
Requiring auth header for introspection queries


I’m wondering if there’s a way to allow introspection queries only when a valid authorization header is passed.

I have introspection disabled outside development, but our client app needs to fetch the schema to be used in code generation for the iOS Apollo client as described here: https://www.apollographql.com/docs/ios/downloading-schema.html

Currently it looks like I can only enable or disable configuration via a boolean introspection option passed in the config to the ApolloServer constructor.

I’d like to allow the client developer access to that introspection query if they include a valid internal token in the auth header. Is that possible?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 18
  • Comments: 19 (3 by maintainers)

Top GitHub Comments

18 reactions
the-noob commented, Nov 21, 2018

It is not possible at the moment but I’m also looking for something similar. Ideally `introspection` should be changed to be a bool or a function that receives the request as `context` and returns `true`/`false`.

9 reactions
danielmahon commented, Jan 30, 2020

@nether-cat Would this be a valid way of protecting JUST the introspection query? I still want certain unauthorized queries to pass, like a login.

This plugin is currently checking for 3 things:

  1. If the query includes __schema.
  2. If the query includes __type.
  3. Requires an authorization header if __schema or __type is found in the query.

Am I missing any obvious loopholes? Is there a better way to do this now?

NOTE: Invalid authorization headers may pass this check but are caught in my context middleware, where if there is an authorization header, it is validated.

// Assumed import: the comment uses context.req.get(), i.e. an Express request,
// so apollo-server-express is the likely package.
const { ApolloServer, AuthenticationError } = require('apollo-server-express');

// Apollo Server 2 request lifecycle plugin: reject any request whose raw query
// text mentions the introspection root fields unless an Authorization header is present.
const secureIntrospection = {
  requestDidStart: ({ request, context }) => {
    // request.query can be undefined (e.g. a hash-only persisted-query request),
    // so fall back to an empty string instead of crashing on .includes().
    const query = request.query || '';
    if (
      (query.includes('__schema') ||
        query.includes('__type')) && // note: the substring '__type' also matches '__typename'
      !context.req.get('authorization')
    ) {
      throw new AuthenticationError('GraphQL introspection not authorized!');
    }
  },
};

// schemaWithMiddleware, contextMiddleware and CONFIG are defined elsewhere in the author's project.
const graphQLServer = new ApolloServer({
  schema: schemaWithMiddleware,
  context: contextMiddleware,
  engine: { apiKey: CONFIG.ENGINE_API_KEY },
  subscriptions: { path: '/' },
  plugins: [secureIntrospection],
  introspection: true,
  // Development only
  playground: CONFIG.IS_DEVELOPMENT,
  debug: CONFIG.IS_DEVELOPMENT,
  tracing: CONFIG.IS_DEVELOPMENT,
});