medusajs · carlos-r-l-rodrigues · Jan 14, 2026 · Jan 14, 2026 · Jan 14, 2026 · Jan 15, 2026
@@ -48,6 +48,7 @@ describe("Middleware file loader", () => {
         },
       ]
     `)
+
     expect(loader.getMiddlewares()).toMatchInlineSnapshot(`
       [
         {

@@ -1,9 +1,7 @@
 import { z } from "@medusajs/deps/zod"
-import { MedusaError } from "@medusajs/utils"
-import { validateAndTransformQuery } from "../utils/validate-query"
 import { MedusaNextFunction, MedusaRequest, MedusaResponse } from "../types"
 import { RestrictedFields } from "../utils/restricted-fields"
-import { QueryConfig } from "@medusajs/types"
+import { validateAndTransformQuery } from "../utils/validate-query"
 
 export const createSelectParams = () => {
   return z.object({
@@ -453,307 +451,4 @@ describe("validateAndTransformQuery", () => {
       })
     )
   })
-
-  it("should throw when attempting to transform the input if disallowed fields are requested", async () => {
-    let mockRequest = {
-      restrictedFields: new RestrictedFields(),
-      query: {
-        fields: "+test_prop",
-      },
-    } as unknown as MedusaRequest
-    const mockResponse = {} as MedusaResponse
-    const nextFunction: MedusaNextFunction = jest.fn()
-
-    let queryConfig: any = {
-      defaults: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      allowed: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      isList: true,
-    }
-
-    let middleware = validateAndTransformQuery(createFindParams(), queryConfig)
-
-    await middleware(mockRequest, mockResponse, nextFunction)
-
-    expect(nextFunction).toHaveBeenLastCalledWith(
-      new MedusaError(
-        MedusaError.Types.INVALID_DATA,
-        `Requested fields [test_prop] are not valid`
-      )
-    )
-
-    mockRequest = {
-      ...mockRequest,
-      query: {
-        fields: "product",
-      },
-    } as unknown as MedusaRequest
-
-    queryConfig = {
-      defaults: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      allowed: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      isList: true,
-    }
-
-    middleware = validateAndTransformQuery(createFindParams(), queryConfig)
-
-    await middleware(mockRequest, mockResponse, nextFunction)
-
-    expect(nextFunction).toHaveBeenLastCalledWith(
-      new MedusaError(
-        MedusaError.Types.INVALID_DATA,
-        `Requested fields [product] are not valid`
-      )
-    )
-
-    mockRequest = {
-      ...mockRequest,
-      query: {
-        fields: "store",
-      },
-    } as unknown as MedusaRequest
-
-    queryConfig = {
-      defaults: [
-        "id",
-        "created_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      allowed: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-        "product",
-        "product.variants",
-        "store.name",
-      ],
-      isList: true,
-    }
-
-    middleware = validateAndTransformQuery(createFindParams(), queryConfig)
-
-    await middleware(mockRequest, mockResponse, nextFunction)
-
-    expect(nextFunction).toHaveBeenLastCalledWith(
-      new MedusaError(
-        MedusaError.Types.INVALID_DATA,
-        `Requested fields [store] are not valid`
-      )
-    )
-
-    mockRequest = {
-      ...mockRequest,
-      query: {
-        fields: "*product",
-      },
-    } as unknown as MedusaRequest
-
-    queryConfig = {
-      defaults: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      allowed: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      isList: true,
-    }
-
-    middleware = validateAndTransformQuery(createFindParams(), queryConfig)
-
-    await middleware(mockRequest, mockResponse, nextFunction)
-
-    expect(nextFunction).toHaveBeenLastCalledWith(
-      new MedusaError(
-        MedusaError.Types.INVALID_DATA,
-        `Requested fields [product] are not valid`
-      )
-    )
-
-    mockRequest = {
-      ...mockRequest,
-      query: {
-        fields: "*product.variants",
-      },
-    } as unknown as MedusaRequest
-
-    queryConfig = {
-      defaults: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      allowed: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-        "product",
-      ],
-      isList: true,
-    }
-
-    middleware = validateAndTransformQuery(createFindParams(), queryConfig)
-
-    await middleware(mockRequest, mockResponse, nextFunction)
-
-    expect(nextFunction).toHaveBeenLastCalledWith(
-      new MedusaError(
-        MedusaError.Types.INVALID_DATA,
-        `Requested fields [product.variants] are not valid`
-      )
-    )
-
-    mockRequest = {
-      ...mockRequest,
-      query: {
-        fields: "*product",
-      },
-    } as unknown as MedusaRequest
-
-    queryConfig = {
-      defaults: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      allowed: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-        "product.title",
-      ],
-      isList: true,
-    }
-
-    middleware = validateAndTransformQuery(createFindParams(), queryConfig)
-
-    await middleware(mockRequest, mockResponse, nextFunction)
-
-    expect(nextFunction).toHaveBeenLastCalledWith(
-      new MedusaError(
-        MedusaError.Types.INVALID_DATA,
-        `Requested fields [product] are not valid`
-      )
-    )
-  })
-
-  it("should throw when attempting to transform the input if restricted fields are requested", async () => {
-    const restrictedFields = new RestrictedFields()
-    let mockRequest = {
-      restrictedFields,
-      query: {
-        fields: "*product",
-      },
-    } as unknown as MedusaRequest
-
-    restrictedFields.add(["product"])
-
-    const mockResponse = {} as MedusaResponse
-    const nextFunction: MedusaNextFunction = jest.fn()
-
-    const queryConfig: QueryConfig<any> = {
-      defaults: [
-        "id",
-        "created_at",
-        "updated_at",
-        "deleted_at",
-        "metadata.id",
-        "metadata.parent.id",
-        "metadata.children.id",
-        "metadata.product.id",
-      ],
-      isList: true,
-    }
-
-    const middleware = validateAndTransformQuery(
-      createFindParams(),
-      queryConfig
-    )
-
-    await middleware(mockRequest, mockResponse, nextFunction)
-
-    expect(nextFunction).toHaveBeenLastCalledWith(
-      new MedusaError(
-        MedusaError.Types.INVALID_DATA,
-        `Requested fields [metadata.product.id, product] are not valid`
-      )
-    )
-  })
 })
@@ -1,6 +1,6 @@
+import { z } from "@medusajs/deps/zod"
 import { dynamicImport, FileSystem, isFileSkipped } from "@medusajs/utils"
 import { join } from "path"
-import { z } from "@medusajs/deps/zod"
 
 import { logger } from "../logger"
 import {
@@ -124,8 +124,15 @@ export class MiddlewareFileLoader {
           })
         }
 
-        if (route.middlewares) {
-          route.middlewares.forEach((middleware) => {
+        if (route.middlewares || route.policies) {
+          const middlewares = route.middlewares ?? []
+          if (route.policies && !route.middlewares?.length) {
+            middlewares.push((_, __, next) => {
+              next()
+            })
+          }
+
+          middlewares.forEach((middleware) => {
             result.middleware.push({
               handler: middleware,
               matcher: matcher,

@@ -1,5 +1,5 @@
 import { MedusaError } from "@medusajs/utils"
-import { hasPermission } from "../../utils/has-permission"
+import { hasPermission } from "../../policies/has-permission"
 import type {
   AuthenticatedMedusaRequest,
   MedusaNextFunction,
-Original file line number
+Diff line change
@@ Expand Up / @@ -48,6 +48,7 @@ describe("Middleware file loader", () => { @@
             },
           ]
         `)
         expect(loader.getMiddlewares()).toMatchInlineSnapshot(`
           [
             {
@@ Expand Down @@