# prisma-whats-new
c
The File API (https://www.graph.cool/docs/reference/graphql-api/file-management-eer4wiang0/#uploading-files) is super cool, but if I'm reading this correctly I could hijack anyone's GraphQL account and use it as a free S3 account if I just have their `project_id`? i.e. I can post a 300MB file to your `https://api.graph.cool/file/v1/__PROJECT_ID__` and get back a public URL to that file, and I can do that until you get your next graph.cool bill and delete my files
f
If they don't restrict their API with a bearer token... yes... always use a token, kids
c
Is that a configuration I'm supposed to do as a graph.cool user?
You enable permissions on your CRUD operations
c
yeah, but: "File uploads using the File API are not governed by the permissions on the File type. As such, everyone can upload files to your project. Please reach out in the Forum or Slack if you have any questions about this." https://www.graph.cool/docs/reference/graphql-api/file-management-eer4wiang0
so I don't think authorization or authentication tokens can limit file uploads?
f
You can, you have to set it via the schema as a UserRole:
```graphql
enum UserRole {
  EDITOR,
  MODERATOR,
  ADMIN
}
```
If you haven't ejected the project to the CLI, you can edit the role permissions in the GUI
We use granular roles in React:
```graphql
isOwner(
  type: String!
  nodeId: ID!
): isOwnerPayload
```
it includes subfields like isPublished, isLEVEL, isRole
c
okay sure, but what am I adding a permission for? `operation: File.upload`?
f
```graphql
type File @model {
  contentType: String!
  createdAt: DateTime!
  id: ID! @isUnique
  name: String!
  secret: String! @isUnique
  size: Int!
  updatedAt: DateTime!
  url: String! @isUnique
}
```
If you don't use "Authentication required" for User... you can use a secret like this ^^
This is Prisma-specific, but the same aws-sdk can be used in your script - https://medium.com/@maticzavadlal/graphcool-1-0-examples-series-file-api-3b16b4b8785f
c
That's the File model I'm using, and when I pretend to be a malicious user that only knows my app id I get the secret back in my curl request:
```
curl -X POST 'https://api.graph.cool/file/v1/cjf9wgjgy0fad01911uz14rrs' -F "data=@example.png;filename=test.png"

{
  "secret": "cjfbhuxtx09sb0146ryq88sq8",
  "name": "test.png",
  "size": 70991,
  "url": "https://files.graph.cool/cjf9wgjgy0fad01911uz14rrs/cjfbhuxtx09sb0146ryq88sq8",
  "id": "cjfbhuyn709sc0146rj6vwa4h",
  "contentType": "image/png"
}
```
and I don't have any permissions listed in graphcool.yml, which should mean that everything involving a File is disallowed by default, right?
f
It's the opposite... everything is allowed to everyone by default
Which is why you include an app secret in the Type if you don't lock the permissions
c
...no? "In general, permissions follow a whitelist approach: no operation is permitted unless explicitely allowed" https://www.graph.cool/docs/reference/auth/authorization/overview-iegoo0heez
f
I wouldn't follow everything the docs say, try your own overhead operations. Literally spelling something differently will give you different results #opensource
This is what a default project looks like from the console view, permissions-wise:
https://s3-us-west-2.amazonaws.com/vyrl-assets/permissions.png
c
I updated my permissions to only allow authenticated actions on the File object for create, read, update, and delete (more strict than in your screenshot):
```yaml
- operation:        File.create
  authenticated:    true
- operation:        File.read
  authenticated:    true
- operation:        File.update
  authenticated:    true
- operation:        File.delete
  authenticated:    true
```
And I can still do this:
```
$ curl -X POST 'https://api.graph.cool/file/v1/cjf9wgjgy0fad01911uz14rrs' -F "data=@example.png;filename=test.png"
{
  "secret": "cjfbrdm8009xo014678l1snem",
  "name": "test.png",
  "size": 70991,
  "url": "https://files.graph.cool/cjf9wgjgy0fad01911uz14rrs/cjfbrdm8009xo014678l1snem",
  "id": "cjfbrdn3n09xp01469vf6vro8",
  "contentType": "image/png"
}
```
f
More strict?... the screenshot shows a default of almost no restriction