apollo-server-plugin-conditional-introspection

Source: npm
Version: 2.0.0 (latest)
Weekly downloads: 1.1K (-20.29%)
Maintainers: 1


This plugin lets you conditionally enable or disable introspection queries in Apollo Server. By default, Apollo Server can only turn introspection on or off globally; this plugin lets you make that decision per incoming request.

A typical use case is requiring authentication, an API key, a specific IP address, or any other condition, so that you can keep introspection available in production without enabling it for everyone.

Why disable it at all? https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

Inspired by conversations in https://github.com/apollographql/apollo-server/issues/1933 and https://github.com/graphql/graphql-js/issues/113, which got close but didn't do exactly what I wanted.

Usage

Make sure you have the plugin installed:

npm install apollo-server-plugin-conditional-introspection

You also need graphql (>= 16.6) and Apollo Server 4 (the @apollo/server package) installed:

npm install graphql @apollo/server

Then, in your Apollo Server config, add the plugin:

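import { ApolloServer } from '@apollo/server';
import type { GraphQLRequestContextResponseForOperation } from '@apollo/server';
// Assumes the package exports the factory under the name called in `plugins` below.
import { createConditionalIntrospectionPlugin } from 'apollo-server-plugin-conditional-introspection';

// ...

const server = new ApolloServer<YourContextType>({
  // ...your other server options (typeDefs, resolvers, etc.)
  // Keep introspection enabled globally; the plugin decides per request.
  introspection: true,
  plugins: [
    // ...your other plugins
    createConditionalIntrospectionPlugin<YourContextType>({
      allowIntrospectionForRequest: (requestContext: GraphQLRequestContextResponseForOperation<YourContextType>) => {
        // Use the request to decide whether to allow introspection, for example
        // by requiring an API key, authentication, or a specific IP address.
        // Returning true unconditionally allows introspection for every request.
        return true;
      },
    }),
  ],
});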

Options

The plugin takes an options object with the following properties:

  • allowIntrospectionForRequest: A function that receives the request context and returns a boolean indicating whether introspection is allowed for that request. If it returns true, introspection is allowed. If it returns false, introspection is not allowed.
  • introspectionDisabledStatusCode: The status code to return when introspection is not allowed. By default Apollo decides (usually 200).
  • introspectionDisabledHeaders: The headers to return when introspection is not allowed. Defaults to no headers.
  • introspectionDisabledError: A GraphQLError to return when introspection is not allowed. Defaults to message = "Introspection is not allowed" and code = "INTROSPECTION_NOT_ALLOWED".
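
One way to write the allowIntrospectionForRequest callback described above as an API-key check that fails closed. This is an added example, not code from this package: the helper names, the x-introspection-key header and the RequestContextLike type (a stand-in for the slice of Apollo Server 4's request context that is read) are assumptions.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto';

// Minimal stand-in (assumption) for the part of Apollo Server 4's request
// context read here: request.http.headers is a Map with lower-cased names.
interface RequestContextLike {
  request: { http?: { headers: Map<string, string> } };
}

// Hash both sides so timingSafeEqual always gets equal-length buffers and the
// comparison time does not depend on where the two strings differ.
function constantTimeEquals(a: string, b: string): boolean {
  const ha = createHash('sha256').update(a).digest();
  const hb = createHash('sha256').update(b).digest();
  return timingSafeEqual(ha, hb);
}

// Hypothetical helper: builds a predicate to pass as allowIntrospectionForRequest.
// The default header name is made up for this example.
function makeIntrospectionGate(
  expectedKey: string | undefined,
  headerName = 'x-introspection-key',
): (ctx: RequestContextLike) => boolean {
  return (ctx) => {
    // Fail closed: with no key configured, nobody gets introspection.
    if (!expectedKey) return false;
    // Requests without an HTTP layer or without the header are denied.
    const presented = ctx.request.http?.headers.get(headerName.toLowerCase());
    if (!presented) return false;
    return constantTimeEquals(presented, expectedKey);
  };
}

// Constructed sample request context, optionally carrying a key header.
function sampleContext(key?: string): RequestContextLike {
  const headers = new Map<string, string>();
  if (key !== undefined) headers.set('x-introspection-key', key);
  return { request: { http: { headers } } };
}

// Constructed key; in a real server read it from configuration or a secret store.
const gate = makeIntrospectionGate('constructed-example-key');
console.log(gate(sampleContext('constructed-example-key'))); // true
console.log(gate(sampleContext('wrong-key')));               // false
console.log(gate(sampleContext()));                          // false
```

Because an unset key denies every request, a deployment that forgets to configure the secret ends up with introspection off rather than open to everyone.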

Development

Prerequisites

  • Node.js LTS
  • Yarn 1.x

yarn install

Test

yarn test

Lint

# Fix issues
yarn format

# Check for issues
yarn lint

Package

# Compile source
yarn build

# Review bundle
npm pack


Package last updated on 03 Aug 2023
