latchql
Readme
LatchQL is an open-source, free-to-use, lightweight middleware package that adds additional layers of security to authenticate and authorize users and to give them different levels of access to a database through GraphQL queries.
Cost limiting is essential for securing your GraphQL endpoint. By putting a limit on the cost of a single GraphQL transaction, you can prevent resource overload by blocking excessively expensive requests.
Depth limiting is vital for protecting the server against malicious queries. It is commonly used to stop never-ending query loops that expose the endpoint to potential attacks. With the depth limiter, you can validate the depth of incoming queries against the user's permission level and prevent execution if it exceeds the limit.
Rate limiting is a strategy for limiting network traffic and strain on the server. It is mainly used to prevent bot activity, brute force, DoS, DDoS, and web scraping attacks. With the rate limiter, each user is allocated a maximum of n operations for every fixed-size 1-minute time window. Once the client has performed n operations, they must wait for the next window.
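The following is an added example, not code from the latchql package, showing how the depth and rate limits described above can be enforced against per-role limits in the latch_config.json format; the config object, role names and the checkQuery/queryDepth/rateLimited functions are constructed for illustration.

```javascript
// Added example, not part of latchql: a depth check and a fixed-window rate
// limiter keyed on per-role limits in the latch_config.json format (constructed).
const config = {
  Admin: { depthLimit: "100", rateLimit: "100", costLimit: "100" },
  Gary: { depthLimit: "10", rateLimit: "25", costLimit: "10" },
  "Non-User": { depthLimit: "0", rateLimit: "0", costLimit: "0" },
};
// Depth of a GraphQL document: the deepest stack of selection-set braces (the
// operation's outer braces count as 1). Braces inside string literals and
// # comments are skipped so they cannot be used to skew the count.
function queryDepth(query) {
  let depth = 0, max = 0, inString = false, inComment = false;
  for (let i = 0; i < query.length; i++) {
    const ch = query[i];
    if (inComment) { if (ch === "\n") inComment = false; continue; }
    if (inString) {
      if (ch === "\\") i++; // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === "#") inComment = true;
    else if (ch === '"') inString = true;
    else if (ch === "{") max = Math.max(max, ++depth);
    else if (ch === "}") depth--;
  }
  return max;
}
// Fixed-window rate limiter: each user gets n = rateLimit operations per
// 1-minute window, windows starting on minute boundaries of the supplied clock.
const windows = new Map(); // userName -> { start, count }
function rateLimited(userName, role, now = Date.now()) {
  const limit = Number(config[role].rateLimit);
  const start = Math.floor(now / 60000) * 60000;
  let w = windows.get(userName);
  if (!w || w.start !== start) windows.set(userName, (w = { start, count: 0 }));
  w.count += 1;
  return w.count > limit;
}
// Gate one request: unknown roles are denied, then depth, then rate are checked.
function checkQuery(query, role, userName, now = Date.now()) {
  const limits = config[role];
  if (!limits) return { allowed: false, reason: "unknown role" };
  const depth = queryDepth(query);
  if (depth > Number(limits.depthLimit)) {
    return { allowed: false, reason: `depth ${depth} exceeds ${limits.depthLimit}` };
  }
  if (rateLimited(userName, role, now)) return { allowed: false, reason: "rate limit exceeded" };
  return { allowed: true, depth };
}
```

A depth limit of 0 (the Non-User role) rejects every query before the rate limiter is consulted, so unauthenticated clients never consume a window.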
In your terminal:
npm install latchql
Create a latch_config.json file in your project's root directory to assign and store your limiters (the depth, rate and cost limits for each authorization level):
{
  "Admin": {
    "depthLimit": "100",
    "rateLimit": "100",
    "costLimit": "100"
  },
  "Gary": {
    "depthLimit": "10",
    "rateLimit": "25",
    "costLimit": "10"
  },
  "Non-User": {
    "depthLimit": "0",
    "rateLimit": "0",
    "costLimit": "0"
  }
}
Set a SECRET_KEY environment variable, replacing the sample value with your own secret:
SECRET_KEY=MYSECRETKEY
Install and start Redis (on macOS with Homebrew):
brew update
brew install redis
redis-server
If you need to restart Redis, run:
killall redis-server
and then start redis-server again.
import cors from "cors";
import express from "express";
import { readFile } from "fs/promises";
import { resolvers } from "./test-db/resolvers.js";
import { LatchQL, jwtController } from "latchql";

const app = express();
const port = 8080; // default port to listen on
app.use(cors());
app.use(express.json());

// Helper middleware for testing jwtController: sets the auth level and
// user name that jwtController.setJwt reads from res.locals.
function authSet(req, res, next) {
  res.locals.authLevel = "user";
  res.locals.userName = "Ray";
  next();
}

// Test route for jwtController
app.post("/login", authSet, jwtController.setJwt, (req, res) => {
  return res.status(200).send("YES RESPONSE");
});

// Top-level await: this file must be an ES module
const typeDefs = await readFile("./schema.graphql", "utf-8");
let latch = new LatchQL(typeDefs, resolvers);

// Start the Express server
app.listen(port, () => {
  console.log(`server started at http://localhost:${port}`);
  console.log(`GraphQL endpoint: http://localhost:${port}/graphql`);
});
latch.startLatch(app, port);
Import LatchQL and jwtController from latchql:
import { LatchQL, jwtController } from "latchql";
Implement the jwtController.setJwt middleware in your authentication step. You will need to pass the user name and the selected authorization level of a given user to the jwtController.setJwt middleware via res.locals.userName and res.locals.authLevel (as the authSet helper does in the example server above):
app.post("/login", authSet, jwtController.setJwt, (req, res) => {
  return res.status(200).send("YES RESPONSE");
});
Create a new instance of LatchQL, passing in your schema and resolvers:
let latch = new LatchQL(typeDefs, resolvers);
Lastly, invoke startLatch, passing in your Express server and port, to expose the endpoints:
latch.startLatch(app, port);
Included in the NPM-MODULE directory is a dummy folder containing an already built-out mock Express server which you can use to test the LatchQL authentication and middleware package. Clone the repo, navigate to the dummy directory, install dependencies and run npm start to spin up the server.
The LatchQL Playground is an optional, built-in playground for testing your GraphQL endpoint. To use it:
Install the LatchQL npm package.
Clone the playground.
Install its dependencies:
npm install --force
Build the playground:
npm run dev
Playground features (shown as screenshots in the original README): select the right permission level; preview the cost/depth of the current query; depth limiter; cost limiter; rate limiter.
Alex McPhail: GitHub | LinkedIn
Celine Leung: GitHub | LinkedIn
Hannah Bernstein: GitHub | LinkedIn
Johnjered Tolentino: GitHub | LinkedIn
Raymond Kim: GitHub | LinkedIn
If you would like to contribute to improving the functionality of LatchQL, please submit your ideas and/or bug fixes to our team by forking the repo and submitting your changes via a pull request.
Visit the LatchQL Website
Read the LatchQL Medium article
Distributed under the MIT License. See LICENSE for more information.