mathjazz / pontoon

In-place localization tool
https://pontoon.mozilla.org/
BSD 3-Clause "New" or "Revised" License

[API] Enable GraphiQL IDE on production #1111

Open mathjazz opened 6 years ago

mathjazz commented 6 years ago

This issue was created automatically by a script.

Bug 1407192

Bug Reporter: @stasm CC: @adngdb, @mathjazz, @jotes Blocker for: Bug 1395273

The GraphiQL IDE is currently only available at /graphql in local deployments. Let's use this bug to track what's needed to enable it on production.

mathjazz commented 6 years ago

Comment Author: @mathjazz

Yesss!

mathjazz commented 6 years ago

Comment Author: @jotes

brilliant!

mathjazz commented 6 years ago

Comment Author: @stasm

I love the enthusiasm :) Adrian, can you advise what the best way to proceed here is? I suspect we will need a security sign-off for GraphiQL.

Here's the GraphiQL repo:

https://github.com/graphql/graphiql/

And the template used by graphene-django:

https://github.com/graphql-python/graphene-django/blob/master/graphene_django/templates/graphene/graphiql.html

mathjazz commented 6 years ago

Comment Author: @Pike

I guess one point is to harden CSP and CSRF. CSRF seems to be somewhat dealt with in the template, why did we end up disabling it completely?

Also, https://github.com/ctrlplusb/react-universally/issues/253 has some interesting ramblings on CSP, http://django-csp.readthedocs.io/en/latest/decorators.html#csp-update might be helpful.

mathjazz commented 6 years ago

Comment Author: @adngdb

I'm not too much of a security expert. The way I see it, GraphiQL doesn't allow users to do anything more than what the API allows. This means that, if our API is secure, so should be any usage of graphiql. It is merely a tool that would make it easier for attackers to find out flaws in the API, but that shouldn't be a blocking factor.

However, I do not know if the front-end has been reviewed for security. It is a bit of external code that will be executed on a domain where people have cookies and sessions, and permissions, and stuff. So there might be some risks. I would be in favor of asking the security team for opinions and/or a review of graphiql and its graphene implementation.

One thing I've noticed in that graphene template that I don't like is the usage of a CDN. I generally dislike them, as I consider them external sources of failure and they can be used to track our users. However, that is a personal opinion and Mozilla's policy on CDNs might be different.

Hope that helps! Having graphiql on prod would indeed be super useful, it makes using the API so much easier.

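The two hardening points raised above (a per-view CSP widened only for the GraphiQL page, as django-csp's csp_update does, and the risk of loading the GraphiQL bundles from a third-party CDN) can both be reduced to a small amount of code. The following is an added example for this discussion, not code from Pontoon or graphene-django: it computes Subresource Integrity values to pin the CDN-hosted assets, checks a fetched asset against such a value, and derives the GraphiQL view's CSP directives from the asset origins. The CDN URLs and asset bodies are constructed stand-ins, and the hash format is the standard SRI one, so the functions run offline.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample: stand-ins for the JS/CSS bundles the graphiql.html
# template pulls from a CDN. The host and bodies are placeholders, not the
# real GraphiQL files.
SAMPLE_ASSETS = {
    "https://cdn.example.invalid/graphiql.min.js": b"console.log('graphiql placeholder');",
    "https://cdn.example.invalid/graphiql.css": b".graphiql-container { height: 100%; }",
}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the SRI value ("sha384-<base64 digest>") for a script or stylesheet body.

    Putting this in the tag's integrity attribute makes the browser refuse the
    asset if the CDN serves different bytes than the ones pinned here.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, expected: str) -> bool:
    """Check a fetched asset against a pinned SRI value (used when vendoring assets)."""
    algorithm = expected.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algorithm), expected)


def integrity_attributes(assets: dict) -> dict:
    """Map each asset URL to the integrity attribute value for its tag."""
    return {url: sri_hash(body) for url, body in assets.items()}


def csp_for_graphiql(base_policy: dict, asset_urls) -> dict:
    """Return a copy of base_policy widened only by the origins the assets come from.

    Mirrors the per-view approach of django-csp's csp_update decorator: the
    site-wide policy stays strict and only the GraphiQL view admits the CDN
    origin, in script-src or style-src depending on the asset type.
    """
    policy = {directive: list(values) for directive, values in base_policy.items()}
    for url in asset_urls:
        parts = urlsplit(url)
        origin = f"{parts.scheme}://{parts.netloc}"
        directive = "style-src" if parts.path.endswith(".css") else "script-src"
        policy.setdefault(directive, ["'self'"])
        if origin not in policy[directive]:
            policy[directive].append(origin)
    return policy


def render_csp(policy: dict) -> str:
    """Serialize a directive -> sources mapping as a Content-Security-Policy header value."""
    return "; ".join(f"{directive} {' '.join(values)}" for directive, values in policy.items())


if __name__ == "__main__":
    for url, value in integrity_attributes(SAMPLE_ASSETS).items():
        print(f'<script src="{url}" integrity="{value}" crossorigin="anonymous">')
    print(render_csp(csp_for_graphiql({"default-src": ["'self'"]}, SAMPLE_ASSETS)))
```

Pinning with SRI removes the "CDN serves modified code on a domain with session cookies" concern, though not the availability or tracking concerns Adrian mentions; vendoring the assets and serving them from the app's own origin addresses all three and lets the CSP stay at 'self'.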
mathjazz commented 6 years ago

Comment Author: @stasm

Thanks, Adrian. I'll reach out to the security team.

FWIW, GitHub deployed GraphiQL at https://developer.github.com/v4/explorer/

mathjazz commented 6 years ago

Comment Author: @stasm

Actually, they deployed it at https://graphql-explorer.githubapp.com which is then embedded as an iframe at https://developer.github.com/v4/explorer.