Block schema introspection based on an HTTP request header
Summary
Block schema introspection based on an HTTP request header value without running the IFieldMiddleware for every single field.
Relevant information
Hello there! It’s me again. I’d like to block schema introspection based on an HTTP request header value (we only want to allow introspection to IPs from certain IP ranges). At the moment we have built a middleware class which implements the IFieldMiddleware interface and which checks the header value for matching values. The ‘problem’ we have with this approach, though, is that it does the check for every single field in the request. We’re worried that this might hurt the performance of our API, and before deploying this I would like to check with you guys whether there is possibly a better approach to implement logic like this.
Environment (if relevant)
version 4.8.0
Issue Analytics
- Created a year ago
- Comments: 6 (3 by maintainers)
Inject IHttpContextAccessor via DI and use that to pull the http context and from that the headers (or client IP address).
Look at the source code of the repo, and go to the tag (under branches) for a 4.x version. Then look under src GraphQL Validation Rules to see a whole bunch of validation rule examples for 4.x
If you want it to **only** block introspection requests, and not all requests, then you have to leave it as a validation rule. You can enhance performance by checking the IP address once during the validation rule setup, and then either returning null if allowed or a rule if not:
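
One way to write the validation rule described in the replies above, as an added example that is not code from the issue thread or from the GraphQL.NET project. The class name `IntrospectionAllowListRule`, the allow-listed ranges and the error code are hypothetical, and the `IValidationRule`, `MatchingNodeVisitor<Field>` and `ValidationError` shapes are assumed to match GraphQL.NET 4.x; registering the rule with the executor is not shown.

```csharp
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using GraphQL.Language.AST;
using GraphQL.Validation;
using Microsoft.AspNetCore.Http;
using AllowedNetwork = Microsoft.AspNetCore.HttpOverrides.IPNetwork;

public class IntrospectionAllowListRule : IValidationRule
{
    // Constructed sample ranges (assumption); load the real list from configuration.
    private static readonly AllowedNetwork[] Allowed =
    {
        new AllowedNetwork(IPAddress.Parse("10.0.0.0"), 8),
        new AllowedNetwork(IPAddress.Parse("192.168.10.0"), 24),
    };

    // Built once and shared: reports an error on the introspection root fields.
    private static readonly Task<INodeVisitor> Blocker = Task.FromResult<INodeVisitor>(
        new MatchingNodeVisitor<Field>((field, context) =>
        {
            if (field.Name == "__schema" || field.Name == "__type")
                context.ReportError(new ValidationError(
                    context.Document.OriginalQuery, "INTROSPECTION_BLOCKED",
                    "Introspection is not allowed from this address.", field));
        }));

    private readonly IHttpContextAccessor _accessor;

    public IntrospectionAllowListRule(IHttpContextAccessor accessor) => _accessor = accessor;

    // Called once per request during validation, not once per resolved field.
    public Task<INodeVisitor> ValidateAsync(ValidationContext context)
    {
        // Assumes RemoteIpAddress is the real client address, i.e. any reverse
        // proxy is trusted and forwarded-headers handling is already configured.
        var ip = _accessor.HttpContext?.Connection.RemoteIpAddress;
        if (ip != null && ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();

        bool allowed = ip != null && Allowed.Any(n => n.Contains(ip));

        // Fail closed: a missing or out-of-range address gets the blocking visitor;
        // an allowed address gets a null visitor, so no per-node work is added.
        return allowed ? Task.FromResult<INodeVisitor>(null) : Blocker;
    }
}
```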