CR Parser

Airlock Microgateway Engine parses the request body before applying filters (deny rules, limits, OpenAPI, GraphQL) to a request's content. The parser selection is based on the Content-Type header. The CR Parser can be used to customize the built-in default parser selection logic.

  • Built-in parsers can be enabled/disabled individually (e.g., JSON and URL-encoded form parsers).
  • The built-in logic parses requests with Content-Type headers matching the corresponding mediaTypePattern pattern. The default pattern can be adjusted to trigger parsing on other content-type patterns.
  • Multipart parsing is enabled by default in the CR Parser. The Engines deny rules are applied to the parsed parameters as configured.
  • For requests without a Content-Type header, the parser logic adds a content-type header with the value configured in defaultContentType. However, the default can be customized using the option. The added Content-Type header is also used to select the correct parser as described above.

This CR needs to be referenced in the CR ContentSecurity.

The parser configuration is a crucial setting and influences the behavior of other filters. For example, disabling the JSON parser or set a less restrictive value causes that deny rules, limits, or OpenAPI specification validation are not applied at all. The same is true for other parsers.

GraphQL query parsing

The parser can identify and parse GraphQL queries from different types of requests.

  • JSON bodies (with content type application/json). Note that the JSON parser must be enabled.
  • HTTP requests with query parameters

The parameter names/JSON keys are "query", "variables" and "operationName", where the former is required for GraphQL query identification.

The key "operationName" is used as an identifier for logging if present.