feat: disable introspection by default (#335)

thommymo · thommym · web-flow · commit d3ad3b49ec4b · 2025-08-18T10:39:30.000+02:00
Co-authored-by: thommym &lt;thomas@smartive.ch&gt;
diff --git a/src/api/execute.ts b/src/api/execute.ts
@@ -1,15 +1,18 @@
 import { makeExecutableSchema } from '@graphql-tools/schema';
 import { IResolvers } from '@graphql-tools/utils';
-import { GraphQLResolveInfo, Source, execute as graphqlExecute, parse } from 'graphql';
+import { GraphQLResolveInfo, Source, execute as graphqlExecute, parse, specifiedRules, validate } from 'graphql';
 import merge from 'lodash/merge';
 import { Context, generate, get, getResolvers } from '..';
+import { noIntrospection } from '../utils/rules';
 
 export const execute = async ({
   additionalResolvers,
   body,
+  introspection = false,
   ...ctx
 }: {
   additionalResolvers?: IResolvers<any, any>;
+  introspection?: boolean;
   body: any;
 } & Omit<Context, 'document'>) => {
   const document = generate(ctx.models);
@@ -21,14 +24,26 @@ export const execute = async ({
     resolvers: merge(generatedResolvers, additionalResolvers),
   });
 
+  const parsedDocument = parse(new Source(body.query, 'GraphQL request'));
+
+  const validationErrors = validate(
+    schema,
+    parsedDocument,
+    introspection ? specifiedRules : [...specifiedRules, noIntrospection],
+  );
+
+  if (validationErrors.length > 0) {
+    return { errors: validationErrors };
+  }
+
   const contextValue: Context = {
     document,
     ...ctx,
   };
 
   const result = await graphqlExecute({
     schema,
-    document: parse(new Source(body.query, 'GraphQL request')),
+    document: parsedDocument,
     contextValue,
     variableValues: body.variables,
     operationName: body.operationName,
diff --git a/src/utils/rules.ts b/src/utils/rules.ts
@@ -0,0 +1,11 @@
+import { ValidationContext } from 'graphql';
+import { ForbiddenError } from '../errors';
+
+export const noIntrospection = (context: ValidationContext) => ({
+  Field(node) {
+    const name = node.name.value;
+    if (name === '__schema' || name === '__type') {
+      context.reportError(new ForbiddenError('GraphQL introspection is disabled'));
+    }
+  },
+});
