https://github.com/mirego/absinthe_security
AbsintheSecurity provides utilities to improve the security posture of APIs built with Absinthe GraphQL.
- Host: GitHub
- URL: https://github.com/mirego/absinthe_security
- Owner: mirego
- License: bsd-3-clause
- Created: 2023-11-30T18:30:17.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-12-11T16:35:17.000Z (about 2 years ago)
- Last Synced: 2025-08-09T19:51:48.445Z (6 months ago)
- Topics: absinthe, absinthe-graphql, elixir, elixir-lang, security
- Language: Elixir
- Homepage: https://open.mirego.com
- Size: 43.9 KB
- Stars: 16
- Watchers: 24
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.md
README
AbsintheSecurity provides utilities to improve the security posture of APIs built with Absinthe GraphQL.
## Installation
Add `absinthe_security` to the `deps` function in your project’s `mix.exs` file:
```elixir
defp deps do
  [
    {:absinthe_security, "~> 0.1"}
  ]
end
```
Then run `mix do deps.get, deps.compile` inside your project’s directory.
## Usage
First, initialize `Absinthe.Plug` with a custom configuration:
```elixir
forward("/graphql",
  to: Absinthe.Plug,
  init_opts: MyAppGraphQL.configuration()
)
```
Your custom configuration (with all of `AbsintheSecurity`’s checks) might look like this:
```elixir
defmodule MyAppGraphQL do
  def configuration do
    [schema: MyAppGraphQL.Schema, pipeline: {__MODULE__, :absinthe_pipeline}]
  end

  def absinthe_pipeline(config, options) do
    options = Absinthe.Pipeline.options(options)

    config
    |> Absinthe.Plug.default_pipeline(options)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.IntrospectionCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, {AbsintheSecurity.Phase.FieldSuggestionsCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxAliasesCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDepthCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDirectivesCheck, options})
  end
end
```
### `AbsintheSecurity.Phase.IntrospectionCheck`
Disable schema introspection queries at runtime.
#### Configuration
```elixir
config :absinthe_security, AbsintheSecurity.Phase.IntrospectionCheck,
enable_introspection: System.get_env("GRAPHQL_ENABLE_INTROSPECTION")
```
#### Pipeline
```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.IntrospectionCheck, options})
```
#### Reference
### `AbsintheSecurity.Phase.FieldSuggestionsCheck`
Disable field suggestions in responses at runtime.
#### Configuration
```elixir
config :absinthe_security, AbsintheSecurity.Phase.FieldSuggestionsCheck,
enable_field_suggestions: System.get_env("GRAPHQL_ENABLE_FIELD_SUGGESTIONS")
```
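A `config/runtime.exs` that wires all five checks, added here as an example that is not part of the absinthe_security README. It coerces the environment variables to booleans and integers because `System.get_env/1` returns a string (so a value of `"false"` is truthy in Elixir) and is evaluated at boot rather than at compile time; whether the phases accept a boolean rather than a string, and the extra env var names and lower default limits, are assumptions.

```elixir
# config/runtime.exs (added example, not from the absinthe_security README)
import Config

# Assumption: the phases treat boolean `true` as "enabled" and anything else
# as disabled. Coercing here avoids the string-truthiness trap, where the
# literal string "false" from the environment would still be truthy.
truthy? = fn var ->
  case System.get_env(var) do
    v when v in ["true", "1", "yes"] -> true
    _ -> false
  end
end

# Integer limits with a safe default; a malformed value raises at boot
# instead of silently disabling the check.
int_env = fn var, default ->
  case System.get_env(var) do
    nil -> default
    v -> String.to_integer(v)
  end
end

# Introspection and field suggestions default to OFF and must be switched
# on explicitly (e.g. only in dev/test), never switched off explicitly in prod.
config :absinthe_security, AbsintheSecurity.Phase.IntrospectionCheck,
  enable_introspection: truthy?.("GRAPHQL_ENABLE_INTROSPECTION")

config :absinthe_security, AbsintheSecurity.Phase.FieldSuggestionsCheck,
  enable_field_suggestions: truthy?.("GRAPHQL_ENABLE_FIELD_SUGGESTIONS")

# Query-shape limits. The env var names and defaults below are assumptions,
# set lower than the README's 100; tune them to the schema's real needs.
config :absinthe_security, AbsintheSecurity.Phase.MaxAliasesCheck,
  max_alias_count: int_env.("GRAPHQL_MAX_ALIASES", 20)

config :absinthe_security, AbsintheSecurity.Phase.MaxDepthCheck,
  max_depth_count: int_env.("GRAPHQL_MAX_DEPTH", 10)

config :absinthe_security, AbsintheSecurity.Phase.MaxDirectivesCheck,
  max_directive_count: int_env.("GRAPHQL_MAX_DIRECTIVES", 20)
```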
#### Pipeline
```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, {AbsintheSecurity.Phase.FieldSuggestionsCheck, options})
```
#### Reference
### `AbsintheSecurity.Phase.MaxAliasesCheck`
Restrict the number of aliases that can be used in queries.
#### Configuration
```elixir
config :absinthe_security, AbsintheSecurity.Phase.MaxAliasesCheck,
max_alias_count: 100
```
#### Pipeline
```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxAliasesCheck, options})
```
#### Reference
### `AbsintheSecurity.Phase.MaxDepthCheck`
Restrict the depth level that can be used in queries.
#### Configuration
```elixir
config :absinthe_security, AbsintheSecurity.Phase.MaxDepthCheck,
max_depth_count: 100
```
#### Pipeline
```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDepthCheck, options})
```
#### Reference
### `AbsintheSecurity.Phase.MaxDirectivesCheck`
Restrict the number of directives that can be used in queries.
#### Configuration
```elixir
config :absinthe_security, AbsintheSecurity.Phase.MaxDirectivesCheck,
max_directive_count: 100
```
#### Pipeline
```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDirectivesCheck, options})
```
#### Reference
## License
`AbsintheSecurity` is © 2023 [Mirego](https://www.mirego.com) and may be freely distributed under the [New BSD license](http://opensource.org/licenses/BSD-3-Clause). See the [`LICENSE.md`](https://github.com/mirego/absinthe_security/blob/main/LICENSE.md) file.
## About Mirego
[Mirego](https://www.mirego.com) is a team of passionate people who believe that work is a place where you can innovate and have fun. We’re a team of [talented people](https://life.mirego.com) who imagine and build beautiful Web and mobile applications. We come together to share ideas and [change the world](http://www.mirego.org).
We also [love open-source software](https://open.mirego.com) and we try to give back to the community as much as we can.