feat: allow extra params in body (#3333)

ardatan · web-flow · commit 9f3f94522a9e · 2024-07-01T13:54:38.000+03:00
* feat: allow extra params in body * Apply feedback https://github.com/dotansimha/graphql-yoga/pull/3333\#discussion_r1658423243 * Docs * Update request-customization.mdx * Prettier
diff --git a/.changeset/eighty-books-wonder.md b/.changeset/eighty-books-wonder.md
@@ -0,0 +1,29 @@
+---
+'graphql-yoga': minor
+---
+
+By default, Yoga does not allow extra parameters in the request body other than `query`, `operationName`, `extensions`, and `variables`, then throws 400 HTTP Error.
+This change adds a new option called `extraParamNames` to allow extra parameters in the request body.
+
+```ts
+import { createYoga } from 'graphql-yoga';
+
+const yoga = createYoga({
+  /* other options */
+  extraParamNames: ['extraParam1', 'extraParam2'],
+});
+
+const res = await yoga.fetch('/graphql', {
+    method: 'POST',
+    headers: {
+        'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+        query: 'query { __typename }',
+        extraParam1: 'value1',
+        extraParam2: 'value2',
+    }),
+});
+
+console.assert(res.status === 200);
+```
diff --git a/packages/graphql-yoga/__tests__/requests.spec.ts b/packages/graphql-yoga/__tests__/requests.spec.ts
@@ -402,6 +402,47 @@ describe('requests', () => {
     expect(body.errors?.[0].message).toBe('Unexpected parameter "test" in the request body.');
   });
 
+  it('does not error if there is a specified invalid parameter in the request body', async () => {
+    const yoga = createYoga({
+      schema,
+      logging: false,
+      extraParamNames: ['test'],
+    });
+    const response = await yoga.fetch(`http://yoga/graphql`, {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/graphql+json',
+      },
+      body: JSON.stringify({ query: '{ ping }', test: 'a' }),
+    });
+
+    expect(response.status).toBe(200);
+    const body = await response.json();
+    expect(body.errors).toBeUndefined();
+    expect(body.data.ping).toBe('pong');
+  });
+
+  it('throws when there is an invalid parameter in the request body other than the specified invalid parameters', async () => {
+    const yoga = createYoga({
+      schema,
+      logging: false,
+      extraParamNames: ['test'],
+    });
+    const response = await yoga.fetch(`http://yoga/graphql`, {
+      method: 'POST',
+      headers: {
+        accept: 'application/graphql-response+json',
+        'content-type': 'application/graphql+json',
+      },
+      body: JSON.stringify({ query: '{ ping }', test2: 'a' }),
+    });
+
+    expect(response.status).toBe(400);
+    const body = await response.json();
+    expect(body.data).toBeUndefined();
+    expect(body.errors?.[0].message).toBe('Unexpected parameter "test2" in the request body.');
+  });
+
   it('should use supported accept header when multiple are provided', async () => {
     const response = await yoga.fetch('http://yoga/test-graphql', {
       method: 'POST',
diff --git a/packages/graphql-yoga/src/plugins/request-validation/use-check-graphql-query-params.ts b/packages/graphql-yoga/src/plugins/request-validation/use-check-graphql-query-params.ts
@@ -4,7 +4,10 @@ import type { Plugin } from '../types.js';
 
 const expectedParameters = new Set(['query', 'variables', 'operationName', 'extensions']);
 
-export function assertInvalidParams(params: unknown): asserts params is GraphQLParams {
+export function assertInvalidParams(
+  params: unknown,
+  extraParamNames?: string[],
+): asserts params is GraphQLParams {
   if (params == null || typeof params !== 'object') {
     throw createGraphQLError('Invalid "params" in the request body', {
       extensions: {
@@ -20,6 +23,9 @@ export function assertInvalidParams(params: unknown): asserts params is GraphQLP
       continue;
     }
     if (!expectedParameters.has(paramKey)) {
+      if (extraParamNames?.includes(paramKey)) {
+        continue;
+      }
       throw createGraphQLError(`Unexpected parameter "${paramKey}" in the request body.`, {
         extensions: {
           http: {
@@ -31,7 +37,10 @@ export function assertInvalidParams(params: unknown): asserts params is GraphQLP
   }
 }
 
-export function checkGraphQLQueryParams(params: unknown): GraphQLParams {
+export function checkGraphQLQueryParams(
+  params: unknown,
+  extraParamNames?: string[],
+): GraphQLParams {
   if (!isObject(params)) {
     throw createGraphQLError(
       `Expected params to be an object but given ${extendedTypeof(params)}.`,
@@ -48,7 +57,7 @@ export function checkGraphQLQueryParams(params: unknown): GraphQLParams {
     );
   }
 
-  assertInvalidParams(params);
+  assertInvalidParams(params, extraParamNames);
 
   if (params.query == null) {
     throw createGraphQLError('Must provide query string.', {
@@ -124,10 +133,10 @@ export function isValidGraphQLParams(params: unknown): params is GraphQLParams {
   }
 }
 
-export function useCheckGraphQLQueryParams(): Plugin {
+export function useCheckGraphQLQueryParams(extraParamNames?: string[]): Plugin {
   return {
     onParams({ params }) {
-      checkGraphQLQueryParams(params);
+      checkGraphQLQueryParams(params, extraParamNames);
     },
   };
 }
diff --git a/packages/graphql-yoga/src/server.ts b/packages/graphql-yoga/src/server.ts
@@ -163,6 +163,17 @@ export type YogaServerOptions<TServerContext, TUserContext> = {
    * @default false
    */
   batching?: BatchingOptions | undefined;
+
+  /**
+   * By default, GraphQL Yoga does not allow parameters in the request body except `query`, `variables`, `extensions`, and `operationName`.
+   *
+   * This option allows you to specify additional parameters that are allowed in the request body.
+   *
+   * @default []
+   *
+   * @example ['doc_id', 'id']
+   */
+  extraParamNames?: string[] | undefined;
 };
 
 export type BatchingOptions =
@@ -359,7 +370,7 @@ export class YogaServer<
           // @ts-expect-error Add plugins has context but this hook doesn't care
           addPlugin(useLimitBatching(batchingLimit));
           // @ts-expect-error Add plugins has context but this hook doesn't care
-          addPlugin(useCheckGraphQLQueryParams());
+          addPlugin(useCheckGraphQLQueryParams(options?.extraParamNames));
           const showLandingPage = !!(options?.landingPage ?? true);
           addPlugin(
             // @ts-expect-error Add plugins has context but this hook doesn't care
diff --git a/website/src/pages/docs/features/_meta.ts b/website/src/pages/docs/features/_meta.ts
@@ -24,4 +24,5 @@ export default {
   testing: 'Testing',
   jwt: 'JWT',
   'landing-page': 'Landing Page',
+  'request-customization': 'Request Customization',
 };
diff --git a/website/src/pages/docs/features/request-customization.mdx b/website/src/pages/docs/features/request-customization.mdx
@@ -0,0 +1,204 @@
+---
+description: You can customize the request handling in GraphQL Yoga
+---
+
+# Request Customization
+
+For each type of request, GraphQL Yoga uses a specific parser to parse the incoming request and
+extract the GraphQL operation from it. Then it applies some validation logic to the extracted
+object, then it passes it to the GraphQL execution engine. Yoga mostly follows GraphQL-over-HTTP
+standards for this validation and parsing logic.
+[See the GraphQL-over-HTTP compliance test results of GraphQL Yoga](https://github.com/graphql/graphql-http/blob/main/implementations/graphql-yoga/README.md)
+
+The parsers are expected to return `GraphQLParams` object that contains the following properties:
+
+- `query`: The GraphQL operation as a string.
+- `variables`: The variables for the operation.
+- `operationName`: The name of the operation.
+- `extensions`: The extensions for the operation.
+
+It doesn't matter how the request is sent, Yoga engine expects the request to parsed in the form of
+a `GraphQLParams` object.
+
+## Request Parser
+
+Request parsers are responsible for extracting the GraphQL operation and the other relevant
+information from the incoming request. Each parser is responsible for a specific type of request
+based on the content type and the HTTP method.
+
+### GraphQL-over-HTTP Spec
+
+These parsers are implemented following the
+[GraphQL-over-HTTP spec](https://graphql.github.io/graphql-over-http/).
+
+#### `GET` Parser
+
+This request parser extracts the GraphQL operation from the query string by following
+GraphQL-over-HTTP spec.
+
+[See the implementation](https://github.com/dotansimha/graphql-yoga/blob/main/packages/graphql-yoga/src/plugins/request-parser/get.ts)
+[See the relevant part in GraphQL-over-HTTP spec](https://graphql.github.io/graphql-over-http/draft/#sec-GET)
+
+##### Example Request
+
+```ts
+fetch('/graphql?query=query { __typename }')
+```
+
+#### `POST` JSON Parser
+
+This request parser extracts the GraphQL operation from the JSON body of the POST request by
+following GraphQL-over-HTTP spec.
+
+[See the implementation](https://github.com/dotansimha/graphql-yoga/blob/main/packages/graphql-yoga/src/plugins/request-parser/post-json.ts).
+
+##### Example Request
+
+```ts
+fetch('/graphql', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify({
+    query: 'query { __typename }'
+  })
+})
+```
+
+### GraphQL Multipart Request Spec
+
+The parser for multipart requests is implemented following the
+[GraphQL Multipart Request Spec](https://github.com/jaydenseric/graphql-multipart-request-spec).
+
+#### `POST` Multipart Parser
+
+This request parser extracts the GraphQL operation from the multipart request by following the
+GraphQL Multipart Request Spec. It handles the HTTP request by parsing it as `multipart/form-data`
+and extracting the GraphQL operation from it.
+
+[See the implementation](https://github.com/dotansimha/graphql-yoga/blob/main/packages/graphql-yoga/src/plugins/request-parser/post-multipart.ts).
+
+##### Example Request
+
+```ts
+const formData = new FormData()
+formData.append('operations', JSON.stringify({ query: 'query { __typename }' }))
+fetch('/graphql', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'multipart/form-data'
+  },
+  body: formData
+})
+```
+
+### Extra Parsers
+
+These parsers are not part of any spec but are de-facto standards in the GraphQL community.
+
+### `POST` GraphQL String Parser
+
+This request parser extracts the GraphQL operation from the body of the POST request as a string.
+
+[See the implementation](https://github.com/dotansimha/graphql-yoga/blob/main/packages/graphql-yoga/src/plugins/request-parser/post-graphql-string.ts).
+
+##### Example Request
+
+```ts
+fetch('/graphql', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/graphql'
+  },
+  body: 'query { __typename }'
+})
+```
+
+### `POST` FormUrlEncoded Parser
+
+This request parser extracts the GraphQL operation from the form data as url encoded in the POST
+body. The context is similar to the `GET` parser but the data is sent in the body of the request.
+
+[See the implementation](https://github.com/dotansimha/graphql-yoga/blob/main/packages/graphql-yoga/src/plugins/request-parser/post-form-url-encoded.ts)
+
+##### Example Request
+
+```ts
+fetch('/graphql', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/x-www-form-urlencoded'
+  },
+  body: 'query=query { __typename }'
+})
+```
+
+### Write your own parser
+
+If you want to handle a specific type of request body that is not part of the list above, you can
+write your own parser. We use `onRequestParse` to hook into the request parsing process and add your
+own logic.
+
+Request parsers are functions that take the request object and return a promise that resolves to a
+`GraphQLParams` object.
+
+```ts
+import { GraphQLParams, Plugin } from 'graphql-yoga'
+
+const useMyParser: Plugin = () => {
+  return {
+    onRequestParse({ request, url, setRequestParser }) {
+      const contentType = request.headers.get('Content-Type')
+      if (contentType === 'application/my-content-type') {
+        setRequestParser(async function myParser() {
+          const body = await request.text()
+          const params: GraphQLParams = getParamsFromMyParser(body)
+          return params
+        })
+      }
+    }
+  }
+}
+```
+
+## Request Validation
+
+Request validation is the process of validating the incoming request to ensure that it follows the
+GraphQL-over-HTTP spec. Besides the required validation rules, Yoga applies some extra rules to
+ensure the security and the performance of the server such as disallowing extra paramters in the
+request body. However, you can customize this kind of behaviors on your own risk.
+
+### Extra Parameters in `GraphQLParams`
+
+Yoga doesn't allow extra parameters in the request body other than `query`, `operationName`,
+`extensions`, and `variables`. And it returns a 400 HTTP error if it finds any extra parameters. But
+you can customize this behavior by passing an array of extra parameter names to the
+`extraParamNames` option.
+
+```ts
+import { createYoga } from 'graphql-yoga'
+
+const yoga = createYoga({
+  /* other options */
+  extraParamNames: ['extraParam1', 'extraParam2']
+})
+```
+
+Then you can send extra parameters in the request body.
+
+```ts
+const res = await yoga.fetch('/graphql', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json'
+  },
+  body: JSON.stringify({
+    query: 'query { __typename }',
+    extraParam1: 'value1',
+    extraParam2: 'value2'
+  })
+})
+
+console.assert(res.status === 200)
+```
