Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFC: Trusted Documents/Persisted Operations #35

Open
JoviDeCroock opened this issue Dec 2, 2023 · 0 comments
Open

RFC: Trusted Documents/Persisted Operations #35

JoviDeCroock opened this issue Dec 2, 2023 · 0 comments
Labels
RFC A discussion about a future feature

Comments

@JoviDeCroock
Copy link
Contributor

Summary

We do not want to expose all of our GraphQL API to our users, we already do a decent chunk of obfuscation in production by disabling introspection, masking errors and disabling field suggestions. That however doesn't stop anyone from deriving this out of the calls the front-end makes, Persisted Operations are currently being specced out however they are a pretty established concept already in Relay/...

In doing so we will send a hash of the operation to the server rather than the complete document which makes for further obfuscation of the available GraphQL API and reduces the attack surface as we can embed pagination parameters like limit into the hash so it can't be increased to an unreasonable amount.

Proposed Solution

We enable the GraphQL Code Generator plugin to generate this by default, our server can pick up the generated file and store it so it's aware of all persisted-operations and the last part would be adding the persisted-exchange.

This however does leave a few problems on the table, what if our user is multi-client, their mobile app might have slightly different operations that need to be combined with the web-application. We need to take this into consideration when building the solution so we can for instance...

  • support multiple stores of operations
  • allow combinations of files
@JoviDeCroock JoviDeCroock added the RFC A discussion about a future feature label Dec 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
RFC A discussion about a future feature
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant