为什么头盔会挡住阿波罗 api
Why helmet blocks apollo api
你能告诉我为什么头盔会在 localhost:4000/api 挡住阿波罗 api 吗?当我评论头盔时,它像以前一样工作正常。
您似乎处于离线状态。 POST 到此端点以查询您的图表:
curl --请求POST
--header 'content-type: application/json'
--url ''
--data '{"query":"query { __typename }"}'
const { ApolloServer } = require ('apollo-server-express');
const { ApolloServerPluginDrainHttpServer } = require ('apollo-server-core');
const express= require ('express');
const http = require ('http');
const models = require('./models')
require ('dotenv').config();
const db = require('./db')
const DB_HOST = process.env.DB_HOST
const typeDefs = require('./schema')
const resolvers = require('./resolvers/index')
const jwt = require('jsonwebtoken');
const cors = require('cors')
const helmet = require('helmet')
db.connect(DB_HOST);
// get the user info from a JWT
const getUser = token => {
if (token) {
try {
// return the user information from the token
//console.log(jwt.verify(token, process.env.JWT_SECRET))
return jwt.verify(token, process.env.JWT_SECRET);
} catch (err) {
// if there's a problem with the token, throw an error
throw new Error('Session invalid');
}
}
};
async function startApolloServer(typeDefs, resolvers) {
const app = express();
app.use(cors())
//app.use(helmet())
const httpServer = http.createServer(app);
const server = new ApolloServer({
typeDefs,
resolvers,
context: ({ req }) => {
// get the user token from the headers
const token = req.headers.authorization;
// try to retrieve a user with the token
const user = getUser(token);
// for now, let's log the user to the console:
//console.log(user);
// add the db models and the user to the context
return { models, user };
},
plugins: [ApolloServerPluginDrainHttpServer({ httpServer })],
});
await server.start();
server.applyMiddleware({ app,path: '/api' });
await new Promise(resolve => httpServer.listen({ port: 4000 }, resolve));
console.log(` Apollo Server ready at http://localhost:4000${server.graphqlPath}`);
app.get('/', function (req, res) {
res.send('Welcome in note app.')
})
}
startApolloServer(typeDefs, resolvers)
app.use(helmet());
是以下对象的别名:
app.use(helmet.contentSecurityPolicy());
app.use(helmet.crossOriginEmbedderPolicy());
app.use(helmet.crossOriginOpenerPolicy());
app.use(helmet.crossOriginResourcePolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.originAgentCluster());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());
我遇到了同样的问题,所以我换掉了别名以单独添加每一个。当我注释掉前两个(contentSecurityPolicy & crossOriginEmbedderPolicy)时,Apollo 复活了。
郑重声明,不建议在生产环境中注释掉这些政策,但它应该可以解除对卡在此处的任何人的封锁。
要详细说明@Kraken 的回答,这就是您想要做的:
const isDevelopment = appConfig.env === 'development'
app.use(
helmet({
crossOriginEmbedderPolicy: !isDevelopment,
contentSecurityPolicy: !isDevelopment,
}),
)
你能告诉我为什么头盔会在 localhost:4000/api 挡住阿波罗 api 吗?当我评论头盔时,它像以前一样工作正常。
您似乎处于离线状态。 POST 到此端点以查询您的图表:
curl --请求POST
--header 'content-type: application/json'
--url ''
--data '{"query":"query { __typename }"}'
const { ApolloServer } = require ('apollo-server-express');
const { ApolloServerPluginDrainHttpServer } = require ('apollo-server-core');
const express= require ('express');
const http = require ('http');
const models = require('./models')
require ('dotenv').config();
const db = require('./db')
const DB_HOST = process.env.DB_HOST
const typeDefs = require('./schema')
const resolvers = require('./resolvers/index')
const jwt = require('jsonwebtoken');
const cors = require('cors')
const helmet = require('helmet')
db.connect(DB_HOST);
// get the user info from a JWT
const getUser = token => {
if (token) {
try {
// return the user information from the token
//console.log(jwt.verify(token, process.env.JWT_SECRET))
return jwt.verify(token, process.env.JWT_SECRET);
} catch (err) {
// if there's a problem with the token, throw an error
throw new Error('Session invalid');
}
}
};
async function startApolloServer(typeDefs, resolvers) {
const app = express();
app.use(cors())
//app.use(helmet())
const httpServer = http.createServer(app);
const server = new ApolloServer({
typeDefs,
resolvers,
context: ({ req }) => {
// get the user token from the headers
const token = req.headers.authorization;
// try to retrieve a user with the token
const user = getUser(token);
// for now, let's log the user to the console:
//console.log(user);
// add the db models and the user to the context
return { models, user };
},
plugins: [ApolloServerPluginDrainHttpServer({ httpServer })],
});
await server.start();
server.applyMiddleware({ app,path: '/api' });
await new Promise(resolve => httpServer.listen({ port: 4000 }, resolve));
console.log(` Apollo Server ready at http://localhost:4000${server.graphqlPath}`);
app.get('/', function (req, res) {
res.send('Welcome in note app.')
})
}
startApolloServer(typeDefs, resolvers)
app.use(helmet());
是以下对象的别名:
app.use(helmet.contentSecurityPolicy());
app.use(helmet.crossOriginEmbedderPolicy());
app.use(helmet.crossOriginOpenerPolicy());
app.use(helmet.crossOriginResourcePolicy());
app.use(helmet.dnsPrefetchControl());
app.use(helmet.expectCt());
app.use(helmet.frameguard());
app.use(helmet.hidePoweredBy());
app.use(helmet.hsts());
app.use(helmet.ieNoOpen());
app.use(helmet.noSniff());
app.use(helmet.originAgentCluster());
app.use(helmet.permittedCrossDomainPolicies());
app.use(helmet.referrerPolicy());
app.use(helmet.xssFilter());
我遇到了同样的问题,所以我换掉了别名以单独添加每一个。当我注释掉前两个(contentSecurityPolicy & crossOriginEmbedderPolicy)时,Apollo 复活了。
郑重声明,不建议在生产环境中注释掉这些政策,但它应该可以解除对卡在此处的任何人的封锁。
要详细说明@Kraken 的回答,这就是您想要做的:
const isDevelopment = appConfig.env === 'development'
app.use(
helmet({
crossOriginEmbedderPolicy: !isDevelopment,
contentSecurityPolicy: !isDevelopment,
}),
)