v0.17.56
v0.17.56 v0.17.55 v0.17.54 v0.17.53 v0.17.52 v0.17.51 v0.17.50 v0.17.49 v0.17.48 v0.17.47 v0.17.46 v0.17.45 v0.17.44 v0.17.43 v0.17.42 v0.17.41 v0.17.40 v0.17.39 v0.17.38 v0.17.37 master

Introspection

Disabling introspection
[edit]

One of the best features of GraphQL is it’s powerful discoverability and its is automatically included when using NewDefaultServer.

Disable introspection for the whole server

To opt out of introspection globally you should build your own server with only the features you use. For example a simple server that only does POST, and only has introspection in dev could look like:

srv := handler.New(es)

srv.AddTransport(transport.Options{})
srv.AddTransport(transport.POST{})

if os.Getenv("ENVIRONMENT") == "development" {
    srv.Use(extension.Introspection{})
}

Disabling introspection based on authentication

Introspection can also be enabled on a per-request context basis. For example, you could modify it in a middleware based on user authentication:

srv := handler.NewDefaultServer(es)
srv.AroundOperations(func(ctx context.Context, next graphql.OperationHandler) graphql.ResponseHandler {
    if !userForContext(ctx).IsAdmin {
        graphql.GetOperationContext(ctx).DisableIntrospection = true
    }

    return next(ctx)
})