LatchQL: customizable security measures for GraphQL API’s
What is GraphQL?
GraphQL is quickly becoming one of the most popular tools for developers for building an API, replacing the idea of using RESTful APIs. GraphQL has gained popularity because it is a query language that allows a developer to fetch multiple data points and respond with specific data as opposed to REST API where each query returns all of the nested data. It allows a higher level customizability in creating queries which ultimately benefits the developer especially when it comes to avoiding overfetching and underfetching data.
Problems with GraphQL
Data retrieval with GraphQL allows for major advantages specific to query efficiency as opposed to traditional REST architecture. However, there are significant drawbacks that compromise the security of the API.
This is the problem that LatchQL intends to address. LatchQL is a free-to-use, lightweight middleware package that adds additional layers of security to applications. It incorporates various technologies to account for vulnerabilities presented when running GraphQL queries.
Inconsistent Authorization Protocols
GraphQL allows for proper data validation, but leaves API developers to implement authentication and authorization methods on their own. Meaning that if you, as the developer, allow for requests to your API from the general public, malicious bots and bad actors will see this as an invitation to exploit your data. Just like with REST endpoints, authentication and authorization protocols are integral means to protecting your users’ experience.
Malicious Cyclic Queries and Bad Actors
One of the main motivations for developers to integrate GraphQL as opposed to old school RESTful APIs is that it allows for users to shape and request exactly the data that they ask for: users are able to query from relational table to table without joining collections. You can already depict what and from where the downfalls of this fantastic feature may manifest. If users request specific data from one tableA and then to tableB then back to tableA, this creates a big loop in the request which rapidly eats up computational resources and can render your API unresponsive.
Mo Depth = Mo Cost = Mo Problems
Your backend server should have limitations on how many requests it can process within a given time frame as well. We live in a world where technology is accessible to all types of people including those with malicious intent who, with access to your API, can spam your endpoint and rapidfire requests with bots which will undoubtedly slow down your server and completely crash it. Again, this makes requests expensive and susceptible to brute force attacks — a trial and error method to crack passwords of users on your site.
Enter: LatchQL
To mitigate these risks, we’ve partnered with OSLabs to bring you LatchQL, an npm package that adds additional layers of security with customizable configuration for role-based authorization into your GraphQL application. With a simple set up, LatchQL seamlessly integrates into your new or pre-existing project and protects your database through the validation of queries using our user-specific cost, depth, and rate limiting algorithms.
Cost Limiting
LatchQL’s cost limiting is essential for securing your GraphQL endpoint. The “cost” of a query is determined with a proprietary algorithm which factors in depth and size of the return data. By putting a limit on the cost of a single GraphQL transaction, you can prevent resource overload by blocking excessively expensive requests. Users have the ability to define the maximum cost on specific users. If the incoming request exceeds the limit, an error will be provided as seen in the image below.
Depth Limiting
LatchQL’s depth limiting is vital for protecting the server against malicious query attacks. This limit is commonly used for never ending query loops that expose the endpoint to potential attacks. By using the depth limiter, you can validate the depth of incoming queries on a user’s permission level and prevent execution if it exceeds the limit.
Rate Limiting
LatchQL’s rate limiting is a strategy used for limiting network traffic and strain on the server. It’s mainly used to prevent bot activity, brute force, DoS, DDoS, and web scraping attacks. By using the rate limiter, users are allocated a maximum of sum X cost for every fixed size 1-minute time window. If they exceed the limit, the user must wait until the time is expired to successfully execute any future queries.
Customizability
LatchQL allows you to tailor levels of access and tie them to your user database. Create different levels of access in the latch_config file and give each one unique limits. No one-size-fits-all is needed. Use LatchQL’s provided Express middleware after your own login process to save a secure JWT for users which LatchQL can read on every query. Running a public API that needs to grant access to users without login credentials? No problem, customize levels of access for the ‘Non-user’ tier in exactly the same way.
Using the Playground
Furthermore, you can use the downloadable playground tool to test your authorization levels as well as your schema and resolvers. LatchQL sets up a specialized endpoint under the hood which allows queries from the playground to be submitted at any level specified in the config file. The playground will also provide valuable insights into metrics for speed and cpu usage on queries, as well as allow you to preview the depth and cost analysis of your query before submitting it to the API. Save variables and fragments while you test to save time and speed up your process.
When you are finished testing, close the playground and your API will work in exactly the same way. Queries from the playground bypass authentication to allow for querying at any of the provided levels.
What’s next for LatchQL
While the playground could provide the test of the authorization levels, in future iterations we hope to have more features on our playground. Here are some possible features for the playground:
- Storing a history of queries
- Editing user’s permission level and customize individual limiters from the playground
Get Involved
LatchQL is an open-source product supported by the tech accelerator OSLabs. We welcome you to try out LatchQL, leave feedback, and open issues for us.
Please check out our
[LinkedIn]
[GitHub]