What OS and OS version are you experiencing the issue(s) on?
OSX 10.13.3
What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?
1.5.7
What is the expected behavior?
I have a way to know when the introspection query is made.
What is the actual behavior?
When loading the playground interface it makes an introspection query to the graphql endpoint.
We would love to use graphql-playground as a self-documenting tool for our graphql API, but this makes it hard because:
My users need an access_token (oauth2) to authenticate themselves on my /graphql endpoint.
The introspection query makes its query against that /graphql endpoint without an access_token, and is therefore forbidden from doing it.
I tried to poke around to find a good way to deal with this but I can't find anything that wouldn't open a breach in my API.
Just looking into the query searching for /^query IntrospectionQuery isn't enough because this:
```graphql
query IntrospectionQuery {
  __schema {
    queryType { name }
  }
  # This should be protected by my auth middleware and therefore couldn't happen.
  myProtectedEndpoint {
    data
  }
}
```
is totally valid.
What would be the good way to deal with that problem according to you?
One thing that would help would be providing the graphql-playground-middleware-express method with the schema from the start so it doesn't have to use introspection.
Now that I've written this I'm realizing that the best way would probably be to make the user authenticate before allowing him access to this playground.
This issue pertains to the following package(s):
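As an added example that is not part of the issue or of graphql-playground: an allow-list that classifies a document by the fields it actually selects, rather than by matching /^query IntrospectionQuery/, so that only pure introspection is served without the access_token and the counterexample above is refused. The hand-rolled tokenizer and the names `tokenize`, `topLevelFields`, `isIntrospectionOnly` and `INTROSPECTION_FIELDS` are assumptions of this example; a deployment would parse the document with graphql-js's `parse` instead of a regex tokenizer.

```javascript
// Added example (not from the issue or graphql-playground): decide from the selected fields,
// not from the operation name, whether a document is pure introspection and may skip auth.
const INTROSPECTION_FIELDS = new Set(['__schema', '__type', '__typename']);
// Minimal tokenizer: strings/comments become opaque literals (escaped """ in block strings
// is not handled); names and punctuators are kept. A real deployment would use a GraphQL parser.
function tokenize(src) {
  const re = /"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|#[^\n]*|[A-Za-z_][A-Za-z0-9_]*|\.\.\.|[^\s,]/g;
  return Array.from(src.matchAll(re), (m) => {
    const t = m[0];
    if (t[0] === '"' || t[0] === '#') return { kind: 'literal' };
    if (/^[A-Za-z_]/.test(t)) return { kind: 'name', value: t };
    return { kind: 'punct', value: t };
  });
}
// Field names selected at the top level of the document's operations, or null when the document
// cannot be classified safely (unbalanced brackets, or a top-level spread that could hide any field).
function topLevelFields(src) {
  const tokens = tokenize(src), fields = new Set();
  let brace = 0, paren = 0, inFragment = false;     // fragment bodies matter only where spread
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t.kind === 'literal') continue;
    if (t.kind === 'punct') {
      if (t.value === '(') paren++;
      else if (t.value === ')') { if (--paren < 0) return null; }
      else if (t.value === '{') brace++;
      else if (t.value === '}') { if (--brace < 0) return null; if (brace === 0) inFragment = false; }
      else if (t.value === '@') i++;                 // skip the directive name
      else if (t.value === '...' && brace === 1 && !inFragment) return null;
      continue;
    }
    if (brace === 0) { if (t.value === 'fragment') inFragment = true; continue; }
    if (brace !== 1 || paren !== 0 || inFragment) continue;   // nested selection or argument
    const next = tokens[i + 1];
    if (next && next.kind === 'punct' && next.value === ':') { // "alias: field" selects field
      i += 2;
      if (!tokens[i] || tokens[i].kind !== 'name') return null;
      fields.add(tokens[i].value);
    } else fields.add(t.value);
  }
  return brace === 0 && paren === 0 ? fields : null;
}
// True only when every top-level field is introspection; anything else needs the access_token.
function isIntrospectionOnly(src) {
  const fields = topLevelFields(src);
  return fields !== null && fields.size > 0 && [...fields].every((f) => INTROSPECTION_FIELDS.has(f));
}
// Constructed input: the issue's counterexample, which /^query IntrospectionQuery/ would accept.
const mixedQuery = 'query IntrospectionQuery { __schema { queryType { name } } myProtectedEndpoint { data } }';
```

The standard introspection document (one `__schema` field plus `fragment ... on __Type` definitions) passes, while aliases, arguments and directives on the top-level field are tolerated and any top-level fragment spread or unbalanced document is refused.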