GraphQL Introspection can't be disabled

[JulianAtTheFrontend]

Link to reproduction

No response

Describe the Bug

Currently there is no way to disable GraphQL introspection and I'd rather call it a bug than a feature request as it exposes the complete schema without any restrictions. Ideally I'd even like to apply an access rule e.g. to still fetch it for development of a headless frontend.

To Reproduce

Just enable graphQL and try to retreive the schema with @graphql-codegen/cli

// codegen.ts
// https://the-guild.dev/graphql/codegen/plugins/other/schema-ast
import type { CodegenConfig } from '@graphql-codegen/cli';

const config: CodegenConfig = {
  overwrite: true,
  generates: {
    './src/types/payloadSchema.graphql': {
      schema: 'https://<PAYLOAD_URL>/api/graphql',
      plugins: ['schema-ast'],
    },
  }
};

export default config;

Payload Version

2.0.11

Adapters and Plugins

No response

[jmikrut]

Hey @JulianAtTheFrontend — while disabling GraphQL introspection does indeed expose the full schema, you can get it via a variety of other ways even if introspection is disabled. Take a look here:

https://escape.tech/blog/should-i-disable-introspection-in-graphql/

But I would agree that we could enable a flag to restrict introspection. It looks to me like this package could work:

https://www.npmjs.com/package/graphql-disable-introspection

So I think maybe the move is to just allow for custom validationRules where then the developer could inject this package if they'd like to.

What do you think about this? In the end, I don't think this is truly a bug though - so I'll switch it over to our roadmap.