New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extracted query list should include a hash that is compatible with apollo-link-persisted-queries #1117
Comments
Any feedback on this issue ? @martijnwalraven @shadaj @jbaxleyiii @abernix @JakeDawkins @evans It is really blocking us. I would be very happy to work on this if you don't have time. |
@abumalick I passed this around internally for others to take a look. I think it's something we should address, I just want someone with a little more context to validate the approach! |
@abumalick Persisted queries (setup guide found here) don't necessitate this list of operations; this operation manifest is intended to be used with the operation registry. I don't want to suggest that there's no need for what you're saying, but I don't understand the use-case since persisted queries should only require installing the |
Thank you @JakeDawkins ! @abernix We are trying to implement persisted queries, it is not the same than automatic persisted queries. We want to whitelist the operations. I think that automatic persisted queries does not support whitelisting, does it ? Operations are not sent to the server at build time. The process is explained here: https://blog.apollographql.com/persisted-graphql-queries-with-apollo-client-119fd7e6bba5 but we want to attach the hash to the query list as it is explained here: https://kevinjalbert.com/graphql-persisted-queries-with-http-caching-part-2/ . We want to:
We are not currently using Apollo server, I don't know if we can implement an operation registry in our current backend. Our backend use graphene and we are implementing a separate proxy to handle persisted queries (matches the hash with the query). Is there a better way to implement persisted queries with whitelisting support ? |
any news on this @abernix @JakeDawkins I would be very api to work on that if you would accept a PR. |
I really appreciate your offer to help, but persisted queries and safe-listing are, in our minds, currently two separate features: Persisted queries is for performance and safe-listing is for security. While there might be some overlap in the approaches, we're not certain that combining these is the correct approach and we can see some concrete divergence in terms of implementation of the two, particularly for public versus private APIs but also in terms of management of the operation manifest over several generations of a client's codebase. e.g. Even though version 2 of a mobile app introduces different operations, it doesn't mean that the operations from version 1 should stop working. The Most importantly though, in terms of the technical implementation, the SHA-256 hash (i.e // fragments.js
const ImageFragment = gql`
fragment ImageFragment on Image {
width
height
}
`;
export const MySharedProductFragment = gql`
fragment MySharedProductFragment on Products {
name
image {
...ImageFragment
}
${ImageFragment}
}
`; // component.jsx
import { MySharedProductFragment } from "../shared/fragments";
// ...
const query = gql`
query myQuery {
products {
...MySharedProductFragment
}
}
${MySharedProductFragment}
`; Trying to statically generate the exact same hash for the above For this, and many other reasons, I'm afraid that you're ultimately asking to add what is not going to be a stable hash for many cases or doesn't match up with the best-practices we see developing. Right now, if we added this as you're proposing it, I think we'd have a high rate of operations that would fail to execute in production. We don't want to steer implementors wrong, particularly in regards to a security feature, and we think decoupling APQ from the operation registry has benefits. We will continue to evaluate how to provide this functionality in the future, however for now, there are a number of reasons which I think support not including this. With the above warnings, you're of course welcome to use the community |
Thank you a lot for your detailed response @abernix . I really appreciate the time and informations that you have put into your answer. It actually helped me a lot understanding what is your recommended way of implementing safe-listing and your reasons of doing it this way. Now I understand the benefits of normalizing the operations. As I wish to use your tooling, I think our options for implementing safe-listing are very clear now:
Thank you again for your explanation, it was very interesting. |
Description of the problem
I am trying to implement persisted queries in our app. To accomplish this I need two things:
We can generate the query list with
apollo client:extract
. And we can useapollo-link-persisted-queries
to send the hash with apollo-client.The problem is that the hash generated by
apollo client:extract
don't match the hash generated byapollo-link-persisted-queries
.It seems that apollo cli modifies the query before generating the hash (it removes new lines characters and add
__typename
to every nodes), I think it is the reason why the hashes differs.Here is a repository that reproduces the problem:
https://github.com/abumalick/persisted-queries-showcase
An overview of the suggested solution
My proposition is to enhance apollo cli to include a hash of the original query (before modification) and add it in the final output. Something like:
I can try to work on a PR if you are interested by this change.
Is there a workaround ?
I tried hard to find a workaround, and I couldn't find any.
The best way I found is to use the nearly deprecated persistgraphql, and made some modifications that created a hash that matched the hash of
apollo-link-persisted-queries
. obytes/persistgraphql@3132aae#diff-2f052981d7b286ebc10c6833040e3242R177The problem with this solution, is that it does not add the(edit: I just found out__typename
to the queries, and apollo-client won't work if __typename is not present in the api response.--add_typename
option) Also I was disappointed to use a nearly deprecated package.ref apollographql/apollo-link-persisted-queries#28
The text was updated successfully, but these errors were encountered: