@vendure/harden-plugin 1.9.1

package/README.md

@@ -0,0 +1,7 @@
+# Vendure Harden Plugin
+
+Hardens your Vendure GraphQL APIs against attacks.
+
+`npm install @vendure/harden-plugin`
+
+For documentation, see [www.vendure.io/docs/typescript-api/harden-plugin/](https://www.vendure.io/docs/typescript-api/harden-plugin/)

package/lib/index.d.ts

@@ -0,0 +1,3 @@
+export * from './src/harden.plugin';
+export * from './src/types';
+export * from './src/middleware/query-complexity-plugin';

package/lib/index.js

@@ -0,0 +1,16 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./src/harden.plugin"), exports);
+__exportStar(require("./src/types"), exports);
+__exportStar(require("./src/middleware/query-complexity-plugin"), exports);
+//# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,sDAAoC;AACpC,8CAA4B;AAC5B,2EAAyD"}

package/lib/src/constants.d.ts

@@ -0,0 +1,2 @@
+export declare const loggerCtx = "HardenPlugin";
+export declare const HARDEN_PLUGIN_OPTIONS: unique symbol;

package/lib/src/constants.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HARDEN_PLUGIN_OPTIONS = exports.loggerCtx = void 0;
+exports.loggerCtx = 'HardenPlugin';
+exports.HARDEN_PLUGIN_OPTIONS = Symbol('HARDEN_PLUGIN_OPTIONS');
+//# sourceMappingURL=constants.js.map

package/lib/src/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,SAAS,GAAG,cAAc,CAAC;AAC3B,QAAA,qBAAqB,GAAG,MAAM,CAAC,uBAAuB,CAAC,CAAC"}

package/lib/src/harden.plugin.d.ts

@@ -0,0 +1,138 @@
+import { HardenPluginOptions } from './types';
+/**
+ * @description
+ * The HardenPlugin hardens the Shop and Admin GraphQL APIs against attacks and abuse.
+ *
+ * - It analyzes the complexity on incoming graphql queries and rejects queries that are too complex and
+ *   could be used to overload the resources of the server.
+ * - It disables dev-mode API features such as introspection and the GraphQL playground app.
+ * - It removes field name suggestions to prevent trial-and-error schema sniffing.
+ *
+ * It is a recommended plugin for all production configurations.
+ *
+ * ## Installation
+ *
+ * `yarn add \@vendure/harden-plugin`
+ *
+ * or
+ *
+ * `npm install \@vendure/harden-plugin`
+ *
+ * Then add the `HardenPlugin`, calling the `.init()` method with {@link HardenPluginOptions}:
+ *
+ * @example
+ * ```ts
+ * import { HardenPlugin } from '\@vendure/harden-plugin';
+ *
+ * const config: VendureConfig = {
+ *   // Add an instance of the plugin to the plugins array
+ *   plugins: [
+ *      HardenPlugin.init({
+ *        maxQueryComplexity: 650,
+ *        apiMode: process.env.NODE_ENV === 'development' ? 'dev' : 'prod',
+ *      }),
+ *   ],
+ * };
+ * ```
+ *
+ * ## Setting the max query complexity
+ *
+ * The `maxQueryComplexity` option determines how complex a query can be. The complexity of a query relates to how many, and how
+ * deeply-nested are the fields being selected, and is intended to roughly correspond to the amount of server resources that would
+ * be required to resolve that query.
+ *
+ * The goal of this setting is to prevent attacks in which a malicious actor crafts a very complex query in order to overwhelm your
+ * server resources. Here's an example of a request which would likely overwhelm a Vendure server:
+ *
+ * ```GraphQL
+ * query EvilQuery {
+ *   products {
+ *     items {
+ *       collections {
+ *         productVariants {
+ *           items {
+ *             product {
+ *               collections {
+ *                 productVariants {
+ *                   items {
+ *                     product {
+ *                       variants {
+ *                         name
+ *                       }
+ *                     }
+ *                   }
+ *                 }
+ *               }
+ *             }
+ *           }
+ *         }
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * This evil query has a complexity score of 2,443,203 - much greater than the default of 1,000!
+ *
+ * The complexity score is calculated by the [graphql-query-complexity library](https://www.npmjs.com/package/graphql-query-complexity),
+ * and by default uses the {@link defaultVendureComplexityEstimator}, which is tuned specifically to the Vendure Shop API.
+ *
+ * The optimal max complexity score will vary depending on:
+ *
+ * - The requirements of your storefront and other clients using the Shop API
+ * - The resources available to your server
+ *
+ * You should aim to set the maximum as low as possible while still being able to service all the requests required. This will take some manual tuning.
+ * While tuning the max, you can turn on the `logComplexityScore` to get a detailed breakdown of the complexity of each query, as well as how
+ * that total score is derived from its child fields:
+ *
+ * @example
+ * ```ts
+ * import { HardenPlugin } from '\@vendure/harden-plugin';
+ *
+ * const config: VendureConfig = {
+ *   // A detailed summary is logged at the "debug" level
+ *   logger: new DefaultLogger({ level: LogLevel.Debug }),
+ *   plugins: [
+ *      HardenPlugin.init({
+ *        maxQueryComplexity: 650,
+ *        logComplexityScore: true,
+ *      }),
+ *   ],
+ * };
+ * ```
+ *
+ * With logging configured as above, the following query:
+ *
+ * ```GraphQL
+ * query ProductList {
+ *   products(options: { take: 5 }) {
+ *     items {
+ *       id
+ *       name
+ *       featuredAsset {
+ *         preview
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ * will log the following breakdown:
+ *
+ * ```sh
+ * debug 16/12/22, 14:12 - [HardenPlugin] Calculating complexity of [ProductList]
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.id: ID!     childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.name: String!       childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Asset.preview: String!      childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.featuredAsset: Asset        childComplexity: 1, score: 2
+ * debug 16/12/22, 14:12 - [HardenPlugin] ProductList.items: [Product!]!      childComplexity: 4, score: 20
+ * debug 16/12/22, 14:12 - [HardenPlugin] Query.products: ProductList!        childComplexity: 20, score: 35
+ * verbose 16/12/22, 14:12 - [HardenPlugin] Query complexity [ProductList]: 35
+ * ```
+ *
+ * @docsCategory HardenPlugin
+ */
+export declare class HardenPlugin {
+    static options: HardenPluginOptions;
+    static init(options: HardenPluginOptions): typeof HardenPlugin;
+}

package/lib/src/harden.plugin.js

@@ -0,0 +1,178 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var HardenPlugin_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HardenPlugin = void 0;
+const core_1 = require("@vendure/core");
+const constants_1 = require("./constants");
+const hide_validation_errors_plugin_1 = require("./middleware/hide-validation-errors-plugin");
+const query_complexity_plugin_1 = require("./middleware/query-complexity-plugin");
+/**
+ * @description
+ * The HardenPlugin hardens the Shop and Admin GraphQL APIs against attacks and abuse.
+ *
+ * - It analyzes the complexity on incoming graphql queries and rejects queries that are too complex and
+ *   could be used to overload the resources of the server.
+ * - It disables dev-mode API features such as introspection and the GraphQL playground app.
+ * - It removes field name suggestions to prevent trial-and-error schema sniffing.
+ *
+ * It is a recommended plugin for all production configurations.
+ *
+ * ## Installation
+ *
+ * `yarn add \@vendure/harden-plugin`
+ *
+ * or
+ *
+ * `npm install \@vendure/harden-plugin`
+ *
+ * Then add the `HardenPlugin`, calling the `.init()` method with {@link HardenPluginOptions}:
+ *
+ * @example
+ * ```ts
+ * import { HardenPlugin } from '\@vendure/harden-plugin';
+ *
+ * const config: VendureConfig = {
+ *   // Add an instance of the plugin to the plugins array
+ *   plugins: [
+ *      HardenPlugin.init({
+ *        maxQueryComplexity: 650,
+ *        apiMode: process.env.NODE_ENV === 'development' ? 'dev' : 'prod',
+ *      }),
+ *   ],
+ * };
+ * ```
+ *
+ * ## Setting the max query complexity
+ *
+ * The `maxQueryComplexity` option determines how complex a query can be. The complexity of a query relates to how many, and how
+ * deeply-nested are the fields being selected, and is intended to roughly correspond to the amount of server resources that would
+ * be required to resolve that query.
+ *
+ * The goal of this setting is to prevent attacks in which a malicious actor crafts a very complex query in order to overwhelm your
+ * server resources. Here's an example of a request which would likely overwhelm a Vendure server:
+ *
+ * ```GraphQL
+ * query EvilQuery {
+ *   products {
+ *     items {
+ *       collections {
+ *         productVariants {
+ *           items {
+ *             product {
+ *               collections {
+ *                 productVariants {
+ *                   items {
+ *                     product {
+ *                       variants {
+ *                         name
+ *                       }
+ *                     }
+ *                   }
+ *                 }
+ *               }
+ *             }
+ *           }
+ *         }
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * This evil query has a complexity score of 2,443,203 - much greater than the default of 1,000!
+ *
+ * The complexity score is calculated by the [graphql-query-complexity library](https://www.npmjs.com/package/graphql-query-complexity),
+ * and by default uses the {@link defaultVendureComplexityEstimator}, which is tuned specifically to the Vendure Shop API.
+ *
+ * The optimal max complexity score will vary depending on:
+ *
+ * - The requirements of your storefront and other clients using the Shop API
+ * - The resources available to your server
+ *
+ * You should aim to set the maximum as low as possible while still being able to service all the requests required. This will take some manual tuning.
+ * While tuning the max, you can turn on the `logComplexityScore` to get a detailed breakdown of the complexity of each query, as well as how
+ * that total score is derived from its child fields:
+ *
+ * @example
+ * ```ts
+ * import { HardenPlugin } from '\@vendure/harden-plugin';
+ *
+ * const config: VendureConfig = {
+ *   // A detailed summary is logged at the "debug" level
+ *   logger: new DefaultLogger({ level: LogLevel.Debug }),
+ *   plugins: [
+ *      HardenPlugin.init({
+ *        maxQueryComplexity: 650,
+ *        logComplexityScore: true,
+ *      }),
+ *   ],
+ * };
+ * ```
+ *
+ * With logging configured as above, the following query:
+ *
+ * ```GraphQL
+ * query ProductList {
+ *   products(options: { take: 5 }) {
+ *     items {
+ *       id
+ *       name
+ *       featuredAsset {
+ *         preview
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ * will log the following breakdown:
+ *
+ * ```sh
+ * debug 16/12/22, 14:12 - [HardenPlugin] Calculating complexity of [ProductList]
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.id: ID!     childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.name: String!       childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Asset.preview: String!      childComplexity: 0, score: 1
+ * debug 16/12/22, 14:12 - [HardenPlugin] Product.featuredAsset: Asset        childComplexity: 1, score: 2
+ * debug 16/12/22, 14:12 - [HardenPlugin] ProductList.items: [Product!]!      childComplexity: 4, score: 20
+ * debug 16/12/22, 14:12 - [HardenPlugin] Query.products: ProductList!        childComplexity: 20, score: 35
+ * verbose 16/12/22, 14:12 - [HardenPlugin] Query complexity [ProductList]: 35
+ * ```
+ *
+ * @docsCategory HardenPlugin
+ */
+let HardenPlugin = HardenPlugin_1 = class HardenPlugin {
+    static init(options) {
+        this.options = options;
+        return HardenPlugin_1;
+    }
+};
+HardenPlugin = HardenPlugin_1 = __decorate([
+    core_1.VendurePlugin({
+        providers: [
+            {
+                provide: constants_1.HARDEN_PLUGIN_OPTIONS,
+                useFactory: () => HardenPlugin_1.options,
+            },
+        ],
+        configuration: config => {
+            if (HardenPlugin_1.options.hideFieldSuggestions !== false) {
+                core_1.Logger.verbose(`Configuring HideValidationErrorsPlugin`, constants_1.loggerCtx);
+                config.apiOptions.apolloServerPlugins.push(new hide_validation_errors_plugin_1.HideValidationErrorsPlugin());
+            }
+            config.apiOptions.apolloServerPlugins.push(new query_complexity_plugin_1.QueryComplexityPlugin(HardenPlugin_1.options));
+            if (HardenPlugin_1.options.apiMode !== 'dev') {
+                config.apiOptions.adminApiDebug = false;
+                config.apiOptions.shopApiDebug = false;
+                config.apiOptions.introspection = false;
+            }
+            return config;
+        },
+    })
+], HardenPlugin);
+exports.HardenPlugin = HardenPlugin;
+//# sourceMappingURL=harden.plugin.js.map

package/lib/src/harden.plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"harden.plugin.js","sourceRoot":"","sources":["../../src/harden.plugin.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,wCAAsD;AAEtD,2CAA+D;AAC/D,8FAAwF;AACxF,kFAA6E;AAG7E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoIG;AAuBH,IAAa,YAAY,oBAAzB,MAAa,YAAY;IAGrB,MAAM,CAAC,IAAI,CAAC,OAA4B;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,OAAO,cAAY,CAAC;IACxB,CAAC;CACJ,CAAA;AAPY,YAAY;IAtBxB,oBAAa,CAAC;QACX,SAAS,EAAE;YACP;gBACI,OAAO,EAAE,iCAAqB;gBAC9B,UAAU,EAAE,GAAG,EAAE,CAAC,cAAY,CAAC,OAAO;aACzC;SACJ;QACD,aAAa,EAAE,MAAM,CAAC,EAAE;YACpB,IAAI,cAAY,CAAC,OAAO,CAAC,oBAAoB,KAAK,KAAK,EAAE;gBACrD,aAAM,CAAC,OAAO,CAAC,wCAAwC,EAAE,qBAAS,CAAC,CAAC;gBACpE,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,0DAA0B,EAAE,CAAC,CAAC;aAChF;YACD,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,+CAAqB,CAAC,cAAY,CAAC,OAAO,CAAC,CAAC,CAAC;YAC5F,IAAI,cAAY,CAAC,OAAO,CAAC,OAAO,KAAK,KAAK,EAAE;gBACxC,MAAM,CAAC,UAAU,CAAC,aAAa,GAAG,KAAK,CAAC;gBACxC,MAAM,CAAC,UAAU,CAAC,YAAY,GAAG,KAAK,CAAC;gBACvC,MAAM,CAAC,UAAU,CAAC,aAAa,GAAG,KAAK,CAAC;aAC3C;YAED,OAAO,MAAM,CAAC;QAClB,CAAC;KACJ,CAAC;GACW,YAAY,CAOxB;AAPY,oCAAY"}

package/lib/src/middleware/hide-validation-errors-plugin.d.ts

@@ -0,0 +1,9 @@
+import { ApolloServerPlugin, GraphQLRequestListener } from 'apollo-server-plugin-base';
+/**
+ * @description
+ * Hides graphql-js suggestions when invalid field names are given.
+ * Based on ideas discussed in https://github.com/apollographql/apollo-server/issues/3919
+ */
+export declare class HideValidationErrorsPlugin implements ApolloServerPlugin {
+    requestDidStart(): GraphQLRequestListener;
+}

package/lib/src/middleware/hide-validation-errors-plugin.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HideValidationErrorsPlugin = void 0;
+const apollo_server_core_1 = require("apollo-server-core");
+/**
+ * @description
+ * Hides graphql-js suggestions when invalid field names are given.
+ * Based on ideas discussed in https://github.com/apollographql/apollo-server/issues/3919
+ */
+class HideValidationErrorsPlugin {
+    requestDidStart() {
+        return {
+            willSendResponse: async (requestContext) => {
+                const { errors, context } = requestContext;
+                if (errors) {
+                    requestContext.response.errors = errors.map(err => {
+                        if (err.message.includes('Did you mean')) {
+                            return new apollo_server_core_1.ValidationError('Invalid request');
+                        }
+                        else {
+                            return err;
+                        }
+                    });
+                }
+            },
+        };
+    }
+}
+exports.HideValidationErrorsPlugin = HideValidationErrorsPlugin;
+//# sourceMappingURL=hide-validation-errors-plugin.js.map

package/lib/src/middleware/hide-validation-errors-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hide-validation-errors-plugin.js","sourceRoot":"","sources":["../../../src/middleware/hide-validation-errors-plugin.ts"],"names":[],"mappings":";;;AAAA,2DAAqD;AAGrD;;;;GAIG;AACH,MAAa,0BAA0B;IACnC,eAAe;QACX,OAAO;YACH,gBAAgB,EAAE,KAAK,EAAC,cAAc,EAAC,EAAE;gBACrC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC;gBAC3C,IAAI,MAAM,EAAE;oBACP,cAAc,CAAC,QAAgB,CAAC,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;wBACvD,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE;4BACtC,OAAO,IAAI,oCAAe,CAAC,iBAAiB,CAAC,CAAC;yBACjD;6BAAM;4BACH,OAAO,GAAG,CAAC;yBACd;oBACL,CAAC,CAAC,CAAC;iBACN;YACL,CAAC;SACJ,CAAC;IACN,CAAC;CACJ;AAjBD,gEAiBC"}

package/lib/src/middleware/query-complexity-plugin.d.ts

@@ -0,0 +1,26 @@
+import { ApolloServerPlugin, GraphQLRequestListener } from 'apollo-server-plugin-base';
+import { GraphQLRequestContext } from 'apollo-server-types';
+import { ComplexityEstimatorArgs } from 'graphql-query-complexity';
+import { HardenPluginOptions } from '../types';
+/**
+ * @description
+ * Implements query complexity analysis on Shop API requests.
+ */
+export declare class QueryComplexityPlugin implements ApolloServerPlugin {
+    private options;
+    constructor(options: HardenPluginOptions);
+    requestDidStart({ schema }: GraphQLRequestContext): GraphQLRequestListener;
+}
+/**
+ * @description
+ * A complexity estimator which takes into account List and PaginatedList types and can
+ * be further configured by providing a customComplexityFactors object.
+ *
+ * When selecting PaginatedList types, the "take" argument is used to estimate a complexity
+ * factor. If the "take" argument is omitted, a default factor of 1000 is applied.
+ *
+ * @docsCategory HardenPlugin
+ */
+export declare function defaultVendureComplexityEstimator(customComplexityFactors: {
+    [path: string]: number;
+}, logFieldScores: boolean): (options: ComplexityEstimatorArgs) => number | void;

package/lib/src/middleware/query-complexity-plugin.js

@@ -0,0 +1,102 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultVendureComplexityEstimator = exports.QueryComplexityPlugin = void 0;
+const core_1 = require("@vendure/core");
+const graphql_1 = require("graphql");
+const graphql_query_complexity_1 = require("graphql-query-complexity");
+const constants_1 = require("../constants");
+/**
+ * @description
+ * Implements query complexity analysis on Shop API requests.
+ */
+class QueryComplexityPlugin {
+    constructor(options) {
+        this.options = options;
+    }
+    requestDidStart({ schema }) {
+        var _a;
+        const maxQueryComplexity = (_a = this.options.maxQueryComplexity) !== null && _a !== void 0 ? _a : 1000;
+        return {
+            didResolveOperation: async ({ request, document }) => {
+                var _a, _b, _c, _d, _e, _f;
+                if (isAdminApi(schema)) {
+                    // We don't want to apply the cost analysis on the
+                    // Admin API, since any expensive operations would require
+                    // an authenticated session.
+                    return;
+                }
+                const query = request.operationName
+                    ? graphql_1.separateOperations(document)[request.operationName]
+                    : document;
+                if (this.options.logComplexityScore === true) {
+                    core_1.Logger.debug(`Calculating complexity of "${(_a = request.operationName) !== null && _a !== void 0 ? _a : 'anonymous'}"`, constants_1.loggerCtx);
+                }
+                const complexity = graphql_query_complexity_1.getComplexity({
+                    schema,
+                    query,
+                    variables: request.variables,
+                    estimators: (_b = this.options.queryComplexityEstimators) !== null && _b !== void 0 ? _b : [
+                        defaultVendureComplexityEstimator((_c = this.options.customComplexityFactors) !== null && _c !== void 0 ? _c : {}, (_d = this.options.logComplexityScore) !== null && _d !== void 0 ? _d : false),
+                        graphql_query_complexity_1.simpleEstimator({ defaultComplexity: 1 }),
+                    ],
+                });
+                if (this.options.logComplexityScore === true) {
+                    core_1.Logger.verbose(`Query complexity "${(_e = request.operationName) !== null && _e !== void 0 ? _e : 'anonymous'}": ${complexity}`, constants_1.loggerCtx);
+                }
+                if (complexity >= maxQueryComplexity) {
+                    core_1.Logger.error(`Query complexity of "${(_f = request.operationName) !== null && _f !== void 0 ? _f : 'anonymous'}" is ${complexity}, which exceeds the maximum of ${maxQueryComplexity}`, constants_1.loggerCtx);
+                    throw new core_1.InternalServerError(`Query is too complex`);
+                }
+            },
+        };
+    }
+}
+exports.QueryComplexityPlugin = QueryComplexityPlugin;
+function isAdminApi(schema) {
+    const queryType = schema.getQueryType();
+    if (queryType) {
+        return !!queryType.getFields().administrators;
+    }
+    return false;
+}
+/**
+ * @description
+ * A complexity estimator which takes into account List and PaginatedList types and can
+ * be further configured by providing a customComplexityFactors object.
+ *
+ * When selecting PaginatedList types, the "take" argument is used to estimate a complexity
+ * factor. If the "take" argument is omitted, a default factor of 1000 is applied.
+ *
+ * @docsCategory HardenPlugin
+ */
+function defaultVendureComplexityEstimator(customComplexityFactors, logFieldScores) {
+    return (options) => {
+        var _a, _b;
+        const { type, args, childComplexity, field } = options;
+        const namedType = graphql_1.getNamedType(field.type);
+        const path = `${type.name}.${field.name}`;
+        let result = childComplexity + 1;
+        const customFactor = customComplexityFactors[path];
+        if (customFactor != null) {
+            result = Math.max(childComplexity, 1) * customFactor;
+        }
+        else {
+            if (graphql_1.isObjectType(namedType)) {
+                const isPaginatedList = !!namedType.getInterfaces().find(i => i.name === 'PaginatedList');
+                if (isPaginatedList) {
+                    const take = (_b = (_a = args.options) === null || _a === void 0 ? void 0 : _a.take) !== null && _b !== void 0 ? _b : 1000;
+                    result = childComplexity + Math.round(Math.log(childComplexity) * take);
+                }
+            }
+            if (graphql_1.isListType(graphql_1.getNullableType(field.type))) {
+                result = childComplexity * 5;
+            }
+        }
+        if (logFieldScores) {
+            core_1.Logger.debug(`${path}: ${field.type.toString()}\tchildComplexity: ${childComplexity}, score: ${result}`, constants_1.loggerCtx);
+        }
+        return result;
+    };
+}
+exports.defaultVendureComplexityEstimator = defaultVendureComplexityEstimator;
+//# sourceMappingURL=query-complexity-plugin.js.map

package/lib/src/middleware/query-complexity-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"query-complexity-plugin.js","sourceRoot":"","sources":["../../../src/middleware/query-complexity-plugin.ts"],"names":[],"mappings":";;;AAAA,wCAA4D;AAG5D,qCAOiB;AACjB,uEAAmG;AAEnG,4CAAyC;AAGzC;;;GAGG;AACH,MAAa,qBAAqB;IAC9B,YAAoB,OAA4B;QAA5B,YAAO,GAAP,OAAO,CAAqB;IAAG,CAAC;IAEpD,eAAe,CAAC,EAAE,MAAM,EAAyB;;QAC7C,MAAM,kBAAkB,GAAG,MAAA,IAAI,CAAC,OAAO,CAAC,kBAAkB,mCAAI,IAAI,CAAC;QACnE,OAAO;YACH,mBAAmB,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;;gBACjD,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE;oBACpB,kDAAkD;oBAClD,0DAA0D;oBAC1D,4BAA4B;oBAC5B,OAAO;iBACV;gBACD,MAAM,KAAK,GAAG,OAAO,CAAC,aAAa;oBAC/B,CAAC,CAAC,4BAAkB,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;oBACrD,CAAC,CAAC,QAAQ,CAAC;gBAEf,IAAI,IAAI,CAAC,OAAO,CAAC,kBAAkB,KAAK,IAAI,EAAE;oBAC1C,aAAM,CAAC,KAAK,CACR,8BAA8B,MAAA,OAAO,CAAC,aAAa,mCAAI,WAAW,GAAG,EACrE,qBAAS,CACZ,CAAC;iBACL;gBACD,MAAM,UAAU,GAAG,wCAAa,CAAC;oBAC7B,MAAM;oBACN,KAAK;oBACL,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,UAAU,EAAE,MAAA,IAAI,CAAC,OAAO,CAAC,yBAAyB,mCAAI;wBAClD,iCAAiC,CAC7B,MAAA,IAAI,CAAC,OAAO,CAAC,uBAAuB,mCAAI,EAAE,EAC1C,MAAA,IAAI,CAAC,OAAO,CAAC,kBAAkB,mCAAI,KAAK,CAC3C;wBACD,0CAAe,CAAC,EAAE,iBAAiB,EAAE,CAAC,EAAE,CAAC;qBAC5C;iBACJ,CAAC,CAAC;gBAEH,IAAI,IAAI,CAAC,OAAO,CAAC,kBAAkB,KAAK,IAAI,EAAE;oBAC1C,aAAM,CAAC,OAAO,CACV,qBAAqB,MAAA,OAAO,CAAC,aAAa,mCAAI,WAAW,MAAM,UAAU,EAAE,EAC3E,qBAAS,CACZ,CAAC;iBACL;gBACD,IAAI,UAAU,IAAI,kBAAkB,EAAE;oBAClC,aAAM,CAAC,KAAK,CACR,wBACI,MAAA,OAAO,CAAC,aAAa,mCAAI,WAC7B,QAAQ,UAAU,kCAAkC,kBAAkB,EAAE,EACxE,qBAAS,CACZ,CAAC;oBACF,MAAM,IAAI,0BAAmB,CAAC,sBAAsB,CAAC,CAAC;iBACzD;YACL,CAAC;SACJ,CAAC;IACN,CAAC;CACJ;AAtDD,sDAsDC;AAED,SAAS,UAAU,CAAC,MAAqB;IACrC,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC;IACxC,IAAI,SAAS,EAAE;QACX,OAAO,CAAC,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,cAAc,CAAC;KACjD;IACD,OAAO,KAAK,CAAC;AACjB,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,iCAAiC,CAC7C,uBAAmD,EACnD,cAAuB;IAEvB,OAAO,CAAC,OAAgC,EAAiB,EAAE;;QACvD,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;QACvD,MAAM,SAAS,GAAG,sBAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QAC1C,IAAI,MAAM,GAAG,eAAe,GAAG,CAAC,CAAC;QACjC,MAAM,YAAY,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,YAAY,IAAI,IAAI,EAAE;YACtB,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,CAAC,GAAG,YAAY,CAAC;SACxD;aAAM;YACH,IAAI,sBAAY,CAAC,SAAS,CAAC,EAAE;gBACzB,MAAM,eAAe,GAAG,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;gBAC1F,IAAI,eAAe,EAAE;oBACjB,MAAM,IAAI,GAAG,MAAA,MAAA,IAAI,CAAC,OAAO,0CAAE,IAAI,mCAAI,IAAI,CAAC;oBACxC,MAAM,GAAG,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC,CAAC;iBAC3E;aACJ;YACD,IAAI,oBAAU,CAAC,yBAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE;gBACzC,MAAM,GAAG,eAAe,GAAG,CAAC,CAAC;aAChC;SACJ;QACD,IAAI,cAAc,EAAE;YAChB,aAAM,CAAC,KAAK,CACR,GAAG,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,sBAAsB,eAAe,YAAY,MAAM,EAAE,EAC1F,qBAAS,CACZ,CAAC;SACL;QACD,OAAO,MAAM,CAAC;IAClB,CAAC,CAAC;AACN,CAAC;AAhCD,8EAgCC"}

package/lib/src/types.d.ts

@@ -0,0 +1,79 @@
+import { ComplexityEstimator } from 'graphql-query-complexity/dist/cjs/QueryComplexity';
+/**
+ * @description
+ * Options that can be passed to the `.init()` static method of the HardenPlugin.
+ *
+ * @docsCategory HardenPlugin
+ */
+export interface HardenPluginOptions {
+    /**
+     * @description
+     * Defines the maximum permitted complexity score of a query. The complexity score is based
+     * on the number of fields being selected as well as other factors like whether there are nested
+     * lists.
+     *
+     * A query which exceeds the maximum score will result in an error.
+     *
+     * @default 1000
+     */
+    maxQueryComplexity?: number;
+    /**
+     * @description
+     * An array of custom estimator functions for calculating the complexity of a query. By default,
+     * the plugin will use the {@link defaultVendureComplexityEstimator} which is specifically
+     * tuned to accurately estimate Vendure queries.
+     */
+    queryComplexityEstimators?: ComplexityEstimator[];
+    /**
+     * @description
+     * When set to `true`, the complexity score of each query will be logged at the Verbose
+     * log level, and a breakdown of the calculation for each field will be logged at the Debug level.
+     *
+     * This is very useful for tuning your complexity scores.
+     *
+     * @default false
+     */
+    logComplexityScore?: boolean;
+    /**
+     * @description
+     * This object allows you to tune the complexity weight of specific fields. For example,
+     * if you have a custom `stockLocations` field defined on the `ProductVariant` type, and
+     * you know that it is a particularly expensive operation to execute, you can increase
+     * its complexity like this:
+     *
+     * @example
+     * ```TypeScript
+     * HardenPlugin.init({
+     *   maxQueryComplexity: 650,
+     *   customComplexityFactors: {
+     *     'ProductVariant.stockLocations': 10
+     *   }
+     * }),
+     * ```
+     */
+    customComplexityFactors?: {
+        [path: string]: number;
+    };
+    /**
+     * @description
+     * Graphql-js will make suggestions about the names of fields if an invalid field name is provided.
+     * This would allow an attacker to find out the available fields by brute force even if introspection
+     * is disabled.
+     *
+     * Setting this option to `true` will prevent these suggestion error messages from being returned,
+     * instead replacing the message with a generic "Invalid request" message.
+     *
+     * @default true
+     */
+    hideFieldSuggestions?: boolean;
+    /**
+     * @description
+     * When set to `'prod'`, the plugin will disable dev-mode features of the GraphQL APIs:
+     *
+     * - introspection
+     * - GraphQL playground
+     *
+     * @default 'prod'
+     */
+    apiMode?: 'dev' | 'prod';
+}

package/lib/src/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/lib/src/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@vendure/harden-plugin",
+  "version": "1.9.1",
+  "license": "MIT",
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "files": [
+    "lib/**/*"
+  ],
+  "scripts": {
+    "watch": "tsc -p ./tsconfig.build.json --watch",
+    "build": "rimraf lib && tsc -p ./tsconfig.build.json",
+    "lint": "tslint --fix --project ./"
+  },
+  "homepage": "https://www.vendure.io/",
+  "funding": "https://github.com/sponsors/michaelbromley",
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "graphql-query-complexity": "^0.12.0"
+  }
+}