feature: NoSchemaIntrospectionCustomRule

Author: NeedleInAJayStack

Sources/GraphQL/Type/Introspection.swift

@@ -476,3 +476,18 @@ let TypeNameMetaFieldDef = GraphQLFieldDefinition(
         eventLoopGroup.next().makeSucceededFuture(info.parentType.name)
     }
 )
+
+let introspectionTypeNames = [
+    __Schema.name,
+    __Directive.name,
+    __DirectiveLocation.name,
+    __Type.name,
+    __Field.name,
+    __InputValue.name,
+    __EnumValue.name,
+    __TypeKind.name,
+]
+
+func isIntrospectionType(type: GraphQLNamedType) -> Bool {
+    return introspectionTypeNames.contains(type.name)
+}

Sources/GraphQL/Validation/Rules/Custom/NoSchemaIntrospectionCustomRule.swift

@@ -0,0 +1,31 @@
+
+/**
+ * Prohibit introspection queries
+ *
+ * A GraphQL document is only valid if all fields selected are not fields that
+ * return an introspection type.
+ *
+ * Note: This rule is optional and is not part of the Validation section of the
+ * GraphQL Specification. This rule effectively disables introspection, which
+ * does not reflect best practices and should only be done if absolutely necessary.
+ */
+public func NoSchemaIntrospectionCustomRule(context: ValidationContext) -> Visitor {
+    return Visitor(
+        enter: { node, _, _, _, _ in
+            if let node = node as? Field {
+                if
+                    let type = getNamedType(type: context.type),
+                    isIntrospectionType(type: type)
+                {
+                    context.report(
+                        error: GraphQLError(
+                            message: "GraphQL introspection has been disabled, but the requested query contained the field \(node.name.value)",
+                            nodes: [node]
+                        )
+                    )
+                }
+            }
+            return .continue
+        }
+    )
+}