spike(core): enablelist for gql proxy queries

Author: chanceaclark

core/app/api/wallets/graphql/route.spec.ts

@@ -0,0 +1,282 @@
+import { print } from 'graphql';
+import { graphql as gql, HttpResponse } from 'msw';
+import { NextRequest } from 'next/server';
+import { beforeEach, describe, expect, test } from 'vitest';
+
+import { graphql } from '~/client/graphql';
+import { server } from '~/msw.server';
+
+import { POST } from './route';
+
+// Mock the API requests
+beforeEach(() => {
+  server.use(
+    gql.query('PaymentWalletWithInitializationDataQuery', () => {
+      return HttpResponse.json({ data: { site: { paymentWalletWithInitializationData: null } } });
+    }),
+    gql.mutation('CreatePaymentWalletIntentMutation', () => {
+      return HttpResponse.json({
+        data: {
+          payment: {
+            paymentWallet: {
+              createPaymentWalletIntent: {
+                paymentWalletIntentData: {
+                  __typename: 'PayPalCommercePaymentWalletIntentData',
+                  orderId: '123',
+                  approvalUrl: 'https://example.com/approval',
+                  initializationEntityId: '456',
+                },
+                errors: [],
+              },
+            },
+          },
+        },
+      });
+    }),
+  );
+});
+
+describe('query validation', () => {
+  test('route handler with valid query', async () => {
+    const query = graphql(`
+      query PaymentWalletWithInitializationDataQuery(
+        $paymentWalletEntityId: String!
+        $cartEntityId: String
+      ) {
+        site {
+          paymentWalletWithInitializationData(
+            filter: { paymentWalletEntityId: $paymentWalletEntityId, cartEntityId: $cartEntityId }
+          ) {
+            initializationData
+          }
+        }
+      }
+    `);
+
+    const request = new NextRequest('http://localhost:3000/api/wallets/graphql', {
+      method: 'POST',
+      body: JSON.stringify({
+        query: print(query),
+        variables: JSON.stringify({
+          paymentWalletEntityId: '123',
+          cartEntityId: '456',
+        }),
+      }),
+    });
+
+    const response = await POST(request);
+    const data: unknown = await response.json();
+
+    expect(data).toMatchObject({ site: { paymentWalletWithInitializationData: null } });
+  });
+
+  test('route handler with invalid query name', async () => {
+    const query = graphql(`
+      query FooBar($paymentWalletEntityId: String!, $cartEntityId: String) {
+        site {
+          paymentWalletWithInitializationData(
+            filter: { paymentWalletEntityId: $paymentWalletEntityId, cartEntityId: $cartEntityId }
+          ) {
+            initializationData
+          }
+        }
+      }
+    `);
+
+    const request = new NextRequest('http://localhost:3000/api/wallets/graphql', {
+      method: 'POST',
+      body: JSON.stringify({
+        query: print(query),
+        variables: JSON.stringify({
+          paymentWalletEntityId: '123',
+          cartEntityId: '456',
+        }),
+      }),
+    });
+
+    const response = await POST(request);
+    const text = await response.text();
+
+    expect(response.status).toBe(403);
+    expect(text).toBe('Operation not allowed');
+  });
+
+  test('route handler with invalid query data', async () => {
+    const query = graphql(`
+      query PaymentWalletWithInitializationDataQuery {
+        site {
+          settings {
+            storeName
+          }
+        }
+      }
+    `);
+
+    const request = new NextRequest('http://localhost:3000/api/wallets/graphql', {
+      method: 'POST',
+      body: JSON.stringify({
+        query: print(query),
+      }),
+    });
+
+    const response = await POST(request);
+    const text = await response.text();
+
+    expect(response.status).toBe(400);
+    expect(text).toBe('Query is invalid');
+  });
+});
+
+describe('mutation validation', () => {
+  test('route handler with valid mutation', async () => {
+    const mutation = graphql(`
+      mutation CreatePaymentWalletIntentMutation(
+        $paymentWalletEntityId: String!
+        $cartEntityId: String!
+      ) {
+        payment {
+          paymentWallet {
+            createPaymentWalletIntent(
+              input: { paymentWalletEntityId: $paymentWalletEntityId, cartEntityId: $cartEntityId }
+            ) {
+              paymentWalletIntentData {
+                __typename
+                ... on PayPalCommercePaymentWalletIntentData {
+                  orderId
+                  approvalUrl
+                  initializationEntityId
+                }
+              }
+              errors {
+                __typename
+                ... on CreatePaymentWalletIntentGenericError {
+                  message
+                }
+                ... on Error {
+                  message
+                }
+              }
+            }
+          }
+        }
+      }
+    `);
+
+    const request = new NextRequest('http://localhost:3000/api/wallets/graphql', {
+      method: 'POST',
+      body: JSON.stringify({
+        query: print(mutation),
+        variables: JSON.stringify({
+          paymentWalletEntityId: '123',
+          cartEntityId: '456',
+        }),
+      }),
+    });
+
+    const response = await POST(request);
+    const data: unknown = await response.json();
+
+    expect(data).toMatchObject({
+      payment: {
+        paymentWallet: {
+          createPaymentWalletIntent: {
+            errors: [],
+            paymentWalletIntentData: {
+              __typename: 'PayPalCommercePaymentWalletIntentData',
+              approvalUrl: 'https://example.com/approval',
+              initializationEntityId: '456',
+              orderId: '123',
+            },
+          },
+        },
+      },
+    });
+  });
+
+  test('route handler with invalid mutation name', async () => {
+    const mutation = graphql(`
+      mutation FooBar($paymentWalletEntityId: String!, $cartEntityId: String!) {
+        payment {
+          paymentWallet {
+            createPaymentWalletIntent(
+              input: { paymentWalletEntityId: $paymentWalletEntityId, cartEntityId: $cartEntityId }
+            ) {
+              paymentWalletIntentData {
+                __typename
+                ... on PayPalCommercePaymentWalletIntentData {
+                  orderId
+                  approvalUrl
+                  initializationEntityId
+                }
+              }
+              errors {
+                __typename
+                ... on CreatePaymentWalletIntentGenericError {
+                  message
+                }
+                ... on Error {
+                  message
+                }
+              }
+            }
+          }
+        }
+      }
+    `);
+
+    const request = new NextRequest('http://localhost:3000/api/wallets/graphql', {
+      method: 'POST',
+      body: JSON.stringify({
+        query: print(mutation),
+        variables: JSON.stringify({
+          paymentWalletEntityId: '123',
+          cartEntityId: '456',
+        }),
+      }),
+    });
+
+    const response = await POST(request);
+    const text = await response.text();
+
+    expect(response.status).toBe(403);
+    expect(text).toBe('Operation not allowed');
+  });
+
+  test('route handler with invalid mutation data', async () => {
+    const query = graphql(`
+      mutation CreatePaymentWalletIntentMutation {
+        logout {
+          result
+        }
+      }
+    `);
+
+    const request = new NextRequest('http://localhost:3000/api/wallets/graphql', {
+      method: 'POST',
+      body: JSON.stringify({
+        query: print(query),
+      }),
+    });
+
+    const response = await POST(request);
+    const text = await response.text();
+
+    expect(response.status).toBe(400);
+    expect(text).toBe('Query is invalid');
+  });
+});
+
+test('route handler with invalid operation', async () => {
+  const request = new NextRequest('http://localhost:3000/api/wallets/graphql', {
+    method: 'POST',
+    body: JSON.stringify({
+      query: 'fragment Foo on Bar { baz }',
+    }),
+  });
+
+  const response = await POST(request);
+  const text = await response.text();
+
+  expect(response.status).toBe(400);
+  expect(text).toBe('No operation found');
+});

core/app/api/wallets/graphql/route.ts

@@ -0,0 +1,116 @@
+import { OperationDefinitionNode, parse, SelectionNode } from 'graphql';
+import { NextRequest } from 'next/server';
+import { z } from 'zod';
+
+import { client } from '~/client';
+import { graphql } from '~/client/graphql';
+
+const ENABLE_LIST = [
+  {
+    name: 'PaymentWalletWithInitializationDataQuery',
+    type: 'query',
+    allowedFields: {
+      site: {
+        paymentWalletWithInitializationData: true, // allow any subfields of paymentWallets
+      },
+    },
+  },
+  {
+    name: 'CreatePaymentWalletIntentMutation',
+    type: 'mutation',
+    allowedFields: {
+      payment: {
+        paymentWallet: {
+          createPaymentWalletIntent: {
+            paymentWalletIntentData: true,
+            errors: true,
+          },
+        },
+      },
+    },
+  },
+];
+
+export const POST = async (request: NextRequest) => {
+  const body: unknown = await request.json();
+  const { document, variables } = z
+    .object({ document: z.string(), variables: z.string().optional() })
+    .parse(body);
+
+  const ast = parse(document, { noLocation: true });
+
+  // Validate operation structure
+  const operation = ast.definitions.find(
+    (definition): definition is OperationDefinitionNode =>
+      definition.kind === 'OperationDefinition',
+  );
+
+  if (!operation) return new Response('No operation found', { status: 400 });
+
+  const config = ENABLE_LIST.find(
+    (entry) => entry.name === operation.name?.value && entry.type === operation.operation,
+  );
+
+  if (!config) return new Response('Operation not allowed', { status: 403 });
+
+  try {
+    assertFieldsAllowed(operation.selectionSet.selections, config.allowedFields);
+  } catch {
+    return new Response('Query is invalid', { status: 400 });
+  }
+
+  const response = await client.fetch({
+    document: graphql(document),
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+    variables: variables ? JSON.parse(variables) : undefined,
+    errorPolicy: 'ignore',
+  });
+
+  return new Response(JSON.stringify(response.data), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  });
+};
+
+interface Allowed {
+  [key: string]: Allowed | boolean | null | undefined;
+}
+
+function assertFieldsAllowed(
+  selections: readonly SelectionNode[],
+  allowed: Allowed,
+  path: string[] = ['site'],
+): asserts selections is readonly SelectionNode[] {
+  selections.forEach((selection) => {
+    if (selection.kind !== 'Field') return;
+
+    const fieldName = selection.name.value;
+    const currentPath = [...path, fieldName];
+
+    if (!(fieldName in allowed)) {
+      throw new Error(`Disallowed field: ${currentPath.join('.')}`);
+    }
+
+    const allowedValue = allowed[fieldName];
+
+    if (allowedValue === true) {
+      // All descendants allowed
+      return;
+    }
+
+    if (typeof allowedValue === 'object' && allowedValue !== null) {
+      if (!selection.selectionSet) {
+        throw new Error(`Expected subfields for: ${currentPath.join('.')}`);
+      }
+
+      assertFieldsAllowed(selection.selectionSet.selections, allowedValue, currentPath);
+
+      return;
+    }
+
+    if (typeof allowedValue !== 'object' && selection.selectionSet) {
+      throw new Error(`Field ${currentPath.join('.')} does not allow subfields`);
+    }
+    // If allowedValue is falsy and no selectionSet, it's fine (already checked above)
+  });
+}