelize
 await register({
@@ -35,6 +38,7 @@ await register({
     // `models` property. If you omit this property, all models will have
     // models defined for them. e.g.
     models: ['cat', 'dog'] // only the cat and dog models will have routes created
+
     // or
     models: [
       // possible methods: list, get, scope, create, destroy, destroyAll, destroyScope, update
@@ -54,20 +58,59 @@ await register({
 ```
 
 ### Methods
-* list: get all rows in a table
-* get: get a single row
-* scope: reference a [sequelize scope](http://docs.sequelizejs.com/en/latest/api/model/#scopeoptions-model)
-* create: create a new row
-* destroy: delete a row
-* destroyAll: delete all models in the table
-* destroyScope: use a [sequelize scope](http://docs.sequelizejs.com/en/latest/api/model/#scopeoptions-model) to find rows, then delete them
-* update: update a row
+* **list**: get all rows in a table
+* **get**: get a single row
+* **scope**: reference a [sequelize scope](http://docs.sequelizejs.com/en/latest/api/model/#scopeoptions-model)
+* **create**: create a new row
+* **destroy**: delete a row
+* **destroyAll**: delete all models in the table
+* **destroyScope**: use a [sequelize scope](http://docs.sequelizejs.com/en/latest/api/model/#scopeoptions-model) to find rows, then delete them
+* **update**: update a row
 
+## `where` queries
+It's easy to restrict your requests using Sequelize's `where` query option. Just pass a query parameter.
 
-Please note that you should register `hapi-sequelize-crud` after defining your
-associations.
+```js
+// returns only teams that have a `city` property of "windsor"
+// GET /team?city=windsor
 
-##What do I get
+// results in the Sequelize query:
+Team.findOne({ where: { city: 'windsor' }})
+```
+
+You can also do more complex queries by setting the value of a key to JSON.
+
+```js
+// returns only teams that have a `address.city` property of "windsor"
+// GET /team?city={"address": "windsor"}
+// or
+// GET /team?city[address]=windsor
+
+// results in the Sequelize query:
+Team.findOne({ where: { address: { city: 'windsor' }}})
+```
+
+## `include` queries
+Getting related models is easy, just use a query parameter `include`.
+
+```js
+// returns all teams with their related City model
+// GET /teams?include=City
+
+// results in a Sequelize query:
+Team.findAll({include: City})
+```
+
+If you want to get multiple related models, just pass multiple `include` parameters.
+```js
+// returns all teams with their related City and Uniform models
+// GET /teams?include=City&include=Uniform
+
+// results in a Sequelize query:
+Team.findAll({include: [City, Uniform]})
+```
+
+## Full list of methods
 
 Let's say you have a `many-to-many` association like this:
 
@@ -82,8 +125,9 @@ You get these:
 # get an array of records
 GET /team/{id}/roles
 GET /role/{id}/teams
-# might also append query parameters to search for
+# might also append `where` query parameters to search for
 GET /role/{id}/teams?members=5
+GET /role/{id}/teams?city=healdsburg
 
 # you might also use scopes
 GET /teams/{scope}/roles/{scope}

circle.yml

@@ -0,0 +1,9 @@
+machine:
+  node:
+    version: 6.5.0
+
+dependencies:
+  pre:
+    - npm prune
+  post:
+    - mkdir -p $CIRCLE_TEST_REPORTS/ava

package.json

@@ -1,6 +1,6 @@
 {
   "name": "hapi-sequelize-crud",
-  "version": "2.5.4",
+  "version": "2.6.0",
   "description": "Hapi plugin that automatically generates RESTful API for CRUD",
   "main": "build/index.js",
   "config": {
@@ -9,8 +9,9 @@
     }
   },
   "scripts": {
-    "lint": "eslint src test",
-    "test": "echo \"Error: no test specified\" && exit 1",
+    "lint": "eslint src",
+    "test": "ava --require babel-register --source='*.test.js' --tap=${CI-false} | $(if [ -z ${CI:-} ]; then echo 'tail'; else tap-xunit > $CIRCLE_TEST_REPORTS/ava/ava.xml; fi;)",
+    "tdd": "ava --require babel-register --source='*.test.js' --watch",
     "build": "scripty",
     "watch": "scripty"
   },
@@ -23,21 +24,26 @@
   "author": "Mahdi Dibaiee <mdibaiee@aol.com> (http://dibaiee.ir/)",
   "license": "MIT",
   "devDependencies": {
-    "babel-cli": "^6.10.1",
+    "ava": "^0.16.0",
+    "babel-cli": "^6.14.0",
     "babel-plugin-add-module-exports": "^0.2.1",
     "babel-plugin-closure-elimination": "^1.0.6",
     "babel-plugin-transform-decorators-legacy": "^1.3.4",
-    "babel-plugin-transform-es2015-modules-commonjs": "^6.10.3",
-    "babel-preset-stage-1": "^6.5.0",
-    "eslint": "2.10.2",
-    "eslint-config-pichak": "1.1.0",
-    "ghooks": "1.0.3",
-    "scripty": "^1.6.0"
+    "babel-plugin-transform-es2015-modules-commonjs": "^6.14.0",
+    "babel-preset-stage-1": "^6.13.0",
+    "eslint": "^3.4.0",
+    "eslint-config-pichak": "^1.1.2",
+    "eslint-plugin-ava": "^3.0.0",
+    "ghooks": "^1.3.2",
+    "scripty": "^1.6.0",
+    "sinon": "^1.17.5",
+    "sinon-bluebird": "^3.0.2",
+    "tap-xunit": "^1.4.0"
   },
   "dependencies": {
-    "boom": "^3.2.2",
-    "joi": "7.2.1",
-    "lodash": "4.0.0"
+    "boom": "^4.0.0",
+    "joi": "^9.0.4",
+    "lodash": "^4.15.0"
   },
   "optionalDependencies": {
     "babel-polyfill": "^6.13.0"

src/crud.js

@@ -1,13 +1,32 @@
 import joi from 'joi';
+import path from 'path';
 import error from './error';
 import _ from 'lodash';
 import { parseInclude, parseWhere } from './utils';
 import { notFound } from 'boom';
 import * as associations from './associations/index';
+import getConfigForMethod from './get-config-for-method.js';
 
-const createAll = ({ server, model, prefix, config }) => {
+const createAll = ({
+  server,
+  model,
+  prefix,
+  config,
+  attributeValidation,
+  associationValidation,
+}) => {
   Object.keys(methods).forEach((method) => {
-    methods[method]({ server, model, prefix, config });
+    methods[method]({
+      server,
+      model,
+      prefix,
+      config: getConfigForMethod({
+        method,
+        attributeValidation,
+        associationValidation,
+        config,
+      }),
+    });
   });
 };
 
@@ -33,13 +52,43 @@ models: {
 
 export default (server, model, { prefix, defaultConfig: config, models: permissions }) => {
   const modelName = model._singular;
+  const modelAttributes = Object.keys(model.attributes);
+  const modelAssociations = Object.keys(model.associations);
 
+  const attributeValidation = modelAttributes.reduce((params, attribute) => {
+    params[attribute] = joi.any();
+    return params;
+  }, {});
+
+  const associationValidation = {
+    include: joi.array().items(joi.string().valid(...modelAssociations)),
+  };
+
+  // if we don't have any permissions set, just create all the methods
   if (!permissions) {
-    createAll({ server, model, prefix, config });
+    createAll({
+      server,
+      model,
+      prefix,
+      config,
+      attributeValidation,
+      associationValidation,
+    });
+  // if permissions are set, but we can't parse them, throw an error
   } else if (!Array.isArray(permissions)) {
     throw new Error('hapi-sequelize-crud: `models` property must be an array');
+  // if permissions are set, but the only thing we've got is a model name, there
+  // are no permissions to be set, so just create all methods and move on
   } else if (permissions.includes(modelName)) {
-    createAll({ server, model, prefix, config });
+    createAll({
+      server,
+      model,
+      prefix,
+      config,
+      attributeValidation,
+      associationValidation,
+    });
+  // if we've gotten here, we have complex permissions and need to set them
   } else {
     const permissionOptions = permissions.filter((permission) => {
       return permission.model === modelName;
@@ -55,21 +104,33 @@ export default (server, model, { prefix, defaultConfig: config, models: permissi
               server,
               model,
               prefix,
-              config: permissionConfig,
+              config: getConfigForMethod({
+                method,
+                attributeValidation,
+                associationValidation,
+                config: permissionConfig,
+              }),
             });
           });
         } else {
-          createAll({ server, model, prefix, config: permissionConfig });
+          createAll({
+            server,
+            model,
+            prefix,
+            attributeValidation,
+            associationValidation,
+            config: permissionConfig,
+          });
         }
       }
     });
   }
 };
 
-export const list = ({ server, model, prefix, config }) => {
+export const list = ({ server, model, prefix = '/', config }) => {
   server.route({
     method: 'GET',
-    path: `${prefix}/${model._plural}`,
+    path: path.join(prefix, model._plural),
 
     @error
     async handler(request, reply) {
@@ -89,10 +150,10 @@ export const list = ({ server, model, prefix, config }) => {
   });
 };
 
-export const get = ({ server, model, prefix, config }) => {
+export const get = ({ server, model, prefix = '/', config }) => {
   server.route({
     method: 'GET',
-    path: `${prefix}/${model._singular}/{id?}`,
+    path: path.join(prefix, model._singular, '{id?}'),
 
     @error
     async handler(request, reply) {
@@ -101,52 +162,56 @@ export const get = ({ server, model, prefix, config }) => {
       const { id } = request.params;
       if (id) where[model.primaryKeyField] = id;
 
+      if (include instanceof Error) return void reply(include);
+
       const instance = await model.findOne({ where, include });
 
       if (!instance) return void reply(notFound(`${id} not found.`));
 
       reply(instance);
     },
-    config: _.defaultsDeep({
+    config: _.defaultsDeep(config, {
       validate: {
-        params: joi.object().keys({
+        params: {
           id: joi.any(),
-        }),
+        },
       },
-    }, config),
+    }),
   });
 };
 
-export const scope = ({ server, model, prefix, config }) => {
+export const scope = ({ server, model, prefix = '/', config }) => {
   const scopes = Object.keys(model.options.scopes);
 
   server.route({
     method: 'GET',
-    path: `${prefix}/${model._plural}/{scope}`,
+    path: path.join(prefix, model._plural, '{scope}'),
 
     @error
     async handler(request, reply) {
       const include = parseInclude(request);
       const where = parseWhere(request);
 
+      if (include instanceof Error) return void reply(include);
+
       const list = await model.scope(request.params.scope).findAll({ include, where });
 
       reply(list);
     },
-    config: _.defaultsDeep({
+    config: _.defaultsDeep(config, {
       validate: {
-        params: joi.object().keys({
+        params: {
           scope: joi.string().valid(...scopes),
-        }),
+        },
       },
-    }, config),
+    }),
   });
 };
 
-export const create = ({ server, model, prefix, config }) => {
+export const create = ({ server, model, prefix = '/', config }) => {
   server.route({
     method: 'POST',
-    path: `${prefix}/${model._singular}`,
+    path: path.join(prefix, model._singular),
 
     @error
     async handler(request, reply) {
@@ -159,10 +224,10 @@ export const create = ({ server, model, prefix, config }) => {
   });
 };
 
-export const destroy = ({ server, model, prefix, config }) => {
+export const destroy = ({ server, model, prefix = '/', config }) => {
   server.route({
     method: 'DELETE',
-    path: `${prefix}/${model._singular}/{id?}`,
+    path: path.join(prefix, model._singular, '{id?}'),
 
     @error
     async handler(request, reply) {
@@ -180,10 +245,10 @@ export const destroy = ({ server, model, prefix, config }) => {
   });
 };
 
-export const destroyAll = ({ server, model, prefix, config }) => {
+export const destroyAll = ({ server, model, prefix = '/', config }) => {
   server.route({
     method: 'DELETE',
-    path: `${prefix}/${model._plural}`,
+    path: path.join(prefix, model._plural),
 
     @error
     async handler(request, reply) {
@@ -200,47 +265,45 @@ export const destroyAll = ({ server, model, prefix, config }) => {
   });
 };
 
-export const destroyScope = ({ server, model, prefix, config }) => {
+export const destroyScope = ({ server, model, prefix = '/', config }) => {
   const scopes = Object.keys(model.options.scopes);
 
   server.route({
     method: 'DELETE',
-    path: `${prefix}/${model._plural}/{scope}`,
+    path: path.join(prefix, model._plural, '{scope}'),
 
     @error
     async handler(request, reply) {
       const include = parseInclude(request);
       const where = parseWhere(request);
 
+      if (include instanceof Error) return void reply(include);
+
       const list = await model.scope(request.params.scope).findAll({ include, where });
 
       await Promise.all(list.map(instance => instance.destroy()));
 
       reply(list);
     },
-    config: _.defaultsDeep({
+    config: _.defaultsDeep(config, {
       validate: {
-        params: joi.object().keys({
+        params: {
           scope: joi.string().valid(...scopes),
-        }),
+        },
       },
-    }, config),
+    }),
   });
 };
 
-export const update = ({ server, model, prefix, config }) => {
+export const update = ({ server, model, prefix = '/', config }) => {
   server.route({
     method: 'PUT',
-    path: `${prefix}/${model._singular}/{id}`,
+    path: path.join(prefix, model._singular, '{id}'),
 
     @error
     async handler(request, reply) {
       const { id } = request.params;
-      const instance = await model.findOne({
-        where: {
-          id,
-        },
-      });
+      const instance = await model.findById(id);
 
       if (!instance) return void reply(notFound(`${id} not found.`));
 
@@ -249,11 +312,14 @@ export const update = ({ server, model, prefix, config }) => {
       reply(instance);
     },
 
-    config: _.defaultsDeep({
+    config: _.defaultsDeep(config, {
       validate: {
         payload: joi.object().required(),
+        params: {
+          id: joi.any(),
+        },
       },
-    }, config),
+    }),
   });
 };
 

src/crud.test.js

@@ -0,0 +1,146 @@
+import test from 'ava';
+import { list } from './crud.js';
+import { stub } from 'sinon';
+import 'sinon-bluebird';
+
+const METHODS = {
+  GET: 'GET',
+};
+
+test.beforeEach('setup server', (t) => {
+  t.context.server = {
+    route: stub(),
+  };
+});
+
+test.beforeEach('setup model', (t) => {
+  t.context.model = {
+    findAll: stub(),
+    _plural: 'models',
+    _singular: 'model',
+  };
+});
+
+test.beforeEach('setup request stub', (t) => {
+  t.context.request = {
+    query: {},
+    payload: {},
+    models: [t.context.model],
+  };
+});
+
+test.beforeEach('setup reply stub', (t) => {
+  t.context.reply = stub();
+});
+
+test('crud#list without prefix', (t) => {
+  const { server, model } = t.context;
+
+  list({ server, model });
+  const { path } = server.route.args[0][0];
+
+  t.falsy(
+    path.includes('undefined'),
+    'correctly sets the path without a prefix defined',
+  );
+
+  t.is(
+    path,
+    `/${model._plural}`,
+    'the path sets to the plural model'
+  );
+});
+
+test('crud#list with prefix', (t) => {
+  const { server, model } = t.context;
+  const prefix = '/v1';
+
+  list({ server, model, prefix });
+  const { path } = server.route.args[0][0];
+
+  t.is(
+    path,
+    `${prefix}/${model._plural}`,
+    'the path sets to the plural model with the prefix'
+  );
+});
+
+test('crud#list method', (t) => {
+  const { server, model } = t.context;
+
+  list({ server, model });
+  const { method } = server.route.args[0][0];
+
+  t.is(
+    method,
+    METHODS.GET,
+    `sets the method to ${METHODS.GET}`
+  );
+});
+
+test('crud#list config', (t) => {
+  const { server, model } = t.context;
+  const userConfig = {};
+
+  list({ server, model, config: userConfig });
+  const { config } = server.route.args[0][0];
+
+  t.is(
+    config,
+    userConfig,
+    'sets the user config'
+  );
+});
+
+test('crud#list handler', async (t) => {
+  const { server, model, request, reply } = t.context;
+  const allModels = [{ id: 1 }, { id: 2 }];
+
+  list({ server, model });
+  const { handler } = server.route.args[0][0];
+  model.findAll.resolves(allModels);
+
+  try {
+    await handler(request, reply);
+  } catch (e) {
+    t.ifError(e, 'does not error while handling');
+  } finally {
+    t.pass('does not error while handling');
+  }
+
+  t.truthy(
+    reply.calledOnce
+    , 'calls reply only once'
+  );
+
+  const response = reply.args[0][0];
+
+  t.is(
+    response,
+    allModels,
+    'responds with the list of models'
+  );
+});
+
+test('crud#list handler if parseInclude errors', async (t) => {
+  const { server, model, request, reply } = t.context;
+  // we _want_ the error
+  delete request.models;
+
+  list({ server, model });
+  const { handler } = server.route.args[0][0];
+
+  await handler(request, reply);
+
+  t.truthy(
+    reply.calledOnce
+    , 'calls reply only once'
+  );
+
+  const response = reply.args[0][0];
+
+  t.truthy(
+    response.isBoom,
+    'responds with a Boom error'
+  );
+});

src/get-config-for-method.js

@@ -0,0 +1,88 @@
+import { defaultsDeep } from 'lodash';
+import joi from 'joi';
+
+export const sequelizeOperators = {
+  $and: joi.any(),
+  $or: joi.any(),
+  $gt: joi.any(),
+  $gte: joi.any(),
+  $lt: joi.any(),
+  $lte: joi.any(),
+  $ne: joi.any(),
+  $eq: joi.any(),
+  $not: joi.any(),
+  $between: joi.any(),
+  $notBetween: joi.any(),
+  $in: joi.any(),
+  $notIn: joi.any(),
+  $like: joi.any(),
+  $notLike: joi.any(),
+  $iLike: joi.any(),
+  $notILike: joi.any(),
+  $overlap: joi.any(),
+  $contains: joi.any(),
+  $contained: joi.any(),
+  $any: joi.any(),
+  $col: joi.any(),
+};
+
+export const whereMethods = [
+  'list',
+  'get',
+  'scope',
+  'destroy',
+  'destoryScope',
+  'destroyAll',
+];
+
+export const includeMethods = [
+  'list',
+  'get',
+  'scope',
+  'destoryScope',
+];
+
+export const payloadMethods = [
+  'create',
+  'update',
+];
+
+export default ({ method, attributeValidation, associationValidation, config = {} }) => {
+  const hasWhere = whereMethods.includes(method);
+  const hasInclude = includeMethods.includes(method);
+  const hasPayload = payloadMethods.includes(method);
+  const methodConfig = { ...config };
+
+  if (hasWhere) {
+    defaultsDeep(methodConfig, {
+      validate: {
+        query: {
+          ...attributeValidation,
+          ...sequelizeOperators,
+        },
+      },
+    });
+  }
+
+  if (hasInclude) {
+    defaultsDeep(methodConfig, {
+      validate: {
+        query: {
+          ...associationValidation,
+        },
+      },
+    });
+  }
+
+  if (hasPayload) {
+    defaultsDeep(methodConfig, {
+      validate: {
+        payload: {
+          ...attributeValidation,
+        },
+      },
+    });
+  }
+
+  return methodConfig;
+};

src/get-config-for-method.test.js

@@ -0,0 +1,117 @@
+import test from 'ava';
+import joi from 'joi';
+import
+  getConfigForMethod, {
+  whereMethods,
+  includeMethods,
+  payloadMethods,
+  sequelizeOperators,
+} from './get-config-for-method.js';
+
+test.beforeEach((t) => {
+  t.context.attributeValidation = {
+    myKey: joi.any(),
+  };
+
+  t.context.associationValidation = {
+    include: ['MyModel'],
+  };
+
+  t.context.config = {
+    cors: {},
+  };
+});
+
+test('get-config-for-method validate.query seqeulizeOperators', (t) => {
+  whereMethods.forEach((method) => {
+    const configForMethod = getConfigForMethod({ method });
+    const { query } = configForMethod.validate;
+    const configForMethodValidateQueryKeys = Object.keys(query);
+
+    t.truthy(
+      query,
+      `applies query validation for ${method}`
+    );
+
+    Object.keys(sequelizeOperators).forEach((operator) => {
+      t.truthy(
+        configForMethodValidateQueryKeys.includes(operator),
+        `applies sequelize operator "${operator}" in validate.where for ${method}`
+      );
+    });
+  });
+});
+
+test('get-config-for-method validate.query attributeValidation', (t) => {
+  const { attributeValidation } = t.context;
+
+  whereMethods.forEach((method) => {
+    const configForMethod = getConfigForMethod({ method, attributeValidation });
+    const { query } = configForMethod.validate;
+
+    Object.keys(attributeValidation).forEach((key) => {
+      t.truthy(
+        query[key]
+        , `applies attributeValidation (${key}) to validate.query`
+      );
+    });
+  });
+});
+
+test('get-config-for-method validate.query associationValidation', (t) => {
+  const { attributeValidation, associationValidation } = t.context;
+
+  includeMethods.forEach((method) => {
+    const configForMethod = getConfigForMethod({
+      method,
+      attributeValidation,
+      associationValidation,
+    });
+    const { query } = configForMethod.validate;
+
+    Object.keys(attributeValidation).forEach((key) => {
+      t.truthy(
+        query[key]
+        , `applies attributeValidation (${key}) to validate.query when include should be applied`
+      );
+    });
+
+    Object.keys(associationValidation).forEach((key) => {
+      t.truthy(
+        query[key]
+        , `applies associationValidation (${key}) to validate.query when include should be applied`
+      );
+    });
+  });
+});
+
+test('get-config-for-method validate.payload associationValidation', (t) => {
+  const { attributeValidation } = t.context;
+
+  payloadMethods.forEach((method) => {
+    const configForMethod = getConfigForMethod({ method, attributeValidation });
+    const { payload } = configForMethod.validate;
+
+    Object.keys(attributeValidation).forEach((key) => {
+      t.truthy(
+        payload[key]
+        , `applies attributeValidation (${key}) to validate.payload`
+      );
+    });
+  });
+});
+
+test('get-config-for-method does not modify initial config on multiple passes', (t) => {
+  const { config } = t.context;
+  const originalConfig = { ...config };
+
+  whereMethods.forEach((method) => {
+    getConfigForMethod({ method, config });
+  });
+
+  t.deepEqual(
+    config
+    , originalConfig
+    , 'does not modify the original config object'
+  );
+});

src/utils.js

@@ -1,4 +1,5 @@
 import { omit, identity } from 'lodash';
+import { notImplemented } from 'boom';
 
 export const parseInclude = request => {
   const include = Array.isArray(request.query.include) ? request.query.include
@@ -8,7 +9,7 @@ export const parseInclude = request => {
   const noRequestModels = !request.models;
 
   if (noGetDb && noRequestModels) {
-    return new Error('`request.getDb` or `request.models` are not defined.'
+    return notImplemented('`request.getDb` or `request.models` are not defined.'
                    + 'Be sure to load hapi-sequelize before hapi-sequelize-crud.');
   }