Restricting access to Custom endpoints and Persisted queries by IP

To allow access to a Custom Endpoint or Persisted Query only for visitors from a certain IP or IP range, we can add a filter hook on Hooks::FORBID_ACCESS (triggered by method isAccessForbidden):

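use GraphQLAPI\GraphQLAPI\Services\CustomPostTypes\Hooks;

// ID of the Custom Endpoint or Persisted Query
$customEndpointPostID = 34;
add_filter(
    Hooks::FORBID_ACCESS,
    function (bool $forbidAccess) use ($customEndpointPostID): bool {
        // Only restrict the chosen Custom Endpoint or Persisted Query
        if (!is_single($customEndpointPostID)) {
            return $forbidAccess;
        }
        // REMOTE_ADDR is the address of the direct peer; behind a reverse
        // proxy or CDN it is the proxy's address, not the visitor's
        $visitorIP = $_SERVER['REMOTE_ADDR'] ?? '';
        $allowedIPs = [
            "192.168.*.*",
            "202.119.42.*",
        ];
        foreach ($allowedIPs as $allowedIP) {
            // The visitor IP must be a valid IP and match the wildcard pattern
            if (filter_var($visitorIP, FILTER_VALIDATE_IP) && fnmatch($allowedIP, $visitorIP)) {
                // Allowed IP => Do not forbid access
                return false;
            }
        }
        // No allowed IP matches => forbid access
        return true;
    }
);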

Also make sure not to enable Cache Control on the endpoint, as the response must not be cached.
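
The allowlist above uses wildcard patterns, which can only express ranges that fall on an octet boundary. The following added example (not code from the plugin) matches IPv4 and IPv6 addresses against ranges in CIDR notation instead; ipMatchesCidr() and isVisitorAllowed() are hypothetical helper names, and the sample ranges and addresses are constructed.

```php
<?php
// Added example, not part of the plugin. ipMatchesCidr() and
// isVisitorAllowed() are hypothetical helper names.
function ipMatchesCidr(string $ip, string $cidr): bool
{
    // A bare address (no "/prefix") is treated as a single-host range
    [$subnet, $prefix] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = @inet_pton($ip);
    $subnetBin = @inet_pton($subnet);
    // Reject unparsable input and IPv4/IPv6 family mismatches
    if ($ipBin === false || $subnetBin === false || strlen($ipBin) !== strlen($subnetBin)) {
        return false;
    }
    $maxBits = strlen($ipBin) * 8; // 32 for IPv4, 128 for IPv6
    if ($prefix === null) {
        $prefix = $maxBits;
    } elseif (!preg_match('/^\d{1,3}$/', $prefix) || (int) $prefix > $maxBits) {
        return false; // Malformed prefix length
    }
    $prefix = (int) $prefix;
    // Compare the whole bytes covered by the prefix
    $fullBytes = intdiv($prefix, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    // Compare the leftover high-order bits of the next byte, if any
    $remainingBits = $prefix % 8;
    if ($remainingBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remainingBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
}

function isVisitorAllowed(string $visitorIP, array $allowedRanges): bool
{
    foreach ($allowedRanges as $range) {
        if (ipMatchesCidr($visitorIP, $range)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: the page's two wildcard ranges written as CIDR, plus a /28
$allowedRanges = ['192.168.0.0/16', '202.119.42.0/24', '10.1.2.16/28'];
foreach (['192.168.7.9', '10.1.2.31', '10.1.2.32', '2001:db8::1', 'not-an-ip'] as $sample) {
    printf("%-12s %s\n", $sample, isVisitorAllowed($sample, $allowedRanges) ? 'allowed' : 'forbidden');
}
```

Inside the Hooks::FORBID_ACCESS callback, this would take the place of the wildcard loop: return false when isVisitorAllowed() is true for the visitor IP, and true otherwise.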