
Protect GraphQL schema by token (avoid making it publicly available to anyone)#58

It is currently possible for anyone to download the whole schema structure without token, which is, to me, a business and security issue.

If our schema is meant to be public, then it should obviously be public, but as soon as we are using tokens to read/write our data, then we should have the ability to protect the schema with a token as well.

It is a risk as it is right now, since anyone can just query the schema and understand the whole data structure. This could be used by other businesses to copy our work, or hackers that attempt to steal data, etc.

10 months ago

Thanks for your feedback, Ambroise!

For completeness: If you don’t expose your GraphCMS endpoint anywhere and use your own server to request the data from there, a potential attacker would have no way of even knowing that another endpoint is involved, meaning they would also have to guess the randomly generated identifier of your API endpoint. The same risk for “data structures being compromised” is also present on the public website you might be hosting.

10 months ago

Indeed, it’s not really a GraphCMS security issue per se, but rather related to how GraphQL works.

Those who are concerned and wish to use an implementation that hides their GCMS endpoint (as Fabian states) can take a look at https://github.com/UnlyEd/graphCMS-cache-contingency-boilerplate which implements such a design and COULD fit your needs.

At the very least, it’s a good example for anyone who wishes to build a similar setup.

10 months ago

It would be great if GraphCMS could ensure that introspection queries (any interaction really) on token-restricted endpoints are secure. That should be addressable at the HTTP level, and not complicate the GraphQL layer at all. I haven’t tested this thoroughly, so it may already be the case.

Related to this, once GraphCMS introduces an authorization layer, it would be nice to have granular control over field visibility/mutability, be it by role, ACL, or whatever scheme is chosen.

There’s an interesting, somewhat related discussion happening over at this issue: https://github.com/graphql/graphql-js/issues/113

…where one commenter mentions using Apollo’s Transformation API: https://www.apollographql.com/docs/graphql-tools/schema-transforms

10 months ago
1

Is it advised to proxy the requests via your own server? I also have high security concerns and would like to see some access protection features.

9 months ago
1

Well, there is no issue using a proxy server, I’m doing it using a fork from https://github.com/UnlyEd/GraphCMS-cache-boilerplate (disclaimer: We built the boilerplate)

It allows me to hide my credentials, which were used on the frontend before using this proxy. It also improves speed and stability, and I haven’t met any issue so far; I’ve been using it for a couple of months in multiple production systems now.

But it’s not related at all to introspection, it doesn’t fix that.

9 months ago
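Added example, not code from the thread, GraphCMS or the UnlyEd boilerplate: the proxy setup described in the last two posts (token kept server-side, clients never see the upstream endpoint), combined with the HTTP-level introspection check the earlier post asks for, so `__schema`/`__type` requests are refused before they reach the token-restricted endpoint. `UPSTREAM_URL`, `UPSTREAM_TOKEN` and the function names are placeholders and assumptions of this example.

```javascript
// Placeholders: in a real deployment these come from the server environment,
// never from the browser bundle.
const UPSTREAM_URL = process.env.GRAPHQL_UPSTREAM || 'https://example.invalid/graphql';
const UPSTREAM_TOKEN = process.env.GRAPHQL_TOKEN || 'PLACEHOLDER_TOKEN';

// Blank out GraphQL string literals and # comments, so that "__schema"
// appearing inside an argument value is not mistaken for a field selection.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// True if the document selects the __schema or __type root fields.
// Aliasing does not hide them (the field name must still appear), and
// __typename is deliberately allowed: it reveals nothing beyond the response.
function isIntrospectionQuery(query) {
  return /(^|[^\w])__(schema|type)(?![\w])/.test(stripLiterals(query));
}

// Decide what to do with one JSON-parsed client request body.
// Returns a rejection, or the headers and body to forward to the upstream API.
function handleClientRequest(body) {
  if (!body || typeof body.query !== 'string') {
    return { status: 400, error: 'Missing GraphQL query' };
  }
  if (isIntrospectionQuery(body.query)) {
    // Log-worthy event: a client is probing the schema through the proxy.
    return { status: 403, error: 'Introspection is disabled on this endpoint' };
  }
  return {
    status: 200,
    upstream: {
      url: UPSTREAM_URL,
      headers: {
        'Content-Type': 'application/json',
        Authorization: `Bearer ${UPSTREAM_TOKEN}`, // added here, never sent to the browser
      },
      body: JSON.stringify({ query: body.query, variables: body.variables || {} }),
    },
  };
}
```

The check is conservative on purpose: a stray `__schema` token outside a string is rejected rather than parsed, while field-level visibility (the per-role control asked for above) still has to come from the API's own authorization layer.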