Option to enable GraphQL introspection in production

[callingmedic911]

Users can enable introspection in production by setting the allowIntrospectionInProduction option to true. This option is a boolean and is optional. If it is not
provided or is set to false, introspection will remain disabled in production.

Also updated the docs.

[callingmedic911]

@dthyresson mind taking a look at this? I thought to discuss with you first before doing changes but it was minor change, so 🤷‍♂️

[replay-io]

16 replays were recorded for 08cc89f.

0 Failed

16 Passed

requireAuth graphql checks

    ```
    locator.waitFor: Target closed
    =========================== logs ===========================
    waiting for locator('.rw-form-error-title').locator('text=You don\'t have permission to do that') to be visible
    ============================================================
    ```
  </ol>
</details>
<li><a href=https://app.replay.io/recording/5f6ed981-fb15-426f-a533-a3c300a9b155>useAuth hook, auth redirects checks</a></li>
<li><a href=https://app.replay.io/recording/038fd38a-5d07-46ec-9353-d1a0f378974c>Check that a specific blog post is prerendered</a></li>
<li><a href=https://app.replay.io/recording/01ec45b7-63e2-4e55-8bcf-ffa7701fa2bd>Check that about is prerendered</a></li>
<li><a href=https://app.replay.io/recording/359c5689-8827-460a-8063-9b10cfd83ca7>Check that homepage is prerendered</a></li>
<li><a href=https://app.replay.io/recording/1b26b567-9adf-41af-bfc0-2d96da47dcf7>Check that meta-tags are rendering the correct dynamic data</a></li>
<li><a href=https://app.replay.io/recording/86d20dc7-b191-40e1-96d3-d81491b175d4>Check that you can navigate from home page to specific blog post</a></li>
<li><a href=https://app.replay.io/recording/ae03d7f1-7786-4e1f-a5aa-7f951331ada3>Waterfall prerendering (nested cells)</a></li>
<li><a href=https://app.replay.io/recording/82092509-b01e-4e52-af8d-e1f28c0e2e5a>RBAC: Admin user should be able to delete contacts</a></li>
<li><a href=https://app.replay.io/recording/f4d82493-43fe-4241-aafd-7bcd33e09365>RBAC: Should not be able to delete contact as non-admin user</a></li>
<li><a href=https://app.replay.io/recording/eef6330f-181c-40e3-918f-68f2ecd4ccca>Smoke test with dev server</a></li>
<li><a href=https://app.replay.io/recording/9d2520a8-b4d7-418f-8618-3a42a0f0fc1b>Smoke test with rw serve</a></li>
<li><a href=https://app.replay.io/recording/594ed09a-204e-4404-b181-9cbf3cd477d8>Loads Cell mocks when Cell is nested in another story</a></li>
<li><a href=https://app.replay.io/recording/a973dc99-d980-43a1-a6a9-dd169280694e>Loads Cell Stories</a></li>
<li><a href=https://app.replay.io/recording/d669c8e0-db9f-434f-9315-abd75c3e9a86>Loads MDX Stories</a></li>
<li><a href=https://app.replay.io/recording/2f1d946e-0bcd-480c-9800-f113151e2bfe>Mocks current user, and updates UI while dev server is running</a></li>

View test run on Replay ↗︎

[dthyresson]

This override option makes sense to me. But, I was wondering if it should be allow Introspection and default to true is isDev and then set if want to say y/n.

[dthyresson]

Suggested a "caution" admonition in the docs.

Otherwise LGTM.

[dthyresson]

@BurnedChris is being able to allow introspection on a properly public GraphQL api something you needed? I think it was -- so just an FYI.

[dthyresson]

@callingmedic911 I think we need one more small docs update here: https://deploy-preview-8014--redwoodjs-docs.netlify.app/docs/canary/security#disable-introspection-and-playground

best practices for deploying a GraphQL Server call to disable these in production, RedwoodJS only enables introspection and the playground when running in development.

Maybe a :::note to link to how to enable in prod if want.

[callingmedic911]

Right! Added like this:

Let me know if you want rephrase or change anything.