marcin

marcin

How to disable Absinthe GraphQL introspection

Hi!
How can I disable introspection in Absinthe/GraphQL?
I would like the GraphQL API to respond only to defined queries and mutations, but not allow client to list schema and types, because of security reasons (Wheter it makes sense or is security through obscurity is another issue, the requirement is not my idea).

I understand that for introspection, also GraphQL is used on fields __schema and __type.
It seems that I should be able to filter them with middleware (return :error??), but I am not sure how to add a middleware a top-level / built in queries like these.

Perhaps there is a different approach to achieve this?

Marked As Solved

fuelen

fuelen

Yes, just String.contains?(query, "__schema")

Yes and no.
Yes if parameters are inlined into query. No if parameters are passed separately.

Also Liked

fuelen

fuelen

We resolved this by middleware on a Plug level. If parameter query contains "__schema" on production servers then we reply with 403.
About 6 months ago I’ve asked this question in Slack and I saved the discussion :slight_smile:

shanesveller [6:27 PM]
now that you have the “how” it might be a good time to talk about the “why”, and how a lot of folks feel that it is counterproductive to deny introspection requests
dpehrson [6:27 PM]
I’ve yet to understand why so many people want to hide their introspection.
shanesveller [6:27 PM]
particularly if it is part of an effort to improve security
dpehrson [6:27 PM]
But it seems pretty popular.
[6:28 PM] If you’re trying to hide the API, it seems like you should just put it behind some sort of secondary auth.
[6:28 PM] Like one credential just to access the endpoint, and separate credentials for client auth.
Today
aspett [12:35 AM]
Plenty of companies do not publish documentation for their APIs and endpoints, or at least put it behind their authentication - without relying on this for security. I don’t see why GraphQL should be any different.
shanesveller [12:37 AM]
documentation is an overlapping but separate idea from introspection, though - a lot of client libs rely on the latter for codegen or at runtime, and some of those latter can’t be satisfied by a local dev environment
aspett [12:39 AM]
So? If someone wants to totally hide introspection, then that’s the tradeoff they make.
shanesveller [12:39 AM]
feels like missing the point a bit. ¯_(ツ)_/¯
[12:39 AM] not that you are, but that someone who desires to ignore that aspect is
aspett [12:40 AM]
I hope that most people are actually asking because they want to put it behind auth, rather than totally turning it off - we might consider doing that for our graphs.
benwilson512 [12:42 AM]
people are asking to have it pruned from the schema entirely
aspett [12:43 AM]
:man-shrugging: Oh well. That’s weird, but we should be explaining the reasoning and tradeoff rather than so harshly telling people they’re wrong which I’ve seen in past
benwilson512 [1:13 AM]
@aspett I think the issue is that introspection is built into the spec
[1:13 AM] it is, as far as I can tell, not considered optional
dpehrson [1:39 AM]
My feeling is that they are reaching for the wrong solution to something that likely isn’t actually a problem.
[1:39 AM] But, at the end of the day, everyone gets to chart their own course.
aspett [1:44 AM]
There are plenty of people doing it on other frameworks quite easily, so despite introspection being in the spec and disabling it probably being the wrong solution, it seems not uncommon to do so. Again, I agree with you both :smile: but people are gonna do it anyway, so it’s best we try educate rather than block.
benwilson512 [2:01 AM]
@aspett worth noting that Absinthe’s stance was never to block people, it just wasn’t really possible to do anything about it until recently (edited)
[2:01 AM] Absinthe 1.5 allows people to, amongst other things, edit the built in types
[2:02 AM] and so now I’m happy to educate and discuss, but previously there wasn’t a ton that could be done
aspett [2:02 AM]
:+1: Sorry, I mean in terms of communication
benwilson512 [2:02 AM]
yup. I think we’re on the same page at this point

fuelen [5:27 PM]
we use absinthe for private api, developers don’t work on production servers during development, so they can grab schema from other servers and codegen is not an issue. Infosec said to hide graphiql and ability to inspect schema using other clients and I’m looking for easy way to do this. That’s all
aspett
:man-shrugging: Oh well. That’s weird, but we should be explaining the reasoning and tradeoff rather than so harshly telling people they’re wrong which I’ve seen in past
dpehrson [5:28 PM]
As a person who cares about infosec greatly, that still makes no sense to me.
[5:28 PM] ¯_(ツ)_/¯
[5:29 PM] It’s not wrong, it’s just….odd.
[5:31 PM] From pure game theory, any information leak is technically bad, but practically, if exposing the types/fields of an API schema is a security risk, there seem to be much bigger problems at play. (edited)
[5:31 PM] At that point, the endpoint should be fully protected from unrecognized clients.

Ahmad

Ahmad

I went with a similar approach to @fuelen to disable introspection completely or based on some context (e.g an authorized client, codegen tool, etc), this is a simple solution using an Absinthe plugin: Disable GraphQL schema introspection in Elixir Absinthe · GitHub

Where Next?

Popular in Questions Top

lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
chrisalley
ExUnit now has describe blocks which is a welcome addition coming from RSpec. In the docs, it states that nested hierarchies of describe ...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New

Other popular topics Top

New
9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 36128 110
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
dogweather
I wrote this comment on r/haskell, and it’s not popular there. :wink: But I think I’m on to something… Haskell reminds me of Java, and e...
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

Latest on Elixir Forum

We're in Beta

About us Mission Statement