I'd like to disable authentication on introspection queries and enable it for other kinds of queries, so that I can see the schema in GraphQL Playground, even when no valid authorization header is present.
If I just throw an exception when no valid authorization is present, Playground fails to load the schema because the introspection query fails.
The only way to get around this problem seems to be not throwing authentication errors at all if NODE_ENV is development. There is no way to check whether a GraphQL query is an introspection query or not inside the context function, is there?
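```js
const { ApolloServer, AuthenticationError } = require("apollo-server");

// `schema` is the executable schema built elsewhere.
const server = new ApolloServer({
  schema,
  context: () => {
    // throw authentication error if authorization header is not present or invalid
    throw new AuthenticationError("Invalid authorization header");
  }
});
```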
@vroad, hey there!
My understanding is that, in this case, you should not validate user authentication on the context callback.
As per the docs:
> We would want to do this only on very restrictive environments where there is no public access to the schema or any fields, like an internal tool or maybe an independent micro service that we don’t want exposed to the public.

Did you take a look at Resolver auth? Maybe it fits better with your case.
Hi, @eberhara, sorry for the late reply.
Is that the only way? I'd like to handle authentication in a single place on an API gateway server. It already has an executable GraphQL schema from underlying APIs, so I didn't want to duplicate resolvers/mutations at the API gateway level.
What would be the best approach for allowing introspection for our CI? I'd like to be able to use apollo-tooling to perform checks against the schema registry.
👋 I'll close this since this doesn't appear to be a bug with Apollo Server, but rather a question about how to use it or one of its components.
Rather than asking it here in GitHub Issues — where efforts are focused on fixing bugs and adding new features — I'd ask that you take this question to the _Apollo Server_ channel within the Apollo community on Spectrum.chat where there are community members who might be able to relate to a similar problem, or might be able to help you out more interactively. Thanks for your understanding!
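Added example, not part of the thread and not Apollo Server's own code: one way to decide, before enforcing authentication, whether a request is introspection only, failing closed on anything ambiguous. It assumes the query text has already been parsed with graphql-js `parse()` (the sample ASTs are constructed by hand so the block runs without dependencies); the helper names are hypothetical.

```javascript
// Root fields that expose schema metadata only.
const INTROSPECTION_FIELDS = new Set(["__schema", "__type", "__typename"]);

// True only if the operation that would execute is a query whose root
// selections are all introspection fields. Anything ambiguous returns false,
// so the caller still demands authentication (fail closed).
function isIntrospectionOnly(doc, operationName) {
  if (!doc || !Array.isArray(doc.definitions)) return false;
  // FragmentDefinition entries are ignored here; only operations can execute.
  const ops = doc.definitions.filter((d) => d.kind === "OperationDefinition");
  const op = operationName
    ? ops.find((o) => o.name && o.name.value === operationName)
    : ops.length === 1 ? ops[0] : undefined;
  if (!op || op.operation !== "query") return false;
  const roots = op.selectionSet.selections;
  // Root-level fragment spreads and inline fragments are rejected rather than
  // resolved, because they could carry ordinary fields. The check reads the
  // field name, not the alias, so `__schema: orders` does not pass.
  return roots.length > 0 &&
    roots.every((s) => s.kind === "Field" && INTROSPECTION_FIELDS.has(s.name.value));
}

// Constructed sample ASTs, trimmed to the properties the check reads.
const name = (value) => ({ kind: "Name", value });
const field = (n, alias) => ({ kind: "Field", name: name(n), alias: alias && name(alias) });
const op = (operation, opName, selections) => ({
  kind: "OperationDefinition",
  operation,
  name: opName ? name(opName) : undefined,
  selectionSet: { kind: "SelectionSet", selections },
});
const doc = (...definitions) => ({ kind: "Document", definitions });

const playgroundQuery = doc(
  op("query", "IntrospectionQuery", [field("__schema")]),
  { kind: "FragmentDefinition", name: name("FullType") }
);
const mixedQuery = doc(op("query", "Q", [field("__schema"), field("orders")]));
const aliasedQuery = doc(op("query", "Q", [field("orders", "__schema")]));
const rootSpread = doc(op("query", null, [{ kind: "FragmentSpread", name: name("F") }]));
const twoOps = doc(
  op("query", "Introspect", [field("__schema")]),
  op("mutation", "Change", [field("deleteOrder")])
);
```

In a context function this would be called with the parsed request query and the request's `operationName`, and the authentication error thrown only when it returns `false`; batched (array) request bodies are not handled and should be treated as requiring authentication.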