Feat/validate query enhancement (#9705)

* feat(framework): Enhance query validation

* feat(framework): Enhance query validation

* feat(framework): Enhance query validation

* feat(framework): Enhance query validation

* fix

* split restriction per http domain

* fix

* fix unit tests

* fix middleware

* cleanup allowed fields

* update docs

* missing allowed

* export

* missing allowed

* missing fields

* improvements

* rm unnecessary fields

* wip

* update symbol support

* update symbol support

* update allowed

* update allowed
Adrien de Peretti
2024-10-22 16:47:05 +02:00
committed by GitHub
parent 6e0a1e3a86
commit 29d9f90fbf
17 changed files with 372 additions and 64 deletions


@@ -1,5 +1,5 @@
import { Modules } from "../../modules-sdk"
import { defineConfig } from "../define-config"
import { DEFAULT_STORE_RESTRICTED_FIELDS, defineConfig } from "../define-config"
describe("defineConfig", function () {
it("should merge empty config with the defaults", function () {
@@ -133,6 +133,13 @@ describe("defineConfig", function () {
"authCors": "http://localhost:7000,http://localhost:7001,http://localhost:5173",
"cookieSecret": "supersecret",
"jwtSecret": "supersecret",
"restrictedFields": {
"store": [
${DEFAULT_STORE_RESTRICTED_FIELDS.map((v) => `"${v}"`).join(
",\n "
)},
],
},
"storeCors": "http://localhost:8000",
},
},
@@ -282,6 +289,13 @@ describe("defineConfig", function () {
"authCors": "http://localhost:7000,http://localhost:7001,http://localhost:5173",
"cookieSecret": "supersecret",
"jwtSecret": "supersecret",
"restrictedFields": {
"store": [
${DEFAULT_STORE_RESTRICTED_FIELDS.map((v) => `"${v}"`).join(
",\n "
)},
],
},
"storeCors": "http://localhost:8000",
},
},
@@ -439,6 +453,13 @@ describe("defineConfig", function () {
"authCors": "http://localhost:7000,http://localhost:7001,http://localhost:5173",
"cookieSecret": "supersecret",
"jwtSecret": "supersecret",
"restrictedFields": {
"store": [
${DEFAULT_STORE_RESTRICTED_FIELDS.map((v) => `"${v}"`).join(
",\n "
)},
],
},
"storeCors": "http://localhost:8000",
},
},
@@ -597,6 +618,13 @@ describe("defineConfig", function () {
"authCors": "http://localhost:7000,http://localhost:7001,http://localhost:5173",
"cookieSecret": "supersecret",
"jwtSecret": "supersecret",
"restrictedFields": {
"store": [
${DEFAULT_STORE_RESTRICTED_FIELDS.map((v) => `"${v}"`).join(
",\n "
)},
],
},
"storeCors": "http://localhost:8000",
},
},
@@ -743,6 +771,13 @@ describe("defineConfig", function () {
"authCors": "http://localhost:7000,http://localhost:7001,http://localhost:5173",
"cookieSecret": "supersecret",
"jwtSecret": "supersecret",
"restrictedFields": {
"store": [
${DEFAULT_STORE_RESTRICTED_FIELDS.map((v) => `"${v}"`).join(
",\n "
)},
],
},
"storeCors": "http://localhost:8000",
},
},
@@ -889,6 +924,13 @@ describe("defineConfig", function () {
"authCors": "http://localhost:7000,http://localhost:7001,http://localhost:5173",
"cookieSecret": "supersecret",
"jwtSecret": "supersecret",
"restrictedFields": {
"store": [
${DEFAULT_STORE_RESTRICTED_FIELDS.map((v) => `"${v}"`).join(
",\n "
)},
],
},
"storeCors": "http://localhost:8000",
},
},
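Review bot: The six updated snapshots build the expected `restrictedFields.store` list by interpolating `DEFAULT_STORE_RESTRICTED_FIELDS`, the same constant `defineConfig` reads, so they pass whatever the list contains and would not flag an entry being dropped from this access-control default. One explicit assertion, e.g. `expect(DEFAULT_STORE_RESTRICTED_FIELDS).toEqual(["order", "orders"])`, would pin the shipped default independently of the implementation. The visible hunks also have no case where the caller supplies its own `http.restrictedFields`, so the override behaviour is untested here.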


@@ -20,6 +20,15 @@ const DEFAULT_DATABASE_URL = "postgres://localhost/medusa-starter-default"
const DEFAULT_ADMIN_CORS =
"http://localhost:7000,http://localhost:7001,http://localhost:5173"
export const DEFAULT_STORE_RESTRICTED_FIELDS = [
"order",
"orders",
/*"customer",
"customers",
"payment_collection",
"payment_collections"*/
]
type InternalModuleDeclarationOverride = InternalModuleDeclaration & {
/**
* Optional key to be used to identify the module, if not provided, it will be inferred from the module joiner config service name.
@@ -79,6 +88,9 @@ export function defineConfig(config: Config = {}): ConfigModule {
authCors: process.env.AUTH_CORS || DEFAULT_ADMIN_CORS,
jwtSecret: process.env.JWT_SECRET || DEFAULT_SECRET,
cookieSecret: process.env.COOKIE_SECRET || DEFAULT_SECRET,
restrictedFields: {
store: DEFAULT_STORE_RESTRICTED_FIELDS,
},
...http,
},
...restOfProjectConfig,
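Review bot: Because `...http` is spread after `restrictedFields` in the last hunk, a project config that sets its own `http.restrictedFields` replaces the whole object, so a value without a `store` key would silently drop the default store restriction; whether the consumer tolerates a missing `store` is not visible here. The default is also assigned by reference, so any code that mutates `projectConfig.http.restrictedFields.store` changes the exported `DEFAULT_STORE_RESTRICTED_FIELDS` for every later `defineConfig` call. Copying and merging below the spread would address both, e.g. `restrictedFields: { store: [...DEFAULT_STORE_RESTRICTED_FIELDS], ...http?.restrictedFields },` placed after `...http`. The commented-out entries in the constant (`customer`, `payment_collection`, …) deserve a one-line comment saying why those relations are not restricted yet. The body of `defineConfig` starts and ends outside the hunk.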