feat(graphql): allow to disable the introspection query (api-platform#5711)

epourail · web-flow · commit 92a81f024541 · 2023-08-08T15:41:42.000+02:00
diff --git a/src/GraphQl/Executor.php b/src/GraphQl/Executor.php
@@ -16,6 +16,8 @@
 use GraphQL\Executor\ExecutionResult;
 use GraphQL\GraphQL;
 use GraphQL\Type\Schema;
+use GraphQL\Validator\DocumentValidator;
+use GraphQL\Validator\Rules\DisableIntrospection;
 
 /**
  * Wrapper for the GraphQL facade.
@@ -24,6 +26,15 @@
  */
 final class Executor implements ExecutorInterface
 {
+    public function __construct(private readonly bool $graphQlIntrospectionEnabled = true)
+    {
+        DocumentValidator::addRule(
+            new DisableIntrospection(
+                $this->graphQlIntrospectionEnabled ? DisableIntrospection::DISABLED : DisableIntrospection::ENABLED
+            )
+        );
+    }
+
     /**
      * {@inheritdoc}
      */
diff --git a/src/Symfony/Bundle/DependencyInjection/ApiPlatformExtension.php b/src/Symfony/Bundle/DependencyInjection/ApiPlatformExtension.php
@@ -499,13 +499,16 @@ private function registerGraphQlConfiguration(ContainerBuilder $container, array
     {
         $enabled = $this->isConfigEnabled($container, $config['graphql']);
 
+        $graphqlIntrospectionEnabled = $enabled && $this->isConfigEnabled($container, $config['graphql']['introspection']);
+
         $graphiqlEnabled = $enabled && $this->isConfigEnabled($container, $config['graphql']['graphiql']);
         $graphqlPlayGroundEnabled = $enabled && $this->isConfigEnabled($container, $config['graphql']['graphql_playground']);
         if ($graphqlPlayGroundEnabled) {
             trigger_deprecation('api-platform/core', '3.1', 'GraphQL Playground is deprecated and will be removed in API Platform 4.0. Only GraphiQL will be available in the future. Set api_platform.graphql.graphql_playground to false in the configuration to remove this deprecation.');
         }
 
         $container->setParameter('api_platform.graphql.enabled', $enabled);
+        $container->setParameter('api_platform.graphql.introspection.enabled', $graphqlIntrospectionEnabled);
         $container->setParameter('api_platform.graphql.graphiql.enabled', $graphiqlEnabled);
         $container->setParameter('api_platform.graphql.graphql_playground.enabled', $graphqlPlayGroundEnabled);
         $container->setParameter('api_platform.graphql.collection.pagination', $config['graphql']['collection']['pagination']);
diff --git a/src/Symfony/Bundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/DependencyInjection/Configuration.php
@@ -236,6 +236,9 @@ private function addGraphQlSection(ArrayNodeDefinition $rootNode): void
                         ->arrayNode('graphql_playground')
                             ->{class_exists(GraphQL::class) && class_exists(TwigBundle::class) ? 'canBeDisabled' : 'canBeEnabled'}()
                         ->end()
+                        ->arrayNode('introspection')
+                            ->canBeDisabled()
+                        ->end()
                         ->scalarNode('nesting_separator')->defaultValue('_')->info('The separator to use to filter nested fields.')->end()
                         ->arrayNode('collection')
                             ->addDefaultsIfNotSet()
diff --git a/src/Symfony/Bundle/Resources/config/graphql.xml b/src/Symfony/Bundle/Resources/config/graphql.xml
@@ -5,7 +5,9 @@
            xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
 
     <services>
-        <service id="api_platform.graphql.executor" class="ApiPlatform\GraphQl\Executor" public="false" />
+        <service id="api_platform.graphql.executor" class="ApiPlatform\GraphQl\Executor" public="false">
+            <argument>%api_platform.graphql.introspection.enabled%</argument>
+        </service>
 
         <!-- Resolvers -->
 
diff --git a/tests/GraphQl/ExecutorTest.php b/tests/GraphQl/ExecutorTest.php
@@ -0,0 +1,41 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\GraphQl;
+
+use ApiPlatform\GraphQl\Executor;
+use GraphQL\Validator\DocumentValidator;
+use GraphQL\Validator\Rules\DisableIntrospection;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @author Julien Verger <julien.verger@gmail.com>
+ */
+class ExecutorTest extends TestCase
+{
+    public function testEnableIntrospectionQuery(): void
+    {
+        $executor = new Executor(true);
+
+        $expected = new DisableIntrospection(DisableIntrospection::DISABLED);
+        $this->assertEquals($expected, DocumentValidator::getRule(DisableIntrospection::class));
+    }
+
+    public function testDisableIntrospectionQuery(): void
+    {
+        $executor = new Executor(false);
+
+        $expected = new DisableIntrospection(DisableIntrospection::ENABLED);
+        $this->assertEquals($expected, DocumentValidator::getRule(DisableIntrospection::class));
+    }
+}
diff --git a/tests/Symfony/Bundle/DependencyInjection/ConfigurationTest.php b/tests/Symfony/Bundle/DependencyInjection/ConfigurationTest.php
@@ -121,6 +121,9 @@ private function runDefaultConfigTests(array $doctrineIntegrationsToLoad = ['orm
                 'graphiql' => [
                     'enabled' => true,
                 ],
+                'introspection' => [
+                    'enabled' => true,
+                ],
                 'nesting_separator' => '_',
                 'collection' => [
                     'pagination' => [
