Description
Authorization | GraphQL talks about delegating authorization logic to the business logic layer. This makes sense to me for most things. One thing I'm not sure on though is how can I lock down introspection if I want to have a tool in production where most people can't use it (for security reasons) but software engineers, product managers, operators, and possibly others who I configure can use introspection so that tools they use (e.g. a hosted GraphiQL or GraphQL Playground app to make queries and even some mutations) will work out of the box without needing a schema registry or anything.
Is there a straightforward way to hook into the out-of-the-box introspection tooling in graphql-js to run introspection like normal if my user is authorized to do so but return error(s) otherwise?