Prisma1: Add an option to disable playground

Created on 23 Aug 2018 · 2 Comments · Source: prisma/prisma1

Is your feature request related to a problem? Please describe.
My Prisma service is exposed on port 4466 because I need it to be reachable by another service, but it also exposes the playground, which is fine in dev, but in prod I don't want anyone to have access to the playground.

Describe the solution you'd like
Add an option in the docker-compose PRISMA_CONFIG env var to disable the playground (e.g.: enablePlayground: true|false).


Most helpful comment

Hi @WillyPoteloin. I think you may have a misunderstanding. Typically, you would disable access to the entire Prisma service, not just playground. This is because anybody can point their own playground to your service just by typing in the URL.
So I can go to http://localhost:3000/playground and just type in the URL of your Prisma service into the URL bar and press the reload button and it will pull your schema and allow me to submit requests against your server.

You can require authentication on the entire Prisma service by adding this to your prisma.yml:

```yaml
# If specified, the `secret` must be used to generate a JWT which is attached
# to the `Authorization` header of HTTP requests made against the Prisma API.
# Info: https://www.prisma.io/docs/reference/prisma-api/concepts-utee3eiquo#authentication
secret: ${env:PRISMA_SECRET}
```

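Then you can use prisma-binding like this:

```js
const { Prisma } = require('prisma-binding');

const db = new Prisma({
  typeDefs: 'src/generated/prisma.graphql', // generated Prisma schema (assumed path; required by prisma-binding)
  endpoint: process.env.PRISMA_ENDPOINT, // the endpoint of the Prisma API (value set in `.env`)
  secret: process.env.PRISMA_SECRET, // only needed if specified in `database/prisma.yml` (value set in `.env`)
});
```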

That gives you much more security than disabling playground. I don't think disabling your playground would really do much of anything for security.
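
The mechanism the prisma.yml comment describes, as an added example that is not part of the original comment or Prisma's own code: an HS256 JWT is signed with the service secret, sent as a Bearer token in the `Authorization` header, and checked on receipt. The function names, the demo claims and the secret value are constructed for illustration; Prisma performs its own verification server-side.

```javascript
// Added illustration (not Prisma's code): sign and check an HS256 JWT with the service secret.
const crypto = require('crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');
const hmac = (secret, input) =>
  crypto.createHmac('sha256', secret).update(input).digest('base64url');

// Client side: build a short-lived token. `claims` is whatever payload the service expects.
function signToken(secret, claims, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds }));
  return `${header}.${payload}.${hmac(secret, `${header}.${payload}`)}`;
}

// Receiving side: return the claims for a valid `Authorization` header, otherwise null.
function verifyAuthorization(secret, authorization, now = Math.floor(Date.now() / 1000)) {
  const match = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorization || '');
  if (!match) return null; // missing header or not a three-part token
  const [, header, payload, signature] = match;
  let alg, claims;
  try {
    alg = JSON.parse(Buffer.from(header, 'base64url').toString('utf8')).alg;
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch (err) {
    return null; // header or payload is not valid JSON
  }
  if (alg !== 'HS256') return null; // pin the algorithm; never trust the token's own choice
  const expected = Buffer.from(hmac(secret, `${header}.${payload}`));
  const given = Buffer.from(signature);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= now) return null; // expired
  return claims;
}

// Demo with constructed values; in a deployment the secret comes from PRISMA_SECRET.
{
  const secret = 'constructed-demo-secret';
  const token = signToken(secret, { data: { service: 'demo@dev' } }, 300);
  console.log(verifyAuthorization(secret, `Bearer ${token}`) !== null); // right secret
  console.log(verifyAuthorization('guessed-secret', `Bearer ${token}`) !== null); // wrong secret
  console.log(verifyAuthorization(secret, undefined) !== null); // no header at all
}
```

Requests from a third-party playground pointed at the endpoint fall into the second or third case unless the caller holds the secret.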

All 2 comments

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
