Support for query whitelisting
I was wondering if ariadne has support for query whitelisting. I didn't see anything about it in the docs, so please tell me if so.
Can you explain what you mean by query whitelisting or how this compares to query persistence that Apollo documents on their docs?
I believe query persistence covers it. I want to be able to defend against arbitrary graphql queries.
Ideally, the system would only accept queries or subset of queries that have been registered.
I don't think this is the case. The docs describe this as a caching mechanism for query strings, where the client sends a hash generated from the query it intends to run, and if the server doesn't know the query's hash it requests that the proper query be sent to it instead so it can cache it for future queries. There's no allowed-queries list involved on the server side here.
Ah yeah, my bad.
So does ariadne have support for query whitelisting/safelisting? AKA if the query's hash doesn't exist, it's rejected.
It doesn't.
To be honest such a requirement sounds like you would want to implement a regular RESTful API instead of GraphQL, whose primary selling point is yielding control over what data is loaded and when to the client.
Can you share what problem you seek to solve that can't be done with query costs limit?
Oh, just defending against a case where a data schema has sensitive information in certain contexts.
If an engineer is careful about designing their resolvers and payloads, it's not a problem. It's a defense against the chance that someone makes a mistake.
It's part of Apollo Enterprise now: https://www.apollographql.com/docs/studio/operation-registry/
They ditched this open-source effort: https://github.com/apollographql/persistgraphql
To be honest such a requirement sounds like you would want to implement a regular RESTful API instead of GraphQL, whose primary selling point is yielding control over what data is loaded and when to the client.
In teams in control of both frontend and backend, this is not an issue.
Looks like this would be resolved if we supported a custom query parser option, e.g.:
class AllowedQueriesParser:
    ...

allowed_queries_parser = AllowedQueriesParser(
    allowed_queries={
        "GetUsers": gql(
            """
            query GetUsers {
                users {
                    id
                    name
                    email
                }
            }
            """
        )
    }
)

app = GraphQL(
    schema,
    query_parser=allowed_queries_parser,
)
Punting this for Ariadne 0.17, but I'll open a separate issue for configurable parsers.
This is possible as of Ariadne 0.18. To do this one has to implement a custom query parser that discards the query part of the payload and returns a custom parsed query based on its other contents, like the operationName.
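What such a parser can look like, as an added example rather than Ariadne's own code: it assumes the `query_parser` callable receives `(context_value, data)` with `data` being the raw request payload, and that an exception raised from it becomes a GraphQL error response; the allow-list, the sample operation and the hash-lookup convention are constructed for illustration.

```python
import hashlib
from typing import Any, Dict, Mapping


class QueryNotAllowed(Exception):
    """Raised for any request that does not identify a registered operation."""


def sha256_hex(query: str) -> str:
    return hashlib.sha256(query.encode("utf-8")).hexdigest()


class AllowedQueriesParser:
    """Ariadne query_parser that only parses pre-registered query text.
    The "query" field of the payload is ignored entirely; the operation is
    chosen by operationName or by the sha256 hash in extensions.persistedQuery."""

    def __init__(self, allowed_queries: Mapping[str, str]):
        self._by_name = dict(allowed_queries)
        self._by_hash = {sha256_hex(q): q for q in allowed_queries.values()}

    def resolve(self, data: Dict[str, Any]) -> str:
        name = data.get("operationName")
        if name is not None:
            if not isinstance(name, str) or name not in self._by_name:
                raise QueryNotAllowed(f"operation {name!r} is not registered")
            return self._by_name[name]
        extensions = data.get("extensions") or {}
        digest = (extensions.get("persistedQuery") or {}).get("sha256Hash")
        if digest in self._by_hash:
            return self._by_hash[digest]
        raise QueryNotAllowed("request does not identify a registered operation")

    def is_allowed(self, data: Dict[str, Any]) -> bool:
        try:
            self.resolve(data)
        except QueryNotAllowed:
            return False
        return True

    def __call__(self, context_value: Any, data: Dict[str, Any]):
        # Assumed Ariadne signature: (context_value, data) -> DocumentNode.
        # graphql-core is imported here so resolve() is usable without it.
        from graphql import parse
        return parse(self.resolve(data))


# Constructed sample allow-list for a hypothetical schema.
ALLOWED_QUERIES = {"GetUsers": "query GetUsers { users { id name } }"}
allowed_queries_parser = AllowedQueriesParser(ALLOWED_QUERIES)
```

Register it with `GraphQL(schema, query_parser=allowed_queries_parser)`; requests with an unknown or missing operation name are refused before any client-supplied query text is parsed.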