medusajs · olivermrbl · Feb 28, 2023 · Feb 23, 2023 · Feb 23, 2023 · Feb 23, 2023
@@ -0,0 +1,5 @@
+---
+"@medusajs/medusa": patch
+---
+
+fix(medusa): Clean response data usage for admin and store fields/expand
@@ -1615,6 +1615,16 @@ describe("/admin/orders", () => {
               id: "test-billing-address",
               first_name: "lebron",
             }),
+            shipping_total: expect.any(Number),
+            discount_total: expect.any(Number),
+            tax_total: expect.any(Number),
+            refunded_total: expect.any(Number),
+            total: expect.any(Number),
+            subtotal: expect.any(Number),
+            paid_total: expect.any(Number),
+            refundable_amount: expect.any(Number),
+            gift_card_total: expect.any(Number),
+            gift_card_tax_total: expect.any(Number),
           },
         ])
       )

@@ -177,6 +177,17 @@ describe("/store/carts", () => {
         "customer",
         "payments",
         "region",
+        // default
+        "shipping_total",
+        "discount_total",
+        "tax_total",
+        "refunded_total",
+        "total",
+        "subtotal",
+        "paid_total",
+        "refundable_amount",
+        "gift_card_total",
+        "gift_card_tax_total",
       ])
     })
 
@@ -197,6 +208,17 @@ describe("/store/carts", () => {
         "customer",
         "payments",
         "region",
+        // default
+        "shipping_total",
+        "discount_total",
+        "tax_total",
+        "refunded_total",
+        "total",
+        "subtotal",
+        "paid_total",
+        "refundable_amount",
+        "gift_card_total",
+        "gift_card_tax_total",
       ])
     })
 
@@ -212,6 +234,17 @@ describe("/store/carts", () => {
         "status",
         // selected relations
         "billing_address",
+        // default
+        "shipping_total",
+        "discount_total",
+        "tax_total",
+        "refunded_total",
+        "total",
+        "subtotal",
+        "paid_total",
+        "refundable_amount",
+        "gift_card_total",
+        "gift_card_tax_total",
       ])
     })
 

@@ -13,11 +13,11 @@ export function transformIncludesOptions(
   expectedIncludesFields: string[] = []
 ) {
   return (req: Request, res: Response, next: NextFunction): void => {
-    if (!allowedIncludesFields.length || !req.query["fields"]) {
+    if (!allowedIncludesFields.length || !req.query.fields) {
       return next()
     }
 
-    const fields = (req.query["fields"] as string).split(",") ?? []
+    const fields = (req.query.fields as string).split(",") ?? []
 
     for (const includesField of allowedIncludesFields) {
       const fieldIndex = fields.indexOf(includesField as keyof Order) ?? -1
@@ -40,16 +40,16 @@ export function transformIncludesOptions(
           )
         }
 
-        req["includes"] = req["includes"] ?? {}
-        req["includes"][includesField] = true
+        req.includes = req.includes ?? {}
+        req.includes[includesField] = true
       }
     }
 
-    if (req.query["fields"]) {
+    if (req.query.fields) {
       if (fields.length) {
-        req.query["fields"] = fields.join(",")
+        req.query.fields = fields.join(",")
       } else {
-        delete req.query["fields"]
+        delete req.query.fields
       }
     }
 

@@ -39,25 +39,17 @@ export function transformQuery<
       ])
       req.filterableFields = removeUndefinedProperties(req.filterableFields)
 
-      if (
-        (queryConfig?.defaultFields || validated.fields) &&
-        (queryConfig?.defaultRelations || validated.expand)
-      ) {
-        req.allowedProperties = [
-          ...(validated.fields
-            ? validated.fields.split(",")
-            : queryConfig?.allowedFields || [])!,
-          ...(validated.expand
-            ? validated.expand.split(",")
-            : queryConfig?.allowedRelations || [])!,
-        ] as unknown as string[]
-      }
+      req.storeAllowedProperties = getStoreAllowedProperties(
+        validated,
+        req.includes ?? {},
+        queryConfig
+      )
 
-      const includesFields = Object.keys(req["includes"] ?? {})
-      if (includesFields.length) {
-        req.allowedProperties = req.allowedProperties ?? []
-        req.allowedProperties.push(...includesFields)
-      }
+      req.adminAllowedProperties = getAdminAllowedProperties(
+        validated,
+        req.includes ?? {},
+        queryConfig
+      )
 
       if (queryConfig?.isList) {
         req.listConfig = prepareListQuery(
@@ -77,3 +69,67 @@ export function transformQuery<
     }
   }
 }
+
+/**
+ * Build the store allowed props based on the custom fields query params, the defaults and the includes options.
+ * This can be used later with `cleanResponseData` in order to clean up the returned objects to the client.
+ * @param queryConfig
+ * @param validated
+ * @param includesOptions
+ */
+function getStoreAllowedProperties<TEntity extends BaseEntity>(
+  validated: RequestQueryFields,
+  includesOptions: Record<string, boolean>,
+  queryConfig?: QueryConfig<TEntity>
+): string[] {
+  const allowed: string[] = []
+  if (
+    (queryConfig?.defaultFields || validated.fields) &&
+    (queryConfig?.defaultRelations || validated.expand)
+  ) {
+    allowed.push(
+      ...(validated.fields
+        ? validated.fields.split(",")
+        : queryConfig?.allowedFields || []),
+      ...(validated.expand
+        ? validated.expand.split(",")
+        : queryConfig?.allowedRelations || [])
+    )
+  }
+
+  const includeKeys = Object.keys(includesOptions)
+  if (includeKeys) {
+    allowed.push(...includeKeys)
+  }
+
+  return allowed
+}
+
+/**
+ * Build the admin allowed props based on the custom fields query params, the defaults and the includes options.
+ * Since admin can access everything, it is only in order to return what the user asked for through fields and expand query params.
+ * This can be used later with `cleanResponseData` in order to clean up the returned objects to the client.
+ * @param queryConfig
+ * @param validated
+ * @param includesOptions
+ */
+function getAdminAllowedProperties<TEntity extends BaseEntity>(
+  validated: RequestQueryFields,
+  includesOptions: Record<string, boolean>,
+  queryConfig?: QueryConfig<TEntity>
+): string[] {
+  const allowed: string[] = []
+  if (validated.fields || validated.expand) {
+    allowed.push(
+      ...(validated.fields?.split(",") ?? []),
+      ...(validated.expand?.split(",") ?? [])
+    )
+  }
+
+  const includeKeys = Object.keys(includesOptions)
+  if (includeKeys) {
+    allowed.push(...includeKeys)
+  }
+
+  return allowed
+}
@@ -1,5 +1,7 @@
 import { OrderService } from "../../../../services"
 import { FindParams } from "../../../../types/common"
+import { cleanResponseData } from "../../../../utils/clean-response-data"
+import { Order } from "../../../../models"
 
 /**
  * @oas [get] /admin/orders/{id}
@@ -60,9 +62,15 @@ export default async (req, res) => {
 
   const orderService: OrderService = req.scope.resolve("orderService")
 
-  const order = await orderService.retrieveWithTotals(id, req.retrieveConfig, {
-    includes: req.includes,
-  })
+  let order: Partial<Order> = await orderService.retrieveWithTotals(
+    id,
+    req.retrieveConfig,
+    {
+      includes: req.includes,
+    }
+  )
+
+  order = cleanResponseData(order, req.adminAllowedProperties)
 
   res.json({ order: order })
 }

@@ -1,10 +1,9 @@
 import { IsNumber, IsOptional, IsString } from "class-validator"
 
 import { AdminListOrdersSelector } from "../../../../types/orders"
-import { Order } from "../../../../models"
 import { OrderService } from "../../../../services"
 import { Type } from "class-transformer"
-import { pick } from "lodash"
+import { cleanResponseData } from "../../../../utils/clean-response-data"
 
 /**
  * @oas [get] /admin/orders
@@ -200,19 +199,14 @@ import { pick } from "lodash"
 export default async (req, res) => {
   const orderService: OrderService = req.scope.resolve("orderService")
 
-  const { skip, take, select, relations } = req.listConfig
+  const { skip, take } = req.listConfig
 
   const [orders, count] = await orderService.listAndCount(
     req.filterableFields,
     req.listConfig
   )
 
-  let data: Partial<Order>[] = orders
-
-  const fields = [...select, ...relations]
-  if (fields.length) {
-    data = orders.map((o) => pick(o, fields))
-  }
+  const data = cleanResponseData(orders, req.adminAllowedProperties)
 
   res.json({ orders: data, count, offset: skip, limit: take })
 }

diff --git a/packages/medusa/src/api/routes/store/orders/get-order.ts b/packages/medusa/src/api/routes/store/orders/get-order.ts
@@ -54,7 +54,7 @@ export default async (req, res) => {
   const order = await orderService.retrieveWithTotals(id, req.retrieveConfig)
 
   res.json({
-    order: cleanResponseData(order, req.allowedProperties || []),
+    order: cleanResponseData(order, req.storeAllowedProperties || []),
   })
 }
 

@@ -100,7 +100,9 @@ export default async (req, res) => {
 
   const order = orders[0]
 
-  res.json({ order: cleanResponseData(order, req.allowedProperties || []) })
+  res.json({
+    order: cleanResponseData(order, req.storeAllowedProperties || []),
+  })
 }
 
 export class ShippingAddressPayload {

diff --git a/packages/medusa/src/api/routes/store/products/get-product.ts b/packages/medusa/src/api/routes/store/products/get-product.ts
@@ -118,7 +118,7 @@ export default async (req, res) => {
   )
 
   res.json({
-    product: cleanResponseData(product, req.allowedProperties || []),
+    product: cleanResponseData(product, req.storeAllowedProperties || []),
   })
 }
 

diff --git a/packages/medusa/src/api/routes/store/products/list-products.ts b/packages/medusa/src/api/routes/store/products/list-products.ts
@@ -253,7 +253,10 @@ export default async (req, res) => {
   ])
 
   res.json({
-    products: cleanResponseData(computedProducts, req.allowedProperties || []),
+    products: cleanResponseData(
+      computedProducts,
+      req.storeAllowedProperties || []
+    ),
     count,
     offset: validated.offset,
     limit: validated.limit,

@@ -16,7 +16,9 @@ declare global {
       listConfig: FindConfig<unknown>
       retrieveConfig: FindConfig<unknown>
       filterableFields: Record<string, unknown>
-      allowedProperties: string[]
+      storeAllowedProperties: string[]
+      adminAllowedProperties: string[]
+      includes?: Record<string, boolean>
       errors: string[]
     }
   }

@@ -1,21 +1,53 @@
 import { pick } from "lodash"
 
+// TODO: once the legacy totals decoration will be removed.
+// We will be able to only compute the totals if one of the total fields is present
+// and therefore avoid totals computation if the user don't want them to appear in the response
+// and therefore the below const will be removed
+const EXCLUDED_FIELDS = [
+  "shipping_total",
+  "discount_total",
+  "tax_total",
+  "refunded_total",
+  "total",
+  "subtotal",
+  "paid_total",
+  "refundable_amount",
+  "gift_card_total",
+  "gift_card_tax_total",
+  "item_tax_total",
+  "shipping_tax_total",
+  "refundable",
+  "original_total",
+  "original_tax_total",
+]
+
 /**
- * Filter response data to contain props specified in the fields array.
+ * Filter response data to contain props specified in the `storeAllowedProperties` or `adminAllowedProperties`.
+ * You can read more in the transformQuery middleware utility methods.
  *
  * @param data - record or an array of records in the response
  * @param fields - record props allowed in the response
  */
-function cleanResponseData<T>(data: T, fields: string[]) {
+function cleanResponseData<T extends unknown | unknown[]>(
+  data: T,
+  fields: string[]
+): T extends [] ? Partial<T>[] : Partial<T> {
   if (!fields.length) {
-    return data
+    return data as T extends [] ? Partial<T>[] : Partial<T>
   }
 
-  if (Array.isArray(data)) {
-    return data.map((record) => pick(record, fields))
-  }
+  const isDataArray = Array.isArray(data)
+  const fieldsSet = new Set([...fields, ...EXCLUDED_FIELDS])
+
+  fields = [...fieldsSet]
+
+  let arrayData: Partial<T>[] = isDataArray ? data : [data]
+  arrayData = arrayData.map((record) => pick(record, fields))
 
-  return pick(data, fields)
+  return (isDataArray ? arrayData : arrayData[0]) as T extends []
+    ? Partial<T>[]
+    : Partial<T>
 }
 
 export { cleanResponseData }
-Original file line number
+Diff line change
@@ Expand Up / @@ -118,7 +118,7 @@ export default async (req, res) => { @@
       )
       res.json({
-        product: cleanResponseData(product, req.allowedProperties || []),
+        product: cleanResponseData(product, req.storeAllowedProperties || []),
       })
     }
@@ Expand Down @@