Add the healtcheck checks on the end server.

* Disable startup headers.

* Add banning / unbanning of specific user.

Makefile

@@ -11,7 +11,7 @@ help:  ## display this help
 
 .PHONY: run
 run: build ## run application
-	@LOG_LEVEL=debug BLOCK_SCHEMA_INTROSPECTION=false JWT_ROLE_RATE_LIMIT=false JWT_ROLE_CLAIM_PATH="Hasura.x-hasura-default-role" JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/ ./graphql-proxy
+	@LOG_LEVEL=debug BLOCK_SCHEMA_INTROSPECTION=false CACHE_TTL=10 JWT_ROLE_RATE_LIMIT=false JWT_ROLE_CLAIM_PATH="Hasura.x-hasura-default-role" JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/ HEALTHCHECK_GRAPHQL_URL=https://hasura8.lan/v1/graphql ./graphql-proxy
 
 .PHONY: build
 build: ## build the binary

README.md

@@ -8,6 +8,25 @@ This project is in active use by [telegram-bot.app](https://telegram-bot.app), a
 
 You can find the example of the Kubernetes manifest in the [example deployment](static/kubernetes-deployment.yaml) file.
 
+- [graphql monitoring proxy](#graphql-monitoring-proxy)
+  - [Why this project exists](#why-this-project-exists)
+  - [Endpoints](#endpoints)
+  - [Features](#features)
+  - [Configuration](#configuration)
+  - [Speed](#speed)
+    - [Caching](#caching)
+  - [Security](#security)
+    - [Role-based rate limiting](#role-based-rate-limiting)
+    - [Read-only mode](#read-only-mode)
+    - [Allowing access to listed URLs](#allowing-access-to-listed-urls)
+    - [Blocking introspection](#blocking-introspection)
+  - [API endpoints](#api-endpoints)
+    - [Ban or unban the user](#ban-or-unban-the-user)
+  - [General](#general)
+    - [Healthcheck](#healthcheck)
+    - [Monitoring endpoint](#monitoring-endpoint)
+
+
 ### Why this project exists
 
 I wanted to monitor the queries and responses of our graphql endpoint. Still, we didn't want to pay the price of the graphql server itself ( and I will not point fingers at a particular well-known project), as monitoring and basic security features should be a standard, free functionality.
@@ -17,6 +36,8 @@ I wanted to monitor the queries and responses of our graphql endpoint. Still, we
 * `:8080/*` - the graphql passthrough endpoint
 * `:9393/metrics` - the prometheus metrics endpoint
 * `:8080/healthz` - the healthcheck endpoint
+* `:8080/livez` - the liveness probe endpoint
+* `:9090/api/*` - the monitoring proxy API endpoint
 
 ### Features
 
@@ -31,6 +52,7 @@ I wanted to monitor the queries and responses of our graphql endpoint. Still, we
 | security   | Rate limiting queries based on user role                              |
 | security   | Blocking mutations in read-only mode                                  |
 | security   | Allow access only to listed URLs                                      |
+| security   | Ban / unban specific user from accessing the application              |
 
 
 ### Configuration
@@ -40,20 +62,26 @@ I wanted to monitor the queries and responses of our graphql endpoint. Still, we
 | `MONITORING_PORT`         | The port to expose the metrics endpoint  | `9393`                     |
 | `PORT_GRAPHQL`            | The port to expose the graphql endpoint  | `8080`                     |
 | `HOST_GRAPHQL`            | The host to proxy the graphql endpoint   | `http://localhost/` |
+| `HEALTHCHECK_GRAPHQL_URL` | The URL to check the health of the graphql endpoint | `` |
 | `JWT_USER_CLAIM_PATH`     | Path to the user claim in the JWT token  | ``                         |
 | `JWT_ROLE_CLAIM_PATH`     | Path to the role claim in the JWT token  | ``                         |
-| `JWT_ROLE_FROM_HEADER`    | Header name to extract the role from     | ``                         |
+| `ROLE_FROM_HEADER`        | Header name to extract the role from     | ``                         |
 | `ROLE_RATE_LIMIT`         | Enable request rate limiting based on role| `false`                   |
 | `ENABLE_GLOBAL_CACHE`     | Enable the cache                        | `false`                    |
 | `CACHE_TTL`               | The cache TTL                           | `60`                       |
 | `LOG_LEVEL`               | The log level                           | `info`                     |
 | `BLOCK_SCHEMA_INTROSPECTION`| Blocks the schema introspection       | `false`                    |
+| `ALLOWED_INTROSPECTION`  | Allow only certain queries in introspection | ``                  |
 | `ENABLE_ACCESS_LOG`       | Enable the access log                   | `false`                    |
 | `READ_ONLY_MODE`          | Enable the read only mode               | `false`                    |
 | `ALLOWED_URLS`              | Allow access only to certain URLs       | `/v1/graphql,/v1/version`  |
+| `ENABLE_API`              | Enable the monitoring API               | `false`                    |
+| `API_PORT`                | The port to expose the monitoring API   | `9090`                     |
+| `BANNED_USERS_FILE`       | The path to the file with banned users  | `/go/src/app/banned_users.json`   |
 
+### Speed
 
-### Caching
+#### Caching
 
 The cache engine is enabled in the background by default, using no additional resources.
 You can then start using the cache by setting the `ENABLE_GLOBAL_CACHE` environment variable to `true` - which will enable the cache for all queries without introspection. You can leave the global cache disabled and enable the cache for specific queries by adding the `@cached` directive to the query.
@@ -61,7 +89,9 @@ You can then start using the cache by setting the `ENABLE_GLOBAL_CACHE` environm
 In the case of the `@cached` you can add additional parameters to the directive which will set the cache for specific queries to the provided time.
 For example, `query MyCachedQuery @cached(ttl: 90) ....` will set the cache for the query to 90 seconds.
 
-### Role-based rate limiting
+### Security
+
+#### Role-based rate limiting
 
 You can rate limit requests using the `ROLE_RATE_LIMIT` environment variable. If enabled, the proxy will rate limit the requests based on the role claim in the JWT token. You can then provide the JSON file in the following format to specify the limits.
 The default interval is `second`, but you can use other values as well. If you want to disable the rate limiting for a specific role, you can set the `req` to `0`.
@@ -99,16 +129,60 @@ Remember to include the `-` role, which is used for unauthenticated users or whe
 If rate limit has been reached - the proxy will return `429 Too Many Requests` error.
 
 
-### Read-only mode
+#### Read-only mode
 
 You can enable the read-only mode by setting the `READ_ONLY_MODE` environment variable to `true` - which will block all the `mutation` queries.
 
-### Allowing access to listed URLs
+#### Allowing access to listed URLs
 
 You can allow access only to certain URLs by setting the `ALLOWED_URLS` environment variable to a comma-separated list of URLs. If enabled - other URLs will return `403 Forbidden` error and request will **not** reach the proxied service.
 
+#### Blocking introspection
 
-### Monitoring endpoint
+You can block the schema introspection by setting the `BLOCK_SCHEMA_INTROSPECTION` environment variable to `true` - which will block all the queries with introspection parts, like:
+
+`__schema`, `__type`, `__typename`, `__directive`, `__directivelocation`, `__field`, `__inputvalue`, `__enumvalue`, `__typekind`, `__fieldtype`, `__inputobjecttype`, `__enumtype`, `__uniontype`, `__scalars`, `__objects`, `__interfaces`, `__unions`, `__enums`, `__inputobjects`, `__directives`
+
+If you'd like to keep blocking of the schema introspection on but allow one or more of from the list of above for any reason, you can use the `ALLOWED_INTROSPECTION` environment variable to specify the list of allowed queries.
+
+`ALLOWED_INTROSPECTION="__typename,__type"`
+
+### API endpoints
+
+#### Ban or unban the user
+
+Your monitoring system can detect user misbehaving, for example trying to extract / scrap the data. To prevent user from doing so you can use the simple API to ban the user from accessing the application.
+
+To do so - you need to enable the api by setting env variable `ENABLE_API=true` which will expose the API on the port `API_PORT=9090`. Nedless to say - keep it secure and don't expose it outside of your cluster.
+
+ Then you can use the following endpoints:
+
+* `POST /api/user-ban` - ban the user from accessing the application
+* `POST /api/user-unban` - unban the user from accessing the application
+
+Both endpoints require the `user_id` parameter to be present in the request body and allow you to provide the reason for the ban.
+
+Example request:
+
+```bash
+curl -X POST \
+  http://localhost:9090/api/user-ban \
+  -H 'Content-Type: application/json' \
+  -d '{
+      "user_id": "1337",
+      "reason": "Scraping data"
+    }'
+```
+
+Ban details will be stored in the `banned_users.json` file, which you can mount as a file or configmap to the `/go/src/app/banned_users.json` path ( or use `BANNED_USERS_FILE` environment variable to specify the path to the file). The file operation is important if you have multiple instances of the proxy running, as it will allow you to ban the user from accessing the application on all instances.
+
+### General
+
+#### Healthcheck
+
+If you'd like the `/healthz` endpoint to perform actual check for the connectivity to the graphql endpoint - set the `HEALTHCHECK_GRAPHQL_URL` environment variable to the exact URL of the graphql endpoint. The query executed will be `query { __typename }` and if the response is not `200 OK` - the healthcheck will fail.
+
+#### Monitoring endpoint
 
 Example metrics produced by the proxy:
 
@@ -125,4 +199,4 @@ graphql_proxy_executed_query{user_id="-",op_type="query",op_name="checkIfSpamAIR
 graphql_proxy_requests_failed 324
 graphql_proxy_requests_skipped 0
 graphql_proxy_requests_succesful 454823
-```
+```

api.go

@@ -0,0 +1,133 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	fiber "github.com/gofiber/fiber/v2"
+	"github.com/gofrs/flock"
+	libpack_config "github.com/lukaszraczylo/graphql-monitoring-proxy/config"
+)
+
+var bannedUsersIDs map[string]string = make(map[string]string)
+
+func enableApi() {
+	if cfg.Server.EnableApi {
+		apiserver := fiber.New(fiber.Config{
+			DisableStartupMessage: true,
+			AppName:               fmt.Sprintf("GraphQL Monitoring Proxy - %s v%s", libpack_config.PKG_NAME, libpack_config.PKG_VERSION),
+		})
+
+		api := apiserver.Group("/api")
+		api.Post("/user-ban", apiBanUser)
+		api.Post("/user-unban", apiUnbanUser)
+
+		go periodicallyReloadBannedUsers()
+		err := apiserver.Listen(fmt.Sprintf(":%d", cfg.Server.ApiPort))
+		if err != nil {
+			cfg.Logger.Critical("Can't start the service", map[string]interface{}{"error": err.Error()})
+		}
+	}
+}
+
+func periodicallyReloadBannedUsers() {
+	for {
+		loadBannedUsers()
+		cfg.Logger.Debug("Banned users reloaded", map[string]interface{}{"users": bannedUsersIDs})
+		<-time.After(10 * time.Second)
+	}
+}
+
+func checkIfUserIsBanned(c *fiber.Ctx, userID string) bool {
+	_, found := bannedUsersIDs[userID]
+	cfg.Logger.Debug("Checking if user is banned", map[string]interface{}{"user_id": userID, "found": found})
+	if found {
+		cfg.Logger.Info("User is banned", map[string]interface{}{"user_id": userID})
+		c.Status(403).SendString("User is banned")
+	}
+	return found
+}
+
+type apiBanUserRequest struct {
+	UserID string `json:"user_id"`
+	Reason string `json:"reason"`
+}
+
+func apiBanUser(c *fiber.Ctx) error {
+	var req apiBanUserRequest
+	err := c.BodyParser(&req)
+	if err != nil {
+		cfg.Logger.Error("Can't parse the ban user request", map[string]interface{}{"error": err.Error()})
+		return err
+	}
+	bannedUsersIDs[req.UserID] = req.Reason
+	cfg.Logger.Info("Banned user", map[string]interface{}{"user_id": req.UserID, "reason": req.Reason})
+	storeBannedUsers()
+	c.Status(200).SendString("OK: user banned")
+	return nil
+}
+
+func apiUnbanUser(c *fiber.Ctx) error {
+	var req apiBanUserRequest
+	err := c.BodyParser(&req)
+	if err != nil {
+		cfg.Logger.Error("Can't parse the unban user request", map[string]interface{}{"error": err.Error()})
+		return err
+	}
+	delete(bannedUsersIDs, req.UserID)
+	cfg.Logger.Info("Unbanned user", map[string]interface{}{"user_id": req.UserID})
+	storeBannedUsers()
+	c.Status(200).SendString("OK: user unbanned")
+	return nil
+}
+
+func storeBannedUsers() {
+	fileLock := flock.New(fmt.Sprintf("%s.lock", cfg.Api.BannedUsersFile))
+	err := fileLock.Lock()
+	if err != nil {
+		cfg.Logger.Error("Can't lock the file", map[string]interface{}{"error": err.Error()})
+		return
+	}
+	defer fileLock.Unlock()
+	data, err := json.Marshal(bannedUsersIDs)
+	if err != nil {
+		cfg.Logger.Error("Can't marshal banned users", map[string]interface{}{"error": err.Error()})
+		return
+	}
+	err = os.WriteFile(cfg.Api.BannedUsersFile, data, 0644)
+	if err != nil {
+		cfg.Logger.Error("Can't write banned users to file", map[string]interface{}{"error": err.Error()})
+		return
+	}
+}
+
+func loadBannedUsers() {
+	if _, err := os.Stat(cfg.Api.BannedUsersFile); os.IsNotExist(err) {
+		cfg.Logger.Info("Banned users file doesn't exist - creating it", map[string]interface{}{"file": cfg.Api.BannedUsersFile})
+		_, err := os.Create(cfg.Api.BannedUsersFile)
+		if err != nil {
+			cfg.Logger.Error("Can't create the file", map[string]interface{}{"error": err.Error()})
+			return
+		}
+	}
+
+	fileLock := flock.New(fmt.Sprintf("%s.lock", cfg.Api.BannedUsersFile))
+	err := fileLock.RLock() // Use RLock for read lock
+	if err != nil {
+		cfg.Logger.Error("Can't lock the file [load]", map[string]interface{}{"error": err.Error()})
+		return
+	}
+	defer fileLock.Unlock()
+
+	data, err := os.ReadFile(cfg.Api.BannedUsersFile)
+	if err != nil {
+		cfg.Logger.Error("Can't read banned users from file", map[string]interface{}{"error": err.Error()})
+		return
+	}
+	err = json.Unmarshal(data, &bannedUsersIDs)
+	if err != nil {
+		cfg.Logger.Error("Can't unmarshal banned users", map[string]interface{}{"error": err.Error()})
+		return
+	}
+}

cache.go

@@ -1,33 +1,25 @@
 package main
 
 import (
-	"fmt"
 	"time"
 
-	"github.com/akyoto/cache"
 	fiber "github.com/gofiber/fiber/v2"
 	"github.com/gookit/goutil/strutil"
+	libpack_cache "github.com/lukaszraczylo/graphql-monitoring-proxy/cache"
 )
 
 func calculateHash(c *fiber.Ctx) string {
-	return strutil.Md5(fmt.Sprintf("%s", c.Body()))
+	return strutil.Md5(c.Body())
 }
 
 func enableCache() {
-	var err error
-	cfg.Cache.CacheClient = cache.New(time.Duration(cfg.Cache.CacheTTL) * time.Second * 2)
-	if err != nil {
-		cfg.Logger.Critical("Can't create cache client", map[string]interface{}{"error": err.Error()})
-		panic(err)
-	}
+	cfg.Cache.CacheClient = libpack_cache.New(time.Duration(cfg.Cache.CacheTTL) * time.Second * 100)
 }
 
 func cacheLookup(hash string) []byte {
-	if cfg.Cache.CacheClient != nil {
-		obj, found := cfg.Cache.CacheClient.Get(hash)
-		if found {
-			return obj.([]byte)
-		}
+	obj, found := cfg.Cache.CacheClient.Get(hash)
+	if found {
+		return obj
 	}
 	return nil
 }

cache/cache.go

@@ -0,0 +1,112 @@
+package libpack_cache
+
+import (
+	"sync"
+	"time"
+)
+
+type CacheEntry struct {
+	Value     []byte
+	ExpiresAt time.Time
+}
+
+type Cache struct {
+	sync.RWMutex
+	entries   sync.Map
+	globalTTL time.Duration
+	bytePool  sync.Pool
+}
+
+func New(globalTTL time.Duration) *Cache {
+	cache := &Cache{
+		globalTTL: globalTTL,
+	}
+
+	// Initialize the byte pool.
+	cache.bytePool.New = func() interface{} {
+		return make([]byte, 0)
+	}
+
+	// Start the cache cleanup.
+	go cache.cleanupRoutine(globalTTL)
+	return cache
+}
+
+func (c *Cache) cleanupRoutine(globalTTL time.Duration) {
+	ticker := time.NewTicker(globalTTL / 2)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		c.CleanExpiredEntries()
+	}
+}
+
+func (c *Cache) Set(key string, value []byte, ttl time.Duration) {
+	c.Lock()
+	defer c.Unlock()
+	expiresAt := time.Now().Add(ttl)
+
+	// Get a byte slice from the pool and ensure it's properly sized.
+	b := c.bytePool.Get().([]byte)
+	if cap(b) < len(value) {
+		b = make([]byte, len(value))
+	} else {
+		b = b[:len(value)]
+	}
+
+	copy(b, value)
+
+	entry := CacheEntry{
+		Value:     b,
+		ExpiresAt: expiresAt,
+	}
+	c.entries.Store(key, entry)
+}
+
+func (c *Cache) Get(key string) ([]byte, bool) {
+	c.RLock()
+	defer c.RUnlock()
+
+	entry, ok := c.entries.Load(key)
+	if !ok || entry.(CacheEntry).ExpiresAt.Before(time.Now()) {
+		return nil, false
+	}
+
+	// Copy the value from the byte slice.
+	value := make([]byte, len(entry.(CacheEntry).Value))
+	copy(value, entry.(CacheEntry).Value)
+	return value, true
+}
+
+func (c *Cache) Delete(key string) {
+	c.Lock()
+	defer c.Unlock()
+
+	entry, ok := c.entries.Load(key)
+	if !ok {
+		return
+	}
+
+	// Return the byte slice to the pool.
+	c.bytePool.Put(entry.(CacheEntry).Value)
+
+	// Delete the entry from the cache.
+	c.entries.Delete(key)
+}
+
+func (c *Cache) CleanExpiredEntries() {
+	now := time.Now()
+	c.entries.Range(func(key, value interface{}) bool {
+		entry := value.(CacheEntry)
+		if entry.ExpiresAt.Before(now) {
+			// Return the byte slice to the pool.
+			c.bytePool.Put(entry.Value)
+
+			// Delete the entry from the cache.
+			c.entries.Delete(key)
+		}
+
+		// Return true to continue iterating over the map.
+		return true
+	})
+}

cache_test.go

@@ -27,7 +27,7 @@ func (suite *Tests) Test_cacheLookup() {
 		{
 			name: "test_existent",
 			args: args{
-				hash: "00000000000000000000000000000000000001",
+				hash: "00000000000000000000000000000000001337",
 			},
 			want: []byte("it's fine."),
 			addCache: struct {
@@ -40,7 +40,7 @@ func (suite *Tests) Test_cacheLookup() {
 	for _, tt := range tests {
 		suite.T().Run(tt.name, func(t *testing.T) {
 			if tt.addCache.data != nil {
-				cfg.Cache.CacheClient.Set(tt.args.hash, tt.addCache.data, time.Duration(1)*time.Second)
+				cfg.Cache.CacheClient.Set(tt.args.hash, tt.addCache.data, time.Duration(90*time.Second))
 			}
 			got := cacheLookup(tt.args.hash)
 			assert.Equal(tt.want, got, "Unexpected cache lookup result")

go.mod

@@ -4,30 +4,30 @@ go 1.21
 
 require (
 	github.com/VictoriaMetrics/metrics v1.24.0
-	github.com/akyoto/cache v1.0.6
 	github.com/buger/jsonparser v1.1.1
-	github.com/gofiber/fiber/v2 v2.49.2
-	github.com/gookit/goutil v0.6.12
+	github.com/gofiber/fiber/v2 v2.50.0
+	github.com/gofrs/flock v0.8.1
+	github.com/gookit/goutil v0.6.14
 	github.com/graphql-go/graphql v0.8.1
 	github.com/json-iterator/go v1.1.12
 	github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415
 	github.com/lukaszraczylo/go-ratecounter v0.1.8
-	github.com/lukaszraczylo/go-simple-graphql v1.1.32
+	github.com/lukaszraczylo/go-simple-graphql v1.1.35
 	github.com/rs/zerolog v1.31.0
 	github.com/stretchr/testify v1.8.4
 	github.com/valyala/fasthttp v1.50.0
 )
 
 require (
-	github.com/andybalholm/brotli v1.0.5 // indirect
+	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/avast/retry-go/v4 v4.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/uuid v1.3.1 // indirect
 	github.com/gookit/color v1.5.4 // indirect
-	github.com/klauspost/compress v1.17.0 // indirect
+	github.com/klauspost/compress v1.17.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect

go.sum

@@ -1,9 +1,7 @@
 github.com/VictoriaMetrics/metrics v1.24.0 h1:ILavebReOjYctAGY5QU2F9X0MYvkcrG3aEn2RKa1Zkw=
 github.com/VictoriaMetrics/metrics v1.24.0/go.mod h1:eFT25kvsTidQFHb6U0oa0rTrDRdz4xTYjpL8+UPohys=
-github.com/akyoto/cache v1.0.6 h1:5XGVVYoi2i+DZLLPuVIXtsNIJ/qaAM16XT0LaBaXd2k=
-github.com/akyoto/cache v1.0.6/go.mod h1:WfxTRqKhfgAG71Xh6E3WLpjhBtZI37O53G4h5s+3iM4=
-github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
-github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
+github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/avast/retry-go/v4 v4.5.0 h1:QoRAZZ90cj5oni2Lsgl2GW8mNTnUCnmpx/iKpwVisHg=
 github.com/avast/retry-go/v4 v4.5.0/go.mod h1:7hLEXp0oku2Nir2xBAsg0PTphp9z71bN5Aq1fboC3+I=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
@@ -14,21 +12,23 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofiber/fiber/v2 v2.49.2 h1:ONEN3/Vc+dUCxxDgZZwpqvhISgHqb+bu+isBiEyKEQs=
-github.com/gofiber/fiber/v2 v2.49.2/go.mod h1:gNsKnyrmfEWFpJxQAV0qvW6l70K1dZGno12oLtukcts=
+github.com/gofiber/fiber/v2 v2.50.0 h1:ia0JaB+uw3GpNSCR5nvC5dsaxXjRU5OEu36aytx+zGw=
+github.com/gofiber/fiber/v2 v2.50.0/go.mod h1:21eytvay9Is7S6z+OgPi7c7n4++tnClWmhpimVHMimw=
+github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
+github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
 github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
-github.com/gookit/goutil v0.6.12 h1:73vPUcTtVGXbhSzBOFcnSB1aJl7Jq9np3RAE50yIDZc=
-github.com/gookit/goutil v0.6.12/go.mod h1:g6krlFib8xSe3G1h02IETowOtrUGpAmetT8IevDpvpM=
+github.com/gookit/goutil v0.6.14 h1:96elyOG4BvVoDaiT7vx1vHPrVyEtFfYlPPBODR0/FGQ=
+github.com/gookit/goutil v0.6.14/go.mod h1:YyDBddefmjS+mU2PDPgCcjVzTDM5WgExiDv5ZA/b8I8=
 github.com/graphql-go/graphql v0.8.1 h1:p7/Ou/WpmulocJeEx7wjQy611rtXGQaAcXGqanuMMgc=
 github.com/graphql-go/graphql v0.8.1/go.mod h1:nKiHzRM0qopJEwCITUuIsxk9PlVlwIiiI8pnJEhordQ=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM=
-github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.17.1 h1:NE3C767s2ak2bweCZo3+rdP4U/HoyVXLv/X9f2gPS5g=
+github.com/klauspost/compress v1.17.1/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -40,13 +40,14 @@ github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415 h1:lvI8Wlbg4PxkR
 github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415/go.mod h1:M+UVdyqZs++xtEPrascaVmZdOMhCnxjZ2SgH+xHpR0c=
 github.com/lukaszraczylo/go-ratecounter v0.1.8 h1:ZYm6Wkn58ZAlFWRmC7PaD4oAYHWcu8/0MUDWGe3PnJQ=
 github.com/lukaszraczylo/go-ratecounter v0.1.8/go.mod h1:TqXEOCtFJStk1i0tkipprv1kiDHGon1MVUisjSTBSKM=
-github.com/lukaszraczylo/go-simple-graphql v1.1.32 h1:udiz2hnLNO2b/hc9Z0xcjYt+HcFbChQQuIY4HZmky80=
-github.com/lukaszraczylo/go-simple-graphql v1.1.32/go.mod h1:c1nN/qtjsvpqpkBFsnBCYCDLdLMuWzy/zxeJzTjm5qg=
+github.com/lukaszraczylo/go-simple-graphql v1.1.35 h1:51agVc1C5p9VxiZuvk8TwsEAWU+ieNXnmAgRdRXuqFk=
+github.com/lukaszraczylo/go-simple-graphql v1.1.35/go.mod h1:YWMelAXnFs8uknj3Pv2gO8Svzv5k4cAL940MI0n/R0k=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=

graphql.go

@@ -96,7 +96,15 @@ func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cache
 			if cfg.Security.BlockIntrospection {
 				for _, s := range oper.SelectionSet.Selections {
 					for _, s2 := range s.GetSelectionSet().Selections {
-						if _, exists := retrospectionQuerySet[s2.(*ast.Field).Name.Value]; exists {
+						if _, exists := retrospectionQuerySet[strings.ToLower(s2.(*ast.Field).Name.Value)]; exists {
+							if len(cfg.Security.IntrospectionAllowed) > 0 {
+								for _, introspectionQueryAllowed := range cfg.Security.IntrospectionAllowed {
+									if strings.EqualFold(strings.ToLower(introspectionQueryAllowed), strings.ToLower(s2.(*ast.Field).Name.Value)) {
+										cfg.Logger.Debug("Introspection query allowed, passing through", m)
+										return
+									}
+								}
+							}
 							cfg.Logger.Warning("Introspection query blocked", m)
 							cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
 							c.Status(403).SendString("Introspection queries are not allowed")

main.go

@@ -30,9 +30,17 @@ func parseConfig() {
 	c.Cache.CacheEnable = envutil.GetBool("ENABLE_GLOBAL_CACHE", false)
 	c.Cache.CacheTTL = envutil.GetInt("CACHE_TTL", 60)
 	c.Security.BlockIntrospection = envutil.GetBool("BLOCK_SCHEMA_INTROSPECTION", false)
+	c.Security.IntrospectionAllowed = func() []string {
+		urls := envutil.Getenv("ALLOWED_INTROSPECTION", "")
+		if urls == "" {
+			return nil
+		}
+		return strings.Split(urls, ",")
+	}()
 	c.Logger = libpack_logging.NewLogger()
+	c.Server.HealthcheckGraphQL = envutil.Getenv("HEALTHCHECK_GRAPHQL_URL", "")
 	c.Client.GQLClient = graphql.NewConnection()
-	c.Client.GQLClient.SetEndpoint(c.Server.HostGraphQL)
+	c.Client.GQLClient.SetEndpoint(c.Server.HealthcheckGraphQL)
 	c.Server.AccessLog = envutil.GetBool("ENABLE_ACCESS_LOG", false)
 	c.Server.ReadOnlyMode = envutil.GetBool("READ_ONLY_MODE", false)
 	c.Server.AllowURLs = func() []string {
@@ -43,9 +51,13 @@ func parseConfig() {
 		return strings.Split(urls, ",")
 	}()
 	c.Client.FastProxyClient = createFasthttpClient()
+	c.Server.EnableApi = envutil.GetBool("ENABLE_API", false)
+	c.Server.ApiPort = envutil.GetInt("API_PORT", 9090)
+	c.Api.BannedUsersFile = envutil.Getenv("BANNED_USERS_FILE", "/go/src/app/banned_users.json")
 	cfg = &c
 	enableCache() // takes close to no resources, but can be used with dynamic query cache
 	loadRatelimitConfig()
+	enableApi()
 }
 
 func main() {

main_test.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"fmt"
 	"testing"
 
 	assertions "github.com/stretchr/testify/assert"
@@ -21,14 +20,13 @@ func (suite *Tests) SetupTest() {
 }
 
 func (suite *Tests) BeforeTest(suiteName, testName string) {
-	fmt.Println("BeforeTest")
-	cfg = &config{}
-	parseConfig()
-	StartMonitoringServer()
 }
 
 // func (suite *Tests) AfterTest(suiteName, testName string) {)
 
 func TestSuite(t *testing.T) {
+	cfg = &config{}
+	parseConfig()
+	StartMonitoringServer()
 	suite.Run(t, new(Tests))
 }

monitoring/monitoring.go

@@ -10,6 +10,7 @@ import (
 	"github.com/VictoriaMetrics/metrics"
 	"github.com/gofiber/fiber/v2"
 	"github.com/gookit/goutil/envutil"
+	libpack_config "github.com/lukaszraczylo/graphql-monitoring-proxy/config"
 	logging "github.com/lukaszraczylo/graphql-monitoring-proxy/logging"
 )
 
@@ -31,7 +32,10 @@ func NewMonitoring() *MetricsSetup {
 }
 
 func (ms *MetricsSetup) startPrometheusEndpoint() {
-	app := fiber.New()
+	app := fiber.New(fiber.Config{
+		DisableStartupMessage: true,
+		AppName:               fmt.Sprintf("GraphQL Monitoring Proxy - %s v%s", libpack_config.PKG_NAME, libpack_config.PKG_VERSION),
+	})
 	app.Get("/metrics", ms.metricsEndpoint)
 	err := app.Listen(fmt.Sprintf(":%d", envutil.GetInt("MONITORING_PORT", 9393)))
 	if err != nil {
@@ -46,7 +50,6 @@ func (ms *MetricsSetup) metricsEndpoint(c *fiber.Ctx) error {
 
 func (ms *MetricsSetup) AddMetricsPrefix(prefix string) {
 	ms.metrics_prefix = prefix
-	return
 }
 
 func (ms *MetricsSetup) ListActiveMetrics() []string {

proxy.go

@@ -33,20 +33,20 @@ func proxyTheRequest(c *fiber.Ctx) error {
 		c.Status(403).SendString("Request blocked - not allowed URL")
 		return nil
 	}
-
+	c.Request().Header.DisableNormalizing()
 	c.Request().Header.Add("X-Real-IP", c.IP())
 	c.Request().Header.Add(fiber.HeaderXForwardedFor, string(c.Request().Header.Peek("X-Forwarded-For")))
 
 	proxy.WithClient(cfg.Client.FastProxyClient)
 
-	cfg.Logger.Debug("Proxying the request", map[string]interface{}{"path": c.Path(), "body": string(c.Request().Body())})
+	cfg.Logger.Debug("Proxying the request", map[string]interface{}{"path": c.Path(), "body": string(c.Request().Body()), "headers": c.GetReqHeaders()})
 	err := proxy.DoRedirects(c, cfg.Server.HostGraphQL+c.Path(), 3)
 	if err != nil {
 		cfg.Logger.Error("Can't proxy the request", map[string]interface{}{"error": err.Error()})
 		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
 		return err
 	}
-	cfg.Logger.Debug("Received proxied response", map[string]interface{}{"path": c.Path(), "response_body": string(c.Response().Body()), "response_code": c.Response().StatusCode()})
+	cfg.Logger.Debug("Received proxied response", map[string]interface{}{"path": c.Path(), "response_body": string(c.Response().Body()), "response_code": c.Response().StatusCode(), "headers": c.GetRespHeaders()})
 
 	if c.Response().StatusCode() != 200 {
 		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)

server.go

@@ -8,6 +8,7 @@ import (
 	"github.com/gofiber/fiber/v2/middleware/cors"
 
 	jsoniter "github.com/json-iterator/go"
+	libpack_config "github.com/lukaszraczylo/graphql-monitoring-proxy/config"
 	libpack_monitoring "github.com/lukaszraczylo/graphql-monitoring-proxy/monitoring"
 )
 
@@ -15,16 +16,22 @@ var json = jsoniter.ConfigCompatibleWithStandardLibrary
 
 // StartHTTPProxy starts the HTTP and points it to the GraphQL server.
 func StartHTTPProxy() {
-	server := fiber.New()
+	server := fiber.New(fiber.Config{
+		DisableStartupMessage: true,
+		AppName:               fmt.Sprintf("GraphQL Monitoring Proxy - %s v%s", libpack_config.PKG_NAME, libpack_config.PKG_VERSION),
+	})
 
 	server.Use(cors.New(cors.Config{
 		AllowOrigins: "*",
 	}))
 
+	server.Get("/healthz", healthCheck)
+	server.Get("/livez", healthCheck)
+
 	server.Post("/*", processGraphQLRequest)
 	server.Get("/*", proxyTheRequest)
 
-	server.Get("/healthz", healthCheck)
+	cfg.Logger.Info("GraphQL query proxy started", map[string]interface{}{"port": cfg.Server.PortGraphQL})
 	err := server.Listen(fmt.Sprintf(":%d", cfg.Server.PortGraphQL))
 	if err != nil {
 		cfg.Logger.Critical("Can't start the service", map[string]interface{}{"error": err.Error()})
@@ -44,14 +51,20 @@ func checkAllowedURLs(c *fiber.Ctx) bool {
 }
 
 func healthCheck(c *fiber.Ctx) error {
-	// query := `{ __typename }`
-	// _, err := cfg.Client.GQLClient.Query(query, nil, nil)
-	// if err != nil {
-	// 	cfg.Logger.Error("Can't reach the GraphQL server", map[string]interface{}{"error": err.Error()})
-	// 	cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
-	// 	return c.SendStatus(500)
-	// }
-	return c.SendStatus(200)
+	if len(cfg.Server.HealthcheckGraphQL) > 0 {
+		cfg.Logger.Debug("Health check enabled", map[string]interface{}{"url": cfg.Server.HealthcheckGraphQL})
+		query := `{ __typename }`
+		_, err := cfg.Client.GQLClient.Query(query, nil, nil)
+		if err != nil {
+			cfg.Logger.Error("Can't reach the GraphQL server", map[string]interface{}{"error": err.Error()})
+			cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+			c.Status(500).SendString("Can't reach the GraphQL server with {__typename} query")
+			return err
+		}
+	}
+	cfg.Logger.Debug("Health check returning OK")
+	c.Status(200).SendString("Health check OK")
+	return nil
 }
 
 func processGraphQLRequest(c *fiber.Ctx) error {
@@ -67,6 +80,10 @@ func processGraphQLRequest(c *fiber.Ctx) error {
 		extractedUserID, extractedRoleName = extractClaimsFromJWTHeader(string(authorization))
 	}
 
+	if checkIfUserIsBanned(c, extractedUserID) {
+		return nil
+	}
+
 	if len(cfg.Client.RoleFromHeader) > 0 {
 		extractedRoleName = string(c.Request().Header.Peek(cfg.Client.RoleFromHeader))
 		if extractedRoleName == "" {

struct_config.go

@@ -1,8 +1,8 @@
 package main
 
 import (
-	"github.com/akyoto/cache"
 	graphql "github.com/lukaszraczylo/go-simple-graphql"
+	libpack_cache "github.com/lukaszraczylo/graphql-monitoring-proxy/cache"
 	libpack_logging "github.com/lukaszraczylo/graphql-monitoring-proxy/logging"
 	libpack_monitoring "github.com/lukaszraczylo/graphql-monitoring-proxy/monitoring"
 	"github.com/valyala/fasthttp"
@@ -15,12 +15,15 @@ type config struct {
 
 	// Server holds the configuration of the server _ONLY_.
 	Server struct {
-		PortGraphQL    int
-		PortMonitoring int
-		HostGraphQL    string
-		AccessLog      bool
-		ReadOnlyMode   bool
-		AllowURLs      []string
+		PortGraphQL        int
+		PortMonitoring     int
+		HostGraphQL        string
+		HealthcheckGraphQL string
+		AccessLog          bool
+		ReadOnlyMode       bool
+		AllowURLs          []string
+		EnableApi          bool
+		ApiPort            int
 	}
 
 	Client struct {
@@ -36,10 +39,15 @@ type config struct {
 	Cache struct {
 		CacheEnable bool
 		CacheTTL    int
-		CacheClient *cache.Cache
+		CacheClient *libpack_cache.Cache
+	}
+
+	Api struct {
+		BannedUsersFile string
 	}
 
 	Security struct {
-		BlockIntrospection bool
+		BlockIntrospection   bool
+		IntrospectionAllowed []string
 	}
 }