Last active
January 7, 2021 09:28
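import { PostGraphilePlugin } from "postgraphile";
import * as graphql from "graphql";

/**
 * PostGraphile server plugin that rejects GraphQL introspection queries.
 *
 * It hooks `postgraphile:validationRules:static` and appends one extra
 * validation rule to the rules the hook receives. The extra rule reports a
 * validation error for any field named `__schema` or `__type`; other
 * meta-fields such as `__typename` are not matched and stay usable.
 *
 * Setting the `ALLOW_INTROSPECTION` environment variable turns the extra rule
 * off and leaves the incoming rule list untouched.
 *
 * This only stops a client from asking for the schema listing. It does not
 * restrict which fields a client may query, so authorization still has to be
 * enforced separately.
 */
const DisableIntrospection: PostGraphilePlugin = {
  /**
   * @param args - validation rules handed to the hook; they must all be
   *   present in the returned list.
   * @param _context - hook context, unused here.
   * @returns the rule list to validate with: `args` as received when
   *   introspection is allowed, otherwise `args` plus the introspection check.
   */
  ["postgraphile:validationRules:static"](args, _context) {
    // NOTE(review): this is a plain truthiness test, so any non-empty value
    // (including "false" or "0") enables introspection. Leave the variable
    // unset wherever introspection must stay off.
    if (process.env.ALLOW_INTROSPECTION) {
      // Return the rules as received. `[args]` would be a one-element array
      // holding the rule array itself, not a list of rules.
      return args;
    }

    return [
      // Keep every incoming rule; returning only the rule below would drop
      // the validations that were passed in.
      ...args,
      (context: graphql.ValidationContext) => ({
        Field(node) {
          // node.name is the field's real name, not its alias.
          const fieldName = node.name.value;
          if (fieldName === "__schema" || fieldName === "__type") {
            context.reportError(
              new graphql.GraphQLError(
                "GraphQL introspection is not allowed, but the query contained __schema or __type",
                [node]
              )
            );
          }
        },
      }),
    ];
  },
};

export default DisableIntrospection;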
Thanks Benjie!
Gist updated.
On line 7 you need to return the args too
This snippet is dangerous; you disabled all the built in GraphQL validations and only enabled your one, that's a major security issue.
The `_args` you're ignoring is the other validation rules; you must include those as part of the result, so you should return `[..._args, /* your new validation rule here */]`.