How to protect a Prisma endpoint deployed to Heroku

Problem description

I deployed Prisma with PostgreSQL and a Yoga server to Heroku,

but the GraphQL endpoint is public, and anyone can run mutations against it.

Is there a straightforward way to secure it, like Hasura has: https://docs.hasura.io/1.0/graphql/manual/deployment/securing-graphql-endpoint.html

PS: I didn't use Docker to deploy it; I deployed everything through the Prisma wizard: Prisma console

Tags: heroku, graphql, prisma

Solution


You need a Prisma "secret" to protect your endpoint so that only you and your applications can access/mutate the data. Prisma calls this a managementApiSecret (see here).

I'm not very familiar with the Prisma console, but if you deploy your Prisma server to Heroku with something like a prisma.yml file then you can specify a secret: line like this: secret: ${env:PRISMA_SECRET}. You can then set a Config Var in the settings for your Prisma server on Heroku where the key is PRISMA_SECRET and the value is a random string. I believe you want to do the same thing when using the prisma deploy command. So your prisma.yml should look something like this:

endpoint: ${env:PRISMA_ENDPOINT_PROD}
datamodel: datamodel.graphql
secret: ${env:PRISMA_SECRET}
hooks:
  post-deploy:
      - graphql get-schema -p prisma

Then you'll need to specify that same secret in your Yoga server so that it can access the Prisma server. It's hard to help you with this without seeing your code for the Yoga server, but mine uses the prisma-binding package like this:

const { Prisma } = require('prisma-binding');

const db = new Prisma({
    typeDefs: 'src/generated/prisma.graphql',
    endpoint: process.env.PRISMA_ENDPOINT_PROD,
    secret: process.env.PRISMA_SECRET,
    debug: false, // Turn on to console.log queries and mutations
});

module.exports = db;

You can see that the Yoga server connects to the Prisma database with the secret specified. The Yoga server is deployed on Heroku and I've specified the PRISMA_SECRET environment variable in the Heroku settings for the Yoga server.

This setup though will prevent you from going to your Prisma endpoint in your browser and manually querying and mutating the data in your database through the GraphQL playground. There may be a way around this but I'm not sure how. Also note that this won't give you the nice login interface that Hasura appears to give you.

If you want more code to follow you can view this GitHub repo by Wes Bos, which is what he uses for his course called "Fullstack Advanced React & GraphQL".

