Graphql Introspection in Fiber with Hmac Signatures

GraphQL introspection is a query capability that allows an attacker to retrieve the full schema, including types, queries, and mutations, without prior knowledge of the API. In a Fiber-based service, if introspection is enabled and the endpoint is exposed publicly, an attacker can map the API surface even when Hmac Signatures are used for request authentication. Hmac Signatures typically protect against tampering and replay by requiring a client to sign requests with a shared secret, but they do not inherently disable introspection. The combination therefore creates a mismatch: authentication via Hmac can be correctly enforced, while the GraphQL schema remains fully discoverable to anyone who can reach the endpoint.

This exposure becomes critical when the Hmac implementation is incomplete or inconsistently applied. For example, if the signature verification middleware does not apply to introspection queries, an attacker can send a standard introspection request over HTTPS and receive the schema in response. Attack patterns observed in the wild (e.g., linked to OWASP API Top 10:2023 Broken Object Level Authorization) show that leaked schemas facilitate reconnaissance for IDOR, BOLA, and privilege escalation. In a black-box scan, middleBrick runs the LLM/AI Security checks and the Property Authorization checks in parallel, detecting whether introspection responses contain sensitive types or relations that should be restricted. Because the scanner tests the unauthenticated attack surface, it can identify an open introspection endpoint even when Hmac Signatures protect other operations.

Furthermore, if the server reflects query arguments improperly or includes debug information in error messages, an attacker can use introspection to probe for hidden fields or deprecated resolvers. The presence of Hmac Signatures may give a false sense of protection if the team assumes authentication alone limits schema exposure. middleBrick’s OpenAPI/Swagger spec analysis resolves $ref chains and cross-references runtime findings with spec definitions, highlighting discrepancies such as an introspection-allowing route that is not covered by Hmac validation. The scanner reports findings with severity and remediation guidance, emphasizing that introspection should be limited in production and never rely on obscurity through Hmac alone.

To secure a Fiber API while preserving Hmac Signatures, you should explicitly disable introspection for production routes and ensure signature verification applies uniformly. Below are concrete, syntactically correct examples using the Fiber framework with a middleware that validates Hmac signatures and a handler that disables introspection when not in development.

Hmac Signature Middleware in Fiber

// Hmac signature verification middleware for Fiber
const crypto = require('crypto');

function verifyHmac(req, res, next) {
  const signature = req.get('X-API-Signature');
  const timestamp = req.get('X-Request-Timestamp');
  const body = req.rawBody; // ensure raw body is captured before parsing
  const secret = process.env.API_SECRET;

  if (!signature || !timestamp) {
    return res.status(401).send({ error: 'Missing authentication headers' });
  }

  // Prevent replay attacks by allowing a small time window
  const now = Math.floor(Date.now() / 1000);
  if (Math.abs(now - parseInt(timestamp, 10)) > 300) {
    return res.status(401).send({ error: 'Request expired' });
  }

  const expected = crypto
    .createHmac('sha256', secret)
    .update(timestamp + body)
    .digest('hex');

  if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    return res.status(401).send({ error: 'Invalid signature' });
  }
  next();
}

Disable Introspection in Production

const { app } = require('@gomod/fiber'); // pseudo import for illustration
const fiber = require('express'); // using express-style pattern for clarity; adapt to Fiber idioms

const isProduction = process.env.NODE_ENV === 'production';

const graphqlEndpoint = app.post('/graphql', verifyHmac, (req, res) => {
  const { query, operationName } = req.body;

  // Reject introspection queries in production
  if (isProduction && query && query.trim().startsWith('__schema') || query.includes('__type')) {
    return res.status(403).send({ error: 'Introspection is disabled in production' });
  }

  // Normal execution path would resolve the query against your schema
  // executeGraphql(query, operationName).then(...).catch(...)
  res.send({ data: null });
});

These examples demonstrate how to integrate Hmac verification tightly with request handling while explicitly blocking introspection queries in production. middleBrick’s GitHub Action can be added to CI/CD pipelines to fail builds if a scan detects an accessible introspection endpoint, ensuring that such misconfigurations are caught before deployment. The Pro plan’s continuous monitoring can alert you if runtime behavior diverges from your intended security posture, and the MCP Server allows you to run scans directly from your AI coding assistant while you develop.