Add GraphQL GET support for subgraph endpoints

[raugfer]

Do you want to request a feature or report a bug?

I understanding it as bug, since GET requests should be supported by GraphQL compatible services.

https://graphql.org/learn/serving-over-http/#http-methods-headers-and-body

What is the current behavior?

Currently when accessing a subgraph URL using a GET request one gets redirected to /graphql (which is expected), however the /graphql handler does not work as expected.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.

Here is an example:

curl \
  --data '{"query":"query{signals(where:{id:\"0xb855e1847f49326ea13daeb454707faf4577604828827a780a81620000c4c2cf\"}){timestamp}}"}' \
  'https://api.thegraph.com/subgraphs/id/QmXe1SyxVqha6ipb8d3hht4WZaVzy43MUVXLoqXvYrb9dX'

Returns:

{"data":{"signals":[{"timestamp":"1632414153"}]}}

The same is expected to but is not returned by:

curl \
  'https://api.thegraph.com/subgraphs/id/QmXe1SyxVqha6ipb8d3hht4WZaVzy43MUVXLoqXvYrb9dX/graphql?query=query%7Bsignals(where:%7Bid:%220xb855e1847f49326ea13daeb454707faf4577604828827a780a81620000c4c2cf%22%7D)%7Btimestamp%7D%7D'

Here is a sample GraphQL URL that supports both modes:

POST

curl \
  -H "Content-Type: application/json" \
  --data '{"query":"{movies{name,genre}}"}' \
  'https://n7b67.sse.codesandbox.io/graphql'

GET

curl \
  'https://n7b67.sse.codesandbox.io/graphql?query=%7Bmovies%7Bname,genre%7D%7D'

What is the expected behavior?

GET requests should return the same results as POST requests. The difference is that the payload is passed in the URL's query string of the GET request, instead of the POST body.

[schmidsi]

I like this. That would be the first step of using The Graph as the endpoint for ERC721s tokenURI.

[azf20]

Thanks @raugfer! Will take away and review, need to verify what implementation would look like in Graph Node

[AStox]

Ahh looks like @schmidsi and I are on the same page here. Would love to to be generating dynamic SVG tokenURIs on the fly with a subgraph endpoint someday. Watching this thread 👀

[dotansimha]

Regarding GET requests, it is worth considering that tools like https://github.com/dolevf/graphql-cop consider GET calls as a vulnerability, due to CSRF (https://github.com/dolevf/graphql-cop/blob/20bf34fa249feefdd48c7176bb663f52e9a7466d/lib/tests/info_get_method_support.py#L7-L14).

Also worth mentioning that if at some point we'll implement SSE as a transport for GraphQL Subscriptions, we can use the GET calls as the base for EventSource protocol

[azf20]

Interesting - I think CSRF for read operations on a subgraph is low risk, what do you think @dotansimha ?

[dotansimha]

Interesting - I think CSRF for read operations on a subgraph is low risk, what do you think @dotansimha ?

Yeah, agree on that, especially because it's read-only, and variables are always specific to the Subgraph (so no secrets or anything passed there).