DEV Community: CRUD5th-273- The latest articles on DEV Community by CRUD5th-273- (@crud5th-273-). https://dev.to/crud5th-273- https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2910174%2F63fbee5e-afa8-46c9-9cb7-f514510b12b5.jpg DEV Community: CRUD5th-273- https://dev.to/crud5th-273- en Building a Live RBAC Explorer for GraphQL: Visualize Access by Role in Real-Time CRUD5th-273- Sun, 30 Mar 2025 12:55:15 +0000 https://dev.to/crud5th-273-/building-a-live-rbac-explorer-for-graphql-visualize-access-by-role-in-real-time-4hk6 https://dev.to/crud5th-273-/building-a-live-rbac-explorer-for-graphql-visualize-access-by-role-in-real-time-4hk6 <p>“Who can access this field?” is the most frequent — and least answered — question in GraphQL security.</p> <p>This article introduces the concept and architecture of a <strong>Live RBAC Explorer GUI</strong>,<br><br> a visual tool that allows teams to <strong>interactively explore access permissions per role</strong> in a GraphQL schema.</p> <h2> 1. Objective: Role-Based GraphQL Access Visualization </h2> <p>Users should be able to:</p> <p>✅ Select a role (<code>admin</code>, <code>user</code>, <code>guest</code>, etc.)<br><br> ✅ View query/mutation types and their fields<br><br> ✅ See which fields are <strong>accessible</strong>, <strong>denied</strong>, or <strong>conditionally filtered</strong><br><br> ✅ Live-query the API with the role context</p> <h2> 2. Use Case Scenarios </h2> <ul> <li>🔍 Security auditing for permission overreach </li> <li>🤝 Developer understanding of RBAC in collaborative teams </li> <li>✅ Pre-release validation of new roles or schema changes </li> <li>🧪 QA testing to confirm access boundaries</li> </ul> <h2> 3. Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>+--------------------------+ | RBAC Explorer GUI | ← Vue / React SPA +--------------------------+ ↓ Role Selector (UI) ↓ JWT Generator (per role) ↓ GraphQL Introspection ↓ Live Field Access Check ↓ Color-coded Explorer View </code></pre> </div> <h2> 4. Tech Stack </h2> <ul> <li> <strong>Frontend</strong>: React + Apollo Client or Vue + urql </li> <li> <strong>Auth</strong>: Static JWT per role or dynamic generator </li> <li> <strong>Backend</strong>: Hasura or Apollo with RBAC enabled </li> <li> <strong>Optional</strong>: Express or Netlify Functions for token handling</li> </ul> <h2> 5. Field Access Status Legend </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Symbol</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>🟢</td> <td>Full access (allow)</td> </tr> <tr> <td>🟡</td> <td>Conditional (filter)</td> </tr> <tr> <td>🔴</td> <td>No access (deny)</td> </tr> </tbody> </table></div> <p>Use color or icon overlays directly in the schema explorer.</p> <h2> 6. Implementation Strategy </h2> <h3> ✅ Step 1: JWT Generation per Role </h3> <p>Use hardcoded secret or JWT signer (e.g. Firebase):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">getJWT</span><span class="p">(</span><span class="nx">role</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="dl">'</span><span class="s1">https://hasura.io/jwt/claims</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">x-hasura-default-role</span><span class="dl">'</span><span class="p">:</span> <span class="nx">role</span><span class="p">,</span> <span class="dl">'</span><span class="s1">x-hasura-allowed-roles</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="nx">role</span><span class="p">],</span> <span class="dl">'</span><span class="s1">x-hasura-user-id</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">123</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> ✅ Step 2: Introspect with JWT </h3> <p>Use Apollo Client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApolloClient</span><span class="p">({</span> <span class="na">uri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-api/graphql</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="p">{</span><span class="w"> </span><span class="n">__type</span><span class="p">(</span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="s2">"User"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">fields</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Compare introspection results per role.</p> <h3> ✅ Step 3: GUI Visualization </h3> <p>Build a tree viewer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- Query - me 🟢 - users 🔴 - Mutation - updateProfile 🟡 - deleteUser 🔴 </code></pre> </div> <p>Highlight field accessibility status per role using badges/icons.</p> <h3> ✅ Step 4: Live Try-it Panel (Optional) </h3> <p>Let users issue queries as a selected role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">me</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>→ Response shown with headers applied, or errors clearly marked.</p> <h2> 7. Enhancements </h2> <ul> <li>✅ Diff mode: compare 2 roles side by side </li> <li>📊 Export as PDF or HTML snapshot for audits </li> <li>📈 Track % of schema exposed per role </li> <li>🔄 Integrate with Hasura metadata to infer row-level filters</li> </ul> <h2> Final Thoughts </h2> <p>RBAC is code. It deserves a UI.<br><br> Live Explorer brings visibility to what was previously hidden — the <em>true access graph</em> behind your GraphQL API.</p> <p>In the next evolution:</p> <ul> <li>GitHub integration to preview PR RBAC impact </li> <li>Role simulator with live input filters </li> <li>Visual RBAC policy editor</li> </ul> <p>Build the explorer. Expose the graph. Secure with insight.</p> Automating RBAC HTML Reports to PR Comments: Review-Driven Security in GitHub Actions CRUD5th-273- Sun, 30 Mar 2025 12:53:35 +0000 https://dev.to/crud5th-273-/automating-rbac-html-reports-to-pr-comments-review-driven-security-in-github-actions-44kp https://dev.to/crud5th-273-/automating-rbac-html-reports-to-pr-comments-review-driven-security-in-github-actions-44kp <p>Keeping track of access control changes is hard — unless your CI does it for you.</p> <p>This guide shows how to:</p> <ul> <li>Generate a Role × Field matrix in HTML</li> <li>Detect diffs between <code>dev</code> and <code>prod</code> RBAC</li> <li>Auto-post a visual report as a comment on the related GitHub Pull Request</li> </ul> <p>No more guessing who can access what — reviewers get it <strong>inline and real-time</strong>.</p> <h2> 1. Output Format: HTML Report </h2> <p>Use your <code>rbac-matrix.js</code> or similar script to generate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node rbac-matrix.js metadata-dev/ <span class="o">&gt;</span> rbac-dev.csv node rbac-matrix.js metadata-prod/ <span class="o">&gt;</span> rbac-prod.csv node diff-rbac.js rbac-dev.csv rbac-prod.csv <span class="o">&gt;</span> rbac-diff.html </code></pre> </div> <p>Example table (simplified):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;table&gt;</span> <span class="nt">&lt;thead&gt;&lt;tr&gt;&lt;th&gt;</span>Role<span class="nt">&lt;/th&gt;&lt;th&gt;</span>Table<span class="nt">&lt;/th&gt;&lt;th&gt;</span>Field<span class="nt">&lt;/th&gt;&lt;th&gt;</span>Diff<span class="nt">&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;</span> <span class="nt">&lt;tbody&gt;</span> <span class="nt">&lt;tr&gt;&lt;td&gt;</span>user<span class="nt">&lt;/td&gt;&lt;td&gt;</span>invoices<span class="nt">&lt;/td&gt;&lt;td&gt;</span>amount<span class="nt">&lt;/td&gt;&lt;td</span> <span class="na">style=</span><span class="s">"color: red;"</span><span class="nt">&gt;</span>SELECT: Removed<span class="nt">&lt;/td&gt;&lt;/tr&gt;</span> <span class="nt">&lt;tr&gt;&lt;td&gt;</span>admin<span class="nt">&lt;/td&gt;&lt;td&gt;</span>logs<span class="nt">&lt;/td&gt;&lt;td&gt;</span>ip_address<span class="nt">&lt;/td&gt;&lt;td</span> <span class="na">style=</span><span class="s">"color: green;"</span><span class="nt">&gt;</span>INSERT: Added<span class="nt">&lt;/td&gt;&lt;/tr&gt;</span> <span class="nt">&lt;/tbody&gt;</span> <span class="nt">&lt;/table&gt;</span> </code></pre> </div> <p>Wrap this with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;details&gt;&lt;summary&gt;</span>RBAC Drift Report<span class="nt">&lt;/summary&gt;</span> ...table here... <span class="nt">&lt;/details&gt;</span> </code></pre> </div> <h2> 2. GitHub Actions Workflow </h2> <h3> Step 1: Prepare workflow file <code>.github/workflows/rbac-report.yml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">RBAC Diff and PR Comment</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">metadata/**'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">rbac-diff</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Node</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">18'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Deps</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm install</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate RBAC Diff Report</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">node rbac-matrix.js metadata-dev/ &gt; rbac-dev.csv</span> <span class="s">node rbac-matrix.js metadata-prod/ &gt; rbac-prod.csv</span> <span class="s">node diff-rbac.js rbac-dev.csv rbac-prod.csv &gt; rbac-diff.html</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Post Comment</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">peter-evans/create-or-update-comment@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">issue-number</span><span class="pi">:</span> <span class="s">${{ github.event.pull_request.number }}</span> <span class="na">body-path</span><span class="pi">:</span> <span class="s">./rbac-diff.html</span> <span class="na">edit-mode</span><span class="pi">:</span> <span class="s">replace</span> </code></pre> </div> <blockquote> <p>💡 Tip: <code>edit-mode: replace</code> ensures one comment is reused, not spammed on every run.</p> </blockquote> <h2> 3. Optional: Format HTML as Markdown for Better PR UX </h2> <p>Instead of full HTML table, convert to GitHub-flavored Markdown table in <code>diff-rbac.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>| Role | Table | Field | Diff | |------|-------|--------|------| | user | invoices | amount | ~~SELECT~~ ❌ | | admin | logs | ip_address | ✅ INSERT | </code></pre> </div> <p>Then use <code>body-path: rbac-diff.md</code></p> <h2> 4. Result in PR </h2> <p>When a contributor changes Hasura metadata in a PR:</p> <p>✅ RBAC diff is generated<br><br> ✅ Visual diff table is posted as PR comment<br><br> ✅ Reviewers can approve/reject RBAC changes inline</p> <h2> Final Thoughts </h2> <p>RBAC is infrastructure. Treat it like code.<br><br> When security drifts silently, CI must speak loudly.</p> <p>With RBAC visual bots in place, your team never misses a permission gap again.</p> <p>Next:</p> <ul> <li>Slack alerts on critical diffs</li> <li>Diff severity heatmaps</li> <li>RBAC policy-as-code enforcement gate</li> </ul> <p>Comment the matrix. Review the diff. Secure the graph.</p> Detecting RBAC Drift Between Dev and Prod: A CI-Driven Matrix Diff System CRUD5th-273- Sun, 30 Mar 2025 12:53:09 +0000 https://dev.to/crud5th-273-/detecting-rbac-drift-between-dev-and-prod-a-ci-driven-matrix-diff-system-3ffg https://dev.to/crud5th-273-/detecting-rbac-drift-between-dev-and-prod-a-ci-driven-matrix-diff-system-3ffg <p>You push to staging. It works.<br><br> You deploy to prod. And suddenly, users can write to <code>audit_logs</code>.</p> <p>The problem?<br><br> RBAC drift between environments — subtle, silent, and security-critical.</p> <p>This guide walks through detecting RBAC differences between <strong>dev</strong> and <strong>prod</strong> Hasura metadata by comparing generated <strong>Role × Field matrices</strong>.</p> <h2> 1. Assumptions </h2> <ul> <li>You export Hasura metadata from both environments: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> hasura metadata export --endpoint https://dev-api.example.com --output metadata-dev/ hasura metadata export --endpoint https://prod-api.example.com --output metadata-prod/ </code></pre> </div> <ul> <li>You have a matrix generator like <code>rbac-matrix.js</code> (see previous article) that produces: <ul> <li><code>rbac-dev.csv</code></li> <li><code>rbac-prod.csv</code></li> </ul> </li> </ul> <h2> 2. Diff Goals </h2> <p>We want to detect:</p> <p>✅ Added/removed access<br><br> ✅ Role gaining new permissions<br><br> ✅ Field-level permission divergence<br><br> ✅ Action type mismatches (e.g. <code>SELECT</code> allowed in dev, denied in prod)</p> <h2> 3. Matrix Normalization </h2> <p>Ensure both <code>rbac-dev.csv</code> and <code>rbac-prod.csv</code> are:</p> <ul> <li>Sorted by <code>Role, Table, Field</code> </li> <li>Have the same headers: <code>Role,Table,Field,SELECT,INSERT,UPDATE,DELETE</code> </li> </ul> <h2> 4. Diff Script (TypeScript / Node.js) </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">parse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">csv-parse/sync</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">dev</span> <span class="o">=</span> <span class="nf">parse</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">rbac-dev.csv</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">columns</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">prod</span> <span class="o">=</span> <span class="nf">parse</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">rbac-prod.csv</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">columns</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="p">(</span><span class="nx">row</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`</span><span class="p">${</span><span class="nx">row</span><span class="p">.</span><span class="nx">Role</span><span class="p">}</span><span class="s2">::</span><span class="p">${</span><span class="nx">row</span><span class="p">.</span><span class="nx">Table</span><span class="p">}</span><span class="s2">::</span><span class="p">${</span><span class="nx">row</span><span class="p">.</span><span class="nx">Field</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">mapDev</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">(</span><span class="nx">dev</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">row</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="nf">key</span><span class="p">(</span><span class="nx">row</span><span class="p">),</span> <span class="nx">row</span><span class="p">]));</span> <span class="kd">const</span> <span class="nx">mapProd</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">(</span><span class="nx">prod</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">row</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="nf">key</span><span class="p">(</span><span class="nx">row</span><span class="p">),</span> <span class="nx">row</span><span class="p">]));</span> <span class="kd">const</span> <span class="nx">allKeys</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([...</span><span class="nx">mapDev</span><span class="p">.</span><span class="nf">keys</span><span class="p">(),</span> <span class="p">...</span><span class="nx">mapProd</span><span class="p">.</span><span class="nf">keys</span><span class="p">()]);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">k</span> <span class="k">of</span> <span class="nx">allKeys</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">d</span> <span class="o">=</span> <span class="nx">mapDev</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">k</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nx">mapProd</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">k</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">d</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`🟢 Added in PROD: </span><span class="p">${</span><span class="nx">k</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">p</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`🔴 Missing in PROD: </span><span class="p">${</span><span class="nx">k</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="dl">'</span><span class="s1">SELECT</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">INSERT</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">UPDATE</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">].</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">op</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">((</span><span class="nx">d</span><span class="p">[</span><span class="nx">op</span><span class="p">]</span> <span class="o">||</span> <span class="dl">''</span><span class="p">)</span> <span class="o">!==</span> <span class="p">(</span><span class="nx">p</span><span class="p">[</span><span class="nx">op</span><span class="p">]</span> <span class="o">||</span> <span class="dl">''</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`⚠️ Diff in </span><span class="p">${</span><span class="nx">k</span><span class="p">}</span><span class="s2"> → </span><span class="p">${</span><span class="nx">op</span><span class="p">}</span><span class="s2">: DEV=</span><span class="p">${</span><span class="nx">d</span><span class="p">[</span><span class="nx">op</span><span class="p">]}</span><span class="s2"> PROD=</span><span class="p">${</span><span class="nx">p</span><span class="p">[</span><span class="nx">op</span><span class="p">]}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> 5. CI Integration </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate RBAC Matrices</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">node rbac-matrix.js metadata-dev/ &gt; rbac-dev.csv</span> <span class="s">node rbac-matrix.js metadata-prod/ &gt; rbac-prod.csv</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Detect RBAC Drift</span> <span class="na">run</span><span class="pi">:</span> <span class="s">node diff-rbac.js</span> </code></pre> </div> <p>Use <code>exitCode = 1</code> if drift is critical.</p> <h2> 6. Optional Enhancements </h2> <ul> <li>Export to Markdown table for PR comments</li> <li>Group diffs by role or table</li> <li>Visual HTML diff viewer with color-coded deltas</li> <li>Auto-approve deploy only if diff is "approved"</li> </ul> <h2> Final Thoughts </h2> <p>Your app changes often.<br><br> Your schema changes faster.<br><br> Your permissions? They <em>must</em> stay in sync — or you're inviting trouble.</p> <p>With matrix diffing in place, RBAC drift becomes an explicit, testable signal — not an incident waiting to happen.</p> <p>Next:</p> <ul> <li>PR Bot to annotate diffs</li> <li>Approval workflow with policy-as-code</li> <li>Field-level explainers for detected mismatches</li> </ul> <p>Track the access. Visualize the change. Secure the drift.</p> Visualizing Role Field Access in GraphQL: Generating and Auditing RBAC Matrix CRUD5th-273- Sun, 30 Mar 2025 12:49:39 +0000 https://dev.to/crud5th-273-/visualizing-role-x-field-access-in-graphql-generating-and-auditing-rbac-matrix-2c6a https://dev.to/crud5th-273-/visualizing-role-x-field-access-in-graphql-generating-and-auditing-rbac-matrix-2c6a <p>When debugging or auditing GraphQL APIs — especially in Hasura —<br><br> the key question is often: </p> <blockquote> <p>“Which roles can access which fields on which types?”</p> </blockquote> <p>Answering this by hand is slow, error-prone, and unscalable.</p> <p>This guide shows how to <strong>auto-generate a Role × Field access matrix</strong>, export it as CSV/HTML, and visualize it interactively.</p> <h2> 1. Objective: Matrix Output </h2> <p>Example table:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Role</th> <th>Table</th> <th>Field</th> <th>SELECT</th> <th>INSERT</th> <th>UPDATE</th> <th>DELETE</th> </tr> </thead> <tbody> <tr> <td>user</td> <td>users</td> <td>id</td> <td>✅</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td>user</td> <td>users</td> <td>email</td> <td>✅</td> <td>❌</td> <td>✅</td> <td>❌</td> </tr> <tr> <td>public</td> <td>posts</td> <td>title</td> <td>✅</td> <td>✅</td> <td>❌</td> <td>❌</td> </tr> <tr> <td>admin</td> <td>users</td> <td>password_hash</td> <td>✅</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> </tbody> </table></div> <h2> 2. Data Source: Hasura Metadata </h2> <p>Permissions live in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>metadata/ ├── tables/ │ ├── users.yaml │ ├── posts.yaml </code></pre> </div> <p>Each file contains permissions by role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">select_permissions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">user</span> <span class="na">permission</span><span class="pi">:</span> <span class="na">columns</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">id</span><span class="pi">,</span> <span class="nv">email</span><span class="pi">]</span> <span class="na">filter</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">id</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">_eq</span><span class="pi">:</span> <span class="nv">X-Hasura-User-Id</span> <span class="pi">}</span> <span class="pi">}</span> <span class="na">insert_permissions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">public</span> <span class="na">permission</span><span class="pi">:</span> <span class="na">columns</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">title</span><span class="pi">,</span> <span class="nv">content</span><span class="pi">]</span> </code></pre> </div> <h2> 3. CLI Generator Script (Node.js) </h2> <p>Install dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>yaml glob chalk fs </code></pre> </div> <p>Script outline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// rbac-matrix.js</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">yaml</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">yaml</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">glob</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">glob</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">matrix</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">files</span> <span class="o">=</span> <span class="nx">glob</span><span class="p">.</span><span class="nf">sync</span><span class="p">(</span><span class="dl">'</span><span class="s1">./metadata/tables/*.yaml</span><span class="dl">'</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">file</span> <span class="k">of</span> <span class="nx">files</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">table</span> <span class="o">=</span> <span class="nx">file</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">).</span><span class="nf">pop</span><span class="p">().</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">.yaml</span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">doc</span> <span class="o">=</span> <span class="nx">yaml</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">file</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">));</span> <span class="p">[</span><span class="dl">'</span><span class="s1">select</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">insert</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">update</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">delete</span><span class="dl">'</span><span class="p">].</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">action</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">perms</span> <span class="o">=</span> <span class="nx">doc</span><span class="p">[</span><span class="s2">`</span><span class="p">${</span><span class="nx">action</span><span class="p">}</span><span class="s2">_permissions`</span><span class="p">]</span> <span class="o">||</span> <span class="p">[];</span> <span class="nx">perms</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">role</span> <span class="o">=</span> <span class="nx">p</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">cols</span> <span class="o">=</span> <span class="nx">p</span><span class="p">.</span><span class="nx">permission</span><span class="p">?.</span><span class="nx">columns</span> <span class="o">||</span> <span class="p">[];</span> <span class="nx">cols</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">col</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">row</span> <span class="o">=</span> <span class="nx">matrix</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">role</span> <span class="o">===</span> <span class="nx">role</span> <span class="o">&amp;&amp;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">table</span> <span class="o">===</span> <span class="nx">table</span> <span class="o">&amp;&amp;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">field</span> <span class="o">===</span> <span class="nx">col</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">row</span><span class="p">)</span> <span class="p">{</span> <span class="nx">row</span><span class="p">[</span><span class="nx">action</span><span class="p">.</span><span class="nf">toUpperCase</span><span class="p">()]</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">✅</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">matrix</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="nx">role</span><span class="p">,</span> <span class="nx">table</span><span class="p">,</span> <span class="na">field</span><span class="p">:</span> <span class="nx">col</span><span class="p">,</span> <span class="na">SELECT</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">INSERT</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">UPDATE</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">DELETE</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="p">[</span><span class="nx">action</span><span class="p">.</span><span class="nf">toUpperCase</span><span class="p">()]:</span> <span class="dl">'</span><span class="s1">✅</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">csv</span> <span class="o">=</span> <span class="p">[</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Role</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Table</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Field</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SELECT</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">INSERT</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">UPDATE</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">],</span> <span class="p">...</span><span class="nx">matrix</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="nx">r</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="nx">r</span><span class="p">.</span><span class="nx">table</span><span class="p">,</span> <span class="nx">r</span><span class="p">.</span><span class="nx">field</span><span class="p">,</span> <span class="nx">r</span><span class="p">.</span><span class="nx">SELECT</span><span class="p">,</span> <span class="nx">r</span><span class="p">.</span><span class="nx">INSERT</span><span class="p">,</span> <span class="nx">r</span><span class="p">.</span><span class="nx">UPDATE</span><span class="p">,</span> <span class="nx">r</span><span class="p">.</span><span class="nx">DELETE</span><span class="p">])</span> <span class="p">].</span><span class="nf">map</span><span class="p">(</span><span class="nx">row</span> <span class="o">=&gt;</span> <span class="nx">row</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)).</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">rbac-matrix.csv</span><span class="dl">'</span><span class="p">,</span> <span class="nx">csv</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">✅ RBAC matrix written to rbac-matrix.csv</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h2> 4. Optional: HTML Table Renderer </h2> <p>Convert CSV → HTML table with filters (use DataTables.js or React):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;table</span> <span class="na">id=</span><span class="s">"rbac"</span><span class="nt">&gt;</span> <span class="c">&lt;!-- insert rows here --&gt;</span> <span class="nt">&lt;/table&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nf">$</span><span class="p">(</span><span class="dl">'</span><span class="s1">#rbac</span><span class="dl">'</span><span class="p">).</span><span class="nc">DataTable</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p>Use for:</p> <ul> <li>Visual review by security teams</li> <li>Review in PRs or audit sessions</li> </ul> <h2> 5. CI Integration </h2> <p>Add as a script in <code>package.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"rbac:matrix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node rbac-matrix.js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then include in CI for drift detection / snapshot comparison.</p> <h2> Final Thoughts </h2> <p>Field-level RBAC is a security asset — but only if it’s <strong>visible</strong>.</p> <p>This matrix gives devs, security, and auditors a <strong>shared source of truth</strong>.<br><br> What’s visible becomes improvable.</p> <p>In future posts:</p> <ul> <li>Visual diff between dev/prod RBAC matrices </li> <li>Mapping role → field → query impact </li> <li>Live explorer for GraphQL access previews</li> </ul> <p>Render the matrix. Detect the drift. Own the access graph.</p> Integrating GraphQL Schema Diffing with RBAC Validation: Detecting Access Drift in CI CRUD5th-273- Sun, 30 Mar 2025 12:49:05 +0000 https://dev.to/crud5th-273-/integrating-graphql-schema-diffing-with-rbac-validation-detecting-access-drift-in-ci-4ed3 https://dev.to/crud5th-273-/integrating-graphql-schema-diffing-with-rbac-validation-detecting-access-drift-in-ci-4ed3 <p>GraphQL schema evolves fast — and sometimes, too fast.<br><br> A single field addition can open up sensitive access if RBAC is not updated accordingly.</p> <p>This guide shows how to combine <strong>GraphQL schema diffing</strong> with <strong>RBAC static validation</strong> to detect <strong>access control drift</strong> before it reaches production.</p> <h2> 1. Why Combine Schema Diff with RBAC Checks? </h2> <p><strong>Problem</strong>:<br><br> A developer adds <code>User.passwordHash</code> to the schema, but forgets to restrict it in Hasura’s <code>select_permissions</code>.<br><br> Boom — exposed in prod.</p> <p><strong>Solution</strong>:<br><br> Detect schema additions → cross-reference with RBAC rules → flag violations.</p> <h2> 2. Tools Required </h2> <ul> <li> <a href="https://github.com/kamilkisiela/graphql-inspector" rel="noopener noreferrer"><code>graphql-inspector</code></a>: detects schema diffs</li> <li>Custom RBAC linter (see previous article)</li> <li>GitHub Actions or GitLab CI</li> </ul> <h2> 3. Step 1: Detect Schema Diff </h2> <p>Add this to your workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx graphql-inspector diff old-schema.graphql new-schema.graphql </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code><span class="gi">+ type User { + passwordHash: String + } </span></code></pre> </div> <p>Save this diff JSON for later processing.</p> <h2> 4. Step 2: Extract Sensitive Additions </h2> <p>Build a matcher script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">sensitiveFields</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">key</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hash</span><span class="dl">'</span><span class="p">];</span> <span class="kd">function</span> <span class="nf">isSensitive</span><span class="p">(</span><span class="nx">fieldName</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">sensitiveFields</span><span class="p">.</span><span class="nf">some</span><span class="p">(</span><span class="nx">keyword</span> <span class="o">=&gt;</span> <span class="nx">fieldName</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">includes</span><span class="p">(</span><span class="nx">keyword</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>Filter diff for new fields on sensitive types (e.g., <code>User</code>, <code>Session</code>, <code>AdminAuditLog</code>).</p> <h2> 5. Step 3: Check Against Hasura Metadata </h2> <p>Use the RBAC CLI from previous article to:</p> <ul> <li>Load metadata from <code>metadata/tables/*.yaml</code> </li> <li>For each added field, check: <ul> <li>Is it exposed to any role?</li> <li>Is it restricted by column-level allowlist?</li> </ul> </li> </ul> <p>Throw error if:</p> <ul> <li>New sensitive field is publicly accessible</li> <li>Added field exists but role <code>user</code> has <code>columns: '*'</code> </li> </ul> <h2> 6. CI Pipeline Example (GitHub Actions) </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check GraphQL Schema Diff</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx graphql-inspector diff old.graphql new.graphql &gt; diff.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run RBAC Diff Validator</span> <span class="na">run</span><span class="pi">:</span> <span class="s">node check-rbac-diff.js diff.json metadata/</span> </code></pre> </div> <p><code>check-rbac-diff.js</code> combines:</p> <ul> <li> <code>graphql-inspector</code> output</li> <li>YAML metadata parsing</li> <li>Sensitive field check</li> <li>Role × Column validation</li> </ul> <h2> 7. Optional: Break Only on Sensitive Mismatch </h2> <p>Allow normal schema additions, but fail only if:</p> <ul> <li>Field matches sensitive pattern</li> <li>RBAC does not explicitly filter it</li> </ul> <p>This avoids false positives while enforcing access discipline.</p> <h2> Final Thoughts </h2> <p>CI isn’t just for code — it’s for trust.<br><br> Combining schema diffing with permission validation lets you catch high-risk mistakes <em>before</em> the merge button is clicked.</p> <p>Next:</p> <ul> <li>Auto-comment PRs with detected issues</li> <li>Slack alerting on security-drift</li> <li>Terraform-style plan/apply workflows for GraphQL security</li> </ul> <p>Graph the delta. Validate the access. Prevent silent leaks.</p> Static RBAC Validation from Hasura Metadata: Build Your Own CLI Guardrail CRUD5th-273- Sun, 30 Mar 2025 12:48:28 +0000 https://dev.to/crud5th-273-/static-rbac-validation-from-hasura-metadata-build-your-own-cli-guardrail-5e7o https://dev.to/crud5th-273-/static-rbac-validation-from-hasura-metadata-build-your-own-cli-guardrail-5e7o <p>Hasura's declarative RBAC is powerful — but dangerously quiet when misconfigured.<br><br> You might think <code>guest</code> has no write access… until a policy-less table says otherwise.</p> <p>This guide walks you through building a <strong>CLI tool</strong> that parses Hasura metadata and verifies RBAC rules <strong>statically</strong>, before deployment.</p> <h2> 1. Why Static Validation? </h2> <p>Hasura permissions live in <code>metadata/</code> as YAML or JSON.<br><br> You can validate them without running the server — ideal for CI pipelines.</p> <p>Use cases:</p> <ul> <li>Detect tables with no <code>select</code> restrictions</li> <li>Ensure <code>public</code> role can’t write</li> <li>Enforce field-level allowlists</li> <li>Audit policy completeness per role</li> </ul> <h2> 2. Directory Structure (exported via Hasura CLI) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>metadata/ ├── tables/ │ ├── user.yaml │ ├── invoice.yaml ├── actions/ ├── sources.yaml ├── version.yaml </code></pre> </div> <p>Each <code>*.yaml</code> under <code>tables/</code> contains permissions by role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">select_permissions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">user</span> <span class="na">permission</span><span class="pi">:</span> <span class="na">columns</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">id</span><span class="pi">,</span> <span class="nv">email</span><span class="pi">]</span> <span class="na">filter</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">_eq</span><span class="pi">:</span> <span class="nv">X-Hasura-User-Id</span> <span class="pi">}</span> </code></pre> </div> <h2> 3. CLI Tool Overview </h2> <p>We'll build a Node.js script that:</p> <ul> <li>Loads all <code>tables/*.yaml</code> </li> <li>Parses permissions per role</li> <li>Applies validation rules</li> <li>Outputs audit results or fails with nonzero exit code</li> </ul> <h2> 4. Install Dependencies </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm init <span class="nt">-y</span> npm <span class="nb">install </span>yaml fs glob chalk </code></pre> </div> <h2> 5. Example CLI Logic </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">yaml</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">yaml</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">glob</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">glob</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">chalk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">chalk</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">PERMIT_ROLES</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">metadataPath</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">./metadata/tables</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">files</span> <span class="o">=</span> <span class="nx">glob</span><span class="p">.</span><span class="nf">sync</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">metadataPath</span><span class="p">}</span><span class="s2">/*.yaml`</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">file</span> <span class="k">of</span> <span class="nx">files</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">content</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">file</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">doc</span> <span class="o">=</span> <span class="nx">yaml</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">content</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">table</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">doc</span><span class="p">.</span><span class="nx">table</span><span class="p">.</span><span class="nx">schema</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">doc</span><span class="p">.</span><span class="nx">table</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// Check for public access</span> <span class="kd">const</span> <span class="nx">publicInsert</span> <span class="o">=</span> <span class="nx">doc</span><span class="p">.</span><span class="nx">insert_permissions</span><span class="p">?.</span><span class="nf">find</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">publicInsert</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">chalk</span><span class="p">.</span><span class="nf">red</span><span class="p">(</span><span class="s2">`❌ PUBLIC role has insert access on </span><span class="p">${</span><span class="nx">table</span><span class="p">}</span><span class="s2">`</span><span class="p">));</span> <span class="nx">process</span><span class="p">.</span><span class="nx">exitCode</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Check for missing filters</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">role</span> <span class="k">of</span> <span class="nx">PERMIT_ROLES</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sel</span> <span class="o">=</span> <span class="nx">doc</span><span class="p">.</span><span class="nx">select_permissions</span><span class="p">?.</span><span class="nf">find</span><span class="p">(</span><span class="nx">p</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">role</span> <span class="o">===</span> <span class="nx">role</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">sel</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">!</span><span class="nx">sel</span><span class="p">.</span><span class="nx">permission</span><span class="p">.</span><span class="nx">filter</span> <span class="o">||</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">sel</span><span class="p">.</span><span class="nx">permission</span><span class="p">.</span><span class="nx">filter</span><span class="p">).</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">chalk</span><span class="p">.</span><span class="nf">yellow</span><span class="p">(</span><span class="s2">`⚠️ Role </span><span class="p">${</span><span class="nx">role</span><span class="p">}</span><span class="s2"> has unfiltered SELECT on </span><span class="p">${</span><span class="nx">table</span><span class="p">}</span><span class="s2">`</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 6. Run It in CI </h2> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"validate:rbac"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node rbac-check.js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then add to <code>.github/workflows/ci.yml</code> or GitLab CI pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Validate Hasura RBAC</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run validate:rbac</span> </code></pre> </div> <h2> 7. Extending the Ruleset </h2> <ul> <li>🔒 Block full-field exposure (<code>columns: '*'</code>)</li> <li>🧪 Verify insert/update/delete have field filters</li> <li>📊 Export role × table permission matrix</li> <li>🧬 Compare across environments (dev vs prod metadata)</li> </ul> <h2> Final Thoughts </h2> <p>Hasura metadata is auditable. You just need to look.</p> <p>By statically verifying your RBAC before deployment,<br><br> you eliminate entire classes of silent misconfiguration bugs — before they hit production.</p> <p>Next:</p> <ul> <li>Generate HTML or CSV access matrix</li> <li>Integrate with Slack alerting</li> <li>Build a VSCode plugin for live feedback on permission diffs</li> </ul> <p>Fail fast. Trust static. Secure declaratively.</p> Automating GraphQL Authorization Diff Testing: CI-Driven Access Verification CRUD5th-273- Sun, 30 Mar 2025 12:45:37 +0000 https://dev.to/crud5th-273-/automating-graphql-authorization-diff-testing-ci-driven-access-verification-4jaf https://dev.to/crud5th-273-/automating-graphql-authorization-diff-testing-ci-driven-access-verification-4jaf <p>Manual validation of GraphQL access control is tedious, error-prone, and unscalable.<br><br> When RBAC rules evolve, it’s easy to introduce permission drift — granting unintended access or revoking legitimate ones.</p> <p>This article shows how to <strong>automate authorization difference testing</strong> to ensure only the right roles access the right resources.</p> <h2> 1. Problem: RBAC Drift in GraphQL APIs </h2> <p>When field-level or object-level rules change, it’s difficult to answer:</p> <ul> <li>“Can a <code>USER</code> still read <code>email</code>?”</li> <li>“Did we accidentally give <code>GUEST</code> access to <code>adminStats</code>?”</li> <li>“Are <code>ADMIN</code> and <code>SUPERADMIN</code> aligned across environments?”</li> </ul> <h2> 2. Solution Overview </h2> <p>We define:</p> <ul> <li>A set of <strong>test queries</strong> that represent core permissions</li> <li>A matrix of <strong>roles &amp; tokens</strong> </li> <li>Expected <code>allow</code> / <code>deny</code> outcomes</li> <li>A CI test that verifies these expectations per role</li> </ul> <h2> 3. Setup: Roles and Test Matrix </h2> <p>Example roles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">roles</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">GUEST</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">USER</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ADMIN</span><span class="dl">'</span><span class="p">];</span> </code></pre> </div> <p>Test cases:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">tests</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user can read their own profile</span><span class="dl">'</span><span class="p">,</span> <span class="na">query</span><span class="p">:</span> <span class="s2">`{ me { id email } }`</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USER</span><span class="dl">'</span><span class="p">,</span> <span class="na">expectAccess</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">guest cannot access stats</span><span class="dl">'</span><span class="p">,</span> <span class="na">query</span><span class="p">:</span> <span class="s2">`{ adminStats { userCount } }`</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GUEST</span><span class="dl">'</span><span class="p">,</span> <span class="na">expectAccess</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">];</span> </code></pre> </div> <h2> 4. Token Generator </h2> <p>Use pre-signed JWTs or mock tokens per role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">getTokenForRole</span><span class="p">(</span><span class="nx">role</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="nx">role</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">123</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">SECRET</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 5. Execution Logic </h2> <p>Use <code>graphql-request</code> or <code>apollo-client</code> to send queries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">request</span><span class="p">,</span> <span class="nx">gql</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-request</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">runTest</span><span class="p">({</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">role</span><span class="p">,</span> <span class="nx">expectAccess</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nf">getTokenForRole</span><span class="p">(</span><span class="nx">role</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">request</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:4000/graphql</span><span class="dl">'</span><span class="p">,</span> <span class="na">document</span><span class="p">:</span> <span class="nx">gql</span><span class="s2">`</span><span class="p">${</span><span class="nx">query</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">requestHeaders</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">expectAccess</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Expected denial but got data</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">expectAccess</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Expected data but got denied</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 6. CI Integration </h2> <p>Run tests via <code>jest</code>, <code>vitest</code>, or plain <code>node</code> script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node test-permissions.js </code></pre> </div> <p>Add to GitHub Actions, GitLab CI, or any CI/CD runner to verify RBAC on every push.</p> <h2> 7. Bonus: Diff Snapshot Testing </h2> <p>Store expected output snapshots per role using <code>jest-snapshot</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">).</span><span class="nf">toMatchSnapshot</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">role</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">queryName</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> </code></pre> </div> <p>Detect subtle API shape drifts, even across environments.</p> <h2> Final Thoughts </h2> <p>Authorization is dynamic. Regression is silent.<br><br> With RBAC diff testing in place, you get early warning before a misconfigured permission becomes an incident.</p> <p>Next:</p> <ul> <li>Visual matrix reports (role × query coverage)</li> <li>Field-level permission map generators</li> <li>Integration with Hasura metadata or Apollo schema diff tools</li> </ul> <p>Declare the rules. Prove the intent. Automate the boundary.</p> Building RBAC with Apollo Server and GraphQL Shield: A Secure Access Control Guide CRUD5th-273- Sun, 30 Mar 2025 12:44:56 +0000 https://dev.to/crud5th-273-/building-rbac-with-apollo-server-and-graphql-shield-a-secure-access-control-guide-72a https://dev.to/crud5th-273-/building-rbac-with-apollo-server-and-graphql-shield-a-secure-access-control-guide-72a <p>In code-first GraphQL servers like Apollo, authorization is often ad-hoc and scattered.<br><br> To centralize and harden your access control logic, <strong>graphql-shield</strong> provides a declarative, composable way to define <strong>RBAC</strong> at the schema level.</p> <p>This post outlines how to build a secure and maintainable RBAC system using <strong>Apollo Server + graphql-shield</strong>.</p> <h2> 1. Install Dependencies </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>graphql graphql-shield apollo-server </code></pre> </div> <h2> 2. Define Roles and Permissions </h2> <p>Example roles: <code>ADMIN</code>, <code>USER</code>, <code>GUEST</code></p> <p>We'll use a context object to propagate identity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">Context</span> <span class="p">{</span> <span class="nl">user</span><span class="p">?:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ADMIN</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">USER</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">GUEST</span><span class="dl">'</span><span class="p">;</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> 3. Define Your Schema </h2> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">type</span><span class="w"> </span><span class="n">Query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">me</span><span class="p">:</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="n">adminStats</span><span class="p">:</span><span class="w"> </span><span class="n">Stats</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">Mutation</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">updateUser</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="nb">ID</span><span class="p">!,</span><span class="w"> </span><span class="n">input</span><span class="p">:</span><span class="w"> </span><span class="n">UserInput</span><span class="p">):</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="nb">ID</span><span class="p">!</span><span class="w"> </span><span class="n">email</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!</span><span class="w"> </span><span class="n">role</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">Stats</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">userCount</span><span class="p">:</span><span class="w"> </span><span class="nb">Int</span><span class="w"> </span><span class="n">revenue</span><span class="p">:</span><span class="w"> </span><span class="nb">Float</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 4. Create Permission Rules with graphql-shield </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">rule</span><span class="p">,</span> <span class="nx">shield</span><span class="p">,</span> <span class="nx">and</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-shield</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Base rules</span> <span class="kd">const</span> <span class="nx">isAuthenticated</span> <span class="o">=</span> <span class="nf">rule</span><span class="p">()(</span><span class="k">async </span><span class="p">(</span><span class="nx">parent</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">:</span> <span class="nx">Context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="o">!!</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">isAdmin</span> <span class="o">=</span> <span class="nf">rule</span><span class="p">()(</span><span class="k">async </span><span class="p">(</span><span class="nx">parent</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">:</span> <span class="nx">Context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ADMIN</span><span class="dl">'</span><span class="p">;</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">isSelf</span> <span class="o">=</span> <span class="nf">rule</span><span class="p">()(</span><span class="k">async </span><span class="p">(</span><span class="nx">parent</span><span class="p">,</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">},</span> <span class="nx">ctx</span><span class="p">:</span> <span class="nx">Context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">id</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <h2> 5. Map Rules to Schema with Permissions Object </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">permissions</span> <span class="o">=</span> <span class="nf">shield</span><span class="p">({</span> <span class="na">Query</span><span class="p">:</span> <span class="p">{</span> <span class="na">me</span><span class="p">:</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="na">adminStats</span><span class="p">:</span> <span class="nx">isAdmin</span><span class="p">,</span> <span class="p">},</span> <span class="na">Mutation</span><span class="p">:</span> <span class="p">{</span> <span class="na">updateUser</span><span class="p">:</span> <span class="nf">and</span><span class="p">(</span><span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">isSelf</span><span class="p">),</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>This enforces:</p> <ul> <li>Only authenticated users can access <code>me</code> </li> <li>Only admins can see <code>adminStats</code> </li> <li>Users can only update <em>their own</em> profile</li> </ul> <h2> 6. Integrate with Apollo Server </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ApolloServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">apollo-server</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">applyMiddleware</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-middleware</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApolloServer</span><span class="p">({</span> <span class="na">schema</span><span class="p">:</span> <span class="nf">applyMiddleware</span><span class="p">(</span><span class="nx">schema</span><span class="p">,</span> <span class="nx">permissions</span><span class="p">),</span> <span class="na">context</span><span class="p">:</span> <span class="p">({</span> <span class="nx">req</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nf">decodeJWT</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// your JWT decoder</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">};</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h2> 7. Tips for Secure Scaling </h2> <ul> <li>Use role constants or enums to avoid typos</li> <li>Chain rules with <code>and</code>, <code>or</code>, <code>not</code> for complex logic</li> <li>Log access decisions for auditability</li> <li>Version control permission definitions alongside schema</li> </ul> <h2> Final Thoughts </h2> <p>RBAC in Apollo isn't optional — it's your last line of defense.<br><br> With graphql-shield, you gain clarity, modularity, and enforceability across your GraphQL API.</p> <p>Next: add field-level restrictions, dynamic tenant scoping, and automated tests for auth rules.</p> <p>Control the graph. Declare the rules. Trust only what you verify.</p> Deploying Hasura in a Zero Trust Architecture: Hardened Configuration Blueprint CRUD5th-273- Sun, 30 Mar 2025 12:44:16 +0000 https://dev.to/crud5th-273-/deploying-hasura-in-a-zero-trust-architecture-hardened-configuration-blueprint-2gf4 https://dev.to/crud5th-273-/deploying-hasura-in-a-zero-trust-architecture-hardened-configuration-blueprint-2gf4 <p>Hasura is powerful — and dangerously open by default.<br><br> To run it safely in production, especially in regulated or hostile environments,<br><br> a <strong>Zero Trust Architecture</strong> is not optional — it’s essential.</p> <p>This post presents a <strong>layered, hardened deployment model</strong> for Hasura under zero trust principles.</p> <h2> 1. Design Philosophy </h2> <blockquote> <p>"Never trust the network. Never trust the client. Always verify, at every layer."</p> </blockquote> <p>We enforce:</p> <ul> <li> <strong>No public surface</strong> without authentication</li> <li><strong>Strict identity propagation via JWT</strong></li> <li> <strong>Micro-segmentation</strong> for roles and routes</li> <li><strong>Immutable permissions</strong></li> <li><strong>Audit everything</strong></li> </ul> <h2> 2. High-Level Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Client] → [API Gateway] → [Auth Proxy] → [Hasura] → [PostgreSQL] ↘︎ [OPA / Authz] ↘︎ [JWT Signer] </code></pre> </div> <ul> <li>All traffic goes through <strong>gateway</strong> </li> <li> <strong>Auth proxy (e.g. Firebase Auth / custom)</strong> issues JWTs</li> <li> <strong>OPA or equivalent</strong> enforces external authorization</li> <li>Hasura trusts <strong>only verified JWTs</strong> via <code>x-hasura-*</code> claims</li> </ul> <h2> 3. JWT Configuration in Hasura </h2> <p>Set the following environment vars:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">HASURA_GRAPHQL_JWT_SECRET</span><span class="o">=</span><span class="s1">'{ "type": "HS256", "key": "&lt;secure-key&gt;", "claims_namespace_path": "$.hasura" }'</span> <span class="nv">HASURA_GRAPHQL_AUTH_HOOK</span><span class="o">=</span>https://opa.example.com/authorize <span class="nv">HASURA_GRAPHQL_ADMIN_SECRET</span><span class="o">=</span>disable_this_in_zero_trust </code></pre> </div> <h3> 🔥 Best Practice: </h3> <ul> <li><strong>DO NOT use admin secret in production</strong></li> <li><strong>DO NOT expose <code>/v1/graphql</code> directly to the internet</strong></li> <li><strong>DO NOT allow unauthenticated roles unless locked-down</strong></li> </ul> <h2> 4. Permissions via Roles </h2> <p>Define strict roles with field and row-level filters.</p> <p>Example: <code>user</code> role for table <code>invoices</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">select</span><span class="pi">:</span> <span class="na">filter</span><span class="pi">:</span> <span class="na">owner_id</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">_eq</span><span class="pi">:</span> <span class="nv">X-Hasura-User-Id</span> <span class="pi">}</span> <span class="na">columns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">id</span> <span class="pi">-</span> <span class="s">amount</span> <span class="pi">-</span> <span class="s">status</span> </code></pre> </div> <p>Use Hasura Console or metadata YAML to version-control permission rules.</p> <h2> 5. API Gateway Layer </h2> <p>Use <strong>Envoy / Traefik / Kong / AWS API Gateway</strong> to:</p> <ul> <li>Enforce HTTPS only</li> <li>Strip any client-supplied <code>x-hasura-*</code> headers</li> <li>Inject clean, signed JWTs</li> <li>Rate-limit per role/IP/token</li> <li>Block unknown routes (<code>/_console</code>, <code>/v2/query</code>, <code>/v1alpha1</code>)</li> </ul> <h2> 6. Open Policy Agent (OPA) Integration </h2> <p>Add a <strong>sidecar or external OPA</strong> for dynamic policy checks:</p> <ul> <li>Time-based access control</li> <li>IP allowlists per tenant</li> <li>Data-driven deny rules</li> </ul> <p>OPA can inject headers like <code>x-hasura-allowed: true</code>,<br><br> which Hasura can read via custom auth hook logic.</p> <h2> 7. Monitoring and Auditing </h2> <p>Use:</p> <ul> <li> <strong>Hasura Events / Webhooks</strong> to log high-value actions</li> <li> <strong>PostgreSQL log_statement</strong> for backend visibility</li> <li> <strong>GraphQL depth/complexity limits</strong> to avoid DoS</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HASURA_GRAPHQL_ENABLE_TELEMETRY=false HASURA_GRAPHQL_ENABLE_CONSOLE=false HASURA_GRAPHQL_ENABLED_LOG_TYPES=startup,http-log,webhook-log </code></pre> </div> <p>Push all logs to ELK / Loki / CloudWatch for long-term review.</p> <h2> Final Hardening Tips </h2> <ul> <li>🛡 <strong>Remove public role entirely</strong> </li> <li>🔒 <strong>Disable console and metadata APIs</strong> </li> <li>🧠 <strong>Review permissions via CI on every schema change</strong> </li> <li>📶 <strong>Lock network ingress via security group / VPC firewall</strong> </li> <li>🎯 <strong>Adopt a deny-by-default policy — then allow per role</strong> </li> </ul> <h2> Final Thoughts </h2> <p>Hasura is GraphQL at hyperspeed — but that velocity cuts both ways.</p> <p>If you're not running Zero Trust, you're trusting too much.</p> <p>In upcoming articles:</p> <ul> <li>Build a JWT issuing system for Hasura with short-lived tokens</li> <li>Policy versioning for field-level access</li> <li>Shadow mode attack detection via telemetry signals</li> </ul> <p>Trust no one. Authorize everything. Harden by design.</p> Apollo vs Hasura: Attack Surface and Security Configuration Compared CRUD5th-273- Sun, 30 Mar 2025 12:42:40 +0000 https://dev.to/crud5th-273-/apollo-vs-hasura-attack-surface-and-security-configuration-compared-1p0l https://dev.to/crud5th-273-/apollo-vs-hasura-attack-surface-and-security-configuration-compared-1p0l <p>GraphQL has matured into a production-ready API layer — but its security posture heavily depends on the implementation.</p> <p>This article compares <strong>Apollo Server</strong> and <strong>Hasura</strong>, two of the most popular GraphQL engines,<br><br> with a focus on their <strong>attack surface</strong>, <strong>default exposure</strong>, and <strong>hardening strategies</strong>.</p> <h2> 1. Philosophy &amp; Stack Differences </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Apollo Server</th> <th>Hasura</th> </tr> </thead> <tbody> <tr> <td>Type</td> <td>Code-first (Node.js)</td> <td>Config-driven (Haskell/PostgreSQL)</td> </tr> <tr> <td>Auth Model</td> <td>Custom middleware</td> <td>Declarative rules / JWT claims</td> </tr> <tr> <td>Extensibility</td> <td>Full JS logic per resolver</td> <td>Remote schemas, Actions</td> </tr> <tr> <td>Default State</td> <td>Open dev tools, introspection on</td> <td>Admin mode exposes everything</td> </tr> </tbody> </table></div> <h2> 2. Introspection Exposure </h2> <ul> <li> <strong>Apollo</strong>: Introspection enabled by default in dev; should be disabled via: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">new</span> <span class="nc">ApolloServer</span><span class="p">({</span> <span class="na">introspection</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <ul> <li> <strong>Hasura</strong>: Introspection is always available unless behind auth proxy. Schema exposed entirely in admin mode (via <code>x-hasura-admin-secret</code>)</li> </ul> <h3> 🔥 Attack Note: </h3> <p>If Hasura is deployed without an admin secret or behind a proxy that leaks headers,<br><br> an attacker can access full schema and permissions.</p> <h2> 3. Authentication &amp; Authorization </h2> <h3> Apollo: </h3> <ul> <li>Fully custom logic in resolver or middleware</li> <li>Requires discipline and testing</li> <li>Can use libraries like <code>graphql-shield</code>, <code>graphql-middleware</code> </li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">isAdmin</span> <span class="o">=</span> <span class="p">(</span><span class="nx">context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">context</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <h3> Hasura: </h3> <ul> <li>JWT-based declarative access rules</li> <li>Field-level auth with roles and row-level policies</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="n">x</span><span class="o">-</span><span class="n">hasura</span><span class="o">-</span><span class="k">role</span><span class="p">:</span> <span class="k">user</span> <span class="n">x</span><span class="o">-</span><span class="n">hasura</span><span class="o">-</span><span class="k">user</span><span class="o">-</span><span class="n">id</span><span class="p">:</span> <span class="mi">123</span> </code></pre> </div> <p>Permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">select</span><span class="pi">:</span> <span class="na">filter</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">_eq</span><span class="pi">:</span> <span class="nv">X-Hasura-User-Id</span> <span class="pi">}</span> </code></pre> </div> <h3> 🔥 Attack Note: </h3> <p>Apollo is vulnerable to inconsistent auth if resolvers lack guardrails.<br><br> Hasura is vulnerable if JWT claims are forgeable or misvalidated.</p> <h2> 4. Mutation Risk Surface </h2> <p>Apollo:</p> <ul> <li>Custom-defined resolvers → safer if reviewed</li> <li>RCE risk only if eval/dangerous logic is present</li> </ul> <p>Hasura:</p> <ul> <li>Exposes <strong>Insert / Update / Delete</strong> by default</li> <li>Can be dangerous if permissions are not tightly scoped</li> </ul> <h3> 🛡 Best Practice: </h3> <ul> <li>In Hasura: <strong>Disable public role</strong>, enforce permissions per table</li> <li>In Apollo: <strong>Never trust args blindly</strong>, validate all input manually</li> </ul> <h2> 5. Metadata &amp; Admin Interface Exposure </h2> <ul> <li> <strong>Apollo</strong>: No built-in admin panel → safer by default</li> <li> <strong>Hasura</strong>: Admin console on <code>/</code> or <code>/console</code> </li> </ul> <h3> 🔥 Risk: </h3> <p>Leaving Hasura console open (unauthenticated) exposes schema, mutations, JWT settings.</p> <p>Harden via:</p> <ul> <li>Admin secret</li> <li>IP whitelisting</li> <li>Console disabled in production</li> </ul> <h2> 6. Defense-in-Depth Recommendations </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Apollo</th> <th>Hasura</th> </tr> </thead> <tbody> <tr> <td>Introspection</td> <td>Disable in prod</td> <td>Restrict via header firewall</td> </tr> <tr> <td>Field Auth</td> <td>graphql-shield / custom logic</td> <td>Role-based field filtering</td> </tr> <tr> <td>Rate Limiting</td> <td>Third-party middleware</td> <td>External reverse proxy (e.g. NGINX)</td> </tr> <tr> <td>Query Limiting</td> <td> <code>graphql-depth-limit</code>, <code>cost</code> libs</td> <td>Built-in depth and cost analysis</td> </tr> <tr> <td>Logging</td> <td>Custom logging hook</td> <td>Built-in event triggers</td> </tr> </tbody> </table></div> <h2> Final Thoughts </h2> <p>Apollo gives you freedom — and risk.<br><br> Hasura gives you power — and sharp edges.</p> <p>Whichever stack you choose, the key principle remains:</p> <blockquote> <p>Schema is not security.<br><br> Implement, enforce, and audit your rules like you're under attack.</p> </blockquote> <p>In the next article: building a secure GraphQL gateway in front of Hasura using Envoy + OPA.</p> Authorization Bypass in GraphQL: Reproduction and Detection Techniques CRUD5th-273- Sun, 30 Mar 2025 12:41:42 +0000 https://dev.to/crud5th-273-/authorization-bypass-in-graphql-reproduction-and-detection-techniques-893 https://dev.to/crud5th-273-/authorization-bypass-in-graphql-reproduction-and-detection-techniques-893 <p>Authentication tells the API <em>who you are</em>.<br><br> Authorization defines <em>what you’re allowed to do</em>.<br><br> And in GraphQL, that second layer is frequently neglected — especially at the field and object level.</p> <p>This post demonstrates how to reproduce and detect <strong>authorization bypass vulnerabilities</strong> in GraphQL APIs.</p> <h2> 1. What Makes GraphQL Authorization Fragile? </h2> <p>Unlike REST, GraphQL allows a single request to query multiple resources and fields.<br><br> If the server doesn’t enforce per-field or per-object authorization checks, attackers can craft queries like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">isAdmin</span><span class="w"> </span><span class="n">passwordHash</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Even if the endpoint is authenticated, the <strong>lack of granular access control</strong> leads to overexposure.</p> <h2> 2. Reproducing Bypass Scenarios </h2> <h3> Scenario A: Horizontal Privilege Escalation </h3> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getUser</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="s2">"1234"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">billingInfo</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now try:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="err">getUser(id:</span><span class="w"> </span><span class="err">"1235")</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Not</span><span class="w"> </span><span class="err">your</span><span class="w"> </span><span class="err">own</span><span class="w"> </span><span class="err">account</span><span class="w"> </span></code></pre> </div> <p>If the server returns the data: authorization check is missing.</p> <h3> Scenario B: Role-Based Bypass </h3> <p>Send request <strong>as a low-privilege user</strong>, but attempt to access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">mutation</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">createAdminUser</span><span class="p">(</span><span class="n">input</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">username</span><span class="p">:</span><span class="w"> </span><span class="s2">"attacker"</span><span class="p">,</span><span class="w"> </span><span class="n">password</span><span class="p">:</span><span class="w"> </span><span class="s2">"1234"</span><span class="w"> </span><span class="p">})</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If no RBAC is applied to that resolver → direct privilege escalation.</p> <h2> 3. Field-Level Exposure </h2> <p>Common mistake: <strong>exposing sensitive fields on shared objects</strong> without role checks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">me</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">jwtToken</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="n">should</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">hidden</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Also common: fields only used for internal admin dashboards being exposed to regular users.</p> <h2> 4. Detection Techniques </h2> <h3> Manual Recon with Introspection </h3> <p>Use introspection to enumerate fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">__type</span><span class="p">(</span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="s2">"User"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">fields</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">kind</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Look for suspicious fields:</p> <ul> <li> <code>isRoot</code>, <code>paymentToken</code>, <code>sessionSecret</code>, <code>logs</code> </li> </ul> <h3> Fuzzing with Burp GraphQL Raider or Intruder </h3> <p>Automate the injection of:</p> <ul> <li>Other user IDs</li> <li>Unauthorized mutations</li> <li>Role-altering fields</li> </ul> <p>Track response differences:</p> <ul> <li>Status codes</li> <li>Length variations</li> <li>Leaked values</li> </ul> <h3> Differential Testing </h3> <p>Compare same query results:</p> <ul> <li>As normal user vs admin</li> <li>As user A vs user B</li> </ul> <p>If response differences are inconsistent with roles, authZ is flawed.</p> <h2> 5. Logging + Rate Observability (Defensive Tip) </h2> <p>If you’re defending a GraphQL API:</p> <ul> <li>Instrument resolvers with audit logs per field</li> <li>Use contextual authZ: <code>if (user.id !== targetUser.id) { deny }</code> </li> <li>Reject introspection in production unless whitelisted</li> <li>Define schema-based access policies (e.g., with Hasura, GraphQL Shield)</li> </ul> <h2> Final Thoughts </h2> <p>GraphQL makes it easy to over-fetch.<br><br> Without strict per-resolver authorization, <strong>attackers will explore beyond their boundary</strong> — and often succeed.</p> <p>In the next article, we’ll demonstrate:</p> <ul> <li>Using GraphQL Shield to enforce RBAC</li> <li>Mock exploit labs for field-level overreach</li> </ul> <p>Test the edges. Validate the rules. Never trust the schema alone.</p> Exploiting GraphQL Introspection: Mapping the API Like an Insider CRUD5th-273- Sun, 30 Mar 2025 12:40:49 +0000 https://dev.to/crud5th-273-/exploiting-graphql-introspection-mapping-the-api-like-an-insider-2i0k https://dev.to/crud5th-273-/exploiting-graphql-introspection-mapping-the-api-like-an-insider-2i0k <p><strong>Introspection</strong> is a powerful feature in GraphQL, designed to expose the full schema to clients for convenience and tooling.<br><br> But when left enabled in production, it offers attackers a blueprint of your internal API design — often more revealing than source code.</p> <p>In this post, we’ll walk through how to weaponize GraphQL introspection for offensive security assessments.</p> <h2> 1. What Is Introspection? </h2> <p>It allows querying the GraphQL server for its own schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">__schema</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">types</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">fields</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Response reveals:</p> <ul> <li>All available queries and mutations</li> <li>Field names, input types, return types</li> <li>Relationships, enum values, descriptions</li> </ul> <h2> 2. Why It Matters in Offensive Security </h2> <p>When enabled, introspection turns <strong>black-box APIs into white-box targets</strong>.<br><br> Benefits for attackers:</p> <ul> <li>Discover hidden functionality (admin-only queries, debug fields)</li> <li>Reveal sensitive data models (user roles, permissions, payment tokens)</li> <li>Map internal microservices via field names</li> <li>Automate attack surface expansion</li> </ul> <h2> 3. Extracting the Full Schema </h2> <h3> Option A: Manual Querying </h3> <p>Use Burp Repeater or Postman:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"query"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{ __schema { types { name fields { name type { name kind } } } } }"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Option B: Tooling </h3> <h4> <a href="https://github.com/APIs-guru/graphql-voyager" rel="noopener noreferrer">GraphQL Voyager</a> </h4> <ul> <li>Converts introspection result into an interactive graph</li> </ul> <h4> <a href="https://github.com/doyensec/inql" rel="noopener noreferrer">InQL Scanner (Burp)</a> </h4> <ul> <li>Burp extension that maps and enumerates endpoints</li> <li>Sends fuzz payloads to known fields automatically</li> </ul> <h4> <a href="https://github.com/skevy/graphql-introspection-cli" rel="noopener noreferrer">graphql-introspection-cli</a> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>graphql-introspection https://target.com/graphql <span class="o">&gt;</span> schema.json </code></pre> </div> <h2> 4. What to Look For </h2> <h3> 🧠 Field Hints </h3> <p>Look for names like:</p> <ul> <li> <code>debugLog</code>, <code>adminUsers</code>, <code>resetPasswordToken</code>, <code>configSettings</code> </li> </ul> <h3> 🔐 Unintended Exposure </h3> <ul> <li>Private fields that bypass access control</li> <li>Mutation endpoints that change state (<code>deleteUser</code>, <code>upgradeAccount</code>)</li> <li>Enum values that define internal roles (<code>SUPERADMIN</code>, <code>STAFF_INTERNAL</code>)</li> </ul> <h3> 💥 Chaining Targets </h3> <ul> <li>Input types that accept <code>file</code>, <code>url</code>, or <code>command</code> parameters</li> <li>Fields with high nesting depth → DoS</li> <li>Connections between types that enable overreach</li> </ul> <h2> 5. Real-World Exploitation Flow </h2> <ol> <li>Confirm introspection is enabled</li> <li>Extract and analyze full schema</li> <li>Identify high-value fields</li> <li>Send crafted queries via Burp Repeater or GraphQL Raider</li> <li>Validate behavior, escalate to abuse</li> </ol> <h2> 6. How to Defend </h2> <ul> <li> <strong>Disable introspection in production</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nl">introspection</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <ul> <li>Use schema whitelisting and RBAC per field</li> <li>Monitor introspection attempts — they often signal reconnaissance</li> <li>Rate-limit large or deeply nested queries</li> </ul> <h2> Final Thoughts </h2> <p>Introspection isn’t just metadata — it’s <strong>attack surface amplification</strong>.<br><br> Leaving it exposed in production is equivalent to handing out internal API docs to strangers.</p> <p>In the hands of a skilled operator, introspection turns uncertainty into a surgical strike plan.</p> <p>Next: abusing field-level access misconfigurations discovered via introspection.</p> <p>Map the schema. Decode the logic. Strike with context.</p>