From 18a313b33c1e3b33ce662132bc0c9e41149a0470 Mon Sep 17 00:00:00 2001
From: Falk
Date: Fri, 22 Dec 2023 17:51:02 +0100
Subject: [PATCH] feat: disable introspection via validation rules property

Introduce a new setting to disable introspection. Introspection remains enabled in dev/test environments, but disabled in production.
---
 caluma/caluma_user/views.py | 4 ++++
 caluma/settings/caluma.py | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/caluma/caluma_user/views.py b/caluma/caluma_user/views.py
index 87d91cea5..3417cd04b 100644
--- a/caluma/caluma_user/views.py
+++ b/caluma/caluma_user/views.py
@@ -8,6 +8,7 @@ from django.http.response import HttpResponse
 from django.utils.encoding import force_bytes, smart_str
 from django.utils.module_loading import import_string
+from graphene.validation import DisableIntrospection
 from graphene_django.views import GraphQLView, HttpError
 from rest_framework.authentication import get_authorization_header
 
@@ -19,6 +20,9 @@ class HttpResponseUnauthorized(HttpResponse):
 
 
 class AuthenticationGraphQLView(GraphQLView):
+    if settings.DISABLE_INTROSPECTION: # pragma: no cover
+        validation_rules = (DisableIntrospection,)
+
     def get_bearer_token(self, request):
         auth = get_authorization_header(request).split()
         header_prefix = "Bearer"
diff --git a/caluma/settings/caluma.py b/caluma/settings/caluma.py
index c063b95f0..564c427b2 100644
--- a/caluma/settings/caluma.py
+++ b/caluma/settings/caluma.py
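Review bot: The `if settings.DISABLE_INTROSPECTION:` guard sits in the class body of `AuthenticationGraphQLView`, so it is evaluated once when the module is imported; the rule set is then fixed for the whole process, `override_settings` cannot flip it, and the production branch ships untested, which is what the `# pragma: no cover` marker is papering over. Resolving the flag per instance instead — override `__init__`, call `super().__init__(*args, **kwargs)`, then set `self.validation_rules = (DisableIntrospection,)` when the setting is true — keeps the same behaviour while letting a test assert that a `__schema` query is rejected with the flag on and accepted with it off. A short comment at the guard would also help readers who never open the settings file, since the caveat lives only there: `# Hardening only: graphql-core's "Did you mean" suggestions in validation errors still expose field names, so this hides the schema from casual clients, not from a determined one.` `AuthenticationGraphQLView`'s body continues past the end of the hunk.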
@@ -52,6 +52,12 @@ def default(default_dev=env.NOTSET, default_prod=env.NOTSET):
     "RELAY_CONNECTION_MAX_LIMIT": None,
 }
 
+# If you set DISABLE_INTROSPECTION to True, any GQL client will not be able to
+# query the types and connections, making crafting queries much harder (but not
+# impossible, and this is an Open Source product, so they can still go check
+# the source).
+DISABLE_INTROSPECTION = env.bool("DISABLE_INTROSPECTION", default=default(False, True))
+
 # OpenID connect
 OIDC_USERINFO_ENDPOINT = env.str("OIDC_USERINFO_ENDPOINT", default=None)