request: secure introspection queries with authorization token

[jeffutter]

trafficstars

Component(s)

router

Is your feature request related to a problem? Please describe.

For security, in production, we will disable schema introspection. In staging environments, we would like to enable introspection but have some protection against crafty users who guess our staging URLs from having access to view the schema.

Describe the solution you'd like

We currently (with our hand-rolled stitching solution) accept an Authorization header with a specific value in staging to allow the introspection queries.

A similar solution seems simple and adequate.

Perhaps we could set the desired token value as an environment variable for the router or in the router config. If the same value is provided in the Authorization header (or perhaps some bespoke header) the introspection query would be executed, otherwise it would be rejected.

Describe alternatives you've considered

A lot could probably be done integrating with Oauth providers, but this would increase the complexity, both of implementation and use greatly.

We also considered if the authorization could be granted only to the playground. But this more general header-based solution allows introspection queries to be run by other tooling (i.e. library tooling used by client developers that uses the introspection query to generate libraries and types in various languages)

Additional context

No response

[github-actions[bot]]

WunderGraph commits fully to Open Source and we want to make sure that we can help you as fast as possible. The roadmap is driven by our customers and we have to prioritize issues that are important to them. You can influence the priority by becoming a customer. Please contact us here.