GraphQL Security in Production with Automated Allow Lists
In some cases, you might want to restrict your Hasura application to a limited number of GraphQL operations (queries/mutations/subscriptions). The reason for doing it might be to avoid excessive data exposure, API scraping and to protect your application & data.
Hasura allows you to restrict the number and type of available operations with the "Allow List" feature. The "Allow List" represents a list of allowed GraphQL Operations that can be executed in your application. So the Hasura GraphQL Engine only runs the operations specified in the "Allow List".
Moreover, there is a way to generate an Allow List based on your front-end code automatically. This way, the allow list and your front-end code are always in sync!
The article presents 3 ways to generate allow lists in Hasura, with the last one being fully automated.
Enable "Allow List"
The "Allow List" feature is disabled by default. You need to navigate to your project settings and enable it.
Set the HASURA_GRAPHQL_ENABLE_ALLOWLIST
environment variable to true
, as shown in the figure.
Allow List of operations in Hasura
Let's use the following Hasura application as an example. It's a simple application that stores users. Each user has an id and a name.
Navigate to the API
tab and click on the Allow List
at the top of the page (right-hand side).
That opens the "Allow List" manager. This is where you can add, modify and remove operations in your "Allow List".
Clicking on the Add Operation
button opens a new modal where you can add an allowed operation. There are 3 ways to add an operation:
- write it manually
- upload a file with the operation/operations
- pick it from the
Quick Add
dropdown (it displays the latest operation executed)
After you add the operation, you can see it on the "Allow List" page.
Another way to create an AllowList
There's another way you can manage your "Allow List". Navigate to the MONITORING
tab and click on the Allow Lists
option.
If you navigate to the NEW OPERATIONS
page, you can see the operations you executed that are not in the "Allow List" yet. That means Hasura Cloud allows you to choose from a list of operations you executed previously and add the ones you want to the "Allow List".
Instead of manually writing the operations, you can select the ones you want to add to the "Allow List" and click the Add to Allowlist
button.
After that, you should see them on the ALLOWED OPERATIONS
page.
Automatically Generate an AllowList
Creating an AllowList manually is fine, especially when the application is not large. However, once the application grows, it can become time-consuming to manually add operations to the AllowList. Keeping the list in sync with your front-end code can also be tedious.
Thankfully, there is a way to automate that with the GraphQL Code Generator library. The GraphQL Code Generator automatically generates code from your GraphQL schema and operations. It also has a plugin @graphql-codegen/hasura-allow-list that automates the creation of the "AllowList" based on the GraphQL Queries found in your front-end code.
After you set up @graphql-codegen
in your project, add the following to your codegen
file:
import type { CodegenConfig } from '@graphql-codegen/cli';
const config: CodegenConfig = {
generates: {
'path/to/metadata/allow_list.yaml': {
plugins: ['hasura-allow-list']
}
}
}
export default config;
Now that the process of creating the "AllowList" is fully automated, the "AllowList" and your front-end code are always in sync.
Note: The plugin only works in the JavaScript ecosystem.
It's important to mention that this is a community plugin, and not the official Hasura solution.
Additional resources: