From 8d8165a4f231fd5f923100a632e25296c9d00b42 Mon Sep 17 00:00:00 2001
From: Max
Date: Mon, 17 Mar 2025 16:06:27 +0100
Subject: [PATCH 1/4] Change obsolete AllowIntrospection to DisableIntrospection

---
 .../docs/hotchocolate/v15/server/introspection.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/website/src/docs/hotchocolate/v15/server/introspection.md b/website/src/docs/hotchocolate/v15/server/introspection.md
index 94aaf3e3746..b667dea88fa 100644
--- a/website/src/docs/hotchocolate/v15/server/introspection.md
+++ b/website/src/docs/hotchocolate/v15/server/introspection.md
@@ -65,17 +65,17 @@ We can disable introspection by calling `AllowIntrospection()` with a `false` ar
 ```csharp
 builder.Services
 .AddGraphQLServer()
- .AllowIntrospection(false);
+ .DisableIntrospection(false);
 ```
 
 While clients can still issue introspection queries, Hot Chocolate will now return an error response.
 
-But we most likely do not want to disable introspection while developing, so we can toggle it based on the current hosting environment.
+But we most likely do not want to disable introspection while developing, so we can toggle it based on the current hosting environment. This is also the default behaviour.
 
 ```csharp
 builder.Services
 .AddGraphQLServer()
- .AllowIntrospection(builder.Environment.IsDevelopment());
+ .DisableIntrospection(!builder.Environment.IsDevelopment());
 ```
 
 ## Allowlisting requests
@@ -91,7 +91,7 @@ public class IntrospectionInterceptor : DefaultHttpRequestInterceptor
 {
 if (context.Request.Headers.ContainsKey("X-Allow-Introspection"))
 {
- requestBuilder.AllowIntrospection();
+ requestBuilder.DisableIntrospection(false);
 }
 
 return base.OnCreateAsync(context, requestExecutor, requestBuilder,
@@ -104,7 +104,7 @@ public class IntrospectionInterceptor : DefaultHttpRequestInterceptor
 builder.Services
 .AddGraphQLServer()
 // We disable introspection per default
- .AllowIntrospection(false)
+ .DisableIntrospection()
 .AddHttpRequestInterceptor();
 ```
 
From ee91d5c7cc5ef90d4914a181155b3d6411df1250 Mon Sep 17 00:00:00 2001
From: Max
Date: Mon, 17 Mar 2025 16:12:36 +0100
Subject: [PATCH 2/4] Add note that introspection is by default only enabled in Development note

---
 website/src/docs/hotchocolate/v15/server/introspection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/src/docs/hotchocolate/v15/server/introspection.md b/website/src/docs/hotchocolate/v15/server/introspection.md
index b667dea88fa..1922cd2c751 100644
--- a/website/src/docs/hotchocolate/v15/server/introspection.md
+++ b/website/src/docs/hotchocolate/v15/server/introspection.md
@@ -2,7 +2,7 @@
 title: Introspection
 ---
 
-Introspection is what enables GraphQL's rich tooling ecosystem as well powerful IDEs like [Nitro](/products/nitro) or GraphiQL.
+Introspection is what enables GraphQL's rich tooling ecosystem as well powerful IDEs like [Nitro](/products/nitro) or GraphiQL. By default, introspection is only enabled in the "Development" environment.
 
 Every GraphQL server exposes a `__schema` and `__type` field on the query type as well as an `__typename` field on each type.
 These fields are used to gain insights into the schema of our GraphQL server.
From 8b3eb7a54a313ebd6e861ab0de03737f456e491e Mon Sep 17 00:00:00 2001
From: Max
Date: Mon, 17 Mar 2025 16:21:47 +0100
Subject: [PATCH 3/4] Update statement that references obsolete method

---
 website/src/docs/hotchocolate/v15/server/introspection.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/website/src/docs/hotchocolate/v15/server/introspection.md b/website/src/docs/hotchocolate/v15/server/introspection.md
index 1922cd2c751..9ee133ee472 100644
--- a/website/src/docs/hotchocolate/v15/server/introspection.md
+++ b/website/src/docs/hotchocolate/v15/server/introspection.md
@@ -60,12 +60,12 @@ While these fields can be useful to us, they are mainly intended for use in deve
 While introspection is a powerful feature that can tremendously improve our development workflow, it can also be used as an attack vector. A malicious user could for example request all details about all the types of our GraphQL server. Depending on the number of types this can degrade the performance of our GraphQL server. If our API should not be browsed by other developers we have the option to disable the introspection feature.
 
-We can disable introspection by calling `AllowIntrospection()` with a `false` argument on the `IRequestExecutorBuilder`.
+We can disable introspection by calling `DisableIntrospection()` on the `IRequestExecutorBuilder`.
 
 ```csharp
 builder.Services
 .AddGraphQLServer()
- .DisableIntrospection(false);
+ .DisableIntrospection();
 ```
 
 While clients can still issue introspection queries, Hot Chocolate will now return an error response.
From d625254601153eacbb936dcc82f76f8adf14780d Mon Sep 17 00:00:00 2001
From: Max
Date: Mon, 17 Mar 2025 16:26:42 +0100
Subject: [PATCH 4/4] Add that introspection is still enabled in Development environment

---
 website/src/docs/hotchocolate/v15/server/introspection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/website/src/docs/hotchocolate/v15/server/introspection.md b/website/src/docs/hotchocolate/v15/server/introspection.md
index 9ee133ee472..535bc521b83 100644
--- a/website/src/docs/hotchocolate/v15/server/introspection.md
+++ b/website/src/docs/hotchocolate/v15/server/introspection.md
@@ -60,7 +60,7 @@ While these fields can be useful to us, they are mainly intended for use in deve
 While introspection is a powerful feature that can tremendously improve our development workflow, it can also be used as an attack vector. A malicious user could for example request all details about all the types of our GraphQL server. Depending on the number of types this can degrade the performance of our GraphQL server. If our API should not be browsed by other developers we have the option to disable the introspection feature.
 
-We can disable introspection by calling `DisableIntrospection()` on the `IRequestExecutorBuilder`.
+We can disable introspection by calling `DisableIntrospection()` on the `IRequestExecutorBuilder`. Note that despite this, introspection is still enabled in the "Development" environment.
 
 ```csharp
 builder.Services