latchql
Readme
An open-source, free-to-use, lightweight middleware package that adds extra layers of security to authenticate and authorize users and to give them different levels of access to a database through GraphQL queries.
Cost limiting is essential for securing your GraphQL endpoint. By putting a limit on the cost of a single GraphQL transaction, you can prevent resource overload by blocking excessively expensive requests.
Depth limiting is vital for protecting the server against malicious queries. It is commonly used against never-ending (deeply nested or circular) queries that expose the endpoint to potential attacks. The depth limiter validates the depth of incoming queries against the user's permission level and prevents execution if it exceeds the limit.
Rate limiting is a strategy used for limiting network traffic and strain on the server. It's mainly used to prevent bot activity, brute force, DoS, DDoS, and web scraping attacks. By using the rate limiter, users are allocated a maximum of n operations for every fixed size 1-minute time window. Once the client has performed n operations, they must wait.
In your terminal (the package is published under the lowercase name `latchql`):

```shell
npm install latchql
```
Create a `latch_config.json` file in your project's root directory to assign and store your limiters:

```json
{
  "Admin": {
    "depthLimit": "100",
    "rateLimit": "100",
    "costLimit": "100"
  },
  "Gary": {
    "depthLimit": "10",
    "rateLimit": "25",
    "costLimit": "10"
  },
  "Non-User": {
    "depthLimit": "0",
    "rateLimit": "0",
    "costLimit": "0"
  }
}
```
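The following is an added example, not LatchQL's own code, showing how the depth and rate limits of a config like the one above can be enforced per permission level. The brace-depth counter, the fallback of unknown levels to "Non-User", and the in-memory fixed-window counter (a Map standing in for an external store such as Redis) are this example's assumptions, not the package's internals; the page gives no cost formula, so cost limiting is not modelled.

```javascript
// Added example; not LatchQL's own code. Enforces the per-level depth and
// rate limits from a latch_config.json like the one above.

// Constructed copy of the latch_config.json shown above (values are strings there).
const latchConfig = {
  "Admin":    { depthLimit: "100", rateLimit: "100", costLimit: "100" },
  "Gary":     { depthLimit: "10",  rateLimit: "25",  costLimit: "10" },
  "Non-User": { depthLimit: "0",   rateLimit: "0",   costLimit: "0" },
};

// Resolve the limits for a permission level; an unknown level falls back to
// "Non-User" so a missing or mistyped role cannot bypass the limits (assumption).
function limitsFor(level) {
  return latchConfig[level] ?? latchConfig["Non-User"];
}

// Remove block strings, strings and comments so braces inside them are not counted.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, "");
}

// Depth = deepest nesting of selection sets; the operation's own braces count
// as depth 1, so `query { user { id } }` is depth 2.
function queryDepth(query) {
  let depth = 0;
  let max = 0;
  for (const ch of stripLiterals(query)) {
    if (ch === "{") {
      depth += 1;
      if (depth > max) max = depth;
    } else if (ch === "}") {
      depth -= 1;
      if (depth < 0) throw new Error("unbalanced braces in query");
    }
  }
  if (depth !== 0) throw new Error("unbalanced braces in query");
  return max;
}

// The depth check runs before execution, so an over-deep query never reaches
// the resolvers.
function checkDepth(level, query) {
  const limit = Number(limitsFor(level).depthLimit);
  const depth = queryDepth(query);
  return { allowed: depth <= limit, depth, limit };
}

// Fixed-window rate limiter: at most n operations per client per 1-minute
// window, as described above. A Map stands in for an external store such as Redis.
const WINDOW_MS = 60_000;
const windows = new Map(); // "level:client" -> { windowStart, count }

function checkRate(level, clientKey, now = Date.now()) {
  const limit = Number(limitsFor(level).rateLimit);
  const windowStart = Math.floor(now / WINDOW_MS) * WINDOW_MS;
  const key = `${level}:${clientKey}`;
  let entry = windows.get(key);
  if (!entry || entry.windowStart !== windowStart) {
    entry = { windowStart, count: 0 }; // new window: the counter resets
    windows.set(key, entry);
  }
  if (entry.count >= limit) {
    return { allowed: false, remaining: 0, retryAfterMs: windowStart + WINDOW_MS - now };
  }
  entry.count += 1;
  return { allowed: true, remaining: limit - entry.count, retryAfterMs: 0 };
}

// Combined gate: the cheap rate check first, then depth; reports why a request was refused.
function gate(level, clientKey, query, now = Date.now()) {
  const rate = checkRate(level, clientKey, now);
  if (!rate.allowed) return { allowed: false, reason: "rate", ...rate };
  const depth = checkDepth(level, query);
  if (!depth.allowed) return { allowed: false, reason: "depth", ...depth };
  return { allowed: true, reason: null, remaining: rate.remaining };
}

// Constructed sample queries (the brace inside the string literal must not count).
const SHALLOW_QUERY = 'query { user(name: "{not a selection}") { id } }'; // depth 2
const DEEP_QUERY =
  "query { a { b { c { d { e { f { g { h { i { j { k { id } } } } } } } } } } } }"; // depth 12

console.log("Gary, shallow:", gate("Gary", "10.0.0.1", SHALLOW_QUERY));
console.log("Gary, deep:   ", gate("Gary", "10.0.0.1", DEEP_QUERY));
console.log("Admin, deep:  ", gate("Admin", "10.0.0.2", DEEP_QUERY));
```

Every attempt consumes a slot in the window, including ones later refused on depth, so repeatedly probing the depth limit is itself rate limited; in a multi-process deployment the Map would have to be replaced by a shared store, which is why the setup steps install Redis.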
Set a `SECRET_KEY` in your environment (for example in a `.env` file):

```shell
SECRET_KEY=MYSECRETKEY
```
Install and start Redis (macOS, via Homebrew):

```shell
brew update
brew install redis
redis-server
```

If an instance is already running, stop it with:

```shell
killall redis-server
```

and then repeat step 5.
```javascript
import cors from "cors";
import express from "express";
import { readFile } from "fs/promises";
import { resolvers } from "./test-db/resolvers.js";
import { LatchQL, jwtController } from "latchql";

const app = express();
const port = 8080; // default port to listen on

app.use(cors());
app.use(express.json());

// helper middleware function for testing jwtController:
// sets the values jwtController.setJwt reads from res.locals
function authSet(req, res, next) {
  res.locals.authLevel = "user";
  res.locals.userName = "Ray";
  next();
}

// test route for jwtController
app.post("/login", authSet, jwtController.setJwt, (req, res) => {
  return res.status(200).send("YES RESPONSE");
});

// top-level await requires an ES module (e.g. "type": "module" in package.json)
const typeDefs = await readFile("./schema.graphql", "utf-8");
let latch = new LatchQL(typeDefs, resolvers);

// start the Express server
app.listen(port, () => {
  console.log(`server started at http://localhost:${port}`);
  console.log(`GraphQL endpoint: http://localhost:${port}/graphql`);
});

latch.startLatch(app, port);
```
Import `LatchQL` and `jwtController` from `latchql`:

```javascript
import { LatchQL, jwtController } from "latchql";
```

Implement the `jwtController.setJwt` middleware in your authentication step. You will need to pass the username and the selected authorization level of a given user to the `jwtController.setJwt` middleware via `res.locals.username` and `res.locals.authLevel`:

```javascript
app.post("/login", authSet, jwtController.setJwt, (req, res) => {
  return res.status(200).send("YES RESPONSE");
});
```

Create a new instance of `LatchQL`, passing in your schema and resolvers:

```javascript
let latch = new LatchQL(typeDefs, resolvers);
```

Lastly, invoke `startLatch`, passing in your Express server and port, to expose the endpoints:

```javascript
latch.startLatch(app, port);
```
Included in the NPM-MODULE directory is a dummy folder containing an already built-out mock Express server which you can use to test the LatchQL authentication and middleware package. Clone the repo, navigate to the dummy directory, install dependencies and run `npm start` to spin up the server.
The LatchQL Playground is an optional, built-in playground for testing your GraphQL endpoint.

Install the LatchQL npm package, then clone the playground and install its dependencies:

```shell
npm install --force
```

Build the playground:

```shell
npm run dev
```
In the playground you can:

- Select the right permission level
- Preview the cost and depth of the current query
- Exercise the Depth Limiter
- Exercise the Cost Limiter
- Exercise the Rate Limiter
Alex McPhail: GitHub | LinkedIn
Celine Leung: GitHub | LinkedIn
Hannah Bernstein: GitHub | LinkedIn
Johnjered Tolentino: GitHub | LinkedIn
Raymond Kim: GitHub | LinkedIn
If you would like to contribute to improving the functionality of LatchQL, please submit your ideas and/or bug fixes to our team by forking the repo and submitting your changes via a pull request.
Visit the LatchQL Website
Read the LatchQL Medium article
Distributed under the MIT License. See LICENSE for more information.
FAQs
A one-stop shop for securing a GraphQL API with customizable, secure authorization levels.
The npm package latchql receives a total of 0 weekly downloads. As such, latchql popularity was classified as not popular.
We found that latchql demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.