Security News
Input Validation Vulnerabilities Dominate MITRE's 2024 CWE Top 25 List
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
@jortizsao/persistgraphql
Advanced tools
persistgraphql
is a simple build tool that enables query whitelisting and persisted queries for GraphQL projects that use statically analyze-able GraphQL queries.
It scans a code directory and extracts GraphQL query documents from .graphql
files. It then assigns these queries ID values/hashes and produces a JSON file which maps from queries to hashes/IDs. This map can then be used by the client and server to perform query whitelisting, query lookups (i.e. client only sends the hash/id, the server just looks up the corresponding query), etc.
The npm package also provides a network interface for Apollo Client that manages the query lookups in persistgraphql/lib/browser
. To see how to extract the queries on the server, see the code snippets below.
For only the CLI tool:
npm install -g persistgraphql
As a dependency (for Apollo Client network interface):
npm install --save persistgraphql
The build tool binary is called persistgraphql
. Running it with no other arguments should give:
Usage: persistgraphql input_file [output file] [--add_typename]
It can be called on a file containing GraphQL query definitions with extension .graphql
:
persistgraphql queries.graphql
It can also be called on a directory, which it will step through recursively:
persistgraphql src/
By default, the output will be placed in extracted_queries.json
. An output file can be specified as the second argument:
persistgraphql index.ts output.json
It can also take the --add_typename
flag which will apply a query transformation to the query documents, adding the __typename
field at every level of the query. You must pass this option if your client code uses this query transformation.
persistgraphql src/ --add_typename
To extract GraphQL queries from TypeScript files, use --js --extension=ts
.
persistgraphql src/index.js --js --extension=ts
It is also possible to extract GraphQL queries from JavaScript files using --extension=js --js
.
persistgraphql src/index.js --js --extension=js
By default, the IDs for the queries will be set in sequential order by when they are found. If you want to use something other than this, a few options are available by using --hash=[type]
. These include:
sequential
(default) creates a numberical id for each query
md5
creates a hash based on the query that is found in the file
sha1
identical to md5, except uses the sha1 hashing algorithm
sha256
identical to sha1, except uses the sha256 hashing algorithm
uuid
creates a uuidv4 for each query
This package provides an implementation of an Apollo Client network interface that provides persisted query support. It serves as a drop-in replacement for the standard network interface and uses the query map given by persistgraphql
in order to send only query hashes/ids to the serverather than the query document.
This package also provides a way for you to alter any generic NetworkInterface to use persisted queries from a provided query map with the addPersistedQueries(networkInterface: NetworkInterface, queryMap: OutputMap)
function.
This overrides the query
member function of your network interface instance to replace your query with an id based on the query map provided.
See the implementation as well as some documentation for it within src/network_interface/ApolloNetworkInterface.ts
.
If you use the client network interface provided by this package, you can quickly roll your own middleware to get the GraphQL query instead of the query ID that the network interface sends. Here's an example with Express using the lodash
invert
method:
import queryMap from ‘../extracted_queries.json’;
import { invert } from 'lodash';
app.use(
'/graphql',
(req, resp, next) => {
if (config.persistedQueries) {
const invertedMap = invert(queryMap);
req.body.query = invertedMap[req.body.id];
}
next();
},
);
Here's an example with a Hapi server extension using the lodash
invert
method:
import queryMap from ‘../extracted_queries.json’;
import { invert } from 'lodash';
server.ext('onPreHandler', (req: Request, reply) => {
if (config.persistedQueries && req.url.path.indexOf('/graphql') >= 0 && req.payload.id) {
const invertedMap = invert(queryMap);
req.payload.query = invertedMap[req.payload.id]
}
return reply.continue();
});
FAQs
A build tool for GraphQL projects.
The npm package @jortizsao/persistgraphql receives a total of 2 weekly downloads. As such, @jortizsao/persistgraphql popularity was classified as not popular.
We found that @jortizsao/persistgraphql demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.