
Rearchitect to cater for querying both protected and unprotected SPARQL endpoints #36

Open
edmondchuc opened this issue Sep 7, 2022 · 1 comment

Comments

@edmondchuc
Contributor

We are currently using the free tiers of Anzograph and GraphDB and since Anzograph provides better performance for simultaneous queries, we are using it for most of our analytical queries. However, by default, Anzograph's SPARQL endpoints have basic auth enabled for both SPARQL 1.1 and SPARQL Update 1.1. This was the original reason why we duplicated the data in GraphDB as well so that public-facing applications can query the data via an unprotected SPARQL endpoint.

Since we now control the server that makes requests to the data store, we can cater for queries to the Anzograph SPARQL endpoint by fetching the basic auth details in linkeddata-api for SPARQL 1.1 queries.

There are security concerns relating to SPARQL injection attacks. Anzograph unfortunately does not differentiate endpoints for SPARQL 1.1 and SPARQL Update 1.1, meaning it is possible for malicious actors to inject harmful queries. To prevent these queries, we will need to escape certain characters as suggested in https://stackoverflow.com/questions/29601839/standard-regex-to-prevent-sparql-injection.

@edmondchuc
Contributor Author

For the viewer, the only value that gets interpolated into the SPARQL query is the resource URI. This means we just need to check whether a valid URI was passed or not. Since we are already using RDFLib, we can use the function rdflib.term._is_valid_uri as illustrated here RDFLib/rdflib#1469 (comment).

Otherwise, we can look to using regex to determine if a URI is valid or not. See https://www.w3.org/TR/n-triples/#grammar-production-IRIREF.
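An added example (not code from this issue or from linkeddata-api) of the regex alternative described in the comment above: it validates the resource URI against the N-Triples IRIREF production before it is interpolated into a query, so that a value containing `>`, whitespace or braces cannot close the IRI and append further query text. The query template and function names are assumptions for illustration; the example does not depend on rdflib.

```python
import re

# IRIREF body from the N-Triples grammar
# (https://www.w3.org/TR/n-triples/#grammar-production-IRIREF):
#   '<' ( [^#x00-#x20<>"{}|^`\] | UCHAR )* '>'
#   UCHAR ::= '\u' HEX{4} | '\U' HEX{8}
_UCHAR = r"\\u[0-9A-Fa-f]{4}|\\U[0-9A-Fa-f]{8}"
_IRI_BODY = re.compile(rf"(?:[^\x00-\x20<>\"{{}}|^`\\]|{_UCHAR})*")

# N-Triples IRIs are absolute, so additionally require an RFC 3987 scheme.
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:")


def is_valid_iri(value: str) -> bool:
    """True if value (without angle brackets) is an absolute IRI per IRIREF."""
    if not value or not _SCHEME.match(value):
        return False
    return _IRI_BODY.fullmatch(value) is not None


def build_resource_query(resource_uri: str) -> str:
    """Interpolate the resource URI into a query only after validation.

    The query text is a constructed stand-in for the viewer's real query.
    Raises ValueError instead of sending a query for a malformed URI.
    """
    if not is_valid_iri(resource_uri):
        raise ValueError(f"rejected resource URI: {resource_uri!r}")
    return f"SELECT ?p ?o WHERE {{ <{resource_uri}> ?p ?o }}"


if __name__ == "__main__":
    # Constructed inputs: one well-formed IRI, one that tries to break out
    # of the IRI and one relative reference (no scheme).
    for candidate in (
        "http://example.org/resource/1",
        "http://example.org/x> ?p ?o }",
        "resource/1",
    ):
        try:
            print(build_resource_query(candidate))
        except ValueError as exc:
            print(exc)
```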
