UNPKG

@loopback/docs

Version:

Documentation files rendered at [https://loopback.io](https://loopback.io)

github.com/loopbackio/loopback-next/tree/master/docs

loopbackio/loopback-next

455 lines (373 loc) 12.7 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
--- lang: en title: 'Querying data' keywords: LoopBack 4.0, LoopBack 4, Node.js, TypeScript, OpenAPI sidebar: lb4_sidebar permalink: /doc/en/lb4/Querying-data.html --- ## Overview A _query_ is a read operation on models that returns a set of data or results. As we introduced in [Working with data](Working-with-data.md), repositories add behavior to models. Once you have them set up, you can query instances using a Node.js API and a REST API with _filters_ as outlined in the following table. Filters specify criteria for the returned data set. The capabilities and options of the two APIs are the same. The only difference is the syntax used in HTTP requests versus Node function calls. In both cases, LoopBack models return JSON. <table> <thead> <tr> <th>Query</th> <th>Model API (Node)</th> <th>REST API</th> </tr> </thead> <tbody> <tr> <td> Find all model instances using specified filters. </td> <td> <code><a href="https://loopback.io/doc/en/lb4/apidocs.repository.defaultcrudrepository.find.html" class="external-link">find(filter, options?)</a></code> Where filter is a JSON object containing the query filters. </td> <td> <code>GET /<em>modelName</em>?filter...</code> </td> </tr> <tr> <td>Find first model instance using specified filters.</td> <td> <code><a href="https://loopback.io/doc/en/lb4/apidocs.repository.defaultcrudrepository.findone.html" class="external-link">findOne(filter, options?)</a></code> Where filter is a JSON object containing the query filters. </td> <td> <code><span>GET /<em>modelName</em>/findOne?filter...</span></code> </td> </tr> <tr> <td>Find instance by ID.</td> <td> <code><a href="https://loopback.io/doc/en/lb4/apidocs.repository.defaultcrudrepository.findbyid.html" class="external-link">findById(id, filter?, options?)</a></code> Where optional filter is a JSON object <span>containing the query filters.</span> </td> <td> <code><span>GET /</span><em>modelName</em><span>/</span><em>modelID</em></code> </td> </tr> </tbody> </table> LB4 supports standard REST syntax and also "stringified JSON" in REST queries. Please read on to see more details and examples of different types of `filter` and example usages of REST API. ## Filters LoopBack supports a specific filter syntax: it's a lot like SQL, but designed specifically to serialize safely without injection and to be native to JavaScript. LoopBack 4 supports the following kinds of filters: - [Fields filter](Fields-filter.md) - [Include filter](Include-filter.md) - [Limit filter](Limit-filter.md) - [Order filter](Order-filter.md) - [Skip filter](Skip-filter.md) - [Where filter](Where-filter.md) More additional examples of each kind of filter can be found in the individual articles on filters (for example [Where filter](Where-filter.md)). Those examples show different syntaxes in REST and Node.js. The following table describes LoopBack's filter types: <table> <thead> <tr> <th>Filter type</th> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>fields</code></td> <td>Object, Array, or String</td> <td> Specify fields to include in or exclude from the response. See <a href="Fields-filter.html">Fields filter</a>. </td> </tr> <tr> <td><code>include</code></td> <td>String, Object, or Array</td> <td> Include results from related models, for relations such as <em>belongsTo</em> and <em>hasMany</em>. See <a href="Include-filter.html">Include filter</a>. </td> </tr> <tr> <td><code>limit</code></td> <td>Number</td> <td> Limit the number of instances to return. See <a href="Limit-filter.html">Limit filter</a>. </td> </tr> <tr> <td><code>order</code></td> <td>String</td> <td> Specify sort order: ascending or descending. See <a href="Order-filter.html">Order filter</a>. </td> </tr> <tr> <td><code>skip</code> (offset)</td> <td>Number</td> <td> Skip the specified number of instances. See <a href="Skip-filter.html">Skip filter</a>. </td> </tr> <tr> <td><code>where</code></td> <td>Object</td> <td> Specify search criteria; similar to a WHERE clause in SQL. See <a href="Where-filter.html">Where filter</a>. </td> </tr> </tbody> </table> The following is an example of using the `find()` method with both a _where_ and a _limit_ filter: ```ts await accountRepository.find({where: {name: 'John'}, limit: 3}); ``` Equivalent using REST: `/accounts?filter[where][name]=John&filter[limit]=3` ## Syntax In both Node.js API and REST, you can use any number of filters to define a query. ### Node.js syntax Specify filters as the first argument to `find*()`: ```ts { filterType: spec, filterType: spec, ... } ``` There is no theoretical limit on the number of filters you can apply. Where: - *filterType* is the filter: [where](Where-filter.md), [include](Include-filter.md), [order](Order-filter.md), [limit](Limit-filter.md), [skip](Skip-filter.md), or [fields](Fields-filter.md). - *spec* is the specification of the filter: for example for a *where* filter, this is a logical condition that the results must match. For an *include* filter it specifies the related fields to include. ### REST syntax Specify filters in the [HTTP query string](http://en.wikipedia.org/wiki/Query_string): `/modelName?filter=[filterType1]=val1&filter[filterType2]=val2...` or `/modelName/id?filter=[filterType1]=val1&filter[filterType2]=val2...` The number of filters that you can apply to a single request is limited only by the maximum URL length, which generally depends on the client used. {% include important.html content=" There is no equal sign after `?filter` in the query string; for example `http://localhost:3000/api/books?filter[where][id]=1`  " %} If the filter gets too long, you can encode it. For example: ```ts const filter = { include: [ { relation: 'orders', scope: { include: [{relation: 'manufacturers'}], }, }, ], }; encodeURIComponent(JSON.stringify(filter)); ``` the url would be: `/customers?filter=<encodeResult>` {% include important.html content=" A REST query must include the literal string \"filter\" in the URL query string. The Node.js API call does not include the literal string \"filter\" in the JSON. " %} {% include tip.html content=" If you are trying [query filters](#filters) with curl, use the `-g` or `--globoff`  option to use brackets `[` and `]` in request URLs. " %} ### Using "stringified" JSON in REST queries Instead of the standard REST syntax described above, you can also use "stringified JSON" in REST queries. To do this, simply use the JSON specified for the Node.js syntax, as follows: `?filter={ Stringified-JSON }` where *Stringified-JSON* is the stringified JSON from Node.js syntax. However, in the JSON all text keys/strings must be enclosed in quotes ("). {% include important.html content=" When using stringified JSON, you must use an equal sign after `?filter` in the query string. For example: `http://localhost:3000/books?filter={%22where%22:{%22id%22:2}}`  " %} For example: `GET /api/activities/findOne?filter={"where":{"id":1234}}` ### Build filters with FilterBuilder Besides writing the filter yourself, you can also use [`FilterBuilder`](https://loopback.io/doc/en/lb4/apidocs.filter.filterbuilder.html) to help you create or combine `where` clauses. For example, you can build the filter ```ts const filter = { where: {id: 3}, include: [{relation: 'orders', scope: {where: {name: 'toy'}}] }; ``` with the `FilterBuilder`: ```ts import {FilterBuilder} from '@loopback/repository'; ... const filterBuilder = new FilterBuilder(); filterBuilder .include( {relation: 'orders', scope: {where: {name: 'ray'}}}, ) .where({id:3}) .build(); ``` Another usage of [`FilterBuilder`](https://loopback.io/doc/en/lb4/apidocs.filter.filterbuilder.html) is to combine the `where` clause by using `FilterBuilder.impose`. For example, ```ts const filter = new FilterBuilder().limit(5).where({id: 101}); filter.impose({where: {id: 999, name: 'LoopBack'}}); ``` The `where` clauses is combined as: ```ts { limit: 5, where: { and: [{id: 101}, {id: 999, name: 'LoopBack'}], } } ``` This also can be done with the [`WhereBuilder`](https://loopback.io/doc/en/lb4/apidocs.filter.wherebuilder.html). See more examples in the [`Where Filter`](Where-filter.md#wherebuilder) page. <!-- TODO: (Agnes) need to double check. ### Filtering nested properties LoopBack supports filtering nested properties in three NoSQL connectors: MongoDB, Cloudant, and memory. For example, model `User` contains a nested property `user.address.tags.tag`: ```javascript db.define('User', { name: {type: String, index: true}, email: {type: String, index: true}, address: { street: String, city: String, tags: [ { tag: String, } ] } }); ``` users can do a nested query like `User.find({where: {'address.tags.tag': 'business'}}`. Data source connectors for relational databases don't support filtering nested properties. --> ### Sanitizing filter and data objects <!-- TODO: (Agnes) need to double check. Filters are very powerful and flexible. To prevent them from creating potential security risks, LoopBack sanitizes filter objects as follows: 1. Normalizes `undefined` values The policy is controlled by the `normalizeUndefinedInQuery` setting at datasource or model level. There are three options: - 'nullify': Set `undefined` to `null` - 'throw': Throw an error if `undefined` is found - 'ignore': Remove `undefined`. This is the default behavior if `normalizeUndefinedInQuery` is not configured For example: {% include code-caption.html content="datasources/db.datasources.config.json" %} ```json { "db": { "name": "db", "connector": "memory", "normalizeUndefinedInQuery": "ignore" } } ``` {% include code-caption.html content="server/model-config.json" %} ```json { "project": { "dataSource": "db", "public": true, "normalizeUndefinedInQuery": "throw" } } ``` --> #### Prohibits hidden/protected properties from being searched [Hidden or protected properties](Model.md#hidden-properties) can expose sensitive information if they are allowed to be searched. LoopBack introduces `prohibitHiddenPropertiesInQuery` setting at datasource/model level to control if hidden/protected properties can be used in the `where` object. By default, its value is `true`. For example, {% include code-caption.html content="datasources/db.datasources.config.json" %} ```js { "db": { "name": "db", "connector": "memory", "prohibitHiddenPropertiesInQuery": true } } ``` With the following model definition: ```ts @model( settings:{hidden:['secret']}} ) export class MyModel extends Entity { // other props @property({ type: 'string', }) secret?: string; //... } ``` `myModelRepository.find({where: {secret: 'guess'}});` will be sanitized as `myModelRepository.find({where: {}};` and a warning will be printed on the console: ```sh Potential security alert: hidden/protected properties ["secret"] are used in query. ``` #### Reports circular references If the filter object has circular references, LoopBack throws an error as follows: ```js { message: 'The query object is circular', statusCode: 400, code: 'QUERY_OBJECT_IS_CIRCULAR' } ``` #### Constrains the maximum depth of query and data objects Deep filter objects may be mapped to very complex queries that can potentially break your application. To mitigate such risks, LoopBack allows you to configure `maxDepthOfQuery` and `maxDepthOfData` in datasource/model settings. The default value is `12`. Please note the `depth` is calculated based on the level of child properties of an JSON object. For example: {% include code-caption.html content="datasources/db.datasources.config.json" %} ```js { "db": { "name": "db", "connector": "memory", "maxDepthOfQuery": 5, "maxDepthOfData": 16 } } ``` If the filter or data object exceeds the maximum depth, an error will be reported: ```js { message: 'The query object exceeds maximum depth 5', statusCode: 400, code: 'QUERY_OBJECT_TOO_DEEP' } ```