aws / aws-appsync-community

The AWS AppSync community
https://aws.amazon.com/appsync
Apache License 2.0
507 stars 32 forks

Feature Request: Hiding unauthenticated fields/types from introspection schema #20

Open acburdine opened 5 years ago

acburdine commented 5 years ago

This is somewhat related to #1, but different enough that it probably warrants a separate issue.

Say you have the following schema in a Cognito-authenticated AppSync api:

type Query {
  posts: [Post]!
}

type Mutation {
  addPost(id: ID!, content: String!): Post
  @aws_auth(cognito_groups: ["editors"])
}

# Post type implied by the fields above; added so the schema is complete
type Post {
  id: ID!
  content: String!
}

With appsync as it currently stands, if you were to run the following query with a cognito user that's not in the editors group:

{
  __schema {
    types {
      name
      fields {
        name
      }
    }
  }
}

you would still be able to see the addPost field on the Mutation type, even though if you actually tried to run the addPost mutation, you would get a 401 error.

It would be nice if the introspection schema only showed fields that you would have permission to query.
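The behaviour asked for above, as an added example that is not part of the issue or of AppSync: a filter that takes the raw result of the `__schema { types { name fields { name } } }` query and strips every field the caller's Cognito groups could not invoke, which is what such a proxy (for instance a Lambda in front of the API) would have to do today. The schema is represented as a dict of field to required groups instead of parsed SDL, and the introspection payload is constructed to mirror what the issue describes AppSync returning; both are assumptions of this example.

```python
"""Added example: filter an AppSync introspection result by caller groups.

AppSync returns every field from __schema regardless of @aws_auth (the
behaviour described in the issue). This shows the requested behaviour
implemented outside AppSync: fields the caller may not invoke are removed,
and a root type left without fields is dropped along with its reference.
"""
import copy
import json

# Field-level auth taken from the issue's schema (constructed mapping, not
# parsed SDL). None = any authenticated caller; a set = the Cognito groups
# named in @aws_auth(cognito_groups: [...]).
FIELD_GROUPS = {
    ("Query", "posts"): None,
    ("Mutation", "addPost"): {"editors"},
}

# Constructed sample of what AppSync returns today for the issue's query,
# with the root-type references included so the example can fix them up.
INTROSPECTION_RESULT = {
    "data": {
        "__schema": {
            "queryType": {"name": "Query"},
            "mutationType": {"name": "Mutation"},
            "types": [
                {"name": "Query", "fields": [{"name": "posts"}]},
                {"name": "Mutation", "fields": [{"name": "addPost"}]},
                {"name": "Post", "fields": [{"name": "id"}, {"name": "content"}]},
                {"name": "ID", "fields": None},
                {"name": "String", "fields": None},
            ],
        }
    }
}

ROOT_KEYS = ("queryType", "mutationType", "subscriptionType")


def caller_may_invoke(type_name, field_name, caller_groups):
    """A field with no @aws_auth is open to any authenticated caller."""
    required = FIELD_GROUPS.get((type_name, field_name))
    if required is None:
        return True
    return bool(required & set(caller_groups))


def filter_introspection(result, caller_groups):
    """Return a copy of the introspection result limited to invokable fields."""
    filtered = copy.deepcopy(result)
    schema = filtered["data"]["__schema"]
    kept = []
    for t in schema["types"]:
        # Scalars report fields: null; only object types are filtered.
        if t.get("fields") is not None:
            t["fields"] = [
                f for f in t["fields"]
                if caller_may_invoke(t["name"], f["name"], caller_groups)
            ]
            # An object type must have at least one field, so a type the
            # caller can do nothing with disappears from the schema entirely.
            if not t["fields"]:
                continue
        kept.append(t)
    schema["types"] = kept
    # Null out queryType/mutationType/subscriptionType pointing at a dropped type.
    kept_names = {t["name"] for t in kept}
    for key in ROOT_KEYS:
        ref = schema.get(key)
        if ref and ref.get("name") not in kept_names:
            schema[key] = None
    return filtered


def visible_fields(result, type_name):
    """Field names the introspection result exposes for one type ([] if absent)."""
    for t in result["data"]["__schema"]["types"]:
        if t["name"] == type_name:
            return [f["name"] for f in (t.get("fields") or [])]
    return []


if __name__ == "__main__":
    reader_view = filter_introspection(INTROSPECTION_RESULT, ["readers"])
    editor_view = filter_introspection(INTROSPECTION_RESULT, ["editors"])
    print(json.dumps(reader_view, indent=2))
    print("reader sees Mutation fields:", visible_fields(reader_view, "Mutation"))
    print("editor sees Mutation fields:", visible_fields(editor_view, "Mutation"))
```

A caller outside the editors group gets a result with no Mutation type and mutationType set to null, while an editor sees addPost as before; the unfiltered result shows addPost to both, which is the leak the issue is about. Anything that consumes the filtered result (a GraphQL client generating types, for example) still sees a well-formed schema because empty object types are removed rather than left with zero fields.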

vlekakis commented 5 years ago

Thank you very much for your interest in AppSync. I will bring this to the team

khola commented 5 years ago

So much this.

This is particularly important if you want to have one API shared with external users and used internally.

BabyDino commented 4 years ago

I am working on a single API. The API will be used for front- and backend (for both authenticated and unauthenticated users and admins).

It would be nice to disable the schema introspection completely for everyone except administrators.

kyptov commented 3 years ago

It would be nice to disable the schema introspection completely for everyone except administrators.

Try to deny access to field .../types/Query/fields/__schema in your policy. Example

- Effect: Deny
  Resource: !Join ['', [!GetAtt AppSync.Arn, '/types/Query/fields/__schema']]
  Action: appsync:GraphQL
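The CloudFormation fragment above, rendered as the IAM policy document it produces and checked against a few requests, as an added example that is not part of the issue or of any AWS project code. The API ARN is made up; the field resource format <api-arn>/types/<Type>/fields/<field> is the one the fragment relies on; the evaluator is a deliberately small model of IAM (Allow plus explicit-deny-wins, `*` wildcards in Resource), not the real engine. It also covers one point the fragment does not: `__type(name:)` is a second introspection root field, so denying only `__schema` still lets a caller walk the schema one type at a time, and both meta-fields need a Deny. Note that this IAM approach only binds callers who arrive with an IAM principal; AppSync has since also added an API-level introspection toggle (IntrospectionConfig on AWS::AppSync::GraphQLApi), which switches introspection off for every caller rather than per principal.

```python
"""Added example: the deny-introspection IAM policy as JSON, plus a small
explicit-deny-wins evaluator to show what it does and does not block.

Assumptions: API_ARN is constructed; AppSync field resources follow
<api-arn>/types/<Type>/fields/<field>; the evaluator is a simplified model
of IAM policy evaluation (no conditions, principals or NotResource).
"""
import fnmatch
import json

API_ARN = "arn:aws:appsync:us-east-1:123456789012:apis/abcdefghijklmnopqrstuvwxyz"  # constructed


def field_arn(type_name, field_name):
    """Resource ARN AppSync uses for one field, as in the issue's !Join."""
    return f"{API_ARN}/types/{type_name}/fields/{field_name}"


def deny_introspection_policy(meta_fields=("__schema", "__type")):
    """Policy for a non-admin role: all of the API's fields except introspection.

    Default denies both root meta-fields; pass ("__schema",) to reproduce the
    fragment from the issue exactly and see what it leaves open.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "appsync:GraphQL",
                "Resource": f"{API_ARN}/*",
            },
            {
                "Effect": "Deny",
                "Action": "appsync:GraphQL",
                "Resource": [field_arn("Query", f) for f in meta_fields],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: a matching Deny wins, otherwise need a matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def introspection_blocked(policy):
    """True only when both GraphQL introspection root fields are denied."""
    return all(
        not is_allowed(policy, "appsync:GraphQL", field_arn("Query", meta))
        for meta in ("__schema", "__type")
    )


if __name__ == "__main__":
    full = deny_introspection_policy()
    schema_only = deny_introspection_policy(("__schema",))
    print(json.dumps(full, indent=2))
    for name, pol in (("__schema+__type", full), ("__schema only", schema_only)):
        print(name,
              "posts:", is_allowed(pol, "appsync:GraphQL", field_arn("Query", "posts")),
              "__type:", is_allowed(pol, "appsync:GraphQL", field_arn("Query", "__type")),
              "blocked:", introspection_blocked(pol))
```

With both meta-fields denied, posts and addPost stay reachable while `__schema` and `__type` are refused; with the fragment as posted (only `__schema`), `__type` is still allowed and introspection_blocked reports False. Attach the Deny to the roles your non-admin callers assume and leave it off the administrators' role to get the "everyone except administrators" split asked for above.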

rodrigoreis22 commented 3 years ago

It would be nice to disable the schema introspection completely for everyone except administrators.

Try to deny access to field .../types/Query/fields/__schema in your policy. Example

- Effect: Deny
  Resource: !Join ['', [!GetAtt AppSync.Arn, '/types/Query/fields/__schema']]
  Action: appsync:GraphQL

@kyptov do you know if this works if I'm not using IAM authentication? We use just API Key.

kyptov commented 3 years ago

rodrigoreis22

Looks like there is no policy or role when using an API key. Maybe WAF can help you.

drewler9 commented 3 years ago

Consider adding Auth rules enabling Public/Private Access (they exist in Amplify, but really belong in AppSync :-) ), or allowing one AppSync API to trigger subscriptions on another AppSync API.

dkkehokr commented 3 years ago

We need this :)

SergiuTalnaci commented 3 years ago

@vlekakis Would you like to update us on this issue? We need this for a new project we are developing.

blazinaj commented 2 years ago

This has come up before as a High finding in a Web App Test. They seemed pretty triggered by it. I see a lot of arguments that it's not really an issue but a configuration for disabling the introspection query seems like an intuitive option regardless.

ghost commented 11 months ago

Can somebody please share an example of how to deny AppSync schema introspection when it is used not directly, but via AWS Amplify?