Introspection

The schema introspection system is accessible from the meta-fields __schema and __type which are accessible from the type of the root of a query operation.

__schema: __Schema!
__type(name: String!): __Type

Like all meta-fields, these are implicit and do not appear in the fields list in the root type of the query operation.

GraphQL provides introspection, allowing clients to see at runtime which queries, mutations and subscriptions a GraphQL server supports.

Because introspection queries are just regular GraphQL queries, Juniper supports them natively. For example, to get all the names of the types supported, we could execute the following query against Juniper:

{
  __schema {
    types {
      name
    }
  }
}

Disabling

Disabling introspection in production is a widely debated topic, but we believe it’s one of the first things you can do to harden your GraphQL API in production.

Some security requirements and considerations may mandate disabling GraphQL schema introspection in production environments. In Juniper this can be achieved by using the RootNode::disable_introspection() method:

extern crate juniper;
use juniper::{
    graphql_object, graphql_vars, EmptyMutation, EmptySubscription, GraphQLError,
    RootNode,
};

pub struct Query;

#[graphql_object]
impl Query {
    fn some() -> bool {
        true
    }
}

type Schema = RootNode<'static, Query, EmptyMutation, EmptySubscription>;

fn main() {
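    // Build the schema with introspection turned off.
    let schema = Schema::new(Query, EmptyMutation::new(), EmptySubscription::new())
        .disable_introspection();

    // An introspection query that would normally return the query type's name.
    let query = "query { __schema { queryType { name } } }";

    // The query is rejected during validation, before any resolver runs.
    match juniper::execute_sync(query, None, &schema, &graphql_vars! {}, &()) {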
        Err(GraphQLError::ValidationError(errs)) => {
            assert_eq!(
                errs.first().unwrap().message(),
                "GraphQL introspection is not allowed, but the operation contained `__schema`",
            );
        }
        res => panic!("expected `ValidationError`, returned: {res:#?}"),
    }
}

NOTE: An attempt to execute an introspection query results in a validation error, rather than an execution error.
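
Once introspection is disabled, it is useful to log which incoming requests still ask for `__schema` or `__type`. The scanner below is an added example, not Juniper's validation rule and not code from the Juniper project; the function name `introspection_fields` is hypothetical. It goes slightly beyond the page by skipping string literals and comments, so `__typename` and quoted text are not flagged.

```rust
/// Returns the introspection meta-fields (`__schema`, `__type`) that occur as
/// name tokens in a GraphQL document, ignoring string literals and `#` comments.
pub fn introspection_fields(doc: &str) -> Vec<&'static str> {
    let b = doc.as_bytes();
    let (mut i, mut found) = (0, Vec::new());
    while i < b.len() {
        match b[i] {
            // Comment: skip to end of line.
            b'#' => while i < b.len() && b[i] != b'\n' { i += 1 },
            // Block string: skip to the closing `"""`; `\"""` is its only escape.
            b'"' if b[i..].starts_with(b"\"\"\"") => {
                i += 3;
                while i < b.len() && !b[i..].starts_with(b"\"\"\"") {
                    i += if b[i..].starts_with(b"\\\"\"\"") { 4 } else { 1 };
                }
                i += 3;
            }
            // Ordinary string: skip to the closing quote, honouring backslash escapes.
            b'"' => {
                i += 1;
                while i < b.len() && b[i] != b'"' {
                    i += if b[i] == b'\\' { 2 } else { 1 };
                }
                i += 1;
            }
            // Name token: compare the whole token, so `__typename` is not `__type`.
            c if c == b'_' || c.is_ascii_alphabetic() => {
                let start = i;
                while i < b.len() && (b[i] == b'_' || b[i].is_ascii_alphanumeric()) { i += 1; }
                for meta in ["__schema", "__type"] {
                    if &doc[start..i] == meta && !found.contains(&meta) { found.push(meta); }
                }
            }
            _ => i += 1,
        }
    }
    found
}

fn main() {
    // Constructed sample request bodies (not taken from real traffic).
    for q in ["query { __schema { queryType { name } } }", "{ some __typename }"] {
        println!("{:?} <- {}", introspection_fields(q), q);
    }
}
```

A non-empty result marks a request worth logging alongside the validation error Juniper returns; the schema's own `disable_introspection()` remains the enforcement point.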