search

apollographql / router

A configurable, high-performance routing runtime for Apollo Federation 🚀
https://www.apollographql.com/docs/router/
Other
807 stars 272 forks source link

Disable coprocessor for introspection queries #4606

Open smyrick opened 8 months ago

smyrick commented 8 months ago

Is your feature request related to a problem? Please describe. I want to keep introspection on in my lower environments but also enable the RouterRequest and RouterResponse stage in my coprocessor. If I then open up Apollo Explorer, my coprocessor is flooded with a bunch of requests that I just ignore. It would be ideal if the Router did not call out to the coprocessor at all for these operations and waste the HTTP call and processing time.

Describe the solution you'd like A configurable option in the Router coprocessor stage to disable using it for IntrospectionQueries

coprocessor:
  url: http://localhost:3000
  router:
    use_on_introspection: false
    request:
      body: true
    response:
      body: true

Another option could be to allow Rhai script to control when a coprocessor is called or not with some metadata in the context and let users figure it out

Describe alternatives you've considered I could not use the Router stage as other stages like Supergraph are not invoked for Introspection operations, but I want to operate at the very front of the request cycle.

Additional context How we for sure know that it is an introspection query will have to be validated. We don't want to allow malicous actors to be able to get around a coprocessor by just naming their operation IntrospectionQuery or including some hidden fields like __schema along side real data fields

Geal commented 8 months ago

Could you clarify some things here? At the router service plugin level, the only thing the router sees is a stream of bytes, the query has not been parsed yet, so it would not be the right place to recognize an introspection query. I do not see either why the coprocessor at the supergraph service level would not be called for introspection queries. All valid queries will reach the supergraph service

smyrick commented 8 months ago

Hmm, you bring up a good point. I suppose that the RouterRequest does not parse any bytes and we just forward the request on, so maybe we should not do anything here. However, the coprocessor is definitely called for the SupergraphRequest phase and we could parse the operation name and body here to understand if it is the default introspection query with no changes. I have a small example here:

https://github.com/apollosolutions/router-playground

Screenshot 2024-02-15 at 2 04 01 PM