Closed Bug 1407192 Opened 7 years ago Closed 3 years ago

[API] Enable GraphiQL IDE on production

Categories

(Webtools Graveyard :: Pontoon, enhancement, P3)

Tracking

(Not tracked)

RESOLVED MOVED

People

(Reporter: stas, Unassigned)

Details

The GraphiQL IDE is currently only available at /graphql in local deployments. Let's use this bug to track what's needed to enable it on production.

Yesss!

brilliant!

I love the enthusiasm :) Adrian, can you advise what the best way to proceed here is? I suspect we will need a security sign-off for GraphiQL.

Here's the GraphiQL repo:

    https://github.com/graphql/graphiql/

And the template used by graphene-django:

    https://github.com/graphql-python/graphene-django/blob/master/graphene_django/templates/graphene/graphiql.html
Flags: needinfo?(adrian)
I guess one point is to harden CSP and CSRF. CSRF seems to be somewhat dealt with in the template, why did we end up disabling it completely?

Also, https://github.com/ctrlplusb/react-universally/issues/253 has some interesting ramblings on CSP, http://django-csp.readthedocs.io/en/latest/decorators.html#csp-update might be helpful.
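The CSRF handling the comment above refers to, as an added example that is not Pontoon's or graphene-django's code: the graphene-django GraphiQL template sends the value of the csrftoken cookie back in an X-CSRFToken header, so the view can keep Django's CSRF protection instead of being wrapped in csrf_exempt. The check below is the double-submit comparison such a view relies on; the Request class, cookie and header names (Django's defaults) and the three sample requests are constructed here for illustration.

```python
"""Double-submit CSRF check of the kind the GraphiQL template satisfies.

A cross-site form POST can carry the victim's csrftoken cookie, but it cannot
set a custom X-CSRFToken header, so requiring the header to echo the cookie
is what makes csrf_exempt unnecessary.  (Added example; Request is a stand-in
for django.http.HttpRequest, and the inputs are constructed for this demo.)
"""
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE = "csrftoken"      # Django's default CSRF_COOKIE_NAME
CSRF_HEADER = "X-CSRFToken"    # header the graphene-django template sets
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Header names are case-insensitive on the wire."""
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def issue_csrf_token():
    """Unguessable per-session token to be stored in the csrftoken cookie."""
    return secrets.token_urlsafe(32)


def csrf_ok(req):
    """True if the request may proceed under the double-submit rule.

    Safe (read-only) methods pass.  Anything else must present both the cookie
    and the header, and the two must match; compare_digest avoids leaking the
    token through timing differences.
    """
    if req.method.upper() in SAFE_METHODS:
        return True
    cookie = req.cookies.get(CSRF_COOKIE)
    header = req.header(CSRF_HEADER)
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie, header)


def graphql_view(req):
    """Minimal stand-in for the /graphql endpoint: 403 on CSRF failure."""
    if not csrf_ok(req):
        return 403, {"errors": [{"message": "CSRF verification failed"}]}
    return 200, {"data": {}}


if __name__ == "__main__":
    token = issue_csrf_token()
    # GraphiQL in the browser: cookie plus echoed header -> allowed
    print(graphql_view(Request("POST", {CSRF_COOKIE: token}, {CSRF_HEADER: token}))[0])
    # cross-site form POST: cookie rides along, header cannot -> 403
    print(graphql_view(Request("POST", {CSRF_COOKIE: token}, {}))[0])
    # plain GET query from the browser: allowed, must stay read-only
    print(graphql_view(Request("GET"))[0])
```

Keeping CSRF enforcement on the view means a legitimate non-browser client has to fetch a token first; that is the trade-off that usually tempts people into csrf_exempt, and it is cheaper to document the token dance than to expose a cookie-authenticated mutation endpoint.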
I'm not too much of a security expert. The way I see it, GraphiQL doesn't allow users to do anything more than what the API allows. This means that, if our API is secure, so should be any usage of graphiql. It is merely a tool that would make it easier for attackers to find out flaws in the API, but that shouldn't be a blocking factor. 

However, I do not know if the front-end has been reviewed for security. It is a bit of external code that will be executed on a domain where people have cookies and sessions, and permissions, and stuff. So there might be some risks. I would be in favor of asking the security team for opinions and/or a review of graphiql and its graphene implementation. 

One thing I've noticed in that graphene template that I don't like is the usage of a CDN. I generally dislike them, as I consider them external sources of failure and they can be used to track our users. However, that is a personal opinion and Mozilla's policy on CDNs might be different.

Hope that helps! Having graphiql on prod would indeed be super useful, it makes using the API so much easier.
Flags: needinfo?(adrian)
Summary: Enable GraphiQL IDE on production → [API] Enable GraphiQL IDE on production
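The two hardening points raised above (a per-view CSP in the style of django-csp's csp_update, and the CDN-served GraphiQL bundle), as one added example that is not Pontoon's, django-csp's or graphene-django's code: csp_update merges extra sources into the site-wide policy rather than replacing it, so a view can admit one script host without dropping 'self'; and if the bundle does come from a CDN, a Subresource Integrity hash pins the exact bytes so the CDN remains a source of failure but not of script injection. The base policy, host names and bundle contents are constructed for this example.

```python
"""Per-view CSP merging and SRI pinning for an externally hosted GraphiQL bundle.

Added example; the merge semantics mirror the idea behind django-csp's
csp_update decorator but this is not its code.  Policy values and the fake
bundle bytes below are constructed for the demo.
"""
import base64
import hashlib

# Site-wide policy: first-party only, not embeddable anywhere.
BASE_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "frame-ancestors": ["'none'"],
}

RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:"}


def csp_update(policy, **additions):
    """Return a copy of policy with sources appended to the named directives.

    Keyword names use underscores (script_src) and are mapped to the header
    spelling (script-src).  Existing sources are kept, so the view can only
    widen the directive deliberately; it cannot lose 'self' by accident.
    """
    merged = {name: list(sources) for name, sources in policy.items()}
    for key, sources in additions.items():
        name = key.replace("_", "-")
        bucket = merged.setdefault(name, [])
        for src in sources:
            if src not in bucket:
                bucket.append(src)
    return merged


def render_csp(policy):
    """Serialise to the Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def check_policy(policy):
    """List relaxations that would let attacker-controlled script run on this origin."""
    problems = []
    for directive in ("default-src", "script-src"):
        for src in policy.get(directive, []):
            if src in RISKY_SOURCES:
                problems.append(f"{directive} allows {src}")
    return problems


def sri_hash(data, algo="sha384"):
    """Subresource Integrity value: '<algo>-<base64 digest>' of the exact bytes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url, bundle_bytes):
    """A <script> tag the browser will refuse to execute if the CDN serves other bytes."""
    return (
        f'<script src="{url}" integrity="{sri_hash(bundle_bytes)}" '
        'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    # The GraphiQL view admits one CDN host for scripts and styles; nothing else changes.
    cdn = "https://cdn.example.invalid"          # constructed host name
    graphiql_csp = csp_update(BASE_CSP, script_src=[cdn], style_src=[cdn])
    print(render_csp(graphiql_csp))
    print(check_policy(graphiql_csp) or "no risky sources")

    # Pin the bundle the template would load from that host.
    bundle = b"/* constructed stand-in for graphiql.min.js */"
    print(script_tag(f"{cdn}/graphiql.min.js", bundle))
```

The same csp_update call is how a separate-origin deployment like GitHub's would be told whom it may be framed by, for example frame_ancestors=["https://developer.example"] on the explorer origin while the base policy keeps 'none'. The check_policy pass is worth running in a unit test against the rendered header, because 'unsafe-inline' in script-src is the one relaxation that quietly undoes everything else.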
Thanks, Adrian. I'll reach out to the security team.

FWIW, GitHub deployed GraphiQL at https://developer.github.com/v4/explorer/

Actually, they deployed it at https://graphql-explorer.githubapp.com which is then embedded as an iframe at https://developer.github.com/v4/explorer.
Priority: -- → P3
*This bug has been moved to GitHub.*

*Please check it out on https://github.com/mozilla/pontoon/issues.*
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → MOVED
Product: Webtools → Webtools Graveyard