Query Filter & Pagination Middleware

Overview

Express middleware layer that handles entity filtering and cursor-based pagination for API list endpoints. Includes input sanitization to prevent NoSQL injection attacks.

How it works

Two middleware functions work together:

  1. createFilterEntities — Parses query parameters into a MongoDB filter object. Only whitelisted keys are accepted, and all values are sanitized to strip MongoDB operators ($ne, $where, etc.).

  2. filterEntitiesFromId — Implements cursor-based pagination using _id sorting and direct ObjectId comparison. Supports a ?limit=N query parameter to control page size.

Key files

  • app/middleware/createFilterEntities.js — Query parameter parsing, key whitelisting, value sanitization
  • app/middleware/filterEntitiesFromId.js — Cursor-based pagination with ObjectId sorting and limit support

Technical decisions

  • Key whitelisting over blacklisting: Only ALLOWED_FILTER_KEYS are accepted in query filters; any unknown key is rejected. This is more secure than trying to block specific dangerous keys.
  • ObjectId-based cursor: Pagination uses _id comparison instead of the created timestamp field, which avoids issues with duplicate timestamps and is naturally monotonic.
  • Sanitization at middleware level: NoSQL injection prevention is handled at the middleware layer rather than per-route, ensuring consistent protection across all endpoints.
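
The key whitelisting and operator stripping described above, together with a bounded ?limit=N, as an added example that is not the project's own code. The contents of ALLOWED_FILTER_KEYS, the limit bounds, and the names sanitizeValue, buildFilter and parseLimit are assumptions; the sample query is constructed in the nested shape an extended query-string parser such as qs produces.

```javascript
// Assumed values: the page names ALLOWED_FILTER_KEYS but does not list its contents.
const ALLOWED_FILTER_KEYS = new Set(['status', 'type', 'owner']);
const DEFAULT_LIMIT = 20; // assumed default page size
const MAX_LIMIT = 100;    // assumed upper bound

// Recursively remove operator keys ("$ne", "$where", ...) and dotted paths.
// Returns undefined when nothing safe remains, so the caller can drop the key
// instead of querying with an empty object.
function sanitizeValue(value) {
  if (['string', 'number', 'boolean'].includes(typeof value)) return value;
  if (Array.isArray(value)) {
    const items = value.map(sanitizeValue).filter((v) => v !== undefined);
    return items.length ? items : undefined;
  }
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.') || k === '__proto__') continue;
      const safe = sanitizeValue(v);
      if (safe !== undefined) clean[k] = safe;
    }
    return Object.keys(clean).length ? clean : undefined;
  }
  return undefined; // null, functions, symbols
}

// Whitelist first, sanitize second: unknown keys never reach the filter.
function buildFilter(query) {
  const filter = {};
  for (const key of Object.keys(query)) {
    if (!ALLOWED_FILTER_KEYS.has(key)) continue;
    const value = sanitizeValue(query[key]);
    if (value !== undefined) filter[key] = value;
  }
  return filter;
}

// Accept only a short decimal string; anything else falls back to the default.
function parseLimit(raw) {
  if (typeof raw !== 'string' || !/^\d{1,6}$/.test(raw)) return DEFAULT_LIMIT;
  const n = Number(raw);
  return n < 1 ? DEFAULT_LIMIT : Math.min(n, MAX_LIMIT);
}

// Constructed sample: parsed form of
// ?status[$ne]=deleted&type=report&$where=1&role=admin&limit=5000
const SAMPLE_QUERY = { status: { $ne: 'deleted' }, type: 'report',
  $where: '1', role: 'admin', limit: '5000' };
console.log(buildFilter(SAMPLE_QUERY), parseLimit(SAMPLE_QUERY.limit));
```

Dropping a key whose value is empty after stripping matters: passing `{ status: {} }` to MongoDB would match only documents whose status is an empty sub-document, silently returning nothing.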

Known issues

  • None currently

Next steps

  • Add rate limiting to list endpoints