graphql-query-whitelist
A simple GraphQL query whitelist toolkit for express.
It includes:
- An
expressmiddleware that prevents queries not in the whitelist to be executed. It also allows to execute queries just passing a previously storedqueryIdinstead of the full query. - A REST API to create/get/list/enable/disable/delete queries from the whitelist
- A
MemoryStoreandRedisStoreto store the queries - An utility class (
QueryRepository) to perform CRUD operations programmatically - A binary (
gql-whitelist) that whitelist all the files with.graphqlextension in a specified directory (useful to automatically whitelist queries on build time)
A UI to manage the whitelisted queries is available here
Rationale
One of the security concerns for a typical GraphQL app is that it lacks of a security mechanism out of the box.
By default, anyone can query any field of your GraphQL app, and if your schema supports nested queries, a malicious attacker could make a query that consumes all the resources of the server.
Example:
query RecursiveQuery {
friends {
username
friends {
username
friends {
username
friends { ... }
}
}
}
}
This middleware avoids this type of queries checking if the incoming query is whitelisted or not.
(more info: source 1, source 2)
Installation
npm install --save graphql-query-whitelist graphql body-parser
In your app:
import express from 'express'
import bodyParser from 'body-parser'
import graphqlWhitelist, { MemoryStore } from 'graphql-query-whitelist'
const app = express()
const store = new MemoryStore()
// body-parser must be included before including the query whitelist middleware
app.use(bodyParser.json())
app.post('/graphql', graphqlWhitelist({ store }))Before each request is processed by GraphQL, it will check if the inbound query is in the whitelist or not. If it's not in the whitelist, it will respond with a 401 status code.
Running queries only sending the queryId
Since the server has access to the query store, and the store has access to the full queries, it's possible to run a query just by sending the queryId.
E.g: POST /graphql?queryId=dSPDigYWUw2w9wTI9g0RrbakmsJiRFIvTUa59jnZsV4=
Storing and retrieving queries
There are 2 ways of storing and retrieving queries:
Rest API
Normally you would want to automate the process of storing queries at the build time.
This library includes a Rest API that you can mount in any express app to list, create, get, enable/disable and delete queries.
Example:
import { Api as whitelistAPI, RedisStore } from 'graphql-query-whitelist'
app.use('/whitelist', whitelistAPI(new RedisStore()))It will mount these routes:
GET /whitelist/queries
GET /whitelist/queries/:id
POST /whitelist/queries
PUT /whitelist/queries/:id
DELETE /whitelist/queries/:id
Programmatically using the QueryRepository
Example:
import { QueryRepository, MemoryStore } from 'graphql-query-whitelist'
const store = new MemoryStore()
const repository = new QueryRepository(store)
const query = `
query MyQuery {
users {
firstName
}
}
`
repository.put(query).then(console.log)
/*
* Prints:
* {
* id: 'dSPDigYWUw2w9wTI9g0RrbakmsJiRFIvTUa59jnZsV4=',
* query: 'query MyQuery {\n users {\n firstName\n }\n}\n',
* operationName: 'MyQuery',
* enabled: true
* }
*/The QueryRepository class exposes the following methods:
get(queryId)put(query)update(queryId, properties)entries()delete(queryId)
Stores
A store is the medium to list, get, store and delete queries.
It must implement the following methods:
get(key)
It returns a Promise that resolves to the value for that key
set(key, value)
Returns a Promise that is resolved after the value is saved in the store
entries()
Returns a Promise that resolves to an array of all the entries stored, having the following format:
[[key1, val1], [key2, val2], ...]
delete(key)
Returns a Promise that is resolved after the element is deleted from the store
clear()
Returns a Promise that is resolved after all the elements are deleted from the store
Including in this library are 2 stores:
MemoryStoreRedisStore(needs to have ioredis installed)
The RedisStore receives the same constructor arguments as ioredis.
Middleware Options
store
This property is mandatory and must be a valid query store.
skipValidationFn
This property is optional and must be a function that receives the express request object and returns a boolean value. If a truthy value is returned, the whitelist check is skipped and the query is executed.
This option is very useful to skip the whitelist check for certain apps that are already sending dynamic queries that are impossible to add to the whitelist.
Example:
const skipValidationFn = (req) => req.get('X-App-Version') !== 'legacy-app-1.0'
app.post('/graphql', graphqlWhitelist({ store, skipValidationFn }))validationErrorFn
This property is optional and must be a function that receives the express request object and will be called for every query that is prevented to be executed by this middleware.
Example:
import { verbose, warn } from 'utils/log'
const validationErrorFn = (req) => {
warn(`Query '${req.operationName} (${req.queryId})' is not in the whitelist`)
verbose(`Unauthorized query: ${req.body.query}`)
}
app.post('/graphql', graphqlWhitelist({ store, validationErrorFn }))storeIntrospectionQueries
If this option is set to true, graphql-query-whitelist will add to the whitelist all GraphQL and GraphiQL introspection queries.
This option is disabled by default, but is needed if you are using GraphiQL and need to have the introspection queries whitelisted in order to have the autocompletion feature working.
Example:
app.post('/graphql', graphqlWhitelist({ store, storeIntrospectionQueries: true }))dryRun
If this option is set to true, graphql-query-whitelist will validate the query against the whitelist and the validationErrorFn will be called, but the query will be executed as if the middleware is disabled.
This is useful if you are starting to whitelist the queries long after your GraphQL server was first launched, and you need to log all the queries that are not yet whitelisted.
Example:
app.post('/graphql', graphqlWhitelist({ store, dryRun: true }))Whitelisting queries automatically
You may want to whitelist new queries everytime a query is added/changed in your project. This depends on graphql so make sure graphql is installed as well.
$ npm install -g graphql-query-whitelist graphql
$ gql-whitelist --endpoint http://your.graphql-endpoint.com/graphql /path/to/directory/containing/.graphql/filesAdditionally, you can specify headers using the option --header
$ gql-whitelist --endpoint http://your.graphql-endpoint.com/graphql --header key=value --header key2=value2 /path/to/directory/containing/.graphql/filesLicense
Copyright (c) 2016 Restorando
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.