GraphQL Security in Production with Automated Allow Lists

Hasura
4 min readJan 19, 2023

In some cases, you might want to restrict your Hasura application to a limited number of GraphQL operations (queries/mutations/subscriptions). The reason for doing it might be to avoid excessive data exposure, API scraping and to protect your application & data.

Hasura allows you to restrict the number and type of available operations with the “Allow List” feature. The “Allow List” represents a list of allowed GraphQL Operations that can be executed in your application. So the Hasura GraphQL Engine only runs the operations specified in the “Allow List”.

Moreover, there is a way to generate an Allow List based on your front-end code automatically. This way, the allow list and your front-end code are always in sync!

The article presents 3 ways to generate allow lists in Hasura, with the last one being fully automated.

Enable “Allow List”

The “Allow List” feature is disabled by default. You need to navigate to your project settings and enable it.

Set the HASURA_GRAPHQL_ENABLE_ALLOWLIST environment variable to true, as shown in the figure.

Allow List of operations in Hasura

Let’s use the following Hasura application as an example. It’s a simple application that stores users. Each user has an id and a name.

Navigate to the API tab and click on the Allow List at the top of the page (right-hand side).

That opens the “Allow List” manager. This is where you can add, modify and remove operations in your “Allow List”.

Clicking on the Add Operation button opens a new modal where you can add an allowed operation. There are 3 ways to add an operation:

  1. write it manually
  2. upload a file with the operation/operations
  3. pick it from the Quick Add dropdown (it displays the latest operation executed)

After you add the operation, you can see it on the “Allow List” page.

Another way to create an AllowList

There’s another way you can manage your “Allow List”. Navigate to the MONITORING tab and click on the Allow Lists option.

If you navigate to the NEW OPERATIONS page, you can see the operations you executed that are not in the "Allow List" yet. That means Hasura Cloud allows you to choose from a list of operations you executed previously and add the ones you want to the "Allow List".

Instead of manually writing the operations, you can select the ones you want to add to the “Allow List” and click the Add to Allowlist button.

After that, you should see them on the ALLOWED OPERATIONS page.

Automatically Generate an AllowList

Creating an AllowList manually is fine, especially when the application is not large. However, once the application grows, it can become time-consuming to manually add operations to the AllowList. Keeping the list in sync with your front-end code can also be tedious.

Thankfully, there is a way to automate that with the GraphQL Code Generator library. The GraphQL Code Generator automatically generates code from your GraphQL schema and operations. It also has a plugin @graphql-codegen/hasura-allow-list that automates the creation of the “AllowList” based on the GraphQL Queries found in your front-end code.

After you set up @graphql-codegen in your project, add the following to your codegen file:

import type { CodegenConfig } from '@graphql-codegen/cli';

const config: CodegenConfig = {
generates: {
'path/to/metadata/allow_list.yaml': {
plugins: ['hasura-allow-list']
}
}
}

export default config;Now that the process of creating the “AllowList” is fully automated, the “AllowList” and your front-end code are always in sync.

Now that the process of creating the “AllowList” is fully automated, the “AllowList” and your front-end code are always in sync.

Note: The plugin only works in the JavaScript ecosystem.

It’s important to mention that this is a community plugin, and not the official Hasura solution.

Additional resources:

Originally published at https://hasura.io on January 19, 2023.

--

--

Hasura

⚡️ Instant realtime GraphQL APIs! Connect Hasura to your database & data sources (GraphQL, REST & 3rd party API) and get a unified data access layer instantly.