Replies: 2 comments
-
Do you need to authorise it on a per-user level? If not, this was our solution to disable it per environment:

```ruby
class MySchema < GraphQL::Schema
  # Introspection stays disabled unless the variable is explicitly set to "on"
  unless ENV.fetch("GRAPHQL_SCHEMA_INTROSPECTION", "off") == "on"
    disable_introspection_entry_points
  end
end
```
-
For per-user-level authorization, provide custom

```ruby
# /app/graphql/introspection/type_type.rb
module Introspection
  class TypeType < GraphQL::Introspection::TypeType
    def self.authorized?(object, context)
      # use whatever auth rules you can derive from `context`, e.g.
      super && context[:current_ability].can?(:read, Introspection::TypeType)
    end
  end
end

# /app/graphql/introspection/schema_type.rb
module Introspection
  class SchemaType < GraphQL::Introspection::SchemaType
    def self.authorized?(object, context)
      super && context[:current_ability].can?(:read, Introspection::SchemaType)
    end
  end
end

# /app/graphql/graphql_schema.rb
class GraphqlSchema < GraphQL::Schema
  # ...
  # use the custom introspection types defined in the Introspection module above
  introspection Introspection
end
```

docs: https://graphql-ruby.org/schema/introspection#customizing-introspection
-
Looking at the docs on introspection (https://graphql-ruby.org/schema/introspection.html) and authorization visibility (https://graphql-ruby.org/authorization/visibility.html), I cannot find a global way to keep introspection on, yet require authentication for it. Is there an easy way to do this that I am missing?