Security: Avoid exposing credentials used in the query
Unless our GraphQL API is not publicly exposed (such as when building a static site), we must make sure that the GraphQL query does not expose private data:
- In the response of the query
- In the output when an error happens
- In the logs
For instance, the following query that uses field _env (provided by module Environment Fields):
...will directly print the credentials in the response:
We can use several features in the plugin to make the GraphQL query secure:
- Field to Input, to inject the environment value into another field via a dynamic variable
- @remove Directive, to avoid printing the environment variable's value in the output
- Send HTTP Request Fields, to connect to an external service directly from within the GraphQL query
For instance, the following query connects to the GitHub REST API using a private access token:
In this query, fields githubAccessToken and authorizationHeader (which contain sensitive data) are both removed from the output, and field gitHubArtifactData prints the results of the API call without leaking any of its inputs (e.g. an error will print the string "$__authorizationHeader" instead of the variable's value).
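To verify this behaviour across the three channels listed at the top (response, error output, logs), the following check scans a decoded GraphQL response and its log lines for credential values. It is an added example, not code from the plugin or its documentation; the function name `find_leaks`, the token value, the responses and the log lines are all constructed for illustration.

```python
def find_leaks(secrets, response, log_lines=()):
    """Report every place a secret value appears in a GraphQL result.

    secrets:   {name: value} of credentials the query had access to
    response:  decoded GraphQL response ({"data": ..., "errors": [...]})
    log_lines: server log lines written while the query ran
    Returns a list of (channel, location, secret_name) tuples.
    """
    findings = []

    def scan(text, channel, location):
        for name, value in secrets.items():
            if value and value in text:  # substring: catches "Bearer <token>"
                findings.append((channel, location, name))

    def walk(node, channel, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, channel, f"{path}.{key}")
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, channel, f"{path}[{i}]")
        elif isinstance(node, str):
            scan(node, channel, path)

    walk(response.get("data"), "response", "data")
    walk(response.get("errors", []), "error", "errors")
    for number, line in enumerate(log_lines, 1):
        scan(line, "log", f"line {number}")
    return findings


# Constructed sample data (not real credentials or real plugin output).
SECRETS = {"GITHUB_ACCESS_TOKEN": "constructed-token-0000"}
# Response shape when the credential field is printed in the output.
LEAKY = {"data": {"githubAccessToken": "constructed-token-0000"}}
# Response shape when sensitive fields are removed and errors show the variable name.
HARDENED = {
    "data": {"gitHubArtifactData": {"total_count": 0, "artifacts": []}},
    "errors": [{"message": "Request failed, header was $__authorizationHeader"}],
}
LOGS = ["GET /graphql 200", "outgoing Authorization: Bearer constructed-token-0000"]

if __name__ == "__main__":
    print(find_leaks(SECRETS, LEAKY))
    print(find_leaks(SECRETS, HARDENED))
    print(find_leaks(SECRETS, HARDENED, LOGS))
```

Run as a post-deployment or CI assertion, an empty result for the response and error channels confirms the query output is clean, while the log channel still has to be checked separately because removing a field from the output does not affect what the server logs.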