
Require client awareness, operation name and headers

Open smyrick opened this issue 2 years ago • 1 comments

Is your feature request related to a problem? Please describe.

A common best practice is to require clients to pass in operation names and headers: https://www.apollographql.com/docs/technotes/TN0001-client-id-enforcement/

This makes sure all requests can properly be tracked in GraphOS and helps with logging and o11y.

Describe the solution you'd like

Add a new config option that will error out if the operation document does not have a name defined and/or client headers are not passed in. Probably a good place is a new option in the request limits:

limits:
  require_operation_name: true
  require_client_headers: true

Describe alternatives you've considered

This can be achieved with Rhai scripts and coprocessors, but this is called out by the Solutions team as something everyone should be doing, so it seems like an easy win to just make this a built-in feature.

Additional context

Solutions Tech Note: https://www.apollographql.com/docs/technotes/TN0001-client-id-enforcement/

Configuring client awareness and identification: https://www.apollographql.com/docs/router/managed-federation/client-awareness/

smyrick, Aug 08 '23 21:08

Adding on to this, it would also be helpful to restrict client names to a fixed list, maybe something like:

limits:
  require_client_headers: true
  allowed_client_names:
    - "ios-app"
    - "web"
    - "andriod-client"
    - "tiger-team"

smyrick, Apr 11 '24 16:04
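
The thread notes that this enforcement can already be done with Rhai scripts or coprocessors. As an added example (not from the issue or the Router project), here is the check written as coprocessor logic in Python, assuming the coprocessor receives headers and body at the SupergraphRequest stage; the function names, the 400 status, the error code and the allowlist are hypothetical.

```python
# Added example, not Router code: checks for a coprocessor at the SupergraphRequest stage.
CLIENT_NAME = "apollographql-client-name"        # Router's default client awareness headers
CLIENT_VERSION = "apollographql-client-version"
ALLOWED_CLIENT_NAMES = {"ios-app", "web", "tiger-team"}  # constructed allowlist

def header(headers, name):
    """Coprocessor payloads carry headers as {name: [values]}; match case-insensitively."""
    for key, values in (headers or {}).items():
        if key.lower() == name and values:
            return values[0].strip()
    return ""

def violations(payload, allowed=ALLOWED_CLIENT_NAMES):
    """List every rule the request breaks, so the client sees all problems at once."""
    body = payload.get("body")
    body = body if isinstance(body, dict) else {}
    found = []
    # Simplification: trusts the request's operationName field instead of parsing the document.
    if not str(body.get("operationName") or "").strip():
        found.append("missing operation name")
    name = header(payload.get("headers"), CLIENT_NAME)
    if not name:
        found.append("missing client name header")
    elif name not in allowed:
        found.append("client name not in allowed list")
    if not header(payload.get("headers"), CLIENT_VERSION):
        found.append("missing client version header")
    return found

def handle(payload):
    """Build the coprocessor reply: pass the request on, or break with a GraphQL error."""
    found = violations(payload)
    if not found:
        return {**payload, "control": "continue"}
    error = {"message": "; ".join(found),
             "extensions": {"code": "CLIENT_IDENTIFICATION_REQUIRED"}}  # hypothetical code
    return {"version": payload.get("version", 1), "stage": payload.get("stage"),
            "id": payload.get("id"), "control": {"break": 400},  # status is an assumption
            "body": {"errors": [error]}}

# Constructed sample payload: unlisted client name, no version header, anonymous operation.
SAMPLE = {"version": 1, "stage": "SupergraphRequest", "id": "constructed-id",
          "headers": {"Apollographql-Client-Name": ["curl"]},
          "body": {"query": "{ me { id } }"}}

if __name__ == "__main__":
    print(handle(SAMPLE))
```

Client name and version headers are self-asserted by the caller, so an allowlist like this improves attribution and observability but is not an authentication control.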