fix: minor bugs

Author: arashsheyda

client/app/pages/[...collection]/index.vue

@@ -107,7 +107,9 @@ const filtered = computed(() => {
     return documents.value
   return documents.value.filter((document: any) => {
     for (const field of fields.value) {
-      if (document[field].toString().toLowerCase().includes(search.value.toLowerCase()))
+      // Add null/undefined check to prevent crashes
+      const value = document[field]
+      if (value != null && value.toString().toLowerCase().includes(search.value.toLowerCase()))
         return true
     }
     return false

src/rpc/database.ts

@@ -115,6 +115,10 @@ export function setupDatabaseRPC({}: DevtoolsServerContext) {
         if (!db) {
           return createError(new Error('Database not connected'))
         }
+        // Validate ObjectId format
+        if (!mongoose.Types.ObjectId.isValid(id)) {
+          return createError(new Error('Invalid ObjectId format'))
+        }
         return await db.collection(collection).findOne({ _id: new mongoose.Types.ObjectId(id) })
       }
       catch (error) {
@@ -128,6 +132,10 @@ export function setupDatabaseRPC({}: DevtoolsServerContext) {
         if (!db) {
           return createError(new Error('Database not connected'))
         }
+        // Validate ObjectId format
+        if (!mongoose.Types.ObjectId.isValid(_id)) {
+          return createError(new Error('Invalid ObjectId format'))
+        }
         return await db.collection(collection).updateOne({ _id: new mongoose.Types.ObjectId(_id) }, { $set: rest })
       }
       catch (error) {
@@ -140,6 +148,10 @@ export function setupDatabaseRPC({}: DevtoolsServerContext) {
         if (!db) {
           return createError(new Error('Database not connected'))
         }
+        // Validate ObjectId format
+        if (!mongoose.Types.ObjectId.isValid(id)) {
+          return createError(new Error('Invalid ObjectId format'))
+        }
         return await db.collection(collection).deleteOne({ _id: new mongoose.Types.ObjectId(id) })
       }
       catch (error) {

src/rpc/index.ts

@@ -11,7 +11,9 @@ export function setupRPC(ctx: DevtoolsServerContext): ServerFunctions {
     logger.warn('MongoDB autoconnect is disabled, configure `uri` to enable.')
   }
   else {
-    mongoose.connect(ctx.options.uri, ctx.options.options)
+    mongoose.connect(ctx.options.uri, ctx.options.options).catch((err) => {
+      logger.error('Failed to connect to MongoDB:', err)
+    })
   }
 
   return {

src/rpc/resource.ts

@@ -1,14 +1,14 @@
 import fs from 'fs-extra'
 import { join } from 'pathe'
 import mongoose from 'mongoose'
-import type { Collection, DevtoolsServerContext, Resource, ServerFunctions } from '../types'
+import type { CollectionDefinition, DevtoolsServerContext, Resource, ServerFunctions } from '../types'
 import { capitalize, generateApiRoute, generateSchemaFile, pluralize, singularize } from '../utils'
 
 export function setupResourceRPC({ nuxt }: DevtoolsServerContext): any {
   const config = nuxt.options.runtimeConfig.mongoose
 
   return {
-    async generateResource(collection: Collection, resources: Resource[]) {
+    async generateResource(collection: CollectionDefinition, resources: Resource[]) {
       const singular = singularize(collection.name).toLowerCase()
       const plural = pluralize(collection.name).toLowerCase()
       const dbName = capitalize(singular)
@@ -56,7 +56,9 @@ export function setupResourceRPC({ nuxt }: DevtoolsServerContext): any {
         const content = fs.readFileSync(schemaPath, 'utf-8').match(/schema: \{(.|\n)*\}/g)
         if (content) {
           const schemaString = content[0].replace('schema: ', '').slice(0, -3)
-          const schema = eval(`(${schemaString})`)
+          // SECURITY FIX: Use Function constructor instead of eval
+          // eslint-disable-next-line no-new-func
+          const schema = new Function(`return ${schemaString}`)()
           return schema
         }
       }

src/types/index.ts

@@ -31,7 +31,7 @@ export interface ServerFunctions {
   deleteDocument(collection: string, id: string): Promise<RPCResult<DeleteResult>>
 
   // Resource - api-routes & models
-  generateResource(collection: MCollection, resources: Resource[]): Promise<any>
+  generateResource(collection: CollectionDefinition, resources: Resource[]): Promise<any>
   resourceSchema(collection: string): Promise<any>
   getCollectionSchema(collection: string): Promise<RPCResult<Record<string, { type: string }>>>
 
@@ -48,7 +48,7 @@ export interface DevtoolsServerContext {
   wsServer: Promise<WebSocketServer>
 }
 
-export interface Collection {
+export interface CollectionDefinition {
   name: string
   fields?: object[]
 }