1.0.14

Author: multipliedtwice

dist/index.d.ts

@@ -1,14 +1,49 @@
 import { NextFunction, Request, Response } from 'express';
 export declare class GraphQLQueryPurifier {
+    /**
+     * The path to the directory containing GraphQL (.gql) files.
+     * @private
+     */
     private gqlPath;
+    /**
+     * A map of allowed query names to their corresponding GraphQL query strings.
+     * @private
+     */
     private queryMap;
+    /**
+     * Flag to allow Apollo Studio's introspection queries.
+     * @private
+     */
     private allowStudio?;
+    /**
+     * Flag to indicate whether to allow all queries (bypassing purifier).
+     * @private
+     */
     private allowAll;
+    /**
+     * Constructs a GraphQLQueryPurifier instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {string} params.gqlPath - Path to the directory containing .gql files.
+     * @param {boolean} [params.allowAll=false] - Whether to allow all queries.
+     * @param {boolean} [params.allowStudio=false] - Whether to allow Apollo Studio introspection queries.
+     */
     constructor({ gqlPath, allowAll, allowStudio, }: {
         gqlPath: string;
         allowStudio?: boolean;
         allowAll?: boolean;
     });
+    startWatchingFiles(): void;
+    /**
+     * Loads queries from .gql files in the specified directory and updates the query map.
+     * @private
+     */
     private loadQueries;
+    /**
+     * Middleware function to filter incoming GraphQL queries based on the allowed list.
+     * If a query is not allowed, it's replaced with a minimal query.
+     * @param {Request} req - The request object.
+     * @param {Response} res - The response object.
+     * @param {NextFunction} next - The next middleware function in the stack.
+     */
     filter: (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
 }

dist/index.js

@@ -11,7 +11,21 @@ const path_1 = __importDefault(require("path"));
 const glob_1 = __importDefault(require("glob"));
 const merge_1 = require("./merge");
 class GraphQLQueryPurifier {
+    /**
+     * Constructs a GraphQLQueryPurifier instance.
+     * @param {Object} params - Configuration parameters.
+     * @param {string} params.gqlPath - Path to the directory containing .gql files.
+     * @param {boolean} [params.allowAll=false] - Whether to allow all queries.
+     * @param {boolean} [params.allowStudio=false] - Whether to allow Apollo Studio introspection queries.
+     */
     constructor({ gqlPath, allowAll = false, allowStudio = false, }) {
+        /**
+         * Middleware function to filter incoming GraphQL queries based on the allowed list.
+         * If a query is not allowed, it's replaced with a minimal query.
+         * @param {Request} req - The request object.
+         * @param {Response} res - The response object.
+         * @param {NextFunction} next - The next middleware function in the stack.
+         */
         this.filter = (req, res, next) => {
             if (this.allowAll)
                 return next();
@@ -50,9 +64,22 @@ class GraphQLQueryPurifier {
         this.gqlPath = gqlPath;
         this.queryMap = {};
         this.loadQueries();
+        this.startWatchingFiles();
         this.allowAll = allowAll;
         this.allowStudio = allowStudio;
     }
+    startWatchingFiles() {
+        fs_1.default.watch(this.gqlPath, { recursive: true }, (eventType, filename) => {
+            if (filename && path_1.default.extname(filename) === '.gql') {
+                console.log(`Detected ${eventType} in ${filename}`);
+                this.loadQueries();
+            }
+        });
+    }
+    /**
+     * Loads queries from .gql files in the specified directory and updates the query map.
+     * @private
+     */
     loadQueries() {
         const files = glob_1.default.sync(`${this.gqlPath}/**/*.gql`.replace(/\\/g, '/'));
         files.forEach((file) => {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "graphql-query-purifier",
-  "version": "1.0.12",
+  "version": "1.0.13",
   "description": "A small library to match .gql queries vs user input. Removes fields from user requests that are not expected by your frontend code.",
   "main": "./dist/index.js",
   "author": "multipliedtwice",

src/__tests__/merge.spec.ts

@@ -201,6 +201,23 @@ describe('mergeQueries', () => {
   salaries {
     amount
   }
+}`,
+    ];
+    const expected = ``;
+    expect(mergeQueries(requestQuery, allowedQueries)).toBe(expected);
+  });
+
+  test('should handle subqueries', () => {
+    const requestQuery = `query GetDepartment {
+  departments {
+    name
+  }
+}`;
+    const allowedQueries = [
+      `query departments {
+  departments {
+    id
+  }
 }`,
     ];
     const expected = ``;

src/index.ts

@@ -7,11 +7,38 @@ import glob from 'glob';
 import { mergeQueries } from './merge';
 
 export class GraphQLQueryPurifier {
+  /**
+   * The path to the directory containing GraphQL (.gql) files.
+   * @private
+   */
+
   private gqlPath: string;
+  /**
+   * A map of allowed query names to their corresponding GraphQL query strings.
+   * @private
+   */
+
   private queryMap: { [key: string]: string };
+  /**
+   * Flag to allow Apollo Studio's introspection queries.
+   * @private
+   */
+
   private allowStudio?: boolean;
+  /**
+   * Flag to indicate whether to allow all queries (bypassing purifier).
+   * @private
+   */
+
   private allowAll: boolean;
 
+  /**
+   * Constructs a GraphQLQueryPurifier instance.
+   * @param {Object} params - Configuration parameters.
+   * @param {string} params.gqlPath - Path to the directory containing .gql files.
+   * @param {boolean} [params.allowAll=false] - Whether to allow all queries.
+   * @param {boolean} [params.allowStudio=false] - Whether to allow Apollo Studio introspection queries.
+   */
   constructor({
     gqlPath,
     allowAll = false,
@@ -24,10 +51,24 @@ export class GraphQLQueryPurifier {
     this.gqlPath = gqlPath;
     this.queryMap = {};
     this.loadQueries();
+    this.startWatchingFiles();
     this.allowAll = allowAll;
     this.allowStudio = allowStudio;
   }
 
+  public startWatchingFiles() {
+    fs.watch(this.gqlPath, { recursive: true }, (eventType, filename) => {
+      if (filename && path.extname(filename) === '.gql') {
+        console.log(`Detected ${eventType} in ${filename}`);
+        this.loadQueries();
+      }
+    });
+  }
+
+  /**
+   * Loads queries from .gql files in the specified directory and updates the query map.
+   * @private
+   */
   private loadQueries() {
     const files = glob.sync(`${this.gqlPath}/**/*.gql`.replace(/\\/g, '/'));
 
@@ -74,6 +115,13 @@ export class GraphQLQueryPurifier {
     });
   }
 
+  /**
+   * Middleware function to filter incoming GraphQL queries based on the allowed list.
+   * If a query is not allowed, it's replaced with a minimal query.
+   * @param {Request} req - The request object.
+   * @param {Response} res - The response object.
+   * @param {NextFunction} next - The next middleware function in the stack.
+   */
   public filter = (req: Request, res: Response, next: NextFunction) => {
     if (this.allowAll) return next();
     if (
@@ -103,7 +151,11 @@ export class GraphQLQueryPurifier {
 
     if (req.body && req.body.query) {
       // Use mergeQueries to filter the incoming request query
-      const filteredQuery = mergeQueries(req.body.query, allowedQueries);
+      const filteredQuery = mergeQueries(
+        req.body.query,
+        allowedQueries,
+        req.body.operationName
+      );
 
       if (!filteredQuery.trim()) {
         console.warn(

src/merge.ts

@@ -11,7 +11,8 @@ function getPath(node: FieldNode, ancestors: ASTNode[]) {
 
 export function mergeQueries(
   requestQuery: string,
-  allowedQueries: string[]
+  allowedQueries: string[],
+  operationName?: string
 ): string {
   if (!requestQuery.trim()) {
     return '';