Hello MongoDB experts,

I am asking this after reading the following Stack Overflow thread. Mine is slightly different.

I want to expose a collection GET API, say GET /api/endpoint/collection?query=<..>&options=<...>. I need to support any arbitrary query and options that are supported by the underlying MongoDB. My purpose is to provide a REST API wrapper proxy for the collections. That's all.

So instead of manually processing every query and option, we just want to take the whole JSON objects in the query and options of the GET and pass them to find(query, options) or findOne(query, options) as-is. [FYI: Aggregation is not considered as of now.]

**Question-1**: Do the experts see any issue with this approach (as my purpose is just to build a REST API proxy, that's all)?

Now, naturally, script injection is something that needs to be considered.

The understanding here is:

1. We can still pass the pure JSON (i.e. we *need not* convert it to BSON somehow). As Mongo stores data on disk and transmits data over the network in BSON format, it's safe.

2. Still, we need to check for the presence of a few operators in both the query and the object-typed fields in the options, as mentioned in the [Mongo FAQ](https://docs.mongodb.com/manual/faq/fundamentals/#bson).

**Question-2**: Is the above understanding correct?
Or do we need to first BSON-ify the query and options before passing them to find/findOne?
Note: We are using Fastify.
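As an added example that is not part of this question, and not Fastify's or the MongoDB driver's own code: a JavaScript gate for the pass-through pattern described above, applied to the raw `query` and `options` strings before they reach find()/findOne(). It assumes a policy of denying the operators that execute server-side JavaScript, allowing only the projection/sort/limit/skip options, and bounding limit and nesting depth; the operator and option lists are assumptions to adjust per deployment.

```javascript
// Added example (not from the question, Fastify or the MongoDB driver):
// gate client-supplied query/options before find(query, options).
// Policy assumed here: deny operators that run server-side JavaScript,
// allow only a fixed set of find() options, and bound limit/skip/depth.
const DENIED_OPERATORS = new Set(['$where', '$function', '$accumulator']);
const ALLOWED_OPTIONS = new Set(['projection', 'sort', 'limit', 'skip']);
const MAX_DEPTH = 16;   // guards against pathological nesting
const MAX_LIMIT = 1000; // hard cap on documents returned per call
// Recursively reject denied operator keys anywhere in the tree,
// including inside $or/$and arrays and inside $expr.
function walk(node, depth, path) {
  if (depth > MAX_DEPTH) throw new Error(`nesting too deep at ${path}`);
  if (Array.isArray(node)) {
    node.forEach((v, i) => walk(v, depth + 1, `${path}[${i}]`));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (DENIED_OPERATORS.has(key)) throw new Error(`${key} not allowed at ${path}`);
      walk(value, depth + 1, `${path}.${key}`);
    }
  }
}
// Parse one URL parameter; absent means {} and only plain objects pass.
function parseObjectParam(raw, name) {
  if (raw === undefined) return {};
  let v;
  try { v = JSON.parse(raw); } catch { throw new Error(`${name} is not valid JSON`); }
  if (v === null || typeof v !== 'object' || Array.isArray(v)) throw new Error(`${name} must be an object`);
  return v;
}
// Require a non-negative integer and clamp it to max.
function boundedInt(options, key, max) {
  if (!(key in options)) return;
  const n = options[key];
  if (!Number.isInteger(n) || n < 0) throw new Error(`${key} must be a non-negative integer`);
  options[key] = Math.min(n, max);
}
// Returns { query, options } that may be handed to find()/findOne(), or throws.
function validateFindArgs(rawQuery, rawOptions) {
  const query = parseObjectParam(rawQuery, 'query');
  walk(query, 0, 'query');
  const options = parseObjectParam(rawOptions, 'options');
  for (const key of Object.keys(options)) {
    if (!ALLOWED_OPTIONS.has(key)) throw new Error(`option ${key} not allowed`);
  }
  walk(options, 0, 'options'); // projection/sort are objects too
  boundedInt(options, 'limit', MAX_LIMIT);
  boundedInt(options, 'skip', Number.MAX_SAFE_INTEGER);
  return { query, options };
}
```

In a Fastify handler this would be called on `request.query.query` and `request.query.options`, with the thrown error mapped to a 400 response; a rejected request is also the natural place to emit a log line for detection.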