feat(graphql): graphQL custom field complexity and validationRules (#9955)

### What?
Adds the ability to set custom validation rules on the root `graphQL`
config property and the ability to define custom complexity on
relationship, join and upload type fields.

### Why?
**Validation Rules**

These give you the option to add your own validation rules. For example,
you may want to prevent introspection queries in production. You can now
do that with the following:

```ts
import { GraphQL } from '@payloadcms/graphql/types'
import { buildConfig } from 'payload'

export default buildConfig({
  // ...
  graphQL: {
    validationRules: (args) => [
      NoProductionIntrospection
    ]
  },
  // ...
})

const NoProductionIntrospection: GraphQL.ValidationRule = (context) => ({
  Field(node) {
    if (process.env.NODE_ENV === 'production') {
      if (node.name.value === '__schema' || node.name.value === '__type') {
        context.reportError(
          new GraphQL.GraphQLError(
            'GraphQL introspection is not allowed, but the query contained __schema or __type',
            { nodes: [node] }
          )
        );
      }	
    }
  }
})
```

**Custom field complexity**

You can now increase the complexity of a field, this will help users
from running queries that are too expensive. A higher number will make
the `maxComplexity` trigger sooner.

```ts
const fieldWithComplexity = {
  name: 'authors',
  type: 'relationship',
  relationship: 'authors',
  graphQL: {
    complexity: 100, // highlight-line
  }
}
```

Author: JarrodMFlesch

docs/fields/join.mdx

@@ -136,6 +136,7 @@ powerful Admin UI.
 | **`admin`**            | Admin-specific configuration. [More details](#admin-config-options).                                                                                                                           |
 | **`custom`**           | Extension point for adding custom data (e.g. for plugins).                                                                                                                                     |
 | **`typescriptSchema`** | Override field type generation with providing a JSON schema.                                                                                                                                   |
+| **`graphQL`**          | Custom graphQL configuration for the field. [More details](/docs/graphql/overview#field-complexity)                                                                                            |
 
 _\* An asterisk denotes that a property is required._
 

docs/fields/relationship.mdx

@@ -61,6 +61,7 @@ export const MyRelationshipField: Field = {
 | **`custom`**           | Extension point for adding custom data (e.g. for plugins)                                                                                                                       |
 | **`typescriptSchema`** | Override field type generation with providing a JSON schema                                                                                                                     |
 | **`virtual`**          | Provide `true` to disable field in the database. See [Virtual Fields](https://payloadcms.com/blog/learn-how-virtual-fields-can-help-solve-common-cms-challenges)                |
+| **`graphQL`**          | Custom graphQL configuration for the field. [More details](/docs/graphql/overview#field-complexity)                                                                             |
 
 _\* An asterisk denotes that a property is required._
 

docs/fields/upload.mdx

@@ -68,6 +68,7 @@ export const MyUploadField: Field = {
 | **`custom`**           | Extension point for adding custom data (e.g. for plugins)                                                                                                                   |
 | **`typescriptSchema`** | Override field type generation with providing a JSON schema                                                                                                                 |
 | **`virtual`**          | Provide `true` to disable field in the database. See [Virtual Fields](https://payloadcms.com/blog/learn-how-virtual-fields-can-help-solve-common-cms-challenges)            |
+| **`graphQL`**          | Custom graphQL configuration for the field. [More details](/docs/graphql/overview#field-complexity)                                                                         |
 
 _\* An asterisk denotes that a property is required._
 

docs/graphql/overview.mdx

@@ -23,6 +23,7 @@ At the top of your Payload Config you can define all the options to manage Graph
 | `maxComplexity`                 | A number used to set the maximum allowed complexity allowed by requests [More](/docs/graphql/overview#query-complexity-limits)  |
 | `disablePlaygroundInProduction` | A boolean that if false will enable the GraphQL playground, defaults to true. [More](/docs/graphql/overview#graphql-playground) |
 | `disable`                       | A boolean that if true will disable the GraphQL entirely, defaults to false.                                                    |
+| `validationRules`               | A function that takes the ExecutionArgs and returns an array of ValidationRules.                                                |
 
 ## Collections
 
@@ -124,6 +125,55 @@ You can even log in using the `login[collection-singular-label-here]` mutation t
   see a ton of detail about how GraphQL operates within Payload.
 </Banner>
 
+## Custom Validation Rules
+
+You can add custom validation rules to your GraphQL API by defining a `validationRules` function in your Payload Config. This function should return an array of [Validation Rules](https://graphql.org/graphql-js/validation/#validation-rules) that will be applied to all incoming queries and mutations.
+
+```ts
+import { GraphQL } from '@payloadcms/graphql/types'
+import { buildConfig } from 'payload'
+
+export default buildConfig({
+  // ...
+  graphQL: {
+    validationRules: (args) => [
+      NoProductionIntrospection
+    ]
+  },
+  // ...
+})
+
+const NoProductionIntrospection: GraphQL.ValidationRule = (context) => ({
+  Field(node) {
+    if (process.env.NODE_ENV === 'production') {
+      if (node.name.value === '__schema' || node.name.value === '__type') {
+        context.reportError(
+          new GraphQL.GraphQLError(
+            'GraphQL introspection is not allowed, but the query contained __schema or __type',
+            { nodes: [node] }
+          )
+        );
+      }	
+    }
+  }
+})
+```
+
 ## Query complexity limits
 
 Payload comes with a built-in query complexity limiter to prevent bad people from trying to slow down your server by running massive queries. To learn more, [click here](/docs/production/preventing-abuse#limiting-graphql-complexity).
+
+## Field complexity
+
+You can define custom complexity for `relationship`, `upload` and `join` type fields. This is useful if you want to assign a higher complexity to a field that is more expensive to resolve. This can help prevent users from running queries that are too complex.
+
+```ts
+const fieldWithComplexity = {
+  name: 'authors',
+  type: 'relationship',
+  relationship: 'authors',
+  graphQL: {
+    complexity: 100, // highlight-line
+  }
+}
+```

packages/graphql/src/index.ts

@@ -98,14 +98,12 @@ export function configToSchema(config: SanitizedConfig): {
   const query = new GraphQL.GraphQLObjectType(graphqlResult.Query)
   const mutation = new GraphQL.GraphQLObjectType(graphqlResult.Mutation)
 
-  const schemaToCreate = {
+  const schema = new GraphQL.GraphQLSchema({
     mutation,
     query,
-  }
-
-  const schema = new GraphQL.GraphQLSchema(schemaToCreate)
+  })
 
-  const validationRules = (args) => [
+  const validationRules = (args): GraphQL.ValidationRule[] => [
     createComplexityRule({
       estimators: [
         fieldExtensionsEstimator(),
@@ -115,6 +113,9 @@ export function configToSchema(config: SanitizedConfig): {
       variables: args.variableValues,
       // onComplete: (complexity) => { console.log('Query Complexity:', complexity); },
     }),
+    ...(typeof config?.graphQL?.validationRules === 'function'
+      ? config.graphQL.validationRules(args)
+      : []),
   ]
 
   return {

packages/graphql/src/schema/buildObjectType.ts

@@ -245,7 +245,10 @@ export function buildObjectType({
             type: graphqlResult.collections[field.collection].graphQL.whereInputType,
           },
         },
-        extensions: { complexity: 10 },
+        extensions: {
+          complexity:
+            typeof field?.graphQL?.complexity === 'number' ? field.graphQL.complexity : 10,
+        },
         async resolve(parent, args, context: Context) {
           const { collection } = field
           const { limit, sort, where } = args
@@ -416,7 +419,10 @@ export function buildObjectType({
           forceNullable,
         ),
         args: relationshipArgs,
-        extensions: { complexity: 10 },
+        extensions: {
+          complexity:
+            typeof field?.graphQL?.complexity === 'number' ? field.graphQL.complexity : 10,
+        },
         async resolve(parent, args, context: Context) {
           const value = parent[field.name]
           const locale = args.locale || context.req.locale
@@ -768,7 +774,10 @@ export function buildObjectType({
           forceNullable,
         ),
         args: relationshipArgs,
-        extensions: { complexity: 10 },
+        extensions: {
+          complexity:
+            typeof field?.graphQL?.complexity === 'number' ? field.graphQL.complexity : 10,
+        },
         async resolve(parent, args, context: Context) {
           const value = parent[field.name]
           const locale = args.locale || context.req.locale

packages/payload/src/config/types.ts

@@ -950,6 +950,12 @@ export type Config = {
      * Filepath to write the generated schema to
      */
     schemaOutputFile?: string
+    /**
+     * Function that returns an array of validation rules to apply to the GraphQL schema
+     *
+     * @see https://payloadcms.com/docs/graphql/overview#custom-validation-rules
+     */
+    validationRules?: (args: GraphQL.ExecutionArgs) => GraphQL.ValidationRule[]
   }
   /**
    * Tap into Payload-wide hooks.

packages/payload/src/fields/config/client.ts

@@ -32,6 +32,7 @@ export type ServerOnlyFieldProperties =
   | 'editor' // This is a `richText` only property
   | 'enumName' // can be a function
   | 'filterOptions' // This is a `relationship` and `upload` only property
+  | 'graphQL'
   | 'label'
   | 'typescriptSchema'
   | 'validate'
@@ -53,6 +54,7 @@ const serverOnlyFieldProperties: Partial<ServerOnlyFieldProperties>[] = [
   'typescriptSchema',
   'dbName', // can be a function
   'enumName', // can be a function
+  'graphQL', // client does not need graphQL
   // the following props are handled separately (see below):
   // `label`
   // `fields`

packages/payload/src/fields/config/types.ts

@@ -370,6 +370,17 @@ export type OptionObject = {
 
 export type Option = OptionObject | string
 
+export type FieldGraphQLType = {
+  graphQL?: {
+    /**
+     * Complexity for the query. This is used to limit the complexity of the join query.
+     *
+     * @default 10
+     */
+    complexity?: number
+  }
+}
+
 export interface FieldBase {
   /**
    * Do not set this property manually. This is set to true during sanitization, to avoid
@@ -844,6 +855,7 @@ type SharedUploadProperties = {
       validate?: UploadFieldSingleValidation
     }
 ) &
+  FieldGraphQLType &
   Omit<FieldBase, 'validate'>
 
 type SharedUploadPropertiesClient = FieldBaseClient &
@@ -1023,6 +1035,7 @@ type SharedRelationshipProperties = {
       validate?: RelationshipFieldSingleValidation
     }
 ) &
+  FieldGraphQLType &
   Omit<FieldBase, 'validate'>
 
 type SharedRelationshipPropertiesClient = FieldBaseClient &
@@ -1405,7 +1418,8 @@ export type JoinField = {
   type: 'join'
   validate?: never
   where?: Where
-} & FieldBase
+} & FieldBase &
+  FieldGraphQLType
 
 export type JoinFieldClient = {
   admin?: AdminClient & Pick<JoinField['admin'], 'allowCreate' | 'disableBulkEdit' | 'readOnly'>

test/graphql/config.ts

@@ -0,0 +1,67 @@
+import { GraphQL } from '@payloadcms/graphql/types'
+import { fileURLToPath } from 'node:url'
+import path from 'path'
+
+import { buildConfigWithDefaults } from '../buildConfigWithDefaults.js'
+import { devUser } from '../credentials.js'
+
+const filename = fileURLToPath(import.meta.url)
+const dirname = path.dirname(filename)
+
+export default buildConfigWithDefaults({
+  // ...extend config here
+  collections: [
+    {
+      slug: 'posts',
+      fields: [
+        {
+          name: 'title',
+          label: 'Title',
+          type: 'text',
+        },
+        {
+          type: 'relationship',
+          relationTo: 'posts',
+          name: 'relationToSelf',
+          graphQL: {
+            complexity: 801,
+          },
+        },
+      ],
+    },
+  ],
+  admin: {
+    importMap: {
+      baseDir: path.resolve(dirname),
+    },
+  },
+  onInit: async (payload) => {
+    await payload.create({
+      collection: 'users',
+      data: {
+        email: devUser.email,
+        password: devUser.password,
+      },
+    })
+  },
+  typescript: {
+    outputFile: path.resolve(dirname, 'payload-types.ts'),
+  },
+  graphQL: {
+    maxComplexity: 800,
+    validationRules: () => [NoIntrospection],
+  },
+})
+
+const NoIntrospection: GraphQL.ValidationRule = (context) => ({
+  Field(node) {
+    if (node.name.value === '__schema' || node.name.value === '__type') {
+      context.reportError(
+        new GraphQL.GraphQLError(
+          'GraphQL introspection is not allowed, but the query contained __schema or __type',
+          { nodes: [node] },
+        ),
+      )
+    }
+  },
+})