It would be helpful if the library included a validation rule that would throw when an introspection field is requested. Something like what Apollo Server already uses:
const NoIntrospection = (context: ValidationContext) => ({
Field(node: FieldDefinitionNode) {
if (node.name.value === '__schema' || node.name.value === '__type') {
context.reportError(
new GraphQLError(
'GraphQL introspection is not allowed by Apollo Server, but the query contained __schema or __type. To enable introspection, pass introspection: true to ApolloServer in production',
[node],
),
);
}
},
});
The validation rule could then be optionally added when using libraries like express-graphql to effectively disable introspection.
It would be helpful if the library included a validation rule that would throw when an introspection field is requested. Something like what Apollo Server already uses:
The validation rule could then be optionally added when using libraries like
express-graphqlto effectively disable introspection.