Best way to swap out the out of the box graphiql client?

[SquireOfSoftware]

Sup DGS wizards,

So the context is: I am looking for a way to wrap some security around graphiql so that you can only use the endpoint if you are properly authenticated.

I was digging around the DGS documentation to see if there was a way that you could customise this endpoint, like maybe you want to swap it out for a customised secure http client or something...if there was a specialised yaml/property that you could specify to route the import of the htmls from another location...

And I might be blind but I couldn't find anything that relates to this...so I turned to the next worst thing...the code...and started poking around in the internals of the framework.

And I found this line of code:

dgs-framework/graphql-dgs-spring-webmvc-autoconfigure/src/main/kotlin/com/netflix/graphql/dgs/webmvc/autoconfigure/GraphiQLConfigurer.kt

Line 56 in 4297da5

.addResourceLocations("classpath:/static/graphiql/")

What is interesting is that it is loading up the classpath of: /static/graphiql/index.html...

So I decided to create this directory in my spring boot application:

 - main
   - resources
     - static
        - graphiql
          - index.html

And place my stubbed html page of:

<html>
<body>hello world</world>
</html>

Reloaded the spring boot service to see what would happen and lo and behold, it loads the hello world page.

So my question is....

Is this the best way to do this?

Or have I violated some deep ancient set of guidelines that I was not aware of?

Also take note that this was all so that I could wrap some security around the graphiql endpoint, I imagine that my workflow would be to write up some sort of WebApp, then when deploying I could bind the last working and secure graphiql html files to this directory, initiate a build and the resulting spring boot jar would have the customised secure html client inside.

But at this point, I realised, its probably best that I roll my own front end and just route the API calls to the service...

If there is a better/proper way to do this, I am all ears.

[paulbakker]

I think the best way would be to:

1. Disable the built-in graphiql support with the dgs.graphql.graphiql.enabled property. Just to make sure you don’t run into weird conflicts between the built-in one, and your own.
2. Add your own graphiql setup. This could be a separate module in your app, or just based on static resources like you already did.

Spring Boot, out of the box, serves files out of the static folder I believe, so you might not need any config, or you can further customize it with the standard SB features to work with resources.
You’ll find all the configuration options for graphiql itself in their docs.

If you “just” want to secure it; you might not not need any of this, but instead use Spring Security to protect the /graphiql endpoint, which should also work with the built-in version.

[SquireOfSoftware]

Awesome, thanks @paulbakker, I suspected that is what I needed to do. I will give that a spin and see what becomes of my efforts.