Current Status. I am investigating two approaches using the knex.js library: https://knexjs.org

Knex.js is a fantastic query builder library that allows you to build SQL queries in a very declarative manner.

Approach 1 - Allow users to use the query builder inside a sandboxed environment using knex and vm2 (https://www.npmjs.com/package/vm2)

This approach would allow users to write some minimal amount of JavaScript that would be executed in a very tightly controlled sandbox environment, where only the query builder object and any query/mutation arguments would be passed into the sandbox environment. It would not be possible to require() other libraries, for example. Take a look at some of the syntax to get an idea of what a user could do:

```javascript
knex.select('title', 'author', 'year').from('books')
```

Outputs:

```sql
select `title`, `author`, `year` from `books`
```

```javascript
knex('users').where('id', 1).orWhere({votes: 100, user: 'knex'})
```

Outputs:

```sql
select * from `users` where `id` = 1 or (`votes` = 100 and `user` = 'knex')
```

With this approach it would be possible to execute several queries against the database and even perform some limited amount of business logic.