While I am almost certain it is not mentioned in the spec, it is positively a good thing to have natively in the framework. Please forgive me if there is already a mechanism to implement something like this, I still do not have a lot of familiarity with juniper.
Other frameworks allow the user to replace the schema with another one through middleware, e.g Python Graphene
We can find several security-oriented websites that recommend disabling introspection to make potential attackers have more trouble finding vulnerabilities, avoid leaking non-public types, and errors in general:
Here’s a short version of how I did it in a project where introspection must be disabled due to security requirements.
Ideally, juniper should have API for custom and third-party validation rules, and introspection disabling would be just one of. However, this requires some revamp of the validation machinery. So, with this PR we introduce a dead-simple implementation via an additional field on RootNode, and later, will remake via custom validation rules machinery, once it's there.
However, the check is still implemented as a validation rule.
Resolves #456
Synopsis
See https://github.com/graphql-rust/juniper/issues/456#issuecomment-706589900 for details:
Solution
From https://github.com/graphql-rust/juniper/issues/456#issuecomment-706589900:
and https://github.com/graphql-rust/juniper/issues/456#issuecomment-1639384982:
Ideally,
juniper
should have API for custom and third-party validation rules, and introspection disabling would be just one of. However, this requires some revamp of the validation machinery. So, with this PR we introduce a dead-simple implementation via an additional field onRootNode
, and later, will remake via custom validation rules machinery, once it's there.However, the check is still implemented as a validation rule.
Checklist