import {
ASTVisitor,
GraphQLError,
FieldNode,
ValidationContext,
getNamedType,
isIntrospectionType,
} from "graphql"
// Adapted from https://github.com/graphql/graphql-js/pull/2600.
// TODO: replace once using graphql >=15.2.0
/**
 * Validation rule that rejects introspection queries.
 *
 * For every selected field, the visitor looks up the type at the current
 * position, unwraps it to its named type, and reports a validation error when
 * that named type is one of the GraphQL introspection types. A field that
 * merely returns a non-introspection type (for example the `__typename`
 * meta-field, which returns a string) is not rejected by this check.
 *
 * Note: This rule is optional and is not part of the Validation section of the
 * GraphQL Specification. It effectively disables introspection, which does not
 * reflect best practices and should only be done if absolutely necessary.
 *
 * Security notes:
 * - This is a validation-time control only. It has an effect only where the
 *   server passes it in the rule list used to validate incoming documents;
 *   that wiring is not visible in this file, so confirm it covers every
 *   endpoint that executes client-supplied queries.
 * - Rejecting introspection fields does not by itself keep the schema
 *   private: other responses (such as validation errors that suggest similar
 *   field names) can still reveal schema details and should be reviewed
 *   separately.
 *
 * @param context - Validation context for the document being checked.
 * @returns An AST visitor with a `Field` handler that reports the error.
 */
export const NoSchemaIntrospectionCustomRule = (
  context: ValidationContext
): ASTVisitor => ({
  Field(node: FieldNode) {
    // No type information at this position: nothing to check.
    const fieldType = context.getType()
    if (!fieldType) return

    // Strip list / non-null wrappers so the check sees the underlying type.
    const namedType = getNamedType(fieldType)
    if (!namedType || !isIntrospectionType(namedType)) return

    const introspectionError = new GraphQLError(
      `GraphQL introspection has been disabled, but the requested query contained the field "${node.name.value}".`,
      node
    )
    context.reportError(introspectionError)
  },
})