Moritz Roessler

Reputation: 8611

How can I use CSRF tokens with Apollo-Server?

We are currently developing a global content / e-commerce platform for a customer.

The website runs on Next.js and has an Apollo Server as API Gateway which runs integrated with Next.js on the same server.

I have a few questions about security as we don't have any security experts in our team who could clarify our needs for us.

  1. In order to secure the Apollo Server it only binds to localhost and only allows server-to-server requests, secured by a shared secret.
  2. In order to prevent most of the requests made from clients other than our frontend we secure our BFF APIs with CSRF tokens which need to be present in the cookie and the header of the request.

Because of this we need to proxy requests through the Next.js BFF, which happens over REST, e.g. Client <-- REST --> BFF <-- GraphQL --> Apollo Server.

I dislike that we can't use GraphQL from the Client to talk directly with our Apollo Server. On the other hand it seems it introduces a whole layer of complexity to open up the Apollo Server to the public internet, but I presume it could be configured to block any requests which don't contain valid CSRF cookies + headers.

What are your opinions on this? Do we throw away the benefits of GraphQL by using REST to communicate with the BFF? Should we open up Apollo Server to the internet and allow the Frontend to directly talk to it? Can we omit the BFF REST API entirely?

Does our current approach even make sense?

Upvotes: 0

Views: 471

Answers (1)

Michel Floyd

Reputation: 20227

You could simply add a csrf token to the header of requests sent to Apollo Server and then reject any request which fails that check. Next isn't adding any particular security benefit that Apollo can't provide directly.

This checking needs to happen in the context function you define on the server. That function can throw a 401 if the csrf token is missing or invalid.

You may find this security checklist helpful.

Upvotes: 1
