fix(handler): Don't validate if onSubscribe returns execution arguments

Author: enisdenjo

docs/interfaces/HandlerOptions.md

@@ -140,6 +140,8 @@ If you return `ExecutionArgs` from the callback, it will be used instead of
 trying to build one internally. In this case, you are responsible for providing
 a ready set of arguments which will be directly plugged in the operation execution.
 
+You *must* validate the `ExecutionArgs` yourself if returning them.
+
 If you return an array of `GraphQLError` from the callback, they will be reported
 to the client while complying with the spec.
 

src/__tests__/server.ts

@@ -108,10 +108,7 @@ describe('Request', () => {
   describe('GET', () => {
     it('must not allow executing mutations', async () => {
       const url = new URL(serverUrl);
-      url.searchParams.set(
-        'query',
-        'mutation { f10d019f15804f92a7c7470205c866da }', // making sure the field doesnt exist
-      );
+      url.searchParams.set('query', 'mutation { __typename }');
 
       const res = await fetch(url.toString(), {
         headers: {

src/handler.ts

@@ -77,6 +77,8 @@ export interface HandlerOptions<RawRequest = unknown> {
   /**
    * A custom GraphQL validate function allowing you to apply your
    * own validation rules.
+   *
+   * Will not be used when implementing a custom `onSubscribe`.
    */
   validate?: typeof graphqlValidate;
   /**
@@ -104,6 +106,8 @@ export interface HandlerOptions<RawRequest = unknown> {
    * trying to build one internally. In this case, you are responsible for providing
    * a ready set of arguments which will be directly plugged in the operation execution.
    *
+   * You *must* validate the `ExecutionArgs` yourself if returning them.
+   *
    * If you return an array of `GraphQLError` from the callback, they will be reported
    * to the client while complying with the spec.
    *
@@ -485,6 +489,30 @@ export function createHandler<RawRequest = unknown>(
           schema,
         };
       }
+
+      const validationErrs = validate(args.schema, args.document);
+      if (validationErrs.length) {
+        return [
+          JSON.stringify({ errors: validationErrs }),
+          {
+            ...(acceptedMediaType === 'application/json'
+              ? {
+                  status: 200,
+                  statusText: 'OK',
+                }
+              : {
+                  status: 400,
+                  statusText: 'Bad Request',
+                }),
+            headers: {
+              'content-type':
+                acceptedMediaType === 'application/json'
+                  ? 'application/json; charset=utf-8'
+                  : 'application/graphql+json; charset=utf-8',
+            },
+          },
+        ];
+      }
     }
 
     let operation: OperationTypeNode;
@@ -542,30 +570,6 @@ export function createHandler<RawRequest = unknown>(
       args.contextValue = maybeResOrContext;
     }
 
-    const validationErrs = validate(args.schema, args.document);
-    if (validationErrs.length) {
-      return [
-        JSON.stringify({ errors: validationErrs }),
-        {
-          ...(acceptedMediaType === 'application/json'
-            ? {
-                status: 200,
-                statusText: 'OK',
-              }
-            : {
-                status: 400,
-                statusText: 'Bad Request',
-              }),
-          headers: {
-            'content-type':
-              acceptedMediaType === 'application/json'
-                ? 'application/json; charset=utf-8'
-                : 'application/graphql+json; charset=utf-8',
-          },
-        },
-      ];
-    }
-
     let result = await execute(args);
     const maybeResOrResult = await onOperation?.(req, args, result);
     if (isResponse(maybeResOrResult)) return maybeResOrResult;