Mongo query security issue? - mongodb

I've created an interesting API and I'm wondering if there is a security issue I haven't thought of. So basically my GET route allows the user to send an entire stringified Mongo query, which I then just pass to the Mongo driver.
I make sure that any query containing $where or function is invalid. Other than that I couldn't think of any other issue I might run into by allowing the client to send queries.
I'm really interested to hear your thoughts, am I missing something totally obvious here?
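As an added example (not code from the question or any answer), this is what a reviewer would suggest instead of a substring check for "$where": parse the client's JSON and accept it only when every field name and operator is on an allowlist, so hidden fields and unlisted operators are rejected by name. The field names and size limits are assumptions for the demo, as is the Express/Node setting implied by the question.

```javascript
// Added example (not code from the original post). Instead of rejecting
// strings that contain "$where", parse the client's JSON and accept it only
// when every field name and operator is on an allowlist. The field names and
// size limits below are assumptions for the demo, not from the question.

const MAX_FILTER_BYTES = 2048;
const MAX_DEPTH = 4;
const MAX_IN_VALUES = 100;
const MAX_STRING_LENGTH = 256;

// Fields the client may filter on. Anything else (passwordHash, internal
// flags, other users' ids) is refused, so it cannot be probed via $regex
// or $exists, neither of which a "$where" check would ever notice.
const ALLOWED_FIELDS = new Set(["title", "status", "createdAt", "ownerId"]);

// Comparison operators allowed inside a field condition, e.g. {"age":{"$gt":18}}.
const COMPARISON_OPS = new Set(["$eq", "$ne", "$gt", "$gte", "$lt", "$lte", "$in", "$nin"]);

// Logical operators allowed at the top level of the filter.
const LOGICAL_OPS = new Set(["$and", "$or"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Only JSON scalars may be compared against; objects are refused so that no
// operator can be smuggled in as a value ({"$eq":{"$gt":""}}).
function assertScalar(v, where) {
  const ok = v === null || typeof v === "boolean" ||
    (typeof v === "number" && Number.isFinite(v)) ||
    (typeof v === "string" && v.length <= MAX_STRING_LENGTH);
  if (!ok) throw new Error(`non-scalar or oversized value in ${where}`);
}

// A field condition such as {"$gte": 5, "$in": [...]}: every key must be an
// allowed comparison operator and every value a scalar.
function validateCondition(field, cond, depth) {
  if (depth > MAX_DEPTH) throw new Error("filter too deeply nested");
  for (const [op, value] of Object.entries(cond)) {
    if (!COMPARISON_OPS.has(op)) throw new Error(`operator not allowed on ${field}: ${op}`);
    if (op === "$in" || op === "$nin") {
      if (!Array.isArray(value) || value.length > MAX_IN_VALUES) {
        throw new Error(`${op} on ${field} must be an array of at most ${MAX_IN_VALUES} values`);
      }
      value.forEach((v) => assertScalar(v, `${field}.${op}`));
    } else {
      assertScalar(value, `${field}.${op}`);
    }
  }
}

// Top level: an allowed field (scalar or condition object), or $and/$or over
// a non-empty array of sub-filters. Any other "$..." key ($where, $expr,
// $text, $jsonSchema, ...) is rejected by name.
function validateFilter(filter, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error("filter too deeply nested");
  if (!isPlainObject(filter)) throw new Error("filter must be a JSON object");
  for (const [key, value] of Object.entries(filter)) {
    if (LOGICAL_OPS.has(key)) {
      if (!Array.isArray(value) || value.length === 0) throw new Error(`${key} needs a non-empty array`);
      value.forEach((sub) => validateFilter(sub, depth + 1));
    } else if (key.startsWith("$")) {
      throw new Error(`operator not allowed at top level: ${key}`);
    } else if (!ALLOWED_FIELDS.has(key)) {
      throw new Error(`field not allowed: ${key}`);
    } else if (isPlainObject(value)) {
      validateCondition(key, value, depth + 1);
    } else {
      assertScalar(value, key);
    }
  }
  return filter;
}

// Route entry point: the raw query-string value in, a validated filter out.
// Anything that throws here should become a 400 and never reach the driver.
function parseClientFilter(raw) {
  if (typeof raw !== "string" || Buffer.byteLength(raw, "utf8") > MAX_FILTER_BYTES) {
    throw new Error("filter missing or too large");
  }
  return validateFilter(JSON.parse(raw));
}

// The substring check from the question, kept only for comparison: it stops
// "$where" but lets a filter on a field the client should not see through.
function naiveCheck(raw) {
  return !raw.includes("$where") && !raw.includes("function");
}
```

Values such as createdAt come out of JSON.parse as strings; converting them to Date objects is a separate step after validation, and the projection and limit you pass to find() still decide what the client gets back even when the filter is clean.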

Related

Best way to share collection with customer

Recently we have been working with a customer who wants one of our MongoDB collections to be shared with them. I'm pretty new to Dev/Sys Ops, so I'm wondering what would be the best way to share the collection with them?
The client needs to be able to specify dates and then pull all of the data in that range from the collection (so some sort of query is needed).
I was considering giving them access to Mongo through SSH, but would that be secure and appropriate?
The second thing I considered was creating some simple web app and then sending it over as a POST.
Thoughts? Cheers
Posting my comment as an answer after a small discussion with OP
A simple REST API should suffice: sending the search criteria to your API, then querying MongoDB.
Returning in JSON format would be easier, though this depends on your customer's requirements.
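As an added example (not the answerer's code), the REST endpoint the answer describes, with the customer sending only two dates and the server building the MongoDB filter itself. Express, an "events" collection and its "createdAt" field are assumptions; the handler only calls find().limit().toArray(), so it can be exercised with any object offering those methods.

```javascript
// Added example, not the answerer's code: the REST endpoint the answer
// suggests, where the customer sends only two dates and the server builds the
// MongoDB filter itself. Express, an "events" collection and its "createdAt"
// field are assumptions; the handler only calls find().limit().toArray().

const MS_PER_DAY = 86400000;
const MAX_RANGE_DAYS = 31;   // one request cannot dump the whole collection
const MAX_DOCS = 10000;

// Accept "YYYY-MM-DD" only, and only real calendar days. Date.parse alone
// would accept far more than that.
function parseDay(s) {
  if (typeof s !== "string" || !/^\d{4}-\d{2}-\d{2}$/.test(s)) return null;
  const d = new Date(`${s}T00:00:00Z`);
  if (Number.isNaN(d.getTime()) || d.toISOString().slice(0, 10) !== s) return null;
  return d;
}

// The field name and operators are fixed here and the two values are real
// Date objects, so nothing the customer sends reaches the driver as an operator.
function buildDateRangeFilter(query) {
  const from = parseDay(query.from);
  const to = parseDay(query.to);
  if (!from || !to) throw new RangeError("from and to must be YYYY-MM-DD");
  const days = (to.getTime() - from.getTime()) / MS_PER_DAY;
  if (days < 0 || days > MAX_RANGE_DAYS) {
    throw new RangeError(`range must cover 0..${MAX_RANGE_DAYS} days`);
  }
  const end = new Date(to.getTime() + MS_PER_DAY);   // half-open: [from, to + 1 day)
  return { createdAt: { $gte: from, $lt: end } };
}

// Express-style handler: app.get("/export", makeExportHandler(db.collection("events")))
function makeExportHandler(collection) {
  return async (req, res) => {
    let filter;
    try {
      filter = buildDateRangeFilter(req.query || {});
    } catch (e) {
      return res.status(400).json({ error: e.message });
    }
    const docs = await collection
      .find(filter, { projection: { _id: 0, internalNotes: 0 } }) // strip fields not meant for the customer
      .limit(MAX_DOCS)
      .toArray();
    return res.status(200).json(docs);
  };
}
```

Authentication for the customer (an API key or a client certificate) sits in front of this handler and is not shown; the point here is that the only client-controlled input is two validated dates.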
Thanks for your help. I ended up simply creating a username and password for Mongo for my client and setting the correct permissions, leaving them to do all the heavy lifting.
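As an added example (not the poster's own setup), the "correct permissions" for a customer who only needs to query one collection: a custom role granting find on that collection and nothing else, plus a user bound to it. The database and collection names, the customer's address range and the SCRAM-SHA-256 mechanism are assumptions. The documents are built in plain JavaScript so their shape can be checked; the createRole/createUser calls at the end run only inside mongosh.

```javascript
// Added example, not the poster's own setup. Database/collection names, the
// customer's address range and the auth mechanism are assumptions. The role
// and user documents are built as plain objects so they can be checked; the
// createRole/createUser calls at the end execute only under mongosh.

function customerReadRole(dbName, collName) {
  return {
    role: `customer_read_${dbName}_${collName}`,
    // One resource, one action. The built-in "read" role would instead grant
    // find on every collection in the database.
    privileges: [{ resource: { db: dbName, collection: collName }, actions: ["find"] }],
    roles: [],  // no inherited roles
  };
}

function customerUser(name, password, roleName, clientCidrs) {
  return {
    user: name,
    pwd: password,
    roles: [{ role: roleName, db: "admin" }],
    mechanisms: ["SCRAM-SHA-256"],
    // The account only authenticates from the customer's own address range.
    authenticationRestrictions: [{ clientSource: clientCidrs }],
  };
}

// Review check: does the role grant exactly find on exactly this collection?
function grantsOnlyFind(role, dbName, collName) {
  if (!Array.isArray(role.roles) || role.roles.length !== 0) return false;
  if (!Array.isArray(role.privileges) || role.privileges.length === 0) return false;
  return role.privileges.every((p) =>
    p.resource && p.resource.db === dbName && p.resource.collection === collName &&
    Array.isArray(p.actions) && p.actions.length === 1 && p.actions[0] === "find");
}

// mongosh only (db and passwordPrompt are mongosh globals):
//   mongosh "mongodb://admin@dbhost/admin" --file this_script.js
if (typeof db !== "undefined" && typeof passwordPrompt === "function") {
  const admin = db.getSiblingDB("admin");
  const role = customerReadRole("analytics", "events");
  if (!grantsOnlyFind(role, "analytics", "events")) throw new Error("role grants too much");
  admin.createRole(role);
  admin.createUser(customerUser("acme_export", passwordPrompt(), role.role, ["203.0.113.0/24"]));
}
```

The customer then connects with authSource=admin over TLS; the role and the client-source restriction together mean a leaked password still only yields read access to that one collection from that one network.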

Stringify object for qs parser

Express.js uses the qs parser to parse query strings into objects. Is there a lib out there for use in front-end applications that does the reverse? I would love to be able to write a MongoDB query on the front end in object form and have it parsed automatically into the format the qs parser is expecting right before the request is made.
I would love to be able to write a mongo db query on the front end in object form
You should absolutely not do this unless you're OK with essentially giving any user of your web app an open shell to do whatever they want to your database.
But with that said, I found this in bower.io:
https://github.com/fernandofleury/query-object
More here:
http://bower.io/search/?q=qs
Stumbled upon this question, I suppose you don't need it anymore, but I hope this helps other users who end up here:
Meet GraphQL. It's an open standard which lets you query backend APIs in a flexible manner.
MongoDB even supports it out of the box, and it is permission-based, so no worries about frontend users hacking into your database (you should of course properly configure those permissions to limit access to specific resources).
Read more on https://docs.mongodb.com/realm/graphql

Writing arbitrary mongoDB queries to PHP backend

I'm in the start-up phase of creating an internal system based on PHP and MongoDB. The users of this system are JavaScript programmers and would like to be able to make custom queries to the Mongo database from a frontend GUI with arbitrary Mongo shell queries. Of course this would not be a problem at all if I forced them to write the queries with proper PHP arrays etc., but I would definitely like to avoid this.
I am not quite sure how to approach a feature like this without writing some advanced methods able to restructure the queries into properly formatted arrays that can be used in MongoClient PHP. One approach would be making use of e.g. the MongoDB::execute() method and running the JavaScript on the database server, a method I don't fancy at all.
I'm kindly asking if you have any ideas on how to achieve the requested functionality to some extent.
Thank you in advance.
Are you looking for something like this : http://rockmongo.com/ ?

Is it bad to expose database internals?

I've been told that it's bad to expose database internals but I've started noticing lots of relatively high profile sites doing it, e.g. Chartboost and ServerDensity both expose the MongoDB document _id field in their URLs.
Can someone shed some light as to why that's bad to do? The only thing I can think of is that it's bad for SEO because they're not human readable URLs, but is this even true?
By "exposing database internals" I understand stuff like exposing the database server to the internet or letting user run arbitrary queries. This stuff is unquestionably bad. Or, if you somehow expose your database schema, a malicious user can use this to his advantage.
Using object ids in urls is fine. Humans do not memorize urls anyway, and search engines don't care if link to a post is made of post slug or post id.
Even Stack Overflow shows its database IDs in the URL. It could be a surrogate key or a natural one; either way you have to identify the resource somehow. Basically, every single site uses some kind of identification in the URL, usually the PK. Why do you think they use MongoDB? It could even be a relational database with a GUID instead of a long PK.
Even if you show someone the database schema, nothing will happen, as long as you are protected from SQL injection.

Trying to DRY up nodejs express app using mongodb

I'm trying to separate my mongodb code in a nodejs express app and am having troubles understanding how to shuffle things around.
Here's a gist of what I have:
https://gist.github.com/759446
I've dumbed it down to almost nothing in the middleware.
When I start the server, res.myvar is correctly set to "object" in the first request. Every subsequent request fails with res.myvar being "undefined".
I just want to stick the db code in a single place and then be able to use it in my various routes. Am I going about this wrong? All the examples on the mongodb nodejs driver page just make db queries etc. I'm not finding much integrating the whole thing in an express app.
What I had originally was opening new db connections on every request.
I've edited the gist and left the old stuff commented out.
It works now.
Many thanks to Ciaran's blog post http://howtonode.org/express-mongodb
It's kinda old but still helped.
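As an added example (not the gist from the post), one module that opens the connection once and shares the handle with every route, instead of connecting per request as the original code did. The driver's MongoClient is not imported here; the connect function is injected, so the module can be exercised with a stand-in and wired to the real driver as shown in the trailing comment.

```javascript
// Added example, not the gist from the post: connect once, share the handle.
// The connect function is injected (the real one would wrap MongoClient), so
// this runs without the driver installed.

function createDb(connect) {
  let pending = null; // memoized promise; concurrent first requests share one connect()

  function get() {
    if (!pending) {
      // Wrapping connect() in an executor turns a synchronous throw into a rejection.
      pending = new Promise((resolve) => resolve(connect()))
        .catch((err) => { pending = null; throw err; }); // forget a failed attempt so the next request retries
    }
    return pending;
  }

  return { get };
}

// Express middleware: every handler reads req.db; nobody opens a connection.
function attachDb(db) {
  return (req, res, next) => {
    db.get().then((handle) => { req.db = handle; next(); }, next);
  };
}

// Wiring with the real driver (assumed, not run here):
//   const { MongoClient } = require("mongodb");
//   const db = createDb(async () => (await MongoClient.connect(uri)).db("app"));
//   app.use(attachDb(db));
//   app.get("/posts", async (req, res) =>
//     res.json(await req.db.collection("posts").find({}).toArray()));
```

The memoized promise is what makes this safe under load: ten requests arriving before the first connection is up all wait on the same connect() instead of each opening their own, and a failed connect is forgotten so the next request retries rather than being stuck with a cached rejection.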
I am writing node-fourm; I had the same problem at the beginning. There is a db folder and a controller folder in node-fourm; they are separated now, and I can define methods for each collection. Check the code for details.
I wrote mongoskin to make it possible.