🐛 Whitelist all auto-generated Mutations/Queries
Created by: Tirokk
Authored by: ulfgebhardt (Closed)
Describe the bug
Disable all Mutations/Queries via middleware and recheck which can be enabled under which circumstance.
We use neo4j-graphql-js as a query builder. None of the generated mutations/queries has authentication/authorization by default. Therefore we need to whitelist only those mutations that we need and that have been security-tested, before migrating our production server to the new nitro code base.
To Reproduce
Steps to reproduce the behavior:
- Go to 'http://localhost:4000'
- Create e.g. a comment:

```graphql
mutation {
  CreateComment(content: "I am a comment") {
    id
  }
}
```

- Click submit
- You just created a comment without an author.
Expected behavior
No private data should be exposed, i.e. emails of users. No disabled or deleted content should be visible. No data should be created without authorship of the current user.
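As an added illustration of the middleware approach described in this issue (default-deny all generated root fields, then enable a reviewed allowlist with guards) and of the expected behaviour that authorship is taken from the current user: the following is example code, not code from the nitro project or from neo4j-graphql-js. The resolver map, the allowlist, the session object and all ids are constructed stand-ins.

```javascript
// Added example (not code from the nitro / Human Connection project):
// a default-deny allowlist wrapper around a resolver map shaped like the one
// neo4j-graphql-js generates. The resolver map, the allowlist and the session
// object below are constructed stand-ins for this illustration.

// Constructed stand-in for auto-generated root resolvers. Every root field is
// reachable and unauthenticated, which is exactly the problem described above.
const generatedResolvers = {
  Query: {
    User: (_parent, _args) => [{ id: 'u1', name: 'Alice', email: 'alice@example.org' }],
    Comment: () => [{ id: 'c1', content: 'hello', disabled: false }],
  },
  Mutation: {
    CreateComment: (_parent, args) => ({ id: 'c2', ...args }),
    DeleteUser: (_parent, args) => ({ id: args.id }),
  },
};

// The allowlist: only fields listed here stay enabled. A value of null means
// "enabled as generated"; an object adds guards that run before the generated
// resolver.
const allowlist = {
  Query: {
    Comment: null,
  },
  Mutation: {
    CreateComment: {
      requireAuth: true,
      // Authorship comes from the server-side session, never from client args.
      rewriteArgs: (args, context) => ({ ...args, authorId: context.user.id }),
    },
  },
};

function isListed(list, typeName, field) {
  return Boolean(list[typeName]) && Object.prototype.hasOwnProperty.call(list[typeName], field);
}

// Returns every generated root field the allowlist does not mention, so the
// team can review what is blocked and decide what may be enabled later.
function unlistedFields(resolvers, list) {
  const names = [];
  for (const typeName of ['Query', 'Mutation']) {
    for (const field of Object.keys(resolvers[typeName] || {})) {
      if (!isListed(list, typeName, field)) names.push(`${typeName}.${field}`);
    }
  }
  return names;
}

// Wraps a resolver map so that unlisted fields throw and listed fields run
// their guards first. The returned map has the same shape as the input, so it
// can be handed to the GraphQL server in place of the generated one.
function applyAllowlist(resolvers, list) {
  const secured = {};
  for (const typeName of ['Query', 'Mutation']) {
    secured[typeName] = {};
    for (const [field, resolve] of Object.entries(resolvers[typeName] || {})) {
      if (!isListed(list, typeName, field)) {
        // Default deny: the generated resolver is never reached.
        secured[typeName][field] = () => {
          throw new Error(`${typeName}.${field} is not enabled`);
        };
        continue;
      }
      const policy = list[typeName][field];
      secured[typeName][field] = (parent, args, context, info) => {
        if (policy && policy.requireAuth && !(context && context.user)) {
          throw new Error(`${typeName}.${field} requires an authenticated user`);
        }
        const finalArgs = policy && policy.rewriteArgs ? policy.rewriteArgs(args, context) : args;
        return resolve(parent, finalArgs, context, info);
      };
    }
  }
  return secured;
}

// Demo with a constructed session for user "u9".
const secured = applyAllowlist(generatedResolvers, allowlist);
console.log('blocked by default:', unlistedFields(generatedResolvers, allowlist));
console.log('comment as u9:', secured.Mutation.CreateComment({}, { content: 'I am a comment' }, { user: { id: 'u9' } }));
try {
  secured.Mutation.CreateComment({}, { content: 'anonymous' }, {});
} catch (err) {
  console.log('anonymous comment rejected:', err.message);
}
```

Running the block lists `Query.User` and `Mutation.DeleteUser` as blocked, returns a comment with `authorId` set from the session, and rejects the unauthenticated attempt; the point of `unlistedFields` is that the review step ("recheck which can be enabled") starts from the blocked list rather than from whatever the generator exposes.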