1.0.12

Author: multipliedtwice

dist/__tests__/merge.spec.js

@@ -162,6 +162,32 @@ describe('mergeQueries', () => {
   salaries {
     amount
   }
+}`,
+        ];
+        const expected = ``;
+        expect((0, merge_1.mergeQueries)(requestQuery, allowedQueries)).toBe(expected);
+    });
+    test('should handle subqueries', () => {
+        const requestQuery = `query ExampleQuery($where: DepartmentWhereUniqueInput!) {
+  department(where: $where) {
+    id
+  }
+}`;
+        const allowedQueries = [
+            `query {
+  departments {
+    id
+    name
+    employees {
+      id
+      name
+    }
+  }
+}`,
+            `query {
+  salaries {
+    amount
+  }
 }`,
         ];
         const expected = ``;

dist/index.js

@@ -37,9 +37,9 @@ class GraphQLQueryPurifier {
                 // Use mergeQueries to filter the incoming request query
                 const filteredQuery = (0, merge_1.mergeQueries)(req.body.query, allowedQueries);
                 if (!filteredQuery.trim()) {
-                    // Log the incident for monitoring
                     console.warn(`Query was blocked due to security rules: ${req.body.query}`);
-                    return res.status(403).send('The requested query is not allowed.');
+                    req.body.query = '{ __typename }';
+                    delete req.body.operationName; // Remove the operation name
                 }
                 else {
                     req.body.query = filteredQuery;
@@ -57,24 +57,38 @@ class GraphQLQueryPurifier {
         const files = glob_1.default.sync(`${this.gqlPath}/**/*.gql`.replace(/\\/g, '/'));
         files.forEach((file) => {
             if (path_1.default.extname(file) === '.gql') {
-                const content = fs_1.default.readFileSync(file, 'utf8');
-                const parsedQuery = (0, graphql_1.parse)(content);
-                parsedQuery.definitions.forEach((definition) => {
-                    if (definition.kind === 'OperationDefinition') {
-                        const operationDefinition = definition;
-                        let queryName = operationDefinition.name?.value;
-                        if (!queryName) {
-                            // Extract the name from the first field of the selection set
-                            const firstField = operationDefinition.selectionSet.selections[0];
-                            if (firstField && firstField.kind === 'Field') {
-                                queryName = firstField.name.value;
+                const content = fs_1.default.readFileSync(file, 'utf8').trim();
+                if (!content) {
+                    console.warn(`Warning: Empty or invalid GraphQL file found: ${file}`);
+                    return;
+                }
+                try {
+                    const parsedQuery = (0, graphql_1.parse)(content);
+                    parsedQuery.definitions.forEach((definition) => {
+                        if (definition.kind === 'OperationDefinition') {
+                            const operationDefinition = definition;
+                            let queryName = operationDefinition.name?.value;
+                            if (!queryName) {
+                                // Extract the name from the first field of the selection set
+                                const firstField = operationDefinition.selectionSet.selections[0];
+                                if (firstField && firstField.kind === 'Field') {
+                                    queryName = firstField.name.value;
+                                }
+                            }
+                            if (queryName) {
+                                this.queryMap[queryName] = content;
                             }
                         }
-                        if (queryName) {
-                            this.queryMap[queryName] = content;
-                        }
+                    });
+                }
+                catch (error) {
+                    if (error instanceof graphql_1.GraphQLError) {
+                        console.error(`Error parsing GraphQL file ${file}: ${error.message}`);
+                    }
+                    else {
+                        console.error(`Unexpected error processing file ${file}: ${error}`);
                     }
-                });
+                }
             }
         });
     }

dist/merge.js

@@ -35,6 +35,13 @@ function mergeQueries(requestQuery, allowedQueries) {
             return undefined; // Continue visiting child nodes
         },
     });
+    // Check if the modified query has any fields left in its selection set
+    const hasFields = modifiedAST.definitions.some((def) => def.kind === 'OperationDefinition' &&
+        def.selectionSet.selections.length > 0);
+    if (!hasFields) {
+        // Return a placeholder or minimal query
+        return '';
+    }
     return (0, graphql_1.print)(modifiedAST);
 }
 exports.mergeQueries = mergeQueries;

package.json

@@ -1,6 +1,6 @@
 {
   "name": "graphql-query-purifier",
-  "version": "1.0.11",
+  "version": "1.0.12",
   "description": "A small library to match .gql queries vs user input. Removes fields from user requests that are not expected by your frontend code.",
   "main": "./dist/index.js",
   "author": "multipliedtwice",

src/__tests__/merge.spec.ts

@@ -174,6 +174,33 @@ describe('mergeQueries', () => {
   salaries {
     amount
   }
+}`,
+    ];
+    const expected = ``;
+    expect(mergeQueries(requestQuery, allowedQueries)).toBe(expected);
+  });
+
+  test('should handle subqueries', () => {
+    const requestQuery = `query ExampleQuery($where: DepartmentWhereUniqueInput!) {
+  department(where: $where) {
+    id
+  }
+}`;
+    const allowedQueries = [
+      `query {
+  departments {
+    id
+    name
+    employees {
+      id
+      name
+    }
+  }
+}`,
+      `query {
+  salaries {
+    amount
+  }
 }`,
     ];
     const expected = ``;

src/index.ts

@@ -1,6 +1,6 @@
 import { NextFunction, Request, Response } from 'express';
 import fs from 'fs';
-import { OperationDefinitionNode, parse } from 'graphql';
+import { GraphQLError, OperationDefinitionNode, parse } from 'graphql';
 import path from 'path';
 // @ts-ignore
 import glob from 'glob';
@@ -33,27 +33,43 @@ export class GraphQLQueryPurifier {
 
     files.forEach((file: string) => {
       if (path.extname(file) === '.gql') {
-        const content = fs.readFileSync(file, 'utf8');
-        const parsedQuery = parse(content);
+        const content = fs.readFileSync(file, 'utf8').trim();
 
-        parsedQuery.definitions.forEach((definition) => {
-          if (definition.kind === 'OperationDefinition') {
-            const operationDefinition = definition as OperationDefinitionNode;
+        if (!content) {
+          console.warn(`Warning: Empty or invalid GraphQL file found: ${file}`);
+          return;
+        }
 
-            let queryName = operationDefinition.name?.value;
-            if (!queryName) {
-              // Extract the name from the first field of the selection set
-              const firstField = operationDefinition.selectionSet.selections[0];
-              if (firstField && firstField.kind === 'Field') {
-                queryName = firstField.name.value;
+        try {
+          const parsedQuery = parse(content);
+          parsedQuery.definitions.forEach((definition) => {
+            if (definition.kind === 'OperationDefinition') {
+              const operationDefinition = definition as OperationDefinitionNode;
+
+              let queryName = operationDefinition.name?.value;
+              if (!queryName) {
+                // Extract the name from the first field of the selection set
+                const firstField =
+                  operationDefinition.selectionSet.selections[0];
+                if (firstField && firstField.kind === 'Field') {
+                  queryName = firstField.name.value;
+                }
               }
-            }
 
-            if (queryName) {
-              this.queryMap[queryName] = content;
+              if (queryName) {
+                this.queryMap[queryName] = content;
+              }
             }
+          });
+        } catch (error) {
+          if (error instanceof GraphQLError) {
+            console.error(
+              `Error parsing GraphQL file ${file}: ${error.message}`
+            );
+          } else {
+            console.error(`Unexpected error processing file ${file}: ${error}`);
           }
-        });
+        }
       }
     });
   }
@@ -90,12 +106,11 @@ export class GraphQLQueryPurifier {
       const filteredQuery = mergeQueries(req.body.query, allowedQueries);
 
       if (!filteredQuery.trim()) {
-        // Log the incident for monitoring
         console.warn(
           `Query was blocked due to security rules: ${req.body.query}`
         );
-
-        return res.status(403).send('The requested query is not allowed.');
+        req.body.query = '{ __typename }';
+        delete req.body.operationName; // Remove the operation name
       } else {
         req.body.query = filteredQuery;
       }

src/merge.ts

@@ -41,5 +41,17 @@ export function mergeQueries(
     },
   });
 
+  // Check if the modified query has any fields left in its selection set
+  const hasFields = modifiedAST.definitions.some(
+    (def) =>
+      def.kind === 'OperationDefinition' &&
+      def.selectionSet.selections.length > 0
+  );
+
+  if (!hasFields) {
+    // Return a placeholder or minimal query
+    return '';
+  }
+
   return print(modifiedAST);
 }