GraphQL输入授权与字段级访问控制最佳实践

一、风险与目标风险：越权字段访问、过度抓取与复杂查询导致资源耗尽、输入污染。目标：字段级Scope授权、统一深度与复杂度上限、操作名与持久化查询强制。二、字段Scope映射与授权type Token = { sub: string; scope: string[] } const fieldScope: Record<string, string> = { 'email': 'read:email', 'ssn': 'read:ssn', 'balance': 'read:balance' } function hasScope(tok: Token, need: string): boolean { return tok.scope.includes(need) } function authorizeFields(tok: Token, fields: string[]): boolean { for (const f of fields) { const need = fieldScope[f] if (need && !hasScope(tok, need)) return false } return true } 三、查询深度与复杂度限制function maxDepth(query: string): number { let depth = 0 let max = 0 for (const ch of query) { if (ch === '{') { depth++; if (depth > max) max = depth } else if (ch === '}') { depth = Math.max(0, depth - 1) } } return max } function estimateComplexity(query: string): number { const m = query.match(/[a-zA-Z_][a-zA-Z0-9_]*/g) || [] const ignore = new Set(['query','mutation','subscription','fragment','on','true','false']) let count = 0 for (const w of m) if (!ignore.has(w)) count++ return count } 四、字段提取与校验function extractFields(query: string, allow: string[]): string[] { const out: string[] = [] for (const f of allow) { const re = new RegExp(`\\b${f}\\b`) if (re.test(query)) out.push(f) } return out } 五、持久化查询与操作名type Persisted = { id: string; text: string } function requireOperationName(name: string | undefined): boolean { return typeof name === 'string' && name.length >= 3 && name.length <= 64 } function matchPersisted(text: string, db: Record<string, Persisted>, id: string | undefined): boolean { if (!id) return false const item = db[id] if (!item) return false return item.text === text } 六、统一拦截示例type Req = { body: { query: string; operationName?: string; persistedId?: string }; token: Token } type Res = { status: (n: number) => Res; end: (b?: string) => void } function guardGraphQL(req: Req, res: Res, persisted: Record<string, { id: string; text: string }>) { const q = req.body.query || '' const name = req.body.operationName const id = req.body.persistedId if (!requireOperationName(name)) return res.status(400).end('invalid_operation') const depth = maxDepth(q) if (depth > 8) return res.status(400).end('depth_exceeded') const complexity = estimateComplexity(q) if (complexity > 100) return res.status(400).end('complexity_exceeded') if (!matchPersisted(q, persisted, id)) return res.status(400).end('unknown_query') const fields = extractFields(q, Object.keys(fieldScope)) if (!authorizeFields(req.token, fields)) return res.status(403).end('forbidden') } 七、验收清单深度≤8与复杂度≤100；操作名长度3-64；只接受持久化查询。字段级Scope映射生效，未授权字段拒绝访问；输入不含非法标识符。输出与执行路径可审计并关联操作名与持久化查询ID。