zuplo 6.67.32 → 6.68.0

package/docs/policies/firebase-jwt-inbound/schema.json

@@ -0,0 +1,68 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
+  "type": "object",
+  "title": "Firebase JWT Auth",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "products": ["api-gateway"],
+  "description": "Authenticate users using Firebase issued JWT tokens.",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "FirebaseJwtInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/runtime)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "FirebaseJwtInboundPolicyOptions",
+          "type": "object",
+          "description": "The options for this policy.",
+          "additionalProperties": false,
+          "required": ["projectId"],
+          "properties": {
+            "allowUnauthenticatedRequests": {
+              "type": "boolean",
+              "default": false,
+              "description": "Allow unauthenticated requests to proceed. This is use useful if you want to use multiple authentication policies or if you want to allow both authenticated and non-authenticated traffic."
+            },
+            "projectId": {
+              "type": "string",
+              "examples": ["my-project-id"],
+              "description": "Your Firebase Project ID."
+            },
+            "oAuthResourceMetadataEnabled": {
+              "type": "boolean",
+              "default": false,
+              "description": "Flag that determines whether OAuth protected resource metadata is enabled."
+            }
+          }
+        }
+      },
+      "examples": [
+        {
+          "export": "FirebaseJwtInboundPolicy",
+          "module": "$import(@zuplo/runtime)",
+          "options": {
+            "allowUnauthenticatedRequests": false,
+            "oAuthResourceMetadataEnabled": false,
+            "projectId": "my-project-id"
+          }
+        }
+      ]
+    }
+  }
+}

package/docs/policies/formdata-to-json-inbound/schema.json

@@ -0,0 +1,60 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
+  "type": "object",
+  "title": "Form Data to JSON",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "products": ["api-gateway"],
+  "description": "Converts form data in the incoming request to JSON.",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "FormDataToJsonInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/runtime)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "FormDataToJsonInboundPolicyOptions",
+          "type": "object",
+          "description": "The options for this policy.",
+          "additionalProperties": false,
+          "required": [],
+          "properties": {
+            "badRequestIfNotFormData": {
+              "type": "boolean",
+              "default": true,
+              "description": "Should the policy return an error if the request is not of the type form data."
+            },
+            "optionalHoneypotName": {
+              "type": "string",
+              "description": "The name of the honeypot field. Used to provide basic spam filtering."
+            }
+          }
+        }
+      },
+      "examples": [
+        {
+          "export": "FormDataToJsonInboundPolicy",
+          "module": "$import(@zuplo/runtime)",
+          "options": {
+            "badRequestIfNotFormData": true
+          }
+        }
+      ]
+    }
+  }
+}

package/docs/policies/galileo-tracing-inbound/schema.json

@@ -0,0 +1,65 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
+  "type": "object",
+  "title": "Galileo Tracing",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "products": ["ai-gateway"],
+  "description": "Galileo Tracing Inbound Policy",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "GalileoTracingInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/runtime)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "Galileo Tracing",
+          "description": "Track AI Gateway requests and responses using Galileo's LLM observability platform.",
+          "type": "object",
+          "properties": {
+            "apiKey": {
+              "description": "The Galileo API key for authentication.",
+              "type": "string"
+            },
+            "projectId": {
+              "description": "The Galileo project ID (UUID) for organizing traces.",
+              "type": "string"
+            },
+            "logStreamId": {
+              "description": "The Galileo log stream ID (UUID) for organizing traces.",
+              "type": "string"
+            },
+            "baseUrl": {
+              "description": "The base URL for the Galileo API (optional, defaults to https://api.galileo.ai).",
+              "type": "string"
+            }
+          },
+          "required": ["apiKey", "projectId", "logStreamId"],
+          "additionalProperties": false
+        }
+      },
+      "examples": [
+        {
+          "export": "GalileoTracingInboundPolicy",
+          "module": "$import(@zuplo/runtime)",
+          "options": {}
+        }
+      ]
+    }
+  }
+}

package/docs/policies/geo-filter-inbound/doc.md

@@ -0,0 +1,33 @@
+## Geo-location Filter Policy
+
+Specify an allow list or block list of:
+
+- **Countries** - Country of the incoming request. The
+  [two-letter country code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) in
+  the request, for example, "US".
+- **regionCodes** - If known, the
+  [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) code for the
+  first-level region associated with the IP address of the incoming request, for
+  example, "TX"
+- **ASNs** - ASN of the incoming request, for example, 395747.
+
+:::warning
+
+If you specify an allow and block list for the same location type (e.g.
+`country`) may have no effect or block all requests.
+
+```
+{
+  "allow" : {
+    "countries" : "US"
+  },
+  "block" : {
+    "countries" : "MC"
+  }
+}
+```
+
+The policy will only allow requests from US, so any request from MC would be
+automatically blocked.
+
+:::

package/docs/policies/geo-filter-inbound/schema.json

@@ -0,0 +1,108 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
+  "type": "object",
+  "title": "Geo-location filtering",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "products": ["api-gateway"],
+  "description": "Block requests based on geo-location parameters: country, region code, and ASN",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "GeoFilterInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/runtime)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "GeoFilterInboundPolicyOptions",
+          "type": "object",
+          "description": "The options for this policy.",
+          "additionalProperties": false,
+          "required": [],
+          "properties": {
+            "block": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "countries": {
+                  "type": "string",
+                  "examples": ["US, CA"],
+                  "description": "comma separated string of country codes to allow (e.g. \"US, CA\")."
+                },
+                "regionCodes": {
+                  "type": "string",
+                  "examples": ["TX, WA"],
+                  "description": "comma separated string of region codes to allow (e.g. \"TX, WA\")."
+                },
+                "asns": {
+                  "type": "string",
+                  "examples": ["395747, 28304"],
+                  "description": "comma separated string of ASNs to allow (e.g. \"395747, 28304\")."
+                }
+              }
+            },
+            "allow": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "countries": {
+                  "type": "string",
+                  "examples": ["US, CA"],
+                  "description": "comma separated string of country codes to allow (e.g. \"US, CA\")."
+                },
+                "regionCodes": {
+                  "type": "string",
+                  "examples": ["TX, WA"],
+                  "description": "comma separated string of region codes to allow (e.g. \"TX, WA\")."
+                },
+                "asns": {
+                  "type": "string",
+                  "examples": ["395747, 28304"],
+                  "description": "comma separated string of ASNs to allow (e.g. \"395747, 28304\")."
+                }
+              }
+            },
+            "ignoreUnknown": {
+              "type": "boolean",
+              "default": true,
+              "description": "Specifies whether unknown geo-location parameters should be ignored (allowed through)."
+            }
+          }
+        }
+      },
+      "examples": [
+        {
+          "export": "GeoFilterInboundPolicy",
+          "module": "$import(@zuplo/runtime)",
+          "options": {
+            "allow": {
+              "asns": "395747, 28304",
+              "countries": "US, CA",
+              "regionCodes": "TX, WA"
+            },
+            "block": {
+              "asns": "395747, 28304",
+              "countries": "US, CA",
+              "regionCodes": "TX, WA"
+            },
+            "ignoreUnknown": true
+          }
+        }
+      ]
+    }
+  }
+}

package/docs/policies/graphql-complexity-limit-inbound/doc.md

@@ -0,0 +1,48 @@
+### Depth Limit
+
+Limit the depth a GraphQL query is allowed to query for.
+
+- **maxDepth** - Number of levels a GraphQL query is allowed to query for.
+
+This allows you to limit the depth of a GraphQL query. This is useful to prevent
+DoS attacks on your GraphQL server.
+
+```
+{
+  # Level 0
+  me {
+    # Level 1
+    name
+    friends {
+      # Level 2
+      name
+      friends {
+        # Level 3
+        name
+        # ...
+      }
+    }
+  }
+}
+```
+
+### Complexity Limit
+
+Example:
+
+- **maxComplexity** - Maximum complexity allowed for a query.
+
+```
+{
+  me {
+    name  # Complexity +1
+    age   # Complexity +1
+    email # Complexity +1
+    friends {
+      name   # Complexity +1
+      height # Complexity +1
+    }
+  }
+}
+# Total complexity = 5
+```

package/docs/policies/graphql-complexity-limit-inbound/intro.md

@@ -0,0 +1,2 @@
+This policy allows you to add a limit for the depth and a limit for the
+complexity of a GraphQL query.

package/docs/policies/graphql-complexity-limit-inbound/schema.json

@@ -0,0 +1,90 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
+  "type": "object",
+  "title": "GraphQL Complexity Limit",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "products": ["api-gateway"],
+  "description": "Policy that limits the complexity and depth of GraphQL queries to prevent abuse. Protects your GraphQL API from expensive queries that could cause performance issues or denial of service attacks.",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "GraphQLComplexityLimitInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/graphql)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "type": "object",
+          "title": "GraphQLComplexityLimitInboundPolicyOptions",
+          "description": "The options for this policy.",
+          "required": ["useComplexityLimit", "useDepthLimit"],
+          "additionalProperties": false,
+          "properties": {
+            "useComplexityLimit": {
+              "type": "object",
+              "additionalProperties": false,
+              "required": ["maxComplexity", "variables"],
+              "properties": {
+                "complexityLimit": {
+                  "type": "number",
+                  "examples": [10],
+                  "description": "The maximum complexity a query is allowed to have."
+                },
+                "endpointUrl": {
+                  "type": "string",
+                  "description": "The endpoint URL to use for the complexity calculation."
+                }
+              }
+            },
+            "useDepthLimit": {
+              "type": "object",
+              "additionalProperties": false,
+              "required": ["maxDepth"],
+              "properties": {
+                "depthLimit": {
+                  "type": "number",
+                  "description": "The maximum depth a query is allowed to have."
+                },
+                "ignore": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  },
+                  "description": "The fields to ignore when calculating the depth of a query."
+                }
+              }
+            }
+          }
+        }
+      },
+      "examples": [
+        {
+          "export": "GraphQLComplexityLimitInboundPolicy",
+          "module": "$import(@zuplo/graphql)",
+          "options": {
+            "useComplexityLimit": {
+              "complexityLimit": 10
+            },
+            "useDepthLimit": {
+              "ignore": []
+            }
+          }
+        }
+      ]
+    }
+  }
+}

package/docs/policies/graphql-disable-introspection-inbound/doc.md

@@ -0,0 +1,66 @@
+This policy blocks GraphQL introspection queries, which are used to discover the
+schema structure of your GraphQL API. Introspection is a powerful feature in
+development but can expose sensitive information about your API in production
+environments.
+
+### How It Works
+
+The policy examines each GraphQL request and checks if it contains introspection
+queries by looking for the presence of `__schema` or `__type` fields in the
+query. If an introspection query is detected, the policy returns a
+`403 Forbidden` response with the message "Introspection queries are not
+allowed".
+
+### Policy Configuration
+
+This policy requires no configuration options. Simply add it to your route's
+inbound policies:
+
+```json
+{
+  "name": "disable-introspection",
+  "policyType": "graphql-disable-introspection-inbound",
+  "handler": {
+    "export": "GraphQLDisableIntrospectionInboundPolicy",
+    "module": "$import(@zuplo/graphql)"
+  }
+}
+```
+
+### Usage Examples
+
+#### Applying to a GraphQL Endpoint
+
+Add the policy to your GraphQL route:
+
+```json
+{
+  "paths": {
+    "/graphql": {
+      "post": {
+        "x-zuplo-route": {
+          "policies": {
+            "inbound": ["disable-introspection", "rate-limit"]
+          },
+          "handler": {
+            "export": "graphqlHandler",
+            "module": "$import(./handlers/graphql)"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+### Security Considerations
+
+- It's recommended to disable introspection in production environments while
+  keeping it enabled in development for tooling support
+- This policy only blocks introspection queries that pass through Zuplo - you
+  can still keep introspection enabled for direct access to your GraphQL server
+  during development
+- Consider combining this policy with authentication policies to further secure
+  your GraphQL API
+- While this policy blocks standard introspection queries, it's still important
+  to implement proper authorization controls for your GraphQL resolvers

package/docs/policies/graphql-disable-introspection-inbound/intro.md

@@ -0,0 +1,15 @@
+Prevent GraphQL introspection queries on your API to enhance security in
+production environments. This policy blocks any attempt to discover your schema
+structure through introspection with a `403 Forbidden` response.
+
+With this policy, you'll benefit from:
+
+- **Enhanced API Security**: Hide your GraphQL schema structure from potential
+  attackers
+- **Selective Protection**: Block introspection only for requests passing
+  through Zuplo
+- **Production-Ready**: Implement security best practices for GraphQL in
+  production
+- **Zero Configuration**: Works immediately without any additional setup
+- **Development Flexibility**: Keep introspection enabled in development
+  environments

package/docs/policies/graphql-disable-introspection-inbound/schema.json

@@ -0,0 +1,48 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
+  "type": "object",
+  "title": "GraphQL Disable Introspection",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "products": ["api-gateway"],
+  "description": "Policy that disables GraphQL introspection queries in production. Introspection allows clients to discover the schema, which can be a security risk as it exposes your entire API structure.",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "GraphQLDisableIntrospectionInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/graphql)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "GraphqlDisableIntrospectionInboundPolicyOptions",
+          "type": "object",
+          "description": "The options for this policy.",
+          "required": [],
+          "additionalProperties": false,
+          "properties": {}
+        }
+      },
+      "examples": [
+        {
+          "export": "GraphQLDisableIntrospectionInboundPolicy",
+          "module": "$import(@zuplo/graphql)",
+          "options": {}
+        }
+      ]
+    }
+  }
+}