Hi Guys - awesome project!
For developers that want to use graphql-server for private APIs that are exposed publicly (e.g. for mobile app APIs, etc.), it would be good to be able to disable the __schema query endpoint in production.
Would you consider adding a disableIntrospection option?
Hey @dupski, I think for such APIs it would be better to allow only a specific whitelist of queries rather than blacklisting only the introspection query. However, if you do want to blacklist the introspection query, you could write a new GraphQL validation rule that checks if a query contains the __schema or __type field and then pass that as an additional validation rule. How does that sound?
@dupski @TimMikeladze @scalder27 I thought what sounds super-easy to me might not seem as easy to people who don't work on GraphQL stuff every day, so I quickly wrote an npm package that contains that validation rule. It's called graphql-disable-introspection. I hope it helps!
PS: I wrote a bunch of tests for it so I'm fairly confident it works, but I can't guarantee it, so make sure to check that it actually works for you before putting it in production anywhere.
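A minimal version of the validation rule @helfer describes above (a rule that rejects any query selecting `__schema` or `__type`, passed in alongside the built-in rules), written here as an added example; it is not the code of graphql-server or of the graphql-disable-introspection package. It assumes graphql-js's rule interface (a function taking a ValidationContext and returning an AST visitor), and the demo harness at the bottom stands in for graphql-js's `validate` with hand-built Field nodes so the file runs without the `graphql` package installed.

```javascript
// Added example, not code from graphql-server or graphql-disable-introspection.
// Assumes graphql-js's validation-rule interface: a rule receives a
// ValidationContext, returns an AST visitor, and reports via context.reportError.
let GraphQLError;
try {
  ({ GraphQLError } = require('graphql')); // real class when graphql is installed
} catch (e) {
  GraphQLError = Error; // offline fallback so the demo harness below still runs
}

// The rule: flag any field named __schema or __type, wherever it appears.
// Wire it in with the built-in rules, e.g.
//   validate(schema, document, [...specifiedRules, NoIntrospection])
// or through the server's validationRules option, and enable it only in
// production so GraphiQL and codegen tooling keep working in development.
function NoIntrospection(context) {
  return {
    Field(node) {
      const name = node.name.value;
      if (name === '__schema' || name === '__type') {
        context.reportError(new GraphQLError(
          `GraphQL introspection is not allowed, but the query contained ${name}`
        ));
      }
    },
  };
}

// ---- Constructed demo harness (stand-in for graphql-js's validate) ----
// Builds Field nodes in the shape graphql-js's parser produces.
function field(name, selections) {
  const node = { kind: 'Field', name: { kind: 'Name', value: name } };
  if (selections && selections.length) node.selectionSet = { selections };
  return node;
}

// Minimal walker: calls the visitor's Field hook for every field selection.
function walkSelections(selections, visitor) {
  for (const node of selections) {
    if (node.kind === 'Field') visitor.Field(node);
    if (node.selectionSet) walkSelections(node.selectionSet.selections, visitor);
  }
}

// Runs the rule over a constructed operation's selections and returns the
// error messages it reported (an empty array means the query is allowed).
function introspectionErrors(selections) {
  const errors = [];
  const context = { reportError: (err) => errors.push(err.message) };
  walkSelections(selections, NoIntrospection(context));
  return errors;
}
```

In a real deployment the rule runs inside graphql-js's `validate`, which walks the full document (fragments included) and rejects the request before any resolver executes.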
Sweet, thanks a lot @helfer, will check it out :)