
Introspection: require authorization #1257

Open
mfulton26 opened this issue Jul 12, 2022 · 1 comment

Comments

@mfulton26

Authorization | GraphQL talks about delegating authorization logic to the business logic layer. This makes sense to me for most things. One thing I'm not sure on though is how can I lock down introspection if I want to have a tool in production where most people can't use it (for security reasons) but software engineers, product managers, operators, and possibly others who I configure can use introspection so that tools they use (e.g. a hosted GraphiQL or GraphQL Playground app to make queries and even some mutations) will work out of the box without needing a schema registry or anything.

Is there a straightforward way to hook into the out-of-the-box introspection tooling in graphql-js to run introspection like normal if my user is authorized to do so but return error(s) otherwise?

@mfulton26

I can ask this elsewhere instead (e.g. https://github.com/graphql/graphql-js/discussions), but I was thinking that some documentation for this might be helpful: authorization handled in the business layer makes perfect sense to me, but introspection protection is an exception that many folks might be interested in, rather than completely disabling introspection in production (which many people are a fan of doing, but this cripples tooling for the select few who might need/want it).
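One shape the hook asked for above can take, as an added example that is neither graphql-js code nor from this issue: a validation rule in graphql-js's `(context) => ASTVisitor` form that reports an error on `__schema` / `__type` unless the request's viewer (an assumed `{ canIntrospect }` object) is allowed, with a small stand-in walker so it runs without the `graphql` package installed.

```javascript
// Added example, not graphql-js code. The rule has the shape graphql-js expects for a
// validation rule; in a real server you build it per request and pass it to
// validate(schema, document, [...specifiedRules, rule]). walkDocument stands in for validate().

const INTROSPECTION_FIELDS = new Set(['__schema', '__type']); // __typename stays allowed

// Rule factory: bind the rule to one request's viewer (assumed shape: { canIntrospect: bool }).
function introspectionRequiresAuthorization(viewer) {
  return function NoUnauthorizedIntrospectionRule(context) {
    return {
      Field(node) {
        if (INTROSPECTION_FIELDS.has(node.name.value) && !viewer.canIntrospect) {
          // graphql-js would use new GraphQLError(message, { nodes: node }) here.
          context.reportError(new Error(`Introspection field "${node.name.value}" requires authorization`));
        }
      },
    };
  };
}

// Stand-in for validate(): visit every Field node (fragment definitions included, so an
// introspection query hidden behind a fragment spread is still caught) and collect errors.
function walkDocument(document, rules) {
  const errors = [];
  const visitors = rules.map((rule) => rule({ reportError: (e) => errors.push(e) }));
  const visit = (node) => {
    if (node.kind === 'Field') visitors.forEach((v) => v.Field && v.Field(node));
    (node.definitions || []).forEach(visit);
    (node.selectionSet ? node.selectionSet.selections : []).forEach(visit);
  };
  visit(document);
  return errors;
}

// Constructed AST builders in graphql-js node shape (what parse() would produce).
const field = (name, selections) => ({
  kind: 'Field', name: { kind: 'Name', value: name },
  selectionSet: selections ? { kind: 'SelectionSet', selections } : undefined,
});
const query = (...selections) => ({
  kind: 'Document',
  definitions: [{ kind: 'OperationDefinition', operation: 'query', selectionSet: { kind: 'SelectionSet', selections } }],
});
const introspectionQuery = query(field('__schema', [field('types', [field('name')])]));
const productQuery = query(field('products', [field('id'), field('__typename')]));

// Per-request check: an empty array means the document may proceed to execute().
function introspectionErrors(document, viewer) {
  return walkDocument(document, [introspectionRequiresAuthorization(viewer)]);
}
```

For the unconditional case graphql-js already ships `NoSchemaIntrospectionCustomRule`, so an equivalent approach is to append that built-in rule to the rule list only for requests whose viewer is not authorized.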
