What is this change?
Changes GraphQL service to run query depth limit validation on all requests (previously running just for unauthenticated requests). Ups the depth limit as our Web UI requires deeper queries. The default limit is about double what the Web UI needs – one could conceive of queries in GraphiQL that exceed this limit.
Also introduces the notion of mandatory GraphQL validation that can't be skipped with a parameter. The depth limit validation doesn't conflict with the reason for allowing validation to be skipped outlined here: https://github.com/sensu/sensu-go/pull/3379
In the future, we could group built-in GraphQL validators into skippable and not: https://pkg.go.dev/github.com/graphql-go/graphql#SpecifiedRules. However, changes to federation in future Sensu versions could make this unnecessary, as skipping validation won't be necessary.
Why is this change necessary?
Security team request to extend this validation to authenticated requests
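The two behaviours described above, as an added example that is not sensu-go's code and does not use graphql-go: a small Python depth limiter that resolves fragment spreads (so depth cannot hide behind `...Fragment`), ignores braces inside strings, comments and argument object literals, and runs as a mandatory rule before any skip flag is consulted. The lexer pattern, the `limit`/`skippable`/`skip` parameters and the queries used for checking it are assumptions made for this example.

```python
import re

TOKEN = re.compile(r'"""(?:\\.|[^\\])*?"""|"(?:\\.|[^"\\])*"|#[^\n]*|[(){}]|\.\.\.'
                   r'|[^\s,(){}"#.]+|[\s,]+|(?P<bad>.)', re.S)  # constructed lexer pattern

def lex(query):
    # Keep only '{', '}', '...' and names; strings, comments and argument lists (whose
    # object literals carry braces too) are dropped, so they cannot skew the depth count.
    toks, paren = [], 0
    for m in TOKEN.finditer(query):
        t = m.group()
        paren += (t == '(') - (t == ')')
        if m.lastgroup == 'bad' or paren < 0: raise ValueError(f'unexpected {t!r} at {m.start()}')
        if not (paren or t[0].isspace() or t[0] in ',#"()'): toks.append(t)
    return toks

def measure(toks, i, frags, visiting=frozenset()):
    # toks[i] is '{'; returns (deepest field nesting inside, index after the matching '}').
    # Spreads are followed so depth cannot hide in a fragment; inline fragments add no level.
    best, inline, i = 0, False, i + 1
    while toks[i] != '}':
        t = toks[i]
        if t == '{':                                    # sub-selection of the previous selection
            d, i = measure(toks, i, frags, visiting)
            best = max(best, d + (0 if inline else 1))
        elif t == '...' and toks[i + 1] != 'on' and toks[i + 1][0] not in '@{':  # ...Name
            name = toks[i + 1]
            if name in visiting or name not in frags: raise ValueError(f'bad fragment spread {name}')
            best, i = max(best, measure(toks, frags[name], frags, visiting | {name})[0]), i + 2
        elif t == '...':                                # "... on T {" or "... @dir {"
            inline, i = True, i + (3 if toks[i + 1] == 'on' else 1)
        else:                                           # a field; 'alias:' and '@dir' tokens attach to it
            if t[0] not in '@:' and not t.endswith(':'): best, inline = max(best, 1), False
            i += 1
    return best, i + 1

def query_depth(query):
    toks, frags, level, best, i = lex(query), {}, 0, 0, 0
    for j, t in enumerate(toks):                        # index top-level fragments first (may follow use)
        if t == 'fragment' and level == 0: frags[toks[j + 1]] = toks.index('{', j)
        level += (t == '{') - (t == '}')
    while i < len(toks):                                # measure every definition; only operations count
        is_frag = toks[i] == 'fragment'
        d, i = measure(toks, toks.index('{', i), frags)
        best = best if is_frag else max(best, d)
    return best

def validate(query, limit, skippable=(), skip=False):
    # Depth is mandatory: checked on every request, authenticated or not, before any skip flag
    # is honoured; only the `skippable` rules (callables returning an error or None) may be skipped.
    d = query_depth(query)                              # parse errors propagate: fail closed
    errors = [f'query depth {d} exceeds limit {limit}'] if d > limit else []
    return errors + [e for rule in (() if skip else skippable) for e in [rule(query)] if e]
```

A malformed or cyclic document raises rather than returning a depth, so a caller that treats any exception as a rejected request fails closed.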