Hey, as in the title, is there any configuration flag that allows to disable GraphQL introspection or restrict access to the graphql endpoint to authorized requests only?
Hi! Set
graphQL: {disable: true}
in your payload.config.ts file to totally disable graphQL
https://payloadcms.com/docs/graphql/overview
Hmm, but as far as I understood it disables GraphQL completly. I still want to use it, just don’t want to make it accessible without authorization. My only idea for now was to use the Express middleware but maybe there is an easier way?
I secured it with express.postMiddleware, I'm not sure if this is the best approach, but it seems to work well:
export const secureGraphQLIntrospection = (req: PayloadRequest, res: Response, next: NextFunction) => {
const isGqlPath = req.path === '/graphql';
if (isGqlPath) {
const query = isObject(req.body) ? req.body.query : null;
const isIntrospectionQuery = typeof query === 'string' && query.includes('__schema');
if (isIntrospectionQuery && !req.user) {
return res.status(403).json({ error: 'Introspection queries are not allowed' });
}
}
next();
};
Star
Discord
online
Get dedicated engineering support directly from the Payload team..