
Commit 711dd4a

Document allowing introspection with JWT authentication in Hive Gateway (#6861)
1 parent 848806a commit 711dd4a

1 file changed (+43, -1 lines)


packages/web/docs/src/content/gateway/authorization-authentication.mdx

Lines changed: 43 additions & 1 deletion
@@ -236,7 +236,7 @@ export const gatewayConfig = defineConfig({
236236
},
237237
plugins: () => [
238238
useOperationFieldPermissions({
239-
getPermissions: async context => {
239+
getPermissions: context => {
240240
const { jwt } = context
241241

242242
// Check based on identity / user-id.
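Review bot: dropping `async` from `getPermissions` (old line 239 to new line 239) is only safe if the remainder of the callback body, which this hunk does not show, contains no `await`; with `async` removed, any `await` left in the body turns the rendered snippet into a syntax error, so please confirm the full example before merging. Otherwise this is a good consistency fix, since the new introspection example later in the same file also uses a synchronous `getPermissions: context =>`.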
@@ -257,6 +257,48 @@ export const gatewayConfig = defineConfig({
257257
})
258258
```
259259

260+
### Allowing Introspection
261+
262+
If you want to allow introspection queries to be executed without a JWT token, you can use the
263+
operation field permissions plugin to allow only introspection queries when no JWT token ispresent.
264+
This way, you can still introspect the schema and explore the API without a token, while protecting
265+
the rest of the API with JWT authentication.
266+
267+
<Callout>
268+
Be careful with this approach, as it allows anyone to introspect your schema without a token. We
269+
always advise using [Persisted Documents](/docs/gateway/persisted-documents) to fully secure your
270+
GraphQL API.
271+
</Callout>
272+
273+
```ts filename="gateway.config.ts"
274+
import { useOperationFieldPermissions } from '@envelop/operation-field-permissions'
275+
import { defineConfig } from '@graphql-hive/gateway'
276+
277+
export const gatewayConfig = defineConfig({
278+
jwt: {
279+
...options,
280+
reject: {
281+
// allow requests with missing token to introspect the schema
282+
missingToken: false
283+
}
284+
},
285+
plugins: () => [
286+
useOperationFieldPermissions({
287+
getPermissions: context => {
288+
const { jwt } = context
289+
if (!jwt) {
290+
// allow only introspection if no token is present
291+
return new Set(['Query.__schema', 'Query.__type', 'Query.__typename'])
292+
}
293+
// allow everything when token is present, or you can return a different
294+
// set of permissions based on the token like in the previous example
295+
return '*'
296+
}
297+
})
298+
]
299+
})
300+
```
301+
260302
### In upstream GraphQL subgraphs
261303

262304
<Tabs items={['GraphQL-Yoga', 'Apollo Server', 'Other GraphQL servers']}>
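Review bot: the allow-set at new line 291 lists only root fields (`Query.__schema`, `Query.__type`, `Query.__typename`), but a real introspection query also selects fields on `__Schema`, `__Type`, `__Field` and the other introspection types; the section should state whether the plugin implicitly permits those nested introspection selections or whether the reader has to add them to the set, otherwise the example may reject the very query it claims to allow. Three smaller points: new line 263 has a typo, `ispresent` should read `is present`; `...options` at new line 279 is undefined in the snippet, so a short comment saying it stands for the JWT options documented above would help; and since the config only disables `reject.missingToken`, the callout would be clearer if it said how requests carrying an invalid or expired token are handled, as readers may otherwise assume every request without a valid token falls into the `!jwt` introspection-only branch.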
