
rubynor/graphql-ruby-training-ground


GRAPHQL-RUBY Training Ground

Simply working code, real examples

Wishlist

Test for yourself

bundle
cp config/database.yml.sample config/database.yml
rails db:setup
foreman s
# localhost:3000
# sign in with ole@example.com, password dummy123

Examples

Data leak - Example

Implementation with query leaking data

query {
  companyLeak(id: "1") {
    id
    name
    transactionLogs {
      id
      companyId
      activityAt
    }
    accountants {
      id
      name
      transactionLogs {
        id
        companyId
        activityAt
      }
    }
  }
}

response

{
  "data": {
    "companyLeak": {
      "id": "1",
      "name": "AwesomeCo",
      "transactionLogs": [
        {
          "id": "1",
          "companyId": "1",
          "activityAt": "2019-10-12 14:44:21 UTC"
        }
      ],
      "accountants": [
        {
          "id": "1",
          "name": "Mr. Smith",
          "transactionLogs": [
            {
              "id": "1",
              "companyId": "1",
              "activityAt": "2019-10-12 14:44:21 UTC"
            },
            {
              "id": "2",
              "companyId": "2",
              "activityAt": "2019-10-11 14:44:21 UTC"
            }
          ]
        }
      ]
    }
  }
}

THE LEAK. "companyId": "2"

The transaction log of company 2 should not appear inside the item for company 1...

The problem is that the nested transactionLogs field on the accountant is resolved without scoping the db query to company_id = 1, so every log of that accountant comes back regardless of the parent company.

The same happens with the companies query: a listed company will show the transaction_log records of another company.

No Leak - Example

TO DO. https://stackoverflow.com/questions/58363666/graphql-ruby-scoping-in-habtm-data-leak-in-nested-query

No Leak - Example V1 by Ahmadali1

Solution provided by Ahmadali https://github.com/ahmadali1/graphql-ruby-training-ground

See code under graphql/types/example_no_leak_v1

query:

query {
  companiesNoLeakV1 {
    id
    name
    transactionLogs {
      id
      companyId
      activityAt
    }
    accountants {
      id
      name
      transactionLogs {
        id
        companyId
        activityAt
      }
    }
  }
}

response

{
  "data": {
    "companiesNoLeakV1": [
      {
        "id": "1",
        "name": "AwesomeCo",
        "transactionLogs": [
          {
            "id": "1",
            "companyId": "1",
            "activityAt": "2019-10-12 16:40:13 UTC"
          }
        ],
        "accountants": [
          {
            "id": "1",
            "name": "Mr. Smith",
            "transactionLogs": [
              {
                "id": "1",
                "companyId": "1",
                "activityAt": "2019-10-12 16:40:13 UTC"
              }
            ]
          }
        ]
      },
      {
        "id": "2",
        "name": "BoringCo",
        "transactionLogs": [
          {
            "id": "2",
            "companyId": "2",
            "activityAt": "2019-10-11 16:40:13 UTC"
          }
        ],
        "accountants": [
          {
            "id": "1",
            "name": "Mr. Smith",
            "transactionLogs": [
              {
                "id": "2",
                "companyId": "2",
                "activityAt": "2019-10-11 16:40:13 UTC"
              }
            ]
          }
        ]
      }
    ]
  }
}
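The leak shown under companyLeak and the scoped resolution shown under companiesNoLeakV1, modelled in plain Ruby as an added example (this is not the repo's own graphql-ruby types and not Ahmadali's solution): the leaky nested resolver beside a scoped one, plus a check that flags foreign companyIds in a response. It assumes the parent company id is handed down to the nested resolver explicitly; the data, resolver names and JSON shape are constructed to mirror the README.

```ruby
# Constructed in-memory data mirroring the README's seed: two companies that
# share one accountant (Mr. Smith), and one transaction log per company.
Company        = Struct.new(:id, :name, :accountant_ids)
Accountant     = Struct.new(:id, :name)
TransactionLog = Struct.new(:id, :company_id, :accountant_id, :activity_at)

COMPANIES   = [Company.new(1, "AwesomeCo", [1]), Company.new(2, "BoringCo", [1])]
ACCOUNTANTS = [Accountant.new(1, "Mr. Smith")]
TRANSACTION_LOGS = [
  TransactionLog.new(1, 1, 1, "2019-10-12 14:44:21 UTC"),
  TransactionLog.new(2, 2, 1, "2019-10-11 14:44:21 UTC"),
]

def log_json(log)
  { "id" => log.id.to_s, "companyId" => log.company_id.to_s, "activityAt" => log.activity_at }
end

# Leaking resolver: the accountant type's transactionLogs field only sees its own
# object (the accountant), so it returns every log of that accountant, including
# logs belonging to other companies. This is the companyLeak behaviour.
def accountant_logs_leaky(accountant)
  TRANSACTION_LOGS.select { |log| log.accountant_id == accountant.id }
end

# Scoped resolver: the parent company id is carried down to the nested field
# (assumed to be passed explicitly here) and the query is filtered by it too.
def accountant_logs_scoped(accountant, company_id)
  TRANSACTION_LOGS.select do |log|
    log.accountant_id == accountant.id && log.company_id == company_id
  end
end

# Resolve one company like companyLeak / companiesNoLeakV1, leaky or scoped.
def resolve_company(company, scoped:)
  accountants = ACCOUNTANTS.select { |a| company.accountant_ids.include?(a.id) }
  {
    "id" => company.id.to_s,
    "name" => company.name,
    "transactionLogs" => TRANSACTION_LOGS.select { |l| l.company_id == company.id }.map { |l| log_json(l) },
    "accountants" => accountants.map { |a|
      logs = scoped ? accountant_logs_scoped(a, company.id) : accountant_logs_leaky(a)
      { "id" => a.id.to_s, "name" => a.name, "transactionLogs" => logs.map { |l| log_json(l) } }
    },
  }
end

# Detection check on a response: nested companyIds that differ from the parent
# company's id are exactly the leak the README points at.
def leaked_company_ids(company_json)
  nested = company_json["accountants"].flat_map { |a| a["transactionLogs"] }
  nested.map { |l| l["companyId"] }.reject { |cid| cid == company_json["id"] }.uniq
end
```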

DB-Optimization

TO DO. Need some good skillz here

Contribution

Create PR :-)

License

MIT license, not that you should be using this repo for anything beyond training :D

About Rubynor

We do startups. Ruby, Norway. http://rubynor.com Yep :-)

About

Examples of graphql-ruby usage with complex models
