Introduce built-in armor security features (#6630)

Author: enisdenjo

packages/web/docs/src/content/gateway/other-features/security/_meta.ts

@@ -4,7 +4,7 @@ export default {
   'csrf-prevention': 'CSRF Prevention',
   'rate-limiting': 'Rate Limiting',
   'demand-control': 'Demand Control',
-  'disable-introspection': 'Introspection',
+  'disable-introspection': 'Disable Introspection',
   https: 'HTTPS',
   'hmac-signature': 'HMAC Signature',
   'aws-sigv4': 'AWS Signature V4',

packages/web/docs/src/content/gateway/other-features/security/block-field-suggestions.mdx

@@ -7,21 +7,37 @@ import { Callout } from '@theguild/components'
 # Block Field Suggestions
 
 This is a feature that allows you to prevent **returning field suggestions** and **leaking your
-schema** to unauthorized actors provided by
-[GraphQL Armor](https://escape.tech/graphql-armor/docs/plugins/block-field-suggestions/)
+schema** to unauthorized actors. In production, this can lead to leaking schema information even if
+the introspection is disabled.
 
-In production, this can lead to Schema leak even if the introspection is disabled.
+## Basic Configuration
 
-## How to use?
+<Callout type="info">
+  Powered by [GraphQL
+  Armor](https://escape.tech/graphql-armor/docs/plugins/block-field-suggestions/).
+</Callout>
 
-Install the plugin:
+Hive Gateway ships with the basic "block field suggestion" security feature. You can enable it by
+setting the `blockFieldSuggestions` option to `true`.
+
+```ts filename="gateway.config.ts"
+import { defineConfig } from '@graphql-hive/gateway'
+
+export const gatewayConfig = defineConfig({
+  blockFieldSuggestions: true
+})
+```
+
+## Advanced Configuration
+
+The built-in configuration options are limited and should be enough for most use-cases. However, if
+you need more control, you can configure more by installing the
+[GraphQL Armor Block Field Suggestions plugin](https://escape.tech/graphql-armor/docs/plugins/block-field-suggestions/).
 
 ```sh npm2yarn
 npm install @escape.tech/graphql-armor-block-field-suggestions
 ```
 
-Then, add it to your plugins:
-
 ```ts filename="gateway.config.ts"
 import { blockFieldSuggestionsPlugin } from '@escape.tech/graphql-armor-block-field-suggestions'
 import { defineConfig } from '@graphql-hive/gateway'

packages/web/docs/src/content/gateway/other-features/security/character-limit.mdx

@@ -4,7 +4,7 @@ searchable: false
 
 import { Callout } from '@theguild/components'
 
-# Character Limit
+# Character Limit Plugin
 
 **Limit** number of **characters** in a GraphQL query document.
 

packages/web/docs/src/content/gateway/other-features/security/disable-introspection.mdx

@@ -6,7 +6,7 @@ searchable: false
 
 import { Callout } from '@theguild/components'
 
-# Introspection
+# Disable Introspection
 
 A powerful feature of GraphQL is schema introspection. This feature is used by GraphiQL for
 exploring the schema and also by tooling such as
@@ -16,15 +16,23 @@ client/frontend code.
 GraphQL schema introspection is also a feature that allows clients to ask a GraphQL server what
 GraphQL features it supports (e.g. defer/stream or subscriptions).
 
-## Disabling Introspection
+However, you may want to not expose your schema to the outside world. You can disable schema
+introspection with the `disableIntrospection` option.
 
-<Callout>
-  If your goal is to avoid unknown actors from reverse-engineering your GraphQL
-  schema and executing arbitrary operations, it is highly recommended to use
-  persisted operations.
+```ts filename="gateway.config.ts"
+import { defineConfig } from '@graphql-hive/gateway'
 
-[Learn more about persisted operations.](/docs/gateway/persisted-documents)
+export const gatewayConfig = defineConfig({
+  disableIntrospection: {
+    disableIf: () => true
+  }
+})
+```
 
+<Callout>
+  If your goal is to avoid unknown actors from reverse-engineering your GraphQL schema and executing
+  arbitrary operations, it is highly recommended to use [persisted
+  operations](/docs/gateway/persisted-documents).
 </Callout>
 
 ## Disable Introspection based on the GraphQL Request
@@ -33,7 +41,7 @@ Sometimes you want to allow introspectition for certain users. You can access th
 and determine based on that whether introspection should be enabled or not. E.g. you can check the
 headers.
 
-```ts filename="gateway.config.ts" {7}
+```ts filename="gateway.config.ts" {6}
 import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
@@ -45,45 +53,28 @@ export const gatewayConfig = defineConfig({
 })
 ```
 
-## Disabling Field Suggestions
-
-<Callout>
-  The [`graphql-armor`](https://github.com/Escape-Technologies/graphql-armor) plugin is a security layer that help you protect your GraphQL server from malicious queries.
-  It allows you to configure various security features such as character limit or blocking field suggestions.
-  For more information about `graphql-armor` features, you can refer to the [documentation for the plugin](/docs/gateway/other-features/security/block-field-suggestions).
-
-Here is an example of how to use `graphql-armor` to disable introspection and block field
-suggestions.
-
-</Callout>
+## Blocking Field Suggestions
 
 When executing invalid GraphQL operation the GraphQL engine will try to construct smart suggestions
 that hint typos in the executed GraphQL document. This can be considered a security issue, as it can
 leak information about the GraphQL schema, even if introspection is disabled.
 
-<Callout>
-  If your goal is to avoid unknown actors from reverse-engineering your GraphQL
-  schema and executing arbitrary operations, it is highly recommended to use
-  persisted operations.
-
-[Learn more about persisted operations.](/docs/gateway/persisted-documents)
+Tools like [Clairvoyance](https://github.com/nikitastupin/clairvoyance) can exploit the smart
+suggestions and brute-force obtaining the GraphQL schema even if the introspection has been
+disabled.
 
-</Callout>
+[Enabling the `blockFieldSuggestions` option](/docs/gateway/other-features/security/block-field-suggestions)
+will disable these smart suggestions and therefore prevent schema leaking.
 
-Disabling the "did you mean x" suggestion feature can be achieved via the
-`blockFieldSuggestionsPlugin` from
-[`graphql-armor`](https://github.com/Escape-Technologies/graphql-armor).
+Combined with the `disableIntrospection` option, you can make your schema more secure.
 
-```sh npm2yarn
-npm i @escape.tech/graphql-armor-block-field-suggestions
-```
-
-```ts filename="Disabling the 'did you mean x' suggestion feature with a plugin" {2, 7}
-import { blockFieldSuggestionsPlugin } from '@escape.tech/graphql-armor-block-field-suggestions'
-import { defineConfig, useDisableIntrospection } from '@graphql-hive/gateway'
+```ts filename="gateway.config.ts" {7}
+import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
-  disableIntrospection: true,
-  plugins: pluginCtx => [blockFieldSuggestionsPlugin()]
+  disableIntrospection: {
+    disableIf: () => true
+  },
+  blockFieldSuggestions: true
 })
 ```