
GraphQL endpoints are not protected by the global Guards. #3116

Closed
lucassith opened this issue Jan 25, 2024 · 2 comments

Comments

@lucassith

lucassith commented Jan 25, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

When you register the GraphQL module with ApolloServer, Guards are not launched against the Playground endpoints.

Minimum reproduction code

https://github.com/nestjs/nest/tree/master/sample/12-graphql-schema-first

Steps to reproduce

You can use your own code from samples.

  1. npm install --force
  2. Change main.js to (add dummy guard):

```ts
import { NestFactory } from '@nestjs/core';
import {
  CanActivate,
  ExecutionContext,
  Injectable,
  Logger,
  ValidationPipe,
} from '@nestjs/common';
import { GqlExecutionContext } from '@nestjs/graphql';
import { AppModule } from './app.module';

// Dummy guard: always allows the request, but logs so we can see whether it ran.
@Injectable()
export class TestGuard implements CanActivate {
  public canActivate(context: ExecutionContext): boolean {
    // Wrap the execution context so the guard also understands GraphQL resolvers.
    const ctx = GqlExecutionContext.create(context);
    Logger.verbose('guard text');
    return true;
  }
}

async function bootstrap() {
  const app = await NestFactory.create(AppModule);
  // Register the guard globally, so it should apply to every handler.
  app.useGlobalGuards(new TestGuard());
  app.useGlobalPipes(new ValidationPipe());

  await app.listen(3000);
  console.log(`Application is running on: ${await app.getUrl()}`);
}
bootstrap();
```

  3. npm start
  4. Run localhost:3000/graphql

No 'guard text' is printed when you open the Playground, nor when you call a query.

Expected behavior

The playground endpoint is really a secondary problem; the worst case here is that the endpoint for requesting the whole data is not guarded at all.

So you can POST /graphql with any query without any authorization.

Package version

12.0.9

Graphql version

graphql: 16.8.1
"@apollo/server": "^4.9.4",
"@nestjs/apollo": "^12.0.11",

NestJS version

16.8.1

Node.js version

10.3.1

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

Tried to get some help on Discord:
(https://discord.com/channels/520622812742811698/1025199348096700476/threads/1199825254697148457)

@lucassith
Author

lucassith commented Jan 25, 2024

Tried the same with middlewares and interceptors.

Middlewares do work as intended.
Interceptors are not called though.

I guess these requests to /graphql are omitting NestJS logic.
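The comment above notes that middleware does run for /graphql even when guards do not. The following is an added example, not code from the NestJS project or from the issue author: a transport-level authorization check for the GraphQL route, written in plain TypeScript with no NestJS or Express dependency so it runs stand-alone. It uses the Express-style (req, res, next) shape that NestJS middleware follows, and it assumes a hypothetical bearer-token verifier (`verifyBearer`, backed by a constructed sample token table) that you would replace with your real JWT or session check. Names such as `GqlRequest`, `decide` and `graphqlAuthMiddleware` are the example's own.

```typescript
// Added example, not from the NestJS project or the issue author.
// A transport-level authorization check for the /graphql route in plain
// TypeScript (no NestJS/Express dependency) so it runs stand-alone. It uses
// the (req, res, next) shape of Express-style middleware.

interface GqlRequest {
  method: string;
  path: string;
  headers: Record<string, string | undefined>; // lower-cased header names
  query?: Record<string, string>;              // URL query-string parameters
  body?: { query?: string; operationName?: string };
}

interface GqlResponse {
  statusCode: number;
  body: string;
}

interface Principal {
  subject: string;
  roles: string[];
}

// Constructed sample token table standing in for a real verifier (JWT,
// session store, ...). HYPOTHETICAL: replace verifyBearer with your own check.
const SAMPLE_TOKENS: Record<string, Principal> = {
  'tok-alice': { subject: 'alice', roles: ['reader'] },
  'tok-ops': { subject: 'ops', roles: ['reader', 'admin'] },
};

function verifyBearer(authHeader: string | undefined): Principal | null {
  if (!authHeader) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(authHeader.trim());
  if (!m) return null;
  return SAMPLE_TOKENS[m[1]] ?? null;
}

type Decision =
  | { kind: 'pass'; principal: Principal | null }
  | { kind: 'reject'; status: number; reason: string };

interface GraphqlAuthOptions {
  path: string;               // route the GraphQL server is mounted on
  playgroundEnabled: boolean; // serve the GET landing page / playground at all
}

// Apollo also executes operations sent as GET ?query=..., so a GET carrying a
// query parameter is a data request, not a playground visit.
function isExecutionRequest(req: GqlRequest): boolean {
  if (req.method === 'POST') return true;
  return req.method === 'GET' && typeof req.query?.query === 'string';
}

function decide(req: GqlRequest, opts: GraphqlAuthOptions): Decision {
  if (req.path !== opts.path) return { kind: 'pass', principal: null }; // not our route

  if (!isExecutionRequest(req)) {
    if (req.method !== 'GET') return { kind: 'reject', status: 405, reason: 'method not allowed' };
    // Plain GET: the playground page itself serves no data, so it is gated by
    // configuration only; keep it disabled outside development.
    return opts.playgroundEnabled
      ? { kind: 'pass', principal: null }
      : { kind: 'reject', status: 404, reason: 'playground disabled' };
  }

  // Anything that can execute an operation needs a valid bearer token,
  // independently of whether a resolver-level guard fires later.
  const principal = verifyBearer(req.headers['authorization']);
  if (!principal) return { kind: 'reject', status: 401, reason: 'missing or invalid bearer token' };
  return { kind: 'pass', principal };
}

// Express-style middleware factory; returns the decision for inspection.
function graphqlAuthMiddleware(opts: GraphqlAuthOptions) {
  return (req: GqlRequest, res: GqlResponse, next: () => void): Decision => {
    const d = decide(req, opts);
    if (d.kind === 'reject') {
      res.statusCode = d.status;
      res.body = JSON.stringify({ errors: [{ message: d.reason }] });
    } else {
      next();
    }
    return d;
  };
}

// Constructed request: an unauthenticated POST with a data query.
const demoOpts: GraphqlAuthOptions = { path: '/graphql', playgroundEnabled: false };
const demoRes: GqlResponse = { statusCode: 200, body: '' };
graphqlAuthMiddleware(demoOpts)(
  { method: 'POST', path: '/graphql', headers: {}, body: { query: '{ cats { name } }' } },
  demoRes,
  () => {},
);
console.log(demoRes.statusCode, demoRes.body); // 401
```

Mounting this ahead of the Apollo handler gives a single choke point for every request that can execute an operation, including GET requests with a `query` parameter, while leaving per-resolver authorization to guards once they run.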

@kamilmysliwiec
Member

@nestjs nestjs locked and limited conversation to collaborators Jan 26, 2024