Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add NoSchemaIntrospectionCustomRule #2600

Merged
merged 1 commit into from
Jun 20, 2020

Conversation

danielrearden
Copy link
Contributor

@danielrearden danielrearden force-pushed the no-introspection-rule branch from a626231 to 78ce9cf Compare June 2, 2020 13:47
@IvanGoncharov IvanGoncharov added the PR: feature 🚀 requires increase of "minor" version number label Jun 2, 2020
@IvanGoncharov
Copy link
Member

@danielrearden Thanks, looks very tidy and match the style of other rules 👍

I give it more though and technically __typename is also introspection field so we can't call it NoIntrospectionFields 😞
Also, we have other fields that can leak similar info for example Apollo federation has _service that returns SDL.
So I more incline towards more generic rules like:

Also, I think in this case being able to customize error messages would be very helpful.

But I'm not sure if I'm overcomplicating it or not so I need more time to think.
Meanwhile, if you have time you can work on #2601 which is very similar to this one.

@IvanGoncharov
Copy link
Member

@danielrearden Actually scratch it this rule is very short so config for the more generic rule would be more longer that rule itself.
So back the initial question, __typename is also introspection field so we need to change rule name.
How about BanIntrospectionQueriesRule?

@danielrearden
Copy link
Contributor Author

How about BanIntrospectionQueriesRule?

@IvanGoncharov That makes sense. Would NoIntrospectionQueriesRule be more inline with the existing rule names?

@IvanGoncharov
Copy link
Member

Would NoIntrospectionQueriesRule be more inline with the existing rule names?

@danielrearden Generally, yes. But in this case, we forbid something that is totally valid and you ban it because of your own preference/requirements not even because it represents best practice.
Speaking of this can you please expand description with some strong wording asking not to use this rule unless it's absolutely necessary.

@danielrearden danielrearden force-pushed the no-introspection-rule branch from 78ce9cf to 7784367 Compare June 3, 2020 00:21
@danielrearden danielrearden changed the title Add NoIntrospectionFieldsRule Add ProhibitIntrospectionQueriesRule Jun 3, 2020
@danielrearden
Copy link
Contributor Author

@IvanGoncharov

  • Changed name to ProhibitIntrospectionQueriesRule
  • Updated rule logic to just check the field type
  • Moved rule to /rules/optional
  • Updated comment to include usage warning
  • Added test for non-standard introspection fields -- ended up using expectValidationRulesWithSchema anyway so I wouldn't have to touch the harness schema
  • Had to build schema programmatically since buildSchema doesn't support using introspection types for fields

The use of introspection types with user-defined fields is unconventional but I don't believe it's prohibited by the spec. Since the rule just tests the field's type, it's possible it would also throw in the event a non-standard introspection field like that was requested. I think that behavior lines up with the intent behind the rule.

@danielrearden danielrearden force-pushed the no-introspection-rule branch 2 times, most recently from e95cc70 to f291cf3 Compare June 3, 2020 02:19
@danielrearden
Copy link
Contributor Author

@IvanGoncharov Ok, that should be all of it 😓

.vscode/settings.json Outdated Show resolved Hide resolved
@danielrearden danielrearden force-pushed the no-introspection-rule branch from f291cf3 to 9bdde6f Compare June 3, 2020 11:19
@IvanGoncharov
Copy link
Member

IvanGoncharov commented Jun 4, 2020

@danielrearden Forget about this one.
But it too late in my timezone so I will go to 🛌 and will check it tomorrow.

P.S. It's totally okay to ping in comments after you addressed all review comments.
Moreover actually makes my life easier since I don't need to check all current PRs to see their statuses 😄

@danielrearden danielrearden force-pushed the no-introspection-rule branch from 9bdde6f to b1fbab0 Compare June 6, 2020 00:32
@danielrearden danielrearden changed the title Add ProhibitIntrospectionQueriesRule Add NoSchemaIntrospectionCustomRule Jun 6, 2020
},
},
}),
});
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danielrearden I merged #2608 so now buildSchema should work fine can you please use it instead.

@danielrearden danielrearden force-pushed the no-introspection-rule branch from b1fbab0 to 13086bb Compare June 20, 2020 18:54
@danielrearden danielrearden force-pushed the no-introspection-rule branch from 13086bb to d48a015 Compare June 20, 2020 18:56
@IvanGoncharov IvanGoncharov merged commit 00077f1 into graphql:master Jun 20, 2020
joeyAghion added a commit to joeyAghion/metaphysics that referenced this pull request Sep 2, 2020
This rule is adapted from graphql/graphql-js#2600
and should be replaced once using graphql >=15.2.0.

Co-authored by: dzucconi <mail@damonzucconi.com>
joeyAghion added a commit to joeyAghion/metaphysics that referenced this pull request Sep 2, 2020
This rule is adapted from graphql/graphql-js#2600
and should be replaced once using graphql >=15.2.0.

Co-authored by: dzucconi <mail@damonzucconi.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
PR: feature 🚀 requires increase of "minor" version number
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants