1.0.3

multipliedtwice · multipliedtwice · commit e52c119c7313 · 2023-11-19T12:39:56.000+07:00
diff --git a/dist/index.d.ts b/dist/index.d.ts
@@ -2,7 +2,13 @@ import { NextFunction, Request, Response } from 'express';
 export declare class GraphQLQueryPurifier {
     private gqlPath;
     private queryMap;
-    constructor(gqlPath: string);
+    private allowStudio?;
+    private allowAll;
+    constructor({ gqlPath, allowAll, allowStudio, }: {
+        gqlPath: string;
+        allowStudio?: boolean;
+        allowAll?: boolean;
+    });
     private loadQueries;
-    filter: (req: Request, res: Response, next: NextFunction) => void;
+    filter: (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
 }
diff --git a/dist/index.js b/dist/index.js
@@ -1 +1,76 @@
-"use strict";var e=this&&this.__importDefault||function(e){return e&&e.__esModule?e:{default:e}};Object.defineProperty(exports,"__esModule",{value:!0}),exports.GraphQLQueryPurifier=void 0;const r=e(require("fs")),i=e(require("glob")),t=require("graphql"),u=e(require("path")),s=require("./merge");class a{constructor(e){this.filter=(e,r,i)=>{if(e.body&&e.body.query){const r=Object.values(this.queryMap);e.body.query=(0,s.mergeQueries)(e.body.query,r)}i()},this.gqlPath=e,this.queryMap={},this.loadQueries()}loadQueries(){i.default.sync(`${this.gqlPath}/**/*.gql`).forEach((e=>{if(".gql"===u.default.extname(e)){const i=r.default.readFileSync(e,"utf8"),u=(0,t.parse)(i).definitions.find((e=>"OperationDefinition"===e.kind)),s=u?.name?.value;s&&(this.queryMap[s]=i)}}))}}exports.GraphQLQueryPurifier=a;
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GraphQLQueryPurifier = void 0;
+const fs_1 = __importDefault(require("fs"));
+const glob_1 = __importDefault(require("glob"));
+const graphql_1 = require("graphql");
+const path_1 = __importDefault(require("path"));
+const merge_1 = require("./merge");
+class GraphQLQueryPurifier {
+    constructor({ gqlPath, allowAll = false, allowStudio = false, }) {
+        this.filter = (req, res, next) => {
+            if (this.allowAll)
+                return next();
+            if (req.body.operationName === 'IntrospectionQuery' ||
+                req.body.extensions?.persistedQuery) {
+                if (this.allowStudio) {
+                    return next();
+                }
+                else {
+                    return res
+                        .status(403)
+                        .send('Access to studio is disabled by GraphQLQueryPurifier, pass { allowStudio: true }');
+                }
+            }
+            // Get all allowed queries as an array of strings
+            const allowedQueries = Object.values(this.queryMap);
+            if (allowedQueries.length === 0) {
+                console.warn('Warning: No GraphQL queries were loaded in GraphQLQueryPurifier. ' +
+                    'Ensure that your .gql files are located in the specified directory: ' +
+                    this.gqlPath);
+                return res
+                    .status(500)
+                    .send('GraphQL queries are not loaded. Please check server logs for more details.');
+            }
+            if (req.body && req.body.query) {
+                // Use mergeQueries to filter the incoming request query
+                req.body.query = (0, merge_1.mergeQueries)(req.body.query, allowedQueries);
+            }
+            next();
+        };
+        this.gqlPath = gqlPath;
+        this.queryMap = {};
+        this.loadQueries();
+        this.allowAll = allowAll;
+        this.allowStudio = allowStudio;
+    }
+    loadQueries() {
+        const files = glob_1.default.sync(`${this.gqlPath}/**/*.gql`);
+        files.forEach((file) => {
+            if (path_1.default.extname(file) === '.gql') {
+                const content = fs_1.default.readFileSync(file, 'utf8');
+                const parsedQuery = (0, graphql_1.parse)(content);
+                parsedQuery.definitions.forEach((definition) => {
+                    if (definition.kind === 'OperationDefinition') {
+                        const operationDefinition = definition;
+                        let queryName = operationDefinition.name?.value;
+                        if (!queryName) {
+                            // Extract the name from the first field of the selection set
+                            const firstField = operationDefinition.selectionSet.selections[0];
+                            if (firstField && firstField.kind === 'Field') {
+                                queryName = firstField.name.value;
+                            }
+                        }
+                        if (queryName) {
+                            this.queryMap[queryName] = content;
+                        }
+                    }
+                });
+            }
+        });
+    }
+}
+exports.GraphQLQueryPurifier = GraphQLQueryPurifier;
diff --git a/package.json b/package.json
@@ -1,13 +1,13 @@
 {
   "name": "graphql-query-purifier",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "A small library to match .gql queries vs user input. Removes fields from user requests that are not expected by your frontend code.",
   "main": "./dist/index.js",
   "author": "multipliedtwice",
   "license": "MIT",
   "scripts": {
     "test": "jest",
-    "build": "tsc && terser -c -m toplevel -o dist/index.js -- dist/index.js"
+    "build": "tsc"
   },
   "repository": {
     "type": "git",
diff --git a/src/index.ts b/src/index.ts
@@ -9,37 +9,88 @@ import { mergeQueries } from './merge';
 export class GraphQLQueryPurifier {
   private gqlPath: string;
   private queryMap: { [key: string]: string };
+  private allowStudio?: boolean;
+  private allowAll: boolean;
 
-  constructor(gqlPath: string) {
+  constructor({
+    gqlPath,
+    allowAll = false,
+    allowStudio = false,
+  }: {
+    gqlPath: string;
+    allowStudio?: boolean;
+    allowAll?: boolean;
+  }) {
     this.gqlPath = gqlPath;
     this.queryMap = {};
     this.loadQueries();
+    this.allowAll = allowAll;
+    this.allowStudio = allowStudio;
   }
 
   private loadQueries() {
     const files = glob.sync(`${this.gqlPath}/**/*.gql`);
+
     files.forEach((file) => {
       if (path.extname(file) === '.gql') {
         const content = fs.readFileSync(file, 'utf8');
         const parsedQuery = parse(content);
 
-        const operationDefinition = parsedQuery.definitions.find(
-          (def) => def.kind === 'OperationDefinition'
-        ) as OperationDefinitionNode | undefined;
+        parsedQuery.definitions.forEach((definition) => {
+          if (definition.kind === 'OperationDefinition') {
+            const operationDefinition = definition as OperationDefinitionNode;
+
+            let queryName = operationDefinition.name?.value;
+            if (!queryName) {
+              // Extract the name from the first field of the selection set
+              const firstField = operationDefinition.selectionSet.selections[0];
+              if (firstField && firstField.kind === 'Field') {
+                queryName = firstField.name.value;
+              }
+            }
 
-        const queryName = operationDefinition?.name?.value;
-        if (queryName) {
-          this.queryMap[queryName] = content;
-        }
+            if (queryName) {
+              this.queryMap[queryName] = content;
+            }
+          }
+        });
       }
     });
   }
 
   public filter = (req: Request, res: Response, next: NextFunction) => {
-    if (req.body && req.body.query) {
-      // Get all allowed queries as an array of strings
-      const allowedQueries = Object.values(this.queryMap);
+    if (this.allowAll) return next();
+    if (
+      req.body.operationName === 'IntrospectionQuery' ||
+      req.body.extensions?.persistedQuery
+    ) {
+      if (this.allowStudio) {
+        return next();
+      } else {
+        return res
+          .status(403)
+          .send(
+            'Access to studio is disabled by GraphQLQueryPurifier, pass { allowStudio: true }'
+          );
+      }
+    }
+
+    // Get all allowed queries as an array of strings
+    const allowedQueries = Object.values(this.queryMap);
+    if (allowedQueries.length === 0) {
+      console.warn(
+        'Warning: No GraphQL queries were loaded in GraphQLQueryPurifier. ' +
+          'Ensure that your .gql files are located in the specified directory: ' +
+          this.gqlPath
+      );
+      return res
+        .status(500)
+        .send(
+          'GraphQL queries are not loaded. Please check server logs for more details.'
+        );
+    }
 
+    if (req.body && req.body.query) {
       // Use mergeQueries to filter the incoming request query
       req.body.query = mergeQueries(req.body.query, allowedQueries);
     }
