graphql / graphql.github.io

GraphQL Documentation at graphql.org
https://graphql.org
MIT License

Introspection: require authorization #1257

Open mfulton26 opened 2 years ago

mfulton26 commented 2 years ago

Authorization | GraphQL talks about delegating authorization logic to the business logic layer. This makes sense to me for most things. One thing I'm not sure on, though, is how I can lock down introspection if I want to have a tool in production where most people can't use it (for security reasons), but software engineers, product managers, operators, and possibly others whom I configure can use introspection so that the tools they use (e.g. a hosted GraphiQL or GraphQL Playground app to make queries and even some mutations) will work out of the box without needing a schema registry or anything.

Is there a straightforward way to hook into the out-of-the-box introspection tooling in graphql-js to run introspection like normal if my user is authorized to do so, but return error(s) otherwise?

mfulton26 commented 2 years ago

I can ask this elsewhere instead (e.g. https://github.com/graphql/graphql-js/discussions), but I was thinking that some documentation for this might be helpful: authorization handled in the business layer makes perfect sense to me, but introspection protection is an exception that many folks might be interested in, rather than completely disabling introspection in production (which many people are a fan of doing, but it cripples tooling for the select few who might need/want it).