Arnab

09/13/2021, 7:04 AM
Hey all! Say I have a graphql route in my ktor app. I want that route to be authenticated, but I don't want there to be any authentication on Introspection queries. Is that possible?

Aleksei Tirman [JB]

09/13/2021, 10:44 AM
Do you mean to disable authentication if some specific query parameters are present?

Arnab

09/13/2021, 4:41 PM
No, as in the introspection query for a graphql server should return all the types without requiring any authentication, but the actual real queries should be authenticated.

Aleksei Tirman [JB]

09/13/2021, 4:42 PM
Could you please explain it in terms of HTTP?

Arnab

09/13/2021, 4:50 PM
Well, the introspection query is a special query that all graphql servers respond to with all the capabilities that the server implements. Think of it as an endpoint that returns a sort of response that creates your API documentation client-side. This should be open to all without any authentication. Regular queries should be different, and behind authentication.

Nikky

09/13/2021, 7:03 PM
I think the best you can do is.. check for auth headers after you know if it is an introspection query or not.. but that's not something ktor builtin functionality can do

Arnab

09/14/2021, 10:53 AM
Yeah, that's what I gathered. Just use authenticate(optional = true) { ... }