Authorized introspections

[mfulton26]

Is there a way to enable introspection but only for select users?

[glasser]

The mechanism used to disable introspection is an additional validation rule, which is awkward to support this (validation rules are supposed to only depend on the operation and the schema so that we can cache the successful result of validation, not on other aspects of the request). We could change that implementation so that there's a special introspection validation phase though. Note that graphql-js is considering having direct support for disabling introspection (including also disabling "did you mean?" suggestions) which would be nice though we'd still have to hook into it somehow.

For example, we could allow you to pass a function (which would take GraphQLRequestContext) for introspection instead of a boolean. I'd definitely be interested in seeing a PR implementing this...

[EmirBoyaci]

See how I configured to only allow public access to IntrospectionQuery: MichalLytek/type-graphql#1308 (comment)

If you do your custom logic in if statement req.body.operationName === "IntrospectionQuery" inside context, you will be fine for doing authorization for IntrospectionQuery. If you decide to reject IntrospectionQuery (i.e. user is not allowed to fetch IntrospectionQuery) you should throw an error like as in my reply above.

[glasser]

I don't think matching on operation name is what you want to do. Clients can set operation names arbitrarily. Apollo Server's implementation blocks attempts to query fields named __schema or __type.

[EmirBoyaci]

Actually I didn't know that clients can set IntrospectionQuery operation name, I thought that it is defined in somewhere.. However, in my scenario (when I was trying to fetch schema without Authorization header in Apollo Studio) it worked perfectly 😄

[glasser]

Yeah, it just happens to be the name that some clients choose for their introspection query. (Including the one returned from graphql-js's getIntrospectionQuery() function.

[EmirBoyaci]

Is there a way to make sure operation is introspection then?

[glasser]

An introspection is an operation that uses introspection fields such as Query.__schema or Query.__type.