Is there any way to disable the introspection query in a specific environment (production, in my case)?
There is nothing built-in, but you could inspect the request to determine it is introspection and not allow it. Either by using a validation rule (probably the easiest) or you can build the Document yourself and inspect it.
```csharp
var documentBuilder = new GraphQLDocumentBuilder();
var document = documentBuilder.Build(options.Query);

// loop through operations + fields and see if it is introspection

// pass Document to executor so it doesn't have to build it again
schema.Execute(_ =>
{
    _.Query = options.Query;
    _.Document = document;
});
```
Validation rules already loop through operations + fields for you.
```csharp
public class IntrospectionNotAllowed : IValidationRule
{
    public INodeVisitor Validate(ValidationContext context)
    {
        return new EnterLeaveListener(_ =>
        {
            var myContext = context.UserContext as MyGraphQLContext;
            if (!myContext.IsProduction()) return;

            _.Match<Field>(
                enter: field =>
                {
                    // don't recall the exact properties off-hand
                    if (field...)
                    {
                        var error = new ValidationError(
                            context.OriginalQuery,
                            "code1",
                            "Not allowed",
                            field);
                        context.ReportError(error);
                    }
                });
        });
    }
}
```
Great! We've implemented the validation rule and it worked!
@wendelnascimento: care to disclose how you tested for introspection?
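On the open question of how to test for introspection: the GraphQL spec defines `__schema` and `__type` as the root introspection fields, so a check only has to find either name used as a Name token in the request. The following is an added example, not code from this thread or from graphql-dotnet; `IntrospectionGuard` is a hypothetical helper that scans the raw query text (the `options.Query` string above) and skips comments and string literals so that a string argument containing `__schema` is not mistaken for a field.

```csharp
using System;
using System.Collections.Generic;

public static class IntrospectionGuard   // hypothetical name, not part of graphql-dotnet
{
    // Root introspection fields from the GraphQL spec. __typename is not blocked:
    // it exposes no schema and many clients add it to ordinary queries.
    static readonly HashSet<string> Blocked = new HashSet<string> { "__schema", "__type" };

    // GraphQL names are ASCII only: [_A-Za-z][_0-9A-Za-z]*
    static bool IsNameChar(char c, bool first) =>
        c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (!first && c >= '0' && c <= '9');

    static bool At(string s, int i, string lit) => string.CompareOrdinal(s, i, lit, 0, lit.Length) == 0;

    public static bool ContainsIntrospection(string query)
    {
        int i = 0, n = query?.Length ?? 0;
        while (i < n)
        {
            char c = query[i];
            if (c == '#')                         // comment runs to end of line
            {
                while (i < n && query[i] != '\n' && query[i] != '\r') i++;
            }
            else if (c == '"')                    // "string" or """block string"""
            {
                bool block = At(query, i, "\"\"\"");
                i += block ? 3 : 1;
                while (i < n)
                {
                    if (block && At(query, i, "\\\"\"\"")) { i += 4; continue; }  // \""" is the only block-string escape
                    if (block && At(query, i, "\"\"\"")) { i += 3; break; }
                    if (!block && query[i] == '\\') { i += 2; continue; }         // escaped character
                    if (!block && (query[i] == '"' || query[i] == '\n' || query[i] == '\r')) { i++; break; }
                    i++;
                }
            }
            else if (IsNameChar(c, true))         // Name token: compare it whole, so "x__schema" does not match
            {
                int start = i;
                while (i < n && IsNameChar(query[i], false)) i++;
                if (Blocked.Contains(query.Substring(start, i - start))) return true;
            }
            else i++;
        }
        return false;
    }
}
```

The scan is deliberately conservative: an alias or argument that happens to be named `__schema` is also flagged, which is acceptable for a deny rule in production. The same two names are what a validation rule would compare against the name of each visited field.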