Summary

We do not want to expose all of our GraphQL API to our users, we already do a decent chunk of obfuscation in production by disabling introspection, masking errors and disabling field suggestions. That however doesn't stop anyone from deriving this out of the calls the front-end makes, Persisted Operations are currently being specced out however they are a pretty established concept already in Relay/...

In doing so we will send a hash of the operation to the server rather than the complete document which makes for further obfuscation of the available GraphQL API and reduces the attack surface as we can embed pagination parameters like limit into the hash so it can't be increased to an unreasonable amount.

Proposed Solution

We enable the GraphQL Code Generator plugin to generate this by default, our server can pick up the generated file and store it so it's aware of all persisted-operations and the last part would be adding the persisted-exchange.

This however does leave a few problems on the table, what if our user is multi-client, their mobile app might have slightly different operations that need to be combined with the web-application. We need to take this into consideration when building the solution so we can for instance...

• support multiple stores of operations
• allow combinations of files