Gathering detailed insights and metrics for loopback-connector-mongodb
The official MongoDB connector for the LoopBack framework.
npm install loopback-connector-mongodb
187 Stars
733 Commits
237 Forks
61 Watching
72 Branches
71 Contributors
Updated on 13 Nov 2024
JavaScript (98.91%)
Shell (0.82%)
Makefile (0.28%)
Cumulative downloads
Period | Total Downloads | Change |
---|---|---|
Last day | 3,680 | 3.8% compared to previous day |
Last week | 16,974 | 1.4% compared to previous week |
Last month | 68,403 | 1.1% compared to previous month |
Last year | 796,684 | -20.1% compared to previous year |
In your application root directory, enter this command to install the connector:
```sh
npm install loopback-connector-mongodb --save
```
This installs the module from npm and adds it as a dependency to the application's `package.json` file.
If you create a MongoDB data source using the data source generator as described below, you don't have to do this, since the generator will run `npm install` for you.
Starting from the version 6.0.0, this connector is no longer compatible with LoopBack 3. Please use the latest 5.x version in your LoopBack 3 applications.
This module adopts the Module Long Term Support (LTS) policy, with the following End Of Life (EOL) dates:
Version | Status | Published | EOL | LoopBack | Juggler |
---|---|---|---|---|---|
6.x | Current | Mar 2021 | Apr 2025 (minimum) | 4 | 4.x |
5.x | Active LTS | Jun 2019 | Apr 2023 | 3, 4 | 3.x, 4.x |
4.x | Maintenance LTS | Nov 2018 | Apr 2021 | 3, 4 | 3.x, 4.x |
For LoopBack 4 users, use the LB4 Command-line interface to generate a DataSource with MongoDB connector to your LB4 application. Run `lb4 datasource`, it will prompt for configurations such as host, port, etc. that are required to connect to a MongoDB database.
After setting it up, the configuration can be found under `src/datasources/<DataSourceName>.datasource.ts`, which would look like this:
```ts
const config = {
  name: 'db',
  connector: 'mongodb',
  url: '',
  host: 'localhost',
  port: 27017,
  user: '',
  password: '',
  database: 'testdb',
};
```
If your username or password contains special characters like `@`, `$` etc, encode the whole username or password using `encodeURIComponent`. E.g. `pa$$wd` would become `pa%24%24wd`.
Property | Type | Description |
---|---|---|
connector | String | Connector name, either "loopback-connector-mongodb" or "mongodb". |
database | String | Database name |
host | String | Database host name |
name | String | Name of the datasource in the app |
password | String | Password to connect to database |
port | Number | Database TCP port |
url | String | Connection URL of form `mongodb://user:password@host/db`. Overrides other connection settings (see below). |
user | String | Username to connect to database |
authSource | String | Optional. Authentication database name. Usually "admin" value. |
If you run a MongoDB with authentication (Docker's example here), you need to specify which database to authenticate against. More details can be found in MongoDB documentation on Authentication Methods. The default value is usually "admin", like in the official docker image.
NOTE: In addition to these properties, you can use additional Single Server Connection parameters supported by `node-mongodb-native`.
Property | Type | Default | Description |
---|---|---|---|
allowExtendedOperators | Boolean | false | Set to true to enable using MongoDB operators such as $currentDate, $inc, $max, $min, $mul, $rename, $setOnInsert, $set, $unset, $addToSet, $pop, $pullAll, $pull, $push, and $bit. See Update Operators section below |
enableGeoIndexing | Boolean | false | Set to true to enable 2d sphere indexing for model properties of type GeoPoint. This allows for indexed near queries. |
lazyConnect | Boolean | false | When set to true, the database instance will not be attached to the datasource and the connection is deferred. It will try to establish the connection automatically once users hit the endpoint. If the MongoDB server is offline, the app will start, however, the endpoints will not work. |
disableDefaultSort | Boolean | false | Set to true to disable the default sorting behavior on id column, this will help performance using indexed columns available in MongoDB. |
collation | String | N/A | Specify language-specific rules for string comparison, such as rules for letter-case and accent marks. See MongoDB documentation for details. It can also be used to create case insensitive indexes. |
You can set the `url` property to a connection URL in `<datasourceName>.datasources.ts` to override individual connection parameters such as `host`, `user`, and `password`. E.g. `loopback:pa55w0rd@localhost:27017/testdb`.
MongoDB supports a protocol called `mongodb+srv` for connecting to replica sets without having to give the hostname of every server in the replica set.
To use `mongodb+srv` as the protocol set the `protocol` connection property in the datasource.json to `mongodb+srv`. For example:
```ts
const config = {
  name: 'db',
  connector: 'mongodb',
  host: 'myserver',
  database: 'testdb',
  protocol: 'mongodb+srv',
};
```
Note: the port is not specified when using the `mongodb+srv` protocol and will be ignored if given.
Note: SSL options deprecated since MongoDB 4.2
```ts
const config = {
  name: 'db',
  connector: 'mongodb',
  url: '',
  host: 'localhost',
  port: 27017,
  user: '',
  password: '',
  database: 'testdb',
  tls: true,
  tlsCertificateKeyFile: '/local/path/to/pem-file',
  tlsCAFile: '/local/path/to/ca-file',
};
```
MongoDB Driver allows the `$where` operator to pass in JavaScript to execute on the Driver which can be used for NoSQL Injection. See MongoDB: Server-side JavaScript for more on this MongoDB feature.
To protect users against this potential vulnerability, LoopBack will automatically remove the `$where` and `mapReduce` operators from a query before it's passed to the MongoDB Driver. If you need to use these properties from within LoopBack programmatically, you can disable the sanitization by passing in an `options` object with `disableSanitization` property set to `true`.
Example:
```ts
await PostRepository.find(
  { where: { $where: "function() { /*JS function here*/}" } },
  { disableSanitization: true }
);
```
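
The sanitization idea described above, as an added example (not the connector's own code): a hypothetical `sanitizeFilter` helper that drops `$where` and `mapReduce` keys at any depth of a filter object unless `disableSanitization` is set. The recursive handling of nested clauses and the sample filter are assumptions made for illustration.

```javascript
// Added illustration: hypothetical helper, not loopback-connector-mongodb code.
// Keys the page says are removed before a query reaches the MongoDB driver.
const BLOCKED_KEYS = new Set(['$where', 'mapReduce']);

function sanitizeFilter(value, options = {}) {
  // Explicit opt-out for trusted, programmatic callers only.
  if (options.disableSanitization === true) return value;
  if (Array.isArray(value)) {
    return value.map(item => sanitizeFilter(item, options));
  }
  if (value === null || typeof value !== 'object') return value;
  // Leave non-plain objects (Date, RegExp, ObjectId, ...) untouched.
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) return value;
  // Rebuild the object without blocked keys; the input is not mutated.
  return Object.fromEntries(
    Object.entries(value)
      .filter(([key]) => !BLOCKED_KEYS.has(key))
      .map(([key, child]) => [key, sanitizeFilter(child, options)])
  );
}

// Constructed sample: a where clause as it might arrive from a request body.
const untrusted = {
  category: 'furniture',
  createdAt: {gt: new Date(0)},
  $where: 'function() { return true; }',
  or: [{price: {lt: 100}}, {$where: 'function() { return true; }'}],
  mapReduce: {map: 'function() {}'},
};

function demo() {
  return {
    // Default path: operators stripped at every nesting level.
    sanitized: sanitizeFilter(untrusted),
    // Opt-out path: the filter is passed through unchanged.
    trusted: sanitizeFilter(untrusted, {disableSanitization: true}),
  };
}

console.log(JSON.stringify(demo().sanitized));
```

Only code that builds the filter itself should ever set `disableSanitization`; a filter derived from request input should always take the default path.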
See LoopBack 4 types (or LoopBack 3 types) for details on LoopBack's data types.
Type conversion is mainly handled by MongoDB. See 'node-mongodb-native' for details.
Besides the comparison and logical operators that LoopBack supports in the operator list of the `Where` filter, you can also enable MongoDB update operators for `update*` methods by setting the flag `allowExtendedOperators` to `true` in the datasource configuration.
Here is an example of updating the price for all the products under category `furniture` if their current price is lower than 100:
```ts
await productRepo.updateAll({ $max: { price: 100 }}, {
  category: {eq: 'furniture'} // where clause goes in here
});
```
{% include tip.html content="you will not need the dollar sign '$' for operators in the Where clause." %}
MongoDB uses `ObjectId` for its primary key, which is an object instead of a string. In queries, string values must be cast to `ObjectId`, otherwise they are not considered as the same value. Therefore, you might want to specify the data type of properties to enforce `ObjectId` coercion. Such coercion would make sure the property value converts from ObjectId-like string to `ObjectId` when it accesses the database and converts `ObjectId` to ObjectId-like string when the app gets back the value. (An ObjectId-like string is a string that has length 12 or 24 and has the format of an `ObjectId` i.e. `/^[0-9a-fA-F]{24}$/`.)
LoopBack provides two scopes to handle such coercion: per model or per property. Please check the following to see which configuration meets your requirements.
{% include important.html content="please make sure you are using loopback-connector-mongodb package version 5.2.1 or above to handle ObjectId properly." %}
- No `ObjectId` coercion: CRUD operations can be operated with non-ObjectId-like string or ObjectId-like string ids.
- Enforce `ObjectId` coercion: the property value can only be `ObjectId` or ObjectId-like string, otherwise it will be rejected.
Enforcing `ObjectId` coercion can be done by setting the flag `strictObjectIDCoercion` in the model definition or by specifying `dataType: 'ObjectId'` in the property definition.
This scope would do the conversion for all properties in the model.
```ts
@model({settings: {
  strictObjectIDCoercion: true
}})
export class User extends Entity {
  @property({
    type: 'string',
    id: true,
  })
  id: string;
  // ...
}
```
This scope would only convert an ObjectId-like string to `ObjectId` for a certain property in the model.
```ts
@property({
  type: 'string',
  id: true,
  mongodb: {dataType: 'ObjectId'}
})
id: string;
```
Also notice that for RELATIONS, if the primary key/source key is set to enforce ObjectId coercion (whether by `strictObjectIDCoercion: true` or `dataType: 'ObjectId'`), the corresponding foreign key will need to have it set as well to make sure relations work smoothly.
```ts
@model()
export class User extends Entity {
  // source key
  @property({
    type: 'string',
    id: true,
    mongodb: {dataType: 'ObjectId'}
  })
  id: string;
  // ...
}

@model()
export class Address extends Entity {
  // ...
  // foreign key
  @belongsTo(() => User,
    {}, // relation metadata goes in here
    { // property definition goes in here
      mongodb: {dataType: 'ObjectId'}
    })
  UserId: string;
}
```
`loopback-connector-mongodb` allows you to have different collection and field names from the models. Such configurations can be added to the model definition and the property definition respectively as `mongodb:{ <field>: <customValue>}`. For example, the following setting would define a collection with custom name `Custom_Collection_User`, and it has a custom field name `Custom_Name` in the database:
{% include code-caption.html content="/src/models/User.model.ts" %}
```ts
@model({
  settings: {
    // model definition goes in here
    mongodb: { collection: "Custom_Collection_User" },
  },
})
export class User extends Entity {
  @property({
    type: "string",
    id: true,
    generated: true,
  })
  id: string;

  @property({
    type: "string",
    mongodb: {
      fieldName: "Custom_Name",
    },
  })
  name?: string;
}
```
{% include important.html content="Since in MongoDB _id is reserved for the primary key, LoopBack does not allow customization of the field name for the id property. Please use id as is. Customizing the id property would cause errors." %}
If you have a local or remote MongoDB instance and would like to use that to run the test suite, use the following command:
```sh
MONGODB_HOST=<HOST> MONGODB_PORT=<PORT> MONGODB_DATABASE=<DATABASE> CI=true npm test
```
```
SET MONGODB_HOST=<HOST>
SET MONGODB_PORT=<PORT>
SET MONGODB_DATABASE=<DATABASE>
SET CI=true
npm test
```
If you do not have a local MongoDB instance, you can also run the test suite with very minimal requirements.
```sh
source setup.sh <HOST> <PORT> <DATABASE>
```
where `<HOST>`, `<PORT>` and `<DATABASE>` are optional parameters. The default values are `localhost`, `27017` and `testdb` respectively.
```sh
npm test
```
Tests run for 100 iterations by default, but can be increased by setting the env var `ITERATIONS`.
```sh
make leak-detection # run 100 iterations (default)
```
or
```sh
ITERATIONS=1000 make leak-detection # run 1000 iterations
```
Benchmarks must be run on a Unix-like operating system.
```sh
make benchmarks
```
The results will be output in `./benchmarks/results.md`.
`_id` to client API, except if specifically specified in the model definition
The latest stable version of the package.
Stable Version
2
0/10
Summary: NoSQL Injection in loopback-connector-mongodb
Affected Versions: <= 3.5.0
Patched Versions: 3.6.0
0/10
Summary: NoSQL Injection in loopback-connector-mongodb
Affected Versions: < 3.6.0
Patched Versions: 3.6.0
No security vulnerabilities found.