feat(graphql): graphQL custom field complexity and validationRules (#9955)

### What? Adds the ability to set custom validation rules on the root `graphQL` config property and the ability to define custom complexity on relationship, join and upload type fields. ### Why? **Validation Rules** These give you the option to add your own validation rules. For example, you may want to prevent introspection queries in production. You can now do that with the following: ```ts import { GraphQL } from '@payloadcms/graphql/types' import { buildConfig } from 'payload' export default buildConfig({ // ... graphQL: { validationRules: (args) => [ NoProductionIntrospection ] }, // ... }) const NoProductionIntrospection: GraphQL.ValidationRule = (context) => ({ Field(node) { if (process.env.NODE_ENV === 'production') { if (node.name.value === '__schema' || node.name.value === '__type') { context.reportError( new GraphQL.GraphQLError( 'GraphQL introspection is not allowed, but the query contained __schema or __type', { nodes: [node] } ) ); } } } }) ``` **Custom field complexity** You can now increase the complexity of a field, this will help users from running queries that are too expensive. A higher number will make the `maxComplexity` trigger sooner. ```ts const fieldWithComplexity = { name: 'authors', type: 'relationship', relationship: 'authors', graphQL: { complexity: 100, // highlight-line } } ```
2024-12-13 15:03:57 -05:00
parent c1673652a8
commit 36e21f182a
16 changed files with 2293 additions and 9 deletions
--- a/test/graphql/config.ts
+++ b/test/graphql/config.ts
@@ -0,0 +1,67 @@
+import { GraphQL } from '@payloadcms/graphql/types'
+import { fileURLToPath } from 'node:url'
+import path from 'path'
+
+import { buildConfigWithDefaults } from '../buildConfigWithDefaults.js'
+import { devUser } from '../credentials.js'
+
+const filename = fileURLToPath(import.meta.url)
+const dirname = path.dirname(filename)
+
+export default buildConfigWithDefaults({
+  // ...extend config here
+  collections: [
+    {
+      slug: 'posts',
+      fields: [
+        {
+          name: 'title',
+          label: 'Title',
+          type: 'text',
+        },
+        {
+          type: 'relationship',
+          relationTo: 'posts',
+          name: 'relationToSelf',
+          graphQL: {
+            complexity: 801,
+          },
+        },
+      ],
+    },
+  ],
+  admin: {
+    importMap: {
+      baseDir: path.resolve(dirname),
+    },
+  },
+  onInit: async (payload) => {
+    await payload.create({
+      collection: 'users',
+      data: {
+        email: devUser.email,
+        password: devUser.password,
+      },
+    })
+  },
+  typescript: {
+    outputFile: path.resolve(dirname, 'payload-types.ts'),
+  },
+  graphQL: {
+    maxComplexity: 800,
+    validationRules: () => [NoIntrospection],
+  },
+})
+
+const NoIntrospection: GraphQL.ValidationRule = (context) => ({
+  Field(node) {
+    if (node.name.value === '__schema' || node.name.value === '__type') {
+      context.reportError(
+        new GraphQL.GraphQLError(
+          'GraphQL introspection is not allowed, but the query contained __schema or __type',
+          { nodes: [node] },
+        ),
+      )
+    }
+  },
+})
--- a/test/graphql/eslint.config.js
+++ b/test/graphql/eslint.config.js
@@ -0,0 +1,19 @@
+import { rootParserOptions } from '../../eslint.config.js'
+import testEslintConfig from '../eslint.config.js'
+
+/** @typedef {import('eslint').Linter.Config} Config */
+
+/** @type {Config[]} */
+export const index = [
+  ...testEslintConfig,
+  {
+    languageOptions: {
+      parserOptions: {
+        ...rootParserOptions,
+        tsconfigRootDir: import.meta.dirname,
+      },
+    },
+  },
+]
+
+export default index
--- a/test/graphql/int.spec.ts
+++ b/test/graphql/int.spec.ts
@@ -0,0 +1,84 @@
+import type { Payload } from 'payload'
+
+import path from 'path'
+import { fileURLToPath } from 'url'
+
+import type { NextRESTClient } from '../helpers/NextRESTClient.js'
+
+import { idToString } from '../helpers/idToString.js'
+import { initPayloadInt } from '../helpers/initPayloadInt.js'
+
+let payload: Payload
+let restClient: NextRESTClient
+
+const filename = fileURLToPath(import.meta.url)
+const dirname = path.dirname(filename)
+
+describe('graphql', () => {
+  beforeAll(async () => {
+    ;({ payload, restClient } = await initPayloadInt(dirname))
+  })
+
+  afterAll(async () => {
+    if (typeof payload.db.destroy === 'function') {
+      await payload.db.destroy()
+    }
+  })
+
+  describe('graphql', () => {
+    it('should not be able to query introspection', async () => {
+      const query = `query {
+        __schema {
+          queryType { 
+            name
+          }
+        }
+      }`
+
+      const response = await restClient
+        .GRAPHQL_POST({
+          body: JSON.stringify({ query }),
+        })
+        .then((res) => res.json())
+
+      expect(response.errors[0].message).toMatch(
+        'GraphQL introspection is not allowed, but the query contained __schema or __type',
+      )
+    })
+
+    it('should respect maxComplexity', async () => {
+      const post = await payload.create({
+        collection: 'posts',
+        data: {
+          title: 'example post',
+        },
+      })
+      await payload.update({
+        collection: 'posts',
+        id: post.id,
+        data: {
+          relatedToSelf: post.id,
+        },
+      })
+
+      const query = `query {
+        Post(id: ${idToString(post.id, payload)}) {
+          title
+          relationToSelf {
+            id
+          }
+        }
+      }`
+
+      const response = await restClient
+        .GRAPHQL_POST({
+          body: JSON.stringify({ query }),
+        })
+        .then((res) => res.json())
+
+      expect(response.errors[0].message).toMatch(
+        'The query exceeds the maximum complexity of 800. Actual complexity is 804',
+      )
+    })
+  })
+})
--- a/test/graphql/payload-types.ts
+++ b/test/graphql/payload-types.ts
@@ -0,0 +1,214 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * This file was automatically generated by Payload.
+ * DO NOT MODIFY IT BY HAND. Instead, modify your source Payload config,
+ * and re-run `payload generate:types` to regenerate this file.
+ */
+
+export interface Config {
+  auth: {
+    users: UserAuthOperations;
+  };
+  collections: {
+    posts: Post;
+    users: User;
+    'payload-locked-documents': PayloadLockedDocument;
+    'payload-preferences': PayloadPreference;
+    'payload-migrations': PayloadMigration;
+  };
+  collectionsJoins: {};
+  collectionsSelect: {
+    posts: PostsSelect<false> | PostsSelect<true>;
+    users: UsersSelect<false> | UsersSelect<true>;
+    'payload-locked-documents': PayloadLockedDocumentsSelect<false> | PayloadLockedDocumentsSelect<true>;
+    'payload-preferences': PayloadPreferencesSelect<false> | PayloadPreferencesSelect<true>;
+    'payload-migrations': PayloadMigrationsSelect<false> | PayloadMigrationsSelect<true>;
+  };
+  db: {
+    defaultIDType: string;
+  };
+  globals: {};
+  globalsSelect: {};
+  locale: null;
+  user: User & {
+    collection: 'users';
+  };
+  jobs: {
+    tasks: unknown;
+    workflows: unknown;
+  };
+}
+export interface UserAuthOperations {
+  forgotPassword: {
+    email: string;
+    password: string;
+  };
+  login: {
+    email: string;
+    password: string;
+  };
+  registerFirstUser: {
+    email: string;
+    password: string;
+  };
+  unlock: {
+    email: string;
+    password: string;
+  };
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "posts".
+ */
+export interface Post {
+  id: string;
+  title?: string | null;
+  relationToSelf?: (string | null) | Post;
+  updatedAt: string;
+  createdAt: string;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "users".
+ */
+export interface User {
+  id: string;
+  updatedAt: string;
+  createdAt: string;
+  email: string;
+  resetPasswordToken?: string | null;
+  resetPasswordExpiration?: string | null;
+  salt?: string | null;
+  hash?: string | null;
+  loginAttempts?: number | null;
+  lockUntil?: string | null;
+  password?: string | null;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "payload-locked-documents".
+ */
+export interface PayloadLockedDocument {
+  id: string;
+  document?:
+    | ({
+        relationTo: 'posts';
+        value: string | Post;
+      } | null)
+    | ({
+        relationTo: 'users';
+        value: string | User;
+      } | null);
+  globalSlug?: string | null;
+  user: {
+    relationTo: 'users';
+    value: string | User;
+  };
+  updatedAt: string;
+  createdAt: string;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "payload-preferences".
+ */
+export interface PayloadPreference {
+  id: string;
+  user: {
+    relationTo: 'users';
+    value: string | User;
+  };
+  key?: string | null;
+  value?:
+    | {
+        [k: string]: unknown;
+      }
+    | unknown[]
+    | string
+    | number
+    | boolean
+    | null;
+  updatedAt: string;
+  createdAt: string;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "payload-migrations".
+ */
+export interface PayloadMigration {
+  id: string;
+  name?: string | null;
+  batch?: number | null;
+  updatedAt: string;
+  createdAt: string;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "posts_select".
+ */
+export interface PostsSelect<T extends boolean = true> {
+  title?: T;
+  relationToSelf?: T;
+  updatedAt?: T;
+  createdAt?: T;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "users_select".
+ */
+export interface UsersSelect<T extends boolean = true> {
+  updatedAt?: T;
+  createdAt?: T;
+  email?: T;
+  resetPasswordToken?: T;
+  resetPasswordExpiration?: T;
+  salt?: T;
+  hash?: T;
+  loginAttempts?: T;
+  lockUntil?: T;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "payload-locked-documents_select".
+ */
+export interface PayloadLockedDocumentsSelect<T extends boolean = true> {
+  document?: T;
+  globalSlug?: T;
+  user?: T;
+  updatedAt?: T;
+  createdAt?: T;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "payload-preferences_select".
+ */
+export interface PayloadPreferencesSelect<T extends boolean = true> {
+  user?: T;
+  key?: T;
+  value?: T;
+  updatedAt?: T;
+  createdAt?: T;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "payload-migrations_select".
+ */
+export interface PayloadMigrationsSelect<T extends boolean = true> {
+  name?: T;
+  batch?: T;
+  updatedAt?: T;
+  createdAt?: T;
+}
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "auth".
+ */
+export interface Auth {
+  [k: string]: unknown;
+}
+
+
+declare module 'payload' {
+  // @ts-ignore 
+  export interface GeneratedTypes extends Config {}
+}
--- a/test/graphql/schema.graphql
+++ b/test/graphql/schema.graphql
--- a/test/graphql/tsconfig.eslint.json
+++ b/test/graphql/tsconfig.eslint.json
@@ -0,0 +1,13 @@
+{
+  // extend your base config to share compilerOptions, etc
+  //"extends": "./tsconfig.json",
+  "compilerOptions": {
+    // ensure that nobody can accidentally use this config for a build
+    "noEmit": true
+  },
+  "include": [
+    // whatever paths you intend to lint
+    "./**/*.ts",
+    "./**/*.tsx"
+  ]
+}
--- a/test/graphql/tsconfig.json
+++ b/test/graphql/tsconfig.json
@@ -0,0 +1,3 @@
+{
+  "extends": "../tsconfig.json"
+}