redwoodjs · dthyresson · Apr 25, 2023 · Apr 4, 2023 · Apr 7, 2023 · Apr 11, 2023
diff --git a/docs/docs/graphql.md b/docs/docs/graphql.md
@@ -1450,7 +1450,32 @@ Because it is often useful to ask a GraphQL schema for information about what qu
 
 The [GraphQL Playground](https://www.graphql-yoga.com/docs/features/graphiql) is a way for you to interact with your schema and try out queries and mutations. It can show you the schema by inspecting it. You can find the GraphQL Playground at http://localhost:8911/graphql when your dev server is running.
 
-> Because both introspection and the playground share possibly sensitive information about your data model, your data, your queries and mutations, best practices for deploying a GraphQL Server call to disable these in production, RedwoodJS **only enables introspection and the playground when running in development**. That is when `process.env.NODE_ENV === 'development'`.
+> Because both introspection and the playground share possibly sensitive information about your data model, your data, your queries and mutations, best practices for deploying a GraphQL Server call to disable these in production, RedwoodJS **, by default, only enables introspection and the playground when running in development**. That is when `process.env.NODE_ENV === 'development'`.
+
+However, there may be cases where you want to enable introspection. You can enable introspection by setting the `allowIntrospection` option to `true`.
+
+Here is an example of `createGraphQLHandler` function with the `allowIntrospection` option set to `true`:
+```ts {8}
+export const handler = createGraphQLHandler({
+  authDecoder,
+  getCurrentUser,
+  loggerConfig: { logger, options: {} },
+  directives,
+  sdls,
+  services,
+  allowIntrospection: true, // 👈 enable introspection in all environments
+  onException: () => {
+    // Disconnect from your database with an unhandled exception.
+    db.$disconnect()
+  },
+})
+```
+
+:::caution
+
+Enabling introspection in production may pose a security risk, as it allows users to access information about your schema, queries, and mutations. Use this option with caution and make sure to secure your GraphQL API properly.
+
+:::
 
 ### GraphQL Armor Configuration
 

diff --git a/docs/docs/security.md b/docs/docs/security.md
@@ -48,7 +48,13 @@ GraphQL is a fundamental part of Redwood. For details on how Redwood uses GraphQ
 The RedwoodJS GraphQL handler sets [reasonable defaults](graphql.md#security) to prevent abusive queries that attackers often use to exploit systems.
 ### Disable Introspection and Playground
 
-Because both introspection and the playground share possibly sensitive information about your data model, your data, your queries and mutations, best practices for deploying a GraphQL Server call to [disable these in production](graphql.md#introspection-and-playground-disabled-in-production), RedwoodJS **only enables introspection and the playground when running in development**.
+Because both introspection and the playground share possibly sensitive information about your data model, your data, your queries and mutations, best practices for deploying a GraphQL Server call to [disable these in production](graphql.md#introspection-and-playground-disabled-in-production), By default RedwoodJS **only enables introspection and the playground when running in development**.
+
+:::note
+<!-- Link to graphql.md docs -->
+For more information on how to enable introspection in production, please see the [GraphQL Docs](graphql.md#introspection-and-playground-disabled-in-production).
+:::
+
 ## Functions
 
 When deployed, a [serverless function](serverless-functions.md) is an open API endpoint. That means anyone can access it and perform any tasks it's asked to do. In many cases, this is completely appropriate and desired behavior. But there are often times you need to restrict access to a function, and Redwood can help you do that using a [variety of methods and approaches](serverless-functions.md#security-considerations).

diff --git a/packages/graphql-server/src/functions/graphql.ts b/packages/graphql-server/src/functions/graphql.ts
@@ -54,6 +54,7 @@ export const createGraphQLHandler = ({
   directives = [],
   armorConfig,
   allowedOperations,
+  allowIntrospection,
   defaultError = 'Something went wrong.',
   graphiQLEndpoint = '/graphql',
   schemaOptions,
@@ -93,7 +94,10 @@ export const createGraphQLHandler = ({
 
   const plugins: Array<Plugin<any>> = []
 
-  if (!isDevEnv) {
+  if (
+    (allowIntrospection == null && !isDevEnv) ||
+    allowIntrospection === false
+  ) {
     plugins.push(useDisableIntrospection())
   }
 

diff --git a/packages/graphql-server/src/functions/types.ts b/packages/graphql-server/src/functions/types.ts
@@ -152,6 +152,13 @@ export interface GraphQLHandlerOptions {
    * Defaults to '/graphql' as this value must match the name of the `graphql` function on the api-side.
    */
   graphiQLEndpoint?: string
+
+  /**
+   * @description Allow schema introspection.
+   * By default, schema introspection is disabled in production. Explicitly set this to true or false to override in all environments.
+   */
+  allowIntrospection?: boolean
+
   /**
    * @description Function that returns custom headers (as string) for GraphiQL.
    *