feat(serve/legacy/http): allow extra params in body (#7183)

* feat(serve/legacy/http): allow extra params in body * chore(dependencies): updated changesets for modified dependencies * Tests --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
ardatan · Jul 1, 2024 · 8a04cf7 · 8a04cf7
1 parent bd2814d
commit 8a04cf7
Show file tree

Hide file tree

Showing 23 changed files with 187 additions and 25 deletions.
diff --git a/.changeset/@graphql-mesh_fusion-runtime-7183-dependencies.md b/.changeset/@graphql-mesh_fusion-runtime-7183-dependencies.md
@@ -0,0 +1,5 @@
+---
+"@graphql-mesh/fusion-runtime": patch
+---
+dependencies updates:
+  - Updated dependency [`graphql-yoga@^5.6.0` ↗︎](https://www.npmjs.com/package/graphql-yoga/v/5.6.0) (from `^5.3.0`, in `dependencies`)
diff --git a/.changeset/@graphql-mesh_http-7183-dependencies.md b/.changeset/@graphql-mesh_http-7183-dependencies.md
@@ -0,0 +1,5 @@
+---
+"@graphql-mesh/http": patch
+---
+dependencies updates:
+  - Updated dependency [`graphql-yoga@^5.6.0` ↗︎](https://www.npmjs.com/package/graphql-yoga/v/5.6.0) (from `^5.3.0`, in `dependencies`)
diff --git a/.changeset/@graphql-mesh_plugin-response-cache-7183-dependencies.md b/.changeset/@graphql-mesh_plugin-response-cache-7183-dependencies.md
@@ -0,0 +1,5 @@
+---
+"@graphql-mesh/plugin-response-cache": patch
+---
+dependencies updates:
+  - Updated dependency [`graphql-yoga@^5.6.0` ↗︎](https://www.npmjs.com/package/graphql-yoga/v/5.6.0) (from `^5.1.1`, in `dependencies`)
diff --git a/.changeset/@graphql-mesh_serve-runtime-7183-dependencies.md b/.changeset/@graphql-mesh_serve-runtime-7183-dependencies.md
@@ -0,0 +1,5 @@
+---
+"@graphql-mesh/serve-runtime": patch
+---
+dependencies updates:
+  - Updated dependency [`graphql-yoga@^5.6.0` ↗︎](https://www.npmjs.com/package/graphql-yoga/v/5.6.0) (from `^5.3.0`, in `dependencies`)
diff --git a/.changeset/flat-actors-heal.md b/.changeset/flat-actors-heal.md
@@ -0,0 +1,30 @@
+---
+'@graphql-mesh/types': patch
+'@graphql-mesh/http': patch
+---
+
+By default, Mesh does not allow extra parameters in the request body other than `query`, `operationName`, `extensions`, and `variables`, then throws 400 HTTP Error.
+This change adds a new option called `extraParamNames` to allow extra parameters in the request body.
+
+```yaml
+serve:
+  extraParamNames:
+    - extraParam1
+    - extraParam2
+```
+
+```ts
+const res = await fetch('/graphql', {
+    method: 'POST',
+    headers: {
+        'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+        query: 'query { __typename }',
+        extraParam1: 'value1',
+        extraParam2: 'value2',
+    }),
+});
+
+console.assert(res.status === 200);
+```
diff --git a/e2e/auto-type-merging/package.json b/e2e/auto-type-merging/package.json
@@ -6,6 +6,6 @@
     "@graphql-mesh/serve-cli": "workspace:*",
     "@omnigraph/openapi": "workspace:*",
     "graphql": "^16.8.1",
-    "graphql-yoga": "^5.3.0"
+    "graphql-yoga": "^5.6.0"
   }
 }
diff --git a/e2e/type-merging-batching/package.json b/e2e/type-merging-batching/package.json
@@ -6,6 +6,6 @@
     "@graphql-mesh/fusion-runtime": "workspace:*",
     "@graphql-mesh/serve-cli": "workspace:*",
     "graphql": "^16.8.1",
-    "graphql-yoga": "^5.3.0"
+    "graphql-yoga": "^5.6.0"
   }
 }
diff --git a/examples/graphql-file-upload-example/package.json b/examples/graphql-file-upload-example/package.json
@@ -13,7 +13,7 @@
     "@graphql-mesh/graphql": "0.98.10",
     "concurrently": "8.2.2",
     "graphql": "16.9.0",
-    "graphql-yoga": "^5.3.0",
+    "graphql-yoga": "^5.6.0",
     "sharp": "0.33.4"
   },
   "devDependencies": {

diff --git a/examples/v1-next/hive-example/my-graphql/package.json b/examples/v1-next/hive-example/my-graphql/package.json
@@ -8,7 +8,7 @@
   "dependencies": {
     "@graphql-hive/cli": "0.38.4",
     "graphql": "16.9.0",
-    "graphql-yoga": "5.4.0",
+    "graphql-yoga": "5.6.0",
     "tsx": "4.15.8"
   }
 }
diff --git a/packages/fusion/runtime/package.json b/packages/fusion/runtime/package.json
@@ -64,7 +64,7 @@
     "@graphql-tools/wrap": "^10.0.5",
     "change-case": "^4.1.2",
     "disposablestack": "^1.1.6",
-    "graphql-yoga": "^5.3.0",
+    "graphql-yoga": "^5.6.0",
     "tslib": "^2.4.0"
   },
   "publishConfig": {

diff --git a/packages/legacy/cli/src/commands/serve/yaml-config.graphql b/packages/legacy/cli/src/commands/serve/yaml-config.graphql
@@ -70,6 +70,17 @@ type ServeConfig @md {
   Endpoint for [Health Check](https://the-guild.dev/graphql/yoga-server/docs/features/health-check)
   """
   healthCheckEndpoint: String
+
+  """
+  By default, GraphQL Mesh does not allow parameters in the request body except `query`, `variables`, `extensions`, and `operationName`.
+
+  This option allows you to specify additional parameters that are allowed in the request body.
+
+  @default []
+
+  @example ['doc_id', 'id']
+  """
+  extraParamNames: [String]
 }
 
 union Port = Int | String

diff --git a/packages/legacy/http/package.json b/packages/legacy/http/package.json
@@ -42,7 +42,7 @@
   },
   "dependencies": {
     "@whatwg-node/server": "^0.9.34",
-    "graphql-yoga": "^5.3.0"
+    "graphql-yoga": "^5.6.0"
   },
   "devDependencies": {
     "@types/lodash.get": "4.4.9",

diff --git a/packages/legacy/http/src/graphqlHandler.ts b/packages/legacy/http/src/graphqlHandler.ts
@@ -10,6 +10,7 @@ export const graphqlHandler = ({
   corsConfig,
   batchingLimit,
   healthCheckEndpoint = '/healthcheck',
+  extraParamNames,
 }: {
   getBuiltMesh: () => Promise<MeshInstance>;
   playgroundTitle: string;
@@ -18,6 +19,7 @@ export const graphqlHandler = ({
   corsConfig: CORSOptions;
   batchingLimit?: number;
   healthCheckEndpoint?: string;
+  extraParamNames?: string[];
 }) => {
   const getYogaForMesh = memoize1(function getYogaForMesh(mesh: MeshInstance) {
     return createYoga({
@@ -32,6 +34,7 @@ export const graphqlHandler = ({
           },
         }),
       ],
+      extraParamNames,
       logging: mesh.logger,
       maskedErrors: false,
       graphiql: playgroundEnabled && {

diff --git a/packages/legacy/http/src/index.ts b/packages/legacy/http/src/index.ts
@@ -31,6 +31,7 @@ export function createMeshHTTPHandler<TServerContext>({
     healthCheckEndpoint = '/healthcheck',
     // TODO
     // trustProxy = 'loopback',
+    extraParamNames,
   } = rawServeConfig;
 
   getBuiltMesh()
@@ -50,6 +51,7 @@ export function createMeshHTTPHandler<TServerContext>({
       graphqlEndpoint: graphqlPath,
       corsConfig,
       batchingLimit,
+      extraParamNames,
     }),
     {
       plugins: [

diff --git a/packages/legacy/http/test/http.spec.ts b/packages/legacy/http/test/http.spec.ts
@@ -1,3 +1,4 @@
+import { ExecutionResult } from 'graphql';
 import { createMeshHTTPHandler } from '@graphql-mesh/http';
 import { MeshInstance } from '@graphql-mesh/runtime';
 import { getTestMesh } from '../../testing/getTestMesh.js';
@@ -56,5 +57,75 @@ describe('http', () => {
       const response = await httpHandler.fetch('http://localhost:4000/custom-health-check');
       expect(response.status).toBe(200);
     });
+    it('throws when unprovided extra parameters are given in the request', async () => {
+      await using mesh = await getTestMesh();
+      const httpHandler = createMeshHTTPHandler({
+        baseDir: __dirname,
+        getBuiltMesh: async () => mesh,
+      });
+      const response = await httpHandler.fetch('http://localhost:4000/graphql', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          query: `query { __typename }`,
+          extraParam: 'extraParamValue',
+        }),
+      });
+      expect(response.status).toBe(400);
+      const result: ExecutionResult = await response.json();
+      expect(result.errors[0].message).toBe(
+        'Unexpected parameter "extraParam" in the request body.',
+      );
+    });
+    it('respects the extra parameters given in the config', async () => {
+      await using mesh = await getTestMesh();
+      const httpHandler = createMeshHTTPHandler({
+        baseDir: __dirname,
+        getBuiltMesh: async () => mesh,
+        rawServeConfig: {
+          extraParamNames: ['extraParam'],
+        },
+      });
+      const response = await httpHandler.fetch('http://localhost:4000/graphql', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          query: `query { __typename }`,
+          extraParam: 'extraParamValue',
+        }),
+      });
+      expect(response.status).toBe(200);
+      const result: ExecutionResult = await response.json();
+      expect(result.data.__typename).toBe('Query');
+    });
+    it('throws when unprovided extra parameters are given in the request while there are provided some', async () => {
+      await using mesh = await getTestMesh();
+      const httpHandler = createMeshHTTPHandler({
+        baseDir: __dirname,
+        getBuiltMesh: async () => mesh,
+        rawServeConfig: {
+          extraParamNames: ['extraParam'],
+        },
+      });
+      const response = await httpHandler.fetch('http://localhost:4000/graphql', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          query: `query { __typename }`,
+          extraParam1: 'extraParamValue',
+        }),
+      });
+      expect(response.status).toBe(400);
+      const result: ExecutionResult = await response.json();
+      expect(result.errors[0].message).toBe(
+        'Unexpected parameter "extraParam1" in the request body.',
+      );
+    });
   });
 });
diff --git a/packages/legacy/types/src/config-schema.json b/packages/legacy/types/src/config-schema.json
@@ -173,6 +173,14 @@
         "healthCheckEndpoint": {
           "type": "string",
           "description": "Endpoint for [Health Check](https://the-guild.dev/graphql/yoga-server/docs/features/health-check)"
+        },
+        "extraParamNames": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "additionalItems": false,
+          "description": "By default, GraphQL Mesh does not allow parameters in the request body except `query`, `variables`, `extensions`, and `operationName`.\n\nThis option allows you to specify additional parameters that are allowed in the request body.\n\n@default []\n\n@example ['doc_id', 'id']"
         }
       }
     },

diff --git a/packages/legacy/types/src/config.ts b/packages/legacy/types/src/config.ts
@@ -125,6 +125,16 @@ export interface ServeConfig {
    * Endpoint for [Health Check](https://the-guild.dev/graphql/yoga-server/docs/features/health-check)
    */
   healthCheckEndpoint?: string;
+  /**
+   * By default, GraphQL Mesh does not allow parameters in the request body except `query`, `variables`, `extensions`, and `operationName`.
+   *
+   * This option allows you to specify additional parameters that are allowed in the request body.
+   *
+   * @default []
+   *
+   * @example ['doc_id', 'id']
+   */
+  extraParamNames?: string[];
 }
 /**
  * Configuration for CORS

diff --git a/packages/loaders/openapi/package.json b/packages/loaders/openapi/package.json
@@ -50,7 +50,7 @@
     "@graphql-tools/utils": "10.2.2",
     "@whatwg-node/fetch": "0.9.18",
     "fets": "0.8.1",
-    "graphql-yoga": "5.4.0",
+    "graphql-yoga": "5.6.0",
     "json-bigint-patch": "0.0.8"
   },
   "publishConfig": {

diff --git a/packages/plugins/newrelic/package.json b/packages/plugins/newrelic/package.json
@@ -48,7 +48,7 @@
   "devDependencies": {
     "@newrelic/test-utilities": "6.5.5",
     "@types/newrelic": "9.14.4",
-    "graphql-yoga": "5.4.0",
+    "graphql-yoga": "5.6.0",
     "newrelic": "10.6.2"
   },
   "publishConfig": {

diff --git a/packages/plugins/response-cache/package.json b/packages/plugins/response-cache/package.json
@@ -43,7 +43,7 @@
     "@envelop/response-cache": "^6.1.1",
     "@graphql-mesh/string-interpolation": "0.5.4",
     "@graphql-yoga/plugin-response-cache": "^3.1.1",
-    "graphql-yoga": "^5.1.1"
+    "graphql-yoga": "^5.6.0"
   },
   "publishConfig": {
     "access": "public",

diff --git a/packages/serve-runtime/package.json b/packages/serve-runtime/package.json
@@ -51,7 +51,7 @@
     "@graphql-tools/utils": "^10.2.1",
     "@whatwg-node/server": "^0.9.34",
     "disposablestack": "^1.1.6",
-    "graphql-yoga": "^5.3.0"
+    "graphql-yoga": "^5.6.0"
   },
   "publishConfig": {
     "access": "public",

diff --git a/website/src/generated-markdown/ServeConfig.generated.md b/website/src/generated-markdown/ServeConfig.generated.md
@@ -29,4 +29,11 @@ This feature can be disabled by passing `false` One of:
 * `trustProxy` (type: `String`) - Configure Express Proxy Handling
 [Learn more](https://expressjs.com/en/guide/behind-proxies.html)
 * `batchingLimit` (type: `Int`) - Enable and define a limit for [Request Batching](https://github.com/graphql/graphql-over-http/blob/main/rfcs/Batching.md)
-* `healthCheckEndpoint` (type: `String`) - Endpoint for [Health Check](https://the-guild.dev/graphql/yoga-server/docs/features/health-check)
+* `healthCheckEndpoint` (type: `String`) - Endpoint for [Health Check](https://the-guild.dev/graphql/yoga-server/docs/features/health-check)
+* `extraParamNames` (type: `Array of String`) - By default, GraphQL Mesh does not allow parameters in the request body except `query`, `variables`, `extensions`, and `operationName`.
+
+This option allows you to specify additional parameters that are allowed in the request body.
+
+@default []
+
+@example ['doc_id', 'id']