From 6bd1d5af79e98b2cbd877834bdcde532d66d8617 Mon Sep 17 00:00:00 2001
From: Falk
Date: Mon, 6 Nov 2023 17:10:47 +0100
Subject: [PATCH] fix(graphql): disable introspection endpoint on production
---
 caluma/schema.py | 11 +++++++++++
 caluma/settings/caluma.py | 1 +
 2 files changed, 12 insertions(+)
diff --git a/caluma/schema.py b/caluma/schema.py
index 0fb6becd2..d2377e5a7 100644
--- a/caluma/schema.py
+++ b/caluma/schema.py
@@ -1,8 +1,12 @@
+from functools import partial
+
 import graphene
 from django.conf import settings
 from graphene.relay import Node
+from graphene.validation import DisableIntrospection
 from graphene_django.converter import convert_django_field, convert_field_to_string
 from graphene_django.debug import DjangoDebug
+from graphql import validate
 from localized_fields.fields import LocalizedField
 from .caluma_analytics import schema as analytics_schema
@@ -93,3 +97,10 @@ class Query(*query_inherit_from):
 # TODO: define what app exposes what types
 types=types,
 )
+
+if settings.DISABLE_INTROSPECTION:
+ validate = partial(validate, rules=(DisableIntrospection,))
+
+validation_errors = validate(
+ schema=schema.graphql_schema,
+)
diff --git a/caluma/settings/caluma.py b/caluma/settings/caluma.py
index c063b95f0..6f13c0ecf 100644
--- a/caluma/settings/caluma.py
+++ b/caluma/settings/caluma.py
@@ -51,6 +51,7 @@ def default(default_dev=env.NOTSET, default_prod=env.NOTSET):
 "MIDDLEWARE": [],
 "RELAY_CONNECTION_MAX_LIMIT": None,
 }
+DISABLE_INTROSPECTION = env.bool("DISABLE_INTROSPECTION", default=default(False, True))
 # OpenID connect
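Review bot: The block added at the end of caluma/schema.py does not appear to switch introspection off for incoming requests: `validate = partial(...)` only rebinds the name inside this module, and nothing visible here hands that callable or the rule to the code that validates client queries. The one call that is made passes only `schema=`, while graphql-core's `validate` also needs a `document_ast`, so it will likely raise `TypeError` when the module is imported, and `validation_errors` is never read. I would drop the module-level call and attach the rule where requests are validated — if the installed graphene-django view supports it, `validation_rules = (DisableIntrospection,)` on the `GraphQLView` subclass, guarded by `settings.DISABLE_INTROSPECTION`. A test that sends a `__schema` query with the setting on and expects a validation error would pin the behaviour.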
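Review bot: `DISABLE_INTROSPECTION` in caluma/settings/caluma.py is added without a comment, and `default(False, True)` only reads as "off in development, on in production" once the parameter order in the hunk header (`default_dev`, `default_prod`) has been looked up. I would add `# Reject GraphQL introspection queries (default: off in dev, on in production).` above it and list the variable in the configuration docs. It is also worth stating there that hiding introspection is hardening only: field and type permissions still have to carry the access control. The body of `default()` is outside the hunk, so the dev/prod reading is taken from its signature.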