3. Safelisting
15m

Overview

In this module, we'll cover how to enable and safelisting to ensure only approved are executed by the .

⚠️ Note on resetting the module to its final state: whilst it is possible to reset the module to its final state, there is still some manual work that needs to happen in Studio. We strongly suggest you follow the steps in the module to ensure you understand the changes made, even if you do choose to reset the module to its final state.

Persisted queries and safelisting

We want to lock down what type of queries can be executed against our so that only pre-approved queries can be run. To enable this, we need to turn on with safelisting. Safelisting will allow us to provide a predefined list of allowed queries and then block any queries that are not on that list.

The current state

  1. Jump over to Explorer in Studio and build a few queries. Use some of the examples we had in the previous modules.

  2. As long as the is valid and has the correct input parameters, we should get data back. This is because our currently accepts any .

Now, let's enable with safelisting and observe how this behavior changes.

Configure the router

  1. Open up the router/router.yaml file in GitHub and click the ✏️ pencil icon in the upper right to edit the file.

  2. Add the following configuration:

    router/router.yaml
    persisted_queries:
      enabled: true
      safelist:
        enabled: true
        require_id: false
    apq:
      enabled: false

    Let's go through what these changes to router.yaml are doing. The first few lines are fairly straight-forward: we enable and then we enable safelisting.

    require_id is a property that lets us decide if we need to send the with the hash ID used in the list. The will not accept any request that is sent with a body. In this case, that option is disabled.

    The final piece is to disable (apq). You can learn more about this feature in the Apollo documentation.

  3. Commit your changes.

    https://github.com

    GitHub view with router.yaml file and pencil highlighted

Make sure the CI/CD pipeline runs successfully before continuing on.

Task!

Configure persisted queries in the graph

We've got a few more configurations to do in the itself.

  1. Navigate to Studio and open up ➡️ Settings view ➡️ This Graph ➡️ Configure Persisted Queries.

    https://studio.apollographql.com

    Studio screenshot with highlights on where to configure persisted queries

  2. We can see that we already have a loaded. To link that to our current , click on the dropdown menu on the right-hand side and select the "Link and Unlink Variants" option.

    https://studio.apollographql.com

    Studio screenshot with Link to variants item highlighted

  3. In the Link and Unlink Variants modal, select to link the "current" and hit Save.

    https://studio.apollographql.com

    Studio screenshot of current variant highlighted

  4. Now, back on the PQ page, it should show that the current is linked.

  5. Click on the "pq_list" to explore the list.

    https://studio.apollographql.com

    Screenshot of the only operation found in the PQ list

    We can see that our is quite small; we only have one for users.

Task!

Check your work

Let's test out some queries to see how our responds.

  1. Head to Explorer to build out a simple of your choice, and try to run that query. Your request should be denied, with an error similar to this:

    {
      "errors": [
        {
          "message": "The operation body was not found in the persisted query safelist",
          "extensions": {
            "code": "QUERY_NOT_IN_SAFELIST"
          }
        }
      ]
    }

    We can see that random queries not on our PQ list are now denied!

  2. Now let's run a that is in our PQ list. Copy the Users and run it:

    A query configured in our safelist
    query Users {
      users {
        firstName
        lastName
        email
        activeCart {
          items {
            colorway
            price
            size
            id
          }
        }
      }
    }
    https://studio.apollographql.com

    Studio screenshot with the successful Users query

    This should succeed, and we can see that we have now locked down our so only pre-approved queries can be executed.

Reverting changes

For demo and testing purposes, to revert those changes, simply disable safelisting or remove the safelisting configuration from the router.yaml file. Alternatively, you can just reset the module to the initial state with a GitHub workflow - see the details at the top of the page.

  1. In GitHub, open the router/router.yaml file and click the ✏️ pencil icon in the upper right corner.

  2. Remove the safelisting option or set the enabled flag for safelist to false.

    router/router.yaml
    persisted_queries:
      enabled: true
      safelist:
        enabled: false
        require_id: false
    apq:
      enabled: false
Task!

Up next

In this module, we've covered how we can protect our from unapproved queries using and safelisting.

Now that we feel comfortable adding a layer of security to our , it's time to enable authentication and authorization.

Previous