Keep parts of your GraphQL Introspection Query hidden


Using directives and plugins in Apollo Server 4 to customize the introspection query output. Once you have created your first schema and your GraphQL server is up and running, it makes sense to add precautions against bad actors probing it. By Florian Fuchs

This article explores excluding individual fields and types from introspection responses without giving up the server's discoverability by turning introspection off entirely. It covers:

  • What hiding parts of the schema from introspection does (and does not) achieve
  • A look at GraphQL schema introspection
  • How directives in GraphQL apply custom logic
  • Formalizing the @hidden directive
  • Why the directive alone does not work
  • How plugins in Apollo Server hook into the request life cycle
  • An implementation tells more than a thousand words

First, this is by no means a safeguard for your server. Even if certain fields and types are omitted from the introspection response, they remain part of the schema and can be queried normally by any client that knows their names. Secondly, make sure that every reference to a hidden definition (for example, a visible field whose type is a hidden type) is hidden as well, otherwise the name still leaks through the response. Always double-check that you are not breaking other tools that rely on your schema by carelessly applying the hidden directive 🙌 Good read!
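The mechanism the summary describes, as an added example that is not code from the article: an Apollo Server 4 plugin that hooks `willSendResponse` and rewrites the introspection result so that hidden types and fields are dropped. The step that collects hidden names from the `@hidden` directive is not shown; the plugin takes the set as input in an assumed shape (`{ types: Set, fields: Set }`). The sample introspection payload is constructed, and the plugin is driven with a fake request context so that it runs without Apollo installed. The filter also reports the caveat from the paragraph above: visible fields or arguments whose type is a hidden type still expose that type's name.

```javascript
// Added example, not code from the original article or from Apollo.
// Assumed hidden-set shape: { types: Set<typeName>, fields: Set<"Type.field"> }.
function makeHiddenSet({ types = [], fields = [] } = {}) {
  return { types: new Set(types), fields: new Set(fields) };
}

// Introspection wraps named types in NON_NULL / LIST; unwrap to the type name.
function namedTypeOf(typeRef) {
  let t = typeRef;
  while (t && t.ofType) t = t.ofType;
  return t && t.name ? t.name : null;
}

// Remove hidden types and fields from a __schema result. Returns the filtered
// data plus "leaks": visible fields/args whose type is a hidden type, which
// would still reveal the hidden type's name in the response.
function filterIntrospection(data, hidden) {
  if (!data || !data.__schema || !Array.isArray(data.__schema.types)) {
    return { data, leaks: [] }; // not an introspection response: leave untouched
  }
  const leaks = [];
  const types = [];
  for (const type of data.__schema.types) {
    if (hidden.types.has(type.name)) continue;
    const copy = { ...type };
    for (const key of ['fields', 'inputFields']) {
      if (!Array.isArray(type[key])) continue;
      copy[key] = type[key].filter((field) => {
        const path = `${type.name}.${field.name}`;
        if (hidden.fields.has(path)) return false;
        if (hidden.types.has(namedTypeOf(field.type))) leaks.push(path);
        for (const arg of field.args || []) {
          if (hidden.types.has(namedTypeOf(arg.type))) leaks.push(`${path}(${arg.name}:)`);
        }
        return true;
      });
    }
    // Interface and union membership lists can also name a hidden type.
    for (const key of ['interfaces', 'possibleTypes']) {
      if (!Array.isArray(type[key])) continue;
      copy[key] = type[key].filter((ref) => !hidden.types.has(namedTypeOf(ref)));
    }
    types.push(copy);
  }
  return { data: { ...data, __schema: { ...data.__schema, types } }, leaks };
}

// Apollo Server 4 plugin: hooks are awaited by Apollo, so sync functions work.
// Only the single (non-incremental) response body shape is handled.
function hiddenIntrospectionPlugin(hidden, { onLeak = (paths) => console.warn('hidden type still referenced by', paths) } = {}) {
  return {
    requestDidStart() {
      return {
        willSendResponse({ response }) {
          if (!response.body || response.body.kind !== 'single') return;
          const { data, leaks } = filterIntrospection(response.body.singleResult.data, hidden);
          if (leaks.length > 0) onLeak(leaks);
          response.body.singleResult.data = data;
        },
      };
    },
  };
}

// Constructed sample: what an introspection query returns for a schema where
// type Secret and field Query.adminFlag are marked @hidden, but Query.secret
// (of type Secret!) was left visible by mistake.
const SAMPLE_INTROSPECTION = {
  __schema: {
    queryType: { name: 'Query' },
    types: [
      { kind: 'OBJECT', name: 'Query', fields: [
        { name: 'publicField', args: [], type: { kind: 'SCALAR', name: 'String', ofType: null } },
        { name: 'secret', args: [], type: { kind: 'NON_NULL', name: null, ofType: { kind: 'OBJECT', name: 'Secret', ofType: null } } },
        { name: 'adminFlag', args: [], type: { kind: 'SCALAR', name: 'Boolean', ofType: null } },
      ] },
      { kind: 'OBJECT', name: 'Secret', fields: [
        { name: 'token', args: [], type: { kind: 'SCALAR', name: 'String', ofType: null } },
      ] },
      { kind: 'SCALAR', name: 'String', fields: null },
      { kind: 'SCALAR', name: 'Boolean', fields: null },
    ],
  },
};

// Drive the plugin with a fake request context (no Apollo needed).
function runSample() {
  const leaks = [];
  const plugin = hiddenIntrospectionPlugin(
    makeHiddenSet({ types: ['Secret'], fields: ['Query.adminFlag'] }),
    { onLeak: (paths) => leaks.push(...paths) },
  );
  const response = { body: { kind: 'single', singleResult: { data: SAMPLE_INTROSPECTION } } };
  plugin.requestDidStart().willSendResponse({ response });
  return { data: response.body.singleResult.data, leaks };
}
```

In `runSample()` the `Secret` type and `Query.adminFlag` disappear from the response, but `Query.secret` is reported as a leak because its type still names `Secret`. That is exactly the reference problem the summary warns about: either hide `Query.secret` too, or accept that the type name is discoverable. In a real deployment the plugin goes into the `plugins` array of `new ApolloServer({...})`, and the hidden set is built once at startup from the schema's directives.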


Tags apis app-development restful devops