Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat: Allow skipping complexity check in Harden Plugin #3340

Open
wants to merge 2 commits into
base: minor
Choose a base branch
from
Open

Feat: Allow skipping complexity check in Harden Plugin #3340

wants to merge 2 commits into from

Conversation

martijnvdbrug
Copy link
Collaborator

@martijnvdbrug martijnvdbrug commented Jan 30, 2025
edited
Loading

Description

We are using the Harden Plugin, but would like to be able to skip the complexity check for storefront SSR builds.

This PR introduces an optional skip function, inspired by express-rate-limit, that allows the consumer to skip certain requests.

Screenshots below we're tested with the following config:

  skip: (ctx) => {
    return !!ctx.request.http?.headers.get("x-skip-complexity")
  }

This skips the complexity check when the header x-skip-complexity is present. In production use, you would check for a token or something.

Breaking changes

No

Screenshots

Complex query without header
image

The same complex query with custom header
image

And, another test without a skip function specified.
image

Checklist

📌 Always:

  • I have set a clear title
  • My PR is small and contains a single feature
  • I have checked my own PR

👍 Most of the time:

  • I have added or updated test cases
  • I have updated the README if needed

@vercel Vercel
Copy link

vercel bot commented Jan 30, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
docs ✅ Ready (Inspect) Visit Preview Jan 30, 2025 10:17am

@martijnvdbrug martijnvdbrug changed the base branch from master to minor January 30, 2025 08:17
@martijnvdbrug
Copy link
Collaborator Author

@michaelbromley Not sure why tests are failing, HardenPlugin doesn't seem to be included in any e2e tests. Someone else broke the minor branch maybe?

twlite
twlite reviewed Jan 30, 2025
View reviewed changes
packages/harden-plugin/src/middleware/query-complexity-plugin.ts Outdated
const maxQueryComplexity = this.options.maxQueryComplexity ?? 1000;
return {
didResolveOperation: async ({ request, document }) => {
if (isAdminApi(schema)) {
if (this.options.skip?.(ctx)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great if this supported Awaitable<boolean> in addition to boolean. Supporting promises would allow developers to include external resources, such as making a third-party validation request.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I purposely did not do that, because it can have severe performance impact if you do anything async in every request.

But I guess we can move that responsibility to the consumer.... Let me add it.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@twlite twlite twlite left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@martijnvdbrug @twlite