Merge branch 'feature/disable-gql' of github.com:payloadcms/payload

demo/payload.config.ts

@@ -100,9 +100,10 @@ export default buildConfig({
   defaultDepth: 2,
   graphQL: {
     maxComplexity: 1000,
-    mutations: {}, // TODO: needs typing
-    queries: {}, // TODO: needs typing
+    mutations: {},
+    queries: {},
     disablePlaygroundInProduction: true,
+    disable: false,
   },
   // rateLimit: {
   //   window: 15 * 60 * 100,

docs/production/preventing-abuse.mdx

@@ -41,7 +41,8 @@ CSRF prevention will verify the authenticity of each request to your API to prev
 To securely allow headless operation you will need to configure the allowed origins for requests to be able to use the Payload API. You can see how to set CORS as well as other payload configuration settings [here](http://localhost:3000/docs/configuration/overview)
 
 ### Limiting GraphQL Complexity
-
 Because GraphQL gives the power of query writing outside a server's control, someone with bad intentions might write a maliciously complex query and bog down your server. To prevent resource-intensive GraphQL requests, Payload provides a way specify complexity limits which are based on a complexity score that is calculated for each request.
 
 Any GraphQL request that is calculated to be too expensive is rejected. On the Payload config, in `graphQL` you can set the `maxComplexity` value as an integer. For reference, the default complexity value for each added field is 1, and all `relationship` and `upload` fields are assigned a value of 10.
+
+If you do not need GraphQL it is advised that you disable it altogether with the Payload config by setting `graphQL.disable: true`. Should you wish to enable GraphQL again, you can remove this property or set it `false`, any time. By turning it off, Payload will bypass creating schemas from your collections and will not register the express route.

src/config/schema.ts

@@ -84,6 +84,7 @@ export default joi.object({
       queries: joi.object(),
       maxComplexity: joi.number(),
       disablePlaygroundInProduction: joi.boolean(),
+      disable: joi.boolean(),
     }),
   localization: joi.alternatives()
     .try(

src/config/types.ts

@@ -132,6 +132,7 @@ export type PayloadConfig = {
     } | ((graphQL: typeof GraphQL, payload: InitializeGraphQL) => any),
     maxComplexity?: number;
     disablePlaygroundInProduction?: boolean;
+    disable?: boolean;
   };
   components?: { [key: string]: JSX.Element | (() => JSX.Element) };
   paths?: { [key: string]: string };

src/graphql/initPlayground.ts

@@ -2,7 +2,7 @@ import graphQLPlayground from 'graphql-playground-middleware-express';
 import { Payload } from '../index';
 
 function initPlayground(ctx: Payload): void {
-  if ((!ctx.config.graphQL.disablePlaygroundInProduction && process.env.NODE_ENV === 'production') || process.env.NODE_ENV !== 'production') {
+  if ((!ctx.config.graphQL.disable && !ctx.config.graphQL.disablePlaygroundInProduction && process.env.NODE_ENV === 'production') || process.env.NODE_ENV !== 'production') {
     ctx.router.get(ctx.config.routes.graphQLPlayground, graphQLPlayground({
       endpoint: `${ctx.config.routes.api}${ctx.config.routes.graphQL}`,
       // eslint-disable-next-line @typescript-eslint/ban-ts-comment

src/index.ts

@@ -159,13 +159,15 @@ export class Payload {
 
       const graphQLHandler = new GraphQL(this);
 
-      this.router.use(
-        this.config.routes.graphQL,
-        identifyAPI('GraphQL'),
-        (req, res) => graphQLHandler.init(req, res)(req, res),
-      );
+      if (!this.config.graphQL.disable) {
+        this.router.use(
+          this.config.routes.graphQL,
+          identifyAPI('GraphQL'),
+          (req, res) => graphQLHandler.init(req, res)(req, res),
+        );
+        initGraphQLPlayground(this);
+      }
 
-      initGraphQLPlayground(this);
 
       // Bind router to API
       this.express.use(this.config.routes.api, this.router);