5. Coprocessor
10m

Overview

In this module, we will cover how we can extend the security mechanisms using a coprocessor.

Coprocessor

The gives you the ability to customize the behavior of your request processing in many different ways:

  • YAML configuration
  • Rhai scripting
  • Custom Rust plugins

The most flexible way to modify the behavior of the and extend its functionality is with a coprocessor. Coprocessor are simple HTTP applications you can use to implement:

  • External authentication & authorization (for example, OPA)
  • Custom data governance rules (for example, data redaction and tokenization)
  • Custom analytics and performance monitoring

You can write a coprocessor in any programming language that has an HTTP library.

To register a coprocessor, you'll need to include the coprocessor endpoint in the 's YAML file.

Processing stages

There are four different processing stages that you can modify: RouterRequest, RouterResponse, SubgraphRequest, and SubgraphResponse.

For more information about each stage, check out the Apollo documentation.

The current state

We'll be utilizing a coprocessor to implement a data governance rule that ensures that no credit card data is exposed in our responses.

Let's retrieve the user's credit card information and see what happens without the coprocessor enabled.

  1. In the Explorer tab of Studio, copy the following :

    GetUserCreditCards
    query GetUserCreditCards($userId: ID!) {
      user(id: $userId) {
        paymentMethods {
          id
          cardNumber
        }
      }
    }

  2. In the Variables panel, add the following JSON:

    Variables for the above query
    {
      "userId": "1"
    }

  3. Run the . You should receive data containing the user's payment methods, with their credit card numbers revealed in plain view.

    https://studio.apollographql.com

    Studio view of Explorer with successful query result

As you can observe, the credit card number is visible, which is highly unsafe. Let's activate our coprocessor to mask or redact this information.

Using a coprocessor

To make things simple, we've already created a coprocessor for you. You can take a look at the coprocessor code in the GitHub page.

We've also deployed it to this URL: https://coprocessor-wn3vwa6nlq-ue.a.run.app.

Production tip: We recommend deploying a coprocessor as a sidecar container within a pod for maximum speed and minimal latency.

  1. Open up the router.yaml file in GitHub.

  2. Add the following configuration to the end of the file:

    router.yaml
    coprocessor:
      url: https://coprocessor-wn3vwa6nlq-ue.a.run.app
      timeout: 2s
      router:
        response:
          body: true

  3. Commit the change.

    https://github.com

    GitHub view of the products-schema.graphql file with Commit button highlighted

With this change, your is now connected to the coprocessor.

Check your work

Jumping back to the Explorer tab on Studio, let's run that GetUserCreditCards again.

GetUserCreditCards
query GetUserCreditCards($userId: ID!) {
  user(id: $userId) {
    paymentMethods {
      id
      cardNumber
    }
  }
}

In the Variables panel:

Variables for the above query
{
  "userId": "1"
}

You should now see that the credit card numbers on the response are masked, showing up as ****-*****-****.

https://studio.apollographql.com

Studio view of Explorer with successful query result

Success! We have now implemented a coprocessor to mask sensitive data in our responses 🎉🎊🥳!

Coprocessor checklist

Up next

In the next section, we'll learn how to optimize our collaboration schema workflow by using .

Previous