How to disable Absinthe field suggestions?

abuzz · May 23, 2024, 12:03am

Is there a best practice for disabling field suggestions when using Absinthe? The goal is to prevent random requests from finding out more about how the queries and mutations are structured.

For example:
error: Error: Cannot query field "use" on type "RootQueryType". Did you mean "user"?: {"response":{"errors":[{"locations":[{"column":5,"line":3}],"message":"Cannot query field \"user\" on type \"RootQueryType\". Did you mean \"user\"?"}],"status":200,"headers":{}},"request":{"query":"\n {\n use {\n email\n name\n state\n }\n }\n"}}

I would like to have some generic error that does not provide more information.

I am guessing a plug or middleware will be needed but have not been able to catch the error yet.

benwilson512 · May 23, 2024, 12:58am

As we have said before when people try to disable introspection, obscuring the available fields is not any form of security. Introspection is part of the graphQL spec. Suggestions are a natural extension of this. There are probably ways you could disable it but as it is mandated by the spec, there will not be first class support in Absinthe.