How to operation safelist / guard against unwanted operations

pistachiomatt · October 7, 2022, 9:25pm

Hey friends,

I’m struggling to find info on how to protect my graph from randos making arbitrary queries to collect any data they want.

The only documentation is to use the Apollo CLI to npx apollo client:push to a safelist, but this feature is gated under the “Enterprise” plan (with the new pricing changes, is unclear how to even pay for this.)

This seems like a core feature to use Apollo, right? Otherwise anyone could run a query { getUser { sensitiveField } } With the little documentation on the topic, I feel like I’m missing a core concept. How do you guard against unwanted operations?

SoftCareTech · October 9, 2022, 7:38pm

Check out context and autheticatication

my example here

context: async ({ req }) => {
      const token = req.headers.authorization || '';
      const user = getUser(token);
      return {
        user: user ? user : undefined,
        models: {
          Auth: generateAuthModel(),
          User: user ? generateUserModel({ user }) : undefined,
          Admin: user ?
            user.level > 2 ?
              generateAdminModel({ user }) : undefined
            : undefined,
        }
      };

Now if you are not login resolvers will not be created for you
if level did reach admin you query admin functions

Topic		Replies	Views
Authenticate all query/mutations except few Help server	0	578	October 26, 2021
This operation has been blocked as a potential Cross-Site Request Forgery (CSRF) Help server	8	13130	February 13, 2023
Limiting/disabling batching in apollo-server Help server	4	3774	July 5, 2023
Apollo Client and Content Security Policy Help client , web	3	1631	June 17, 2021
Securing resolvers via token - best practice Help server	0	246	November 14, 2022

How to operation safelist / guard against unwanted operations

Related topics