Open nin-ack opened 1 year ago
trevor-scheer
commented
1 year ago Batching is disabled by default in AS4 and configurable to be enabled if it's desired. https://www.apollographql.com/docs/apollo-server/migration/#http-batching-is-off-by-default
trevor-scheer
commented
1 year ago Hm, after re-reading I see your question might be a bit more specific. Let me know if that's the solution you're looking for or if you're suggesting something more fine-grained (i.e. a function that's called per-request that evaluates to true/false to block some requests and not others).
nin-ack
commented
1 year ago @trevor-scheer I wasn't aware of it being disabled in v4 so thank you for that!
The feature(s) I was envisioning were:
allowBatchedHttpRequests: true.Appreciate the discussion!
trevor-scheer
commented
1 year ago Glad that helps. I'm not certain I know what you mean for 2, but I think I understand. Are you just saying that you'd like to inspect the request and/or operation(s) in order to permit or block the request?
If so, you could handle this logic in your context function. Unfortunately you don't have resolved operations / parsed documents yet so you might duplicate that work.
Plugins do receive the information that a graphql request "belongs" to a batched http request (along with all the other information you might need to make a decision about an operation) and can throw various errors / set status codes accordingly which will prevent execution. Is that the behavior you're looking for?
Feature Request
I would like to propose an enhancement to Apollo that allows users to restrict or disable request batching for specific objects, or server-wide, in order to mitigate potential security risks. Appears to be something that was previously discussed and referenced here.
Security Risks/Reasoning
Batching queries can be useful, however when applied to sensitive objects it can result in security issues like:
-and more.
OWASP Reference.
If this already exists elsewhere I apologize, I was unable to find a matching request ticket.