Fix deep filters in app, fix current-user/current-role in filters

api/src/app.ts

@@ -112,6 +112,10 @@ export default async function createApp() {
 		app.use(rateLimiter);
 	}
 
+	app.use(authenticate);
+
+	app.use(checkIP);
+
 	app.use(sanitizeQuery);
 
 	app.use(cache);
@@ -120,10 +124,6 @@ export default async function createApp() {
 
 	app.use('/auth', authRouter);
 
-	app.use(authenticate);
-
-	app.use(checkIP);
-
 	app.use('/graphql', graphqlRouter);
 
 	app.use('/activity', activityRouter);

api/src/utils/validate-query.ts

@@ -42,6 +42,8 @@ function validateFilter(filter: Query['filter']) {
 	for (let [key, nested] of Object.entries(filter)) {
 		if (key === '_and' || key === '_or') {
 			nested.forEach(validateFilter);
+		} else if (isPlainObject(nested)) {
+			validateFilter(nested);
 		} else if (key.startsWith('_')) {
 			const value = nested;
 

app/src/utils/filters-to-query/filters-to-query.ts

@@ -13,7 +13,18 @@ export default function filtersToQuery(filters: readonly Filter[]) {
 
 		if (!value) continue;
 
-		filterList.push({ [field]: { [`_${operator}`]: value } });
+		if (field.includes('.')) {
+			let filter: Record<string, any> = { [`_${operator}`]: value };
+			const path = field.split('.');
+
+			for (const field of path.reverse()) {
+				filter = { [field]: filter };
+			}
+
+			filterList.push(filter);
+		} else {
+			filterList.push({ [field]: { [`_${operator}`]: value } });
+		}
 	}
 
 	let filterQuery: Record<string, any> = {};