How to disable schema introspection in graphql-spqr-spring-boot-starter

自闭症网瘾萝莉.ら submitted on 2021-01-05 07:40:31

Question


I have integrated my Spring Boot application with graphql-spqr-spring-boot-starter (https://github.com/leangen/graphql-spqr-spring-boot-starter). I need to find a way to disable GraphQL schema introspection, since it's a security issue for production.


Answer 1:


I am using graphql-spqr 0.9.9 and graphql-spqr-spring-boot-starter 0.0.4, but the code base changed for graphql-spqr 0.10. I'll try to cover both cases, but keep in mind you might have to tweak the code snippets a bit.

In graphql-spqr-spring-boot-starter, GraphQLSchemaGenerator is a bean used to generate the GraphQLSchema. It is defined in io.leangen.graphql.spqr.spring.autoconfigure.BaseAutoConfiguration (v0.10) or io.leangen.graphql.spqr.spring.autoconfigure.SpqrAutoConfiguration (v0.9).

You need to provide your own GraphQLSchemaGenerator bean that will set the GraphqlFieldVisibility for the introspection query. According to this issue (cached by google: https://webcache.googleusercontent.com/search?q=cache:8VV29F3ovZsJ:https://github.com/leangen/graphql-spqr/issues/305), there are two different ways to set the field visibility:

Graphql-spqr 0.9

    @Bean
    public GraphQLSchemaGenerator graphQLSchemaGenerator(SpqrProperties spqrProperties) {
        GraphQLSchemaGenerator schemaGenerator = new GraphQLSchemaGenerator();

        // NoIntrospectionGraphqlFieldVisibility comes from graphql-java (graphql.schema.visibility)
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            schemaBuilder.fieldVisibility(new NoIntrospectionGraphqlFieldVisibility());
            return schemaBuilder;
        });

        // Other GraphQLSchemaGenerator configuration

        return schemaGenerator;
    }

Graphql-spqr 0.10

    @Bean
    public GraphQLSchemaGenerator graphQLSchemaGenerator(SpqrProperties spqrProperties) {
        GraphQLSchemaGenerator schemaGenerator = new GraphQLSchemaGenerator();

        // In 0.10 the visibility is set on the code registry builder held by the build context
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            buildContext.codeRegistry.fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);
            return schemaBuilder;
        });

        // Other GraphQLSchemaGenerator configuration

        return schemaGenerator;
    }

You can get inspiration from the default implementation to set the GraphQLGenerator properly.




Answer 2:


This seems to work. There is a bean in the SpqrAutoConfiguration class to generate the GraphQL schema from the generator object:

    @Bean
    public GraphQLSchema graphQLSchema(GraphQLSchemaGenerator schemaGenerator) {
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            schemaBuilder.fieldVisibility(new NoIntrospectionGraphqlFieldVisibility());
            return schemaBuilder;
        });
        return schemaGenerator.generate();
    }



Answer 3:


schemaBuilder.fieldVisibility is deprecated.

Graphql-spqr 0.10

    @Bean
    public GraphQLSchema graphQLSchema(GraphQLSchemaGenerator schemaGenerator) {
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            schemaBuilder.codeRegistry(
                    buildContext
                            .codeRegistry
                            .fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY)
                            .build()
            );
            return schemaBuilder;
        });
        return schemaGenerator.generate();
    }
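
To check that the visibility setting used in the answers actually takes effect, here is an added example (not part of any answer above and not SPQR's own code). It uses plain graphql-java with a constructed one-field schema, and runs introspection probes and an ordinary query with and without NoIntrospectionGraphqlFieldVisibility. The class name IntrospectionCheck and the `ping` field are assumptions made for illustration.

```java
// Added example. Assumes graphql-java on the classpath; the one-field schema
// and the class name IntrospectionCheck are constructed for illustration.
import graphql.GraphQL;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;
import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;

public class IntrospectionCheck {

    // Builds an engine over a constructed schema, optionally with the same
    // field visibility the answers install through the SPQR schema processor.
    static GraphQL build(boolean blockIntrospection) {
        TypeDefinitionRegistry types =
                new SchemaParser().parse("type Query { ping: String }");
        RuntimeWiring.Builder wiring = RuntimeWiring.newRuntimeWiring()
                .type("Query", t -> t.dataFetcher("ping", env -> "pong"));
        if (blockIntrospection) {
            wiring.fieldVisibility(
                    NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);
        }
        GraphQLSchema schema =
                new SchemaGenerator().makeExecutableSchema(types, wiring.build());
        return GraphQL.newGraphQL(schema).build();
    }

    // True when the engine answered the query with at least one error.
    static boolean rejected(GraphQL engine, String query) {
        return !engine.execute(query).getErrors().isEmpty();
    }

    public static void main(String[] args) {
        String[] probes = {
            "{ __schema { types { name } } }",
            "{ __type(name: \"Query\") { fields { name } } }",
            "{ ping }"   // ordinary query, must keep working
        };
        for (boolean block : new boolean[] {false, true}) {
            GraphQL engine = build(block);
            for (String q : probes) {
                System.out.printf("blockIntrospection=%-5b rejected=%-5b %s%n",
                        block, rejected(engine, q), q);
            }
        }
    }
}
```

The same probe queries can be sent to the deployed application's GraphQL endpoint as a release check: with introspection disabled they should come back with an `errors` entry, while ordinary queries still return data.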


Source: https://stackoverflow.com/questions/64520366/how-to-disable-schema-introspection-in-graphql-spqr-spring-boot-starter
