Merge pull request #15402 from muazahmed-dev/fix-findOneAndUpdate-empty-filter

Fix: Add strictFilter option to findOneAndUpdate (#14913)

Author: vkarpov15

lib/query.js

@@ -165,6 +165,32 @@ function Query(conditions, options, model, collection) {
   }
 }
 
+// Helper function to check if an object is empty or contains only empty objects/arrays
+function isEmptyFilter(obj) {
+  if (obj == null) return true;
+  if (typeof obj !== 'object') return true;
+  if (Object.keys(obj).length === 0) return true;
+
+  // Check $and, $or, $nor arrays
+  for (const key of ['$and', '$or', '$nor']) {
+    if (Array.isArray(obj[key])) {
+      // If array is empty or all elements are empty objects, consider it empty
+      if (obj[key].length === 0 || obj[key].every(item => isEmptyFilter(item))) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
+// Helper function to check for empty/invalid filter
+function checkRequireFilter(filter, options) {
+  if (options && options.requireFilter && isEmptyFilter(filter)) {
+    throw new Error('Empty or invalid filter not allowed with requireFilter enabled');
+  }
+}
+
 /*!
  * inherit mquery
  */
@@ -3111,6 +3137,7 @@ function _handleSortValue(val, key) {
  *
  * @param {Object|Query} [filter] mongodb selector
  * @param {Object} [options] optional see [`Query.prototype.setOptions()`](https://mongoosejs.com/docs/api/query.html#Query.prototype.setOptions())
+ * @param {Boolean} [options.requireFilter=false] If true, throws an error if the filter is empty (`{}`)
  * @return {Query} this
  * @see DeleteResult https://mongodb.github.io/node-mongodb-native/6.15/interfaces/DeleteResult.html
  * @see deleteOne https://mongodb.github.io/node-mongodb-native/6.15/classes/Collection.html#deleteOne
@@ -3148,6 +3175,9 @@ Query.prototype._deleteOne = async function _deleteOne() {
   this._applyTranslateAliases();
   this._castConditions();
 
+  // Check for empty/invalid filter with requireFilter option
+  checkRequireFilter(this._conditions, this.options);
+
   if (this.error() != null) {
     throw this.error();
   }
@@ -3183,6 +3213,7 @@ Query.prototype._deleteOne = async function _deleteOne() {
  *
  * @param {Object|Query} [filter] mongodb selector
  * @param {Object} [options] optional see [`Query.prototype.setOptions()`](https://mongoosejs.com/docs/api/query.html#Query.prototype.setOptions())
+ * @param {Boolean} [options.requireFilter=false] If true, throws an error if the filter is empty (`{}`)
  * @return {Query} this
  * @see DeleteResult https://mongodb.github.io/node-mongodb-native/6.15/interfaces/DeleteResult.html
  * @see deleteMany https://mongodb.github.io/node-mongodb-native/6.15/classes/Collection.html#deleteMany
@@ -3220,6 +3251,9 @@ Query.prototype._deleteMany = async function _deleteMany() {
   this._applyTranslateAliases();
   this._castConditions();
 
+  // Check for empty/invalid filter with requireFilter option
+  checkRequireFilter(this._conditions, this.options);
+  
   if (this.error() != null) {
     throw this.error();
   }
@@ -3311,6 +3345,7 @@ function prepareDiscriminatorCriteria(query) {
  * - `maxTimeMS`: puts a time limit on the query - requires mongodb >= 2.6.0
  * - `runValidators`: if true, runs [update validators](https://mongoosejs.com/docs/validation.html#update-validators) on this command. Update validators validate the update operation against the model's schema.
  * - `setDefaultsOnInsert`: `true` by default. If `setDefaultsOnInsert` and `upsert` are true, mongoose will apply the [defaults](https://mongoosejs.com/docs/defaults.html) specified in the model's schema if a new document is created.
+ * - `requireFilter`: bool - if true, throws an error if the filter is empty (`{}`). Defaults to false.
  *
  * #### Example:
  *
@@ -3337,6 +3372,7 @@ function prepareDiscriminatorCriteria(query) {
  * @param {Boolean} [options.translateAliases=null] If set to `true`, translates any schema-defined aliases in `filter`, `projection`, `update`, and `distinct`. Throws an error if there are any conflicts where both alias and raw property are defined on the same object.
  * @param {Boolean} [options.overwriteDiscriminatorKey=false] Mongoose removes discriminator key updates from `update` by default, set `overwriteDiscriminatorKey` to `true` to allow updating the discriminator key
  * @param {Boolean} [options.overwriteImmutable=false] Mongoose removes updated immutable properties from `update` by default (excluding $setOnInsert). Set `overwriteImmutable` to `true` to allow updating immutable properties using other update operators.
+ * @param {Boolean} [options.requireFilter=false] If true, throws an error if the filter is empty (`{}`)
  * @see Tutorial https://mongoosejs.com/docs/tutorials/findoneandupdate.html
  * @see findAndModify command https://www.mongodb.com/docs/manual/reference/command/findAndModify/
  * @see ModifyResult https://mongodb.github.io/node-mongodb-native/4.9/interfaces/ModifyResult.html
@@ -3417,6 +3453,9 @@ Query.prototype._findOneAndUpdate = async function _findOneAndUpdate() {
   this._applyTranslateAliases();
   this._castConditions();
 
+  // Check for empty/invalid filter with requireFilter option
+  checkRequireFilter(this._conditions, this.options);
+
   _castArrayFilters(this);
 
   if (this.error()) {
@@ -3500,6 +3539,7 @@ Query.prototype._findOneAndUpdate = async function _findOneAndUpdate() {
  *
  * - `sort`: if multiple docs are found by the conditions, sets the sort order to choose which doc to update
  * - `maxTimeMS`: puts a time limit on the query - requires mongodb >= 2.6.0
+ * - `requireFilter`: bool - if true, throws an error if the filter is empty (`{}`). Defaults to false.
  *
  * #### Example:
  *
@@ -3512,6 +3552,7 @@ Query.prototype._findOneAndUpdate = async function _findOneAndUpdate() {
  * @param {Object} [filter]
  * @param {Object} [options]
  * @param {Boolean} [options.includeResultMetadata] if true, returns the full [ModifyResult from the MongoDB driver](https://mongodb.github.io/node-mongodb-native/4.9/interfaces/ModifyResult.html) rather than just the document
+ * @param {Boolean} [options.requireFilter=false] If true, throws an error if the filter is empty (`{}`)
  * @param {ClientSession} [options.session=null] The session associated with this query. See [transactions docs](https://mongoosejs.com/docs/transactions.html).
  * @param {Boolean|String} [options.strict] overwrites the schema's [strict mode option](https://mongoosejs.com/docs/guide.html#strict)
  * @return {Query} this
@@ -3551,6 +3592,9 @@ Query.prototype._findOneAndDelete = async function _findOneAndDelete() {
   this._applyTranslateAliases();
   this._castConditions();
 
+  // Check for empty/invalid filter with requireFilter option
+  checkRequireFilter(this._conditions, this.options);
+
   if (this.error() != null) {
     throw this.error();
   }
@@ -3590,6 +3634,7 @@ Query.prototype._findOneAndDelete = async function _findOneAndDelete() {
  * - `sort`: if multiple docs are found by the conditions, sets the sort order to choose which doc to update
  * - `maxTimeMS`: puts a time limit on the query - requires mongodb >= 2.6.0
  * - `includeResultMetadata`: if true, returns the full [ModifyResult from the MongoDB driver](https://mongodb.github.io/node-mongodb-native/4.9/interfaces/ModifyResult.html) rather than just the document
+ * - `requireFilter`: bool - if true, throws an error if the filter is empty (`{}`). Defaults to false.
  *
  * #### Example:
  *
@@ -3612,6 +3657,7 @@ Query.prototype._findOneAndDelete = async function _findOneAndDelete() {
  * @param {Boolean} [options.timestamps=null] If set to `false` and [schema-level timestamps](https://mongoosejs.com/docs/guide.html#timestamps) are enabled, skip timestamps for this update. Note that this allows you to overwrite timestamps. Does nothing if schema-level timestamps are not set.
  * @param {Boolean} [options.returnOriginal=null] An alias for the `new` option. `returnOriginal: false` is equivalent to `new: true`.
  * @param {Boolean} [options.translateAliases=null] If set to `true`, translates any schema-defined aliases in `filter`, `projection`, `update`, and `distinct`. Throws an error if there are any conflicts where both alias and raw property are defined on the same object.
+ * @param {Boolean} [options.requireFilter=false] If true, throws an error if the filter is empty (`{}`)
  * @return {Query} this
  * @api public
  */
@@ -3667,6 +3713,10 @@ Query.prototype.findOneAndReplace = function(filter, replacement, options) {
 Query.prototype._findOneAndReplace = async function _findOneAndReplace() {
   this._applyTranslateAliases();
   this._castConditions();
+
+  // Check for empty/invalid filter with requireFilter option
+  checkRequireFilter(this._conditions, this.options);
+
   if (this.error() != null) {
     throw this.error();
   }
@@ -3969,6 +4019,9 @@ async function _updateThunk(op) {
 
   this._castConditions();
 
+  // Check for empty/invalid filter with requireFilter option
+  checkRequireFilter(this._conditions, this.options);
+
   _castArrayFilters(this);
 
   if (this.error() != null) {
@@ -4119,6 +4172,7 @@ Query.prototype._replaceOne = async function _replaceOne() {
  * @param {Boolean} [options.translateAliases=null] If set to `true`, translates any schema-defined aliases in `filter`, `projection`, `update`, and `distinct`. Throws an error if there are any conflicts where both alias and raw property are defined on the same object.
  * @param {Boolean} [options.overwriteDiscriminatorKey=false] Mongoose removes discriminator key updates from `update` by default, set `overwriteDiscriminatorKey` to `true` to allow updating the discriminator key
  * @param {Boolean} [options.overwriteImmutable=false] Mongoose removes updated immutable properties from `update` by default (excluding $setOnInsert). Set `overwriteImmutable` to `true` to allow updating immutable properties using other update operators.
+ * @param {Boolean} [options.requireFilter=false] If true, throws an error if the filter is empty (`{}`)
  * @return {Query} this
  * @see Model.update https://mongoosejs.com/docs/api/model.html#Model.update()
  * @see Query docs https://mongoosejs.com/docs/queries.html
@@ -4193,6 +4247,7 @@ Query.prototype.updateMany = function(conditions, doc, options, callback) {
  * @param {Boolean} [options.translateAliases=null] If set to `true`, translates any schema-defined aliases in `filter`, `projection`, `update`, and `distinct`. Throws an error if there are any conflicts where both alias and raw property are defined on the same object.
  * @param {Boolean} [options.overwriteDiscriminatorKey=false] Mongoose removes discriminator key updates from `update` by default, set `overwriteDiscriminatorKey` to `true` to allow updating the discriminator key
  * @param {Boolean} [options.overwriteImmutable=false] Mongoose removes updated immutable properties from `update` by default (excluding $setOnInsert). Set `overwriteImmutable` to `true` to allow updating immutable properties using other update operators.
+ * @param {Boolean} [options.requireFilter=false] If true, throws an error if the filter is empty (`{}`)
  * @return {Query} this
  * @see Model.update https://mongoosejs.com/docs/api/model.html#Model.update()
  * @see Query docs https://mongoosejs.com/docs/queries.html
@@ -4259,6 +4314,7 @@ Query.prototype.updateOne = function(conditions, doc, options, callback) {
  * @param {Object} [options.writeConcern=null] sets the [write concern](https://www.mongodb.com/docs/manual/reference/write-concern/) for replica sets. Overrides the [schema-level write concern](https://mongoosejs.com/docs/guide.html#writeConcern)
  * @param {Boolean} [options.timestamps=null] If set to `false` and [schema-level timestamps](https://mongoosejs.com/docs/guide.html#timestamps) are enabled, skip timestamps for this update. Does nothing if schema-level timestamps are not set.
  * @param {Boolean} [options.translateAliases=null] If set to `true`, translates any schema-defined aliases in `filter`, `projection`, `update`, and `distinct`. Throws an error if there are any conflicts where both alias and raw property are defined on the same object.
+ * @param {Boolean} [options.requireFilter=false] If true, throws an error if the filter is empty (`{}`)
  * @return {Query} this
  * @see Model.update https://mongoosejs.com/docs/api/model.html#Model.update()
  * @see Query docs https://mongoosejs.com/docs/queries.html