从 "github.com/graphql-go/graphql" 中的请求中获取查询名称
Get the query name from the request in "github.com/graphql-go/graphql"
我正在用 golang 创建一个 graphql api
使用
"github.com/gin-gonic/gin"
"github.com/graphql-go/graphql"
为了保护我的 api,我将使用 jwt 令牌,并且我想让我的 api 完全是 graphql(唯一允许的路径是 localhost:9000/graphql)
有没有办法从请求中获取查询名称,所以我只会对除 login
之外的所有其他查询进行 jwtparsing
我的句柄文件
package graphql
import (
"fmt"
"log"
"*****/graphql/mutations"
"*****/graphql/queries"
"github.com/gin-gonic/gin"
"github.com/graphql-go/graphql"
"github.com/graphql-go/handler"
)
func Handler() gin.HandlerFunc {
schema, err := graphql.NewSchema(graphql.SchemaConfig{
Query: graphql.NewObject(
graphql.ObjectConfig{Name: "QueryType", Fields: graphql.Fields{
"book": queries.BookQuery,
"books": queries.GetAllBooks,
"login": queries.Login,
}},
),
Mutation: graphql.NewObject(
graphql.ObjectConfig{Name: "MutationType", Fields: graphql.Fields{
"insertOneBook": mutations.InsertOneBook,
"updateOneBook": mutations.UpdateOneBook,
"deleteOneBook": mutations.DeleteOneBook,
}},
),
})
if err != nil {
log.Fatal("error Parsing")
}
h := handler.New(&handler.Config{
Schema: &schema,
Pretty: true,
GraphiQL: true,
Playground: true,
})
return func(c *gin.Context) {
// Get the header authorisation
// fmt.Println(c.Request.Header)
// authHeader := c.GetHeader("Authorization")
// Get the token by removing the "Bearer" string
// tokenString := strings.SplitN(authHeader, " ", -1)
// fmt.Println("this is token string", tokenString)
// if len(tokenString) < 2 {
// c.AbortWithStatus(http.StatusUnauthorized)
// } else {
// authState := utils.JwtValidate(tokenString[1])
// if authState != http.StatusAccepted {
// c.AbortWithStatus(authState)
// } else {
// h.ServeHTTP(c.Writer, c.Request)
// }
// }
h.ServeHTTP(c.Writer, c.Request)
// Check is tokens validity
}
}
它是 json - 你可以检查 [string] 是否包含 login
...
...但这是关于安全的...您正在绕过...
- 检查请求是否包含仅登录查询,没有其他注入(没有side/parallel查询)...(去除新的lines/white字符... regex) ... 精确短语 - 也必须完全等于预定义模板,长度 !!!
- 并提供了所需的变量
我正在用 golang 创建一个 graphql api 使用 "github.com/gin-gonic/gin" "github.com/graphql-go/graphql" 为了保护我的 api,我将使用 jwt 令牌,并且我想让我的 api 完全是 graphql(唯一允许的路径是 localhost:9000/graphql) 有没有办法从请求中获取查询名称,所以我只会对除 login
之外的所有其他查询进行 jwtparsing我的句柄文件
package graphql
import (
"fmt"
"log"
"*****/graphql/mutations"
"*****/graphql/queries"
"github.com/gin-gonic/gin"
"github.com/graphql-go/graphql"
"github.com/graphql-go/handler"
)
func Handler() gin.HandlerFunc {
schema, err := graphql.NewSchema(graphql.SchemaConfig{
Query: graphql.NewObject(
graphql.ObjectConfig{Name: "QueryType", Fields: graphql.Fields{
"book": queries.BookQuery,
"books": queries.GetAllBooks,
"login": queries.Login,
}},
),
Mutation: graphql.NewObject(
graphql.ObjectConfig{Name: "MutationType", Fields: graphql.Fields{
"insertOneBook": mutations.InsertOneBook,
"updateOneBook": mutations.UpdateOneBook,
"deleteOneBook": mutations.DeleteOneBook,
}},
),
})
if err != nil {
log.Fatal("error Parsing")
}
h := handler.New(&handler.Config{
Schema: &schema,
Pretty: true,
GraphiQL: true,
Playground: true,
})
return func(c *gin.Context) {
// Get the header authorisation
// fmt.Println(c.Request.Header)
// authHeader := c.GetHeader("Authorization")
// Get the token by removing the "Bearer" string
// tokenString := strings.SplitN(authHeader, " ", -1)
// fmt.Println("this is token string", tokenString)
// if len(tokenString) < 2 {
// c.AbortWithStatus(http.StatusUnauthorized)
// } else {
// authState := utils.JwtValidate(tokenString[1])
// if authState != http.StatusAccepted {
// c.AbortWithStatus(authState)
// } else {
// h.ServeHTTP(c.Writer, c.Request)
// }
// }
h.ServeHTTP(c.Writer, c.Request)
// Check is tokens validity
}
}
它是 json - 你可以检查 [string] 是否包含 login
...
...但这是关于安全的...您正在绕过...
- 检查请求是否包含仅登录查询,没有其他注入(没有side/parallel查询)...(去除新的lines/white字符... regex) ... 精确短语 - 也必须完全等于预定义模板,长度 !!!
- 并提供了所需的变量