From 2084067b8bd00a97892374c34d12325ded0967b0 Mon Sep 17 00:00:00 2001
From: Niko Lindroos
Date: Thu, 22 Aug 2024 17:34:34 +0300
Subject: [PATCH] fix: allow schema introspection for unauthenticated users KK-1108
---
 kukkuu/graphene.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/kukkuu/graphene.py b/kukkuu/graphene.py
index 2093fe1e..5e6794ce 100644
--- a/kukkuu/graphene.py
+++ b/kukkuu/graphene.py
@@ -3,6 +3,9 @@
 from kukkuu.exceptions import AuthenticationExpiredError
+SCHEMA_INTROSPECTION_OPERATION = "operation_definition"
+SCHEMA_INTROSPECTION_OPERATION_NAME = "IntrospectionQuery"
+
 # pretty much copied from https://github.com/City-of-Helsinki/open-city-profile/blob/4f46f9f9f195c4254f79f5dfbd97d03b7fa87a5b/open_city_profile/graphene.py#L18 # noqa
 class JWTMiddleware:
@@ -11,6 +14,13 @@ def resolve(self, next, root, info, **kwargs):
 auth_error = getattr(request, "auth_error", None)
 if isinstance(auth_error, Exception):
+ # The GraphQL schema introspection can be allowed for unauthenticated users
+ if (
+ info.operation.kind == SCHEMA_INTROSPECTION_OPERATION
+ and info.operation.name.value == SCHEMA_INTROSPECTION_OPERATION_NAME
+ ):
+ return next(root, info, **kwargs)
+
 # TODO with the current version of django-helusers (v0.7.0) there is no
 # proper way to catch only expired token errors, so this kind of hax is
 # needed for that. If/when helusers offers a way to do this properly
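Review bot: `info.operation.name` is `None` for an anonymous (unnamed) operation, so the new condition's `info.operation.name.value` raises `AttributeError` for any request that carries an auth error and sends an unnamed query — the client gets a server error instead of the intended authentication error. Bind the name first and null-check it: `operation_name = info.operation.name` and then `and operation_name is not None and operation_name.value == SCHEMA_INTROSPECTION_OPERATION_NAME`. Note also that the bypass keys solely on the client-supplied operation name, and since this middleware's `resolve` is invoked per resolved field, every field of any operation named `IntrospectionQuery` skips the auth-error handling; if only real introspection should pass, match on the selection set (`__schema`/`__type` root fields) rather than the name, or state in the comment that resolvers are expected to enforce authentication themselves. `resolve` starts before this hunk (its `def` line appears only in the hunk header) and its body continues past it.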