Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Fine-tuning your REST service
Lecture: Query options and security
0:01
I want to mention a few settings that will allow you
0:03
to fine tune and customize the query behavior of your service.
0:06
First, you may want to use a different grammar.
0:10
For example, you may want to use find instead of where
0:13
and order instead of sort.
0:15
That's very easy, just change the corresponding default settings. Let's see how.
0:27
Query where and query sort allow you to change the keyword
0:31
that clients will use to perform queries on your server,
0:35
so if we save this change, restart
0:39
and go back to Postman, we should see a difference.
0:43
Now a query like this can go by find and order by, it works as expected.
0:56
Sometimes you might want to disable filters altogether,
1:00
or you might want to just pick which fields are searchable and which aren't.
1:05
You control which fields are searchable
1:07
and which aren't with the allowed filter setting
1:13
which defaults to a star, which means everything is searchable.
1:21
If we empty the list, we are basically saying Eve
1:27
I don't want filters on my server,
1:30
clients are not allowed to perform any kind of query.
1:36
If we fill this list with field name,
1:39
we are whitelisting the fields we want to be searchable,
1:43
so for example, last name, this list is telling Eve
1:48
that we only want the last name field to be searchable on our endpoints.
1:53
However, this is a global setting, as you can tell by the uppercases here
1:58
so it doesn't really make a lot of sense
2:01
to have a list of fields in the global settings
2:04
because this will apply on all of our endpoints
2:07
and documents are going to have a different mapping depending on the endpoint
2:12
So you probably want to do these at the local level
2:15
here in the people endpoint,
2:21
we define that last name is the only searchable field
2:25
and then at the global level, we either want to disable filter altogether
2:29
or enable them by simply not writing this setting at the global level
2:36
because the default is already the star which means
2:39
all fields are searchable at all endpoints
2:42
whereas if we go with the empty list,
2:44
we are disabling filters at all endpoints
2:47
but still people, since it has its allowed filters definition itself,
2:51
will still allow the last name field to be searchable.
2:55
We just saw how we can disable filters
2:58
by setting allowed filters to an empty array
3:00
let's see how we can disable sorting instead
3:03
well, this is super simple, you just set sorting to false, by default it is true globally,
3:10
and sorting also has a local counterpart
3:14
so if you want you can go to a specific endpoint and set sorting to false
3:20
just for the endpoint while you keep sorting enabled
3:27
at the global level or vice versa.
3:32
Finally, let's talk a little bit about query security and performance.
3:36
If you go to the Eve website and specifically to the configuration page,
3:41
where by the way we find all of the settings
3:45
we've been mentioning so far and so many others.
3:48
We find that there is a Mongo query blacklist option,
3:52
now this is a list, and by default it has the
3:56
where and regex operators blacklisted
3:58
which means that if a client attempts a query using these operators,
4:03
they won't work, they will be ignored, and there is a reason for that.
4:08
These are JavaScript operators,
4:10
and JavaScript tends to be slow, first of all,
4:14
and second, it is JavaScript, so it can be used for injection attacks on the server.
4:20
It is unlikely to happen,
4:23
Mongo is not subject to injection attacks as most SQL servers are,
4:27
but it can still happen, so you have them disabled by default.
4:31
If you need to enable them, you can simply go to your settings file
4:35
and just set Mongo query operators to an empty list,
4:38
if you want to allow all of the Mongo operators
4:41
or you can fine tune by just including only what you really want to be excluded
4:47
and here for example, we are allowing the regex operator to work
4:52
because it is not in the list, while where is still excluded.