graphql-introspection-whitelist v0.2.0

Published 5 years ago (last release 5 years ago). Weekly downloads: 3. License: MIT. Repository: GitHub.

graphql-introspection-whitelist

Lets you pass an array of whitelisted introspection __type queries to your GraphQL server.

You might find this useful if you wish to guard your full schema, but still want to expose specific enums or other types as a query response on your production application.

All __schema and __type queries are disabled by default if you do not pass anything into the validation function.

Usage

npm install graphql-introspection-whitelist

Typically __type queries are disallowed on a production GraphQL server, to prevent an attacker from mapping out your full schema, type by type.

Let's say you have an enum in your schema:

enum Status {
  SLEEPING
  WORKING
  EATING
}

Perhaps you need to query this type directly, to get a list of all Statuses:

{
  __type(name: "Status") {
    name
    enumValues {
      name
    }
  }
}

Enter our query whitelist. This will let you name specific __type queries to be exposed in your production application, while still blocking the others from prying eyes.

Setup

import { ApolloServer } from 'apollo-server'; // assumed import; adjust to your Apollo package
import introspectionWhitelist from 'graphql-introspection-whitelist';

const server = new ApolloServer({
  typeDefs,   // your schema definition
  resolvers,  // your resolver map

  // override default setting here, and rely on whitelist instead
  introspection: true,
  // only __type(name: "Status") is answered; all other __type and __schema queries are rejected
  validationRules: [introspectionWhitelist(['Status'])]
});

introspectionWhitelist(whitelist: Array<string>) ⇒ function
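To show what such a validation rule does, here is an added example (not the package's own code) written in the graphql-js rule shape, `context => ASTVisitor` with errors reported through `context.reportError`. It assumes that shape and is exercised against constructed AST fragments with a minimal context, so it runs without the `graphql` package; in a real server the rule would be passed through `validationRules` as in the setup above.

```javascript
// Added example: a validation rule that blocks __schema and __type introspection
// unless the requested __type name appears in the whitelist. Assumes the graphql-js
// rule shape (context => visitor object, context.reportError(error)).
function introspectionWhitelistRule(whitelist = []) {
  const allowed = new Set(whitelist);
  return (context) => ({
    Field(node) {
      const field = node.name.value; // the real field name; aliases cannot hide it
      if (field === '__schema') {
        context.reportError(new Error('Introspection of __schema is not allowed'));
        return;
      }
      if (field !== '__type') return;
      const nameArg = (node.arguments || []).find((a) => a.name.value === 'name');
      // Only a literal string can be checked statically; a variable or a missing
      // argument is treated as not whitelisted (fail closed).
      const typeName =
        nameArg && nameArg.value.kind === 'StringValue' ? nameArg.value.value : null;
      if (typeName === null || !allowed.has(typeName)) {
        const shown = typeName === null ? '<non-literal>' : typeName;
        context.reportError(new Error(`Introspection of type "${shown}" is not allowed`));
      }
    },
  });
}

// Constructed AST fragments standing in for what graphql.parse() would produce.
function typeQuery(nameValueNode) {
  return {
    kind: 'Field',
    name: { value: '__type' },
    arguments: [{ name: { value: 'name' }, value: nameValueNode }],
  };
}
const schemaQuery = { kind: 'Field', name: { value: '__schema' }, arguments: [] };

// Run the rule's Field visitor over field nodes and collect the error messages.
function validateFields(whitelist, fields) {
  const errors = [];
  const context = { reportError: (e) => errors.push(e.message) };
  const visitor = introspectionWhitelistRule(whitelist)(context);
  fields.forEach((f) => visitor.Field(f));
  return errors;
}

// Whitelisted literal passes; another literal, a variable and __schema are rejected.
const sample = validateFields(['Status'], [
  typeQuery({ kind: 'StringValue', value: 'Status' }),
  typeQuery({ kind: 'StringValue', value: 'User' }),
  typeQuery({ kind: 'Variable', name: { value: 'n' } }),
  schemaQuery,
]);
```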

API

Table of Contents

introspectionWhitelist

Parameters

  • whitelist Array<String>, names of the types whose __type queries are allowed

Returns Function, a validation rule to pass in your server's validationRules; it rejects all __schema queries and every __type query whose name is not in the whitelist

Thanks

https://github.com/helfer/graphql-disable-introspection @helfer for providing the basis for this work.