laravel-graphql
Mutation exposes data as query string parameters
Lets say I have a simple User mutation like this:
mutation updateUsersEmail{updateUser(id:30,email:"[email protected]", password:"my password"){id,email,name}}
When I check the network request that was made it shows the following:
My password is visible in the query string params. Isn't this a security flaw? My data would be exposed, whereas in a traditional REST approach the data will be hidden in the payload as it will be using a POST request.
You don't have to use the GET method; you can use the POST method as well.
Do you have an example of how to use this with POST? I'd be interested to know how this works, as GraphQL utilizes the URL a lot.
I have tested this with POSTMAN. I ran the exact same mutation with a POST request, and it still exposes the parameters as GET variables.
When I test this by doing dd($_GET)
I get the following:
When I test with dd($_POST)
I get nothing.
So what's happening here is that it is not sending the actual params as POST payload data; it always sends them as query string params, which is very wrong if you want to be posting sensitive data.
So how do we actually send the data as POST payload data?
GraphQL doesn't have restrictions on HTTP methods.
You are sending the mutation over the query string, so you will always get those in $_GET.
If you want to get data in $_POST, you need to use the body/payload.
Example:
I recommend you use the Insomnia tool; it has some options to write GraphQL queries easily.
If you want to make restrictions on the HTTP methods you will need to create your own routing layer.
To create your own layer/filter, you can set a new controller in the package options and then use something like:
if($route->named('graphql.query'))
if($route->named('graphql.query.post'))
There is also an option to split queries and mutations into different URLs.
Hope this helps!
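As an added illustration of the two points in the answer above (this is example code, not code from the laravel-graphql package or from anyone in the thread): the same updateUser mutation built as a GET request, where the GraphQL-over-HTTP convention puts `query` and `variables` in the URL so the password ends up in access logs, proxies and browser history, and as a POST request with a JSON body; plus a small server-side gate of the kind the "own routing layer" suggestion describes, which refuses any non-query operation that arrives via GET. The endpoint URL and the `$id/$email/$password` variables are assumed placeholders.

```javascript
// Added example, not from the laravel-graphql project. Endpoint is a constructed placeholder.
const ENDPOINT = "https://example.test/graphql";

// Same mutation as in the question, but with values passed as variables instead of
// being inlined into the document, so the request body carries them as JSON.
const UPDATE_USER = `mutation updateUsersEmail($id: Int!, $email: String!, $password: String!) {
  updateUser(id: $id, email: $email, password: $password) { id email name }
}`;

// Builds what the client would hand to fetch(). GET follows the common GraphQL-over-HTTP
// convention (query + variables as URL parameters); POST puts everything in the body.
function buildGraphQLRequest(method, query, variables) {
  if (method === "GET") {
    const url = new URL(ENDPOINT);
    url.searchParams.set("query", query);
    url.searchParams.set("variables", JSON.stringify(variables));
    return { url: url.toString(), init: { method: "GET" } };
  }
  return {
    url: ENDPOINT,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ query, variables }),
    },
  };
}

// True if a secret value shows up in any URL parameter (i.e. would be logged with the URL).
function urlLeaks(url, secret) {
  for (const value of new URL(url).searchParams.values()) {
    if (value.includes(secret)) return true;
  }
  return false;
}

// Operation type of a GraphQL document; the anonymous shorthand `{ ... }` is a query.
function operationType(query) {
  const m = /^\s*(query|mutation|subscription)\b/.exec(query);
  return m ? m[1] : "query";
}

// Server-side gate for a custom routing layer: only plain queries may use GET,
// mutations (and subscriptions) must come in a POST body.
function allowRequest(method, query) {
  return !(method === "GET" && operationType(query) !== "query");
}
```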