mozilla / pontoon

Mozilla's Localization Platform
https://pontoon.mozilla.org
BSD 3-Clause "New" or "Revised" License

Enable GraphiQL IDE on production #2101

Open bugzilla-to-github opened 7 years ago

bugzilla-to-github commented 7 years ago

This issue was created automatically by a script.

Bug 1407192

Bug Reporter: @stasm CC: @adngdb, @mathjazz, @jotes Blocker for: Bug 1395273

The GraphiQL IDE is currently only available at /graphql in local deployments. Let's use this bug to track what's needed to enable it on production.

bugzilla-to-github commented 7 years ago

Comment Author: @mathjazz

Yesss!

bugzilla-to-github commented 7 years ago

Comment Author: @jotes

brilliant!

bugzilla-to-github commented 7 years ago

Comment Author: @stasm

I love the enthusiasm :) Adrian, can you advise what the best way to proceed here is? I suspect we will need a security sign-off for GraphiQL.

Here's the GraphiQL repo:

https://github.com/graphql/graphiql/

And the template used by graphene-django:

https://github.com/graphql-python/graphene-django/blob/master/graphene_django/templates/graphene/graphiql.html

bugzilla-to-github commented 7 years ago

Comment Author: @Pike

I guess one point is to harden CSP and CSRF. CSRF seems to be somewhat dealt with in the template, why did we end up disabling it completely?

Also, https://github.com/ctrlplusb/react-universally/issues/253 has some interesting ramblings on CSP, http://django-csp.readthedocs.io/en/latest/decorators.html#csp-update might be helpful.

bugzilla-to-github commented 7 years ago

Comment Author: @adngdb

I'm not too much of a security expert. The way I see it, GraphiQL doesn't allow users to do anything more than what the API allows. This means that, if our API is secure, so should be any usage of graphiql. It is merely a tool that would make it easier for attackers to find out flaws in the API, but that shouldn't be a blocking factor.

However, I do not know if the front-end has been reviewed for security. It is a bit of external code that will be executed on a domain where people have cookies and sessions, and permissions, and stuff. So there might be some risks. I would be in favor of asking the security team for opinions and/or a review of graphiql and its graphene implementation.

One thing I've noticed in that graphene template that I don't like is the usage of a CDN. I generally dislike them, as I consider them external sources of failure and they can be used to track our users. However, that is a personal opinion and Mozilla's policy on CDNs might be different.

Hope that helps! Having graphiql on prod would indeed be super useful, it makes using the API so much easier.
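The three hardening points raised in the two comments above (a per-view CSP in the style of django-csp's csp_update, the CSRF token the GraphiQL template sends back with each request, and the CDN dependency) as an added Python example. This is constructed illustration code, not Pontoon's or graphene-django's; the base policy, the CDN origin cdn.example.test, and the simplified double-submit CSRF check are assumptions (Django's real check additionally masks and unmasks the token before comparing).

```python
"""Hardening helpers for serving a GraphiQL page behind a GraphQL API.

Constructed example, not Pontoon's or graphene-django's code. It shows:
  * merging extra sources into a site-wide CSP for one view only, the way
    django-csp's @csp_update appends rather than replaces directives;
  * Subresource Integrity values so a CDN-hosted GraphiQL bundle cannot be
    swapped without the browser refusing it;
  * a double-submit CSRF check matching what the template does client side
    (read the csrftoken cookie, send it as X-CSRFToken on every POST).
"""
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumed site-wide default policy (constructed for this example).
BASE_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'none'"],
}

# Hypothetical CDN origin the GraphiQL template loads its bundle from.
GRAPHIQL_CDN = "https://cdn.example.test"


def csp_update(base, update):
    """Merge like django-csp's @csp_update: sources are appended to the
    existing directive list, so 'self' is never dropped and the base dict
    is left untouched."""
    merged = {directive: list(sources) for directive, sources in base.items()}
    for directive, sources in update.items():
        existing = merged.setdefault(directive, [])
        for src in sources:
            if src not in existing:
                existing.append(src)
    return merged


def render_csp(policy):
    """Serialise a policy dict into a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


def graphiql_csp():
    """Policy for the GraphiQL view only. The CDN is allowed for scripts,
    styles and fonts; connect-src stays 'self', so the IDE can only talk to
    our own /graphql endpoint, and the page still cannot be framed."""
    return csp_update(BASE_CSP, {
        "script-src": [GRAPHIQL_CDN],
        "style-src": [GRAPHIQL_CDN],
        "font-src": [GRAPHIQL_CDN],
    })


def sri_attribute(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script or stylesheet body. With
    integrity= on the tag, a tampered CDN copy fails to load."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, content: bytes) -> str:
    """<script> tag pinned to the exact bundle we reviewed."""
    return (f'<script src="{src}" integrity="{sri_attribute(content)}" '
            'crossorigin="anonymous"></script>')


def csrf_ok(cookie_header: str, x_csrf_header: str) -> bool:
    """Server-side double-submit check: the csrftoken cookie must exist and
    equal the X-CSRFToken header, compared in constant time. A cross-site
    page can make the browser send the cookie but cannot read it to fill
    the header. Simplified relative to Django's own masked-token check."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("csrftoken")
    if morsel is None or not x_csrf_header:
        return False
    return hmac.compare_digest(morsel.value, x_csrf_header)


if __name__ == "__main__":
    print(render_csp(graphiql_csp()))
    # Constructed bundle contents stand in for the real GraphiQL build.
    print(script_tag(f"{GRAPHIQL_CDN}/graphiql.min.js", b"/* graphiql bundle */"))
    print(csrf_ok("csrftoken=abc123; sessionid=s1", "abc123"))  # good request
    print(csrf_ok("sessionid=s1", "abc123"))                    # cookie missing
```

The GraphiQL view gets the widened policy, while the /graphql endpoint itself keeps the base policy and the CSRF check; neither rescues an API that is insecure on its own, which is the point made above that the IDE only makes existing flaws easier to find.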

bugzilla-to-github commented 7 years ago

Comment Author: @stasm

Thanks, Adrian. I'll reach out to the security team.

FWIW, GitHub deployed GraphiQL at https://developer.github.com/v4/explorer/

bugzilla-to-github commented 7 years ago

Comment Author: @stasm

Actually, they deployed it at https://graphql-explorer.githubapp.com which is then embedded as an iframe at https://developer.github.com/v4/explorer.