@stratumn/postgraphile-plugin-connection-filter

postgraphile-plugin-connection-filter

This plugin adds a filter argument for advanced filtering of list types.

Warning: Use of this plugin (particularly with the default options) may make it astoundingly trivial for a malicious actor (or a well-intentioned application that generates complex GraphQL queries) to overwhelm your database with expensive queries. See the Performance and Security section below for details.

Performance and Security

By default, this plugin:

• Exposes a large number of filter operators, including some that can perform expensive pattern matching.
• Allows filtering on computed columns, which can result in expensive operations.
• Allows filtering on functions that return setof, which can result in expensive operations.
• Allows filtering on List fields (Postgres arrays), which can result in expensive operations.

To protect your server, you can:

• Use the connectionFilterAllowedFieldTypes and connectionFilterAllowedOperators options to limit the filterable fields and operators exposed through GraphQL.
• Set connectionFilterComputedColumns: false to prevent filtering on computed columns.
• Set connectionFilterSetofFunctions: false to prevent filtering on functions that return setof.
• Set connectionFilterLists: false to prevent filtering on List fields (Postgres arrays).

Also see the Production Considerations page of the official PostGraphile docs, which discusses query whitelisting.

Getting Started

CLI

postgraphile --append-plugins `pwd`/path/to/this/plugin/index.js

Library

const express = require("express");
const { postgraphile } = require("postgraphile");
const PostGraphileConnectionFilterPlugin = require("postgraphile-plugin-connection-filter");

const app = express();

app.use(
  postgraphile(pgConfig, schema, {
    graphiql: true,
    appendPlugins: [PostGraphileConnectionFilterPlugin],
  })
);

app.listen(5000);

Operators

The following filter operators are exposed by default:

Logical Operators

Postgres operator	GraphQL field	GraphQL field type
AND	and	List
OR	or	List
NOT	not	Object

Comparison Operators

Postgres expression	GraphQL field	GraphQL field type
IS [NOT] NULL	isNull	Boolean
=	equalTo	Scalar/Enum
<>	notEqualTo	Scalar/Enum
IS DISTINCT FROM	distinctFrom	Scalar/Enum
IS NOT DISTINCT FROM	notDistinctFrom	Scalar/Enum
<	lessThan	Scalar/Enum
<=	lessThanOrEqualTo	Scalar/Enum
>	greaterThan	Scalar/Enum
>=	greaterThanOrEqualTo	Scalar/Enum
IN	in	List
NOT IN	notIn	List
LIKE '%...%'	includes	String
NOT LIKE '%...%'	notIncludes	String
ILIKE '%...%'	includesInsensitive	String
NOT ILIKE '%...%'	notIncludesInsensitive	String
LIKE '...%'	startsWith	String
NOT LIKE '...%'	notStartsWith	String
ILIKE '...%'	startsWithInsensitive	String
NOT ILIKE '...%'	notStartsWithInsensitive	String
LIKE '%...'	endsWith	String
NOT LIKE '%...'	notEndsWith	String
ILIKE '%...'	endsWithInsensitive	String
NOT ILIKE '%...'	notEndsWithInsensitive	String
LIKE '...'	like	String
NOT LIKE '...'	notLike	String
ILIKE '...'	likeInsensitive	String
NOT ILIKE '...'	notLikeInsensitive	String
SIMILAR TO '...'	similarTo	String
NOT SIMILAR TO '...'	notSimilarTo	String
@>	contains	JSON
<@	containedBy	JSON
<<	inetContainedBy	InternetAddress
<<=	inetContainedByOrEquals	InternetAddress
>>	inetContains	InternetAddress
>>=	inetContainsOrEquals	InternetAddress
&&	inetContainsOrIsContainedBy	InternetAddress

List Comparison Operators

Postgres expression	GraphQL field	GraphQL field type
IS [NOT] NULL	isNull	Boolean
=	equalTo	List
<>	notEqualTo	List
IS DISTINCT FROM	distinctFrom	List
IS NOT DISTINCT FROM	notDistinctFrom	List
<	lessThan	List
<=	lessThanOrEqualTo	List
>	greaterThan	List
>=	greaterThanOrEqualTo	List
= ANY()	anyEqualTo	Scalar/Enum
<> ANY()	anyNotEqualTo	Scalar/Enum
> ANY()	anyLessThan	Scalar/Enum
>= ANY()	anyLessThanOrEqualTo	Scalar/Enum
< ANY()	anyGreaterThan	Scalar/Enum
<= ANY()	anyGreaterThanOrEqualTo	Scalar/Enum

Examples

Null values

query {
  allPosts(filter: {
    body: { isNull: true }
  }) {
    ...
  }
}

Non-null values

query {
  allPosts(filter: {
    body: { isNull: false }
  }) {
    ...
  }
}

Comparison operator with scalar input

query {
  allPosts(filter: {
    createdAt: { greaterThan: "2016-01-01" }
  }) {
    ...
  }
}

Comparison operator with array input

query {
  allPosts(filter: {
    authorId: { in: [1, 2] }
  }) {
    ...
  }
}

Multiple comparison operators

Note: Objects with multiple keys are interpreted with an implicit AND between the conditions.

query {
  allPosts(filter: {
    body: { isNull: false },
    createdAt: { greaterThan: "2016-01-01" }
  }) {
    ...
  }
}

Logical operator

query {
  allPosts(filter: {
    or: [
      { authorId: { equalTo: 6 } },
      { createdAt: { greaterThan: "2016-01-01" } }
    ]
  }) {
    ...
  }
}

Compound logic

query {
  allPosts(filter: {
    not: {
      or: [
        { authorId: { equalTo: 6 } },
        { createdAt: { greaterThan: "2016-01-01" } }
      ]
    }
  }) {
    ...
  }
}

Relations: Nested

query {
  allPeople(filter: {
    firstName: { startsWith:"John" }
  }) {
    nodes {
      firstName
      lastName
      postsByAuthorId(filter: {
        createdAt: { greaterThan: "2016-01-01" }
      }) {
        nodes {
          ...
        }
      }
    }
  }
}

Relations: Root-level, many-to-one

Requires connectionFilterRelations: true

query {
  allPosts(filter: {
    personByAuthorId: { createdAt: { greaterThan: "2018-01-01" } }
  }) {
    ...
  }
}

Relations: Root-level, one-to-one

Requires connectionFilterRelations: true

query {
  allPeople(filter: {
    accountByPersonId: { status: { equalTo: ACTIVE } }
  }) {
    ...
  }
}

Relations: Root-level, one-to-many

Not supported yet. #26

For additional examples, see the tests.

Plugin Options

When using PostGraphile as a library, the following plugin options can be passed via graphileBuildOptions:

connectionFilterAllowedOperators

Restrict filtering to specific operators:

postgraphile(pgConfig, schema, {
  graphileBuildOptions: {
    connectionFilterAllowedOperators: [
      "isNull",
      "equalTo",
      "notEqualTo",
      "distinctFrom",
      "notDistinctFrom",
      "lessThan",
      "lessThanOrEqualTo",
      "greaterThan",
      "greaterThanOrEqualTo",
      "in",
      "notIn",
    ],
  },
})

For a full list of the available operators, see the Comparison Operators table above.

connectionFilterAllowedFieldTypes

Restrict filtering to specific field types:

postgraphile(pgConfig, schema, {
  graphileBuildOptions: {
    connectionFilterAllowedFieldTypes: ["String", "Int"],
  },
})

The available field types will depend on your database schema.

connectionFilterComputedColumns

Enable/disable filtering by computed columns:

postgraphile(pgConfig, schema, {
  graphileBuildOptions: {
    connectionFilterComputedColumns: false, // default: true
  },
})

connectionFilterLists

Enable/disable filtering on List fields:

postgraphile(pgConfig, schema, {
  graphileBuildOptions: {
    connectionFilterLists: false, // default: true
  },
})

connectionFilterOperatorNames

Use alternative names (e.g. eq, ne) for operators:

postgraphile(pgConfig, schema, {
  graphileBuildOptions: {
    connectionFilterOperatorNames: {
      equalTo: "eq",
      notEqualTo: "ne",
    },
  },
})

connectionFilterRelations

Enable/disable filtering on related fields:

postgraphile(pgConfig, schema, {
  graphileBuildOptions: {
    connectionFilterRelations: true, // default: false
  },
})

connectionFilterSetofFunctions

Enable/disable filtering on functions that return setof:

postgraphile(pgConfig, schema, {
  graphileBuildOptions: {
    connectionFilterSetofFunctions: false, // default: true
  },
})

Development

To establish a test environment, create an empty Postgres database (e.g. graphile_build_test) and set a TEST_DATABASE_URL environment variable with your connection string (e.g. postgres://localhost:5432/graphile_build_test). Ensure that psql is installed locally and then run:

yarn
npm run test