I am trying to disable GraphQL Introspection in my project and not having much luck with the specific framework I am using. Some articles say it can be done in the CodeRegistry module, but that is a decompiled source which is read-only. Has anyone achieved this with the GraphQL-java-kickstart framework?

Below are the dependencies in my pom file:

        <dependency>
            <groupId>com.graphql-java</groupId>
            <artifactId>graphql-java</artifactId>
            <version>${graphql.java.version}</version>
        </dependency>
        <dependency>
            <groupId>com.graphql-java-kickstart</groupId>
            <artifactId>graphql-java-tools</artifactId>
            <version>${graphql.java.tools.version}</version>
        </dependency>
        <dependency>
            <groupId>com.graphql-java</groupId>
            <artifactId>graphql-java-extended-validation</artifactId>
            <version>0.0.3</version>
        </dependency>
Ali Bigdeli
harvij

1 Answer

Graphql-java

With graphql-java, you build a GraphQLSchema using a GraphQLSchema.Builder. You need to set the builder visibility for the introspection field before building to disable the introspection query.

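    import graphql.schema.GraphQLSchema;
    import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;

    GraphQLSchema.Builder builder = GraphQLSchema.newSchema()
                                         .query(query)
                                         .mutation(mutation)
                                         .subscription(subscription)
                                         .additionalTypes(dictionary);

    // Hide the introspection fields before the schema is built.
    builder.fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);

    GraphQLSchema schema = builder.build();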

You can use the graphql-java-tools implementation as a reference.

Graphql-java-tools

With graphql-java-tools, you build a SchemaParser using a SchemaParserBuilder. The SchemaParserBuilder needs a SchemaParserOptions object. When building the SchemaParserOptions, you can enable or disable the introspection query. Here is a very simplified implementation.

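    // introspectionEnabled is a boolean taken from your configuration; pass false to disable introspection.
    SchemaParserBuilder builder = new SchemaParserBuilder();
    final SchemaParserOptions.Builder optionsBuilder = SchemaParserOptions.newOptions();
    optionsBuilder.introspectionEnabled(introspectionEnabled);
    return builder.options(optionsBuilder.build()).build();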

You can use the graphql-spring-boot implementation as a reference.

Graphql-spring-boot

If you are using graphql-spring-boot, according to the graphql-java-tools README, you can disable the introspection query by setting the graphql.tools.introspection-enabled property to false in your application.properties or application.yml file.

    graphql:
        tools:
            schema-location-pattern: "**/*.graphqls"
            # Enable or disable the introspection query. Disabling it puts your server in contravention of the GraphQL
            # specification and expectations of most clients, so use this option with caution
            introspection-enabled: false

Graphql-spqr

With Graphql-spqr, the idea is the same as in graphql-java: setting the builder field visibility. See my answer to this question for how to implement it.

AllirionX
  • The issue is that I am not using springboot; the project is based on Google Dagger 2, so it has to be done through code. – harvij Nov 18 '20 at 07:41
  • Sorry I misread your dependencies. I updated my answer to cover graphql-java and graphql-java-tools. – AllirionX Nov 18 '20 at 21:45
  • @AllirionX Which version for spring boot made it work? I upgraded to 5.4.1 from 4.0.0 and it still did not work with the given property mentioned. The only change with respect to your answer I have in my code is that I use a properties file instead of yml – Jalaj Chawla Jul 27 '21 at 11:34
  • @JalajChawla Sorry I don't have a graphql project running. According to my pom.xml file I was using graphql-spring-boot-starter 5.10.0 – AllirionX Jul 28 '21 at 12:08
  • Thanks @AllirionX, I just figured it out with a new project and it works in a spring boot graphql project for 5.4.1. The one I tested as an example: https://github.com/abhijaykumar/graphql-spring-boot-api – Jalaj Chawla Jul 28 '21 at 13:18
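
A way to confirm that the field-visibility setting from the graphql-java part of the answer really blocks introspection without breaking ordinary queries. This is an added example, not code from the answer or from any of the projects named on this page. It assumes a graphql-java version that ships `NoIntrospectionGraphqlFieldVisibility`; the class name `IntrospectionDisabledCheck`, the one-field schema and the `hello` resolver are constructed for the check.

```java
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;
import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;

public class IntrospectionDisabledCheck {

    // Constructed one-field schema; stands in for the project's real SDL.
    static final String SDL = "type Query { hello: String }";

    static GraphQLSchema buildSchema() {
        TypeDefinitionRegistry types = new SchemaParser().parse(SDL);
        RuntimeWiring wiring = RuntimeWiring.newRuntimeWiring()
                // Same visibility constant as in the answer: hides __schema and __type.
                .fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY)
                .type("Query", t -> t.dataFetcher("hello", env -> "world"))
                .build();
        return new SchemaGenerator().makeExecutableSchema(types, wiring);
    }

    // True when the server answers the query with at least one error.
    static boolean isRejected(GraphQL graphQL, String query) {
        ExecutionResult result = graphQL.execute(query);
        return !result.getErrors().isEmpty();
    }

    public static void main(String[] args) {
        GraphQL graphQL = GraphQL.newGraphQL(buildSchema()).build();
        String[] introspection = {
            "{ __schema { types { name } } }",
            "{ __type(name: \"Query\") { name } }"
        };
        for (String query : introspection) {
            if (!isRejected(graphQL, query)) {
                throw new IllegalStateException("Introspection still enabled: " + query);
            }
        }
        // Ordinary queries must keep working once introspection is hidden.
        if (isRejected(graphQL, "{ hello }")) {
            throw new IllegalStateException("Regular query was rejected");
        }
        System.out.println("Introspection is disabled; regular queries still resolve.");
    }
}
```

In a Dagger 2 project the body of `buildSchema()` can sit in the `@Provides` method that supplies the `GraphQLSchema`, and the two introspection queries make a useful regression test in CI.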