GraphQL deployed to production reveals hints to other types when one not found #4275

@cannikin

Description

Given the following SDL:

export const schema = gql`
  type Account {
    id: String!
    address: String!
    createdAt: DateTime!
  }

  input CreateAccountInput {
    address: String!
  }

  type Mutation {
    account(input: CreateAccountInput!): Account @requireAuth
  }
`

If you make a mutation request for a type that does not exist (there is no createAccount type):

mutation CreateAccountMutation($input: String!) {
  createAccount(input: $input) {
    id
  }
}

The response contains suggestions for other endpoints which do exist:

{
	"errors": [
		{
			"message": "Cannot query field \"createAccount\" on type \"Mutation\". Did you mean \"account\"?",
			"locations": [
				{
					"line": 2,
					"column": 3
				}
			]
		}
	]
}

This response is great in development. But, since we disable introspection in production to be default-secure, this feels like a security risk as it gives away other endpoints to start probing.
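One defensive option, as an added example that is not code from the issue or from the RedwoodJS project: a formatError-style hook that strips the trailing "Did you mean ...?" suggestion graphql-js appends to validation errors, so the production API still reports that the field is invalid without naming real fields, arguments or types. The hook name it should be wired into (formatError, maskError, or similar) depends on the GraphQL server in use and is an assumption here; the sample response is constructed to match the one shown in the issue.

```javascript
// Added example (not RedwoodJS project code). graphql-js ends "unknown field",
// "unknown argument" and "unknown type" validation errors with a sentence of the
// form ` Did you mean "x"?`, ` Did you mean "x" or "y"?` or
// ` Did you mean "x", "y", or "z"?`. Matching that final sentence and dropping
// it keeps the useful part of the error while removing the schema hint.
const SUGGESTION_SUFFIX = / Did you mean .*\?$/;

// Remove the suggestion sentence from a single error message. Messages that
// carry no suggestion (syntax errors, resolver errors, ...) pass through unchanged.
function stripSuggestion(message) {
  return typeof message === 'string' ? message.replace(SUGGESTION_SUFFIX, '') : message;
}

// Sanitize a whole GraphQL response. In development the suggestions are kept
// because they are genuinely helpful; in production they are stripped, matching
// the issue's "introspection is off in production" stance.
function sanitizeErrors(response, { production }) {
  if (!production || !Array.isArray(response.errors)) return response;
  return {
    ...response,
    errors: response.errors.map((err) => ({
      ...err,
      message: stripSuggestion(err.message),
    })),
  };
}

// Constructed sample, modelled on the response quoted in the issue.
const SAMPLE_RESPONSE = {
  errors: [
    {
      message:
        'Cannot query field "createAccount" on type "Mutation". Did you mean "account"?',
      locations: [{ line: 2, column: 3 }],
    },
  ],
};

// Wiring assumption: whatever error-formatting hook your server exposes would
// call something like `(err) => ({ ...err, message: stripSuggestion(err.message) })`
// when process.env.NODE_ENV === 'production'. Demonstrated here on the sample:
console.log(JSON.stringify(sanitizeErrors(SAMPLE_RESPONSE, { production: true }), null, 2));
```

The locations array is left intact because it only points into the client's own query text; only the message, which is what names existing schema members, is rewritten.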
