decidim-api 0.31.0 → 0.31.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90bfaab797efb7afc1f414c5373d7e4c1ad27ea6a6a78ac7d166cd5454236ee4
-  data.tar.gz: 60e938e693e9c5e2ab22a729dfc4e2ee8c281e8aa05da7630c0a961562009c28
+  metadata.gz: a229eb60485e45b884a7db5f974fa518fee469dd3e83baf02d0d9cdb27e2e808
+  data.tar.gz: 6834b6467deb4c9325aeab500d77fa41ecab50f8f2d3ddb6b74de963fdbecf96
 SHA512:
-  metadata.gz: c726b72fe940d5b09796ce8ebf66e395cd94014a79bbd0bd32e13debd71f877eb456468fd9b3d2ee09e6eb13e0cc6b412c35faca0d53f30bcffa3f88cfcfdab8
-  data.tar.gz: a009454f4afa8870c1031c0c78d1b64aa207466f73321d85eb27ef5bb19a854c9ddc2d8fb5f0ec530c18ef8e45250a45985c4e0a03a50e64205214b07a9dc547
+  metadata.gz: d52282c385a287f6484916c9077b687550a17d67eb47dfa4cecd6920119d5195d629439c270fb24edca6c52a0333170899016b5e07c347b3ebf029061ce5fef4
+  data.tar.gz: 1293a67073053c56ffdb6c25cd6bdcf8d3168216ae484ada6b11648aa170a1a461cda61dfe5f3b95ed9a6dde5a7a1d62d444e510a4b7d8e5bf29fd4a6e3cf2e9

data/app/controllers/decidim/api/queries_controller.rb

@@ -30,7 +30,8 @@ module Decidim
         {
           current_organization:,
           current_user: api_user,
-          scopes: api_scopes
+          scopes: api_scopes,
+          can_introspect: Decidim::Api.enable_anonymous_introspection || api_user&.admin?
         }
       end
 

data/config/locales/am-ET.yml

@@ -0,0 +1 @@
+am:

data/config/locales/ar.yml

@@ -0,0 +1 @@
+ar:

data/config/locales/bg.yml

@@ -0,0 +1 @@
+bg:

data/config/locales/bn-BD.yml

@@ -0,0 +1 @@
+bn:

data/config/locales/bs-BA.yml

@@ -0,0 +1 @@
+bs:

data/config/locales/ca-IT.yml

@@ -0,0 +1,8 @@
+---
+ca-IT:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspecció està desactivada per a aquesta sol·licitud
+        recursion_limit_exceeded_error: S'han detectat massa consultes recurrents
+        too_many_aliases_error: S'han fet servir massa àlies (nicknames). Has fet servir %{size} àlies, però es permet un màxim de %{limit}.

data/config/locales/ca.yml

@@ -0,0 +1,8 @@
+---
+ca:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspecció està desactivada per a aquesta sol·licitud
+        recursion_limit_exceeded_error: S'han detectat massa consultes recurrents
+        too_many_aliases_error: S'han fet servir massa àlies (nicknames). Has fet servir %{size} àlies, però es permet un màxim de %{limit}.

data/config/locales/cs.yml

@@ -0,0 +1 @@
+cs:

data/config/locales/da.yml

@@ -0,0 +1 @@
+da:

data/config/locales/de.yml

@@ -0,0 +1 @@
+de:

data/config/locales/el.yml

@@ -0,0 +1 @@
+el:

data/config/locales/en.yml

@@ -0,0 +1,8 @@
+---
+en:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: Introspection is disabled for this request
+        recursion_limit_exceeded_error: Too many recursions detected in query
+        too_many_aliases_error: Too many aliases used. You have used %{size} aliases, but %{limit} are allowed.

data/config/locales/eo.yml

@@ -0,0 +1 @@
+eo:

data/config/locales/es-MX.yml

@@ -0,0 +1,8 @@
+---
+es-MX:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspección está desactivada para esta solicitud
+        recursion_limit_exceeded_error: Se han detectado demasiadas consultas recurrentes
+        too_many_aliases_error: Has utilizado demasiados alias (nicknames). Has usado %{size} alias, pero se permite un máximo de %{limit}.

data/config/locales/es-PY.yml

@@ -0,0 +1,8 @@
+---
+es-PY:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspección está desactivada para esta solicitud
+        recursion_limit_exceeded_error: Se han detectado demasiadas consultas recurrentes
+        too_many_aliases_error: Has utilizado demasiados alias (nicknames). Has usado %{size} alias, pero se permite un máximo de %{limit}.

data/config/locales/es.yml

@@ -0,0 +1,8 @@
+---
+es:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: La introspección está desactivada para esta solicitud
+        recursion_limit_exceeded_error: Se han detectado demasiadas consultas recurrentes
+        too_many_aliases_error: Has utilizado demasiados alias (nicknames). Has usado %{size} alias, pero se permite un máximo de %{limit}.

data/config/locales/et.yml

@@ -0,0 +1 @@
+et:

data/config/locales/eu.yml

@@ -0,0 +1,6 @@
+---
+eu:
+  decidim:
+    api:
+      errors:
+        too_many_aliases_error: Ezizen gehiegi erabiltzen dira. %{size} ezizen erabili dituzu, baina %{limit} onartuta daude.

data/config/locales/fa-IR.yml

@@ -0,0 +1 @@
+fa:

data/config/locales/fi-plain.yml

@@ -0,0 +1,8 @@
+---
+fi-pl:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: Rajapintamallin tarkastelu ei ole käytössä tälle pyynnölle
+        recursion_limit_exceeded_error: Rajapintakyselyssä on liikaa rekursiivisia kyselyitä
+        too_many_aliases_error: Rajapintakysely käyttää liian monta alias-nimitystä. Kyselyssä on %{size} aliasta, mutta maksimissaan %{limit} on sallittu.

data/config/locales/fi.yml

@@ -0,0 +1,8 @@
+---
+fi:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: Rajapintamallin tarkastelu ei ole käytössä tälle pyynnölle
+        recursion_limit_exceeded_error: Rajapintakyselyssä on liikaa rekursiivisia kyselyitä
+        too_many_aliases_error: Rajapintakysely käyttää liian monta alias-nimitystä. Kyselyssä on %{size} aliasta, mutta maksimissaan %{limit} on sallittu.

data/config/locales/fr-CA.yml

@@ -0,0 +1,8 @@
+---
+fr-CA:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: L'introspection est désactivée pour cette requête
+        recursion_limit_exceeded_error: Trop de récursions détectées dans la requête
+        too_many_aliases_error: Trop d'alias utilisés. Vous avez utilisé %{size} alias, mais seulement %{limit} sont autorisés.

data/config/locales/fr.yml

@@ -0,0 +1,8 @@
+---
+fr:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: L'introspection est désactivée pour cette requête
+        recursion_limit_exceeded_error: Trop de récursions détectées dans la requête
+        too_many_aliases_error: Trop d'alias utilisés. Vous avez utilisé %{size} alias, mais seulement %{limit} sont autorisés.

data/config/locales/ga-IE.yml

@@ -0,0 +1 @@
+ga:

data/config/locales/gl.yml

@@ -0,0 +1 @@
+gl:

data/config/locales/gn-PY.yml

@@ -0,0 +1 @@
+gn:

data/config/locales/he-IL.yml

@@ -0,0 +1 @@
+he:

data/config/locales/hr.yml

@@ -0,0 +1 @@
+hr:

data/config/locales/hu.yml

@@ -0,0 +1 @@
+hu:

data/config/locales/id-ID.yml

@@ -0,0 +1 @@
+id:

data/config/locales/is-IS.yml

@@ -0,0 +1 @@
+is-IS:

data/config/locales/it.yml

@@ -0,0 +1 @@
+it:

data/config/locales/ja.yml

@@ -0,0 +1,8 @@
+---
+ja:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: このリクエストのイントロスペクションは無効です
+        recursion_limit_exceeded_error: クエリで再帰が検出された回数が多すぎます
+        too_many_aliases_error: エイリアスが多すぎます。 %{size} 件のエイリアスを使用していますが、許可されているのは %{limit} 件までです。

data/config/locales/ka-GE.yml

@@ -0,0 +1 @@
+ka:

data/config/locales/kaa.yml

@@ -0,0 +1 @@
+kaa:

data/config/locales/ko.yml

@@ -0,0 +1 @@
+ko:

data/config/locales/lb.yml

@@ -0,0 +1 @@
+lb:

data/config/locales/lo-LA.yml

@@ -0,0 +1 @@
+lo:

data/config/locales/lt.yml

@@ -0,0 +1 @@
+lt:

data/config/locales/lv.yml

@@ -0,0 +1 @@
+lv:

data/config/locales/mt.yml

@@ -0,0 +1 @@
+mt:

data/config/locales/nl.yml

@@ -0,0 +1 @@
+nl:

data/config/locales/no.yml

@@ -0,0 +1,6 @@
+---
+"no":
+  decidim:
+    api:
+      errors:
+        recursion_limit_exceeded_error: For mange rekursjoner oppdaget i spørringen

data/config/locales/oc-FR.yml

@@ -0,0 +1 @@
+oc:

data/config/locales/om-ET.yml

@@ -0,0 +1 @@
+om:

data/config/locales/pl.yml

@@ -0,0 +1 @@
+pl:

data/config/locales/pt-BR.yml

@@ -0,0 +1,8 @@
+---
+pt-BR:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: A inspeção está desabilitada para esta requisição
+        recursion_limit_exceeded_error: Muitas recursões detectadas na consulta
+        too_many_aliases_error: Foram utilizados muitos aliases. Você usou %{size} aliases, mas são permitidos apenas %{limit}.

data/config/locales/pt.yml

@@ -0,0 +1 @@
+pt:

data/config/locales/ro-RO.yml

@@ -0,0 +1,8 @@
+---
+ro:
+  decidim:
+    api:
+      errors:
+        introspection_disabled: Introspection este dezactivat pentru această solicitare
+        recursion_limit_exceeded_error: Prea multe recursii detectate în interogare
+        too_many_aliases_error: Prea multe aliasuri folosite. Ați folosit aliasuri %{size}, dar %{limit} sunt permise.

data/config/locales/ru.yml

@@ -0,0 +1 @@
+ru:

data/config/locales/si-LK.yml

@@ -0,0 +1 @@
+si:

data/config/locales/sk.yml

@@ -0,0 +1 @@
+sk:

data/config/locales/sl.yml

@@ -0,0 +1 @@
+sl:

data/config/locales/so-SO.yml

@@ -0,0 +1 @@
+so:

data/config/locales/sq-AL.yml

@@ -0,0 +1 @@
+sq:

data/config/locales/sr-CS.yml

@@ -0,0 +1 @@
+sr:

data/config/locales/sv.yml

@@ -0,0 +1 @@
+sv:

data/config/locales/sw-KE.yml

@@ -0,0 +1 @@
+sw:

data/config/locales/th-TH.yml

@@ -0,0 +1 @@
+th:

data/config/locales/ti-ER.yml

@@ -0,0 +1 @@
+ti:

data/config/locales/tr-TR.yml

@@ -0,0 +1 @@
+tr:

data/config/locales/uk.yml

@@ -0,0 +1 @@
+uk:

data/config/locales/val-ES.yml

@@ -0,0 +1 @@
+val:

data/config/locales/vi.yml

@@ -0,0 +1 @@
+vi:

data/config/locales/zh-CN.yml

@@ -0,0 +1 @@
+zh-CN:

data/config/locales/zh-TW.yml

@@ -0,0 +1 @@
+zh-TW:

data/lib/decidim/api/alias_analyzer.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    class AliasAnalyzer < GraphQL::Analysis::AST::Analyzer
+      def initialize(query)
+        super
+
+        @aliases = Set.new
+      end
+
+      def on_enter_field(node, _parent, _visitor)
+        @aliases.add(node.alias) if node.alias.present?
+      end
+
+      def result
+        if @aliases.size > Decidim::Api.max_aliases
+          Errors::TooManyAliasesError.new(I18n.t("decidim.api.errors.too_many_aliases_error", size: @aliases.size, limit: Decidim::Api.max_aliases))
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/errors/introspection_disabled_error.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    module Errors
+      # i18n-tasks-use t("decidim.api.errors.introspection_disabled")
+      class IntrospectionDisabledError < GraphQL::ExecutionError
+        def to_h
+          super.merge({ "extensions" => { "code" => "INTROSPECTION_DISABLED_ERROR" } })
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/errors/recursion_limit_exceeded_error.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    module Errors
+      # i18n-tasks-use t("decidim.api.errors.recursion_limit_exceeded_error")
+      class RecursionLimitExceededError < GraphQL::AnalysisError
+        def to_h
+          super.merge({ "extensions" => { "code" => "RECURSION_LIMIT_EXCEEDED_ERROR" } })
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/errors/too_many_aliases_error.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    module Errors
+      # i18n-tasks-use t("decidim.api.errors.too_many_aliases_error")
+
+      class TooManyAliasesError < GraphQL::AnalysisError
+        def to_h
+          super.merge({ "extensions" => { "code" => "TOO_MANY_ALIASES_ERROR" } })
+        end
+      end
+    end
+  end
+end

data/lib/decidim/api/introspection_analyzer.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Api
+    module IntrospectionAnalyzer
+      module FieldVisibility
+        extend ActiveSupport::Concern
+
+        included do
+          def self.visible?(context)
+            raise Errors::IntrospectionDisabledError, I18n.t("decidim.api.errors.introspection_disabled") unless context[:can_introspect] == true
+
+            super
+          end
+        end
+      end
+
+      class SchemaType < GraphQL::Introspection::SchemaType
+        include FieldVisibility
+      end
+
+      class TypeType < GraphQL::Introspection::TypeType
+        include FieldVisibility
+      end
+
+      class DirectiveType < GraphQL::Introspection::DirectiveType
+        include FieldVisibility
+      end
+
+      class DirectiveLocationEnum < GraphQL::Introspection::DirectiveLocationEnum
+        include FieldVisibility
+      end
+
+      class EnumValueType < GraphQL::Introspection::EnumValueType
+        include FieldVisibility
+      end
+
+      class FieldType < GraphQL::Introspection::FieldType
+        include FieldVisibility
+      end
+
+      class InputValueType < GraphQL::Introspection::InputValueType
+        include FieldVisibility
+      end
+
+      class TypeKindEnum < GraphQL::Introspection::TypeKindEnum
+        include FieldVisibility
+      end
+    end
+  end
+end

data/lib/decidim/api/recursion_analyzer.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+# This analyzer checks for too many recursions in GraphQL queries.
+# Copyright (c) GitLab B.V.
+# License: MIT Expat license
+# This content of the class was copied from the GitLab repository
+# @see https://gitlab.com/gitlab-org/gitlab/-/blob/f59f7aa0d86f07496e68abf7172edd703669e7bd/lib/gitlab/graphql/query_analyzers/ast/recursion_analyzer.rb
+# To which I have modified the result format to be compatible with decidim-api.
+
+module Decidim
+  module Api
+    class RecursionAnalyzer < GraphQL::Analysis::AST::Analyzer
+      IGNORED_FIELDS = %w(node edges nodes ofType).freeze
+      RECURSION_THRESHOLD = 2
+
+      def initialize(query)
+        super
+
+        @node_visits = {}
+        @recurring_fields = {}
+      end
+
+      def on_enter_field(node, _parent, visitor)
+        return if skip_node?(node, visitor)
+
+        node_name = node.name
+        node_visits[node_name] ||= 0
+        node_visits[node_name] += 1
+
+        times_encountered = @node_visits[node_name]
+        recurring_fields[node_name] = times_encountered if recursion_too_deep?(node_name, times_encountered)
+      end
+
+      # Visitors are all defined on the AST::Analyzer base class
+      # We override them for custom analyzers.
+      def on_leave_field(node, _parent, visitor)
+        return if skip_node?(node, visitor)
+
+        node_name = node.name
+        node_visits[node_name] ||= 0
+        node_visits[node_name] -= 1
+      end
+
+      def result
+        @recurring_fields = @recurring_fields.select { |k, v| recursion_too_deep?(k, v) }
+
+        Decidim::Api::Errors::RecursionLimitExceededError.new I18n.t("decidim.api.errors.recursion_limit_exceeded_error") if @recurring_fields.any?
+      end
+
+      private
+
+      attr_reader :node_visits, :recurring_fields
+
+      def recursion_too_deep?(node_name, times_encountered)
+        return false if IGNORED_FIELDS.include?(node_name)
+
+        times_encountered > recursion_threshold
+      end
+
+      def skip_node?(node, visitor)
+        # We do not want to count skipped fields or fields
+        # inside fragment definitions
+        return false if visitor.skipping? || visitor.visiting_fragment_definition?
+
+        !node.is_a?(GraphQL::Language::Nodes::Field) || node.selections.empty?
+      end
+
+      # Separated into a method to allow overriding or customization of the recursion limit.
+      def recursion_threshold
+        RECURSION_THRESHOLD
+      end
+    end
+  end
+end

data/lib/decidim/api/schema.rb

@@ -7,6 +7,10 @@ module Decidim
       mutation(MutationType)
       query(QueryType)
 
+      introspection IntrospectionAnalyzer
+      query_analyzer RecursionAnalyzer
+      query_analyzer AliasAnalyzer
+
       default_max_page_size Decidim::Api.schema_max_per_page
       max_depth Decidim::Api.schema_max_depth
       max_complexity Decidim::Api.schema_max_complexity

data/lib/decidim/api/test/component_context.rb

@@ -2,6 +2,7 @@
 
 shared_context "with a graphql decidim component" do
   include_context "with a graphql class type"
+  include_examples "when the introspection is disabled"
 
   let(:schema) { Decidim::Api::Schema }
 

data/lib/decidim/api/test/type_context.rb

@@ -15,6 +15,7 @@ shared_context "with a graphql class type" do
   let(:type_class) { described_class }
   let(:variables) { {} }
   let(:root_value) { model }
+  let(:can_introspect) { Decidim::Api.enable_anonymous_introspection || current_user&.admin? }
 
   let(:schema) do
     klass = type_class
@@ -28,6 +29,20 @@ shared_context "with a graphql class type" do
     execute_query query, variables.stringify_keys
   end
 
+  def raise_proper_error(error)
+    code = error.dig("extensions", "code")
+
+    # Matches the error code with the Error class
+    # For instance, if the error code is NOT_FOUND_ERROR then it will raise the "Decidim::Api::Errors::NotFoundError" class
+    raise "Decidim::Api::Errors::#{code.downcase.classify}".constantize, error["message"] if %w(
+      INTROSPECTION_DISABLED_ERROR
+      TOO_MANY_ALIASES_ERROR
+      RECURSION_LIMIT_EXCEEDED_ERROR
+    ).include?(code)
+
+    raise GraphQL::ExecutionError, error["message"]
+  end
+
   def execute_query(query, variables)
     result = schema.execute(
       query,
@@ -36,17 +51,94 @@ shared_context "with a graphql class type" do
         current_organization:,
         current_user:,
         current_component:,
-        scopes: api_scopes
+        scopes: api_scopes,
+        can_introspect:
       },
       variables:
     )
 
-    raise StandardError, result["errors"].map { |e| e["message"] }.join(", ") if result["errors"]
+    raise_proper_error(result["errors"].first) if result["errors"]
 
     result["data"]
   end
 end
 
+shared_examples "when the introspection is disabled" do
+  shared_examples "check introspection behavior" do
+    context "and the user is not authenticated" do
+      let!(:current_user) { nil }
+
+      it "raises an Decidim::Api::Errors::IntrospectionDisabledError" do
+        expect { response }.to raise_error(Decidim::Api::Errors::IntrospectionDisabledError, "Introspection is disabled for this request")
+      end
+    end
+
+    context "and the user is not an admin" do
+      let!(:current_user) { create(:user, :confirmed, organization: current_organization) }
+
+      it "raises an Decidim::Api::Errors::IntrospectionDisabledError" do
+        expect { response }.to raise_error(Decidim::Api::Errors::IntrospectionDisabledError, "Introspection is disabled for this request")
+      end
+    end
+
+    context "and the user is an admin" do
+      let!(:current_user) { create(:user, :confirmed, :admin, organization: current_organization) }
+
+      it "runs successfully" do
+        expect { response }.not_to raise_error
+      end
+    end
+
+    context "and the setting is true" do
+      before do
+        allow(Decidim::Api).to receive(:enable_anonymous_introspection).and_return(true)
+      end
+
+      it "runs successfully" do
+        expect { response }.not_to raise_error
+      end
+    end
+
+    context "and the setting is false" do
+      before do
+        allow(Decidim::Api).to receive(:enable_anonymous_introspection).and_return(false)
+      end
+
+      it "raises an Decidim::Api::Errors::IntrospectionDisabledError" do
+        expect { response }.to raise_error(Decidim::Api::Errors::IntrospectionDisabledError, "Introspection is disabled for this request")
+      end
+    end
+  end
+
+  context "when requesting the schema introspection" do
+    let(:query) do
+      %( query { __schema { types { fields { type { fields { type { name } } } } } } } )
+    end
+
+    it_behaves_like "check introspection behavior"
+  end
+
+  context "when requesting the type introspection" do
+    let(:query) do
+      %( query CircularIntrospection {
+  __type(name: "User") {
+    fields {
+      type {
+        fields {
+          type {
+            name
+          }
+        }
+      }
+    }
+  }
+} )
+    end
+
+    it_behaves_like "check introspection behavior"
+  end
+end
+
 shared_context "with a graphql scalar class type" do
   include_context "with a graphql class type"
 

data/lib/decidim/api/types.rb

@@ -2,6 +2,9 @@
 
 module Decidim
   module Api
+    autoload :RecursionAnalyzer, "decidim/api/recursion_analyzer"
+    autoload :IntrospectionAnalyzer, "decidim/api/introspection_analyzer"
+    autoload :AliasAnalyzer, "decidim/api/alias_analyzer"
     autoload :QueryType, "decidim/api/query_type"
     autoload :MutationType, "decidim/api/mutation_type"
     autoload :Schema, "decidim/api/schema"
@@ -9,6 +12,12 @@ module Decidim
     autoload :GraphqlPermissions, "decidim/api/graphql_permissions"
     autoload :ComponentMutationType, "decidim/api/component_mutation_type"
 
+    module Errors
+      autoload :IntrospectionDisabledError, "decidim/api/errors/introspection_disabled_error"
+      autoload :TooManyAliasesError, "decidim/api/errors/too_many_aliases_error"
+      autoload :RecursionLimitExceededError, "decidim/api/errors/recursion_limit_exceeded_error"
+    end
+
     module Types
       autoload :BaseArgument, "decidim/api/types/base_argument"
       autoload :BaseEnum, "decidim/api/types/base_enum"

data/lib/decidim/api/version.rb

@@ -4,7 +4,7 @@ module Decidim
   # This holds the decidim-api version.
   module Api
     def self.version
-      "0.31.0"
+      "0.31.1"
     end
   end
 end

data/lib/decidim/api.rb

@@ -23,6 +23,11 @@ module Decidim
       Decidim::Env.new("API_SCHEMA_MAX_COMPLEXITY", 5000).to_i
     end
 
+    # defines how many aliases are permitted in a query
+    config_accessor :max_aliases do
+      Decidim::Env.new("API_SCHEMA_MAX_ALIASES", 5).to_i
+    end
+
     # defines the schema max_depth to configure GraphQL query max_depth
     config_accessor :schema_max_depth do
       Decidim::Env.new("API_SCHEMA_MAX_DEPTH", 15).to_i
@@ -32,12 +37,19 @@ module Decidim
       Decidim::Env.new("DECIDIM_API_DISCLOSE_SYSTEM_VERSION").present?
     end
 
-    # Public Setting that can make the API authentication necessary in order to
-    # access it.
+    # makes the API authentication necessary in order to access it
+
     config_accessor :force_api_authentication do
       Decidim::Env.new("DECIDIM_API_FORCE_API_AUTHENTICATION", nil).present?
     end
 
+    # Allows anonymous introspection queries.
+    # If you are not sure, leave it set to false. In this way, only administrator users will be able to access the introspection query.
+    # Otherwise, anyone can access it, which may cause security issues.
+    config_accessor :enable_anonymous_introspection do
+      Decidim::Env.new("DECIDIM_API_ENABLE_ANONYMOUS_INTROSPECTION", nil).present?
+    end
+
     # The expiration time of the JWT tokens, after which issued token will
     # expire. Recommended to match the value of
     # `DECIDIM_OAUTH_ACCESS_TOKEN_EXPIRES_IN`.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: decidim-api
 version: !ruby/object:Gem::Version
-  version: 0.31.0
+  version: 0.31.1
 platform: ruby
 authors:
 - Josep Jaume Rey Peroy
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-11-20 00:00:00.000000000 Z
+date: 2026-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: decidim-core
@@ -18,14 +18,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
 - !ruby/object:Gem::Dependency
   name: devise-jwt
   requirement: !ruby/object:Gem::Requirement
@@ -94,56 +94,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
 - !ruby/object:Gem::Dependency
   name: decidim-comments
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
 - !ruby/object:Gem::Dependency
   name: decidim-dev
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
 - !ruby/object:Gem::Dependency
   name: decidim-participatory_processes
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.31.0
+        version: 0.31.1
 description: API engine for decidim
 email:
 - josepjaume@gmail.com
@@ -173,18 +173,90 @@ files:
 - app/views/layouts/decidim/api/documentation.html.erb
 - config/assets.rb
 - config/initializers/devise.rb
+- config/locales/am-ET.yml
+- config/locales/ar.yml
+- config/locales/bg.yml
+- config/locales/bn-BD.yml
+- config/locales/bs-BA.yml
+- config/locales/ca-IT.yml
+- config/locales/ca.yml
+- config/locales/cs.yml
+- config/locales/da.yml
+- config/locales/de.yml
+- config/locales/el.yml
+- config/locales/en.yml
+- config/locales/eo.yml
+- config/locales/es-MX.yml
+- config/locales/es-PY.yml
+- config/locales/es.yml
+- config/locales/et.yml
+- config/locales/eu.yml
+- config/locales/fa-IR.yml
+- config/locales/fi-plain.yml
+- config/locales/fi.yml
+- config/locales/fr-CA.yml
+- config/locales/fr.yml
+- config/locales/ga-IE.yml
+- config/locales/gl.yml
+- config/locales/gn-PY.yml
+- config/locales/he-IL.yml
+- config/locales/hr.yml
+- config/locales/hu.yml
+- config/locales/id-ID.yml
+- config/locales/is-IS.yml
+- config/locales/it.yml
+- config/locales/ja.yml
+- config/locales/ka-GE.yml
+- config/locales/kaa.yml
+- config/locales/ko.yml
+- config/locales/lb.yml
+- config/locales/lo-LA.yml
+- config/locales/lt.yml
+- config/locales/lv.yml
+- config/locales/mt.yml
+- config/locales/nl.yml
+- config/locales/no.yml
+- config/locales/oc-FR.yml
+- config/locales/om-ET.yml
+- config/locales/pl.yml
+- config/locales/pt-BR.yml
+- config/locales/pt.yml
+- config/locales/ro-RO.yml
+- config/locales/ru.yml
+- config/locales/si-LK.yml
+- config/locales/sk.yml
+- config/locales/sl.yml
+- config/locales/so-SO.yml
+- config/locales/sq-AL.yml
+- config/locales/sr-CS.yml
+- config/locales/sv.yml
+- config/locales/sw-KE.yml
+- config/locales/th-TH.yml
+- config/locales/ti-ER.yml
+- config/locales/tr-TR.yml
+- config/locales/uk.yml
+- config/locales/val-ES.yml
+- config/locales/vi.yml
+- config/locales/zh-CN.yml
+- config/locales/zh-TW.yml
 - config/routes.rb
 - decidim-api.gemspec
 - docs/usage.md
 - lib/decidim/api.rb
+- lib/decidim/api/alias_analyzer.rb
 - lib/decidim/api/component_mutation_type.rb
 - lib/decidim/api/devise.rb
 - lib/decidim/api/engine.rb
+- lib/decidim/api/errors/introspection_disabled_error.rb
+- lib/decidim/api/errors/recursion_limit_exceeded_error.rb
+- lib/decidim/api/errors/too_many_aliases_error.rb
 - lib/decidim/api/graphiql-initial-query.txt
 - lib/decidim/api/graphiql/config.rb
 - lib/decidim/api/graphql_permissions.rb
+- lib/decidim/api/introspection_analyzer.rb
 - lib/decidim/api/mutation_type.rb
 - lib/decidim/api/query_type.rb
+- lib/decidim/api/recursion_analyzer.rb
 - lib/decidim/api/required_scopes.rb
 - lib/decidim/api/schema.rb
 - lib/decidim/api/test.rb