feat: add support for insecureRawNoSQL filter in MongoDB and update documentation

Author: NoOne7135

adminforth/dataConnectors/baseConnector.ts

@@ -94,26 +94,30 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
       }, { ok: true, error: '' });
     }
 
-    if ((filters as IAdminForthSingleFilter).field) {
+    const filtersAsSingle = filters as IAdminForthSingleFilter;
+    if (filtersAsSingle.field) {
       // if "field" is present, filter must be Single
       if (!filters.operator) {
         return { ok: false, error: `Field "operator" not specified in filter object: ${JSON.stringify(filters)}` };
       }
-      if ((filters as IAdminForthSingleFilter).value === undefined) {
+      if (filtersAsSingle.value === undefined) {
         return { ok: false, error: `Field "value" not specified in filter object: ${JSON.stringify(filters)}` };
       }
-      if ((filters as IAdminForthSingleFilter).insecureRawSQL) {
+      if (filtersAsSingle.insecureRawSQL) {
         return { ok: false, error: `Field "insecureRawSQL" should not be specified in filter object alongside "field": ${JSON.stringify(filters)}` };
       }
+      if (filtersAsSingle.insecureRawNoSQL) {
+        return { ok: false, error: `Field "insecureRawNoSQL" should not be specified in filter object alongside "field": ${JSON.stringify(filters)}` };
+      }
       if (![AdminForthFilterOperators.EQ, AdminForthFilterOperators.NE, AdminForthFilterOperators.GT,
       AdminForthFilterOperators.LT, AdminForthFilterOperators.GTE, AdminForthFilterOperators.LTE,
       AdminForthFilterOperators.LIKE, AdminForthFilterOperators.ILIKE, AdminForthFilterOperators.IN,
       AdminForthFilterOperators.NIN].includes(filters.operator)) {
         return { ok: false, error: `Field "operator" has wrong value in filter object: ${JSON.stringify(filters)}` };
       }
-      const fieldObj = resource.dataSourceColumns.find((col) => col.name == (filters as IAdminForthSingleFilter).field);
+      const fieldObj = resource.dataSourceColumns.find((col) => col.name == filtersAsSingle.field);
       if (!fieldObj) {
-        const similar = suggestIfTypo(resource.dataSourceColumns.map((col) => col.name), (filters as IAdminForthSingleFilter).field);
+        const similar = suggestIfTypo(resource.dataSourceColumns.map((col) => col.name), filtersAsSingle.field);
 
         let isPolymorphicTarget = false;
         if (global.adminforth?.config?.resources) {
@@ -126,10 +130,10 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
           );
         }
         if (isPolymorphicTarget) {
-          process.env.HEAVY_DEBUG && console.log(`⚠️  Field '${(filters as IAdminForthSingleFilter).field}' not found in polymorphic target resource '${resource.resourceId}', allowing query to proceed.`);
+          process.env.HEAVY_DEBUG && console.log(`⚠️  Field '${filtersAsSingle.field}' not found in polymorphic target resource '${resource.resourceId}', allowing query to proceed.`);
           return { ok: true, error: '' };
         } else {
-          throw new Error(`Field '${(filters as IAdminForthSingleFilter).field}' not found in resource '${resource.resourceId}'. ${similar ? `Did you mean '${similar}'?` : ''}`);
+          throw new Error(`Field '${filtersAsSingle.field}' not found in resource '${resource.resourceId}'. ${similar ? `Did you mean '${similar}'?` : ''}`);
         }
       }
       // value normalization
@@ -139,7 +143,7 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
         }
         if (filters.value.length === 0) {
           // nonsense, and some databases might not accept IN []
-          const colType = resource.dataSourceColumns.find((col) => col.name == (filters as IAdminForthSingleFilter).field)?.type;
+          const colType = resource.dataSourceColumns.find((col) => col.name == filtersAsSingle.field)?.type;
           if (colType === AdminForthDataTypes.STRING || colType === AdminForthDataTypes.TEXT) {
             filters.value = [randomUUID()];
             return { ok: true,  error: `` };
@@ -149,15 +153,15 @@ export default class AdminForthBaseConnector implements IAdminForthDataSourceCon
         }
         filters.value = filters.value.map((val: any) => this.setFieldValue(fieldObj, val));
       } else {
-        (filters as IAdminForthSingleFilter).value = this.setFieldValue(fieldObj, (filters as IAdminForthSingleFilter).value);
+        filtersAsSingle.value = this.setFieldValue(fieldObj, filtersAsSingle.value);
       }
-    } else if ((filters as IAdminForthSingleFilter).insecureRawSQL) {
+    } else if (filtersAsSingle.insecureRawSQL || filtersAsSingle.insecureRawNoSQL) {
       // if "insecureRawSQL" filter is insecure sql string
-      if ((filters as IAdminForthSingleFilter).operator) {
-        return { ok: false, error: `Field "operator" should not be specified in filter object alongside "insecureRawSQL": ${JSON.stringify(filters)}` };
+      if (filtersAsSingle.operator) {
+        return { ok: false, error: `Field "operator" should not be specified in filter object alongside "insecureRawSQL" or "insecureRawNoSQL": ${JSON.stringify(filters)}` };
       }
-      if ((filters as IAdminForthSingleFilter).value !== undefined) {
-        return { ok: false, error: `Field "value" should not be specified in filter object alongside "insecureRawSQL": ${JSON.stringify(filters)}` };
+      if (filtersAsSingle.value !== undefined) {
+        return { ok: false, error: `Field "value" should not be specified in filter object alongside "insecureRawSQL" or "insecureRawNoSQL": ${JSON.stringify(filters)}` };
       }
     } else if ((filters as IAdminForthAndOrFilter).subFilters) {
       // if "subFilters" is present, filter must be AndOr

adminforth/dataConnectors/mongo.ts

@@ -212,6 +212,17 @@ class MongoConnector extends AdminForthBaseConnector implements IAdminForthDataS
     }
 
     getFilterQuery(resource: AdminForthResource, filter: IAdminForthSingleFilter | IAdminForthAndOrFilter): any {
+        // accept raw NoSQL filters for MongoDB
+        if ((filter as IAdminForthSingleFilter).insecureRawNoSQL !== undefined) {
+            return (filter as IAdminForthSingleFilter).insecureRawNoSQL;
+        }
+
+        // explicitly ignore raw SQL filters for MongoDB
+        if ((filter as IAdminForthSingleFilter).insecureRawSQL !== undefined) {
+            console.warn('⚠️  Ignoring insecureRawSQL filter for MongoDB:', (filter as IAdminForthSingleFilter).insecureRawSQL);
+            return {};
+        }
+
         if ((filter as IAdminForthSingleFilter).field) {
             const column = resource.dataSourceColumns.find((col) => col.name === (filter as IAdminForthSingleFilter).field);
             if (['integer', 'decimal', 'float'].includes(column.type)) {
@@ -222,7 +233,7 @@ class MongoConnector extends AdminForthBaseConnector implements IAdminForthDataS
 
         // filter is a AndOr filter
         return this.OperatorsMap[filter.operator]((filter as IAdminForthAndOrFilter).subFilters
-            // mongodb should ignore raw sql
+            // mongodb should ignore raw SQL, but allow raw NoSQL
             .filter((f) => (f as IAdminForthSingleFilter).insecureRawSQL === undefined)
             .map((f) => this.getFilterQuery(resource, f)));
     }

adminforth/documentation/docs/tutorial/03-Customization/03-virtualColumns.md

@@ -176,6 +176,48 @@ import sqlstring from 'sqlstring';
 This example will allow to search for some nested field in JSONB column, however you can use any SQL query here.
 
 
+### Custom Mongo queries with `insecureRawNoSQL`
+
+For MongoDB data sources, you can inject a raw Mongo filter object via `insecureRawNoSQL`. This is useful when the built-in filters are not enough or you need dot-notation and operators not covered by AdminForth helpers.
+
+Important: The object you provide is sent directly to MongoDB. Validate and sanitize any user inputs to prevent abuse of operators like `$where`, `$regex`, etc.
+
+Example — filter by nested field using dot-notation:
+
+```ts title='./resources/apartments.ts'
+...
+hooks: {
+  list: {
+    beforeDatasourceRequest: async ({ query, body }: { query: any, body: any }) => {
+      // Add raw Mongo filter: meta.is_active must equal body.is_active
+      query.filters.push({
+        insecureRawNoSQL: { 'meta.is_active': body.is_active },
+      });
+      return { ok: true, error: '' };
+    },
+  },
+},
+```
+
+You can combine it with other AdminForth filters using AND/OR:
+
+```ts
+import { Filters } from 'adminforth';
+
+query.filters = [
+  Filters.AND(
+    { insecureRawNoSQL: { 'meta.is_active': true } },
+    Filters.EQ('status', 'active'),
+  )
+];
+```
+
+Notes:
+- `insecureRawNoSQL` is Mongo-only. For SQL databases, use `insecureRawSQL`.
+- If both `field`/`operator`/`value` and `insecureRawNoSQL` are present in one filter object, validation will fail.
+- `insecureRawSQL` is ignored by the Mongo connector.
+
+
 
 ## Virtual columns for editing.
 

adminforth/types/Back.ts

@@ -131,6 +131,7 @@ export interface IAdminForthSingleFilter {
   | AdminForthFilterOperators.IN | AdminForthFilterOperators.NIN;
   value?: any;
   insecureRawSQL?: string;
+  insecureRawNoSQL?: any;
 }
 export interface IAdminForthAndOrFilter {
   operator: AdminForthFilterOperators.AND | AdminForthFilterOperators.OR;