feat: enable bypassing persisted operations

README.md

@@ -108,6 +108,26 @@ persistedOperations?: { [hash: string]: string };
  * stores (e.g. S3).
  */
 persistedOperationsGetter?: PersistedOperationGetter;
+
+/**
+ * There are situations where you may want to allow arbitrary operations
+ * (for example using GraphiQL in development, or allowing an admin to
+ * make arbitrary requests in production) whilst enforcing Persisted
+ * Operations for the application and non-admin users. This function
+ * allows you to determine under which circumstances persisted operations
+ * may be bypassed.
+ *
+ * @example
+ *
+ * ```
+ * app.use(postgraphile(DATABASE_URL, SCHEMAS, {
+ * allowUnpersistedOperation(req) {
+ * return process.env.NODE_ENV === "development" && req.headers.referer?.endsWith("/graphiql");
+ * }
+ * });
+ * ```
+ */ 
+ allowUnpersistedOperation?(request: IncomingMessage, payload: any): boolean;
 ```
 
 All these options are optional; but you should specify exactly one of

RELEASE_NOTES.md

@@ -11,3 +11,7 @@
 ### v0.0.1
 
 - Initial release
+
+### Pending
+
+- Added `allowUnpersistedOperation` option, allowing arbitrary operations to be issued under controlled circumstances

src/index.ts

@@ -1,5 +1,6 @@
 import { readFileSync, promises as fsp } from "fs";
 import { PostGraphileOptions, PostGraphilePlugin } from "postgraphile";
+import { IncomingMessage } from "http";
 
 /**
  * Given a persisted operation hash, return the associated GraphQL operation
@@ -49,6 +50,29 @@ declare module "postgraphile" {
  * stores (e.g. S3).
  */
  persistedOperationsGetter?: PersistedOperationGetter;
+
+ /**
+ * There are situations where you may want to allow arbitrary operations
+ * (for example using GraphiQL in development, or allowing an admin to
+ * make arbitrary requests in production) whilst enforcing Persisted
+ * Operations for the application and non-admin users. This function
+ * allows you to determine under which circumstances persisted operations
+ * may be bypassed.
+ *
+ * @example
+ *
+ * ```
+ * app.use(postgraphile(DATABASE_URL, SCHEMAS, {
+ * allowUnpersistedOperation(req) {
+ * return process.env.NODE_ENV === "development" && req.headers.referer.endsWith("/graphiql");
+ * }
+ * });
+ * ```
+ */
+ allowUnpersistedOperation?(
+ request: IncomingMessage,
+ payload: any
+ ): boolean;
  }
 }
 
@@ -195,12 +219,17 @@ function getterFromOptions(options: PostGraphileOptions) {
  */
 function persistedOperationFromPayload(
  payload: any,
- options: PostGraphileOptions
+ options: PostGraphileOptions,
+ allowUnpersistedOperation: boolean
 ): string | null {
  try {
  const hashFromPayload = options.hashFromPayload || defaultHashFromPayload;
  const hash = hashFromPayload(payload);
  if (typeof hash !== "string") {
+ if (allowUnpersistedOperation && typeof payload?.query === "string") {
+ return payload.query;
+ }
+
  throw new Error(
  "We could not find a persisted operation hash string in the request."
  );
@@ -251,20 +280,31 @@ const PersistedQueriesPlugin: PostGraphilePlugin = {
  },
 
  // For regular HTTP requests
- "postgraphile:httpParamsList"(paramsList, { options }) {
+ "postgraphile:httpParamsList"(paramsList, { options, req }) {
  return paramsList.map((params: any) => {
+ const allowUnpersistedOperations =
+ options.allowUnpersistedOperation || (() => false);
+
  // ALWAYS OVERWRITE, even if invalid; the error will be thrown elsewhere.
- params.query = persistedOperationFromPayload(params, options) as string;
+ params.query = persistedOperationFromPayload(
+ params,
+ options,
+ allowUnpersistedOperations(req, params)
+ ) as string;
  return params;
  });
  },
 
  // For websocket requests
- "postgraphile:ws:onOperation"(params, { message, options }) {
+ "postgraphile:ws:onOperation"(params, { message, options, req }) {
+ const allowUnpersistedOperations =
+ options.allowUnpersistedOperation || (() => false);
+
  // ALWAYS OVERWRITE, even if invalid; the error will be thrown elsewhere.
  params.query = persistedOperationFromPayload(
  message.payload,
- options
+ options,
+ allowUnpersistedOperations(req, message.payload)
  ) as string;
  return params;
  },