Parse md json strings (#1347)

* Parse md json strings

* parse execQuery params

* move to direct only

* make params an object

* remove console log

---------

Co-authored-by: Anthony Ramirez <[email protected]>

Author: t-ramz

core/database/foxx/api/data_router.js

@@ -101,7 +101,7 @@ function recordCreate(client, record, result) {
     }
 
     if (record.md) {
-        obj.md = record.md;
+        obj.md = JSON.parse(record.md); // parse escaped JSON string TODO: this could be dangerous
         if (Array.isArray(obj.md)) throw [g_lib.ERR_INVALID_PARAM, "Metadata cannot be an array"];
     }
 
@@ -463,7 +463,7 @@ function recordUpdate(client, record, result) {
         obj.md_err_msg = null;
         obj.md_err = false;
     } else if (record.md) {
-        obj.md = record.md;
+        obj.md = JSON.parse(record.md);
         if (Array.isArray(obj.md)) {
             throw [g_lib.ERR_INVALID_PARAM, "Metadata cannot be an array"];
         }

core/database/foxx/api/query_router.js

@@ -301,10 +301,12 @@ router
     .summary("List client saved queries")
     .description("List client saved queries");
 
-function execQuery(client, mode, published, query) {
+function execQuery(client, mode, published, orig_query) {
     var col_chk = true,
         ctxt = client._id;
-
+    let query = {
+        ...orig_query,
+    };
     if (!published) {
         // For searches over private data, must perform access checks based on owner field and client id
 
@@ -533,7 +535,11 @@ router
         try {
             const client = g_lib.getUserFromClientID_noexcept(req.queryParams.client);
 
-            var results = execQuery(client, req.body.mode, req.body.published, req.body);
+            const query = {
+                ...req.body,
+                params: JSON.parse(req.body.params),
+            };
+            var results = execQuery(client, req.body.mode, req.body.published, query);
 
             res.send(results);
         } catch (e) {
@@ -549,7 +555,7 @@ router
                 qry_begin: joi.string().required(),
                 qry_end: joi.string().required(),
                 qry_filter: joi.string().optional().allow(""),
-                params: joi.object().required(),
+                params: joi.string().required(),
                 limit: joi.number().integer().required(),
             })
             .required(),

core/server/DatabaseAPI.cpp

@@ -1292,7 +1292,7 @@ void DatabaseAPI::generalSearch(const Auth::SearchRequest &a_request,
   payload["qry_begin"] = qry_begin;
   payload["qry_end"] = qry_end;
   payload["qry_filter"] = qry_filter;
-  payload["params"] = params;
+  payload["params"] = "{" + params + "}";
   payload["limit"] = to_string(cnt);
 
   string body = payload.dump(-1, ' ', true);