how to Disable Schema Introspection in graphql-spqr-spring-boot-starter

问题

I have integrated my spring boot application with graphql-spqr-spring-boot-starter https://github.com/leangen/graphql-spqr-spring-boot-starter , I need to find a way on how to disable graphql schema introspection since its a security issue for production.

回答1:

I am using graphql-spqr 0.9.9 and graphql-spqr-spring-boot-starter 0.0.4, but the code base changed for graphql-spqr 0.10. I'll try to cover both cases, but keep in mind you might have to tweak the code snippets a bit.

In Graphql-spqr-spring-boot starter, GraphQLSchemaGenerator is a bean used to generate the GraphQSchema. It is defined in io.leangen.graphql.spqr.spring.autoconfigure.BaseAutoConfiguration (v0.10) or io.leangen.graphql.spqr.spring.autoconfigure.SpqrAutoConfiguration (v0.9).

You need to provide your own GraphQLSchemaGenerator bean that will set the GraphqlFieldVisibility for the introspection query. According to this issue (cached by google: https://webcache.googleusercontent.com/search?q=cache:8VV29F3ovZsJ:https://github.com/leangen/graphql-spqr/issues/305), there are two different ways to set the field visibility:

Graphql-spqr 0.9

@Bean
public GraphQLSchemaGenerator graphQLSchemaGenerator(SpqrProperties spqrProperties) {
  GraphQLSchemaGenerator schemaGenerator = new GraphQLSchemaGenerator();

  schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> 
  {
      schemaBuilder.fieldVisibility(new NoIntrospectionGraphqlFieldVisibility());
      return schemaBuilder;
  });

  //Other GraphQLSchemaGenerator configuration
}

Graphql-spqr 0.10

@Bean
public GraphQLSchemaGenerator graphQLSchemaGenerator(SpqrProperties spqrProperties) {
  GraphQLSchemaGenerator schemaGenerator = new GraphQLSchemaGenerator();

  schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> 
  {
    buildContext.codeRegistry.fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);
    return schemaBuilder;
  });

  //Other GraphQLSchemaGenerator configuration
}

You can get inspiration from the default implementation to set the GraphQLGenerator properly.

回答2:

This seems to work, there is a bean in SpqrAutoConfiguration class to generateGraphql schema from the generator object

@Bean
public GraphQLSchema graphQLSchema(GraphQLSchemaGenerator schemaGenerator) {
schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) ->
{
 schemaBuilder.fieldVisibility(new NoIntrospectionGraphqlFieldVisibility());
 return schemaBuilder;
});
   return schemaGenerator.generate();
}

回答3:

schemaBuilder.fieldVisibility is Deprecated.

Graphql-spqr 0.10

    @Bean
    public GraphQLSchema graphQLSchema(GraphQLSchemaGenerator schemaGenerator) {
        schemaGenerator.withSchemaProcessors((schemaBuilder, buildContext) -> {
            schemaBuilder.codeRegistry(
                    buildContext
                            .codeRegistry
                            .fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY)
                            .build()
            );
            return schemaBuilder;
        });
        return schemaGenerator.generate();
    }

来源：https://stackoverflow.com/questions/64520366/how-to-disable-schema-introspection-in-graphql-spqr-spring-boot-starter

标签

spring-boot

graphql-java

graphql-spqr

graphql-spqr-spring-boot-starter