A validationRules array is part of the ExpressGraphQL API and accepts any GraphQL validation rule function.
The graphql-introspection-whitelist package lets you pass an array of whitelisted introspection __type queries to your GraphQL server.
You might find this useful if you wish to guard your full schema, but still want to expose specific enums or other types as a query response on your production application.
All __schema and __type queries are disabled by default if you do not pass anything into the validation function.
```shell
npm install graphql-introspection-whitelist
```
Typically __type queries are disallowed on a production GraphQL server, to prevent an attacker from mapping out your full schema, type by type.
Let's say you have an enum in your schema:
```graphql
enum Status {
  SLEEPING
  WORKING
  EATING
}
```

Perhaps you need to query this type directly, to get a list of all Statuses:
```graphql
{
  __type(name: "Status") {
    name
    enumValues {
      name
    }
  }
}
```

Enter our query whitelist. This will let you name specific __type queries to be exposed in your production application, while still blocking the others from prying eyes.
```javascript
import { ApolloServer } from 'apollo-server';
import introspectionWhitelist from 'graphql-introspection-whitelist';

const server = new ApolloServer({
  typeDefs,
  resolvers,
  // override the default setting here, and rely on the whitelist instead
  introspection: true,
  // only __type(name: "Status") is allowed; __schema and every other __type query is rejected
  validationRules: [introspectionWhitelist(['Status'])]
});
```

Returns: Function (the validation rule to place in validationRules).
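To show what such a rule does inside the validation step, here is an added example (written for this page, not the package's own source) of a graphql-js style rule with the same whitelist behaviour. It assumes the ValidationContext shape graphql-js passes to rules (a reportError method); runRule() and the AST builders are stand-ins so it runs without the graphql package installed.

```javascript
// Added example: a validation rule in the shape graphql-js validate() expects,
// rule(context) -> visitor. It rejects every __schema field and allows __type
// only for whitelisted names. ASSUMPTION: in real use `context` is graphql-js's
// ValidationContext; runRule() below is a stand-in so this runs offline.
function introspectionWhitelistRule(whitelist) {
  const allowed = new Set(whitelist);
  return (context) => ({
    Field(node) {
      const fieldName = node.name.value; // the real field name, aliases do not matter
      if (fieldName === '__schema') {
        context.reportError(new Error('__schema introspection is not allowed'));
      } else if (fieldName === '__type') {
        // Only a literal string argument can be checked at validation time, so a
        // variable or missing `name` argument is rejected rather than let through.
        const arg = (node.arguments || []).find((a) => a.name.value === 'name');
        const literal = arg && arg.value.kind === 'StringValue' ? arg.value.value : null;
        if (literal === null || !allowed.has(literal)) {
          context.reportError(new Error(`__type(name: ${JSON.stringify(literal)}) is not whitelisted`));
        }
      }
    },
  });
}

// Stand-in for graphql-js validate(): collect reported errors and call the
// rule's Field visitor on every Field node, including nested selections.
function runRule(rule, documentAst) {
  const errors = [];
  const visitor = rule({ reportError: (e) => errors.push(e.message) });
  const walk = (node) => {
    if (node.kind === 'Field') visitor.Field(node);
    const selections = node.selectionSet ? node.selectionSet.selections : [];
    selections.forEach(walk);
  };
  documentAst.definitions.forEach(walk);
  return errors;
}

// Tiny AST builders (constructed data, mirroring graphql-js node shapes).
const field = (name, args = [], selections = []) => ({
  kind: 'Field', name: { value: name }, arguments: args,
  selectionSet: selections.length ? { selections } : null,
});
const nameArg = (value) => ({ name: { value: 'name' }, value: { kind: 'StringValue', value } });
const nameVar = (v) => ({ name: { value: 'name' }, value: { kind: 'Variable', name: { value: v } } });
const doc = (...selections) => ({
  definitions: [{ kind: 'OperationDefinition', selectionSet: { selections } }],
});
// The Status query from above: `{ __type(name: "Status") { name enumValues { name } } }`
const statusQuery = doc(field('__type', [nameArg('Status')], [field('name'), field('enumValues', [], [field('name')])]));
```

With ['Status'] whitelisted, statusQuery validates cleanly while __schema, a __type for any other name, and a __type whose name comes from a variable each produce one error.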
Thanks to https://github.com/helfer/graphql-disable-introspection by @helfer for providing the basis to work from.