
Comments (12)

ohler55 commented on June 11, 2024

I suppose if all the clients already know what they are going to call there is no need for introspection. There is not currently an option to reject any query that includes introspection fields. It might be worth adding though or maybe provide another optional argument to the field methods.

Can you try something and see if you can make it work? Define a Schema Ruby class and, instead of @query as a field of the schema, try def query(arg1, arg2); arg2 should be the request. If you search for __ in the request, that might be enough to determine there are introspection elements. After that there just needs to be a way to disable the graphql/schema path. Work with me and I'm sure we can come up with something.

from agoo.

ohler55 commented on June 11, 2024

I suspect it is the default values for the arguments. It throws off what Ruby returns for arity. Try removing those.

from agoo.

ohler55 commented on June 11, 2024

Maybe, let me look into it a bit more tonight. Maybe have the exception respond to a request for the status code or something.

from agoo.

ohler55 commented on June 11, 2024

Just finished the other part you need. By default Agoo returns the schema with the graphql/schema path. I just added an option to hide that, called :hide_schema. Just add hide_schema: true to the server init options. I'll push it in a few minutes.

from agoo.

ohler55 commented on June 11, 2024

Released v2.15.1 with the fixes.

from agoo.

viniciusvmda commented on June 11, 2024

> I suppose if all the clients already know what they are going to call there is no need for introspection. There is not currently an option to reject any query that includes introspection fields. It might be worth adding though or maybe provide another optional argument to the field methods.
>
> Can you try something and see if you can make it work? Define a Schema Ruby class and, instead of @query as a field of the schema, try def query(arg1, arg2); arg2 should be the request. If you search for __ in the request, that might be enough to determine there are introspection elements. After that there just needs to be a way to disable the graphql/schema path. Work with me and I'm sure we can come up with something.

Thanks, @ohler55.
I have tried to add the arguments to the query, but both of them are always empty.

module GraphQL
  module Schemas
    class Schema
      #attr_reader :mutation
      attr_reader :subscription

      # Logs both arguments to see what the server passes in.
      def query(args = {}, req = {})
        Logging::logger.info("args: '#{args.to_s}'")
        Logging::logger.info("req: '#{req.to_s}'")
        Queries::Query.new
      end

      def mutation(args = {}, req = {})
        Mutations::Mutation.new
      end

    end
  end
end

The output logs

api_1  | I, [2022-06-13T20:42:42.961785 #1]  INFO -- : args: '{}'
api_1  | I, [2022-06-13T20:42:42.961910 #1]  INFO -- : req: '{}'

Do you have any other suggestions?

from agoo.

ohler55 commented on June 11, 2024

Looks like a no-introspection option is needed then, or I need to figure out why the second argument isn't being filled in. Maybe both.

from agoo.

ohler55 commented on June 11, 2024

Please take a look at the deny-introspection branch. Also at the songs example (example/graphql/songs.rb). That is what should have worked. Fixed that bug so you should be able to inspect the query and decide to continue or raise.

There is one other option I need to add to allow the graphql/schema path to be blocked.

from agoo.

viniciusvmda commented on June 11, 2024

Now all the requests (even without introspection) are returning the following error. I just changed to the deny-introspection branch, version 2.15.1b1, and I did not add any code yet to handle the request.

api_1  | D 2022/06/14 14:21:16.828771900 DEBUG: HTTP response on 2: HTTP/1.1 400 Bad Request
api_1  | Content-Type: application/json
api_1  | Content-Length: 123
api_1  |
api_1  | {"errors":[{"message":"Not a supported operation type.","code":"eval error","timestamp":"2022-06-14T14:21:16.818605400Z"}]}

from agoo.

viniciusvmda commented on June 11, 2024

Thank you, @ohler55. It worked! Just a doubt: is there any way to catch this exception at a higher level, for returning a different status code for example?

      def query(args, req)
        # Reject any request whose body mentions the __schema introspection field.
        if !req.nil? && req.body.include?("__schema")
          raise InvalidQueryException.new
        end
        Queries::Query.new
      end

from agoo.

viniciusvmda commented on June 11, 2024

I will close the issue as it was solved and open another one for discussing the topic that I have mentioned. Thanks, @ohler55!

from agoo.

ohler55 commented on June 11, 2024

Raising an exception that responds to code will use the exception code as the HTTP status code. Give the branch a try. I have been using the example/graphql/songs.rb as my test bed. I left a comment in there for schema query.

from agoo.
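
A stricter version of the check discussed in this thread, as an added example (not code from the thread or from Agoo): it strips GraphQL string literals and comments before looking for __schema or __type, so a string argument that merely contains "__schema" is not rejected and __type lookups are covered. IntrospectionGuard, IntrospectionDenied, FakeRequest, the 403 status and the sample bodies are assumptions made for this example; only query(args, req), req.body and the use of an exception's code as the HTTP status come from the thread.

```ruby
require 'json'

# The thread states that an exception responding to `code` sets the HTTP status.
class IntrospectionDenied < StandardError
  def code
    403 # status picked for this example
  end
end

module IntrospectionGuard
  # GraphQL block strings, quoted strings (with escapes) and # comments.
  IGNORED = /"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*/
  # Schema introspection entry points; __typename is deliberately not matched.
  META_FIELD = /\b__(?:schema|type)\b/

  # Use the "query" member of a JSON body, otherwise treat the body as raw GraphQL.
  def self.document(body)
    parsed = JSON.parse(body)
    parsed.is_a?(Hash) && parsed['query'].is_a?(String) ? parsed['query'] : body
  rescue JSON::ParserError
    body
  end

  def self.introspection?(body)
    return false if body.nil? || body.empty?
    document(body).gsub(IGNORED, ' ').match?(META_FIELD)
  end
end

class Schema
  # Same shape as the query(args, req) method posted in the thread.
  def query(_args, req)
    if !req.nil? && IntrospectionGuard.introspection?(req.body)
      raise IntrospectionDenied, 'introspection is disabled'
    end
    :query_root # stands in for Queries::Query.new
  end
end

# Constructed sample bodies; FakeRequest stands in for the server's request object.
FakeRequest = Struct.new(:body)
[
  '{ __schema { types { name } } }',
  '{"query":"query { __type(name: \"Song\") { name } }"}',
  '{ artist(name: "__schema") { __typename } }'
].each { |b| puts "#{IntrospectionGuard.introspection?(b)}  #{b}" }
```

As the thread notes, the graphql/schema path is a separate exposure and still needs hide_schema: true in the server init options.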
