DisableAllowList in production mode

[andybar2]

Hi @dosco , how are you?

We would like to use the DisableAllowList config option in production mode, but seems that it is not possible to do that at this moment.

Would it be possible to change this line https://github.com/dosco/graphjin/blob/master/core/api.go#L316 to be if !gj.conf.DisableAllowList { so that the only thing that dictates the usage of the allow list is the DisableAllowList flag, and give the flexibility to disable it in production in that way?

Thanks,
Andres

[dosco]

Not aginst a fix here to help you but would it be possible for you to share a bit more on the usecase as if this is allowed then any user sent query would be executed. Trying to understand your usecase so i can come-up with a fix without creating a user experience issue where folks open up their db mistake. Would you be ok with a DisableProdSecurity flag which does this so folks are clear about what they are doing.

[andybar2]

Hi @dosco,

Thanks for the quick response. In our case we are implementing all the controls using roles and permissions of those roles over each table. And we want to give flexibility to the frontend team to query whatever they need without having to add those queries to the backend to allow them. That being said, I think the DisableProdSecurity flag that you propose would be fine as well.

Thanks,
Andres

[dosco]

Sorry for the questions just trying to understand the usecase better so I can have it in mind when building new features, etc. I thought about this a little more seems like it would not work for you since in production mode all queries are compiled only once and then locked in. You can do what you want by disabling production mode production: false and also setting disable_allow_list: true this will achieve what you need.

[andybar2]

Well, we were using production: false and disable_allow_list: true, but we changed to production: true in order to take advantage of the new feature to get the graphql schema from a file instead of letting graphjin auto discover it from the db, which made our setup run much faster in a lambda function.

[dosco]

Thanks this larger picture helps me understand your position better. In short you need the allow list disabled and compiling to always happen in production mode (and you're fully aware of the security issues). Got it will give it a bit more thought and have a fix for you later today.

[dosco]

new config param disable_production_security: true will disable the allow list and enable compiling everytime in production it will also allow introspection queries which will help with generating client and autocomplete in case your devs are using a ui / ide that has support. 960048f

[andybar2]

Great, I'm going to test it and will let you know how it works. Thanks!

[andybar2]

Hey @dosco ! I've just tested the new flag and it works perfectly fine for our case. Thank you very much!