Proxy Server for enforcing GraphQL Policies
GraphQL Proxy for TIBCO Cloud™ API Management is a Node.js application that is deployed on TIBCO Cloud™ Integration (TCI) and invoked as a preprocessor from TIBCO Cloud™ API Management. This application can help enforce below policies -
- Max Query Depth - Specify the maximum allowed depth for the graphQL query
- Allow Introspection - Option to allow/restrict introspection queries
- Allow Mutation - Option to allow/restrict mutation queries
- Restricted Objects - Control and restrict access to top-level objects
❗ DISCLAIMER: The application provided in this repository is intended as an accelerator and should therefore be tested and verified independently prior to deployment into any production usage.
- Overview
- Building the Application
- Configuring Application on TCI
- Configuring TIBCO Cloud API Management
- Demo
- Known Limitations
The inline-proxy orchestrator capability of TIBCO Cloud™ API Management enables users to invoke any TCI application to pre- or post-process an API request. The tcapim-graphql-proxy application leverages the pre-processor functionality to validate the incoming graphql query. API Product Managers can define the graphql policies at Package Keys in TIBCO Cloud™ API Management. These policies are sourced to the Inline-proxy pre-processor for validation.
The requests that fail to pass the validation rules are rejected by the Inline-proxy orchestrator, thus safeguarding the GraphQL backend from receiving any invalid queries.
This section describes the steps for building the application.
Prerequisites: GraphQL Schema
Application needs a schema of the graphql backend to validate the graphql query. This repository includes a Countries schema for a quick setup and can be used to test against the graphql service available at https://countries.trevorblades.com/graphql
- Clone this repository -
git clone https://github.com/TIBCOSoftware/tcapim-graphql-proxy.git - Rename your GraphQL Schema to schema.graphql
- Move schema.graphql to
/package/src/config/ - Create the deployable package by executing -
zip -r tcapim-graphql-proxy.zip package -x package/node_modules/\* - Update the text
tcapim-graphql-proxyin manifest.json to change the application and service name on TCI
This creates tcapim-graphql-proxy.zip artifacts needed for deployment along with the updated manifest.json
A short clip showing the above configurations -
todo-graphql-proxy.mp4
This section describes the steps to deploy and configure the application on TIBCO Cloud Integration.
- Login to cloud.tibco.com and navigate to integration capability
- Use Create/Import option to create a new nodejs application
- Upload the tcapim-graphql-proxy.zip and manifest.json files
- Once the application is created, you can rename it or change the description as required
- Scale the application to bring it in Running State
- Update endpoint visibility to TIBCO Cloud™ Mesh. This ensures that the application can be discovered by TIBCO Cloud API Management
Configuring TIBCO Cloud™ API Management for using the GraphQL Proxy application and configuring EAVs.
❗ These configurations can be performed only by a TIBCO administrator. Please reach out to your Account Partner or Customer Success team to help with these configurations.
- Ensure that the area is enabled to use Inline-proxy Orchestrator
- Update the Package Keys Data Model to include the below EAVs
| Name | Label | Type | Description | Default Value |
|---|---|---|---|---|
| max_query_depth | Max Query Depth | int | Define Max Query Depth for Graphql endpoint. Set value as '0' to skip this validation. | 3 |
| allow_introspection | Allow Introspection | bool | Enable introspection queries to the graphql backend | false |
| allow_mutation | Allow Mutations | bool | Enable mutations to the graphql backend | false |
| restricted_objects | Restricted Objects | varchar | Restrict access to the Objects (Comma Separated) |
These configurations can be done by API Product Manager on the Endpoint exposing graphql backend. The high-level steps are -
- Configure the Pre-processor by discovering the inline-proxy orchestrator application
- Select headers & body in API Request Elements
- Configure EAVs to include max_query_depth, allow_introspection, allow_mutation and restricted_objects in Package Key fields
- Optionally update timeout settings
Below video demonstrates the configurations -
gql-proxy-configuration.mp4
Checkout this awesome demo that shows policies in action for the API requests from GraphQL playground!
gql-proxy-playground.mp4
Inline-proxy orchestrator supports payload size of 1 Mb. Requests containing more than 1 Mb payload will be rejected.
This repository is governed by the license specified in the license file.
This repository is a collaborative space for sharing samples for TIBCO Cloud API Management products. The samples provided here are maintained and supported by the user community. For raising any issues or questions related to the samples provided here please create a GitHub issue.
If you would like to contribute, please send us a note at tcapim-pm@tibco.com