
Fix REST endpoint /set not protecting serverOnlyFields #388

Open

pubkey wants to merge 1 commit into master from claude/fix-readonly-fields-bug-h4Fr3

Conversation

Owner

@pubkey pubkey commented Apr 4, 2026

This PR contains:

  • A BUGFIX
  • IMPROVED TESTS
  • CHANGELOG

Describe the problem you have without this PR

The REST endpoint /set handler was not properly protecting serverOnlyFields from being overwritten by clients. When a client included server-only field values in a write request to /set, those values would be stored directly instead of being ignored. This is a security issue as it allows clients to modify fields that should only be controlled by the server.

Solution

The fix applies the same protection mechanism used in the replication endpoint by:

  1. Using mergeServerDocumentFieldsMonad to ensure server-only field values are always preserved from the server-side document, not taken from client input
  2. Applying this merge logic in both insert and patch operations within the /set endpoint handler
  3. This ensures consistency with how the replication endpoint handles server-only fields

Changes Made

  • src/plugins/server/endpoint-rest.ts:

    • Import mergeServerDocumentFieldsMonad helper
    • Apply field merging for insert operations (new documents)
    • Apply field merging for patch operations (existing documents)
  • test/unit/endpoint-rest.test.ts:

    • Added comprehensive test case verifying that clients cannot overwrite serverOnlyFields via /set
    • Test confirms server-only fields retain their original values even when clients attempt to modify them
  • CHANGELOG.md:

    • Documented the bug fix

Test Plan

Added unit test "should not allow clients to overwrite serverOnlyFields via /set" that:

  1. Creates a document with a server-only field (lastName)
  2. Retrieves it from the client (field is stripped)
  3. Attempts to modify both the server-only field and a regular field
  4. Verifies the server-only field is preserved with its original value
  5. Verifies the regular field is updated as expected

https://claude.ai/code/session_01VY6XkShCThZjtCYv7iRRmL
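The merge behaviour described in the Solution section above, as an added TypeScript example that is not the project's own code and not part of this PR. It models a tiny in-memory collection with a vulnerable /set handler beside a hardened one. The helper mergeServerDocumentFields, the handlers setUnprotected and setProtected, runScenario and the sample documents are assumptions constructed here; they mirror the behaviour the PR attributes to mergeServerDocumentFieldsMonad, not its real signature. The insert-path behaviour (a new document has no server-side copy, so any client-supplied value for a server-only field is dropped) is an assumed reading of the description.

```typescript
// Added example (not the project's code): a minimal model of the /set
// handler showing why raw client data must not reach insert/patch, and
// how merging server-only fields from the stored document prevents it.

type Doc = { id: string } & Record<string, unknown>;

interface ServerCollection {
  serverOnlyFields: string[]; // fields only the server may write
  docs: Map<string, Doc>;     // stored documents keyed by id
}

// Hypothetical helper modelled on the behaviour this PR attributes to
// mergeServerDocumentFieldsMonad; name and signature are assumptions.
// Server-only values always come from serverDoc; for a new document
// (no serverDoc) a client-supplied value for those fields is dropped.
function mergeServerDocumentFields(
  clientDoc: Doc,
  serverDoc: Doc | undefined,
  serverOnlyFields: string[],
): Doc {
  const merged: Doc = { ...clientDoc };
  for (const field of serverOnlyFields) {
    if (serverDoc !== undefined && field in serverDoc) {
      merged[field] = serverDoc[field];
    } else {
      delete merged[field];
    }
  }
  return merged;
}

// What a client sees on read: server-only fields stripped.
function toClientView(doc: Doc, serverOnlyFields: string[]): Doc {
  const view: Doc = { ...doc };
  for (const field of serverOnlyFields) delete view[field];
  return view;
}

// Before the fix: the client payload is stored as-is, so a client that
// echoes back (or invents) a server-only field overwrites it.
function setUnprotected(col: ServerCollection, payload: Doc[]): void {
  for (const clientDoc of payload) {
    const existing = col.docs.get(clientDoc.id);
    const stored: Doc = existing ? { ...existing, ...clientDoc } : { ...clientDoc };
    col.docs.set(stored.id, stored);
  }
}

// After the fix: merge against the stored document on both the
// insert path (no existing doc) and the patch path (existing doc).
function setProtected(col: ServerCollection, payload: Doc[]): void {
  for (const clientDoc of payload) {
    const existing = col.docs.get(clientDoc.id);
    const safe = mergeServerDocumentFields(clientDoc, existing, col.serverOnlyFields);
    const stored: Doc = existing ? { ...existing, ...safe } : safe;
    col.docs.set(stored.id, stored);
  }
}

// Constructed scenario mirroring the PR's test plan: lastName is
// server-only; the client reads the doc (lastName stripped), then tries
// to change both lastName and firstName, and also to insert a new doc
// that seeds lastName.
function runScenario(
  handler: (col: ServerCollection, payload: Doc[]) => void,
): { patched: Doc | undefined; inserted: Doc | undefined; clientView: Doc } {
  const col: ServerCollection = {
    serverOnlyFields: ['lastName'],
    docs: new Map<string, Doc>([
      ['u1', { id: 'u1', firstName: 'Alice', lastName: 'Server' }],
    ]),
  };
  const clientView = toClientView(col.docs.get('u1')!, col.serverOnlyFields);
  handler(col, [
    { ...clientView, firstName: 'Bob', lastName: 'Forged' }, // patch attempt
    { id: 'u2', firstName: 'Mallory', lastName: 'Forged' },  // insert attempt
  ]);
  return { patched: col.docs.get('u1'), inserted: col.docs.get('u2'), clientView };
}

console.log('unprotected:', runScenario(setUnprotected));
console.log('protected:  ', runScenario(setProtected));
```

With setUnprotected the stored lastName becomes "Forged" on both paths; with setProtected the patched document keeps lastName "Server" while firstName changes to "Bob", and the inserted document has no lastName at all.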

…erwrites

The REST endpoint's /set handler used raw client data for doc.patch() and
collection.insert(), allowing clients to overwrite server-only fields.
Now uses mergeServerDocumentFields (consistent with the replication endpoint)
to ensure server-only field values always come from the server document.

https://claude.ai/code/session_01VY6XkShCThZjtCYv7iRRmL
