Access Control Options 🔒 (#29)

Adding access control options, making the converter error if a
disallowed column/field is queried.

Previously this library has been insecure by default, users could easily
make the mistake of opening up their entire database. This change makes
it required to supply at least one access control option.

New options:
- `filter.WithAllowAllColumns()`  
  Allow filtering of all columns, same as the previous behaviour
- `filter.WithAllowColumns(...)`  
  Allow only selected columns
- `filter.WithDisallowColumns(...)`  
Disallow certain columns, used in combination with WithAllowAllColumns()
and WithNestedJSONB().


Note: This change is not backwards compatible! ⚠️

Author: koenbollen

README.md

@@ -32,8 +32,12 @@ import (
 
 func main() {
   // Create a converter with options:
+  // - WithAllowAllColumns: allow all columns to be filtered.
   // - WithArrayDriver: to convert arrays to the correct driver type, required when using lib/pq
-  converter := filter.NewConverter(filter.WithArrayDriver(pq.Array))
+  converter, err := filter.NewConverter(filter.WithAllowAllColumns(), filter.WithArrayDriver(pq.Array))
+	if err != nil {
+		// handle error
+	}
 
   // Convert a filter query to a WHERE clause and values:
   input := []byte(`{"title": "Jurassic Park"}`)

examples/basic_test.go

@@ -9,7 +9,10 @@ import (
 
 func ExampleNewConverter() {
 	// Remeber to use `filter.WithArrayDriver(pg.Array)` when using github.com/lib/pq
-	converter := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	converter, err := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	if err != nil {
+		// handle error
+	}
 
 	mongoFilterQuery := `{
 		"name": "John",
@@ -30,7 +33,10 @@ func ExampleNewConverter() {
 }
 
 func ExampleNewConverter_emptyfilter() {
-	converter := filter.NewConverter(filter.WithEmptyCondition("TRUE")) // The default is FALSE if you don't change it.
+	converter, err := filter.NewConverter(filter.WithAllowAllColumns(), filter.WithEmptyCondition("TRUE")) // The default is FALSE if you don't change it.
+	if err != nil {
+		// handle error
+	}
 
 	mongoFilterQuery := `{}`
 	conditions, _, err := converter.Convert([]byte(mongoFilterQuery), 1)
@@ -44,7 +50,10 @@ func ExampleNewConverter_emptyfilter() {
 }
 
 func ExampleNewConverter_nonIsolatedConditions() {
-	converter := filter.NewConverter()
+	converter, err := filter.NewConverter(filter.WithAllowAllColumns())
+	if err != nil {
+		// handle error
+	}
 
 	mongoFilterQuery := `{
 		"$or": [

examples/readme_test.go

@@ -8,7 +8,10 @@ import (
 
 func ExampleNewConverter_readme() {
 	// Remeber to use `filter.WithArrayDriver(pg.Array)` when using github.com/lib/pq
-	converter := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	converter, err := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	if err != nil {
+		// handle error
+	}
 
 	mongoFilterQuery := `{
 		"$and": [

filter/converter.go

@@ -30,9 +30,12 @@ const defaultPlaceholderName = "__filter_placeholder"
 
 // Converter converts MongoDB filter queries to SQL conditions and values. Use [filter.NewConverter] to create a new instance.
 type Converter struct {
-	nestedColumn     string
-	nestedExemptions []string
-	arrayDriver      func(a any) interface {
+	allowAllColumns   bool
+	allowedColumns    []string
+	disallowedColumns []string
+	nestedColumn      string
+	nestedExemptions  []string
+	arrayDriver       func(a any) interface {
 		driver.Valuer
 		sql.Scanner
 	}
@@ -45,16 +48,23 @@ type Converter struct {
 // NewConverter creates a new [Converter] with optional nested JSONB field mapping.
 //
 // Note: When using https://github.com/lib/pq, the [filter.WithArrayDriver] should be set to pq.Array.
-func NewConverter(options ...Option) *Converter {
+func NewConverter(options ...Option) (*Converter, error) {
 	converter := &Converter{
 		// don't set defaults, use the once.Do in #Convert()
 	}
+	seenAccessOption := false
 	for _, option := range options {
-		if option != nil {
-			option(converter)
+		if option.f != nil {
+			option.f(converter)
 		}
+		if option.isAccessOption {
+			seenAccessOption = true
+		}
+	}
+	if !seenAccessOption {
+		return nil, ErrNoAccessOption
 	}
-	return converter
+	return converter, nil
 }
 
 // Convert converts a MongoDB filter query into SQL conditions and values.
@@ -165,6 +175,9 @@ func (c *Converter) convertFilter(filter map[string]any, paramIndex int) (string
 			if !isValidPostgresIdentifier(key) {
 				return "", nil, fmt.Errorf("invalid column name: %s", key)
 			}
+			if !c.isColumnAllowed(key) {
+				return "", nil, ColumnNotAllowedError{Column: key}
+			}
 
 			switch v := value.(type) {
 			case map[string]any:
@@ -346,6 +359,26 @@ func (c *Converter) columnName(column string) string {
 	return fmt.Sprintf(`%q->>'%s'`, c.nestedColumn, column)
 }
 
+func (c *Converter) isColumnAllowed(column string) bool {
+	for _, disallowed := range c.disallowedColumns {
+		if disallowed == column {
+			return false
+		}
+	}
+	if c.allowAllColumns {
+		return true
+	}
+	if c.nestedColumn != "" {
+		return true
+	}
+	for _, allowed := range c.allowedColumns {
+		if allowed == column {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *Converter) isNestedColumn(column string) bool {
 	if c.nestedColumn == "" {
 		return false