Comments (12)
I suppose if all the clients already know what they are going to call there is no need for introspection. There is not currently an option to reject any query that includes introspection fields. It might be worth adding though or maybe provide another optional argument to the field methods.
Can you try something and see if you can make it work? Define a Schema Ruby class and instead of `@query` as a field of the schema try `def query(arg1, arg2)`. `arg2` should be the request. If you search for `__` in the request that might be enough to determine there are introspection elements. After that there just needs to be a way to disable the graphql/schema path. Work with me and I'm sure we can come up with something.
I suspect it is the default values for the arguments. It throws off what Ruby returns for arity. Try removing those.
Maybe, let me look into it a bit more tonight. Maybe have the exception respond to a request for the status code or something.
Just finished the other part you need. By default Agoo returns the schema with the graphql/schema path. I just added an option to hide that, called `:hide_schema`. Just add `hide_schema: true` to the server init options. I'll push it in a few minutes.
Released v2.15.1 with the fixes.
Thanks, @ohler55.
I have tried to add the arguments to the query but both of them are always empty
```ruby
module GraphQL
  module Schemas
    class Schema
      #attr_reader :mutation
      attr_reader :subscription

      # Second argument is expected to be the request (see the suggestion above);
      # both are logged so we can see what Agoo actually passes in.
      def query(args = {}, req = {})
        Logging::logger.info("args: '#{args.to_s}'")
        Logging::logger.info("req: '#{req.to_s}'")
        Queries::Query.new
      end

      def mutation(args = {}, req = {})
        Mutations::Mutation.new
      end
    end
  end
end
```
The output logs
api_1 | I, [2022-06-13T20:42:42.961785 #1] INFO -- : args: '{}'
api_1 | I, [2022-06-13T20:42:42.961910 #1] INFO -- : req: '{}'
Do you have any other suggestions?
Looks like no-introspection option is needed then or I need to figure out why the second argument isn't being filled in. Maybe both.
Please take a look at the deny-introspection branch. Also at the songs example (example/graphql/songs.rb). That is what should have worked. Fixed that bug so you should be able to inspect the query and decide to continue or raise.
There is one other option I need to add to allow the graphql/schema path to be blocked.
Now all the requests (even without introspection) are returning the following error. I just changed to the deny-introspection branch, version 2.15.1b1, and I did not add any code yet to handle the request.
api_1 | D 2022/06/14 14:21:16.828771900 DEBUG: HTTP response on 2: HTTP/1.1 400 Bad Request
api_1 | Content-Type: application/json
api_1 | Content-Length: 123
api_1 |
api_1 | {"errors":[{"message":"Not a supported operation type.","code":"eval error","timestamp":"2022-06-14T14:21:16.818605400Z"}]}
Thank you, @ohler55. It worked! Just a doubt: is there any way to catch this exception at a higher level, for returning a different status code for example?
```ruby
def query(args, req)
  # Reject any request whose body mentions the __schema introspection field.
  if !req.nil? && req.body.include?("__schema")
    raise InvalidQueryException.new
  end
  Queries::Query.new
end
```
I will close the issue as it was solved and open another one for discussing the topic that I have mentioned. Thanks, @ohler55 !
Raising an exception that responds to `code` will use the exception code as the HTTP status code. Give the branch a try. I have been using the example/graphql/songs.rb as my test bed. I left a comment in there for schema query.
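As an added example (not Agoo's code and not the issue author's), here is the pattern the thread converges on: a schema `query` hook that inspects the request body for introspection fields and, when it finds any, raises an exception that responds to `code`. `FakeRequest`, `DenyingSchema`, `introspection_fields`, the 403 status and the deny list are assumptions of this example; the Agoo request object is modelled only by its `body`.

```ruby
require 'json'

# Constructed stand-in for the Agoo request object passed as the second argument;
# only the `body` accessor used in the thread is modelled.
FakeRequest = Struct.new(:body)

# Per the thread, an exception that responds to `code` has that value used as the
# HTTP status. 403 is this example's choice, not an Agoo default.
class IntrospectionDeniedError < StandardError
  def code
    403
  end
end

INTROSPECTION_FIELDS = %w[__schema __type].freeze

# Return the introspection field names referenced by a GraphQL request body, or [].
# Only the operation text is scanned; string literals and comments are blanked out
# first, so an argument value such as "__schema" does not cause a false positive,
# and __typename (a normal selection field) is deliberately not in the deny list.
def introspection_fields(body)
  return [] if body.nil? || body.empty?
  parsed = JSON.parse(body) rescue nil
  # JSON transport is {"query": "...", "variables": {...}}; anything else is
  # treated as a raw application/graphql body.
  query = parsed.is_a?(Hash) ? parsed['query'].to_s : body
  operation = query.gsub(/"(?:\\.|[^"\\])*"/, '""').gsub(/#[^\n]*/, '')
  operation.scan(/__[A-Za-z_]\w*/).uniq & INTROSPECTION_FIELDS
end

class DenyingSchema
  Query = Struct.new(:name) # placeholder for the application's root query object

  # Mirrors the def query(args, req) hook from the thread. A req without a body
  # (nil, or the empty Hash seen earlier in the thread) is treated as non-introspective.
  def query(_args = {}, req = nil)
    body = req.respond_to?(:body) ? req.body : nil
    found = introspection_fields(body)
    unless found.empty?
      raise IntrospectionDeniedError, "introspection is disabled (#{found.join(', ')})"
    end
    Query.new('root')
  end
end
```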