hexpreview

README.md

<div align="center">
  <img src="https://github.com/mirego/absinthe_security/assets/11348/3814bf39-6a9d-4e72-9029-8e66b0b9f761" width="700" />
  <p><br /><code>AbsintheSecurity</code> provides utilities to improve the security posture of APIs built with <a href="https://absinthe-graphql.org/">Absinthe GraphQL</a>.</p>
  <a href="https://github.com/mirego/absinthe_security/actions/workflows/ci.yaml?branch=main"><img src="https://github.com/mirego/absinthe_security/actions/workflows/ci.yaml/badge.svg?branch=main" /></a>
  <a href="https://hex.pm/packages/absinthe_security"><img src="https://img.shields.io/hexpm/v/absinthe_security.svg" /></a>
</div>

## Installation

Add `absinthe_security` to the `deps` function in your project’s `mix.exs` file:

```elixir
defp deps do
  [
    {:absinthe_security, "~> 0.1"}
  ]
end
```

Then run `mix do deps.get, deps.compile` inside your project’s directory.

## Usage

First, initialize `Absinthe.Plug` with a custom configuration:

```elixir
forward("/graphql",
  to: Absinthe.Plug,
  init_opts: MyAppGraphQL.configuration()
)
```

Your custom configuration (with all of `AbsintheSecurity`’s checks) might look like this:

```elixir
defmodule MyAppGraphQL do
  def configuration do
    [schema: MyAppGraphQL.Schema, pipeline: {__MODULE__, :absinthe_pipeline}]
  end

  def absinthe_pipeline(config, options) do
    config
    |> Absinthe.Plug.default_pipeline(options)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.IntrospectionCheck)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, AbsintheSecurity.Phase.FieldSuggestionsCheck)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxAliasesCheck)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxDepthCheck)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxDirectivesCheck)
  end
end
```

### `AbsintheSecurity.Phase.IntrospectionCheck`

Disable schema introspection queries at runtime.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.IntrospectionCheck,
  enable_introspection: System.get_env("GRAPHQL_ENABLE_INTROSPECTION")
```

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.IntrospectionCheck)
```

### `AbsintheSecurity.Phase.DisableFieldSuggestions`

Disable field suggestions in responses at runtime.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.FieldSuggestionsCheck,
  enable_field_suggestions: System.get_env("GRAPHQL_ENABLE_FIELD_SUGGESTIONS")
```

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, AbsintheSecurity.Phase.FieldSuggestionsCheck)
```

### `AbsintheSecurity.Phase.MaxAliasesCheck`

Restrict the number of aliases that can be used in queries.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.MaxAliasesCheck,
  max_alias_count: 100
```

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxAliasesCheck)
```

### `AbsintheSecurity.Phase.MaxDepthCheck`

Restrict the depth level that can be used in queries.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.MaxDepthCheck,
  max_depth_count: 100
```

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxDepthCheck)
```

### `AbsintheSecurity.Phase.MaxDirectivesCheck`

Restrict the number of directives that can be used in queries.

```elixir
config :absinthe_security, AbsintheSecurity.Phase.MaxDirectivesCheck,
  max_directive_count: 100
```

```elixir
|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, AbsintheSecurity.Phase.MaxDirectivesCheck)
```

## License

`AbsintheSecurity` is © 2023 [Mirego](https://www.mirego.com) and may be freely distributed under the [New BSD license](http://opensource.org/licenses/BSD-3-Clause). See the [`LICENSE.md`](https://github.com/mirego/absinthe_security/blob/main/LICENSE.md) file.

## About Mirego

[Mirego](https://www.mirego.com) is a team of passionate people who believe that work is a place where you can innovate and have fun. We’re a team of [talented people](https://life.mirego.com) who imagine and build beautiful Web and mobile applications. We come together to share ideas and [change the world](http://www.mirego.org).

We also [love open-source software](https://open.mirego.com) and we try to give back to the community as much as we can.