Disable GraphQL Introspection in graphql-java-tools


I am trying to disable GraphQL introspection in my project and am not having much luck with the specific framework I am using. Some articles say it can be done in the CodeRegistry module, but that is a decompiled source which is read-only. Has anyone achieved this with the GraphQL-java-kickstart framework?

Below are the dependencies in my pom file:

        <dependency>
            <groupId>com.graphql-java</groupId>
            <artifactId>graphql-java</artifactId>
            <version>${graphql.java.version}</version>
        </dependency>
        <dependency>
            <groupId>com.graphql-java-kickstart</groupId>
            <artifactId>graphql-java-tools</artifactId>
            <version>${graphql.java.tools.version}</version>
        </dependency>
        <dependency>
            <groupId>com.graphql-java</groupId>
            <artifactId>graphql-java-extended-validation</artifactId>
            <version>0.0.3</version>
        </dependency>

There are 2 best solutions below

0

spring-boot-starter-graphql

In your application.yml

    # Spring Boot binds these properties under the spring.graphql prefix
    spring:
      graphql:
        schema:
          introspection:
            enabled: false

It is implied here: https://docs.spring.io/spring-boot/docs/current/api/org/springframework/boot/autoconfigure/graphql/GraphQlProperties.Schema.Introspection.html

I am aware that I am not answering the direct question but searches for related queries all end up here.

5

Graphql-java

With graphql-java, you build a GraphQLSchema using a GraphQLSchema.Builder. You need to set the builder visibility for the introspection field before building to disable the introspection query.

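    import graphql.schema.GraphQLSchema;
    import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;

    // query, mutation, subscription and dictionary are the types defined elsewhere in the application
    GraphQLSchema.Builder builder = GraphQLSchema.newSchema()
                                         .query(query)
                                         .mutation(mutation)
                                         .subscription(subscription)
                                         .additionalTypes(dictionary);

    // Hide the introspection fields before the schema is built
    builder.fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);

    GraphQLSchema schema = builder.build();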

You can use the graphql-java-tools implementation as a reference.

Graphql-java-tools

With graphql-java-tools, you build a SchemaParser using a SchemaParserBuilder. The SchemaParserBuilder needs a SchemaParserOptions object. When building the SchemaParserOptions, you can enable or disable the introspection query. Here is a very simplified implementation.

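    // Body of a factory method that returns the SchemaParser;
    // introspectionEnabled is a boolean taken from the application's configuration
    SchemaParserBuilder builder = new SchemaParserBuilder();
    final SchemaParserOptions.Builder optionsBuilder = SchemaParserOptions.newOptions();
    optionsBuilder.introspectionEnabled(introspectionEnabled);
    return builder.options(optionsBuilder.build()).build();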

You can use the graphql-spring-boot implementation as a reference.

Graphql-spring-boot

If you are using graphql-spring-boot, according to the graphql-java-tools README, you can disable the introspection query by setting the graphql.tools.introspection-enabled property to false in your application.properties or application.yml file.

    graphql:
        tools:
            schema-location-pattern: "**/*.graphqls"
            # Enable or disable the introspection query. Disabling it puts your server in contravention of the GraphQL
            # specification and expectations of most clients, so use this option with caution
            introspection-enabled: false

Graphql-spqr

With Graphql-spqr, the idea is the same as in graphql-java: setting the builder field visibility. See my answer to this question for how to implement it.
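
Whichever of the settings above is used, the result can be confirmed from outside the application by sending the two root introspection fields to your own endpoint and checking that neither returns data. The script below is an added example, not code from the answers or from any of the projects named; the endpoint URL is hypothetical and the `fake_enabled` / `fake_disabled` transports are constructed stand-ins so that it runs offline.

```python
import json
import urllib.error
import urllib.request

# The two root introspection fields from the GraphQL spec. "String" is used for
# __type because it is a built-in scalar that the introspection types themselves use.
PROBES = {
    "__schema": "{ __schema { queryType { name } } }",
    "__type": '{ __type(name: "String") { name } }',
}

def http_post(url, query, timeout=10):
    """Default transport: POST the query as JSON and return the decoded body.
    A non-JSON reply raises, so an outage is never reported as 'disabled'."""
    req = urllib.request.Request(
        url, data=json.dumps({"query": query}).encode(),
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:  # validation errors may come back as 4xx
        return json.loads(err.read())

def check(url, post=http_post):
    """Report which introspection root fields still return data."""
    exposed = []
    for field, query in PROBES.items():
        data = (post(url, query) or {}).get("data") or {}
        if data.get(field) is not None:
            exposed.append(field)
    return {"url": url, "introspection_disabled": not exposed, "exposed": exposed}

# Constructed stand-ins for a server (not captured responses).
def fake_enabled(url, query):
    if "__schema" in query:
        return {"data": {"__schema": {"queryType": {"name": "Query"}}}}
    return {"data": {"__type": {"name": "String"}}}

def fake_disabled(url, query):
    field = "__schema" if "__schema" in query else "__type"
    return {"data": None, "errors": [{"message": f"Field '{field}' is undefined"}]}

if __name__ == "__main__":
    url = "http://localhost:8080/graphql"  # hypothetical endpoint
    print(check(url, post=fake_enabled))
    print(check(url, post=fake_disabled))
```

Calling `check(url)` without the `post` argument uses the real HTTP transport, which makes it suitable as a post-deploy or CI assertion against a staging endpoint.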