chore(gateway): Expose GraphQL API

[HamadaSalhab]

PR Type

Enhancement, Configuration changes

---

Description

• Added support for Hasura GraphQL API integration.

• Updated environment variables and configurations for Hasura.

• Enhanced traefik.yml.template with Hasura routing and service definitions.

• Updated docker-compose.yml for Hasura service setup.

---

Changes walkthrough 📝

	Relevant files
Configuration changes	entrypoint.sh Add `HASURA_URL` environment variable to entrypoint script gateway/entrypoint.sh Introduced HASURA_URL environment variable with default value. Ensured HASURA_URL is included in the script's environment setup. +1/-0      .env.example Add `HASURA_URL` to example environment file                          .env.example Added HASURA_URL example configuration. Updated HASURA_CLAIMS_MAP for Hasura claims mapping. +1/-0      docker-compose.yml Update Docker Compose for Hasura integration                          gateway/docker-compose.yml Added HASURA_URL to the gateway service environment variables. Ensured compatibility with Hasura service in Docker Compose. +1/-0      docker-compose.yml Update Hasura Docker Compose configuration                              hasura/docker-compose.yml Added HASURA_GRAPHQL_SERVER_PORT environment variable. Updated Hasura service configuration for multi-tenant setup. +1/-0
Enhancement	traefik.yml.template Add Hasura routing and service in Traefik configuration    gateway/traefik.yml.template Added routing for Hasura GraphQL API under /v1/graphql. Defined service-hasura with load balancer and server URL. Configured middleware for Hasura service. +15/-0

---

Need help?

Type /help how to ... in the comments thread for any questions about Qodo Merge usage.

Check out the documentation for more information.

[qodo-merge-pro-for-open-source]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 Security concerns Authentication concerns: The PR exposes a GraphQL API endpoint at /v1/graphql with CORS headers allowing all methods, but doesn't explicitly show authentication middleware being applied to this route. While the Hasura service has an admin secret configured, the traefik configuration doesn't show JWT or other authentication being applied to the GraphQL endpoint. This could potentially allow unauthorized access to the GraphQL API if authentication is not properly enforced elsewhere.

⚡ Recommended focus areas for review Security Configuration The GraphQL endpoint is exposed with CORS headers allowing all methods but doesn't appear to have authentication middleware applied. Verify if JWT authentication should be applied to the Hasura GraphQL endpoint. hasura: entryPoints: - web rule: PathPrefix(`/v1/graphql`) middlewares: - corsHeaders service: service-hasura priority: 3

[qodo-merge-pro-for-open-source]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Add JWT authentication Add JWT authentication configuration to Hasura to secure the GraphQL endpoint. Without proper JWT configuration, the GraphQL API will be accessible without authentication. hasura/docker-compose.yml [10-16] environment: HASURA_GRAPHQL_DATABASE_URL: ${PG_DSN:-postgres://postgres:postgres@memory-store:5432/postgres?sslmode=disable} HASURA_GRAPHQL_SERVER_PORT: 8080 HASURA_GRAPHQL_ENABLE_CONSOLE: "true" HASURA_GRAPHQL_DEV_MODE: "true" HASURA_GRAPHQL_ENABLED_LOG_TYPES: startup, http-log, webhook-log, websocket-log, query-log HASURA_GRAPHQL_ADMIN_SECRET: ${HASURA_ADMIN_SECRET:-hasura} + HASURA_GRAPHQL_JWT_SECRET: '{"type":"HS256", "key": "${JWT_SHARED_KEY}"}' + HASURA_GRAPHQL_UNAUTHORIZED_ROLE: "anonymous" Apply this suggestion Suggestion importance[1-10]: 9 __ Why: This suggestion addresses a critical security concern by adding JWT authentication configuration to Hasura. Without this, the GraphQL endpoint would be accessible without proper authentication, creating a significant security vulnerability in the system.	High
More

[ellipsis-dev]

❌ Changes requested. Reviewed everything up to 78fd7d5 in 2 minutes and 6 seconds

More details

• Looked at 80 lines of code in 5 files
• Skipped 0 files when reviewing.
• Skipped posting 9 drafted comments based on config settings.

1. .env.example:140

• Draft comment:
  This environment variable with the same default value is already defined in the gateway service configuration.

• HASURA_URL environment variable (docker-compose.yml)

• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50%
  Having the same environment variable defined in multiple places with the same default value could potentially cause confusion or maintenance issues. However, .env.example is meant to be a reference for all possible environment variables, so having it listed there is actually correct and useful. The docker-compose.yml file using the same default is not a problem - it's a complementary configuration.
  Maybe having consistent documentation of environment variables is actually important for developers setting up the system? The .env.example file serves as central documentation.
  Yes, exactly - .env.example should list ALL possible environment variables, even if they have defaults elsewhere. This helps developers understand what variables are available.
  The comment should be deleted. Having HASURA_URL in .env.example is correct and useful as documentation, even if it has a default value in docker-compose.yml.

2. .env.example:140

• Draft comment:
  Consider adding a comment for HASURA_URL to indicate its purpose, similar to other GraphQL vars.
• Reason this comment was not posted:
  Confidence changes required: 20% <= threshold 50%
  None

3. gateway/docker-compose.yml:11

• Draft comment:
  Ensure HASURA_URL value (http://hasura:8080) matches the internal network and hasura container setup in Docker.
• Reason this comment was not posted:
  Confidence changes required: 20% <= threshold 50%
  None

4. gateway/entrypoint.sh:8

• Draft comment:
  Verify if HASURA_URL should be required like JWT_SHARED_KEY and AGENTS_API_KEY, or if a default suffices.
• Reason this comment was not posted:
  Confidence changes required: 30% <= threshold 50%
  None

5. gateway/traefik.yml.template:88

• Draft comment:
  New router for Hasura GraphQL looks correct; ensure its priority (3) doesn't conflict with other services.
• Reason this comment was not posted:
  Confidence changes required: 20% <= threshold 50%
  None

6. hasura/docker-compose.yml:12

• Draft comment:
  Explicitly setting HASURA_GRAPHQL_SERVER_PORT to 8080 is good; verify port mappings align with traefik routing.
• Reason this comment was not posted:
  Confidence changes required: 20% <= threshold 50%
  None

7. .env.example:137

• Draft comment:
  Consider adding an inline comment explaining HASURA_URL (e.g., 'Hasura GraphQL API endpoint') for clarity.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50%
  None

8. gateway/traefik.yml.template:162

• Draft comment:
  Verify that 'passHostHeader: false' for service-hasura is intentional to avoid forwarding client headers.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50%
  None

9. hasura/docker-compose.yml:12

• Draft comment:
  Explicitly setting HASURA_GRAPHQL_SERVER_PORT (8080) helps ensure consistency with the gateway routing.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50%
  None

Workflow ID: wflow_ulxkHP2ii6XFfMst

---

Want Ellipsis to fix these issues? Tag @ellipsis-dev in a comment. You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.