Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Fine-tuning your REST service
Lecture: Query options and security

0:01 I want to mention a few settings that will allow you to fine tune and customize the query behavior of your service.
0:07 First, you may want to use a different grammar. For example, you may want to use find instead of where and order instead of sort.
0:16 That's very easy, just change the corresponding default settings. Let's see how. Query where and query sort allow you to change the keywords
0:32 that clients will use to perform queries on your server, so if we save this change, restart and go back to Postman, we should see a difference.
0:44 Now a query like this can go by find and order by; it works as expected. Sometimes you might want to disable filters altogether,
1:01 or you might want to just pick which fields are searchable and which aren't. You control which fields are searchable
1:08 and which aren't with the allowed filter setting which defaults to a star, which means everything is searchable.
1:22 If we empty the list, we are basically saying, Eve, I don't want filters on my server; clients are not allowed to perform any kind of query.
1:37 If we fill this list with field names, we are whitelisting the fields we want to be searchable. So for example, last name: this list is telling Eve
1:49 that we only want the last name field to be searchable on our endpoints. However, this is a global setting, as you can tell by the uppercase here,
1:59 so it doesn't really make a lot of sense to have a list of fields in the global settings, because this will apply on all of our endpoints,
2:08 and documents are going to have a different mapping depending on the endpoint. So you probably want to do this at the local level.
2:16 Here in the people endpoint, we define that last name is the only searchable field,
2:26 and then at the global level, we either want to disable filters altogether or enable them by simply not writing this setting at the global level,
2:37 because the default is already the star, which means all fields are searchable at all endpoints, whereas if we go with the empty list,
2:45 we are disabling filters at all endpoints, but people, since it has an allowed filters definition itself,
2:52 will still allow the last name field to be searchable. We just saw how we can disable filters by setting allowed filters to an empty array.
3:01 Let's see how we can disable sorting instead. Well, this is super simple, you just set sorting to false; by default it is true globally,
3:11 and sorting also has a local counterpart so if you want you can go to a specific endpoint and set sorting to false
3:21 just for the endpoint while you keep sorting enabled at the global level, or vice versa.
3:33 Finally, let's talk a little bit about query security and performance. If you go to the Eve website and specifically to the configuration page,
3:42 where by the way we find all of the settings we've been mentioning so far and so many others, we find that there is a Mongo query blacklist option.
3:53 Now this is a list, and by default it has the where and regex operators blacklisted,
3:59 which means that if a client attempts a query using these operators, they won't work, they will be ignored, and there is a reason for that.
4:09 These are JavaScript operators, and JavaScript tends to be slow, first of all,
4:15 and second, it is JavaScript, so it can be used for injection attacks on the server. It is unlikely to happen,
4:24 Mongo is not subject to injection attacks as most SQL servers are, but it can still happen, so you have them disabled by default.
4:32 If you need to enable them, you can simply go to your settings file and just set Mongo query operators to an empty list,
4:39 if you want to allow all of the Mongo operators, or you can fine tune by including only what you really want to be excluded,
4:48 and here for example, we are allowing the regex operator to work because it is not in the list, while where is still excluded.