@escape.tech/graphql-armor

GraphQL Armor 🛡️

This project is young so there might be bugs but we are very reactive so feel free to open issues.

GraphQL Armor is a Dead-simple, yet highly customizable security middleware for Apollo GraphQL servers.

Contents

• GraphQL Armor 🛡️
  • Contents
  • Supported remediations
  • Installation
  • Getting Started
  • Getting Started with Configuration
  • Per plugin remediation
    • Character Limit
    • Cost Analysis
    • Field Suggestion
  • Contributing

Supported remediations

• Character Limit
• Limit Query Cost
• Disable Field Suggestion

Installation

# npm
npm install @escape.tech/graphql-armor

# yarn
yarn add @escape.tech/graphql-armor

Getting Started

import { ApolloArmor } from '@escape.tech/graphql-armor';
const armor = new ApolloArmor({
    // Config opts
});

const server = new ApolloServer({
  typeDefs,
  resolvers,
  // This will add a `validationRules` and a `plugins` property to the configuration object
  ...armor.protect()
});

// If you want to enhance an already existing plugins or validation rules list
const enhancements = armor.protect()

const server = new ApolloServer({
  typeDefs,
  resolvers,
  plugins: [...myPlugins, ...enhancements.plugins]
  validationRules: [...myValidationRules, ...enhancements.validationRules]
});

Getting Started with Configuration

GraphQL-Armor is fully configurable, scoped per plugin.

View the Per plugin remediation section for more information.

Refer to the Examples directory for specific implementation.

import { ApolloArmor } from '@escape.tech/graphql-armor';

const armor = new ApolloArmor({
    costAnalysis: {
        enabled: true,
        options: {
            maxCost: 1000,
        },
    }
});

Per plugin remediation

This section describes how to configure each plugin individually.

Character Limit

Character Limit plugin will enforce a character limit on your GraphQL queries.

(Note: The limit is not applied to whole HTTP body -, multipart form data / file upload will still works)

import { ApolloArmor } from '@escape.tech/graphql-armor';

const armor = new ApolloArmor({
    characterLimit: {
        enabled: true,
        options: {
            maxLength: 15000, // Default: 15000
        },
    }
});

Cost Analysis

Cost Analysis plugin analyze incoming GraphQL queries and apply cost analysis algorithm to prevent resource overload.

import { ApolloArmor } from '@escape.tech/graphql-armor';

const armor = new ApolloArmor({
    costAnalysis: {
        enabled: true,
        options: {
            maxCost: 5000,          // Default: 5000
            defaultComplexity: 1,   // Default: 1    | Complexity of GQL token
            maxDepth: 6,            // Default: 6
            maxAlias: 15,           // Default: 15
            maxDirectives: 50,      // Default: 50
        },
    }
});

Field Suggestion

Field Suggestion plugin will prevent suggesting fields of unprecise GraphQL queries.

import { ApolloArmor } from '@escape.tech/graphql-armor';

const armor = new ApolloArmor({
    fieldSuggestion: {
        enabled: true,
    }
});

Contributing

Ensure you have read the Contributing Guide before contributing.

To setup your project, make sure you run install-dev.sh script.

git clone git@github.com:Escape-Technologies/graphql-armor.git
cd graphql-armor
chmod +x ./install-dev.sh
./install-dev.sh

We are using yarn as our package manager. We do use the workspaces monorepo setup. Please read the associated documentation and feel free to open issues if you encounter problems when developing on our project!