fix: allow schema introspection for unauthenticated users

KK-1108
City-of-Helsinki · Aug 22, 2024 · 2084067 · 2084067
1 parent 501fb82
commit 2084067
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/kukkuu/graphene.py b/kukkuu/graphene.py
@@ -3,6 +3,9 @@
 
 from kukkuu.exceptions import AuthenticationExpiredError
 
+SCHEMA_INTROSPECTION_OPERATION = "operation_definition"
+SCHEMA_INTROSPECTION_OPERATION_NAME = "IntrospectionQuery"
+
 
 # pretty much copied from https://github.com/City-of-Helsinki/open-city-profile/blob/4f46f9f9f195c4254f79f5dfbd97d03b7fa87a5b/open_city_profile/graphene.py#L18  # noqa
 class JWTMiddleware:
@@ -11,6 +14,13 @@ def resolve(self, next, root, info, **kwargs):
 
         auth_error = getattr(request, "auth_error", None)
         if isinstance(auth_error, Exception):
+            # The GraphQL schema introspection can be allowed for unauthenticated users
+            if (
+                info.operation.kind == SCHEMA_INTROSPECTION_OPERATION
+                and info.operation.name.value == SCHEMA_INTROSPECTION_OPERATION_NAME
+            ):
+                return next(root, info, **kwargs)
+
             # TODO with the current version of django-helusers (v0.7.0) there is no
             # proper way to catch only expired token errors, so this kind of hax is
             # needed for that. If/when helusers offers a way to do this properly