How to protect my GraphQL endpoint?

Hi Sebastian,

Stupid question maybe but how do I protect my GraphQL endpoint (https://www.mydomain.com/api/content/my-app/graphql) in Squidex?

I do not want it to be publicly accessible.

Only my front-end should be able to send requests to it.

How have you configured it in your hosted/managed Squidex service?

Why is the graphql endpoint not protected? This would be a severe bug.

Edit: I’m on Squidex 7.8.2

I did some testing and I found that if I open a new tab (blank page) in Chrome in incognito mode and paste in a fetch request in the dev tools console I get a:

POST https://mydomain.com/api/content/my-app/graphql net::ERR_FAILED
(anonymous) @ VM37:1
11:39:59.620 VM37:1 Fetch failed loading: POST "https://mydomain.com/api/content/my-app/graphql".
(anonymous) @ VM37:1
11:39:59.622 VM37:2 Uncaught TypeError: Failed to fetch
at :1:24
(anonymous) @ VM37:1

But when I open a new tab and navigate to e.g. www.google.com and THEN trigger the same fetch request in the console the request is successful and I get my data back. Not the behavior I was expecting but it’s probably something built into Chrome that prevents you from executing certain JavaScript in that blank tab context :thinking:

Here’s the snippet that I use if you want to try and reproduce; modify it to your schema and then just copy paste and execute it on your Chrome devtools console:

// Unauthenticated GraphQL query (no Authorization header), pasted into the
// DevTools console, where top-level await is allowed.
const response = await fetch(
  "https://mydomain.com/api/content/my-app/graphql",
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      query: `{
        queryBlogPostContents(filter: "data/slug/en_US eq 'a-cool-article'") {
          flatData {
            slug
            title
            content
          }
        }
      }`,
    }),
  },
);

// A 401 has no "data" object, so check the status before reading it.
console.log("status:", response.status);
const result = await response.json();
console.log("result:", result.data && result.data.queryBlogPostContents);

I get a 401 in the Chrome console and in Postman.

I fixed it via Azure portal for my app service by properly configuring network settings.

But the endpoint is indeed open to the public by default.

You should probably make it so that it’s not publicly available by default.

As I said: I cannot reproduce it.

hmm okay, strange. I don’t know what else it could be :thinking:

Are you sure you do not have an anonymous client?

Hmm, I checked clients but it never struck me those were also related to the GraphQL endpoint, since GraphQL was added at a later stage and I don't think either the UI or the docs mention GraphQL in the clients section. But I will have a look again.

Okay, so it turned out to be one of my clients that I had at the bottom of the list. It had anonymous access turned on. But I never thought that would impact the GraphQL endpoint, only the REST ones. Anyway, now I know how it's all related, and it also forced me to check my access restriction settings in Azure that I had totally ignored for a while :crazy_face:
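The check the thread converges on (an unauthenticated POST to the GraphQL route should return 401, and anything else means some client in the app's Clients settings has anonymous access enabled) is worth scripting so it can be re-run after every client change. The following is an added example, not code from the original thread or from Squidex itself. It assumes Node 18+ (global fetch), the GraphQL route /api/content/<app>/graphql exactly as posted above, and, for the optional authenticated comparison, the Squidex client-credentials token endpoint /identity-server/connect/token with client id "<app>:<client>" and scope "squidex-api"; the environment variable names are hypothetical, and the fake fetch and its responses are constructed so the verdict logic runs offline.

```javascript
// Added example (not from the original thread or from Squidex): probe whether a
// Squidex app's GraphQL endpoint answers unauthenticated requests. Assumptions not
// confirmed by the thread: Node 18+ (global fetch), the GraphQL route as posted,
// and the token endpoint /identity-server/connect/token with scope "squidex-api".

const GRAPHQL_URL = "https://mydomain.com/api/content/my-app/graphql"; // from the post

const QUERY = `{
  queryBlogPostContents(filter: "data/slug/en_US eq 'a-cool-article'") {
    flatData { slug title }
  }
}`;

// Map one response to an unauthenticated GraphQL POST onto a verdict.
// 401/403: credentials are required (the desired state for a private API).
// 200 with a "data" object: anonymous reads work; look for an anonymous client.
// 200 with only "errors": still answered anonymously, the schema just did not match.
function classifyAnonymousResponse(status, body) {
  if (status === 401 || status === 403) return "protected";
  if (status === 200 && body && typeof body === "object") {
    return body.data ? "open" : "open-with-errors";
  }
  return `unexpected:${status}`;
}

// POST the query, with a Bearer token only when one is given. fetchImpl is
// injectable so the logic can be exercised offline with constructed responses.
async function probe(graphqlUrl, token = null, fetchImpl = fetch) {
  const headers = { "Content-Type": "application/json" };
  if (token) headers.Authorization = `Bearer ${token}`;
  const res = await fetchImpl(graphqlUrl, {
    method: "POST",
    headers,
    body: JSON.stringify({ query: QUERY }),
  });
  let body = null;
  try { body = await res.json(); } catch (_) { /* e.g. an empty 401 body */ }
  return { status: res.status, body, verdict: classifyAnonymousResponse(res.status, body) };
}

// Client-credentials token for the authenticated comparison (assumed endpoint).
async function getClientToken(baseUrl, clientId, clientSecret, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/identity-server/connect/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      scope: "squidex-api",
    }).toString(),
  });
  if (res.status !== 200) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Constructed stand-in for fetch: behaves like an app with (or without) a client
// that has anonymous access enabled. Only a Bearer header or the anonymous flag
// gets a 200; everything else is a bodiless 401, as the thread reports.
function makeFakeFetch(anonymousClientEnabled) {
  return async (_url, init = {}) => {
    const authed = /^Bearer /.test((init.headers || {}).Authorization || "");
    if (!authed && !anonymousClientEnabled) {
      return { status: 401, json: async () => { throw new Error("no body"); } };
    }
    const item = { flatData: { slug: "a-cool-article", title: "A cool article" } }; // constructed
    return { status: 200, json: async () => ({ data: { queryBlogPostContents: [item] } }) };
  };
}

async function main() {
  // Offline demonstration with the constructed responses above.
  const open = await probe(GRAPHQL_URL, null, makeFakeFetch(true));
  const closed = await probe(GRAPHQL_URL, null, makeFakeFetch(false));
  console.log("simulated, anonymous client enabled :", open.verdict);   // open
  console.log("simulated, anonymous client disabled:", closed.verdict); // protected

  // Live probe only when explicitly configured (hypothetical variable names).
  const url = process.env.SQUIDEX_GRAPHQL_URL;
  if (!url) return;
  const anon = await probe(url);
  console.log(`${url}: anonymous -> HTTP ${anon.status}, ${anon.verdict}`);
  const { SQUIDEX_BASE_URL, SQUIDEX_CLIENT_ID, SQUIDEX_CLIENT_SECRET } = process.env;
  if (SQUIDEX_BASE_URL && SQUIDEX_CLIENT_ID && SQUIDEX_CLIENT_SECRET) {
    // Confirms the query itself works, so a 401 above really means "protected".
    const token = await getClientToken(SQUIDEX_BASE_URL, SQUIDEX_CLIENT_ID, SQUIDEX_CLIENT_SECRET);
    const authed = await probe(url, token);
    console.log(`${url}: with client token -> HTTP ${authed.status}`);
  }
}

main().catch((err) => { console.error(err); process.exitCode = 1; });
```

Run it with no environment set to see the two simulated verdicts; set SQUIDEX_GRAPHQL_URL (and optionally the client credentials) to probe a real deployment. A verdict of "open" or "open-with-errors" means the endpoint answered without any token, which in this thread turned out to be a client with anonymous access enabled rather than a GraphQL-specific setting; a network-level restriction in front of the app (the Azure access restrictions mentioned above) is a second layer, not a substitute for fixing the client.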

Thanks for pointing me into the right direction, Sebastian. You can close this one now.
