Let's follow these steps to add query parameters to our Express /api/post REST endpoint to support pagination. We will also implement some advanced filtering queries, including date range filtering to our API:
- First, we'll extend the list method of our /middleware/rest.js middleware to parse query parameters for _size and _page from our REST API URL parameters. The underscores are useful to denote that these properties are URL parameters, instead of Mongoose Query API parameters. Whether these properties are provided or not, we will set default values for them using a ternary operator, and append them sequentially to our main query operation:
...
module.exports = function(resourceId, store, serialize, deserialize, middleware) {
...
return resource({
...
list : function(req, res) {
var query = store.find();
var size = req.query._size ? parseInt(req.query._size) : 10;
var page = req.query._page ? parseInt(req.query._page) : 1;
query.limit(size);
query.skip(size * (page - 1));
query.exec(function(error, items) {
if (error) return res.status(400).json(storeError(error));
res.json(serializer.serialize(items));
});
},
...
});
};
- To expand the range of query options available, we will filter out the _size and _page query parameters and pass the rest through to a where query. This provides a very direct, very powerful option for querying through our REST API to MongoDB. We will include a middleware method option that we will use in the next step to secure this query API:
...
var _omit = require('lodash/omit');
module.exports = function(resourceId, store, serialize, deserialize, middleware) {
...
return resource({
...
middleware: middleware,
list : function(req, res) {
var query = store.find();
var size = req.query._size ? parseInt(req.query._size) : 10;
var page = req.query._page ? parseInt(req.query._page) : 1;
var filters = _omit(req.query, ['_size', '_page']);
query.where(filters);
query.limit(size);
query.skip(size * (page - 1));
query.exec(function(error, items) {
if (error) return res.status(400).json(storeError(error));
res.json(serializer.serialize(items));
});
},
...
});
};
- Having such a wide open API is very useful, but it can also be very exploitable from a security standpoint. Let's create a passthrough middleware in our /routes/api/posts.js configuration that will secure it. We'll use Lodash's pick operation to build a whitelist of what query parameters we allow through. This way, we can allow users to query certain parts of our database, but only those that we explicitly allow. We can also use this middleware to do some advanced parsing to support a date-range query for our published dates. URL parameters will always come through Express as strings, so to create a valid date-range query for Mongoose, we will need to parse it into JSON:
var restFactory = require('../../middleware/rest');
var Posts = require('../../models/posts');
var _pick = require('lodash/pick');
var serialize = {
attributes: ['title', 'content', 'published', 'author'],
author: {
ref: function (user, author) {
return author.id;
},
attributes: ['firstName', 'lastName', 'email']
}
};
var deserialize = {
keyForAttribute: 'dash-case'
};
module.exports = restFactory('posts', Posts, serialize, deserialize, function(req, res, next) {
req.query = _pick(req.query, ['_size', '_page', 'title', 'published']);
if (req.query.published) {
try {
req.query.published = JSON.parse(req.query.published);
} catch(error) {
console.error('unable to parse published date format');
}
}
next();
});
- Now, we can restart our Express application and start making requests to our http://localhost:3000/api/posts REST endpoint.