Enable to configure allowed HTTP methods for subscriptions (#225)

* Enable to configure allowed HTTP methods for subscriptions * Move test * Add changeset * Update packages/core/lib/process-request.ts Co-authored-by: Laurin Quast <laurinquast@googlemail.com> * adjust test Co-authored-by: Laurin Quast <laurinquast@googlemail.com>
contra · Mar 8, 2022 · baf0b15 · baf0b15
1 parent e534015
commit baf0b15
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 4 deletions.
diff --git a/.changeset/sweet-icons-enjoy.md b/.changeset/sweet-icons-enjoy.md
@@ -0,0 +1,5 @@
+---
+"graphql-helix": minor
+---
+
+Enable to configure allowed HTTP methods for subscriptions.
diff --git a/packages/core/lib/process-request.ts b/packages/core/lib/process-request.ts
@@ -97,6 +97,7 @@ export const processRequest = async <TContext = {}, TRootValue = {}>(
     validate = defaultValidate,
     validationRules,
     variables,
+    allowedSubscriptionHttpMethods = ["GET", "POST"],
   } = options;
 
   let context: TContext | undefined;
@@ -165,10 +166,20 @@ export const processRequest = async <TContext = {}, TRootValue = {}>(
         rootValue = rootValueFactory ? await rootValueFactory(executionContext) : ({} as TRootValue);
 
         if (operation.operation === "subscription") {
-          if (!isHttpMethod("GET", request.method)) {
-            throw new HttpError(405, "Can only perform subscription operation from a GET request.", {
-              headers: [...defaultSingleResponseHeaders, { name: "Allow", value: "GET" }],
-            });
+          if (!allowedSubscriptionHttpMethods.some((method) => isHttpMethod(method, request.method))) {
+            throw new HttpError(
+              405,
+              `Can only perform subscription operation from a ${allowedSubscriptionHttpMethods.join(" or ")} request.`,
+              {
+                headers: [
+                  ...defaultSingleResponseHeaders,
+                  {
+                    name: "Allow",
+                    value: allowedSubscriptionHttpMethods.join(", "),
+                  },
+                ],
+              }
+            );
           }
           const result = await subscribe({
             schema,

diff --git a/packages/core/lib/types.ts b/packages/core/lib/types.ts
@@ -121,6 +121,10 @@ export interface ProcessRequestOptions<TContext, TRootValue> {
    * Values for any Variables defined by the Operation.
    */
   variables?: string | { [name: string]: any };
+  /**
+   * HTTP methods that are allowed for subscriptions.
+   */
+  allowedSubscriptionHttpMethods?: ReadonlyArray<"POST" | "GET">;
 }
 
 export interface FormatPayloadParams<TContext, TRootValue> {

diff --git a/packages/core/test/process-request.test.ts b/packages/core/test/process-request.test.ts
@@ -0,0 +1,49 @@
+import { getGraphQLParameters, processRequest } from "../lib";
+import { makeExecutableSchema } from "@graphql-tools/schema";
+import { GraphQLError } from "graphql";
+
+const schema = makeExecutableSchema({
+  typeDefs: /* GraphQL */ `
+    type Query {
+      hello: String
+    }
+    type Subscription {
+      countdown(from: Int): Int
+    }
+  `,
+  resolvers: {
+    Subscription: {
+      countdown: {
+        subscribe: async function* () {
+          yield "Hi";
+        },
+      },
+    },
+  },
+});
+
+describe("process-request", () => {
+  it("should not allow POST if disabled", async () => {
+    const request = {
+      body: { query: "subscription { countdown }" },
+      method: "POST",
+      headers: {},
+      query: "",
+    };
+
+    const { operationName, query, variables } = getGraphQLParameters(request);
+
+    const result = await processRequest({
+      operationName,
+      query,
+      variables,
+      request,
+      schema,
+      allowedSubscriptionHttpMethods: ["GET"],
+    });
+
+    expect(result.type).toBe("RESPONSE");
+    expect((result as any).status).toBe(405);
+    expect((result as any).payload.errors[0] instanceof GraphQLError).toBe(true);
+  });
+});