Question
I have integrated my Spring Boot application with graphql-spqr-spring-boot-starter https://github.com/leangen/graphql-spqr-spring-boot-starter , and I need to find a way to disable GraphQL schema introspection, since it's a security issue for production.
Answer 1:
I am using graphql-spqr 0.9.9 and graphql-spqr-spring-boot-starter 0.0.4, but the code base changed for graphql-spqr 0.10. I'll try to cover both cases, but keep in mind you might have to tweak the code snippets a bit.
In graphql-spqr-spring-boot-starter, GraphQLSchemaGenerator is a bean used to generate the GraphQLSchema. It is defined in io.leangen.graphql.spqr.spring.autoconfigure.BaseAutoConfiguration (v0.10) or io.leangen.graphql.spqr.spring.autoconfigure.SpqrAutoConfiguration (v0.9).
You need to provide your own GraphQLSchemaGenerator bean that will set the GraphqlFieldVisibility for the introspection query. According to this issue (cached by Google: https://webcache.googleusercontent.com/search?q=cache:8VV29F3ovZsJ:https://github.com/leangen/graphql-spqr/issues/305), there are two different ways to set the field visibility:
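Graphql-spqr 0.9
    import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;
    import io.leangen.graphql.GraphQLSchemaGenerator;

    @Bean
    public GraphQLSchemaGenerator graphQLSchemaGenerator(SpqrProperties spqrProperties) {
        GraphQLSchemaGenerator schemaGenerator = new GraphQLSchemaGenerator();
        // Hide the introspection fields in the generated schema
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            schemaBuilder.fieldVisibility(new NoIntrospectionGraphqlFieldVisibility());
            return schemaBuilder;
        });
        // Other GraphQLSchemaGenerator configuration
        return schemaGenerator;
    }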
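Graphql-spqr 0.10
    import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;
    import io.leangen.graphql.GraphQLSchemaGenerator;

    @Bean
    public GraphQLSchemaGenerator graphQLSchemaGenerator(SpqrProperties spqrProperties) {
        GraphQLSchemaGenerator schemaGenerator = new GraphQLSchemaGenerator();
        // Set the visibility on the code registry builder held by the build context
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            buildContext.codeRegistry.fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);
            return schemaBuilder;
        });
        // Other GraphQLSchemaGenerator configuration
        return schemaGenerator;
    }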
You can get inspiration from the default implementation to set the GraphQLGenerator properly.
Answer 2:
This seems to work. There is a bean in the SpqrAutoConfiguration class to generate the GraphQL schema from the generator object:
    @Bean
    public GraphQLSchema graphQLSchema(GraphQLSchemaGenerator schemaGenerator) {
        // Register the processor on the injected generator, then build the schema
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            schemaBuilder.fieldVisibility(new NoIntrospectionGraphqlFieldVisibility());
            return schemaBuilder;
        });
        return schemaGenerator.generate();
    }
Answer 3:
schemaBuilder.fieldVisibility is deprecated.
Graphql-spqr 0.10
    @Bean
    public GraphQLSchema graphQLSchema(GraphQLSchemaGenerator schemaGenerator) {
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            // Rebuild the code registry with the visibility applied and hand it to the schema builder
            schemaBuilder.codeRegistry(
                buildContext
                    .codeRegistry
                    .fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY)
                    .build()
            );
            return schemaBuilder;
        });
        return schemaGenerator.generate();
    }
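A check that the visibility setting actually takes effect, as an added example that is not part of any answer above or of graphql-spqr. It assumes graphql-java is on the classpath (graphql-spqr depends on it); the class name, the `ping` schema and the probe query are constructed for illustration, and `introspectionBlocked` can be pointed at the application's own GraphQLSchema bean in a test.

```java
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;

// Hypothetical helper class; not part of graphql-spqr or the starter.
public class IntrospectionCheck {

    // Smallest useful probe: a schema with introspection enabled answers it.
    static final String PROBE = "{ __schema { queryType { name } } }";

    /** Returns true when the schema rejects the introspection probe. */
    static boolean introspectionBlocked(GraphQLSchema schema) {
        ExecutionResult result = GraphQL.newGraphQL(schema).build().execute(PROBE);
        return !result.getErrors().isEmpty();
    }

    /** Builds a constructed one-field schema, with or without the visibility. */
    static GraphQLSchema buildSchema(boolean hideIntrospection) {
        RuntimeWiring.Builder wiring = RuntimeWiring.newRuntimeWiring()
                .type("Query", t -> t.dataFetcher("ping", env -> "pong"));
        if (hideIntrospection) {
            wiring.fieldVisibility(
                    NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);
        }
        return new SchemaGenerator().makeExecutableSchema(
                new SchemaParser().parse("type Query { ping: String }"),
                wiring.build());
    }

    public static void main(String[] args) {
        // Default schema: the probe succeeds, so introspection is exposed.
        if (introspectionBlocked(buildSchema(false))) {
            throw new IllegalStateException("expected introspection to be open");
        }
        // With the field visibility applied: the probe must come back with errors.
        if (!introspectionBlocked(buildSchema(true))) {
            throw new IllegalStateException("introspection is still reachable");
        }
        // Ordinary queries are unaffected by the visibility setting.
        Object data = GraphQL.newGraphQL(buildSchema(true)).build()
                .execute("{ ping }").getData();
        System.out.println("introspection blocked, normal query returned " + data);
    }
}
```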
Source: https://stackoverflow.com/questions/64520366/how-to-disable-schema-introspection-in-graphql-spqr-spring-boot-starter