Closed Bug 1407192 Opened 4 years ago Closed 15 days ago

[API] Enable GraphiQL IDE on production

Categories

(Webtools Graveyard :: Pontoon, enhancement, P3)

enhancement

Tracking

(Not tracked)

RESOLVED MOVED

People

(Reporter: stas, Unassigned)

References

Details

The GraphiQL IDE is currently only available at /graphql in local deployments. Let's use this bug to track what's needed to enable it on production.
Yesss!
brilliant!
I love the enthusiasm :) Adrian, can you advise what the best way to proceed here is? I suspect we will need a security sign-off for GraphiQL.

Here's the GraphiQL repo:

    https://github.com/graphql/graphiql/

And the template used by graphene-django:

    https://github.com/graphql-python/graphene-django/blob/master/graphene_django/templates/graphene/graphiql.html
Flags: needinfo?(adrian)
I guess one point is to harden CSP and CSRF. CSRF seems to be somewhat dealt with in the template, why did we end up disabling it completely?

Also, https://github.com/ctrlplusb/react-universally/issues/253 has some interesting ramblings on CSP, http://django-csp.readthedocs.io/en/latest/decorators.html#csp-update might be helpful.
I'm not too much of a security expert. The way I see it, GraphiQL doesn't allow users to do anything more than what the API allows. This means that, if our API is secure, so should be any usage of graphiql. It is merely a tool that would make it easier for attackers to find out flaws in the API, but that shouldn't be a blocking factor. 

However, I do not know if the front-end has been reviewed for security. It is a bit of external code that will be executed on a domain where people have cookies and sessions, and permissions, and stuff. So there might be some risks. I would be in favor of asking the security team for opinions and/or a review of graphiql and its graphene implementation. 

One thing I've notived in that graphene template that I don't like is the usage of a CDN. I generally dislike them, as I consider them external sources of failure and they can be used to track our users. However, that is a personal opinion and Mozilla's policy on CDNs might be different. 

Hope that helps! Having graphiql on prod would indeed be super useful, it makes using the API so much easier.
Flags: needinfo?(adrian)
Summary: Enable GraphiQL IDE on production → [API] Enable GraphiQL IDE on production
Thanks, Adrian. I'll reach out to the security team.

FWIW, GitHub deployed GraphiQL at https://developer.github.com/v4/explorer/
Actually, they deployed it at https://graphql-explorer.githubapp.com which is then embedded as an iframe at https://developer.github.com/v4/explorer.
Priority: -- → P3
*This bug has been moved to GitHub.*

*Please check it out on https://github.com/mozilla/pontoon/issues.*
Status: NEW → RESOLVED
Closed: 15 days ago
Resolution: --- → MOVED
Product: Webtools → Webtools Graveyard
You need to log in before you can comment on or make changes to this bug.