Status: Closed (zetlen closed this issue 5 years ago)
This is also an important feature to support to allow remote systems to do schema stitching with Magento’s schema (see introspection query used by GraphQL Tools: https://github.com/apollographql/graphql-tools/blob/dacfd83566b6d8a9bee61ee1b5cda373b2b531a7/src/stitching/introspectSchema.ts#L2).
When we enable introspection by default, there should be an option for system integrators to disable it if not needed to reduce security risks.
If not possible to restrict production introspection to the "standard query" only, it should be ok to disable introspection restrictions completely since we have query complexity and nesting level limiting in place.
Summary (*)
GraphQL tools for query validation and schema discovery rely on introspection features. While some tools perform many types of introspection query, or add introspection fields to arbitrary queries, the vast majority of tools perform a single, invariant schema introspection query, described in the reference implementation as sufficient to download the entire type system.
All these tools utilize the same introspection query:
However, production instances of Magento 2.3 do not allow any introspection, including the standard query. This disables the tools for any user who does not have access to an instance of Magento 2 in developer mode. It's an obstacle to usability for new developers and community developers who rely on cloud instances.
Examples (*)
Most public GraphQL APIs I could find permit the use of this standard introspection query:
Production instances of Magento 2.3 return an error when running this query.
Proposed solution
The standard introspection query is invariant, so it should be easy to cache its results. The GraphQL schema can only change when a module is enabled or disabled, or when a new deploy occurs. That might require an on-demand refresh of the cached introspection result, but it is still very safe to cache. Arbitrary introspection can still be disabled in production, but this common, standard query should be supported so that popular tools can download the schema and docs.