@alloalexandre alloalexandre commented Sep 16, 2025

Summary

Exposes the MongoDB collections (AccessTokens, RefreshTokens, AuthCodes, Clients) via a read-only collections getter on OAuth2Server. The getter returns a frozen object to prevent mutations, ensuring OAuth2 compliance while allowing custom queries/indexing.

Changes

  • Exported collections from lib/model/meteor-model.js.
  • Assigned this.collections in OAuthMeteorModel constructor (lib/model/model.js).
  • Added get collections() getter to OAuth2Server (lib/oauth.js) using Object.freeze for read-only access.
  • Updated API.md via meteor npm run build:docs.
  • Added test in tests/model-tests.js to verify getter and read-only behavior.

Motivation

Users need direct access to collections for custom logic (e.g., querying expired tokens or creating indexes). This provides a safe, controlled way without exposing internal model details or requiring low-level MongoDB driver APIs.

Testing

  • All existing tests pass (meteor npm run test).
  • New test verifies collections getter returns Mongo.Collection instances and enforces read-only behavior.
  • Linter passes (meteor npm run lint).

Example Usage

import { OAuth2Server } from 'meteor/leaonline:oauth2-server';

const server = new OAuth2Server({ /* config */ });
const expiredTokens = server.collections.AccessTokens.find({
  accessTokenExpiresAt: { $lt: new Date() }
}).fetch();
console.log(expiredTokens); // Array of expired access tokens
// Mutation attempt fails:
server.collections.AccessTokens = {}; // TypeError: Cannot assign to read only property

Notes

  • No development Branch: The CONTRIBUTING.md mentioning development seems outdated.
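
The read-only guarantee described in this PR applies to the object the getter returns, not to the collections inside it, because `Object.freeze` is shallow. The following added example (not code from the PR or the package) shows both behaviours; `FakeCollection` and `FakeOAuth2Server` are hypothetical stand-ins for `Mongo.Collection` and `OAuth2Server`.

```javascript
// Added example: FakeCollection and FakeOAuth2Server are hypothetical stand-ins,
// not Meteor's Mongo.Collection or the package's OAuth2Server.
class FakeCollection {
  constructor(name) {
    this.name = name;
    this.docs = [];
  }
  insert(doc) { this.docs.push(doc); return this.docs.length; }
  remove(match) {
    const before = this.docs.length;
    this.docs = this.docs.filter((doc) => !match(doc));
    return before - this.docs.length; // number of documents removed
  }
  find(match) { return this.docs.filter(match); }
}

class FakeOAuth2Server {
  constructor() {
    this._collections = {
      AccessTokens: new FakeCollection('AccessTokens'),
      RefreshTokens: new FakeCollection('RefreshTokens'),
    };
  }
  // Same shape as the getter described in the PR: a frozen object of collections.
  get collections() { return Object.freeze({ ...this._collections }); }
}

// Reassigning a property of the frozen object throws in strict mode.
function tryReassign(server) {
  'use strict';
  try {
    server.collections.AccessTokens = {};
    return 'reassigned';
  } catch (err) {
    return err.constructor.name;
  }
}

// Object.freeze is shallow: the collection behind the property still accepts writes.
function writeThroughGetter(server) {
  const tokens = server.collections.AccessTokens;
  tokens.insert({ accessToken: 'constructed-sample', accessTokenExpiresAt: new Date(0) });
  const removed = server.collections.AccessTokens.remove((doc) => doc.accessToken === 'constructed-sample');
  return {
    wrapperFrozen: Object.isFrozen(server.collections),
    collectionFrozen: Object.isFrozen(tokens),
    removed,
  };
}
```

Code that receives `server.collections` can therefore still insert, update or remove token documents, so access to the getter should be treated as write access to the token store.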
