Graphql Introspection in Feathersjs with Cockroachdb

GraphQL introspection allows clients to query the schema for types, queries, and mutations. In Feathersjs, when GraphQL support is added via integrations such as feathers-graphql, introspection is often enabled by default in development and sometimes left exposed in production. If an API endpoint serving GraphQL in a Feathersjs app is reachable without authentication and introspection is permitted, an attacker can discover the full schema, including queries that interact with Cockroachdb.

When Feathersjs services are backed by Cockroachdb, the database schema often maps closely to GraphQL type definitions. Introspection responses can reveal table and column names, relationships, and even hint at sensitive data structures stored in Cockroachdb. Because Feathersjs typically exposes a single GraphQL endpoint (e.g., /graphql) and may not enforce strict query restrictions, introspection can become an information leakage vector. Attackers can use introspection to identify queries such as user or account that pull data from Cockroachdb, then craft malicious queries that exploit excessive data exposure or IDOR.

The risk is compounded when the GraphQL server in Feathersjs does not differentiate between authenticated and unauthenticated introspection. Without additional guards, unauthenticated introspection provides a blueprint of the data model backed by Cockroachdb, making it easier to chain findings such as BOLA/IDOR or Property Authorization issues. MiddleBrick’s LLM/AI Security checks include Unauthenticated LLM endpoint detection, which can flag an exposed GraphQL endpoint that allows introspection without credentials, highlighting the exposure of schema details that could aid further attacks.

Introspection can also expose arguments and return types that reveal validation rules enforced by Feathersjs before data reaches Cockroachdb. For example, knowing the exact input shape for a create mutation can assist in bypassing input validation or probing for server-side filtering issues. Because introspection is a standard GraphQL feature, disabling it requires explicit configuration in Feathersjs, and many teams overlook this step when deploying services backed by Cockroachdb.

To secure a Feathersjs app backed by Cockroachdb, you should disable introspection for non-admin contexts and enforce strict query whitelisting. Below are concrete code examples that show how to configure introspection settings and restrict queries in production.

Disable Introspection in Production

When initializing the GraphQL service in Feathersjs, set introspection to false outside of development environments. This prevents unauthenticated schema discovery against Cockroachdb-backed models.

const { GraphQLService } = require('@feathersjs/graphql');

app.use('/graphql', new GraphQLService({
  store: new SequelizeStore({ sequelize }),
  introspection: process.env.NODE_ENV !== 'production',
  playground: process.env.NODE_ENV !== 'production',
  plugins: [],
  context: { app },
}));

Whitelist Queries and Mutations

Instead of allowing arbitrary queries, define explicit resolvers and limit which operations can be executed. This reduces the risk of attackers leveraging introspection output to probe Cockroachdb through unexpected queries.

const myGraphQLService = new GraphQLService({
  typeDefs: `
    type User {
      id: ID!
      email: String!
      role: String!
    }

    type Query {
      me: User
      users(limit: Int = 10, offset: Int = 0): [User]
    }

    type Mutation {
      updateUserRole(id: ID!, role: String!): User
    }
  `,
  resolvers: {
    Query: {
      me: async (_, __, { user }) => {
        if (!user) throw new Error('Unauthenticated');
        return user;
      },
      users: async (_, { limit, offset }, { user }) => {
        if (!user) throw new Error('Unauthenticated');
        // Safe query against Cockroachdb using a constrained service
        return userService.find({ query: { $limit: limit, $skip: offset } });
      }
    }
  },
  introspection: false,
  playground: false
});
app.use('/graphql', myGraphQLService);

Apply Middleware to Enforce Authentication

Use Feathersjs hooks to ensure that GraphQL requests are authenticated before reaching services that query Cockroachdb. This complements the schema-level restrictions.

app.use('/graphql', localHooks({
  before: {
    all: [ authenticate('jwt'), (context) => {
      if (!context.params.user) {
        throw new Error('Unauthorized');
      }
      return context;
    } ]
  }
}));

Use Parameterized Queries and ORM Safeguards

When the Feathersjs service interacts with Cockroachdb, prefer parameterized queries or an ORM that enforces type safety. This prevents injection and ensures that data access patterns are predictable and auditable.

// Using Sequelize with Cockroachdb
const { User } = require('./models');
app.use('/users', new SequelizeService({
  Model: User,
  paginate: { default: 10, max: 50 }
}));

Combine with API Security Best Practices

Disable introspection as one layer, and pair it with rate limiting, input validation, and property-level authorization checks. For environments requiring continuous monitoring, the Pro plan’s GitHub Action can fail builds if a GraphQL endpoint exposes introspection in staging before deployment.