Should we build Mongoose queries on the frontend or backend?

Time:10-10

We can build complex queries with Mongoose with options like $lte, $gt, $ne and so on... but I'm wondering where/how we should build those queries?

If I have a form on my frontend that allows inputting a range of dates, I could send a request body that looks like this:

{
  date: {
    $gt: "01/01/2021",
    $lte: "31/01/2021"
  }
}

But is this good practice? If not, in what format should I send this and how can I transform it to a Mongoose query?

CodePudding user response:

Assuming you're sending that in the request body, then this isn't how you're supposed to do it. This can expose a security flaw: your attackers can write queries themselves and retrieve confidential information, seeing that your backend will run ANY query, so this can potentially be used to expose sensitive information.

The database is something the backend is supposed to handle, not the frontend; don't make the frontend write the queries. Instead, just send data like this:

{
  "startDate": "1/1/1",
  "endDate": "2/2/2" 
}

Then on your backend you can get the values from the request body and do it yourself:

// read only the plain values the client sent
const { startDate, endDate } = req.body;

// the operators are chosen here, on the server
const filter = {
  date: {
    $gt: startDate,
    $lte: endDate
  }
};
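As an added example (not code from the original post), here is one way to implement the answer's server-side approach in Node: the handler accepts only `startDate` and `endDate` strings, validates them as real calendar dates, and builds the Mongoose filter itself, so a client body that already contains operators such as `$gt` is rejected instead of being executed. The function names, the `YYYY-MM-DD` input format and the `hasOperatorKeys` defence-in-depth check are this example's assumptions; no database is needed because `buildDateRangeFilter` only returns the object you would pass to `Model.find()`.

```javascript
// Added example: build the date-range filter on the server from plain values.
// Assumed input format: ISO 8601 calendar dates, e.g. "2021-01-31".
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;

// Parse one field strictly: must be a string, must match YYYY-MM-DD, and must
// round-trip through Date so that "2021-02-30" is not silently rolled over.
function parseIsoDate(value, field) {
  if (typeof value !== "string" || !ISO_DATE.test(value)) {
    throw new TypeError(`${field} must be a YYYY-MM-DD string`);
  }
  const d = new Date(`${value}T00:00:00Z`);
  if (Number.isNaN(d.getTime()) || d.toISOString().slice(0, 10) !== value) {
    throw new RangeError(`${field} is not a real calendar date`);
  }
  return d;
}

// Defence in depth: true if any key anywhere in the value starts with "$",
// i.e. the client tried to send a query operator instead of a plain value.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value === null || typeof value !== "object") return false;
  return Object.keys(value).some(
    (k) => k.startsWith("$") || hasOperatorKeys(value[k])
  );
}

// Build the Mongoose filter from req.body. The client only supplies values;
// the operators ($gt / $lte, as in the answer above) are chosen here.
function buildDateRangeFilter(body) {
  if (body === null || typeof body !== "object") {
    throw new TypeError("body must be an object");
  }
  if (hasOperatorKeys(body)) {
    throw new TypeError("query operators are not accepted from the client");
  }
  const start = parseIsoDate(body.startDate, "startDate");
  const end = parseIsoDate(body.endDate, "endDate");
  if (start > end) {
    throw new RangeError("startDate must not be after endDate");
  }
  return { date: { $gt: start, $lte: end } };
}

// Constructed sample request bodies (not real traffic).
const goodBody = { startDate: "2021-01-01", endDate: "2021-01-31" };
const badBody = { date: { $gt: "01/01/2021", $lte: "31/01/2021" } };

// With a real model this would be: await Model.find(buildDateRangeFilter(req.body))
console.log(JSON.stringify(buildDateRangeFilter(goodBody)));
try {
  buildDateRangeFilter(badBody);
} catch (err) {
  console.log("rejected:", err.message);
}

module.exports = { parseIsoDate, hasOperatorKeys, buildDateRangeFilter };
```

Validating into real `Date` objects also matters for correctness: if the strings were passed through unchanged, comparisons like `"1/1/1" < "31/01/2021"` would be string comparisons, not date comparisons.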