search

prisma-labs / graphql-framework-experiment

Code-First Type-Safe GraphQL Framework
https://nexusjs.org
MIT License
673 stars 66 forks source link

Support HTTPS servers #679

Open crimson-med opened 4 years ago

crimson-med commented 4 years ago

Before I was using Nexus Schema and had the following configuration:

let options: any = {
    cors: {
        credentials: true,
        origin: ["https://localhost:3000", "https://127.0.0.1:3000", "http://127.0.0.1:4000", "http://localhost:4000"],
        methods: ['GET', 'PUT', 'POST', 'OPTIONS']
    },
    https: {
        key: fs.readFileSync("./../local.cert/localhost+1-key.pem"),
        cert: fs.readFileSync("./../local.cert/localhost+1.pem")
      }
}

new GraphQLServer({ schema, context: createContext }).start(options, () =>
    console.log(
        `🚀 Server ready at: https://localhost:4000\n⭐️ See sample queries: http://pris.ly/e/ts/graphql#5-using-the-graphql-api`,
    ),
)

I Have tried modifying the express settings to integrate the options but this had no success:

let options: any = {
    cors: {
        credentials: true,
        origin: ["https://localhost:3000", "https://127.0.0.1:3000", "http://127.0.0.1:4000", "http://localhost:4000"]
        methods: ['GET', 'PUT', 'POST', 'OPTIONS']
    },
    https: {
        key: fs.readFileSync("./../local.cert/localhost+1-key.pem"),
        cert: fs.readFileSync("./../local.cert/localhost+1.pem")
      }
}
server.express.settings(options);
settings.change({
    logger: {
      level: 'trace',
    },
    server: {
        playground: true,
        host: "https://localhost",
      startMessage: info => {
        settings.original.server.startMessage(info)
        log.warn('piggy back message!')
      },
    },
  })

I have also tried removing host: "https://localhost", with no success.

crimson-med commented 4 years ago

From what I can see in here the express server that is created is http only. in `nexus/src/runtime/server.ts

function setupExpress(express: Express, settings: SettingsInput): BaseServer {
  const http = HTTP.createServer()
  const settingsMerged = { ...defaultExtraSettingsInput, ...settings }
  http.on('request', express)

What about adding a possible setting in server for instance:

settings.change({
    server: {
        playground: true,
        host: "https://localhost",
       https: true,
       httpsCert: {key: '/path/to/key.pem', cert: '/path/to/cert.crt' }
      startMessage: info => {
        settings.original.server.startMessage(info)
        log.warn('piggy back message!')
      },
    },
  })

And then have something like the following (pseudo code): 

function setupExpress(express: Express, settings: SettingsInput): BaseServer {
  let serv = HTTP.createServer()
  if (setting?.server?.https) {
    serv = HTTPS.createServer(settings.server.httpsCert);
  }
  const settingsMerged = { ...defaultExtraSettingsInput, ...settings }
  serv.on('request', express)

I think this should be an important implementation or have default support as deploying apps without https (ssl / tls) is a big security issue.

jasonkuhrt commented 4 years ago

We don't have cors bundled right now. See #380.

I've renamed your issue to what the rest seems to be about.

crimson-med commented 4 years ago

@jasonkuhrt Do you guys accept PR? If I have time over this weekend I might try to make a PR for this as supporting HTTPS is basis to secured client to server data protection.

jasonkuhrt commented 4 years ago

as supporting HTTPS is basis to secured client to server data protection.

I think most people will have their cloud provider or deployment platform deal with HTTPS termination. It is often an ops concern, involves security policies at a company, low level, not a core responsibility of the app developer.

Anyways, Nexus should not be blocking this one way or another. I'm just saying that I don't think its a mainstream use-case.

Do you guys accept PR?

I think @Weakky and I need to decide on the API design first.

crimson-med commented 4 years ago

@jasonkuhrt I'm not sure what you meant by https but since Nexus Server is the server its need to be configured to use https if you want any interaction between client and server. For example a React client connected to the nexus server can't use https as of now.

jasonkuhrt commented 4 years ago

Deploy Nexus to e.g. heroku, your client can get HTTPS without Nexus needing to launch an HTTPS server.

crimson-med commented 4 years ago

We can't use Heroku as we are working directly with a ec2 environment on amazon. For now we are still using Yoga which lets you curstomize cors and https with the graphql server. But this means a lot of double defining using older version

jasonkuhrt commented 4 years ago

working directly with a ec2 environment on amazon

Yeah, but you could still put reverse proxies in front e.g. API Gateway. Not saying you can specifically in your case, but many users could.

My point was never that Nexus doesn't need to not-block HTTPS, just that I don't think its going to be very common.

We'll get to this soonish!

hassaantariq50 commented 4 years ago

We can't use Heroku as we are working directly with a ec2 environment on amazon. For now we are still using Yoga which lets you curstomize cors and https with the graphql server. But this means a lot of double defining using older version

can you guide me how to setup HTTPS server with graphql?

crimson-med commented 4 years ago

We can't use Heroku as we are working directly with a ec2 environment on amazon. For now we are still using Yoga which lets you curstomize cors and https with the graphql server. But this means a lot of double defining using older version

can you guide me how to setup HTTPS server with graphql?

We haven't migrated to the new version yet as this is not yet implemented we can't move the whole architecture.

hassaantariq50 commented 4 years ago

We can't use Heroku as we are working directly with a ec2 environment on amazon. For now we are still using Yoga which lets you curstomize cors and https with the graphql server. But this means a lot of double defining using older version

can you guide me how to setup HTTPS server with graphql?

We haven't migrated to the new version yet as this is not yet implemented we can't move the whole architecture.

so is there any way to setup HTTPS on graphQL?

crimson-med commented 4 years ago

We can't use Heroku as we are working directly with a ec2 environment on amazon. For now we are still using Yoga which lets you curstomize cors and https with the graphql server. But this means a lot of double defining using older version

can you guide me how to setup HTTPS server with graphql?

We haven't migrated to the new version yet as this is not yet implemented we can't move the whole architecture.

so is there any way to setup HTTPS on graphQL?

Please use google. There are already many resources explaining that. you can also use stackoverflow. This is for reporting bugs or asking features.