task(gql): Record metrics for 403s from GqlAllowList

dschom
2025-12-03 12:00:06 -08:00
committed by Valerie Pomerleau
parent 3983ce6355
commit 5795710a45
2 changed files with 5 additions and 2 deletions


@@ -10,6 +10,7 @@ import bodyParser from 'body-parser';
import { Request, Response } from 'express';
import { allowlistGqlQueries } from 'fxa-shared/nestjs/gql/gql-allowlist';
import { SentryInterceptor } from '@fxa/shared/sentry';
import { StatsDService } from '@fxa/shared/metrics/statsd';
import helmet from 'helmet';
import { NestApplicationOptions } from '@nestjs/common';
@@ -33,7 +34,7 @@ async function bootstrap() {
// Configure allowlisting of gql queries
app.use(bodyParser.json());
app.use(allowlistGqlQueries(appConfig.gql));
app.use(allowlistGqlQueries(appConfig.gql, app.get(StatsDService)));
if (appConfig.hstsEnabled) {
const maxAge = appConfig.hstsMaxAge;
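Review bot: On the changed `app.use(...)` line, `app.get(StatsDService)` is passed into a parameter typed as hot-shots `StatsD`, but nothing in this hunk shows that the lookup returns that type. If `StatsDService` is an injection token rather than a class (not visible here), `app.get` returns an untyped value and the compiler will not catch a mismatch; `app.get<StatsD>(StatsDService)` would make the expectation explicit. The lookup also runs once during bootstrap, so it is worth confirming the provider is registered in this app's module, since an unresolved provider would fail startup before the allowlist is installed. `bootstrap` starts and continues outside the hunk.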


@@ -3,6 +3,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
import { readFileSync } from 'fs';
import { Request, Response, NextFunction } from 'express';
import { StatsD } from 'hot-shots';
/**
* Configuration options for GqlGuard
@@ -64,12 +65,13 @@ export class GqlAllowlist {
* @param config
* @returns
*/
export function allowlistGqlQueries(config: Config) {
export function allowlistGqlQueries(config: Config, statsd?: StatsD) {
const guard = new GqlAllowlist(config);
return (req: Request, res: Response, next: NextFunction) => {
if (guard.allowed(req)) {
next();
} else {
statsd?.increment('gql.unsanctioned_query');
res
.status(403)
.send({ statusCode: 403, message: 'Unsanctioned Graphql Query' });
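Review bot: The new `statsd` parameter of `allowlistGqlQueries` is optional, and the doc block above it still has an empty `@param config` / `@returns`, so nothing tells a caller that omitting it leaves 403 rejections uncounted. Any other server that calls this helper without the second argument (none are visible in this commit) would keep denying queries silently, and an alert built on `gql.unsanctioned_query` would under-report. I would document it, e.g. `@param statsd Optional metrics client; when set, 'gql.unsanctioned_query' is incremented for every request rejected with 403.` The counter carries no tags, so it shows volume only; if responders need to see what was rejected, a low-cardinality tag or a log line next to the increment would help, without putting the raw query into the metric. The doc block starts above the hunk and the returned middleware's closing lines are below it.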