Add config option to disable GraphQL introspection for unauthenticated requests #5635

Description

@syphernl

Feature request

MAS exposes a GraphQL endpoint at /graphql which is used by the self-service account UI.

This endpoint allows unauthenticated clients to run introspection queries:

curl -X POST https://auth.matrix.example.com/graphql -H "Content-Type: application/json" -d '{"query":"{ __schema { types { name } } }"}'

This returns the full schema (129 types) without any authentication. While actual data queries correctly return viewer: Anonymous for unauthenticated requests, the schema itself is fully discoverable.

Request

Add a configuration option to disable GraphQL introspection for unauthenticated (anonymous) requests, similar to how playground: false disables the playground UI.

For example:

http:
  listeners:
    - name: graphql
      playground: false
      introspection: authenticated_only  # or: false / public / authenticated_only
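As an added example (not MAS code, and not from the issue author), the policy the proposed option would need can be sketched as a request-side filter: classify a GraphQL document as an introspection query and decide, per configured mode, whether it may run. The mode names mirror the values proposed above; the `authenticated` flag is assumed to be derived by the caller from the session cookie, and the sample queries are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Values mirroring the proposed `introspection` config option (assumption:
# "false" = never, "public" = always, "authenticated_only" = session required).
INTROSPECTION_MODES = ("false", "public", "authenticated_only")

# GraphQL string literals (block strings first, then regular strings) and
# line comments are stripped before matching so that the text "__schema"
# inside an argument value or a comment does not count as introspection.
_LITERAL_RE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
_COMMENT_RE = re.compile(r"#[^\n]*")
# The two root introspection fields. `__typename` does not match because
# `\b` requires a word boundary right after "type".
_INTROSPECTION_FIELD_RE = re.compile(r"\b__(?:schema|type)\b")


def strip_literals(query: str) -> str:
    """Replace string literals with "" and drop comments."""
    without_strings = _LITERAL_RE.sub('""', query)
    return _COMMENT_RE.sub("", without_strings)


def is_introspection_query(query: str) -> bool:
    """True if the document selects __schema or __type anywhere."""
    return _INTROSPECTION_FIELD_RE.search(strip_literals(query)) is not None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(query: str, authenticated: bool, mode: str) -> Decision:
    """Apply the configured introspection mode to one request."""
    if mode not in INTROSPECTION_MODES:
        raise ValueError(f"unknown introspection mode: {mode!r}")
    if not is_introspection_query(query):
        return Decision(True, "not an introspection query")
    if mode == "public":
        return Decision(True, "introspection is public")
    if mode == "false":
        return Decision(False, "introspection is disabled")
    if authenticated:
        return Decision(True, "introspection allowed for authenticated session")
    return Decision(False, "introspection requires an authenticated session")


def respond(query: str, authenticated: bool, mode: str) -> tuple[int, dict]:
    """Produce an HTTP status and a GraphQL-style error body for a refusal."""
    decision = evaluate(query, authenticated, mode)
    if decision.allowed:
        return 200, {"data": None}  # caller would execute the query here
    return 403, {"errors": [{"message": decision.reason}]}


# Constructed sample documents.
SCHEMA_QUERY = "{ __schema { types { name } } }"
VIEWER_QUERY = "{ viewer { __typename ... on User { id } } }"
DECOY_QUERY = '{ search(term: "__schema") { id } }  # __type mentioned in a comment'

if __name__ == "__main__":
    for label, q in [("schema", SCHEMA_QUERY), ("viewer", VIEWER_QUERY), ("decoy", DECOY_QUERY)]:
        for mode in INTROSPECTION_MODES:
            for auth in (False, True):
                status, _ = respond(q, auth, mode)
                print(f"{label:6} mode={mode:18} authenticated={auth!s:5} -> {status}")
```

The literal-stripping step matters more than it looks: a filter that greps the raw body for `__schema` both blocks legitimate queries that merely mention the word in a string argument and invites trivial evasion through comments or aliases. Matching on the root field names after stripping keeps the decision tied to what the server would actually resolve.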

Context

  • The schema is already publicly documented, so this is a defence-in-depth measure
  • The playground option already exists as precedent for this kind of configuration
  • The self-service UI does not require introspection for anonymous users; it only needs it after the user has authenticated via session cookie
  • Operators deploying MAS in regulated environments (healthcare, government) may have privacy requirements that prohibit exposing API schemas without authentication
