feat/expose-limits (#717)

* feat(packages/plugins/character-limit): add exposeLimits and errorMessage options

* feat(packages/plugins/cost-limit): add exposeLimits and errorMessage options

* feat(packages/plugins/max-aliases): add exposeLimits and errorMessage options

* feat(packages/plugins/max-depth): add exposeLimits and errorMessage options

* feat(packages/plugins/max-tokens): add exposeLimits and errorMessage options

* fix(plugins): ensure proper newline at end of character-limit file

* fix(plugins): ensure proper newline at end of cost-limit file

* fix(plugins): ensure proper newline at end of max-aliases file

* fix(plugins): ensure proper newline at end of max-depth file

* fix(plugins): ensure proper newline at end of max-tokens file

* fix: revert max tokens

* feat(plugins): expose limits in default options

* test(character-limit): update tests for character limit plugin

* test(cost-limit): update tests for cost limit plugin

* test(max-aliases): update tests for max aliases plugin

* test(max-depth): update tests for max depth plugin

* test(max-directives): update tests for max directives plugin

* test(max-tokens): update tests for max tokens plugin

* fix(test/character-limit): clean up error messages and remove unused tests

* fix(test/cost-limit): update cost parameters and remove unused tests

* fix(test/max-aliases): simplify alias checks and remove unused tests

* fix(test/max-depth): adjust depth limits and clean up tests

* fix(test/max-directives): refine directive limits and clear out tests

* fix(src/max-tokens): ensure consistent end of file formatting

* fix(test/max-tokens): format operation strings for readability

* feat: changeset

Author: nullswan

.changeset/lemon-suns-chew.md

@@ -0,0 +1,12 @@
+---
+'@escape.tech/graphql-armor-character-limit': minor
+'@escape.tech/graphql-armor-max-directives': minor
+'@escape.tech/graphql-armor-max-aliases': minor
+'@escape.tech/graphql-armor-cost-limit': minor
+'@escape.tech/graphql-armor-max-tokens': minor
+'@escape.tech/graphql-armor-max-depth': minor
+'@escape.tech/graphql-armor': minor
+'@escape.tech/graphql-armor-types': minor
+---
+
+Add exposeLimit [!716](https://github.com/Escape-Technologies/graphql-armor/issues/716)

packages/plugins/character-limit/src/index.ts

@@ -2,16 +2,29 @@ import type { Plugin } from '@envelop/core';
 import type { GraphQLArmorCallbackConfiguration } from '@escape.tech/graphql-armor-types';
 import { GraphQLError } from 'graphql';
 
-export type CharacterLimitOptions = { maxLength?: number } & GraphQLArmorCallbackConfiguration;
+export type CharacterLimitOptions = {
+  maxLength?: number;
+  exposeLimits?: boolean;
+  errorMessage?: string;
+} & GraphQLArmorCallbackConfiguration;
+
 export const characterLimitDefaultOptions: Required<CharacterLimitOptions> = {
   maxLength: 15000,
+  exposeLimits: true,
+  errorMessage: 'Query validation error.',
   onAccept: [],
   onReject: [],
   propagateOnRejection: true,
 };
 
-/* CharacterLimitPlugin Supports Apollo Server v3 and ver4 */
-export const ApolloServerCharacterLimitPlugin = function (maxLength: number): any {
+/* CharacterLimitPlugin Supports Apollo Server v3 and v4 */
+export const ApolloServerCharacterLimitPlugin = function (options?: CharacterLimitOptions): any {
+  const config = Object.assign(
+    {},
+    characterLimitDefaultOptions,
+    ...Object.entries(options ?? {}).map(([k, v]) => (v === undefined ? {} : { [k]: v })),
+  );
+
   return {
     requestDidStart(requestContext: any): Promise<any> | undefined {
       const { request } = requestContext;
@@ -21,11 +34,18 @@ export const ApolloServerCharacterLimitPlugin = function (maxLength: number): an
       }
       const queryLength = request.query.length;
 
-      if (queryLength > maxLength) {
-        throw new GraphQLError(`Query exceeds our maximum allowed length`, {
+      if (queryLength > config.maxLength) {
+        const message = config.exposeLimits
+          ? `Query exceeds the maximum allowed length of ${config.maxLength}, found ${queryLength}.`
+          : config.errorMessage;
+        throw new GraphQLError(message, {
           extensions: { code: 'BAD_USER_INPUT' },
         });
       }
+
+      for (const handler of config.onAccept) {
+        handler(null, { queryLength });
+      }
     },
   };
 };
@@ -38,14 +58,16 @@ export const characterLimitPlugin = (options?: CharacterLimitOptions): Plugin =>
   );
 
   return {
-    onParse({ parseFn, setParseFn }) {
-      setParseFn((source, options) => {
+    onParse({ parseFn, setParseFn }: any) {
+      setParseFn((source: string | { body: string }, options: any) => {
         const query = typeof source === 'string' ? source : source.body;
+        const queryLength = query.length;
 
-        if (query && query.length > config.maxLength) {
-          const err = new GraphQLError(
-            `Syntax Error: Character limit of ${config.maxLength} exceeded, found ${query.length}.`,
-          );
+        if (query && queryLength > config.maxLength) {
+          const message = config.exposeLimits
+            ? `Character limit of ${config.maxLength} exceeded, found ${queryLength}.`
+            : config.errorMessage;
+          const err = new GraphQLError(`Syntax Error: ${message}`);
 
           for (const handler of config.onReject) {
             handler(null, err);
@@ -56,7 +78,7 @@ export const characterLimitPlugin = (options?: CharacterLimitOptions): Plugin =>
           }
         } else {
           for (const handler of config.onAccept) {
-            handler(null, { query });
+            handler(null, { queryLength });
           }
         }
 

packages/plugins/character-limit/test/index.spec.ts

@@ -14,6 +14,7 @@ const typeDefinitions = `
     books: [Book]
   }
 `;
+
 const books = [
   {
     title: 'The Awakening',
@@ -36,7 +37,7 @@ const schema = makeExecutableSchema({
   typeDefs: [typeDefinitions],
 });
 
-describe('global', () => {
+describe('characterLimitPlugin', () => {
   it('should be defined', () => {
     expect(characterLimitPlugin).toBeDefined();
 
@@ -52,7 +53,7 @@ describe('global', () => {
     }
   }`;
 
-  it('should works by default', async () => {
+  it('should work by default', async () => {
     const testkit = createTestkit([], schema);
     const result = await testkit.execute(query);
 
@@ -63,16 +64,16 @@ describe('global', () => {
     });
   });
 
-  it('should reject query', async () => {
+  it('should reject query exceeding max length', async () => {
     const length = query.length - 1;
     const testkit = createTestkit([characterLimitPlugin({ maxLength: length })], schema);
     const result = await testkit.execute(query);
 
     assertSingleExecutionValue(result);
     expect(result.errors).toBeDefined();
-    expect(result.errors?.map((error) => error.message)).toEqual([
+    expect(result.errors?.[0].message).toEqual(
       `Syntax Error: Character limit of ${length} exceeded, found ${length + 1}.`,
-    ]);
+    );
   });
 
   it('should not limit query variables', async () => {
@@ -90,4 +91,46 @@ describe('global', () => {
       books: books,
     });
   });
+
+  it('rejects with a generic error message when exposeLimits is false', async () => {
+    const length = 10;
+    const customMessage = 'Custom error message.';
+    const testkit = createTestkit(
+      [
+        characterLimitPlugin({
+          maxLength: length,
+          exposeLimits: false,
+          errorMessage: customMessage,
+        }),
+      ],
+      schema,
+    );
+    const longQuery = 'query { ' + 'a'.repeat(length + 1) + ' }';
+    const result = await testkit.execute(longQuery);
+
+    assertSingleExecutionValue(result);
+    expect(result.errors).toBeDefined();
+    expect(result.errors?.[0].message).toEqual(`Syntax Error: ${customMessage}`);
+  });
+
+  it('rejects with detailed error message when exposeLimits is true', async () => {
+    const length = 10;
+    const testkit = createTestkit(
+      [
+        characterLimitPlugin({
+          maxLength: length,
+          exposeLimits: true,
+        }),
+      ],
+      schema,
+    );
+    const longQuery = 'query { ' + 'a'.repeat(length + 2) + ' }';
+    const result = await testkit.execute(longQuery);
+
+    assertSingleExecutionValue(result);
+    expect(result.errors).toBeDefined();
+    expect(result.errors?.[0].message).toEqual(
+      `Syntax Error: Character limit of ${length} exceeded, found ${length + 10 + 2}.`,
+    );
+  });
 });

packages/plugins/cost-limit/src/index.ts

@@ -18,14 +18,19 @@ export type CostLimitOptions = {
   depthCostFactor?: number;
   ignoreIntrospection?: boolean;
   fragmentRecursionCost?: number;
+  exposeLimits?: boolean;
+  errorMessage?: string;
 } & GraphQLArmorCallbackConfiguration;
+
 const costLimitDefaultOptions: Required<CostLimitOptions> = {
   maxCost: 5000,
   objectCost: 2,
   scalarCost: 1,
   depthCostFactor: 1.5,
   fragmentRecursionCost: 1000,
   ignoreIntrospection: true,
+  exposeLimits: true,
+  errorMessage: 'Query validation error.',
   onAccept: [],
   onReject: [],
   propagateOnRejection: true,
@@ -48,16 +53,17 @@ class CostLimitVisitor {
     this.visitedFragments = new Map();
 
     this.OperationDefinition = {
-      enter: this.onOperationDefinitionEnter,
+      enter: this.onOperationDefinitionEnter.bind(this),
     };
   }
 
   onOperationDefinitionEnter(operation: OperationDefinitionNode): void {
     const complexity = this.computeComplexity(operation);
     if (complexity > this.config.maxCost) {
-      const err = new GraphQLError(
-        `Syntax Error: Query Cost limit of ${this.config.maxCost} exceeded, found ${complexity}.`,
-      );
+      const message = this.config.exposeLimits
+        ? `Query Cost limit of ${this.config.maxCost} exceeded, found ${complexity}.`
+        : this.config.errorMessage;
+      const err = new GraphQLError(`Syntax Error: ${message}`);
 
       for (const handler of this.config.onReject) {
         handler(this.context, err);
@@ -81,7 +87,7 @@ class CostLimitVisitor {
       return 0;
     }
 
-    if (node.kind == Kind.OPERATION_DEFINITION) {
+    if (node.kind === Kind.OPERATION_DEFINITION) {
       return node.selectionSet.selections.reduce((v, child) => v + this.computeComplexity(child, depth + 1), 0);
     }
 
@@ -93,7 +99,7 @@ class CostLimitVisitor {
       }
     }
 
-    if (node.kind == Kind.FRAGMENT_SPREAD) {
+    if (node.kind === Kind.FRAGMENT_SPREAD) {
       if (this.visitedFragments.has(node.name.value)) {
         const visitCost = this.visitedFragments.get(node.name.value) ?? 0;
         return cost + this.config.depthCostFactor * visitCost;

packages/plugins/cost-limit/test/index.spec.ts

@@ -16,6 +16,7 @@ const typeDefinitions = `
     getBook(title: String): Book
   }
 `;
+
 const books = [
   {
     title: 'The Awakening',
@@ -30,7 +31,7 @@ const books = [
 const resolvers = {
   Query: {
     books: () => books,
-    getBook: (title: string) => books.find((book) => book.title === title),
+    getBook: (_: any, { title }: { title: string }) => books.find((book) => book.title === title),
   },
 };
 
@@ -39,7 +40,7 @@ export const schema = makeExecutableSchema({
   typeDefs: [typeDefinitions],
 });
 
-describe('global', () => {
+describe('costLimitPlugin', () => {
   it('should be defined', () => {
     expect(costLimitPlugin).toBeDefined();
 
@@ -55,7 +56,7 @@ describe('global', () => {
     }
   }`;
 
-  it('should works for default query', async () => {
+  it('should work for default query', async () => {
     const testkit = createTestkit([], schema);
     const result = await testkit.execute(query);
 
@@ -90,7 +91,7 @@ describe('global', () => {
     const testkit = createTestkit(
       [
         costLimitPlugin({
-          maxCost: 11 - 1,
+          maxCost: 10,
           objectCost: 1,
           scalarCost: 1,
           depthCostFactor: 2,
@@ -169,4 +170,52 @@ describe('global', () => {
     expect(result.errors).toBeDefined();
     expect(result.errors?.map((error) => error.message)).toContain('Cannot spread fragment "A" within itself via "B".');
   });
+
+  it('rejects with a generic error message when exposeLimits is false', async () => {
+    const maxCost = 10;
+    const customMessage = 'Custom error message.';
+    const testkit = createTestkit(
+      [
+        costLimitPlugin({
+          maxCost: maxCost,
+          exposeLimits: false,
+          errorMessage: customMessage,
+          objectCost: 4,
+          scalarCost: 2,
+          depthCostFactor: 2,
+          ignoreIntrospection: true,
+        }),
+      ],
+      schema,
+    );
+    const result = await testkit.execute(query);
+
+    assertSingleExecutionValue(result);
+    expect(result.errors).toBeDefined();
+    expect(result.errors?.map((error) => error.message)).toEqual([`Syntax Error: ${customMessage}`]);
+  });
+
+  it('rejects with detailed error message when exposeLimits is true', async () => {
+    const maxCost = 10;
+    const testkit = createTestkit(
+      [
+        costLimitPlugin({
+          maxCost: maxCost,
+          exposeLimits: true,
+          objectCost: 4,
+          scalarCost: 2,
+          depthCostFactor: 2,
+          ignoreIntrospection: true,
+        }),
+      ],
+      schema,
+    );
+    const result = await testkit.execute(query);
+
+    assertSingleExecutionValue(result);
+    expect(result.errors).toBeDefined();
+    expect(result.errors?.map((error) => error.message)).toEqual([
+      `Syntax Error: Query Cost limit of ${maxCost} exceeded, found 12.`,
+    ]);
+  });
 });

packages/plugins/max-aliases/src/index.ts

@@ -11,13 +11,21 @@ import {
   ValidationContext,
 } from 'graphql';
 
-type MaxAliasesOptions = { n?: number; allowList?: string[] } & GraphQLArmorCallbackConfiguration;
+type MaxAliasesOptions = {
+  n?: number;
+  allowList?: string[];
+  exposeLimits?: boolean;
+  errorMessage?: string;
+} & GraphQLArmorCallbackConfiguration;
+
 const maxAliasesDefaultOptions: Required<MaxAliasesOptions> = {
   n: 15,
+  allowList: [],
+  exposeLimits: true,
+  errorMessage: 'Query validation error.',
   onAccept: [],
   onReject: [],
   propagateOnRejection: true,
-  allowList: [],
 };
 
 class MaxAliasesVisitor {
@@ -37,14 +45,17 @@ class MaxAliasesVisitor {
     this.visitedFragments = new Map();
 
     this.OperationDefinition = {
-      enter: this.onOperationDefinitionEnter,
+      enter: this.onOperationDefinitionEnter.bind(this),
     };
   }
 
   onOperationDefinitionEnter(operation: OperationDefinitionNode): void {
     const aliases = this.countAliases(operation);
     if (aliases > this.config.n) {
-      const err = new GraphQLError(`Syntax Error: Aliases limit of ${this.config.n} exceeded, found ${aliases}.`);
+      const message = this.config.exposeLimits
+        ? `Aliases limit of ${this.config.n} exceeded, found ${aliases}.`
+        : this.config.errorMessage;
+      const err = new GraphQLError(`Syntax Error: ${message}`);
 
       for (const handler of this.config.onReject) {
         handler(this.context, err);