node.jsgraphqlapollo-federationgraphql-shield

Use Rover with graphql-shield


I'm using graphql-shield on a subgraph and rover-cli to generate the schema.

I've set the fallback rule to deny everything as I don't want anything to be accessible by default. But now rover-cli fails when introspecting the subgraph. I'm aware that you can pass a token to rover but I'm unable to do so during my build process.

I've already looked at this issue: Apollo Server Federation with graphql-shield and on both graphql-shield & rover GitHub repository but not luck so far.

I've also tried to explicitly add SubgraphIntrospectQuery like so:

export const permissions = shield(
  {
    Query: {
      SubgraphIntrospectQuery: allow,
    },

  },
  {
    fallbackRule: deny,
    debug: true,
    allowExternalErrors: true,
  }
);

Thanks for your help!


Solution

  • Try this:

    export const permissions = shield({
        Query: {
            _service: allow,
        },
        _Service: {
            sdl: allow
        }
    },{
        fallbackRule: deny,
        debug: true,
        allowExternalErrors: true,
    });
    

    This seems to be what Apollo uses when performing the introspection. You might also need to allow: "Query._entities", "Query._service", "_Entity.*", "_Service.*", "_Any.*" since these are also used by Apollo.

    You should probably implement some form of security rather than using "allow" for these, but I hope this answers your question...