Skip to content
This repository has been archived by the owner on Dec 26, 2023. It is now read-only.

Apollo Server Plugin to enable introspection on a per-request basis (rather than totally on or off)

License

Notifications You must be signed in to change notification settings

AaronMoat/apollo-server-plugin-conditional-introspection

Repository files navigation

apollo-server-plugin-conditional-introspection

GitHub Release GitHub Validate npm package

This plugin allows you to conditionally enable or disable introspection queries in Apollo Server. This can be turned on and off only globally, by default - the plugin allows you to enable or disable introspection queries based on the incoming request.

The use case would be e.g. requiring authentication, an API key, an IP address, or whatever else, allowing you to have introspection in production without enabling it for everyone.

Why disable it at all? https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

Inspired by conversations in apollographql/apollo-server#1933 and graphql/graphql-js#113, which got close but didn't do exactly what I wanted.

Usage

Make sure you have the plugin installed:

npm install apollo-server-plugin-conditional-introspection

You also need graphql (>= 16.6) and apollo server (4) installed:

npm install graphql apollo-server

Then, in your Apollo Server config, add the plugin:

import { ApolloServer } from '@apollo/server';
import { createConditionalIntrospectionPlugin } from 'apollo-server-plugin-conditional-introspection';

...

const server = new ApolloServer<YourContextType>({
  ...,
  introspection: true,
  plugins: [
    ...,
    createConditionalIntrospectionPlugin<YourContextType>({
      allowIntrospectionForRequest: (requestContext: GraphQLRequestContextResponseForOperation<YourContextType>) => {
        // You can use the request to decide whether to allow introspection
        // For example, you could require an API key, or authentication, or an IP address
        return true;
      },
    })
  ]
});

Options

The plugin takes an options object with the following properties:

  • allowIntrospectionForRequest: A function that returns a boolean indicating whether introspection is allowed, for a given request, receiving in the request context. If this function returns true, introspection is allowed. If it returns false, introspection is not allowed.
  • introspectionDisabledStatusCode: What status code to return when introspection is not allowed, defaulting to allowing apollo to decide (usually 200)
  • introspectionDisabledHeaders: What headers to return when introspection is not allowed, defaulting to no headers
  • introspectionDisabledError: A GraphQLError to return when introspection is not allowed - defaults to message = "Introspection is not allowed" and code = "INTROSPECTION_NOT_ALLOWED".

Development

Prerequisites

  • Node.js LTS
  • Yarn 1.x
yarn install

Test

yarn test

Lint

# Fix issues
yarn format

# Check for issues
yarn lint

Package

# Compile source
yarn build

# Review bundle
npm pack

About

Apollo Server Plugin to enable introspection on a per-request basis (rather than totally on or off)

Resources

License

Stars

Watchers

Forks

Packages

No packages published