apollographql / meteor-integration

🚀 meteor add apollo
http://dev.apollodata.com/core/meteor.html

Solution to deny unauthorized access to graphql queries #112

Status: Closed (townmulti closed this 7 years ago)

townmulti commented 7 years ago

Can anyone offer a solution to denying access to graphql queries through api calls?

For example, if you take the url query from the in-browser GraphQL IDE (graphiql) and place it in any browser the data is loaded in json format with no problem. Anyone knowing the graphql api query call can load the data in development or production. I also tested running this query in a desktop app Postman and the data is readily accessible. Is there some setting I may need to add to prevent unauthorized access to my data? I have the basic code setup from the guides.

lorensr commented 7 years ago

If you only wanted your users to access data, you could check the context in resolvers:

```javascript
export const resolvers = {
  Query: {
    data(root, args, context) {
      // context.userId is set by the Meteor integration for logged-in users;
      // anonymous callers (a pasted URL, Postman) get null instead of data.
      if (!context.userId) {
        return null
      }
      // ...otherwise fetch and return the data here
    },
  },
  // User: ... (other type resolvers, omitted in this comment)
}
```

Or if you had API keys, you could write a `configOptions.configServer` that gives an empty response when a header or query param is missing.

https://www.apollographql.com/docs/react/recipes/meteor.html#createApolloServer

townmulti commented 7 years ago

@lorensr Thanks for your response! Yes, I only want my users to access the data. I had decided on your first solution, but it seemed like there should be an overall check I could put in the server config. As in your second solution, I was trying several ways but it wasn't coming out as expected.

I'm not sure how to achieve this with cors. I had this code which is not working.

```javascript
import cors from 'cors';                            // npm `cors` package
import { createApolloServer } from 'meteor/apollo';
import { executableSchema } from './schema';        // assumed local path

const whitelist = [
  'https://www.mywebsitedomain.com',
  'https://mywebsitedomain.com'
];
const corsOptions = {
  // `origin` is the request's Origin header; it is undefined for requests
  // that carry none (URL typed in the address bar, Postman, curl).
  origin: function (origin, callback) {
    const originIsWhitelisted = whitelist.indexOf(origin) !== -1;
    // `false` here only withholds the Access-Control-Allow-Origin header;
    // the cors middleware still passes the request on to the GraphQL handler.
    callback(null, originIsWhitelisted);
  },
  credentials: true
};

createApolloServer({
  context(context) {
    // console.log(context);
    return context;
  },
  schema: executableSchema
}, {
  configServer: graphQLServer => graphQLServer.use(cors(corsOptions)),
});
```

Maybe cors wasn't a solution to this. If you could please give an example of the API key config strategy that would be great!

lorensr commented 7 years ago

> there should be an overall check

Don't think that's possible with the current version of this package, but probably in the next version.

townmulti commented 7 years ago

@lorensr thanks for your help! Closing...