From 5bf6f6a8fea1a66f1f57a236ca641b0bd2fcdefe Mon Sep 17 00:00:00 2001 From: Tif Tran Date: Thu, 15 Jun 2023 23:53:15 -0700 Subject: [PATCH 1/3] add middleware to disable introspection query --- normandy/schema.py | 14 +++++++++++++- normandy/settings.py | 6 +++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/normandy/schema.py b/normandy/schema.py index 14696d07d..f03e0fd27 100644 --- a/normandy/schema.py +++ b/normandy/schema.py @@ -9,4 +9,16 @@ class NormandyQuery(BaseQuery, RecipesQuery, StudiesQuery, graphene.ObjectType): pass -schema = graphene.Schema(query=NormandyQuery) +class DisableIntrospectionMiddleware: + """ + This class hides the introspection. + """ + + def resolve(self, next, root, info, **kwargs): + + if info.field_name.lower() in ['__schema', '_introspection']: + return None + return next(root, info, **kwargs) + + +schema = graphene.Schema(query=NormandyQuery) \ No newline at end of file diff --git a/normandy/settings.py b/normandy/settings.py index 5472f51a8..2e8e92510 100644 --- a/normandy/settings.py +++ b/normandy/settings.py @@ -102,7 +102,11 @@ class Core(Configuration): "DEFAULT_VERSIONING_CLASS": "rest_framework.versioning.NamespaceVersioning", } - GRAPHENE = {"SCHEMA": "normandy.schema.schema"} + GRAPHENE = {"SCHEMA": "normandy.schema.schema", + "MIDDLEWARE": [ + "normandy.schema.DisableIntrospectionMiddleware", + ], + } # Content Security Policy def CSP_DEFAULT_SRC(self): From 9fea5e5c7f7b3da22acbeed526b028eb5899637a Mon Sep 17 00:00:00 2001 From: Tif Tran Date: Fri, 16 Jun 2023 11:14:38 -0700 Subject: [PATCH 2/3] add poetry flag --- .circleci/config.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 090b844cc..1829a329a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
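Review bot: The field list in the new `resolve`, `['__schema', '_introspection']`, leaves the second introspection entry point open: `__type` is a root field on every GraphQL query type, so `{ __type(name: "Query") { fields { name type { name ofType { name } } } } }` still enumerates the schema one type at a time, while `_introspection` is not a field name any client sends. The guard should read `if info.field_name in ("__schema", "__type"):` — GraphQL field names are case-sensitive, so the `.lower()` buys nothing and the tuple can be spelled exactly. Returning `None` makes those fields come back as `null` rather than as a validation error; that is a defensible choice, but a one-line comment such as `# resolve to null instead of raising: clients get no schema data and no hint about the filter` would make it clear it is deliberate. The `DisableIntrospectionMiddleware` class lies entirely inside this hunk.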
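Review bot: `GRAPHENE["MIDDLEWARE"]` is added on `Core`, the base `Configuration` class, so `DisableIntrospectionMiddleware` will run in every environment that inherits from it, not only production; if a development settings class elsewhere in `settings.py` (outside this hunk) relies on introspection for GraphiQL or client code generation, it will have to override `GRAPHENE` to drop the middleware. A short comment above the setting recording that scope, e.g. `# Introspection is disabled in all environments; override GRAPHENE in a dev settings class if tooling needs it`, would save the next maintainer from guessing. The `Core` class starts before this hunk.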
@@ -38,7 +38,7 @@ jobs: command: pip install -U poetry - run: name: Install python dependencies - command: poetry install --no-dev --no-interaction --verbose + command: poetry install --no-dev --no-interaction --verbose --no-ansi - restore_cache: keys: - v2-dependencies-{{ checksum "yarn.lock" }} @@ -145,7 +145,7 @@ jobs: echo "source ~/venv/bin/activate" >> $BASH_ENV - run: name: Install requirements - command: poetry install --extras docs --no-interaction --verbose + command: poetry install --extras docs --no-interaction --verbose --no-ansi - run: name: Build docs command: | @@ -209,7 +209,7 @@ jobs: echo "source ~/venv/bin/activate" >> $BASH_ENV - run: name: Install python dependencies - command: poetry install --no-dev --no-interaction --verbose + command: poetry install --no-dev --no-interaction --verbose --no-ansi - run: name: Install node dependencies command: yarn install --frozen-lockfile From 400799a79c1d79cd25ace9e68d674eb318ddf683 Mon Sep 17 00:00:00 2001 From: Tif Tran Date: Fri, 16 Jun 2023 16:26:12 -0700 Subject: [PATCH 3/3] formatting and links in docs --- normandy/schema.py | 17 +++++++++++++---- normandy/settings.py | 11 ++++++----- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/normandy/schema.py b/normandy/schema.py index f03e0fd27..03b9a1039 100644 --- a/normandy/schema.py +++ b/normandy/schema.py 
@@ -11,14 +11,23 @@ class NormandyQuery(BaseQuery, RecipesQuery, StudiesQuery, graphene.ObjectType): class DisableIntrospectionMiddleware: """ - This class hides the introspection. + This class hides the introspection. As it is best practice to not allow introspection queries + in production. ref: https://docs.graphene-python.org/en/latest/execution/queryvalidation/#disable-introspection """ def resolve(self, next, root, info, **kwargs): - - if info.field_name.lower() in ['__schema', '_introspection']: + # introspection fields taken from https://graphql.org/learn/introspection/ + if info.field_name.lower() in [ + "__Schema", + "__Type", + "__TypeKind", + "__Field", + "__InputValue", + "__EnumValue", + "__Directive", + ]: return None return next(root, info, **kwargs) -schema = graphene.Schema(query=NormandyQuery) \ No newline at end of file +schema = graphene.Schema(query=NormandyQuery) diff --git a/normandy/settings.py b/normandy/settings.py index 2e8e92510..4464e48f9 100644 --- a/normandy/settings.py +++ b/normandy/settings.py @@ -102,11 +102,12 @@ class Core(Configuration): "DEFAULT_VERSIONING_CLASS": "rest_framework.versioning.NamespaceVersioning", } - GRAPHENE = {"SCHEMA": "normandy.schema.schema", - "MIDDLEWARE": [ - "normandy.schema.DisableIntrospectionMiddleware", - ], - } + GRAPHENE = { + "SCHEMA": "normandy.schema.schema", + "MIDDLEWARE": [ + "normandy.schema.DisableIntrospectionMiddleware", + ], + } # Content Security Policy def CSP_DEFAULT_SRC(self):
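Review bot: The rewritten check in `resolve` can never match: `info.field_name.lower()` yields an all-lowercase string such as `__schema`, while every entry in the new list is mixed-case (`__Schema`, `__Type`, …), so after this commit the middleware is a no-op and introspection is fully re-enabled. The listed names are also introspection type names from the graphql.org page, not fields of the query root; the only root-level introspection fields are `__schema` and `__type`, so the guard should be `if info.field_name in ("__schema", "__type"):` with the `.lower()` removed, since GraphQL field names are case-sensitive. A test that posts `{ __schema { types { name } } }` and `{ __type(name: "Query") { name } }` and asserts both fields come back `null` would have caught this regression. The docs link added to the docstring describes graphene's `DisableIntrospection` validation rule, which rejects such queries at validation time; if the installed graphene version (not visible here) provides it, that is a more robust choice than nulling fields in resolver middleware.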