Looking for Cloud Services or Professional Support? Check restheart.com

Using Variables

Passing variables to change stream

The aggregation stages of the change stream can use variables, as in the following example:

    "uri": "mine",
    "stages": [
        { "$match": { "fullDocument::name": { "$var": "n" } } }

The $match stage uses the variable n, specified as { "$var": "n" }.

The client can pass the variable using the avar query parameter.

GET /messages/_streams/mine?avars={"n":"Andrea"} HTTP/1.1

In case of the change stream mine described in the examples, the variable n is used to restrict notifications only to changes on documents with the property name matching it.

Predefined variables

The change stream aggregation can use predefined variables, as in the following example:

    "uri": "mine",
    "stages": [
        { "$match": { "fullDocument::name": { "$var": "@user._id" } } }

The $match stage uses the predefined variable @user._id, specified as { "$var": "@user._id" }.

the predefined variables are resolved server side, i.e. the client does not need to pass the variable and the server will resolve it, making sure its value is trusted. In the example, the name property is matched against the user id of the authenticated user.

Refer to Aggregation documentation page for more information.

Security considerations

By default RESTHeart makes sure that the variables passed as query parameters don’t contains MongoDB operators.

This behavior is required to protect data from undesirable malicious query injection.

Even though is highly discouraged, is possible to disable this check by editing the following property in the restheart.yml configuration file.

## Security

# Check if aggregation variables use operators.
# Allowing operators in aggregation variables is risky
# because requester can inject operators modifying the query

aggregation-check-operators: true