feat(wabe): block graphql introspection in production (#264)

Author: coratgerl

bun.lock

@@ -29,7 +29,6 @@
 		"generate:codegen": "touch generated/wabe.ts && CODEGEN=true bun dev/index.ts"
 	},
 	"dependencies": {
-		"@graphql-yoga/plugin-disable-introspection": "2.10.9",
 		"croner": "9.0.0",
 		"graphql": "16.12.0",
 		"js-srp6a": "1.0.2",

packages/wabe/package.json

@@ -22,6 +22,49 @@ describe('Security tests', () => {
 		await wabe.close()
 	})
 
+	it('should block GraphQL introspection queries for anonymous and authenticated users for isProduction server', async () => {
+		const setup = await setupTests([], true)
+		wabe = setup.wabe
+		port = setup.port
+		client = getAnonymousClient(port)
+		rootClient = getGraphqlClient(port)
+
+		// Test pour un utilisateur anonyme
+		expect(
+			client.request(gql`
+				query IntrospectionQuery {
+					__schema {
+						types {
+							name
+						}
+					}
+				}
+			`),
+		).rejects.toThrow('GraphQL introspection is not allowed in production')
+
+		// Test pour un utilisateur authentifié (même un admin)
+		const { userClient } = await createUserAndUpdateRole({
+			anonymousClient: client,
+			port,
+			roleName: 'Admin',
+			rootClient,
+		})
+
+		expect(
+			userClient.request(gql`
+				query IntrospectionQuery {
+					__schema {
+						types {
+							name
+						}
+					}
+				}
+			`),
+		).rejects.toThrow('GraphQL introspection is not allowed in production')
+
+		await closeTests(wabe)
+	})
+
 	it('should return null if the accessToken is an invalid accessToken', async () => {
 		const setup = await setupTests()
 		wabe = setup.wabe

packages/wabe/src/security.test.ts

@@ -5,7 +5,7 @@ import {
 	Schema,
 	type SchemaInterface,
 } from '../schema/Schema'
-import { GraphQLObjectType, GraphQLSchema } from 'graphql'
+import { GraphQLError, GraphQLObjectType, GraphQLSchema } from 'graphql'
 import { GraphQLSchema as WabeGraphQLSchema } from '../graphql'
 import type { AuthenticationConfig } from '../authentication/interface'
 import { type WabeRoute, defaultRoutes } from './routes'
@@ -23,7 +23,6 @@ import { defaultSessionHandler } from './defaultHandlers'
 import type { CronConfig } from '../cron'
 import type { FileConfig } from '../file'
 import { WobeGraphqlYogaPlugin } from 'wobe-graphql-yoga'
-import { useDisableIntrospection } from '@graphql-yoga/plugin-disable-introspection'
 
 type SecurityConfig = {
 	corsOptions?: CorsOptions
@@ -285,7 +284,38 @@ export class Wabe<T extends WabeTypes> {
 					this.config.security?.hideSensitiveErrorMessage ||
 					this.config.isProduction,
 				graphqlEndpoint: '/graphql',
-				plugins: this.config.isProduction ? [useDisableIntrospection()] : [],
+				plugins: [
+					{
+						// @ts-expect-error
+						onValidate: ({ addValidationRule }) => {
+							// @ts-expect-error
+							addValidationRule((context) => {
+								return {
+									// @ts-expect-error
+									Field(node) {
+										const introspectionFields = [
+											'__schema',
+											'__type',
+											'__typeKind',
+											'__field',
+											'__inputValue',
+											'__enumValue',
+											'__directive',
+										]
+
+										if (introspectionFields.includes(node.name.value)) {
+											context.reportError(
+												new GraphQLError(
+													'GraphQL introspection is not allowed in production',
+												),
+											)
+										}
+									},
+								}
+							})
+						},
+					},
+				],
 				context: async (ctx): Promise<WabeContext<T>> => ctx.wabe,
 			}),
 		)

packages/wabe/src/server/index.ts

@@ -17,13 +17,14 @@ export const getDatabaseAdapter = async (databaseName: string) => {
 
 export const setupTests = async (
 	additionalClasses: ClassInterface<any>[] = [],
+	isProduction = false,
 ) => {
 	const databaseId = uuid()
 
 	const port = await getPort()
 
 	const wabe = new Wabe<DevWabeTypes>({
-		isProduction: false,
+		isProduction,
 		rootKey: 'dev',
 		database: {
 			// @ts-expect-error