Download the PHP package emran-alhaddad/statamic-graphql-protect without Composer
On this page you can find all versions of the php package emran-alhaddad/statamic-graphql-protect. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package statamic-graphql-protect
Short Description Protect Statamic /graphql (rebing/graphql-laravel) with token + optional IP allow list.
License MIT
Information about the package statamic-graphql-protect
Statamic GraphQL Protect
🔐 Secure your Statamic GraphQL endpoint
A lightweight, production-ready addon that protects Statamic’s /graphql endpoint using a token-based middleware with optional IP allow-listing.
Perfect for headless setups (Next.js, Nuxt, mobile apps) where public GraphQL access must be locked down without changing existing queries.
👉 Statamic Marketplace:
https://statamic.com/addons/emran-alhaddad/statamic-graphql-protect
📦 Package Information
🚀 Features
- 🔐 Token-protected /graphql endpoint
- 🛡️ Optional IP allow-list
- 🧩 Works with Statamic’s GraphQL layer (Rebing GraphQL under the hood)
- ⚙️ Fully configurable via .env
- 🗂️ Middleware-based (no route overrides)
- 🧼 No Statamic core hacks or forks
📦 Installation
Install via Composer:
Publish the config file:
⚙️ Configuration
Published config file:
Example .env configuration:
Your frontend must send the header:
⚠️ REQUIRED: Register Middleware in Statamic GraphQL Config
This addon does not automatically inject itself into every Statamic install.
You must manually register the middleware.
Open:
Add the middleware to the middleware array:
❗ Without this step, /graphql will remain public.
🧪 Example Usage
❌ Request without token (blocked)
Response:
✅ Request with token (allowed)
Response:
🔧 Postman Setup
- Headers
| Key | Value |
|---|---|
| X-Statamic-GraphQL-Token | your-token |
| Content-Type | application/json |
- Body → Raw → JSON
- Send ✅
⚠️ IMPORTANT: Disable Statamic GraphQL Cache
Statamic’s GraphQL cache does NOT respect request headers.
If enabled:
- First unauthenticated request → 401 cached → everyone gets 401
- First authenticated request → 200 cached → endpoint effectively public
✅ Disable it:
Edit:
or:
Then clear caches:
✅ Recommended: cache at Next.js / CDN / Edge level, not inside Statamic.
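The cache failure mode described above, as an added example that is not code from the addon or from Statamic: a constructed PHP model in which a response cache keyed only on the request body sits in front of the token check. The function names, token value, query and response bodies are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed model: these names are not Statamic's or the addon's.
const EXPECTED_TOKEN = 'constructed-sample-token';

// Token gate as the page describes it: the header must carry the token.
// Lookup is by exact key here; real HTTP header names are case-insensitive.
function tokenGate(array $headers): array
{
    $sent = $headers['X-Statamic-GraphQL-Token'] ?? '';
    return hash_equals(EXPECTED_TOKEN, $sent)
        ? [200, '{"data":"constructed result"}']
        : [401, '{"message":"Unauthorized."}'];
}

// Response cache keyed on the request body only; headers never reach the key.
function cachedEndpoint(array &$cache, array $headers, string $body): array
{
    $key = hash('sha256', $body);
    return $cache[$key] ??= tokenGate($headers);
}

$query = '{"query":"{ ping }"}';   // constructed request body
$auth  = ['X-Statamic-GraphQL-Token' => EXPECTED_TOKEN];
$anon  = [];

// Authenticated request first: its 200 is replayed to a caller with no token.
$cache = [];
cachedEndpoint($cache, $auth, $query);
[$status] = cachedEndpoint($cache, $anon, $query);
printf("cache on, token first     -> anonymous caller gets %d\n", $status);

// Anonymous request first: its 401 is replayed to a caller with a valid token.
$cache = [];
cachedEndpoint($cache, $anon, $query);
[$status] = cachedEndpoint($cache, $auth, $query);
printf("cache on, anonymous first -> token caller gets %d\n", $status);

// Cache disabled: every request is evaluated by the gate on its own headers.
[$anonStatus] = tokenGate($anon);
[$authStatus] = tokenGate($auth);
printf("cache off                 -> anonymous %d, token %d\n", $anonStatus, $authStatus);
```

Run it with `php` on the command line; the first two lines of output show the two outcomes listed above, and the third shows the behaviour once the cache is out of the path.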
🔄 Compatibility
- ✅ Statamic 4, 5, and 6 (per your project’s statamic/cms constraint)
- ✅ PHP 8.1+ (newer Statamic/Laravel stacks may require a higher minimum)
- ✅ Headless & traditional installs
- ✅ Next.js / Nuxt / Mobile apps
📁 Directory Structure
🩺 Troubleshooting
“Unauthorized.” (missing or wrong token)
- Header name mismatch
- Token contains whitespace
- Middleware not registered in config/statamic/graphql.php
Works in cURL but not Postman
- Use Body → Raw → JSON
- Ensure headers are manually added
Random 200 / 401 responses
- GraphQL cache still enabled
- Disable it and clear caches
👤 Author
Emran Alhaddad
GitHub: https://github.com/emran-alhaddad
Statamic Addons: https://statamic.com/addons/emran-alhaddad
📄 License
MIT License
See the LICENSE file for full details.