{"id":16410912,"url":"https://github.com/acro5piano/signed-graphql","last_synced_at":"2025-06-18T17:39:05.169Z","repository":{"id":53165072,"uuid":"144876772","full_name":"acro5piano/signed-graphql","owner":"acro5piano","description":"Make GraphQL queries signed with JWT to prevent malicious requests","archived":false,"fork":false,"pushed_at":"2021-04-07T15:28:08.000Z","size":133,"stargazers_count":7,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-07T23:23:09.776Z","etag":null,"topics":["graphql","graphql-server","jwt","sign-graphql"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/acro5piano.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-08-15T16:25:13.000Z","updated_at":"2024-03-10T05:24:46.000Z","dependencies_parsed_at":"2022-09-12T22:23:14.081Z","dependency_job_id":null,"html_url":"https://github.com/acro5piano/signed-graphql","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/acro5piano/signed-graphql","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acro5piano%2Fsigned-graphql","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acro5piano%2Fsigned-graphql/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acro5piano%2Fsigned-graphql/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acro5piano%2Fsigned-graphql/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/acro5piano","download_url":"https://codeload.github.com/acro5piano/signed-graphql/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acro5piano%2Fsigned-graphql/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260600449,"owners_count":23034713,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["graphql","graphql-server","jwt","sign-graphql"],"created_at":"2024-10-11T06:44:07.849Z","updated_at":"2025-06-18T17:39:00.160Z","avatar_url":"https://github.com/acro5piano.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![npm version](https://badge.fury.io/js/signed-graphql.svg)](https://badge.fury.io/js/signed-graphql.svg)\n\n# signed-graphql\n\nA cli tool to make GraphQL secure. Make a plain query into a JWT signed query.\n\nSign queries on build time, and verify them on runtime.\n\n# Why\n\nGraphQL is a great tool, but the schema is open to public by default. Of course, we should keep our GraphQL server secure by server-side authorization logic. However, it is possible to create a security hole on a GraphQL server and result in unexpected issues.\n\nWith signed-graphql, we can verify queries are signed using shared JWT secret.\n\n# Install\n\n```\nnpm install --save-dev signed-graphql\n```\n\nor if you use yarn:\n\n```\nyarn add -D signed-graphql\n```\n\n# Usage\n\n### Step 1. Write GraphQL as usual\n\nAssume `example-query.js` looks like this:\n\n```js\nconst gql = literals =\u003e literals[0]\n\nexport const getUsers = gql`\n  query getUsers {\n    id\n    name\n  }\n`\n```\n\nNote: do not use `graphql-tag`. Please use plain String.\n\n### Step 2. Sign GraphQL on build time\n\nRun the following command to sign the graphql queries:\n\n```sh\nnpm run signed-graphql --write --secret foo example-query.js\n```\n\nNote: `--secret` is required args. Please keep it secret.\n\nOnce you overrite your queries, you can bundle your code as usual. So the whole build step should be like this:\n\n```sh\nnpm run signed-graphql --write --secret foo src/**/*.js\nnpm run webpack\n```\n\n### Step 3. Verify your queries on runtime\n\nOn the server side, verify the query. Node.js (express) example:\n\n```js\nconst { verify } = require('jsonwebtoken')\n\n// assuming\n// req.body.query = 'eyJhbGciOiJIUzI1NiJ9.CiAgcXVlcnkgZ2V0VXNlcnMgewogICAgbmFtZQogICAgZW1haWwKICB9Cg.GRFoVNHpY12mX0UI1y_nCRwGqKST4UkAbx88hZ2Jccg'\n\napp.post('/graphql', (req, res) =\u003e {\n  const query = verify(req.body.query, 'foo')\n  // =\u003e '\\n  query getUsers {\\n    id\\n    name\\n  }\\n'\n})\n```\n\n# Comparison with Persisted Queries\n\nThere is a GraphQL technich called \"Persisted Queries\". The idea is to create pairs of a hash and a GraphQL query. The main purpose is to improve performance, because hashed string (32-64) is smaller than the actual GraphQL string.\n\nThe downside of persisted queries are the lack of flexibility. It requires server side to know the pair of hash/query ahead of time before.\n\nOn the other hand, signed-graphql keeps flexibility of front-end and server-side. Since JWT is stateless, we don't have to save anything (other than the JWT secret).\n\nThe downside of signed-graphql is performance. You need to verify JWT on every request, which means there is some additional cost on the runtime.\n\nRefereneces:\n\n- https://mercurius.dev/#/docs/persisted-queries\n- https://www.apollographql.com/docs/apollo-server/performance/apq/\n\n# Thanks\n\nOridinally inspired by: https://itnext.io/graphql-data-hiding-using-apollo-stack-ad1ea92fa85c\n\n# TODO\n\n- [x] add unit test\n- [ ] show console help\n- [ ] convert to plain for debug/convenience\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facro5piano%2Fsigned-graphql","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Facro5piano%2Fsigned-graphql","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facro5piano%2Fsigned-graphql/lists"}