pull down to refresh
102 sats \ 13 replies \ @k00b 21h \ parent \ on: Stacker Saloon
Sweet logo!
TY! I did have a quick question:
In the manifest file I had to get permission to call the graphql api
"host_permissions": [
"https://stacker.news/api/graphql"
],
but because of the way graphql works I can't restrict it to only read-only access. I could make the tool open source and you can always check the code but at any time I could update it and start calling mutations on your behalf. Do you have any good ideas for locking it down better so it can only read data and not also call mutations?
reply
If they give you permission, I’m not sure how we’d gate it on our end.
reply
I was thinking of adding a "read-only" version of the endpoint or even just an optional "read-only" query-string parameter. That way you could use a url like
"https://stacker.news/api/read-only-graphql" or "https://stacker.news/api/graphql?readOnly=true" so then you could be sure it couldn't run a mutationreply
I do think we can actually just allow queries and block mutations, by making the endpoint aware that we don't want to use mutations.
This requires more thinking and testing than just my sentence above. I know that we can do stuff to the GraphQL middleware.
If you don't mind the wait, I'll explore more about it in the coming days ^^
reply
yeah with the host permissions my background can break CORS and send whatever it wants. I need to check but I think it's making the requests with the logged in users credentials. This says https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#host-permissions
Access cookies with the chrome.cookies API.reply
Ah, you are right, it mentions that host permissions allow cross-site requests here:
Host permissions are specified as match patterns, and each pattern identifies a group of URLs for which the extension is requesting extra privileges. For example, a host permission could be"*://developer.mozilla.org/*".The extra privileges include:
- XMLHttpRequest and fetch access to those origins without cross-origin restrictions (though not for requests from content scripts, as was the case in Manifest V2).
I did not know that (I don't know anything about extensions), that is cool and scary haha
reply
I want to make one with a page action that is for submitting any url you may be on but this one is to help arbitrage links between HN and Stacker. You don't want to submit a duplicate so it needs to call the dup check for all the HN post urls. Right now its doing it in batches of 5. Heres my current graphql query
query UrlBatch($url0: String!, $url1: String!, $url2: String!, $url3: String!, $url4: String!) {
url0: dupes(url: $url0) { ...DupeInfo }
url1: dupes(url: $url1) { ...DupeInfo }
url2: dupes(url: $url2) { ...DupeInfo }
url3: dupes(url: $url3) { ...DupeInfo }
url4: dupes(url: $url4) { ...DupeInfo }
}
fragment DupeInfo on Item {
createdAt
commentSats
commentCredits
credits
id
ncomments
sub { name }
sats
title
updatedAt
upvotes
url
user { name id }
}
It shows a loading icon while its waiting for the batches of graphql queries to finish
Then if it has results is shows you info about the territory it was submitted to and how many sats its gotten
reply