Rack middleware for the dashboard

[mroach]

The GraphQL dashboard is great. Nice for getting an overview of how your system is being used.

In our release environments, routes to such internal applications are protected by ingress configuration to ensure a user is authenticated at the ingress level (the Google Identity-Aware Proxy). This allows staff to access it, authenticated by our Google accounts, and the public has no access. Great.

For belt-and-suspenders though, we have Rack middleware that verifies that the user is actually authenticated. We don't want our applications trusting that the auth proxy is actually working. (When the auth proxy works, it adds a request header with hashes we can verify with public keys, etc etc).

Sidekiq has first-class support for this with Sidekiq.use
In our Sidekiq initializer then we can register our middleware that ensures the user has been authenticated. Now if we accidentally disabled our proxy, hitting the Sidekiq dashboard URL would fail with an error that the user isn't authenticated.

Sidekiq::Web.use(Security::Middleware::GoogleIapAuth)

The idea here though is of course more generic. It allows great flexibility for developers to customise a third party request handler. Our middleware can handle our custom needs without needing any support from third party libraries.

Is this something that would be feasible for GraphQL Pro? Something like:

GraphQL::Pro::Dashboard.use(MyCustomMiddleware)

[rmosolgo]

Hey, thanks for the write-up and suggestion. There's not something like this in GraphQL-Pro right now, but here are a couple of other options:

• Add a Rails routing constraint to the mount call, for example:

  mount MySchema.dashboard, at: "/graphql/dashboard", constraints: Security::Middleware::GoogleIapAuth::RoutingConstraint.new

  (This requires defining the ...RoutingConstraint class referenced above to use the same logic as your existing middleware)

• Merge your existing middleware and the dashboard into a new Rack app using Rack::Builder, for example:

  iap_dashboard = Rack::Builder.app do 
    use Security::Middleware::GoogleIapAuth
    run MySchema.dashboard
  end
  
  mount iap_dashboard, at: "/graphql/dashboard" 

What do you think about trying one of those approaches?

[mroach]

I didn't know either of those approaches were possible, but I like them both! The routing constraint is great since I can apply it to our whole scope :_internal and not have to worry about it on a per-app basis. I'll give that a shot. That keeps things even more generic. Thanks for the tips!

[mroach]

My currently stable solution that allows me to use my existing middleware as-is, which I want so the response is still a 401 and not a routing error. Thanks for the inspiration, @rmosolgo

(There is certainly room to make this cleaner, but this achieves the basics of what I wanted. Auth isn't enabled for local dev where the IAP isn't available.)

scope :_internal do
  internal_app = ->(next_app) do
    Rack::Builder.new do
      if ENV.fetch("SECURE_INTERNAL_ROUTES", "on") == "on"
        use(Security::Middleware::GoogleIapAuth)
      end

      run(next_app)
    end
  end

  mount internal_app.(Sidekiq::Web), at: "/sidekiq"
  mount internal_app.(graphql_frontend_lazy_routes.dashboard), at: "/graphql/frontend/dashboard"
end

Edit: I decided the route constraint is better since it will return a 404 which doesn't leak the presence of a valid endpoint.

scope :_internal do
  constraints(lambda do |request|
    next true if ENV.fetch("SECURE_INTERNAL_ROUTES", "on") == "off"

    Security::Middleware::GoogleIapAuth::RouteConstraint.new.matches?(request)
  end) do
    mount Sidekiq::Web, at: "/sidekiq"
    mount graphql_frontend_lazy_routes.dashboard, at: "/graphql/frontend/dashboard"
  end
end