I'm using graphql-shield
on a subgraph and rover-cli
to generate the schema.
I've set the fallback rule to deny everything as I don't want anything to be accessible by default. But now rover-cli
fails when introspecting the subgraph. I'm aware that you can pass a token to rover but I'm unable to do so during my build process.
I've already looked at this issue: Apollo Server Federation with graphql-shield and on both graphql-shield
& rover
GitHub repository but not luck so far.
I've also tried to explicitly add SubgraphIntrospectQuery
like so:
export const permissions = shield(
{
Query: {
SubgraphIntrospectQuery: allow,
},
},
{
fallbackRule: deny,
debug: true,
allowExternalErrors: true,
}
);
Thanks for your help!
Try this:
export const permissions = shield({
Query: {
_service: allow,
},
_Service: {
sdl: allow
}
},{
fallbackRule: deny,
debug: true,
allowExternalErrors: true,
});
This seems to be what Apollo uses when performing the introspection. You might also need to allow: "Query._entities", "Query._service", "_Entity.*", "_Service.*", "_Any.*" since these are also used by Apollo.
You should probably implement some form of security rather than using "allow" for these, but I hope this answers your question...