I am using Spring Boot 3.2.0 with Spring GraphQL to build a simple CRUD application. I provided the query, mutation and GraphQL types to perform CRUD on the database.
In my application the /graphql endpoint is secured (requiring an authentication token).
However, GraphiQL (the default test/play tool) also needs to call this endpoint to introspect the schema and build context-sensitive help in the browser.
Any tips on how to separate introspection calls (requiring no authentication token) from query and mutation calls (requiring an authentication token)?
You could protect only the controller methods with Spring Security annotations and leave the main endpoint accessible to anonymous users, but introspection queries are quite invasive, so this is a tough tradeoff.
GraphiQL allows you to set credentials as headers. If this is not flexible enough, you should look into creating your own GraphiQL build and having a tighter integration with your authentication provider (like the GitHub explorer does).
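The first approach from the answer, written out as an added example that is not code from the question or the answer: the `/graphql` and `/graphiql` URLs are permitted for anonymous callers so the engine can answer introspection, while `@PreAuthorize` on the controller methods guards the actual data. It assumes Spring Boot 3.2 with the graphql, security and oauth2-resource-server starters, a JWT issuer configured in the application properties, and hypothetical `Book`/`BookRepository` types and a `books:write` scope.

```java
// Added example, not from the question or answer. Assumes Spring Boot 3.2 with
// spring-boot-starter-graphql, -security and -oauth2-resource-server (JWT bearer tokens,
// issuer set in application properties). Book and BookRepository are hypothetical.
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.graphql.data.method.annotation.Argument;
import org.springframework.graphql.data.method.annotation.MutationMapping;
import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;

@Configuration
@EnableMethodSecurity
class GraphQlSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // /graphql is open so GraphiQL can run __schema/__type introspection, which the
            // engine answers without touching a controller. Caveat: the schema is now public.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/graphql", "/graphiql").permitAll()
                .anyRequest().authenticated())
            // A bearer token, when present, is still validated and fills the SecurityContext.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // Stateless token API: no session cookie, so CSRF protection is not needed here.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}

@Controller
class BookController {
    private final BookRepository repo;
    BookController(BookRepository repo) { this.repo = repo; }
    // Authorization moves from the URL to the data fields: an anonymous caller gets a
    // GraphQL error for these fields, while introspection keeps working.
    @QueryMapping
    @PreAuthorize("isAuthenticated()")
    public List<Book> books() { return repo.findAll(); }

    @MutationMapping
    @PreAuthorize("hasAuthority('SCOPE_books:write')") // scope claim in the JWT (assumed name)
    public Book createBook(@Argument String title) { return repo.save(new Book(null, title)); }
}
```

Check the tradeoff the answer mentions by running `{ __schema { types { name } } }` without a token: it should succeed, while `{ books { title } }` without a token should return an error rather than data.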