GraphQL for Java with Spring Boot made easy.
APACHE-2.0 License
Published by github-actions[bot] over 2 years ago
We are releasing a major version for DGS to address a CSRF vulnerability. This version adds a breaking change for callers that target the GraphQL endpoint (`/graphql` by default) and don't explicitly set the `content-type` to one of `application/json`, `application/graphql`, or `multipart/form-data`, the latter used for file upload. If a client is using `multipart/form-data` it will now need to include a preflight header that matches any of `x-apollo-operation-name`, `apollo-require-preflight`, or `graphql-require-preflight`.

In summary:

- The GraphQL endpoint only accepts a `content-type` of `application/json`, `application/graphql`, or `multipart/form-data`.
- A preflight header is required when the `content-type` is `multipart/form-data`. Acceptable preflight headers are `x-apollo-operation-name`, `apollo-require-preflight`, or `graphql-require-preflight`.
- Application developers should provide a sensible CORS policy; doing so is out of scope of the DGS framework but available via Spring Boot and Spring Security.

Although not recommended, you can disable the preflight check by setting `dgs.graphql.header.validation.enabled` to `false`.
A CSRF attack could leverage JS code that sends a request with `content-type: multipart/form-data`, or with another content-type that does not force the browser to do a preflight check and enforce the CORS policy. Application developers should provide a sensible CORS policy as well as, if they use cookies, a sensible cookie `SameSite` policy.
DGS MVC supports the execution of GraphQL operations via HTTP POST requests with `content-type: multipart/form-data`. Because they are POST requests, they can contain GraphQL mutations. Because they use `content-type: multipart/form-data`, they can be "simple requests" which are not preflighted by browsers. Requiring a custom header such as `apollo-require-preflight` makes the request non-simple: the browser then issues a CORS preflight (`OPTIONS`) first and only sends the mutation if your CORS policy allows that origin and header.
Spring Boot applications using DGS that set `SameSite=None` cookies for authentication are then open to JS code from any origin that can cause browsers to send cookie-authenticated mutations to the GraphQL endpoint; these will be executed without checking your CORS policy first. Although the attack won't be able to see the response to the mutation if your CORS policy is set up properly, the side effects of the mutation will still occur.
In addition, if the Spring Boot application using DGS relies on network properties for security (whether by explicitly looking at the client's IP address or by only being available on a private network), then JS on any origin can cause browsers (which may be on a private network or have an allowed IP address) to send mutations to your GraphQL server, which will be executed without checking your CORS policy first. (This attack does not require your server to use cookies. It is in some cases prevented by some browsers such as Chrome.)
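The following is an added example and not code from the DGS release notes or the DGS code base. It models both halves of the problem described above: a browser-side check of whether a cross-origin request is a CORS "simple request" that is sent without a preflight, and a server-side gate re-implemented from the rule in the notes (three accepted content types, and a preflight header required for `multipart/form-data`). The request objects in `sampleRequests()` are constructed for illustration, and the `headerValidationEnabled` option is this example's stand-in for `dgs.graphql.header.validation.enabled`.

```javascript
// Added example; not code from the DGS release notes or the DGS code base.
//   isSimpleRequest(): browser model. A cross-origin request that is a CORS
//     "simple request" per the Fetch spec is sent immediately, with no preflight
//     OPTIONS, so the CORS policy never gets a chance to stop it.
//   dgsAccepts(): server model, re-implemented from the rule in the notes.
// Simplification: the Fetch spec also caps header value lengths and restricts
// the characters allowed in Accept/Accept-Language/Content-Language; omitted here.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// "multipart/form-data; boundary=abc" -> "multipart/form-data"
function mediaType(contentType) {
  return String(contentType).split(";")[0].trim().toLowerCase();
}

function lowercaseKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Browser model: true when the browser would issue no preflight for this request.
function isSimpleRequest(req) {
  if (!SAFELISTED_METHODS.has(req.method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(lowercaseKeys(req.headers))) {
    if (!SAFELISTED_HEADERS.has(name)) return false; // any custom header forces a preflight
    if (name === "content-type" && !SAFELISTED_CONTENT_TYPES.has(mediaType(value))) return false;
  }
  return true;
}

const ALLOWED_CONTENT_TYPES = new Set(["application/json", "application/graphql", "multipart/form-data"]);
const PREFLIGHT_HEADERS = ["x-apollo-operation-name", "apollo-require-preflight", "graphql-require-preflight"];

// Server model of the DGS 5.x header validation described in the notes.
// headerValidationEnabled=false mimics dgs.graphql.header.validation.enabled=false
// (assumption: only the preflight-header check is skipped, as the notes describe).
function dgsAccepts(req, { headerValidationEnabled = true } = {}) {
  const headers = lowercaseKeys(req.headers);
  const ct = headers["content-type"] === undefined ? null : mediaType(headers["content-type"]);
  if (ct === null || !ALLOWED_CONTENT_TYPES.has(ct)) {
    return { ok: false, reason: `unsupported content-type: ${ct}` };
  }
  if (headerValidationEnabled && ct === "multipart/form-data" && !PREFLIGHT_HEADERS.some((h) => h in headers)) {
    return { ok: false, reason: "multipart/form-data without a preflight header" };
  }
  return { ok: true, reason: "accepted" };
}

// The dangerous combination: the browser sends it unpreflighted AND the server executes it.
function csrfExposed(req, options) {
  return isSimpleRequest(req) && dgsAccepts(req, options).ok;
}

// Constructed sample requests, as a cross-origin page's fetch() would emit them.
function sampleRequests() {
  const upload = { method: "POST", headers: { "Content-Type": "multipart/form-data; boundary=x" } };
  return {
    // Pre-5.0 style file upload with no extra header: a simple request.
    legacyUpload: upload,
    // The same upload carrying the header the notes now require.
    uploadWithPreflight: { ...upload, headers: { ...upload.headers, "apollo-require-preflight": "true" } },
    // Ordinary JSON POST: application/json is not safelisted, so it is preflighted anyway.
    json: { method: "POST", headers: { "Content-Type": "application/json" } },
    // text/plain is simple but is no longer an accepted content type.
    textPlain: { method: "POST", headers: { "Content-Type": "text/plain" } },
  };
}

// Returns { name: { simple, accepted, exposed } } for every sample request.
function evaluate(options) {
  const out = {};
  for (const [name, req] of Object.entries(sampleRequests())) {
    out[name] = { simple: isSimpleRequest(req), accepted: dgsAccepts(req, options).ok, exposed: csrfExposed(req, options) };
  }
  return out;
}

console.table(evaluate());
console.table(evaluate({ headerValidationEnabled: false })); // legacyUpload becomes exposed
```

Running it shows why the change is breaking: `legacyUpload` is the only request that is both simple and executable, and with header validation enabled the server now refuses it; once the client adds `apollo-require-preflight`, the request is no longer simple and the CORS policy gets to decide.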
For additional context visit Apollo Server 2 graphql-upload CSRF Page.
⭐ Special thanks to the Apollo Server Team for identifying the CSRF. ⭐
Published by github-actions[bot] over 2 years ago
We are adopting Apollo Federation 2.0; please review the Apollo Federation 2.0 Specification for further details.
Published by github-actions[bot] over 2 years ago
⭐ Special thanks to @gnoeley and @kilink for this release! ⭐
Published by github-actions[bot] over 2 years ago
Published by berngp over 2 years ago
We are adopting GraphQL Java 18; this new version comes with a considerable number of improvements to the library. We are looking forward to using the performance improvements on validation rules that are available in this version. Please review the GraphQL Java v18.0 Release Notes for further details.
In order to keep the framework healthy we have decided to upgrade to Spring Boot 2.6, Spring 5.3 and Spring Cloud 2022.0.1.
If you are moving from Spring Boot 2.3 to Spring Boot 2.6 you might want to review the changes that happened between 2.3 and 2.4. You can review What is new in Spring Boot 2.4 by Phil Webb (@phillip_web). Please review the Spring Boot 2.6 Release Notes if you are interested in the new features available.
- `collectionType` is no longer needed as part of the `@InputArgument` annotation. (#977) @kilink

The `@InputArgument` annotation doesn't need the `collectionType` anymore when you are mapping to a List, Map, or other collection. To do this we now leverage the Spring Framework's `ResolvableType` utilities directly.
We are upgrading to Kotlin 1.6.21; this shouldn't affect you unless you are also using Kotlin in your project. If you use Kotlin you will need to make sure you upgrade to at least 1.6.20. To review what is new in Kotlin 1.6.20, please visit the official site.
- `DgsDataLoaderProvider` (#971) @kilink
- `dependencies.lock` files in diffs by default (#967) @jord1e
- `.let`, use `MediaType` (#972) @kilink

Published by github-actions[bot] over 2 years ago
Published by berngp over 2 years ago
Published by github-actions[bot] over 2 years ago
We now support Apollo's Automated Persisted Queries, or APQ. To enable this feature you will have to set the `dgs.graphql.apq.enabled` property to `true`.
Property Name | Type | Default | Description |
---|---|---|---|
dgs.graphql.apq.enabled | boolean | false | Enables Apollo's APQ (as implemented in graphql-java) on the DGS Service |
dgs.graphql.apq.default-cache.enabled | boolean | true | Can be used to disable the default Caffeine Cache |
dgs.graphql.apq.default-cache.caffeine-spec | String | maximumSize=100,expireAfterWrite=1h,recordStats | Specifies the CaffeineSpec used by the default Caffeine Cache |
The `PersistedQueryCache` that backs the default implementation leverages a Caffeine Cache. You can provide your own `PersistedQueryCache` if the default doesn't suffice; please review `PersistedQueryCaffeineCache` if you decide to do so. It is important that the cache can handle the case where the query text matches the value defined by the `PersistedQuerySupport.PERSISTED_QUERY_MARKER` constant.

The Caffeine Cache used by the default `PersistedQueryCaffeineCache` is a named bean, `apqCaffeineCache`, that can be replaced. You can also specify the Caffeine Spec, encoded as a String value, via the `dgs.graphql.apq.default-cache.caffeine-spec` property. By default `dgs.graphql.apq.default-cache.caffeine-spec` is `maximumSize=100,expireAfterWrite=1h,recordStats`, but as mentioned you can define your own as needed.
Published by github-actions[bot] almost 3 years ago
The following dependencies were upgraded...
Published by berngp almost 3 years ago
Artifacts for 4.9.12 and 4.9.13 are unavailable in Maven Central; we are looking into it, but it is unclear if we will be able to solve this problem in the next few days.
The following dependencies were upgraded...
Published by github-actions[bot] almost 3 years ago
The following dependencies were upgraded...