Spring Boot - Graphql - Access Headers from arbitrary resolver code - spring-boot

I'm using GraphQL (Spring Boot, Kotlin), and I have a specific issue with headers.
We need the client to send three pieces of information that we combine to retrieve internal sensitive data. That data is then used inside resolver codes.
Getting the headers from rest is as easy as #RequestHeader, but in GraphQL it has proved quite challenging. Is there a way I can save the headers to check for the three pieces of information I need?
I looked closely at spring security, but I can't figure out how to get a custom method to work in my method chain, much less save the headers in a way that I can access them from the domain layer.
I could always simply request the auth as a GraphQL type, but that puts a fairly high burden on the client and complicates the schema.
Any and all feedback is welcome.

GraphQL has a FetchDataEnvironment. You can use it by passing FetchDataEnvironment as the last variable in any resolver/query. Then, just call
environment.getContext<GraphQLEnvironentClass>().getHttpServletRequest.headers()
To anyone in the future - I'm sorry this code isn't exact, but your strong typing in your IDE will show you what I mean.

Related

Spring-WS: Route a SOAP request through two different endpoints

I have a SOAP endpoint which processes XML requests by identifying the unmarshalled object and then using appropriate handlers. Now, I am trying to make a new endpoint and handler method which would handle the same request differently. From what I understand, Spring-Webservices (or SOAP for that matter) doesn't have a RESTful-kind of routing for requests.
Can I route a SOAP request through two different endpoints with a URL suffix or something in the API path (kind-of RESTful) ? The namespace, localpart, etc all being same. If not, is there a way ?
SO doesn't seem to have working answers on this topic, tried this:
How can i have two separate web services with identical name space and local name requests be routed to different end points?
Multiple SOAP endpoints with one namespace & localpart
Any approach/ideas are appreciated.
As far as I understood, you need to execute different business logic methods depending on the flag value. Well, the most straightforward approach is to use an if statement directly inside the endpoint. If you want to call different API (controllers) methods, you can take a look at Spring Functional Endpoints. Though I'm not sure they are integrated with SOAP
The mentioned approaches in the question didn't work for me, so I used a mixed approach - made a RESTful api for the new endpoint with a different suffix in the url. I read the payload as a string and used marshallers to validate.

Should a Get-Ajax request change data on the server?

I read documents online. They say that
A GET-Ajax request is used for getting data from the server.
A POST-Ajax request is used for change data on the server.
But why is it?
A Get-Ajax request can change the data on the server TOO, right?
Why should only the POST-Ajax request change the data?
Is it because of a security reason or something? Please explain to me
GET and POST are different methods for web requests that provide different features/describe different intentions for programmers and APIs. You are correct that, technically speaking, if you want to do some other CRUD operation on the server when using a GET request, you can. Most would probably argue that this is not a good idea, in part for security/performance features that either method provides. Example: GET requests can be cached, POST cannot.
More on that here: https://www.w3schools.com/tags/ref_httpmethods.asp

JSON injection in RESTful

I'm new to web applications and haven't got much info. in google for JSON Injection.
Can you please provide some insight to the below questions.
What is JSON Injection?
Is JSON Injection is client-side or server-side attack?
How can you handle JSON Injection security aspects in terms of RESTful Application?
What is JSON Injection?
It's an attack that utilize some vulnerability about how the server read the JSON informations.
Is JSON Injection is client-side or server-side attack?
I can't say how creative an attack could be. Mostly is considered a server-side attack, because the main objective is manipulate the JSON sent to the server to see if the server handle this JSON in a unexpected way, producing the desired effect for the malicious user or showing some sensible information that can be used for him.
How can you handle JSON Injection security aspects in terms of RESTful
Application?
Security is really a complex subject, even involving JSON. But I'm sure that you can take some basic actions to prevent the most obvious problems.
Some basic actions:
Make your system handle all kind of exceptions. Always show a nice message for the user without any sensitive detail about your system. This prevents that some stacktrace error revels some information that can be useful for the malicious user.
Declare charset when outputting the content type for JSON responses. Most frameworks to this already.
Try not use sequencial numbers for resource identifiers. Use UUID/GUID instead.
Avoid reading/building JSON by hand, use the framework.
And read the OWASP document about AJAX. They show some good advices related with JSON.

JSON-RPC with apiblueprint

Apiary provides a clean interface for declaring URI parameters allowing for easy experimentation via thier console with a nice fill in the blank interface.
Is this possible to do for json-rpc or any http body parameter? If not, this would be incredibly useful.
This is not possible yet, but it will be soon via message body description.
However, this is for arbitrary body parameters. I am not sure JSON-RPC is going to work well for API blueprint as it is modelled more around resources; as RPC "overloads" a single resource, the result is probably not going to look very nice.

Preventing bad data insertion in Node with NoSQL Database

Let's say we have a simple node JS backend, paired with a standard NoSQL document store such as CouchDB. Since our database is just a document key-store with no schema, anything can get inserted. And since our server is built on JSON as well, ultimately POST requests that come in from the client with JSON payloads end up getting stored directly into our data store.
This of course is very convenient and makes for a lightweight application. I've been wondering, though, short of writing code for every possible insertion endpoint to verify that each POST or PUT request is well-formed, is there anything to prevent an attacker from firing up their developer console and spoofing POST/PUT requests, allowing them to insert any kind of junk data they wish into our datastore? It would not be too difficult to wreck an application's data this way.
Clearly token-based authentication can ensure that only authenticated users can access these service endpoints, but that doesn't prevent them from spoofing these request with the same HTTP headers that valid requests have. This is all quite simple with today's browser developer tools.
In a traditional server language like Java, JSON PUTs and POSTs are marshalled to a highly-structured class-based Object. Requests whose payloads do NOT match these formats are rejected with HTTP errors.
Does anyone know of tools or paradigms for node which ensures that requests like this meet some basic structure criteria?

Resources