
Is it possible to disable GraphQL introspection on production?

svn__ (last year)

Hey, as in the title, is there any configuration flag that allows disabling GraphQL introspection, or restricting access to the GraphQL endpoint to authorized requests only?

  • zsazsagabonk (last year)

    Hi! Set

    graphQL: {disable: true}

    in your payload.config.ts file to totally disable graphQL



    https://payloadcms.com/docs/graphql/overview
  • svn__ (last year)

    Hmm, but as far as I understood, it disables GraphQL completely. I still want to use it, I just don't want to make it accessible without authorization. My only idea for now was to use the Express middleware, but maybe there is an easier way?



    I secured it with express.postMiddleware. I'm not sure if this is the best approach, but it seems to work well:



    import type { NextFunction, Response } from 'express';
    import type { PayloadRequest } from 'payload/types';

    // Registered under express.postMiddleware in payload.config.ts, so Payload's
    // auth middleware has already run and req.user is populated for logged-in users.
    export const secureGraphQLIntrospection = (req: PayloadRequest, res: Response, next: NextFunction) => {
      const isGqlPath = req.path === '/graphql';
    
      if (isGqlPath) {
        const query = req.body !== null && typeof req.body === 'object' ? req.body.query : null;
        // __schema and __type are the introspection root fields; the word boundary
        // keeps the harmless __typename meta-field from matching.
        const isIntrospectionQuery = typeof query === 'string' && /\b__(?:schema|type)\b/.test(query);
        if (isIntrospectionQuery && !req.user) {
          return res.status(403).json({ error: 'Introspection queries are not allowed' });
        }
      }
    
      next();
    };
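A hardened version of the text-level check in the post above, as an added example that is not code from the original thread or from Payload itself. Matching the raw query text is both too broad (a string argument containing `__schema` is rejected) and too narrow (`__type` is also an introspection root field, and a naive fix for that would also block the harmless `__typename`). The example below blanks out string literals and comments, then matches whole names only. It assumes, as the post does, that the middleware runs after Payload's auth middleware (registered under `express.postMiddleware`) so `req.user` is already set, and that the GraphQL route is mounted at `/graphql` on the same router; `makeFakeRes` and `simulate` are test doubles for running it without a server, and the sample queries are constructed, not captured traffic.

```javascript
// Added example, not code from the original thread or from Payload itself.
// Assumptions: runs after Payload's auth middleware (express.postMiddleware),
// so req.user is populated, and the GraphQL route is mounted at /graphql.

const INTROSPECTION_ROOT_FIELDS = new Set(['__schema', '__type']);

// Blank out string literals ("..." and """...""") and # comments so that
// their contents are never mistaken for field names.
function stripLiteralsAndComments(query) {
  let out = '';
  let i = 0;
  while (i < query.length) {
    if (query.startsWith('"""', i)) {
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
      out += ' ';
    } else if (query[i] === '"') {
      i += 1;
      while (i < query.length && query[i] !== '"') {
        if (query[i] === '\\') i += 1; // skip the escaped character
        i += 1;
      }
      i += 1; // closing quote
      out += ' ';
    } else if (query[i] === '#') {
      while (i < query.length && query[i] !== '\n') i += 1;
    } else {
      out += query[i];
      i += 1;
    }
  }
  return out;
}

// True when the document selects __schema or __type anywhere (including under
// an alias or inside a fragment). Names are matched whole, so __typename does
// not match, and variables such as $__schema are skipped.
function usesIntrospection(query) {
  if (typeof query !== 'string') return false;
  const cleaned = stripLiteralsAndComments(query);
  const names = cleaned.match(/\$?[_A-Za-z][_0-9A-Za-z]*/g) || [];
  return names.some((name) => !name.startsWith('$') && INTROSPECTION_ROOT_FIELDS.has(name));
}

// Express-style middleware. Accepts a single operation or a batched array of
// operations in req.body and rejects unauthenticated introspection with 403,
// using the GraphQL-style { errors: [...] } response shape.
function blockUnauthenticatedIntrospection(req, res, next) {
  if (req.path === '/graphql' && !req.user) {
    const body = req.body !== null && typeof req.body === 'object' ? req.body : {};
    const operations = Array.isArray(body) ? body : [body];
    if (operations.some((op) => op && usesIntrospection(op.query))) {
      res.status(403).json({ errors: [{ message: 'Introspection requires authentication' }] });
      return;
    }
  }
  next();
}

// Minimal stand-in for an Express response (test double, not part of the
// middleware) so the logic can be exercised without a running server.
function makeFakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Run the middleware against a constructed request and report the outcome.
function simulate(req) {
  const res = makeFakeRes();
  let passedThrough = false;
  blockUnauthenticatedIntrospection(req, res, () => { passedThrough = true; });
  return { passedThrough, statusCode: res.statusCode };
}

// Constructed sample requests (not captured traffic).
const INTROSPECTION_QUERY = 'query IntrospectionQuery { __schema { types { name } } }';
console.log(simulate({ path: '/graphql', body: { query: INTROSPECTION_QUERY }, user: null }));
console.log(simulate({ path: '/graphql', body: { query: INTROSPECTION_QUERY }, user: { id: 1 } }));
console.log(simulate({ path: '/graphql', body: { query: '{ users { docs { id } } }' }, user: null }));
```

Two caveats worth keeping in mind: filtering the request text is a stopgap, and where the server exposes a validation hook, a GraphQL validation rule (graphql-js ships `NoSchemaIntrospectionCustomRule`) is the cleaner place to enforce this. And hiding introspection does not hide the schema from someone who can guess field names, so for the question as asked, gating the whole `/graphql` route on `req.user` is the more robust control.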