AbsintheSecurity provides utilities to improve the security posture of APIs built with Absinthe GraphQL.

Installation

Add absinthe_security to the deps function in your project’s mix.exs file:

defp deps do
  [
    {:absinthe_security, "~> 0.1"}
  ]
end

Then run mix do deps.get, deps.compile inside your project’s directory.

Usage

First, initialize Absinthe.Plug with a custom configuration:

forward("/graphql",
  to: Absinthe.Plug,
  init_opts: MyAppGraphQL.configuration()
)

Your custom configuration (with all of AbsintheSecurity’s checks) might look like this:

defmodule MyAppGraphQL do
  def configuration do
    [schema: MyAppGraphQL.Schema, pipeline: {__MODULE__, :absinthe_pipeline}]
  end

  def absinthe_pipeline(config, options) do
    config
    |> Absinthe.Plug.default_pipeline(options)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.IntrospectionCheck)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, AbsintheSecurity.Phase.FieldSuggestionsCheck)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxAliasesCheck)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxDepthCheck)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxDirectivesCheck)
  end
end

AbsintheSecurity.Phase.IntrospectionCheck

Disable schema introspection queries at runtime.

config :absinthe_security, AbsintheSecurity.Phase.IntrospectionCheck,
  enable_introspection: System.get_env("GRAPHQL_ENABLE_INTROSPECTION")

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.IntrospectionCheck)

AbsintheSecurity.Phase.DisableFieldSuggestions

Disable field suggestions in responses at runtime.

config :absinthe_security, AbsintheSecurity.Phase.FieldSuggestionsCheck,
  enable_field_suggestions: System.get_env("GRAPHQL_ENABLE_FIELD_SUGGESTIONS")

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, AbsintheSecurity.Phase.FieldSuggestionsCheck)

AbsintheSecurity.Phase.MaxAliasesCheck

Restrict the number of aliases that can be used in queries.

config :absinthe_security, AbsintheSecurity.Phase.MaxAliasesCheck,
  max_alias_count: 100

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxAliasesCheck)

AbsintheSecurity.Phase.MaxDepthCheck

Restrict the depth level that can be used in queries.

config :absinthe_security, AbsintheSecurity.Phase.MaxDepthCheck,
  max_depth_count: 100

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxDepthCheck)

AbsintheSecurity.Phase.MaxDirectivesCheck

Restrict the number of directives that can be used in queries.

config :absinthe_security, AbsintheSecurity.Phase.MaxDirectivesCheck,
  max_directive_count: 100

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxDirectivesCheck)

License

AbsintheSecurity is © 2023 Mirego and may be freely distributed under the New BSD license. See the LICENSE.md file.

About Mirego

Mirego is a team of passionate people who believe that work is a place where you can innovate and have fun. We’re a team of talented people who imagine and build beautiful Web and mobile applications. We come together to share ideas and change the world.

We also love open-source software and we try to give back to the community as much as we can.