A validationRules array is part of the ExpressGraphQL (and Apollo Server) API, and it accepts any GraphQL validation rule function you care to write; this package provides one such rule.
The graphql-introspection-whitelist package lets you pass an array of whitelisted introspection __type queries to your GraphQL server.
You might find this useful if you wish to guard your full schema, but still want to expose specific enums or other types as a query response on your production application.
All __schema and __type queries are rejected by default, that is, if you pass nothing into the validation function. The whitelist covers __type queries only, selected by type name, so a __schema query (which returns the whole schema in one response) stays blocked.
npm install graphql-introspection-whitelist
Typically __type queries are disallowed on a production GraphQL server, to prevent an attacker from mapping out your full schema, type by type.
Let's say you have an enum in your schema:
enum Status {
SLEEPING
WORKING
EATING
}
Perhaps you need to query this type directly, to get a list of all Status values:
{
__type(name: "Status") {
name
enumValues {
name
}
}
}
Enter our query whitelist. This will let you name specific __type queries to be exposed in your production application, while still blocking the others from prying eyes.
import { ApolloServer } from 'apollo-server'; // or whichever Apollo Server package you use
import introspectionWhitelist from 'graphql-introspection-whitelist';

const server = new ApolloServer({
  typeDefs,   // your schema definition, defined elsewhere
  resolvers,  // your resolver map, defined elsewhere
  // Apollo Server turns introspection off in production by default; override that
  // here and rely on the whitelist rule to block everything except Status
  introspection: true,
  validationRules: [introspectionWhitelist(['Status'])]
});
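As an added illustration (not the package's own code), the JavaScript below shows the decision such a whitelist rule has to make for the usage above: walk every selection set in the query, reject __schema outright, and reject __type unless its name argument is a string literal on the whitelist. A small dependency-free parser for the selection-set subset of GraphQL is included so the file runs stand-alone; the sample queries, the Status whitelist and the error strings are constructed here and are not from the project.

```javascript
// Added example, not code from the graphql-introspection-whitelist package. A real
// rule installed via `validationRules` visits graphql-js's AST instead of using this
// toy parser, and therefore also sees fragments, which this parser does not handle.

function tokenize(src) {
  // Whitespace and commas are insignificant; keep punctuation, strings, names/variables, numbers.
  const re = /\s+|,|"(?:[^"\\]|\\.)*"|[{}():!]|\$?[_A-Za-z][_0-9A-Za-z]*|-?\d+(?:\.\d+)?/g;
  const tokens = [];
  let m, last = 0;
  while ((m = re.exec(src)) !== null) {
    if (m.index !== last) throw new Error(`unexpected input at offset ${last}`);
    last = re.lastIndex;
    if (!/^\s/.test(m[0]) && m[0] !== ',') tokens.push(m[0]);
  }
  if (last !== src.length) throw new Error(`unexpected input at offset ${last}`);
  return tokens;
}

// Parses `{ field(args) { ... } ... }` at tokens[pos]; returns [selections, posAfterBrace].
function parseSelectionSet(tokens, pos) {
  if (tokens[pos] !== '{') throw new Error(`expected '{' at token ${pos}`);
  pos += 1;
  const selections = [];
  while (tokens[pos] !== '}') {
    if (pos >= tokens.length) throw new Error('unterminated selection set');
    let alias = null;
    let name = tokens[pos++];
    if (tokens[pos] === ':') { alias = name; name = tokens[pos + 1]; pos += 2; } // `alias: field`
    if (!/^[_A-Za-z]/.test(name || '')) throw new Error(`expected a field name, got ${name}`);
    const args = {};
    if (tokens[pos] === '(') {
      pos += 1;
      while (tokens[pos] !== ')') {
        const argName = tokens[pos++];
        if (tokens[pos++] !== ':') throw new Error(`expected ':' after argument ${argName}`);
        const raw = tokens[pos++];
        if (raw === undefined) throw new Error('unterminated argument list');
        // GraphQL string escapes coincide with JSON's for the literals used here.
        args[argName] = raw.startsWith('"') ? { kind: 'String', value: JSON.parse(raw) }
          : raw.startsWith('$') ? { kind: 'Variable', value: raw } : { kind: 'Other', value: raw };
      }
      pos += 1;
    }
    let selectionSet = [];
    if (tokens[pos] === '{') [selectionSet, pos] = parseSelectionSet(tokens, pos);
    selections.push({ alias, name, args, selectionSet });
  }
  return [selections, pos + 1];
}

// Parses one operation with an optional `query Name($vars)` prefix (variable definitions skipped).
function parseQuery(src) {
  const tokens = tokenize(src);
  let pos = 0;
  if (tokens[pos] === 'query') {
    pos += 1;
    if (/^[_A-Za-z]/.test(tokens[pos] || '')) pos += 1;
    if (tokens[pos] === '(') {
      while (pos < tokens.length && tokens[pos] !== ')') pos += 1;
      pos += 1;
    }
  }
  const [selections, end] = parseSelectionSet(tokens, pos);
  if (end !== tokens.length) throw new Error('trailing tokens after the query');
  return selections;
}

// The whitelist rule: returns a list of error strings; an empty list means the query passes.
function checkIntrospection(query, whitelist) {
  const allowed = new Set(whitelist);
  const errors = [];
  const visit = (selections) => {
    for (const sel of selections) {
      // Judge the real field name, never the alias: `{ t: __type(name: "User") }` is still __type.
      if (sel.name === '__schema') {
        errors.push('__schema is not allowed');
      } else if (sel.name === '__type') {
        const arg = sel.args.name;
        if (!arg || arg.kind !== 'String') {
          errors.push('__type requires a literal name argument'); // a variable cannot be checked statically
        } else if (!allowed.has(arg.value)) {
          errors.push(`__type(name: "${arg.value}") is not whitelisted`);
        }
      }
      visit(sel.selectionSet);
    }
  };
  visit(parseQuery(query));
  return errors;
}

const WHITELIST = ['Status'];
// Constructed sample queries (not captured from a real server).
const SAMPLE_QUERIES = {
  allowedEnum: '{ __type(name: "Status") { name enumValues { name } } }',
  fullSchema: '{ __schema { types { name fields { name } } } }',
  otherType: '{ __type(name: "User") { fields { name type { name } } } }',
  aliased: 'query Probe { t: __type(name: "User") { name } }',
  mixed: '{ viewer { name } __type(name: "Status") { name } }',
  variable: 'query Probe($n: String!) { __type(name: $n) { name } }',
};

function runSamples() {
  const results = {};
  for (const [label, query] of Object.entries(SAMPLE_QUERIES)) results[label] = checkIntrospection(query, WHITELIST);
  return results;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Two details matter in practice and are covered by the samples: the rule keys on the real field name, so an alias such as `t: __type(...)` does not slip past it, and a `name` supplied through a variable is refused because a validation rule runs on the document before variables are bound. Prefer whitelisting enums and scalars over object types: a whitelisted object type still answers `fields { type { name } }`, which hands an attacker the names of every type its fields reference.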
introspectionWhitelist(whitelist) takes an array of type names and Returns Function: a validation rule to place in your server's validationRules array.
Thanks to https://github.com/helfer/graphql-disable-introspection (@helfer) for providing a basis to work from.