bedrockio · andrewplummer · May 19, 2020 · May 13, 2020 · May 14, 2020 · May 14, 2020
diff --git a/services/api/package.json b/services/api/package.json
@@ -31,6 +31,7 @@
     "koa-router": "^8.0.8",
     "lodash": "^4.17.15",
     "mongoose": "^5.9.11",
+    "mongoose-autopopulate": "^0.12.2",
     "postmark": "^2.5.2"
   },
   "devDependencies": {

diff --git a/services/api/scripts/setup-fixtures.js b/services/api/scripts/setup-fixtures.js
@@ -54,7 +54,7 @@ const createUsers = async () => {
   });
 
   for (let i = 0; i < 15; i++) {
-    await Product.create({ name: `Product ${i + 1}`, shopId: shop.id });
+    await Product.create({ name: `Product ${i + 1}`, shop });
   }
   return true;
 };

diff --git a/services/api/src/lib/Schema.js b/services/api/src/lib/Schema.js
@@ -0,0 +1,45 @@
+const mongoose = require('mongoose');
+
+class Schema extends mongoose.Schema {
+
+  constructor(schema, options = {}) {
+    super({
+      deletedAt: { type: Date },
+      ...schema,
+    }, {
+
+      // Include timestamps by default.
+      timestamps: true,
+
+      // Export "id" getter and omit "__v" as
+      // well as private fields.
+      toJSON: {
+        getters: true,
+        versionKey: false,
+        transform: (doc, ret) => {
+          for (let key of Object.keys(ret)) {
+            const field = doc.schema.obj[key];
+            // Omit any key with a private prefix "_" or marked
+            // "access": "private" in the schema. Note that virtuals are
+            // excluded by default so they don't need to be removed.
+            if (key[0] === '_' || (field && field.access === 'private')) {
+              delete ret[key];
+            }
+          }
+        }
+      },
+      ...options
+    });
+    Object.assign(this.methods, {
+      delete: this.delete,
+    });
+  }
+
+  delete() {
+    this.deletedAt = new Date();
+    return this.save();
+  }
+
+}
+
+module.exports = Schema;
diff --git a/services/api/src/lib/__tests__/Schema.js b/services/api/src/lib/__tests__/Schema.js
@@ -0,0 +1,134 @@
+const Schema = require('../Schema');
+const mongoose = require('mongoose');
+const { setupDb, teardownDb } = require('../../test-helpers');
+
+beforeAll(async () => {
+  await setupDb();
+});
+
+afterAll(async () => {
+  await teardownDb();
+});
+
+
+let counter = 0;
+
+function createModel(schema) {
+  return mongoose.model(`SchemaTestModel${counter++}`, schema);
+}
+
+describe('Schema', () => {
+
+  describe('basic functionality', () => {
+
+    it('should be able to create basic schema', async () => {
+      const User = createModel(new Schema({
+        name: { type: String, validate: /[a-z]/ }
+      }));
+      const user = new User({ name: 'foo' });
+
+      expect(user.name).toBe('foo');
+
+      await expect(async () => {
+        user.name = 'FOO';
+        await user.save();
+      }).rejects.toThrow();
+
+    });
+  });
+
+  describe('defaults', () => {
+
+    it('should add timestamps by default', async () => {
+      const User = createModel(new Schema());
+      const user = new User();
+      await user.save();
+      expect(user.createdAt).toBeInstanceOf(Date);
+      expect(user.updatedAt).toBeInstanceOf(Date);
+    });
+
+    it('should add deletedAt by default', async () => {
+      const User = createModel(new Schema());
+      const user = new User();
+      await user.save();
+      await user.delete();
+      expect(user.deletedAt).toBeInstanceOf(Date);
+    });
+
+  });
+
+  describe('serialization', () => {
+
+    it('should expose id', () => {
+      const User = createModel(new Schema());
+      const user = new User();
+      const data = JSON.parse(JSON.stringify(user));
+      expect(data.id).toBe(user.id);
+    });
+
+    it('should not expose _id or __v', () => {
+      const User = createModel(new Schema());
+      const user = new User();
+      const data = JSON.parse(JSON.stringify(user));
+      expect(data._id).toBeUndefined();
+      expect(data.__v).toBeUndefined();
+    });
+
+    it('should not expose fields with underscore or marked private', () => {
+      const User = createModel(new Schema({
+        _private: String,
+        password: { type: String, access: 'private' },
+      }));
+      const user = new User();
+      user._private = 'private';
+      user.password = 'fake password';
+
+      expect(user._private).toBe('private');
+      expect(user.password).toBe('fake password');
+
+      const data = JSON.parse(JSON.stringify(user));
+
+      expect(data._private).toBeUndefined();
+      expect(data.password).toBeUndefined();
+    });
+
+  });
+
+  describe('autopopulate', () => {
+
+    it('should not expose private fields when using with autopopulate', async () => {
+      const User = createModel(new Schema({
+        password: { type: String, access: 'private' },
+      }));
+
+      const shopSchema = new Schema({
+        user: {
+          ref: User.modelName,
+          type: mongoose.Schema.Types.ObjectId,
+          autopopulate: true,
+        }
+      });
+
+      shopSchema.plugin(require('mongoose-autopopulate'));
+      const Shop = createModel(shopSchema);
+
+      const user = new User();
+      user.password = 'fake password';
+      await user.save();
+
+      let shop = new Shop();
+      shop.user = user;
+      await shop.save();
+
+      shop = await Shop.findById(shop.id);
+
+      const data = JSON.parse(JSON.stringify(shop));
+
+      expect(data.user.id).toBe(user.id);
+      expect(data.user._id).toBeUndefined();
+      expect(data.user.__v).toBeUndefined();
+      expect(data.user.password).toBeUndefined();
+    });
+
+  });
+});
diff --git a/services/api/src/models/__tests__/user.js b/services/api/src/models/__tests__/user.js
@@ -0,0 +1,35 @@
+const User = require('../../models/user');
+
+describe('User', () => {
+
+  describe('serialization', () => {
+
+    it('should expose id', () => {
+      const user = new User();
+      const data = JSON.parse(JSON.stringify(user));
+      expect(data.id).toBe(user.id);
+    });
+
+    it('should not expose _id or __v', () => {
+      const user = new User();
+      const data = JSON.parse(JSON.stringify(user));
+      expect(data._id).toBeUndefined();
+      expect(data.__v).toBeUndefined();
+    });
+
+    it('should not expose _password or hashedPassword serialize', () => {
+      const user = new User({
+        password: 'fake password',
+        hashedPassword: 'fake hash',
+      });
+      expect(user._password).toBe('fake password');
+      expect(user.hashedPassword).toBe('fake hash');
+
+      const data = JSON.parse(JSON.stringify(user));
+      expect(data.password).toBeUndefined();
+      expect(data._password).toBeUndefined();
+      expect(data.hashedPassword).toBeUndefined();
+    });
+
+  });
+});
diff --git a/services/api/src/models/category.js b/services/api/src/models/category.js
@@ -1,20 +1,10 @@
-const { omit } = require('lodash');
 const mongoose = require('mongoose');
+const Schema = require('../lib/Schema');
 
-const schema = new mongoose.Schema(
+const schema = new Schema(
   {
     name: { type: String, trim: true, required: true }
-  },
-  {
-    timestamps: true
   }
 );
 
-schema.methods.toResource = function toResource() {
-  return {
-    id: this._id,
-    ...omit(this.toObject(), ['_id', '__v'])
-  };
-};
-
-module.exports = mongoose.models.Invite || mongoose.model('Category', schema);
+module.exports = mongoose.models.Category || mongoose.model('Category', schema);
diff --git a/services/api/src/models/invite.js b/services/api/src/models/invite.js
@@ -1,31 +1,16 @@
 const { omit } = require('lodash');
 const mongoose = require('mongoose');
+const Schema = require('../lib/Schema');
 
-const schema = new mongoose.Schema(
+const schema = new Schema(
   {
     email: { type: String, trim: true, lowercase: true, required: true },
     status: { type: String },
-    deletedAt: { type: Date }
   },
-  {
-    timestamps: true
-  }
 );
 
 schema.methods.assign = function assign(fields) {
   Object.assign(this, omit(fields, ['createdAt', 'updatedAt', 'deletedAt', 'id']));
 };
 
-schema.methods.delete = function deleteFn() {
-  this.deletedAt = new Date();
-  return this.save();
-};
-
-schema.methods.toResource = function toResource() {
-  return {
-    id: this._id,
-    ...omit(this.toObject(), ['_id', '__v'])
-  };
-};
-
 module.exports = mongoose.models.Invite || mongoose.model('Invite', schema);
diff --git a/services/api/src/models/product.js b/services/api/src/models/product.js
@@ -1,34 +1,25 @@
-const { omit } = require('lodash');
 const mongoose = require('mongoose');
+const Schema = require('../lib/Schema');
 
 const { ObjectId } = mongoose.Schema.Types;
 
-const schema = new mongoose.Schema(
+const schema = new Schema(
   {
     name: { type: String, trim: true, required: true },
     description: { type: String, trim: true, required: false },
     isFeatured: { type: Boolean },
     expiresAt: { type: Date },
     priceUsd: { type: Number },
     sellingPoints: [{ type: String }],
-    shopId: { type: ObjectId, required: true, ref: 'Shop' },
-    deletedAt: { type: Date }
+    shop: {
+      ref: 'Shop',
+      type: ObjectId,
+      required: true,
+      autopopulate: true,
+    },
   },
-  {
-    timestamps: true
-  }
 );
 
-schema.methods.delete = function deleteFn() {
-  this.deletedAt = new Date();
-  return this.save();
-};
-
-schema.methods.toResource = function toResource() {
-  return {
-    id: this._id,
-    ...omit(this.toObject(), ['_id', '__v', 'images'])
-  };
-};
+schema.plugin(require('mongoose-autopopulate'));
 
 module.exports = mongoose.models.Product || mongoose.model('Product', schema);
diff --git a/services/api/src/models/shop.js b/services/api/src/models/shop.js
@@ -1,32 +1,21 @@
-const { omit } = require('lodash');
 const mongoose = require('mongoose');
+const Schema = require('../lib/Schema');
 const { ObjectId } = mongoose.Schema.Types;
 
-const schema = new mongoose.Schema(
+const schema = new Schema(
   {
     name: { type: String, trim: true, required: true },
     description: { type: String, trim: true },
-    images: [{ type: ObjectId, ref: 'Upload' }],
+    images: [{
+      type: ObjectId,
+      ref: 'Upload',
+      autopopulate: true
+    }],
     categories: [{ type: ObjectId, ref: 'Categories' }],
-    country: { type: String },
-    deletedAt: { type: Date }
-  },
-  {
-    timestamps: true
+    country: { type: String }
   }
 );
 
-schema.methods.delete = function deleteFn() {
-  this.deletedAt = new Date();
-  return this.save();
-};
-
-schema.methods.toResource = function toResource() {
-  return {
-    id: this._id,
-    ...omit(this.toObject(), ['_id', '__v']),
-    images: this.images.map((object) => (object.toObject ? object.toResource() : object))
-  };
-};
+schema.plugin(require('mongoose-autopopulate'));
 
 module.exports = mongoose.models.Shop || mongoose.model('Shop', schema);