feat: intropsection and custom validation

Signed-off-by: QuentinN42 <quentin@lieumont.fr>
2024-11-29 13:03:56 +03:00 · 2023-03-16 14:27:31 -07:00 · 2023-03-16 14:27:31 -07:00 · f07d6a29c5
commit f07d6a29c5
parent 84c5559ded
4 changed files with 96 additions and 83 deletions
--- a/docs/security/customvalidation.rst
+++ b/docs/security/customvalidation.rst
@ -0,0 +1,42 @@
+Implementing custom validators
+==============================
+
+GraphQL uses query validators to check if Query AST is valid and can be executed. Every GraphQL server implements
+standard query validators. For example, there is an validator that tests if queried field exists on queried type, that
+makes query fail with "Cannot query field on type" error if it doesn't.
+
+If you need more complex validation than presented before, you can implement your own query validators. All custom query
+validators should extend the `ValidationRule`_ base class importable from the ``graphql.validation.rules`` module. Query
+validators are visitor classes. They are instantiated at the time of query validation with one required argument
+(context: ASTValidationContext). In order to perform validation, your validator class should define one or more of
+``enter_*`` and ``leave_*`` methods. For possible enter/leave items as well as details on function documentation, please
+see contents of the visitor module. To make validation fail, you should call validator's report_error method with the
+instance of GraphQLError describing failure reason.
+
+Implementing your custom validators
+-----------------------------------
+
+Here is an example query validator that only allows queries fields with a name of even length.
+
+.. code:: python
+
+    from graphql import GraphQLError
+    from graphql.language import FieldNode
+    from graphql.validation import ValidationRule
+
+
+    class MyCustomValidationRule(ValidationRule):
+        def enter_field(self, node: FieldNode, *_args):
+            if len(node.name.value) % 2 == 0:
+                # Here the query length is even, so we allow it.
+                return
+            else:
+                # Here the query length is odd, so we don't want to allow it.
+                # Calling self.report_error will make the query fail with the error message.
+                self.report_error(
+                    GraphQLError(
+                        f"Cannot query '{field_name}': length is odd.", node,
+                    )
+                )
+
+.. _ValidationRule: https://github.com/graphql-python/graphql-core/blob/v3.0.5/src/graphql/validation/rules/__init__.py#L37
--- a/docs/security/index.rst
+++ b/docs/security/index.rst
@ -17,7 +17,8 @@ the `Django documentation`_ on how to secure your API.
   :maxdepth: 1

   maxdepth
-   queryvalidation
+   introspection
+   customvalidation

 We have seen the most efficient way to secure your GraphQL API.

--- a/docs/security/introspection.rst
+++ b/docs/security/introspection.rst
@ -0,0 +1,52 @@
+Disable Introspection
+=====================
+
+What is the introspection ?
+---------------------------
+
+The introspection query is a query that allows you to ask the server what queries and mutations are supported. If you
+comes from REST, you can view it as a openapi or swagger schema.
+
+Disabling it or not ?
+---------------------
+
+Depending if you are building a private or a public API, you might want to disable introspection or not. If you are
+building a public API, the introspection allows consumers (developers) to know what they can do with your API. If you
+disable it, it will be harder for them to use your API. But if you are building a private API, the only consumers of
+your API will be your own developers. In this case, you might want to keep the introspection open in staging
+environments but close it in production to reduce the attack surface.
+
+Keep in mind that disabling introspection does not prevent hackers to send queries to your API. It just makes it harder
+to know what they can do with it.
+
+Implementation
+--------------
+
+Graphene provides a validation rule to disable introspection. It ensures that your schema cannot be introspected. You
+just need to import the ``DisableIntrospection`` class from ``graphene.validation``.
+
+
+Here is a code example of how you can disable introspection for your schema.
+
+.. code:: python
+
+    from graphql import validate, parse
+    from graphene import ObjectType, Schema, String
+    from graphene.validation import DisableIntrospection
+
+
+    class MyQuery(ObjectType):
+        name = String(required=True)
+
+
+    schema = Schema(query=MyQuery)
+
+    # introspection queries will not be executed.
+
+    validation_errors = validate(
+        schema=schema.graphql_schema,
+        document_ast=parse('THE QUERY'),
+        rules=(
+            DisableIntrospection,
+        )
+    )
--- a/docs/security/queryvalidation.rst
+++ b/docs/security/queryvalidation.rst
@ -1,82 +0,0 @@
-Query Validation
-================
-GraphQL uses query validators to check if Query AST is valid and can be executed. Every GraphQL server implements
-standard query validators. For example, there is an validator that tests if queried field exists on queried type, that
-makes query fail with "Cannot query field on type" error if it doesn't.
-
-To help with common use cases, graphene provides a few validation rules out of the box.
-
-
-Disable Introspection
---------------------
-the disable introspection validation rule ensures that your schema cannot be introspected.
-This is a useful security measure in production environments.
-
-Usage
-----
-
-Here is how you would disable introspection for your schema.
-
-.. code:: python
-
-    from graphql import validate, parse
-    from graphene import ObjectType, Schema, String
-    from graphene.validation import DisableIntrospection
-
-
-    class MyQuery(ObjectType):
-        name = String(required=True)
-
-
-    schema = Schema(query=MyQuery)
-
-    # introspection queries will not be executed.
-
-    validation_errors = validate(
-        schema=schema.graphql_schema,
-        document_ast=parse('THE QUERY'),
-        rules=(
-            DisableIntrospection,
-        )
-    )
-
-
-Implementing custom validators
------------------------------
-All custom query validators should extend the `ValidationRule <https://github.com/graphql-python/graphql-core/blob/v3.0.5/src/graphql/validation/rules/__init__.py#L37>`_
-base class importable from the graphql.validation.rules module. Query validators are visitor classes. They are
-instantiated at the time of query validation with one required argument (context: ASTValidationContext). In order to
-perform validation, your validator class should define one or more of enter_* and leave_* methods. For possible
-enter/leave items as well as details on function documentation, please see contents of the visitor module. To make
-validation fail, you should call validator's report_error method with the instance of GraphQLError describing failure
-reason. Here is an example query validator that visits field definitions in GraphQL query and fails query validation
-if any of those fields are blacklisted:
-
-.. code:: python
-
-    from graphql import GraphQLError
-    from graphql.language import FieldNode
-    from graphql.validation import ValidationRule
-
-
-    my_blacklist = (
-        "disallowed_field",
-    )
-
-
-    def is_blacklisted_field(field_name: str):
-        return field_name.lower() in my_blacklist
-
-
-    class BlackListRule(ValidationRule):
-        def enter_field(self, node: FieldNode, *_args):
-            field_name = node.name.value
-            if not is_blacklisted_field(field_name):
-                return
-
-            self.report_error(
-                GraphQLError(
-                    f"Cannot query '{field_name}': field is blacklisted.", node,
-                )
-            )
-