The Apollo Server File Upload Best Practices say that for proof-of-concept implementations, multipart/form-data is best (it comes with security problems, though, as mentioned at the very top of the same article); for production, signed URL uploads are to be preferred; and for maximum control, a custom file upload/serving system.
With multipart/form-data, signing the mutation may be problematic because the URL of the file must also be signed, so the file should probably be uploaded first and the URL then used as part of a subsequent mutation with signed input.
With signed URL uploads people first request a URL, upload the file to that URL, (requesting a URL first seems unnecessary) upload a file, receive a URL where the file name is its SHA-256 hash, sign and send a GraphQL mutation of a component's data with the URL.
Use Presigned Upload URLs as suggested by HotChocolate (and Apollo Server File Upload Best Practices). Maybe we'll need a message broker like RabbitMQ. My old thoughts on this can be read about below.
See https://gitlab.itc-engineering.com/scope/dbe-data-schema-for-building-envelopes/-/issues/30#note_261064 and https://gitlab.itc-engineering.com/scope/dbe-data-schema-for-building-envelopes/-/issues/31#note_261057
Possible protocols are
* Five Secure File Transfer Alternatives to FTP: The contenders are SFTP, FTPS, AS2, HTTPS, and MFT.
For ease of use, I would prefer HTTPS with media type multipart/form-data to upload files (this is what plain old HTML forms with file input use; see also How Does HTTP file upload work?). Ideally, the upload would be done in GraphQL with the GraphQL multipart request specification, which has been implemented in HotChocolate by now and can be read about on Upload Scalar.
Walk-through on how to upload files in ASP.NET Core with security considerations through HTML forms.
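The presigned-upload flow recommended at the top of this note, as an added sketch that is not taken from HotChocolate, Apollo Server or this project: the API issues a short-lived URL bound to the file's SHA-256 and size, and the storage side rejects any upload that does not match. The HMAC scheme, `SECRET`, `BASE` and the function names are assumptions made for illustration; signing the GraphQL mutation itself is left out.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: key known only to the API and storage service
BASE = "https://files.example.invalid/upload"  # hypothetical upload endpoint

def mac(sha256_hex, size, expires):
    # Bind method, content hash, size and expiry so none can be changed after issuing.
    msg = f"PUT\n{sha256_hex}\n{size}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def presign(sha256_hex, size, ttl=300, now=None):
    """API side: issue an upload URL valid for one content hash, one size, one time window."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"size": size, "expires": expires, "sig": mac(sha256_hex, size, expires)})
    return f"{BASE}/{sha256_hex}?{query}"

def accept_upload(url, body, now=None):
    """Storage side: return the permanent file name (the SHA-256) or raise ValueError."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        size, expires, sig = int(query["size"]), int(query["expires"]), query["sig"]
    except (KeyError, ValueError):
        raise ValueError("malformed URL") from None
    if not hmac.compare_digest(sig.encode(), mac(name, size, expires).encode()):
        raise ValueError("bad signature")
    if (time.time() if now is None else now) > expires:
        raise ValueError("expired")
    if len(body) != size:
        raise ValueError("size mismatch")
    if not hmac.compare_digest(hashlib.sha256(body).hexdigest().encode(), name.encode()):
        raise ValueError("hash mismatch")
    return name

if __name__ == "__main__":
    data = b"constructed sample file"  # constructed input
    url = presign(hashlib.sha256(data).hexdigest(), len(data))
    print(url)
    print("stored as", accept_upload(url, data))
```

Because the stored name is the content hash, the URL that later goes into the signed mutation identifies exactly one byte sequence, so replacing the file after signing would change its name.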