
Security Features

Open jthegedus opened this issue 6 years ago • 3 comments

Is your feature request related to a problem? Please describe.

Aside from graphql-rbac what other security features are you planning on implementing via Directives?

I recently discovered graphql-rate-limit which is interesting and supports custom data sources for the tracking data for the current rate/req.

Are there other or similar considerations in mind?

Edit: here are some considerations https://blog.apollographql.com/securing-your-graphql-api-from-malicious-queries-16130a324a6b

jthegedus, Jan 22 '19 00:01

Hi @jthegedus

Currently, I only plan to implement graphql-rbac at our next release, but I did think about malicious queries protection before.

Since most of them are apollo schema directives, I could probably open up an API for schema directives. If it's not, we can still transform it into graphql middleware.

I'll think about it more. I'll see if it's something I can implement with graphql-rbac and come up with a general API.

Thanks!

wwwy3y3, Jan 23 '19 02:01

I think opening up the API to allow users to specify their own directives and 3rd party tools would be ideal.

Just as a side note, it would be good to get some examples in the docs that demonstrate how people can use their existing Apollo Configs with gqlify. Currently I'm doing this:

```javascript
// Imports added for completeness; the package names are the ones gqlify and
// Apollo Server 2 document (an assumption here, not part of the original comment).
const express = require("express");
const { ApolloServer } = require("apollo-server-express");
const { Gqlify } = require("@gqlify/server");
const { FirestoreDataSource } = require("@gqlify/firestore");

// Wrapped in the createGqlify() that createGQLServer() below calls.
// `sdl` is the datamodel SDL string, defined elsewhere in the original.
async function createGqlify() {
  return new Gqlify({
    // provide datamodel to gqlify
    sdl,

    // provide data-sources map to GQLify,
    // so GQLify would know how to create data-source for each model
    dataSources: {
      firestore: args => new FirestoreDataSource({ collection: args.key }),
    },
    skipPrint: true,
  });
}

// ...

function createApolloConfig() {
  return {
    introspection: true,
    playground: true,
    onHealthCheck: () =>
      new Promise((resolve, reject) => {
        // check your downstream services for health status
        // this could be internal or external dbs etc
        console.info("checking health");
        resolve();
      }),
    formatError: error => {
      console.error(error); // log the error in the Cloud Function logs
      return new Error("Internal server error"); // mask the error returned to the frontend
    },
  };
}

// ...

async function createGQLServer() {
  const app = express();

  // GQLify will provide GraphQL apis & resolvers to apollo-server
  const gqlify = await createGqlify();
  const gqlifyApolloConfig = gqlify.createApolloConfig();
  const apolloConfig = createApolloConfig();

  // later spread wins: keys set in apolloConfig override gqlify's
  const finalServerConfig = {
    ...gqlifyApolloConfig,
    ...apolloConfig,
  };

  const server = new ApolloServer(finalServerConfig);

  // ... (rest of the server setup elided in the original)
}
```

jthegedus, Jan 23 '19 09:01
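The config merge in the comment above (`{ ...gqlifyApolloConfig, ...apolloConfig }`) lets the later spread silently replace whole keys, so a user-supplied `schemaDirectives` object (say, a rate-limit directive) would drop any directive gqlify's config carries (an rbac directive, for instance). The following is an added example, not gqlify's or the commenter's code: it merges the two Apollo configs by directive name, keeps both sides' validation rules, and reports settings that weaken a production deployment. It assumes both configs may carry the Apollo Server 2 options `schemaDirectives` (object) and `validationRules` (array); whether gqlify's `createApolloConfig()` actually returns those is an assumption.

```javascript
// Added example (not from gqlify or the issue). Merges a gqlify-generated
// Apollo config with a hand-written one without dropping security settings.
function mergeApolloConfig(gqlifyConfig, userConfig) {
  const merged = { ...gqlifyConfig, ...userConfig }; // scalars: user wins

  // Directives: merge by name rather than replacing the whole object, and
  // refuse duplicates so an authorization directive cannot be shadowed.
  const left = gqlifyConfig.schemaDirectives || {};
  const right = userConfig.schemaDirectives || {};
  const dup = Object.keys(left).filter((name) => name in right);
  if (dup.length > 0) {
    throw new Error(`schemaDirectives defined on both sides: ${dup.join(", ")}`);
  }
  if (Object.keys(left).length + Object.keys(right).length > 0) {
    merged.schemaDirectives = { ...left, ...right };
  }

  // Validation rules (depth / complexity limits) are additive: keep both lists.
  const rules = [
    ...(gqlifyConfig.validationRules || []),
    ...(userConfig.validationRules || []),
  ];
  if (rules.length > 0) merged.validationRules = rules;
  return merged;
}

// Returns findings (strings) for settings that weaken the server; the
// nodeEnv parameter is assumed here so the check is testable offline.
function hardeningFindings(config, nodeEnv = process.env.NODE_ENV) {
  const findings = [];
  if (typeof config.formatError !== "function") {
    findings.push("no formatError: internal error details reach clients");
  }
  if (nodeEnv === "production" && config.introspection === true) {
    findings.push("introspection enabled in production");
  }
  if (nodeEnv === "production" && config.playground === true) {
    findings.push("playground enabled in production");
  }
  if (!(config.validationRules || []).length) {
    findings.push("no validationRules: no depth/complexity limit on queries");
  }
  return findings;
}
```

Run `hardeningFindings(mergeApolloConfig(gqlifyApolloConfig, apolloConfig))` once at startup and fail the boot when the list is non-empty in production.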

Hi @wwwy3y3, is there any progress or roadmap we can see for these types of features? Happy to help contribute where I can

jthegedus, Jun 13 '19 02:06