Merge pull request #32 from sqrl-planner/develop

 Disable GraphiQL and introspection on prod (#31)

Author: eamonma

config/settings.py

@@ -8,6 +8,8 @@
 SERVER_NAME = os.getenv(
     'SERVER_NAME', 'localhost:{0}'.format(os.getenv('PORT', '8000')))
 
+ENV = os.getenv('FLASK_ENV', 'production')
+
 # MongoDB configuration
 MONGODB_SETTINGS = {
     'db': os.getenv('MONGODB_DB', 'sqrl'),

sqrl/graphql/__init__.py

@@ -1,15 +1,20 @@
 from flask import Flask
 from graphql_server.flask import GraphQLView
-
+from graphql.validation.rules.custom.no_schema_introspection import NoSchemaIntrospectionCustomRule
+from graphql.validation.specified_rules import specified_rules
 from sqrl.graphql.schema import schema
 
 
 def init_app(app: Flask) -> None:
     """Initialise GraphQL with a flask app context."""
+    on_dev = app.config.get('ENV', 'production') == 'development'
+    prod_rules = specified_rules + tuple([NoSchemaIntrospectionCustomRule])
     app.add_url_rule(
         '/graphql',
         view_func=GraphQLView.as_view(
             'graphql',
             schema=schema.graphql_schema,
-            graphiql=True),
+            validation_rules=None if on_dev else prod_rules,
+            graphiql=on_dev,
+        )
     )