Add security related options to config to disable in production and/or use a custom route (#4)

mfn · spawnia · commit 20b41bae5f8f · 2018-07-23T14:15:19.000+02:00
diff --git a/README.md b/README.md
@@ -16,20 +16,28 @@ Easily integrate [GraphQL Playground](https://github.com/prismagraphql/graphql-p
 
 If you are using Laravel < 5.4, add the service provider to your `config/app.php`
 
-````php
+```php
 'providers' => [
     // Other providers...
     MLL\\GraphQLPlayground\\GraphQLPlaygroundServiceProvider::class,
 ]
-````
+```
 
 You may publish the configuration and/or the views:
 
-    php artisan vendor:publish
+    php artisan vendor:publish --provider="MLL\GraphQLPlayground\GraphQLPlaygroundServiceProvider"
 
 ## Usage
 
 By default, the playground is reachable at `/graphql-playground`
 
 It assumes a running GraphQL endpoint at `/graphql`. You can enter another URL in the
 UI or change the default setting in the configuration file.
+
+## Security
+
+If you do not want to enable the GraphQL playground in production, you can disable it in the config file.
+The easiest way is to set the environment variable `GRAPHQL_PLAYGROUND_ENABLED=false`
+
+If you want to add custom middleware to protect the route to the GraphQL playground, you can
+add it in the configuration file.
diff --git a/config/graphql-playground.php b/config/graphql-playground.php
@@ -3,7 +3,16 @@
 return [
     // Route for the frontend
     'route' => 'graphql-playground',
-
+    
+    // Which middleware to apply, if any
+    'middleware' => [
+        // 'web',
+    ],
+    
     // Route for the GraphQL endpoint
     'endpoint' => 'graphql',
+
+    // Control if the playground is accessible at all
+    // This allows you to disable it completely in production
+    'enabled' => env('GRAPHQL_PLAYGROUND_ENABLED', true),
 ];
diff --git a/src/GraphQLPlaygroundServiceProvider.php b/src/GraphQLPlaygroundServiceProvider.php
@@ -26,9 +26,17 @@ public function boot()
             self::VIEW_PATH => resource_path('views/vendor/graphql-playground'),
         ], 'views');
 
-        \Route::get(config('graphql-playground.route'), function () {
-            return view('graphql-playground::index');
-        });
+        if (!config('graphql-playground.enabled', true)) {
+            return;
+        }
+
+        \Route::get(config('graphql-playground.route'), [
+            'middleware' => config('graphql-playground.middleware', ''),
+            'as' => 'graphql-playgroundcontroller',
+            'uses' => function () {
+                return view('graphql-playground::index');
+            },
+        ]);
     }
 
     /**
