Graphql-engine: Query whitelisting

Created on 6 Nov 2018 · 8 Comments · Source: hasura/graphql-engine

Is there a plan to implement query whitelisting? It is the main reason why we don't connect our clients directly to Hasura GraphQL Engine and use schema stitching with tools like persistgraphql.

server enhancement


All 8 comments

@Maxpain177 The biggest problem with whitelisted queries is that there is no accepted spec. persistgraphql seems to be abandoned in favor of https://github.com/apollographql/apollo-link-persisted-queries which is not about whitelisted queries that you get with persistgraphql.

@Maxpain177 This is on the roadmap for us and we'll be looking at it soon!

The problem is exactly what @0x777 said and our current thought is to implement this using names of the queries/mutations/subscriptions so that the implementation needs no client-side configuration, minimal hasura-side configuration and remains generic across clients and not tied into just apollo.

@theshire-io @cj @arpitjacob FYI

Adding production use-cases from @theshire-io so we can document them when this feature's available:


A list of would-be-great-to-have features for production use, via flags:

Denial of service attack prevention:

- Query depth limit.
- Transparently enforce pagination via limit on all queries.
- Query cost analysis - if a query is too expensive, block it.

The last one supersedes the others but I suppose is much more complex to implement.

Limiting information disclosure:

- Disable introspection.

My use case is:

'users' table contains public info about users in the system. Primary key is a uuid.

I want users to be able to query this table with a 'where id = uuid' but not otherwise be able to query the table, i.e. to prevent bulk data extraction. I can limit the rows returned to '1' but data could still be extracted, just with a lot of queries.

This is the same use case as raised by andrewklau in the discord on 12/12/2018.

This is the same use case as raised by andrewklau in the discord on 12/12/2018.

Hasura Discord:

andrewklau 12/12/2018
Is there a way to allow select lookups but not lists?

Vamshi Surabhi 12/12/2018
@andrewklau Can you elaborate?

andrewklau 12/12/2018
if I have a "users" table, I want to be able to select by uuid but not allow to list all the users

Vamshi Surabhi 12/12/2018
@andrewklau Hmm. Interesting. Would whitelisting queries solve this for you? You would whitelist such a query and only the user_id will be allowed to change.

```graphql
query q ($user_id: uuid!) {
  user(where: {uuid: {_eq: $user_id}}) {
    id
  }
}
```

https://github.com/hasura/graphql-engine/issues/989

andrewklau 12/12/2018
@Vamshi Surabhi hmm, yeh that would. I did see there was an option to limit the number of rows returned. I guess that would solve the same thing (ie. limit rows to 1)

Vamshi Surabhi 12/12/2018
@andrewklau Oh yeah. That should also work.

shahidhk 12/12/2018
@andrewklau If you've defined permissions based on user id, even a select on user table (without where clause) will return only 1 row, i.e the matching ones only. Just FYI, not sure about your use case here

Is there any forecast of when query whitelisting will be available?

@campie @evert-smit @elgordino @Maxpain177 This feature is now available in v1.0.0-beta.1. Here are the docs: https://docs.hasura.io/1.0/graphql/manual/deployment/allow-list.html
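The allow-listing idea discussed in this thread (a fixed query where only `$user_id` may change), as an added example that is not part of the original thread and is not Hasura's implementation. It assumes matching on normalized query text rather than on operation names; `TOKEN`, `canonical`, `ALLOW_LIST` and `isAllowed` are hypothetical names.

```javascript
// Added example: allow-list gate in front of a GraphQL endpoint (not Hasura's code).
// Lexical pattern for GraphQL source text, tried in this order.
const TOKEN = new RegExp([
  String.raw`"""(?:\\"""|[\s\S])*?"""`,          // block string
  String.raw`"(?:\\.|[^"\\\n])*"`,               // string
  String.raw`#[^\n\r]*`,                         // comment (ignored by GraphQL)
  String.raw`\.\.\.`,                            // spread
  String.raw`[A-Za-z_][A-Za-z0-9_]*`,            // name
  String.raw`-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?`,  // number
  String.raw`[!$&():=@\[\]{}|]`,                 // punctuator
  String.raw`[\s,\uFEFF]+`,                      // whitespace and commas (ignored)
  String.raw`[^]`,                               // any stray character
].join('|'), 'g');

// Reduce a query to its significant tokens so that layout, commas and
// comments do not change the allow-list key. JSON keeps token boundaries
// unambiguous even when a string literal contains spaces.
function canonical(query) {
  const kept = [];
  for (const [tok] of query.matchAll(TOKEN)) {
    if (!/^[\s,\uFEFF#]/.test(tok)) kept.push(tok);
  }
  return JSON.stringify(kept);
}

// Constructed allow-list holding the single-user lookup from the thread.
const ALLOW_LIST = new Set([
  canonical(`query q ($user_id: uuid!) {
    user(where: {uuid: {_eq: $user_id}}) { id }
  }`),
]);

// Variables are deliberately not part of the key, so $user_id may change
// freely while the shape of the query may not.
function isAllowed(request) {
  return request !== null && typeof request === 'object' &&
    typeof request.query === 'string' &&
    ALLOW_LIST.has(canonical(request.query));
}

// Constructed requests: a reformatted lookup and a bulk listing attempt.
const lookup = {
  query: '# lookup\nquery q($user_id:uuid!){user(where:{uuid:{_eq:$user_id}}){id}}',
  variables: { user_id: '00000000-0000-0000-0000-000000000001' },
};
const listing = { query: 'query q { user { id } }' };
console.log(isAllowed(lookup), isAllowed(listing)); // true false
```

A gate like this addresses the bulk-listing query itself; a client can still issue the allowed lookup many times, so it does not replace rate limiting or row-level permissions.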
