出于安全原因,我必须在生产环境中禁用内省请求。 (仅针对自省请求禁用该功能或添加安全性)
如何执行此类行为?
我在 symfony:4 上使用 api-platform:2.6.8
[编辑]
对于那些正在寻找解决方案的人,我分享我的解决方案。希望这会对社区有所帮助。
我在
Executor
文件中修饰了 src/GraphQl/Executor
类,如下所示:
在 services.yaml 文件中:
App\Core\GraphQl\Executor:
decorates: api_platform.graphql.executor
arguments:
$decorated: '@App\Core\GraphQl\Executor.inner'
$enableGraphQlIntrospection: '%env(bool:ENABLE_FEATURE_GRAPHQLINTROSPECTION)%'
在装饰的 Executor 类中:
<?php
declare(strict_types=1);
namespace App\Core\GraphQl;
use ApiPlatform\Core\GraphQl\ExecutorInterface;
use GraphQL\Executor\ExecutionResult;
use GraphQL\Type\Schema;
use GraphQL\Validator\Rules\DisableIntrospection;
/**
* Class Executor
* @package App\Core\GraphQl
*/
final class Executor implements ExecutorInterface
{
/** @var ExecutorInterface $decorated */
private ExecutorInterface $decorated;
/** @var bool $enableGraphQlIntrospection */
private bool $enableGraphQlIntrospection;
public function __construct(
ExecutorInterface $decorated,
bool $enableGraphQlIntrospection
) {
$this->decorated = $decorated;
$this->enableGraphQlIntrospection = $enableGraphQlIntrospection;
}
public function executeQuery(
Schema $schema,
$source,
$rootValue = null,
$context = null,
array $variableValues = null,
string $operationName = null,
callable $fieldResolver = null,
array $validationRules = null
): ExecutionResult {
$validationRules[] = new DisableIntrospection(
$this->enableGraphQlIntrospection ? DisableIntrospection::DISABLED : DisableIntrospection::ENABLED
);
return $this->decorated->executeQuery(
$schema,
$source,
$rootValue,
$context,
$variableValues,
$operationName,
$fieldResolver,
$validationRules
);
}
}