
Option to upload query

Open Pasqualle opened this issue 7 years ago • 9 comments

We would like to use persisted queries, but not automated. It gives us a security benefit, that only the selected queries are allowed for clients.

  1. Option to add/upload queries manually, similar to the graphql module (https://www.drupal.org/docs/8/modules/graphql/query-maps)
  2. Add an option to disallow unknown queries

Note: Using the persisted queries option provided by the graphql module is not wanted, as it works with a deprecated apollo package. https://github.com/apollographql/persistgraphql/pull/67

Pasqualle, Oct 17 '18 10:10

I think what you are trying to accomplish should be addressed by the core graphql module, as none of it has to do with the concept of apq.

lucasconstantino, Oct 17 '18 18:10

I have discussed this earlier with Sebastian, and he suggested to open a PR against this module. I just wanted to be sure that we all agree on the solution.

As I mentioned, the problem with the core graphql module is that it relies on an apollo package which will be deprecated. So there is only one apollo package, apollo-link-persisted-queries, which is usable, and your module works with that package. Therefore I should use your module or fork your module to achieve non-automated persisted queries. The current persisted queries solution in graphql core, the part which is related to the deprecated apollo package, should be moved into a separate module in case someone is still using it. It should not be the recommended way to do persisted queries.

Therefore my suggestion is to make this module work in a non-automated way as well, then advertise it as the recommended solution for persisted queries.

Pasqualle, Oct 19 '18 16:10

I see your point. It is a bold move, though, and we should sync efforts with the graphql-core team. As of now, this module states clearly it's meant only for Automatic Persisted Queries, so if we intend to change it, probably a fork would fit better than simple pull requests, you see what I mean?

lucasconstantino, Oct 19 '18 16:10

I have asked for more comments on this on the Slack channel. As I will need this functionality, I can do it as a fork, no problem.

Pasqualle, Oct 19 '18 16:10

@Pasqualle nice! Perhaps the code related to APQ becomes a submodule of that fork one day ;)

lucasconstantino, Oct 19 '18 17:10

@Pasqualle with @lucasconstantino we developed a concept using a secret to encrypt the query hash, so that way you can validate it before you "upload" the missing pair of hash and query on the server.

Here's a draft showing the approach: persisted queries with secret

sebas5384, Oct 19 '18 21:10

I was thinking about this secret approach. If I understand it correctly, the client must know the secret (it needs to know how to create the valid hash). That would mean it is not fully secure, as new queries are allowed if someone extracts the secret from the client. Or you have a different client which knows the secret and is not public.

Pasqualle, Oct 20 '18 05:10

We parse the queries at build time, so the "client" secret is not actually known by the client application. There are both Babel plugins and webpack loaders that can help, depending on which you are used to.

lucasconstantino, Oct 20 '18 06:10

@Pasqualle I guess @lucasconstantino already answered your doubt about exposing the secret. We are using three libraries on the frontend:

  • https://github.com/apollographql/graphql-tag
  • https://github.com/leoasis/graphql-persisted-document-loader
  • https://github.com/apollographql/apollo-link-persisted-queries
  • https://github.com/sebas5384/crypty

sebas5384, Oct 22 '18 18:10