Add typed filter value normalization

Normalize filter query values through schema types before applying filters, including nested arrays, objects, operator payloads, and comma-separated arrays.

Expose filter type/operator metadata in OpenAPI, update Laravel filters to share the normalization path, and preserve precise JSON:API source parameters for nested filter errors.

Author: tobyzerner

docs/errors.md

@@ -93,11 +93,16 @@ error object from the context in which it is thrown:
 
 ```php
 throw (new UnknownFieldException('email'))
-    ->source(['pointer' => '/data/attributes/email'])
+    ->prependSourcePointer('/data/attributes/email')
     ->meta(['suggestion' => 'Did you mean "emailAddress"?'])
     ->links(['about' => 'https://example.com/docs/fields']);
 ```
 
+Use `prependSourcePointer()` for request body locations and
+`prependSourceParameter()` for query parameters. If an error comes from nested validation, use
+`prependSourcePath()` to accumulate relative path segments before anchoring it to
+a pointer or parameter.
+
 ## Multiple Errors
 
 When multiple validation errors occur (e.g., multiple field validation
@@ -111,7 +116,7 @@ use Tobyz\JsonApiServer\Exception\InvalidFieldValueException;
 throw new JsonApiErrorsException([
     new RequiredFieldException(),
     new InvalidFieldValueException('Must be a valid email address'),
-])->prependSource(['pointer' => '/data/attributes/email']);
+])->prependSourcePointer('/data/attributes/email');
 ```
 
 This will return a JSON:API error response with multiple error objects:

docs/filtering.md

@@ -29,10 +29,12 @@ provided to make it easy to implement filtering on your resource.
 
 The easiest way to define a filter is to use the `CustomFilter` class, which
 accepts the name of the filter parameter and a callback to apply the filter to
-the query. The value received by a filter can be a string or an array, so you
-will need to handle both:
+the query. Without a declared type, the value received by a filter is the raw
+query string value: either a string or an array, depending on how the filter was
+used in the URL:
 
 ```php
+use Tobyz\JsonApiServer\Context;
 use Tobyz\JsonApiServer\Schema\CustomFilter;
 
 CustomFilter::make('name', function (
@@ -51,7 +53,110 @@ GET /posts?filter[name]=Toby
 GET /posts?filter[name][]=Toby&filter[name][]=Franz
 ```
 
-## Boolean Filters
+### Typed Values
+
+Filters receive raw query string values by default. If you want a filter to
+receive a validated value, declare its type using the same type system used by
+fields and parameters:
+
+```php
+use Tobyz\JsonApiServer\Schema\CustomFilter;
+use Tobyz\JsonApiServer\Schema\Type;
+
+CustomFilter::make('published', function ($query, bool $value) {
+    $query->where('published', $value);
+})->type(Type\Boolean::make());
+
+CustomFilter::make('ids', function ($query, array $ids) {
+    $query->whereKey($ids);
+})->type(
+    Type\Arr::make()->items(Type\Integer::make())
+);
+```
+
+### Arrays
+
+Array filters accept repeated query parameters, and scalar values are treated as
+one-item arrays. If you want a comma-delimited string to be split into array
+items, use `commaSeparated()` on the array type:
+
+```php
+CustomFilter::make('ids', function ($query, array $ids) {
+    $query->whereKey($ids);
+})->type(
+    Type\Arr::make()->items(Type\Integer::make())->commaSeparated()
+);
+```
+
+Now all of these requests pass an integer array to the callback:
+
+```http
+GET /posts?filter[ids]=1
+GET /posts?filter[ids]=1,2,3
+GET /posts?filter[ids][]=1&filter[ids][]=2
+```
+
+### Operators
+
+You may also opt into operator syntax:
+
+```php
+CustomFilter::make('views', function ($query, array $value) {
+    foreach ($value as $operator => $views) {
+        $query->where('views', [
+            'eq' => '=',
+            'gt' => '>',
+            'gte' => '>=',
+            'lt' => '<',
+            'lte' => '<=',
+        ][$operator], $views);
+    }
+})
+    ->type(Type\Integer::make())
+    ->operators(['eq', 'gt', 'gte', 'lt', 'lte']);
+```
+
+```http
+GET /posts?filter[views]=100
+GET /posts?filter[views][gt]=100
+```
+
+The value passed to the callback is an array keyed by operator. When no operator
+is specified, the first configured operator is used.
+
+## Writing Filters
+
+If you need to reuse filter logic across resources, create your own filter
+class by extending `Tobyz\JsonApiServer\Schema\Filter` and implementing the
+`applyValue` method:
+
+```php
+use Tobyz\JsonApiServer\Context;
+use Tobyz\JsonApiServer\Schema\Filter;
+use Tobyz\JsonApiServer\Schema\Type;
+
+class WhereIn extends Filter
+{
+    public static function make(string $name): static
+    {
+        return new static($name);
+    }
+
+    public function __construct(string $name)
+    {
+        parent::__construct($name);
+
+        $this->type(Type\Arr::make()->items(Type\Str::make()));
+    }
+
+    protected function applyValue(object $query, mixed $value, Context $context): void
+    {
+        $query->whereIn($this->name, $value);
+    }
+}
+```
+
+## Boolean Groups
 
 By default it is assumed that each filter applied to the query will be combined
 with a logical `AND`. When a resource implements
@@ -69,8 +174,8 @@ GET /posts
   &filter[and][1][or][1][not][status]=archived
 ```
 
-In this request every result must be published, and it must also either have
-more than 100 views or it is not archived.
+In this request every result must be published, and it must either have more
+than 100 views or not be archived.
 
 ```http
 GET /posts
@@ -83,27 +188,6 @@ This request returns drafts, or posts that are published and have comments. The
 second example also shows that in certain cases you can omit `[and]` groups and
 numeric indices; sibling filters at the same level default to `AND` behaviour.
 
-## Writing Filters
-
-To create your own filter class, extend the `Tobyz\JsonApiServer\Schema\Filter`
-class and implement the `apply` method:
-
-```php
-use Tobyz\JsonApiServer\Context;
-use Tobyz\JsonApiServer\Schema\Filter;
-
-class WhereIn extends Filter
-{
-    public function apply(
-        object $query,
-        string|array $value,
-        Context $context,
-    ): void {
-        $query->whereIn($this->name, $value);
-    }
-}
-```
-
 ## Visibility
 
 If you want to restrict the ability to use a filter, use the `visible` or

docs/laravel.md

@@ -180,6 +180,7 @@ WhereNull::make('draft')->column('published_at');
 WhereNotNull::make('published')->column('published_at');
 Scope::make('withTrashed')->asBoolean();
 Scope::make('trashed')->scope('onlyTrashed');
+Scope::make('ids')->commaSeparated();
 ```
 
 ### Boolean Filters

src/Endpoint/Concerns/MutatesResource.php

@@ -135,7 +135,7 @@ private function assertFieldsWritable(Context $context, bool $creating = false):
             try {
                 $this->assertFieldWritable($context, $field, $creating);
             } catch (Sourceable $e) {
-                throw $e->prependSource(['pointer' => '/data' . field_path($field)]);
+                throw $e->prependSourcePointer('/data' . field_path($field));
             }
         }
     }
@@ -169,7 +169,7 @@ private function deserializeValues(Context $context, bool $creating = false): vo
             try {
                 set_value($context->data, $field, $field->deserializeValue($value, $context));
             } catch (Sourceable $e) {
-                throw $e->prependSource(['pointer' => '/data' . field_path($field)]);
+                throw $e->prependSourcePointer('/data' . field_path($field));
             }
         }
     }
@@ -218,7 +218,7 @@ private function validateField(Context $context, Field|Id $field, mixed $value):
                 );
             }
 
-            $errors[] = $error->source(['pointer' => '/data' . field_path($field)]);
+            $errors[] = $error->prependSourcePointer('/data' . field_path($field));
         };
 
         $field->validateValue($value, $fail, $context->withField($field));

src/Endpoint/Concerns/ResolvesList.php

@@ -27,15 +27,26 @@ protected function listParameters(
         $params = [];
 
         if ($filters = $collection->filters()) {
-            $params[] = Parameter::make('filter')->type(Type\Obj::make());
+            $filterProperties = [];
 
-            // TODO: properties of above?
             foreach ($filters as $filter) {
-                $params[] = Parameter::make("filter[{$filter->name}]")->type(Type\Any::make());
+                $filterProperties[$filter->name] = $filter->getSchema();
             }
+
+            $params[] = Parameter::make('filter')
+                ->type(Type\Obj::make())
+                ->schema([
+                    'style' => 'deepObject',
+                    'explode' => true,
+                    'schema' => [
+                        'type' => 'object',
+                        'additionalProperties' => true,
+                        'properties' => $filterProperties,
+                    ],
+                ]);
         }
 
-        if ($sorts = $collection->sorts()) {
+        if ($collection->sorts()) {
             $params[] = Parameter::make('sort')
                 ->type(Type\Str::make())
                 ->default($defaultSort ?? $collection->defaultSort());
@@ -115,7 +126,7 @@ private function applyListFilters(
         try {
             apply_filters($query, $filters, $collection, $context);
         } catch (Sourceable $e) {
-            throw $e->prependSource(['parameter' => 'filter']);
+            throw $e->prependSourceParameter('filter');
         }
     }
 }

src/Exception/Concerns/JsonApiError.php

@@ -7,6 +7,7 @@
 trait JsonApiError
 {
     public array $error = [];
+    private array $sourcePath = [];
 
     public function __construct(array|string $message = '')
     {
@@ -20,15 +21,66 @@ public function __construct(array|string $message = '')
 
     public function source(array $source): static
     {
+        $this->sourcePath = [];
         $this->error['source'] = $source;
 
         return $this;
     }
 
+    public function prependSourceParameter(string $parameter): static
+    {
+        if ($this->sourcePath) {
+            $parameter .= implode(
+                '',
+                array_map(fn(int|string $segment) => '[' . $segment . ']', $this->sourcePath),
+            );
+
+            $this->sourcePath = [];
+        }
+
+        $this->error['source']['parameter'] =
+            $parameter . ($this->error['source']['parameter'] ?? '');
+
+        return $this;
+    }
+
+    public function prependSourcePointer(string $pointer): static
+    {
+        if ($this->sourcePath) {
+            $pointer .= '/' . implode(
+                '/',
+                array_map(
+                    fn(int|string $segment) => strtr((string) $segment, ['~' => '~0', '/' => '~1']),
+                    $this->sourcePath,
+                ),
+            );
+
+            $this->sourcePath = [];
+        }
+
+        $this->error['source']['pointer'] = $pointer . ($this->error['source']['pointer'] ?? '');
+
+        return $this;
+    }
+
+    public function prependSourcePath(int|string ...$path): static
+    {
+        $this->sourcePath = [...$path, ...$this->sourcePath];
+
+        return $this;
+    }
+
+    /** @deprecated Use prependSourcePath() and prependSourceParameter() or prependSourcePointer(). */
     public function prependSource(array $source): static
     {
         foreach ($source as $k => $v) {
-            $this->error['source'][$k] = $v . ($this->error['source'][$k] ?? '');
+            if ($k === 'parameter') {
+                $this->prependSourceParameter($v);
+            } elseif ($k === 'pointer') {
+                $this->prependSourcePointer($v);
+            } else {
+                $this->error['source'][$k] = $v . ($this->error['source'][$k] ?? '');
+            }
         }
 
         return $this;

src/Exception/JsonApiErrorsException.php

@@ -17,11 +17,32 @@ public function __construct(public array $errors)
         }
     }
 
+    public function prependSourcePath(int|string ...$path): static
+    {
+        return $this->eachSourceable(fn(Sourceable $error) => $error->prependSourcePath(...$path));
+    }
+
+    public function prependSourceParameter(string $parameter): static
+    {
+        return $this->eachSourceable(fn(Sourceable $error) => $error->prependSourceParameter($parameter));
+    }
+
+    public function prependSourcePointer(string $pointer): static
+    {
+        return $this->eachSourceable(fn(Sourceable $error) => $error->prependSourcePointer($pointer));
+    }
+
+    /** @deprecated Use prependSourcePath() and prependSourceParameter() or prependSourcePointer(). */
     public function prependSource(array $source): static
+    {
+        return $this->eachSourceable(fn(Sourceable $error) => $error->prependSource($source));
+    }
+
+    private function eachSourceable(callable $callback): static
     {
         foreach ($this->errors as $error) {
             if ($error instanceof Sourceable) {
-                $error->prependSource($source);
+                $callback($error);
             }
         }
 

src/Exception/Sourceable.php

@@ -4,5 +4,12 @@
 
 interface Sourceable
 {
+    public function prependSourcePath(int|string ...$path): static;
+
+    public function prependSourceParameter(string $parameter): static;
+
+    public function prependSourcePointer(string $pointer): static;
+
+    /** @deprecated Use prependSourcePath() and prependSourceParameter() or prependSourcePointer(). */
     public function prependSource(array $source): static;
 }

src/Extension/Atomic/Atomic.php

@@ -64,7 +64,7 @@ public function handle(Context $context): ?Response
                     default => throw new InvalidAtomicOperationException($operation['op'] ?? null),
                 };
             } catch (Sourceable $e) {
-                throw $e->prependSource(['pointer' => "/atomic:operations/$i"]);
+                throw $e->prependSourcePointer("/atomic:operations/$i");
             }
 
             $results[] = json_decode($response->getBody(), true);