There's no security #3
Some websites have sections or entries which are not designed to be public. There needs to be a way to whitelist (preferably) or blacklist which sections or entry types can be accessed via this API.
I haven't tested, but I think the Users section should definitely be heavily guarded too so it cannot be queried unless specifically required.
Comments
Good report, thanks. Re: hidden sections, this is definitely on the roadmap. Right now you have to auth with a user token to access the GraphQL service. The thought is that you would be able to query any sections you have access to. Re: users, I haven't given this much thought yet. I'm open to ideas on how to lock this down. Right now you can make tokens that are read or read/write. I could extend that with some concept of "scopes" that conditionally allows user access too…
This was fixed up with #4. Scopes are now implemented on a per-token basis. You can exclude specific types by either query or mutation.
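The allowlist the report asks for, and the per-token scopes the follow-up comment describes, come down to one check: before a GraphQL operation runs, every root field it touches must be granted to the presenting token for that operation kind. The example below is an added illustration of that check, not code from this project or its maintainer; the `Token` shape, the `authorize` function and the sample tokens are assumptions, and the tiny root-field scanner only handles plain documents (arguments, aliases, nested selections), not fragments or directives.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """An API token with explicit allowlists (assumed shape, not the plugin's)."""
    name: str
    can_write: bool            # read vs read/write, as described in the thread
    query_types: frozenset     # root fields this token may query
    mutation_types: frozenset  # root fields this token may mutate


def root_fields(document):
    """Return (operation, root field names) for a simple GraphQL document.

    Handles anonymous/named operations, variables, arguments, aliases and
    nested selections; fragments and directives are out of scope here.
    """
    text = re.sub(r"#[^\n]*", "", document)  # strip GraphQL comments
    head = re.match(r"\s*(query|mutation)?\s*\w*\s*(\([^)]*\))?\s*\{", text)
    if not head:
        raise ValueError("unsupported document shape")
    operation = head.group(1) or "query"  # a bare '{ ... }' is a query

    buf, brace, paren = [], 0, 0
    for ch in text[head.end():]:
        if ch == "{":
            brace += 1
        elif ch == "}":
            if brace == 0:
                break  # closing brace of the root selection set
            brace -= 1
        elif ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
        elif brace == 0 and paren == 0:
            buf.append(ch)  # only text at the root level survives
    flat = re.sub(r"\b\w+\s*:", "", "".join(buf))  # drop 'alias:' prefixes
    return operation, re.findall(r"\b\w+\b", flat)


def authorize(token, document):
    """Allowlist check: deny unless every root field is granted to the token."""
    operation, fields = root_fields(document)
    if operation == "mutation" and not token.can_write:
        return False, f"token '{token.name}' is read-only"
    allowed = token.mutation_types if operation == "mutation" else token.query_types
    denied = sorted(set(fields) - allowed)
    if denied:
        return False, f"{operation} of {', '.join(denied)} not in scope for '{token.name}'"
    return True, "ok"


# Constructed sample tokens: a public read token that can only see entries,
# and an editor token that may also read users and run one mutation.
PUBLIC = Token("public-read", False, frozenset({"entries"}), frozenset())
EDITOR = Token("editor", True, frozenset({"entries", "users"}), frozenset({"upsertEntry"}))

if __name__ == "__main__":
    samples = [
        (PUBLIC, '{ entries(section: "blog") { title } }'),
        (PUBLIC, "query Leak { entries { title } users { email } }"),
        (PUBLIC, "mutation { upsertEntry(id: 1) { id } }"),
        (EDITOR, "mutation { upsertEntry(id: 1) { id } }"),
    ]
    for tok, doc in samples:
        print(tok.name, authorize(tok, doc))
```

Because the check is an allowlist, a newly added section or the Users type is unreachable by every existing token until someone grants it, which is the "whitelist (preferably)" behaviour the report asks for; a blocklist would instead expose each new type by default.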