@deenruv/harden-plugin 1.0.0

package/LICENSE

@@ -0,0 +1,23 @@
+# License 1
+
+The MIT License
+
+Copyright (c) 2025-present Aexol
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# License 2
+
+The MIT License
+
+Copyright (c) 2018-2025 Michael Bromley
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,52 @@
+# @deenruv/harden-plugin
+
+Hardens your Deenruv GraphQL APIs against abuse and attacks. Recommended for all production deployments.
+
+## Installation
+
+```bash
+pnpm add @deenruv/harden-plugin
+```
+
+## Configuration
+
+```typescript
+import { HardenPlugin } from '@deenruv/harden-plugin';
+
+const config = {
+  plugins: [
+    HardenPlugin.init({
+      maxQueryComplexity: 650,
+      apiMode: process.env.APP_ENV === 'dev' ? 'dev' : 'prod',
+    }),
+  ],
+};
+```
+
+**Options:**
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `maxQueryComplexity` | `number` | `1000` | Maximum permitted query complexity score |
+| `apiMode` | `'dev' \| 'prod'` | `'prod'` | In `prod` mode, disables introspection and GraphQL playground |
+| `hideFieldSuggestions` | `boolean` | `true` | Prevents field name suggestions in error messages (blocks schema sniffing) |
+| `logComplexityScore` | `boolean` | `false` | Logs complexity score breakdown for each query (useful for tuning) |
+| `customComplexityFactors` | `{ [path: string]: number }` | - | Custom complexity weights for specific fields |
+| `queryComplexityEstimators` | `ComplexityEstimator[]` | Deenruv default | Custom estimator functions for complexity calculation |
+
+## Features
+
+- **Query complexity analysis** - Rejects overly complex queries that could overload server resources (powered by [graphql-query-complexity](https://www.npmjs.com/package/graphql-query-complexity))
+- **Introspection control** - Disables introspection and GraphQL playground in production mode
+- **Field suggestion hiding** - Removes field name suggestions from validation errors, preventing trial-and-error schema discovery
+- **Complexity logging** - Optional detailed logging of query complexity scores for tuning the `maxQueryComplexity` threshold
+- **Custom complexity weights** - Per-field complexity factors for expensive custom operations
+- **Deenruv-optimized estimator** - Default complexity estimator tuned specifically for the Deenruv API (applies a factor of 1000 for list queries without a `take` argument)
+
+## Admin UI
+
+Server-only plugin. No Admin UI extensions.
+
+## API Extensions
+
+No GraphQL API extensions. This plugin configures Apollo Server plugins for query analysis and validation.

package/lib/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./src/harden.plugin";
+export * from "./src/types";
+export * from "./src/middleware/query-complexity-plugin";

package/lib/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./src/harden.plugin"), exports);
+__exportStar(require("./src/types"), exports);
+__exportStar(require("./src/middleware/query-complexity-plugin"), exports);
+//# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,sDAAoC;AACpC,8CAA4B;AAC5B,2EAAyD"}

package/lib/src/constants.d.ts

@@ -0,0 +1,2 @@
+export declare const loggerCtx = "HardenPlugin";
+export declare const HARDEN_PLUGIN_OPTIONS: unique symbol;

package/lib/src/constants.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HARDEN_PLUGIN_OPTIONS = exports.loggerCtx = void 0;
+exports.loggerCtx = "HardenPlugin";
+exports.HARDEN_PLUGIN_OPTIONS = Symbol("HARDEN_PLUGIN_OPTIONS");
+//# sourceMappingURL=constants.js.map

package/lib/src/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,SAAS,GAAG,cAAc,CAAC;AAC3B,QAAA,qBAAqB,GAAG,MAAM,CAAC,uBAAuB,CAAC,CAAC"}

package/lib/src/harden.plugin.d.ts

@@ -0,0 +1,143 @@
+import { HardenPluginOptions } from "./types";
+/**
+ * @description
+ * The HardenPlugin hardens the Shop and Admin GraphQL APIs against attacks and abuse.
+ *
+ * - It analyzes the complexity on incoming graphql queries and rejects queries that are too complex and
+ *   could be used to overload the resources of the server.
+ * - It disables dev-mode API features such as introspection and the GraphQL playground app.
+ * - It removes field name suggestions to prevent trial-and-error schema sniffing.
+ *
+ * It is a recommended plugin for all production configurations.
+ *
+ * ## Installation
+ *
+ * `yarn add \@deenruv/harden-plugin`
+ *
+ * or
+ *
+ * `npm install \@deenruv/harden-plugin`
+ *
+ * Then add the `HardenPlugin`, calling the `.init()` method with {@link HardenPluginOptions}:
+ *
+ * @example
+ * ```ts
+ * import { HardenPlugin } from '\@deenruv/harden-plugin';
+ *
+ * const config: DeenruvConfig = {
+ *   // Add an instance of the plugin to the plugins array
+ *   plugins: [
+ *      HardenPlugin.init({
+ *        maxQueryComplexity: 650,
+ *        apiMode: process.env.APP_ENV === 'dev' ? 'dev' : 'prod',
+ *      }),
+ *   ],
+ * };
+ * ```
+ *
+ * ## Setting the max query complexity
+ *
+ * The `maxQueryComplexity` option determines how complex a query can be. The complexity of a query relates to how many, and how
+ * deeply-nested are the fields being selected, and is intended to roughly correspond to the amount of server resources that would
+ * be required to resolve that query.
+ *
+ * The goal of this setting is to prevent attacks in which a malicious actor crafts a very complex query in order to overwhelm your
+ * server resources. Here's an example of a request which would likely overwhelm a Deenruv server:
+ *
+ * ```GraphQL
+ * query EvilQuery {
+ *   products {
+ *     items {
+ *       collections {
+ *         productVariants {
+ *           items {
+ *             product {
+ *               collections {
+ *                 productVariants {
+ *                   items {
+ *                     product {
+ *                       variants {
+ *                         name
+ *                       }
+ *                     }
+ *                   }
+ *                 }
+ *               }
+ *             }
+ *           }
+ *         }
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * This evil query has a complexity score of 2,443,203 - much greater than the default of 1,000!
+ *
+ * The complexity score is calculated by the [graphql-query-complexity library](https://www.npmjs.com/package/graphql-query-complexity),
+ * and by default uses the {@link defaultDeenruvComplexityEstimator}, which is tuned specifically to the Deenruv Shop API.
+ *
+ * :::caution
+ * Note: By default, if the "take" argument is omitted from a list query (e.g. the `products` or `collections` query), a default factor of 1000 is applied.
+ * :::
+ *
+ * The optimal max complexity score will vary depending on:
+ *
+ * - The requirements of your storefront and other clients using the Shop API
+ * - The resources available to your server
+ *
+ * You should aim to set the maximum as low as possible while still being able to service all the requests required.
+ * This will take some manual tuning.
+ * While tuning the max, you can turn on the `logComplexityScore` to get a detailed breakdown of the complexity of each query, as well as how
+ * that total score is derived from its child fields:
+ *
+ * @example
+ * ```ts
+ * import { HardenPlugin } from '\@deenruv/harden-plugin';
+ *
+ * const config: DeenruvConfig = {
+ *   // A detailed summary is logged at the "debug" level
+ *   logger: new DefaultLogger({ level: LogLevel.Debug }),
+ *   plugins: [
+ *      HardenPlugin.init({
+ *        maxQueryComplexity: 650,
+ *        logComplexityScore: true,
+ *      }),
+ *   ],
+ * };
+ * ```
+ *
+ * With logging configured as above, the following query:
+ *
+ * ```GraphQL
+ * query ProductList {
+ *   products(options: { take: 5 }) {
+ *     items {
+ *       id
+ *       name
+ *       featuredAsset {
+ *         preview
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ * will log the following breakdown:
+ *
+ * ```sh
+ * debug 16/12/22, 14:12 - [HardenPlugin] Calculating complexity of [ProductList]
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.id: ID!     childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.name: String!       childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Asset.preview: String!      childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.featuredAsset: Asset        childComplexity: 1, score: 2
+ * debug 16/12/22, 14:12 - [HardenPlugin] ProductList.items: [Product!]!      childComplexity: 4, score: 20
+ * debug 16/12/22, 14:12 - [HardenPlugin] Query.products: ProductList!        childComplexity: 20, score: 35
+ * verbose 16/12/22, 14:12 - [HardenPlugin] Query complexity [ProductList]: 35
+ * ```
+ *
+ * @docsCategory core plugins/HardenPlugin
+ */
+export declare class HardenPlugin {
+    static options: HardenPluginOptions;
+    static init(options: HardenPluginOptions): typeof HardenPlugin;
+}

package/lib/src/harden.plugin.js

@@ -0,0 +1,184 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var HardenPlugin_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HardenPlugin = void 0;
+const core_1 = require("@deenruv/core");
+const constants_1 = require("./constants");
+const hide_validation_errors_plugin_1 = require("./middleware/hide-validation-errors-plugin");
+const query_complexity_plugin_1 = require("./middleware/query-complexity-plugin");
+/**
+ * @description
+ * The HardenPlugin hardens the Shop and Admin GraphQL APIs against attacks and abuse.
+ *
+ * - It analyzes the complexity on incoming graphql queries and rejects queries that are too complex and
+ *   could be used to overload the resources of the server.
+ * - It disables dev-mode API features such as introspection and the GraphQL playground app.
+ * - It removes field name suggestions to prevent trial-and-error schema sniffing.
+ *
+ * It is a recommended plugin for all production configurations.
+ *
+ * ## Installation
+ *
+ * `yarn add \@deenruv/harden-plugin`
+ *
+ * or
+ *
+ * `npm install \@deenruv/harden-plugin`
+ *
+ * Then add the `HardenPlugin`, calling the `.init()` method with {@link HardenPluginOptions}:
+ *
+ * @example
+ * ```ts
+ * import { HardenPlugin } from '\@deenruv/harden-plugin';
+ *
+ * const config: DeenruvConfig = {
+ *   // Add an instance of the plugin to the plugins array
+ *   plugins: [
+ *      HardenPlugin.init({
+ *        maxQueryComplexity: 650,
+ *        apiMode: process.env.APP_ENV === 'dev' ? 'dev' : 'prod',
+ *      }),
+ *   ],
+ * };
+ * ```
+ *
+ * ## Setting the max query complexity
+ *
+ * The `maxQueryComplexity` option determines how complex a query can be. The complexity of a query relates to how many, and how
+ * deeply-nested are the fields being selected, and is intended to roughly correspond to the amount of server resources that would
+ * be required to resolve that query.
+ *
+ * The goal of this setting is to prevent attacks in which a malicious actor crafts a very complex query in order to overwhelm your
+ * server resources. Here's an example of a request which would likely overwhelm a Deenruv server:
+ *
+ * ```GraphQL
+ * query EvilQuery {
+ *   products {
+ *     items {
+ *       collections {
+ *         productVariants {
+ *           items {
+ *             product {
+ *               collections {
+ *                 productVariants {
+ *                   items {
+ *                     product {
+ *                       variants {
+ *                         name
+ *                       }
+ *                     }
+ *                   }
+ *                 }
+ *               }
+ *             }
+ *           }
+ *         }
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * This evil query has a complexity score of 2,443,203 - much greater than the default of 1,000!
+ *
+ * The complexity score is calculated by the [graphql-query-complexity library](https://www.npmjs.com/package/graphql-query-complexity),
+ * and by default uses the {@link defaultDeenruvComplexityEstimator}, which is tuned specifically to the Deenruv Shop API.
+ *
+ * :::caution
+ * Note: By default, if the "take" argument is omitted from a list query (e.g. the `products` or `collections` query), a default factor of 1000 is applied.
+ * :::
+ *
+ * The optimal max complexity score will vary depending on:
+ *
+ * - The requirements of your storefront and other clients using the Shop API
+ * - The resources available to your server
+ *
+ * You should aim to set the maximum as low as possible while still being able to service all the requests required.
+ * This will take some manual tuning.
+ * While tuning the max, you can turn on the `logComplexityScore` to get a detailed breakdown of the complexity of each query, as well as how
+ * that total score is derived from its child fields:
+ *
+ * @example
+ * ```ts
+ * import { HardenPlugin } from '\@deenruv/harden-plugin';
+ *
+ * const config: DeenruvConfig = {
+ *   // A detailed summary is logged at the "debug" level
+ *   logger: new DefaultLogger({ level: LogLevel.Debug }),
+ *   plugins: [
+ *      HardenPlugin.init({
+ *        maxQueryComplexity: 650,
+ *        logComplexityScore: true,
+ *      }),
+ *   ],
+ * };
+ * ```
+ *
+ * With logging configured as above, the following query:
+ *
+ * ```GraphQL
+ * query ProductList {
+ *   products(options: { take: 5 }) {
+ *     items {
+ *       id
+ *       name
+ *       featuredAsset {
+ *         preview
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ * will log the following breakdown:
+ *
+ * ```sh
+ * debug 16/12/22, 14:12 - [HardenPlugin] Calculating complexity of [ProductList]
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.id: ID!     childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.name: String!       childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Asset.preview: String!      childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.featuredAsset: Asset        childComplexity: 1, score: 2
+ * debug 16/12/22, 14:12 - [HardenPlugin] ProductList.items: [Product!]!      childComplexity: 4, score: 20
+ * debug 16/12/22, 14:12 - [HardenPlugin] Query.products: ProductList!        childComplexity: 20, score: 35
+ * verbose 16/12/22, 14:12 - [HardenPlugin] Query complexity [ProductList]: 35
+ * ```
+ *
+ * @docsCategory core plugins/HardenPlugin
+ */
+let HardenPlugin = HardenPlugin_1 = class HardenPlugin {
+    static init(options) {
+        this.options = options;
+        return HardenPlugin_1;
+    }
+};
+exports.HardenPlugin = HardenPlugin;
+exports.HardenPlugin = HardenPlugin = HardenPlugin_1 = __decorate([
+    (0, core_1.DeenruvPlugin)({
+        providers: [
+            {
+                provide: constants_1.HARDEN_PLUGIN_OPTIONS,
+                useFactory: () => HardenPlugin.options,
+            },
+        ],
+        configuration: (config) => {
+            if (HardenPlugin.options.hideFieldSuggestions !== false) {
+                core_1.Logger.verbose("Configuring HideValidationErrorsPlugin", constants_1.loggerCtx);
+                config.apiOptions.apolloServerPlugins.push(new hide_validation_errors_plugin_1.HideValidationErrorsPlugin());
+            }
+            config.apiOptions.apolloServerPlugins.push(new query_complexity_plugin_1.QueryComplexityPlugin(HardenPlugin.options));
+            if (HardenPlugin.options.apiMode !== "dev") {
+                config.apiOptions.adminApiDebug = false;
+                config.apiOptions.shopApiDebug = false;
+                config.apiOptions.introspection = false;
+            }
+            return config;
+        },
+        compatibility: "^0.0.0",
+    })
+], HardenPlugin);
+//# sourceMappingURL=harden.plugin.js.map

package/lib/src/harden.plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"harden.plugin.js","sourceRoot":"","sources":["../../src/harden.plugin.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,wCAAsD;AAEtD,2CAA+D;AAC/D,8FAAwF;AACxF,kFAA6E;AAG7E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyIG;AA4BI,IAAM,YAAY,oBAAlB,MAAM,YAAY;IAGvB,MAAM,CAAC,IAAI,CAAC,OAA4B;QACtC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,OAAO,cAAY,CAAC;IACtB,CAAC;CACF,CAAA;AAPY,oCAAY;uBAAZ,YAAY;IA3BxB,IAAA,oBAAa,EAAC;QACb,SAAS,EAAE;YACT;gBACE,OAAO,EAAE,iCAAqB;gBAC9B,UAAU,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO;aACvC;SACF;QACD,aAAa,EAAE,CAAC,MAAM,EAAE,EAAE;YACxB,IAAI,YAAY,CAAC,OAAO,CAAC,oBAAoB,KAAK,KAAK,EAAE,CAAC;gBACxD,aAAM,CAAC,OAAO,CAAC,wCAAwC,EAAE,qBAAS,CAAC,CAAC;gBACpE,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,IAAI,CACxC,IAAI,0DAA0B,EAAE,CACjC,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,IAAI,CACxC,IAAI,+CAAqB,CAAC,YAAY,CAAC,OAAO,CAAC,CAChD,CAAC;YACF,IAAI,YAAY,CAAC,OAAO,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;gBAC3C,MAAM,CAAC,UAAU,CAAC,aAAa,GAAG,KAAK,CAAC;gBACxC,MAAM,CAAC,UAAU,CAAC,YAAY,GAAG,KAAK,CAAC;gBACvC,MAAM,CAAC,UAAU,CAAC,aAAa,GAAG,KAAK,CAAC;YAC1C,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,aAAa,EAAE,QAAQ;KACxB,CAAC;GACW,YAAY,CAOxB"}

package/lib/src/middleware/hide-validation-errors-plugin.d.ts

@@ -0,0 +1,9 @@
+import { ApolloServerPlugin, GraphQLRequestListener } from "@apollo/server";
+/**
+ * @description
+ * Hides graphql-js suggestions when invalid field names are given.
+ * Based on ideas discussed in https://github.com/apollographql/apollo-server/issues/3919
+ */
+export declare class HideValidationErrorsPlugin implements ApolloServerPlugin {
+    requestDidStart(): Promise<GraphQLRequestListener<any>>;
+}

package/lib/src/middleware/hide-validation-errors-plugin.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HideValidationErrorsPlugin = void 0;
+const index_1 = require("graphql/error/index");
+/**
+ * @description
+ * Hides graphql-js suggestions when invalid field names are given.
+ * Based on ideas discussed in https://github.com/apollographql/apollo-server/issues/3919
+ */
+class HideValidationErrorsPlugin {
+    async requestDidStart() {
+        return {
+            willSendResponse: async (requestContext) => {
+                const { errors } = requestContext;
+                if (errors) {
+                    requestContext.response.errors = errors.map((err) => {
+                        if (err.message.includes("Did you mean")) {
+                            return new index_1.GraphQLError("Invalid request");
+                        }
+                        else {
+                            return err;
+                        }
+                    });
+                }
+            },
+        };
+    }
+}
+exports.HideValidationErrorsPlugin = HideValidationErrorsPlugin;
+//# sourceMappingURL=hide-validation-errors-plugin.js.map

package/lib/src/middleware/hide-validation-errors-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hide-validation-errors-plugin.js","sourceRoot":"","sources":["../../../src/middleware/hide-validation-errors-plugin.ts"],"names":[],"mappings":";;;AACA,+CAAmD;AAEnD;;;;GAIG;AACH,MAAa,0BAA0B;IACrC,KAAK,CAAC,eAAe;QACnB,OAAO;YACL,gBAAgB,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;gBACzC,MAAM,EAAE,MAAM,EAAE,GAAG,cAAc,CAAC;gBAClC,IAAI,MAAM,EAAE,CAAC;oBACV,cAAc,CAAC,QAAgB,CAAC,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;wBAC3D,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;4BACzC,OAAO,IAAI,oBAAY,CAAC,iBAAiB,CAAC,CAAC;wBAC7C,CAAC;6BAAM,CAAC;4BACN,OAAO,GAAG,CAAC;wBACb,CAAC;oBACH,CAAC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF;AAjBD,gEAiBC"}

package/lib/src/middleware/query-complexity-plugin.d.ts

@@ -0,0 +1,25 @@
+import { ApolloServerPlugin, GraphQLRequestListener, GraphQLRequestContext } from "@apollo/server";
+import { ComplexityEstimatorArgs } from "graphql-query-complexity";
+import { HardenPluginOptions } from "../types";
+/**
+ * @description
+ * Implements query complexity analysis on Shop API requests.
+ */
+export declare class QueryComplexityPlugin implements ApolloServerPlugin {
+    private options;
+    constructor(options: HardenPluginOptions);
+    requestDidStart({ schema, }: GraphQLRequestContext<any>): Promise<GraphQLRequestListener<any>>;
+}
+/**
+ * @description
+ * A complexity estimator which takes into account List and PaginatedList types and can
+ * be further configured by providing a customComplexityFactors object.
+ *
+ * When selecting PaginatedList types, the "take" argument is used to estimate a complexity
+ * factor. If the "take" argument is omitted, a default factor of 1000 is applied.
+ *
+ * @docsCategory core plugins/HardenPlugin
+ */
+export declare function defaultDeenruvComplexityEstimator(customComplexityFactors: {
+    [path: string]: number;
+}, logFieldScores: boolean): (options: ComplexityEstimatorArgs) => number | void;

package/lib/src/middleware/query-complexity-plugin.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultDeenruvComplexityEstimator = exports.QueryComplexityPlugin = void 0;
+const core_1 = require("@deenruv/core");
+const graphql_1 = require("graphql");
+const graphql_query_complexity_1 = require("graphql-query-complexity");
+const constants_1 = require("../constants");
+/**
+ * @description
+ * Implements query complexity analysis on Shop API requests.
+ */
+class QueryComplexityPlugin {
+    constructor(options) {
+        this.options = options;
+    }
+    async requestDidStart({ schema, }) {
+        var _a;
+        const maxQueryComplexity = (_a = this.options.maxQueryComplexity) !== null && _a !== void 0 ? _a : 1000;
+        return {
+            didResolveOperation: async ({ request, document }) => {
+                var _a, _b, _c, _d, _e, _f;
+                if (isAdminApi(schema)) {
+                    // We don't want to apply the cost analysis on the
+                    // Admin API, since any expensive operations would require
+                    // an authenticated session.
+                    return;
+                }
+                const query = request.operationName
+                    ? (0, graphql_1.separateOperations)(document)[request.operationName]
+                    : document;
+                if (this.options.logComplexityScore === true) {
+                    core_1.Logger.debug(`Calculating complexity of "${(_a = request.operationName) !== null && _a !== void 0 ? _a : "anonymous"}"`, constants_1.loggerCtx);
+                }
+                const complexity = (0, graphql_query_complexity_1.getComplexity)({
+                    schema,
+                    query,
+                    variables: request.variables,
+                    estimators: (_b = this.options.queryComplexityEstimators) !== null && _b !== void 0 ? _b : [
+                        defaultDeenruvComplexityEstimator((_c = this.options.customComplexityFactors) !== null && _c !== void 0 ? _c : {}, (_d = this.options.logComplexityScore) !== null && _d !== void 0 ? _d : false),
+                        (0, graphql_query_complexity_1.simpleEstimator)({ defaultComplexity: 1 }),
+                    ],
+                });
+                if (this.options.logComplexityScore === true) {
+                    core_1.Logger.verbose(`Query complexity "${(_e = request.operationName) !== null && _e !== void 0 ? _e : "anonymous"}": ${complexity}`, constants_1.loggerCtx);
+                }
+                if (complexity >= maxQueryComplexity) {
+                    core_1.Logger.error(`Query complexity of "${(_f = request.operationName) !== null && _f !== void 0 ? _f : "anonymous"}" is ${complexity}, which exceeds the maximum of ${maxQueryComplexity}`, constants_1.loggerCtx);
+                    throw new core_1.InternalServerError("Query is too complex");
+                }
+            },
+        };
+    }
+}
+exports.QueryComplexityPlugin = QueryComplexityPlugin;
+function isAdminApi(schema) {
+    const queryType = schema.getQueryType();
+    if (queryType) {
+        return !!queryType.getFields().administrators;
+    }
+    return false;
+}
+/**
+ * @description
+ * A complexity estimator which takes into account List and PaginatedList types and can
+ * be further configured by providing a customComplexityFactors object.
+ *
+ * When selecting PaginatedList types, the "take" argument is used to estimate a complexity
+ * factor. If the "take" argument is omitted, a default factor of 1000 is applied.
+ *
+ * @docsCategory core plugins/HardenPlugin
+ */
+function defaultDeenruvComplexityEstimator(customComplexityFactors, logFieldScores) {
+    return (options) => {
+        var _a, _b;
+        const { type, args, childComplexity, field } = options;
+        const namedType = (0, graphql_1.getNamedType)(field.type);
+        const path = `${type.name}.${field.name}`;
+        let result = childComplexity + 1;
+        const customFactor = customComplexityFactors[path];
+        if (customFactor != null) {
+            result = Math.max(childComplexity, 1) * customFactor;
+        }
+        else {
+            if ((0, graphql_1.isObjectType)(namedType)) {
+                const isPaginatedList = !!namedType
+                    .getInterfaces()
+                    .find((i) => i.name === "PaginatedList");
+                if (isPaginatedList) {
+                    const take = (_b = (_a = args.options) === null || _a === void 0 ? void 0 : _a.take) !== null && _b !== void 0 ? _b : 1000;
+                    result =
+                        childComplexity + Math.round(Math.log(childComplexity) * take);
+                }
+            }
+            if ((0, graphql_1.isListType)((0, graphql_1.getNullableType)(field.type))) {
+                result = childComplexity * 5;
+            }
+        }
+        if (logFieldScores) {
+            core_1.Logger.debug(`${path}: ${field.type.toString()}\tchildComplexity: ${childComplexity}, score: ${result}`, constants_1.loggerCtx);
+        }
+        return result;
+    };
+}
+exports.defaultDeenruvComplexityEstimator = defaultDeenruvComplexityEstimator;
+//# sourceMappingURL=query-complexity-plugin.js.map

package/lib/src/middleware/query-complexity-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"query-complexity-plugin.js","sourceRoot":"","sources":["../../../src/middleware/query-complexity-plugin.ts"],"names":[],"mappings":";;;AAKA,wCAA4D;AAC5D,qCAOiB;AACjB,uEAIkC;AAElC,4CAAyC;AAGzC;;;GAGG;AACH,MAAa,qBAAqB;IAChC,YAAoB,OAA4B;QAA5B,YAAO,GAAP,OAAO,CAAqB;IAAG,CAAC;IAEpD,KAAK,CAAC,eAAe,CAAC,EACpB,MAAM,GACqB;;QAC3B,MAAM,kBAAkB,GAAG,MAAA,IAAI,CAAC,OAAO,CAAC,kBAAkB,mCAAI,IAAI,CAAC;QACnE,OAAO;YACL,mBAAmB,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;;gBACnD,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;oBACvB,kDAAkD;oBAClD,0DAA0D;oBAC1D,4BAA4B;oBAC5B,OAAO;gBACT,CAAC;gBACD,MAAM,KAAK,GAAG,OAAO,CAAC,aAAa;oBACjC,CAAC,CAAC,IAAA,4BAAkB,EAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;oBACrD,CAAC,CAAC,QAAQ,CAAC;gBAEb,IAAI,IAAI,CAAC,OAAO,CAAC,kBAAkB,KAAK,IAAI,EAAE,CAAC;oBAC7C,aAAM,CAAC,KAAK,CACV,8BAA8B,MAAA,OAAO,CAAC,aAAa,mCAAI,WAAW,GAAG,EACrE,qBAAS,CACV,CAAC;gBACJ,CAAC;gBACD,MAAM,UAAU,GAAG,IAAA,wCAAa,EAAC;oBAC/B,MAAM;oBACN,KAAK;oBACL,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,UAAU,EAAE,MAAA,IAAI,CAAC,OAAO,CAAC,yBAAyB,mCAAI;wBACpD,iCAAiC,CAC/B,MAAA,IAAI,CAAC,OAAO,CAAC,uBAAuB,mCAAI,EAAE,EAC1C,MAAA,IAAI,CAAC,OAAO,CAAC,kBAAkB,mCAAI,KAAK,CACzC;wBACD,IAAA,0CAAe,EAAC,EAAE,iBAAiB,EAAE,CAAC,EAAE,CAAC;qBAC1C;iBACF,CAAC,CAAC;gBAEH,IAAI,IAAI,CAAC,OAAO,CAAC,kBAAkB,KAAK,IAAI,EAAE,CAAC;oBAC7C,aAAM,CAAC,OAAO,CACZ,qBAAqB,MAAA,OAAO,CAAC,aAAa,mCAAI,WAAW,MAAM,UAAU,EAAE,EAC3E,qBAAS,CACV,CAAC;gBACJ,CAAC;gBACD,IAAI,UAAU,IAAI,kBAAkB,EAAE,CAAC;oBACrC,aAAM,CAAC,KAAK,CACV,wBACE,MAAA,OAAO,CAAC,aAAa,mCAAI,WAC3B,QAAQ,UAAU,kCAAkC,kBAAkB,EAAE,EACxE,qBAAS,CACV,CAAC;oBACF,MAAM,IAAI,0BAAmB,CAAC,sBAAsB,CAAC,CAAC;gBACxD,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;CACF;AAxDD,sDAwDC;AAED,SAAS,UAAU,CAAC,MAAqB;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC;IACxC,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,cAAc,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,iCAAiC,CAC/C,uBAAmD,EACnD,cAAuB;IAEvB,OAAO,CAAC,OAAgC,EAAiB,EAAE;;QACzD,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;QACvD,MAAM,SAAS,GAAG,IAAA,sBAAY,EAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QAC1C,IAAI,MAAM,GAAG,eAAe,GAAG,CAAC,CAAC;QACjC,MAAM,YAAY,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,YAAY,IAAI,IAAI,EAAE,CAAC;YACzB,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,CAAC,GAAG,YAAY,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,IAAI,IAAA,sBAAY,EAAC,SAAS,CAAC,EAAE,CAAC;gBAC5B,MAAM,eAAe,GAAG,CAAC,CAAC,SAAS;qBAChC,aAAa,EAAE;qBACf,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;gBAC3C,IAAI,eAAe,EAAE,CAAC;oBACpB,MAAM,IAAI,GAAG,MAAA,MAAA,IAAI,CAAC,OAAO,0CAAE,IAAI,mCAAI,IAAI,CAAC;oBACxC,MAAM;wBACJ,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC,CAAC;gBACnE,CAAC;YACH,CAAC;YACD,IAAI,IAAA,oBAAU,EAAC,IAAA,yBAAe,EAAC,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;gBAC5C,MAAM,GAAG,eAAe,GAAG,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QACD,IAAI,cAAc,EAAE,CAAC;YACnB,aAAM,CAAC,KAAK,CACV,GAAG,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,sBAAsB,eAAe,YAAY,MAAM,EAAE,EAC1F,qBAAS,CACV,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC;AAnCD,8EAmCC"}

package/lib/src/types.d.ts

@@ -0,0 +1,79 @@
+import { ComplexityEstimator } from "graphql-query-complexity";
+/**
+ * @description
+ * Options that can be passed to the `.init()` static method of the HardenPlugin.
+ *
+ * @docsCategory core plugins/HardenPlugin
+ */
+export interface HardenPluginOptions {
+    /**
+     * @description
+     * Defines the maximum permitted complexity score of a query. The complexity score is based
+     * on the number of fields being selected as well as other factors like whether there are nested
+     * lists.
+     *
+     * A query which exceeds the maximum score will result in an error.
+     *
+     * @default 1000
+     */
+    maxQueryComplexity?: number;
+    /**
+     * @description
+     * An array of custom estimator functions for calculating the complexity of a query. By default,
+     * the plugin will use the {@link defaultDeenruvComplexityEstimator} which is specifically
+     * tuned to accurately estimate Deenruv queries.
+     */
+    queryComplexityEstimators?: ComplexityEstimator[];
+    /**
+     * @description
+     * When set to `true`, the complexity score of each query will be logged at the Verbose
+     * log level, and a breakdown of the calculation for each field will be logged at the Debug level.
+     *
+     * This is very useful for tuning your complexity scores.
+     *
+     * @default false
+     */
+    logComplexityScore?: boolean;
+    /**
+     * @description
+     * This object allows you to tune the complexity weight of specific fields. For example,
+     * if you have a custom `stockLocations` field defined on the `ProductVariant` type, and
+     * you know that it is a particularly expensive operation to execute, you can increase
+     * its complexity like this:
+     *
+     * @example
+     * ```ts
+     * HardenPlugin.init({
+     *   maxQueryComplexity: 650,
+     *   customComplexityFactors: {
+     *     'ProductVariant.stockLocations': 10
+     *   }
+     * }),
+     * ```
+     */
+    customComplexityFactors?: {
+        [path: string]: number;
+    };
+    /**
+     * @description
+     * Graphql-js will make suggestions about the names of fields if an invalid field name is provided.
+     * This would allow an attacker to find out the available fields by brute force even if introspection
+     * is disabled.
+     *
+     * Setting this option to `true` will prevent these suggestion error messages from being returned,
+     * instead replacing the message with a generic "Invalid request" message.
+     *
+     * @default true
+     */
+    hideFieldSuggestions?: boolean;
+    /**
+     * @description
+     * When set to `'prod'`, the plugin will disable dev-mode features of the GraphQL APIs:
+     *
+     * - introspection
+     * - GraphQL playground
+     *
+     * @default 'prod'
+     */
+    apiMode?: "dev" | "prod";
+}

package/lib/src/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/lib/src/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@deenruv/harden-plugin",
+  "version": "1.0.0",
+  "license": "MIT",
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "files": [
+    "lib/**/*"
+  ],
+  "homepage": "https://deenruv.com/",
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "@deenruv/core": "^0.1.0"
+  },
+  "dependencies": {
+    "@apollo/server": "^4.10.4",
+    "graphql-query-complexity": "^0.12.0"
+  },
+  "devDependencies": {
+    "rimraf": "^5.0.5",
+    "@deenruv/core": "^1.0.0",
+    "@deenruv/common": "^1.0.0"
+  },
+  "scripts": {
+    "watch": "tsc -p ./tsconfig.build.json --watch",
+    "build": "rimraf lib && tsc -p ./tsconfig.build.json",
+    "lint": "eslint .",
+    "lint:fix": "eslint --fix ."
+  }
+}