Disable GraphQL introspection
Install the graphql-disable-introspection package:
```bash
npm install graphql-disable-introspection
```
Add this as a server plugin to Postgraphile:
```js
import express from "express";
import { postgraphile, makePluginHook } from "postgraphile";
import NoIntrospection from "graphql-disable-introspection";

// Server plugin: append the NoIntrospection validation rule to the static
// validation rules PostGraphile runs against every incoming operation.
const DisableIntrospectionServerPlugin = {
  ["postgraphile:validationRules:static"](rules) {
    return [...rules, NoIntrospection];
  },
};

const app = express();
app.use(
  postgraphile(
    process.env.DATABASE_URL || "postgres://user:pass@host:5432/dbname",
    "public",
    {
      pluginHook: makePluginHook([DisableIntrospectionServerPlugin]),
    }
  )
);
app.listen(process.env.PORT || 3000);
```
I think that disabling introspection is virtually pointless; due to the way GraphQL works it's trivial to discover the fields that a client issues and from that you can build up an understanding of the GraphQL schema yourself, replicating most of what introspection gives you. It is at best security through obscurity, at worst it's a false sense of security.
If your goal is to prevent third parties issuing queries that you've not sanctioned then you should use persisted operations as an operation allow-list. (Do not confuse "persisted operations" with Apollo's "automatic persisted queries" which are not a suitable approach for this goal.) Read more here:
- https://www.graphile.org/postgraphile/production/#simple-query-allowlist-persisted-queries--persisted-operations
- https://github.com/graphile/persisted-operations
If your goal is to prevent your own developers (and third parties) from querying certain fields/using certain arguments/etc in your schema, then don't put those things in your schema! You can read about removing things from a PostGraphile schema here:
- https://www.graphile.org/postgraphile/smart-tags/#omit
- https://www.graphile.org/postgraphile/extending-raw/#removing-things-from-the-schema
Stay safe out there!