Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Fine-tuning your REST service
Lecture: Query options and security

0:01 I want to mention a few settings that will allow you
0:03 to fine tune and customize the query behavior of your service.
0:06 First, you may want to use a different grammar.
0:10 For example, you may want to use find instead of where
0:13 and order instead of sort.
0:15 That's very easy, just change the corresponding default settings. Let's see how.
0:27 Query where and query sort allow you to change the keyword
0:31 that clients will use to perform queries on your server,
0:35 so if we save this change, restart
0:39 and go back to Postman, we should see a difference.
0:43 Now a query like this can go by find and order by; it works as expected.
0:56 Sometimes you might want to disable filters altogether,
1:00 or you might want to just pick which fields are searchable and which aren't.
1:05 You control which fields are searchable
1:07 and which aren't with the allowed filter setting
1:13 which defaults to a star, which means everything is searchable.
1:21 If we empty the list, we are basically saying Eve
1:27 I don't want filters on my server,
1:30 clients are not allowed to perform any kind of query.
1:36 If we fill this list with field name,
1:39 we are whitelisting the fields we want to be searchable,
1:43 so for example, last name, this list is telling Eve
1:48 that we only want the last name field to be searchable on our endpoints.
1:53 However, this is a global setting, as you can tell by the uppercase here,
1:58 so it doesn't really make a lot of sense
2:01 to have a list of fields in the global settings
2:04 because this will apply on all of our endpoints
2:07 and documents are going to have a different mapping depending on the endpoint
2:12 So you probably want to do these at the local level
2:15 here in the people endpoint,
2:21 we define that last name is the only searchable field
2:25 and then at the global level, we either want to disable filter altogether
2:29 or enable them by simply not writing this setting at the global level
2:36 because the default is already the star which means
2:39 all fields are searchable at all endpoints
2:42 whereas if we go with the empty list,
2:44 we are disabling filters at all endpoints
2:47 but people, since it has its own allowed filters definition,
2:51 will still allow the last name field to be searchable.
2:55 We just saw how we can disable filters
2:58 by setting allowed filters to an empty array
3:00 let's see how we can disable sorting instead
3:03 well, this is super simple: you just set sorting to false; by default it is true globally,
3:10 and sorting also has a local counterpart
3:14 so if you want you can go to a specific endpoint and set sorting to false
3:20 just for the endpoint while you keep sorting enabled
3:27 at the global level, or vice versa.
3:32 Finally, let's talk a little bit about query security and performance.
3:36 If you go to the Eve website and specifically to the configuration page,
3:41 where by the way we find all of the settings
3:45 we've been mentioning so far and so many others,
3:48 we find that there is a Mongo query blacklist option.
3:52 now this is a list, and by default it has the
3:56 where and regex operators blacklisted
3:58 which means that if a client attempts a query using these operators,
4:03 they won't work, they will be ignored, and there is a reason for that.
4:08 These are JavaScript operators,
4:10 and JavaScript tends to be slow, first of all,
4:14 and second, it is JavaScript, so it can be used for injection attacks on the server.
4:20 It is unlikely to happen,
4:23 Mongo is not subject to injection attacks as most SQL servers are,
4:27 but it can still happen, so you have them disabled by default.
4:31 If you need to enable them, you can simply go to your settings file
4:35 and just set Mongo query operators to an empty list,
4:38 if you want to allow all of the Mongo operators
4:41 or you can fine tune by just including only what you really want to be excluded
4:47 and here, for example, we are allowing the regex operator to work
4:52 because it is not in the list, while where is still excluded.