Use Rover with graphql-shield

Question

I'm using graphql-shield on a subgraph and rover-cli to generate the schema.

I've set the fallback rule to deny everything as I don't want anything to be accessible by default. But now rover-cli fails when introspecting the subgraph. I'm aware that you can pass a token to rover but I'm unable to do so during my build process.

I've already looked at this issue: Apollo Server Federation with graphql-shield and on both graphql-shield & rover GitHub repository but not luck so far.

I've also tried to explicitly add SubgraphIntrospectQuery like so:

export const permissions = shield(
  {
    Query: {
      SubgraphIntrospectQuery: allow,
    },

  },
  {
    fallbackRule: deny,
    debug: true,
    allowExternalErrors: true,
  }
);

Thanks for your help!

score 2 · Accepted Answer · answered Mar 02 '22 at 12:46

Try this:

export const permissions = shield({
    Query: {
        _service: allow,
    },
    _Service: {
        sdl: allow
    }
},{
    fallbackRule: deny,
    debug: true,
    allowExternalErrors: true,
});

This seems to be what Apollo uses when performing the introspection. You might also need to allow: "Query._entities", "Query._service", "_Entity.*", "_Service.*", "_Any.*" since these are also used by Apollo.

You should probably implement some form of security rather than using "allow" for these, but I hope this answers your question...

Use Rover with graphql-shield

1 Answers1