GraphQL Unauthenticated Mutation Detected - Vulnerability Database

GraphQL Unauthenticated Mutation Detected

Description

This vulnerability occurs when a GraphQL API endpoint executes mutation operations without requiring authentication. Mutations are the GraphQL operations that modify server-side data, such as creating, updating, or deleting records. When they can be invoked by unauthenticated clients, an attacker can change application data without presenting any credentials, and the server has no identity on which to base an authorization decision. This is a critical security gap: every mutation should be reachable only by an authenticated caller, and only by one who is authorized to make that particular change.

Remediation

Implement authentication and authorization controls for all GraphQL mutations using the following approach:

1. Require Authentication for All Mutations:
Ensure every mutation validates user authentication before execution. Implement middleware or resolver-level checks:

// Example: Node.js with Apollo Server (v3 API). Apollo Server 4 removed
// AuthenticationError; throw a GraphQLError with extensions.code 'UNAUTHENTICATED' there.
const { AuthenticationError } = require('apollo-server');

const resolvers = {
  Mutation: {
    updateUser: async (parent, args, context) => {
      // context.user is set by the server's context function from the request's
      // credentials (see step 4); a missing value means no valid login was presented
      if (!context.user) {
        throw new AuthenticationError('You must be logged in');
      }
      // Proceed with mutation (updateUserInDatabase is the application's own data-access code)
      return updateUserInDatabase(args);
    }
  }
};

2. Implement Role-Based Access Control (RBAC):
Apply granular permissions to restrict mutations based on user roles. Authentication only establishes who the caller is; a logged-in user must still be authorized for the specific change a mutation makes:

// Example: Role-based authorization, placed after the authentication check
// above so that context.user is known to be set
if (!context.user.hasPermission('UPDATE_USER')) {
  throw new ForbiddenError('Insufficient permissions');
}

3. Use Authentication Middleware:
Apply the authentication check once, globally, to every operation under the Mutation type (for example by wrapping every Mutation resolver, or with a schema directive or plugin) rather than repeating it in each resolver. A single forgotten per-resolver check is exactly how this finding arises, and a global guard means a newly added mutation is protected by default.

4. Validate Tokens and Sessions:
Verify JWT tokens, session cookies, or API keys on every request, in the server's context function rather than inside resolvers. For JWTs, check the signature against the algorithm and key you expect (never the one named in the token's own header), reject expired tokens, and check a revocation list so a logged-out or compromised token cannot keep mutating data until it expires.

5. Regular Security Audits:
Periodically review the Mutation type in your GraphQL schema (from the SDL or from introspection output) against your authorization rules to identify any mutations that lack proper authentication or authorization controls, and add an automated test that invokes every mutation without credentials so that newly added, unprotected mutations are caught before release.
