8 – How do I restrict GraphQL access with Basic Auth?


According to this Gitbook (near the bottom), it's possible to require GraphQL query authentication with Drupal Core's Basic Auth module. This allows GraphQL to authenticate against a user stored in the Drupal DB.

https://drupal-graphql.gitbook.io/graphql/authentication/authentication

I created an event subscriber that adds the Basic Auth option to the route like this:

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

class RouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    if ($route = $collection->get('graphql.query.default:default')) {
      // Set the route's _auth option to the Basic Auth provider.
      $route->setOptions(['_auth' => ['basic_auth']]);
    }
  }
}

However, when I make a curl request without an Authorization header it still goes through:

curl -X POST -H "Content-Type: application/json" --data '{"query":"{fileById(id: \"33\") {changed}}","variables":null,"operationName":null}' http://MYLOCALHOST/graphql

Response:

{"data":{"fileById":{"changed":1572374455}}}

I did enable my custom module with the RouteSubscriber information above and also the Basic Auth module. When I visit the /graphql Drupal path in a browser, access is denied, but when I make the CURL request it goes through. I was hoping to restrict CURL access as well.

Here is the Drupal 8 documentation on Basic Auth:

https://www.drupal.org/docs/8/core/modules/basic_auth/overview

I am using v3 of the Drupal 8 GraphQL module.
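
One way to make the route deny requests that carry no credentials, as an added example that is not part of the original post. In Drupal core the `_auth` route option only lists which authentication providers may be used on a route, so a request without an Authorization header is still processed as the anonymous user; pairing it with core's `_user_is_logged_in` requirement makes an authenticated account mandatory. The `my_module` namespace is a placeholder, and the route name is the one from the question.

```php
<?php

// "my_module" is a placeholder module name (assumption).
namespace Drupal\my_module\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Requires an authenticated user on the default GraphQL query route.
 */
class RouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    // Route name as given in the question (GraphQL module v3).
    if ($route = $collection->get('graphql.query.default:default')) {
      // Only Basic Auth may authenticate requests to this route.
      // setOption() changes one key and leaves the route's other
      // options in place.
      $route->setOption('_auth', ['basic_auth']);

      // '_auth' alone does not demand credentials. This requirement is
      // evaluated together with the route's existing access checks and
      // fails for the anonymous user.
      $route->setRequirement('_user_is_logged_in', 'TRUE');
    }
  }

}
```

After a cache rebuild, repeating the curl request once without credentials and once with `-u USER:PASS` exercises both paths. Basic Auth credentials are only encoded, not encrypted, so the endpoint should be served over HTTPS.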