graphql-introspection-whitelist
v0.2.0
Simple whitelisting for GraphQL introspection queries, based on types.
# graphql-introspection-whitelist

Lets you pass an array of whitelisted introspection `__type` queries to your GraphQL server.
You might find this useful if you wish to guard your full schema, but still want to expose specific enums or other types as a query response on your production application.
All `__schema` and `__type` queries are disabled by default if you do not pass anything into the validation function.
## Usage

```sh
npm install graphql-introspection-whitelist
```

Typically `__type` queries are disallowed on a production GraphQL server, to prevent an attacker from mapping out your full schema, type by type.
Let's say you have an enum in your schema:

```graphql
enum Status {
  SLEEPING
  WORKING
  EATING
}
```
Perhaps you need to query this type directly, to get a list of all `Status`es:

```graphql
{
  __type(name: "Status") {
    name
    enumValues {
      name
    }
  }
}
```
Enter our query whitelist. This will let you name specific `__type` queries to be exposed in your production application, while still blocking the others from prying eyes.
## Setup

```js
import { ApolloServer } from 'apollo-server'; // or the apollo-server-* flavour you use
import introspectionWhitelist from 'graphql-introspection-whitelist';

// typeDefs and resolvers are your own schema and resolver map
const server = new ApolloServer({
  typeDefs,
  resolvers,
  // override the default production setting here, and rely on the whitelist instead
  introspection: true,
  validationRules: [introspectionWhitelist(['Status'])]
});
```
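To show what such a rule has to decide, here is an added example (not the package's own source) of a graphql-js validation rule with the same shape as the one `introspectionWhitelist()` returns: it rejects `__schema` outright, allows `__type` only for a literal name on the whitelist, and also rejects a `__type` whose `name` is a variable, since that cannot be checked statically. The `checkFields` driver and the constructed sample nodes are assumptions for running it stand-alone; the `graphql` import falls back to plain `Error` when the package is not installed.

```javascript
// Use graphql's error class when available, so the rule is usable in
// ApolloServer's `validationRules`; fall back to Error to run stand-alone.
let GraphQLError;
try { ({ GraphQLError } = require('graphql')); } catch (e) { GraphQLError = Error; }

// Returns a graphql-js validation rule: (context) => visitor.
function introspectionWhitelistRule(whitelist = []) {
  const allowed = new Set(whitelist);
  return (context) => ({
    Field(node) {
      const field = node.name.value;
      if (field === '__schema') {
        // A full-schema dump is never allowed, whatever the whitelist says.
        context.reportError(new GraphQLError(
          'GraphQL introspection is not allowed, but the query contained __schema'));
        return;
      }
      if (field !== '__type') return;
      // Only a literal string argument can be checked statically; a variable
      // such as __type(name: $t) is rejected so the whitelist cannot be bypassed.
      const arg = (node.arguments || []).find((a) => a.name.value === 'name');
      const literal = arg && arg.value.kind === 'StringValue' ? arg.value.value : null;
      if (literal === null || !allowed.has(literal)) {
        const shown = literal === null ? '(non-literal name)' : literal;
        context.reportError(new GraphQLError(`Introspection of type ${shown} is not allowed`));
      }
    },
  });
}

// Assumed driver: feeds Field nodes of the shape graphql-js passes to visitors
// into the rule and returns the collected error messages.
function checkFields(fieldNodes, whitelist) {
  const errors = [];
  const visitor = introspectionWhitelistRule(whitelist)({ reportError: (e) => errors.push(e.message) });
  fieldNodes.forEach((n) => visitor.Field(n));
  return errors;
}

// Constructed sample nodes: __type(name: "Status"), __type(name: "User"),
// __type(name: $t) and __schema.
function fieldNode(name, arg) {
  const args = arg ? [{ kind: 'Argument', name: { kind: 'Name', value: 'name' }, value: arg }] : [];
  return { kind: 'Field', name: { kind: 'Name', value: name }, arguments: args };
}
const SAMPLE = {
  status: fieldNode('__type', { kind: 'StringValue', value: 'Status' }),
  user: fieldNode('__type', { kind: 'StringValue', value: 'User' }),
  variable: fieldNode('__type', { kind: 'Variable', name: { kind: 'Name', value: 't' } }),
  schema: fieldNode('__schema'),
};
```

With `['Status']` as the whitelist, only `SAMPLE.status` passes without an error; with an empty whitelist every introspection field is rejected, matching the package's default.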
## API

### introspectionWhitelist(whitelist: Array<string>) ⇒ function

**Parameters**

- `whitelist` (`Array<string>`): names of the types whose `__type` queries are allowed.

**Returns** `Function`: a validation rule to pass in your server's `validationRules`.
## Thanks

Thanks to @helfer's https://github.com/helfer/graphql-disable-introspection, which served as the basis for this package.