TechQA.

how to Disable Schema Introspection in graphql-spqr-spring-boot-starter

1.7k views Asked by At

I have integrated my spring boot application with graphql-spqr-spring-boot-starter https://github.com/leangen/graphql-spqr-spring-boot-starter , I need to find a way on how to disable graphql schema introspection since its a security issue for production.

spring-boot graphql-java graphql-spqr graphql-spqr-spring-boot-starter
Original Q&A
3

There are 3 answers

2
AllirionX On

I am using graphql-spqr 0.9.9 and graphql-spqr-spring-boot-starter 0.0.4, but the code base changed for graphql-spqr 0.10. I'll try to cover both cases, but keep in mind you might have to tweak the code snippets a bit.

In Graphql-spqr-spring-boot starter, GraphQLSchemaGenerator is a bean used to generate the GraphQSchema. It is defined in io.leangen.graphql.spqr.spring.autoconfigure.BaseAutoConfiguration (v0.10) or io.leangen.graphql.spqr.spring.autoconfigure.SpqrAutoConfiguration (v0.9).

You need to provide your own GraphQLSchemaGenerator bean that will set the GraphqlFieldVisibility for the introspection query. According to this issue (cached by google: https://webcache.googleusercontent.com/search?q=cache:8VV29F3ovZsJ:https://github.com/leangen/graphql-spqr/issues/305), there are two different ways to set the field visibility:

Graphql-spqr 0.9

@Bean
public GraphQLSchemaGenerator graphQLSchemaGenerator(SpqrProperties spqrProperties) {
  GraphQLSchemaGenerator schemaGenerator = new GraphQLSchemaGenerator();

  schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> 
  {
      schemaBuilder.fieldVisibility(new NoIntrospectionGraphqlFieldVisibility());
      return schemaBuilder;
  });

  //Other GraphQLSchemaGenerator configuration
}

Graphql-spqr 0.10

@Bean
public GraphQLSchemaGenerator graphQLSchemaGenerator(SpqrProperties spqrProperties) {
  GraphQLSchemaGenerator schemaGenerator = new GraphQLSchemaGenerator();

  schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> 
  {
    buildContext.codeRegistry.fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);
    return schemaBuilder;
  });

  //Other GraphQLSchemaGenerator configuration
}

You can get inspiration from the default implementation to set the GraphQLGenerator properly.

0
vishal sundararajan On

This seems to work, there is a bean in SpqrAutoConfiguration class to generateGraphql schema from the generator object

@Bean
public GraphQLSchema graphQLSchema(GraphQLSchemaGenerator schemaGenerator) {
schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) ->
{
 schemaBuilder.fieldVisibility(new NoIntrospectionGraphqlFieldVisibility());
 return schemaBuilder;
});
   return schemaGenerator.generate();
}
0
Rajesh Wankhede On

schemaBuilder.fieldVisibility is Deprecated.

Graphql-spqr 0.10

    @Bean
    public GraphQLSchema graphQLSchema(GraphQLSchemaGenerator schemaGenerator) {
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            schemaBuilder.codeRegistry(
                    buildContext
                            .codeRegistry
                            .fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY)
                            .build()
            );
            return schemaBuilder;
        });
        return schemaGenerator.generate();
    }

Related Questions in SPRING-BOOT

Related Questions in GRAPHQL-JAVA

Related Questions in GRAPHQL-SPQR

Related Questions in GRAPHQL-SPQR-SPRING-BOOT-STARTER

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions