doc/development/spam_protection_and_captcha/graphql_api.md
If the model can be modified via the GraphQL API, you must also add support to all of the
relevant GraphQL mutations which may modify spammable or spam-related attributes. This
definitely includes the Create and Update mutations, but may also include others, such as those
related to changing a model's confidential/public flag.
The main steps are:
Use include Mutations::SpamProtection in your mutation.
Pass perform_spam_check: true to the Update Service class constructor.
It is set to true by default in the Create Service.
After you create or update the Spammable model instance, call #check_spam_action_response!
and pass it the model instance. This call:
GraphQL::ExecutionError exception.extensions: parameter.
For more details on these fields, refer to the section in the GraphQL API documentation on
Resolve mutations detected as spam.[!note] If you use the standard ApolloLink or Axios interceptor CAPTCHA support described above, you can ignore the field details, because they are handled automatically. They become relevant if you attempt to use the GraphQL API directly to process a failed check for potential spam, and resubmit the request with a solved CAPTCHA response.
For example:
module Mutations
module Widgets
class Create < BaseMutation
include Mutations::SpamProtection
def resolve(args)
service_response = ::Widgets::CreateService.new(
project: project,
current_user: current_user,
params: args
).execute
widget = service_response.payload[:widget]
check_spam_action_response!(widget)
# If possible spam was detected, an exception would have been thrown by
# `#check_spam_action_response!`, so the normal resolve return logic can follow below.
end
end
end
end
Refer to the Exploratory Testing section for instructions on how to test CAPTCHA behavior in the GraphQL API.