lighthouse
Allow disabling batched queries
We are trying to disable batched queries using the provided config setting 'batched_queries' => false. The app still processes all incoming queries, however, seemingly ignoring the setting.
I would expect an error to be thrown, an error message to be returned for each subsequent batched request, or the additional requests to be ignored entirely.
Steps to reproduce
- Set 'batched_queries' => false in the config/lighthouse.php file
- Rebuild containers and/or clear caches as appropriate
- Send the below JSON as the body of a POST request to the graphql endpoint
- Receive a response containing an array of two results instead of denying the request
[
    {
        "query": "query { batchOne: me { uuid } }"
    },
    {
        "query": "query { batchTwo: user(uuid: \"{UNIQUE_ID}\") { first_name } }"
    }
]
Output/Logs
Lighthouse Version
^5.38
Looking through the commit history, I found that this setting has been ignored since mid-2019. The need for this appears to be very slim, so I am reformulating this issue as a feature request.
I am genuinely curious: why do you need this?
Batched requests are a vulnerability in the app. Since they are not a technical requirement, disabling them would help protect the app from username enumeration and denial of service attacks.
I am happy to aid in the development of this feature.
protect the app from username enumeration
I think this has nothing to do with batched queries.
denial of service attacks
Those are somewhat related, but I reckon you will need other sorts of protection for heavy attacks.
One can enumerate/DDoS without batched queries. Like this:
mutation {
    try1: login(name: "try1", password: "try1password") {
        __typename
    }
    try2: login(name: "try2", password: "try2password") {
        __typename
    }
}
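The two posts above describe two ways of packing several operations into one HTTP request: a JSON array body (the issue's reproduction) and a single operation with aliased root fields (the reply). The following is an added, stand-alone example and not code from Lighthouse or from either participant. It shows a request-level check that treats both forms under one budget: an array body can be refused outright, and the aliased root fields of every operation in the request are counted against a single limit, so the alias trick is caught by the same rule. The policy names `allow_batch` and `max_root_fields` are assumptions for this illustration, not Lighthouse settings, and the sample bodies are constructed from the snippets in the thread.

```python
import json
import re

# Tokenizer for the subset of GraphQL syntax this check needs. It drops
# whitespace, commas, comments and string literals and keeps names, variables
# and single-character punctuators. Block strings come first so that
# `"""..."""` is not read as an empty `""`.
_TOKEN = re.compile(r'''
      """[\s\S]*?"""                # block string
    | "(?:\\.|[^"\\\n])*"           # plain string
    | \#[^\n]*                      # comment to end of line
    | \s+ | ,                       # insignificant whitespace and commas
    | \.\.\.                        # fragment spread / inline fragment
    | \$?[_A-Za-z][_0-9A-Za-z]*     # name or variable
    | .                             # any single punctuator
''', re.VERBOSE)
_NAME = re.compile(r'[_A-Za-z][_0-9A-Za-z]*')


def tokenize(query: str) -> list[str]:
    tokens = []
    for m in _TOKEN.finditer(query):
        tok = m.group(0)
        if tok.isspace() or tok == ',' or tok[0] in '#"':
            continue
        tokens.append(tok)
    return tokens


def count_root_fields(query: str) -> int:
    """Number of selections in the root selection set of the first operation.

    An aliased field (`try1: login`) counts once. Argument lists, directives,
    type conditions and fragment spreads are not counted, and fragment
    definitions are not expanded, so fields hidden behind `...Frag` are not seen.
    """
    depth = paren = count = 0
    prev = None
    for tok in tokenize(query):
        if tok == '{':
            depth += 1
        elif tok == '}':
            depth -= 1
            if depth == 0:
                break                       # end of the first operation
        elif tok == '(':
            paren += 1
        elif tok == ')':
            paren -= 1
        elif depth == 1 and paren == 0 and _NAME.fullmatch(tok):
            # A name directly in the root selection set is a field unless it is
            # the target of an alias (`:`), a directive (`@`), a fragment name
            # (`...`) or a type condition (`on`).
            if prev not in (':', '@', '...', 'on'):
                count += 1
        prev = tok
    return count


def inspect_graphql_request(body: str, allow_batch: bool = False,
                            max_root_fields: int = 1) -> tuple[bool, str]:
    """Decide whether a POST body may be executed. Returns (allowed, reason).

    `allow_batch` and `max_root_fields` are hypothetical policy knobs for this
    example. The root-field budget is applied to the whole request, so an array
    of N single-field operations and one operation with N aliased fields are
    treated alike.
    """
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "malformed JSON body"
    if isinstance(payload, list):
        if not allow_batch:
            return False, f"array batch of {len(payload)} operations rejected"
        ops = payload
    else:
        ops = [payload]
    total = 0
    for op in ops:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return False, "operation is missing a string 'query'"
        total += count_root_fields(op["query"])
    if total > max_root_fields:
        return False, f"{total} root fields in request exceed budget of {max_root_fields}"
    return True, "ok"


# Constructed samples: the array body from the issue, the aliased mutation from
# the reply, and a plain single-field query for comparison.
BATCHED_BODY = json.dumps([
    {"query": "query { batchOne: me { uuid } }"},
    {"query": 'query { batchTwo: user(uuid: "{UNIQUE_ID}") { first_name } }'},
])
ALIASED_MUTATION = """
mutation {
    try1: login(name: "try1", password: "try1password") { __typename }
    try2: login(name: "try2", password: "try2password") { __typename }
}
"""
ALIASED_BODY = json.dumps({"query": ALIASED_MUTATION})
SINGLE_BODY = json.dumps({"query": "query { me { uuid } }"})

if __name__ == "__main__":
    for label, body in (("batched", BATCHED_BODY), ("aliased", ALIASED_BODY),
                        ("single", SINGLE_BODY)):
        print(label, inspect_graphql_request(body))
```

Run as a script, the array body is refused before any operation is parsed, the aliased mutation is refused because its two root fields exceed a budget of one, and the single `me` query passes. Raising `max_root_fields` to 2 with `allow_batch=True` admits both of the first two bodies, which is the point: the budget, not the transport shape, is what bounds the work per request. The tokenizer is deliberately small and does not expand fragments, so a production check should run on the parsed document rather than on this approximation.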