Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Fine-tuning your REST service
Lecture: Query options and security
0:01
I want to mention a few settings that will allow you to fine-tune and customize the query behavior of your service.
0:07
First, you may want to use a different grammar. For example, you may want to use find instead of where and order instead of sort.
0:16
That's very easy: just change the corresponding default settings. Let's see how. Query where and query sort allow you to change the keyword
0:32
that clients will use to perform queries on your server, so if we save this change, restart and go back to Postman, we should see a difference.
0:44
Now a query like this can go by find and order by; it works as expected. Sometimes you might want to disable filters altogether,
1:01
or you might want to just pick which fields are searchable and which aren't. You control which fields are searchable
1:08
and which aren't with the allowed filters setting, which defaults to a star, which means everything is searchable.
1:22
If we empty the list, we are basically saying: Eve, I don't want filters on my server; clients are not allowed to perform any kind of query.
1:37
If we fill this list with field names, we are whitelisting the fields we want to be searchable, so for example, last name: this list is telling Eve
1:49
that we only want the last name field to be searchable on our endpoints. However, this is a global setting, as you can tell by the uppercase here,
1:59
so it doesn't really make a lot of sense to have a list of fields in the global settings, because this will apply to all of our endpoints
2:08
and documents are going to have a different mapping depending on the endpoint. So you probably want to do this at the local level;
2:16
here in the people endpoint, we define that last name is the only searchable field,
2:26
and then at the global level, we either want to disable filters altogether or enable them by simply not writing this setting at the global level,
2:37
because the default is already the star, which means all fields are searchable at all endpoints, whereas if we go with the empty list,
2:45
we are disabling filters at all endpoints, but still people, since it has an allowed filters definition itself,
2:52
will still allow the last name field to be searchable. We just saw how we can disable filters by setting allowed filters to an empty array;
3:01
let's see how we can disable sorting instead. Well, this is super simple: you just set sorting to false; by default it is true globally,
3:11
and sorting also has a local counterpart, so if you want you can go to a specific endpoint and set sorting to false
3:21
just for the endpoint while you keep sorting enabled at the global level, or vice versa.
3:33
Finally, let's talk a little bit about query security and performance. If you go to the Eve website and specifically to the configuration page,
3:42
where, by the way, we find all of the settings we've been mentioning so far and so many others, we find that there is a Mongo query blacklist option.
3:53
Now, this is a list, and by default it has the where and regex operators blacklisted,
3:59
which means that if a client attempts a query using these operators, they won't work; they will be ignored, and there is a reason for that.
4:09
These are JavaScript operators, and JavaScript tends to be slow, first of all,
4:15
and second, it is JavaScript, so it can be used for injection attacks on the server. It is unlikely to happen;
4:24
Mongo is not subject to injection attacks as most SQL servers are, but it can still happen, so you have them disabled by default.
4:32
If you need to enable them, you can simply go to your settings file and just set Mongo query operators to an empty list,
4:39
if you want to allow all of the Mongo operators, or you can fine-tune by including only what you really want to be excluded,
4:48
and here, for example, we are allowing the regex operator to work because it is not in the list, while where is still excluded.