Cannot remove GraphQL mutations related to plugins

[jwoodb]

Bug report

Required System information

• Node.js version: v14.19.1
• NPM version: 6.14.16
• Strapi version: 4.3.4
• Database: MySQL 8
• Operating system: MacOS

Describe the bug

I am using Strapi with the GraphQL plugin.

I would like to remove all of the queries and mutations that are generated related to plugins (e.g. users-permissions plugin).

I have seen from the docs that the way to remove operations from the schema is to do the following:

extensionService.shadowCRUD('api::category.category').disableQueries();
extensionService.shadowCRUD('api::address.address').disableMutations();

I have the following code to remove operations related to the plugins:

extensionService
  .shadowCRUD("plugin::users-permissions.role")
  .disableQueries();
extensionService
  .shadowCRUD("plugin::users-permissions.role")
  .disableMutations();
extensionService
  .shadowCRUD("plugin::users-permissions.user")
  .disableQueries();
extensionService
  .shadowCRUD("plugin::users-permissions.user")
  .disableMutations();
extensionService.shadowCRUD("plugin::i18n.locale").disableQueries();
extensionService.shadowCRUD("plugin::upload.folder").disableQueries();
extensionService.shadowCRUD("plugin::upload.folder").disableMutations();
extensionService.shadowCRUD("plugin::upload.file").disableMutations();
extensionService.shadowCRUD("plugin::upload.file").disableQueries();

This code successfully removes all queries (apart from 'me') from the schema. However, it does not remove all mutations.

Here is the original list of mutations without any exclusions:

• createUploadFile(...): UploadFileEntityResponse
• updateUploadFile(...): UploadFileEntityResponse
• deleteUploadFile(...): UploadFileEntityResponse
• createUploadFolder(...): UploadFolderEntityResponse
• updateUploadFolder(...): UploadFolderEntityResponse
• deleteUploadFolder(...): UploadFolderEntityResponse
• upload(...): UploadFileEntityResponse!
• multipleUpload(...): [UploadFileEntityResponse]!
• updateFileInfo(...): UploadFileEntityResponse!
• removeFile(...): UploadFileEntityResponse
• createUsersPermissionsRole(...): UsersPermissionsCreateRolePayload
• updateUsersPermissionsRole(...): UsersPermissionsUpdateRolePayload
• deleteUsersPermissionsRole(...): UsersPermissionsDeleteRolePayload
• createUsersPermissionsUser(...): UsersPermissionsUserEntityResponse!
• updateUsersPermissionsUser(...): UsersPermissionsUserEntityResponse!
• deleteUsersPermissionsUser(...): UsersPermissionsUserEntityResponse!
• login(...): UsersPermissionsLoginPayload!
• register(...): UsersPermissionsLoginPayload!
• forgotPassword(...): UsersPermissionsPasswordPayload
• resetPassword(...): UsersPermissionsLoginPayload
• changePassword(...): UsersPermissionsLoginPayload
• emailConfirmation(...): UsersPermissionsLoginPayload

The above code only removes the following mutations from the schema:

• createUploadFile(...): UploadFileEntityResponse
• updateUploadFile(...): UploadFileEntityResponse
• deleteUploadFile(...): UploadFileEntityResponse
• createUploadFolder(...): UploadFolderEntityResponse
• updateUploadFolder(...): UploadFolderEntityResponse
• deleteUploadFolder(...): UploadFolderEntityResponse

I cannot see why it removes some mutations related to files and folders, but not others. I also can't see why the code succeeds in removing queries relating to users-permissions, but not the mutations.

It could be that I just don't know how this works, but I've not been able to find any documentation related to removing operations related to plugins from the schema. The best I got was this SO question that as of yet has not had a proper answer. https://stackoverflow.com/questions/73331289/disable-graphql-queries-other-than-crud-in-strapi-v4

Anyway, it seems to me like it's behaving in a very inconsistent way, hence why I'm filing a bug report.

Steps to reproduce the behavior

Add the code above to src/index.ts.

Run Strapi and check out the schema in the GraphQL Playground - look for which operations have been excluded and which haven't.

Expected behavior

All operations related to the plugins would have been excluded.

[strapi-bot]

This issue has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/how-do-i-remove-graphql-mutations-related-to-plugins/21949/1

[derrickmehaffy]

Hello,

I see you are wanting to ask a question that is not really a bug report,

• questions should be directed to our forum or our Discord.
• feature requests should be directed to our feedback and feature request database

Please see the following contributing guidelines for asking a question here.

[peisenmann]

I know this issue is ancient, but I didn't easily find a newer version of it. This is still a problem, not just with documentation, but with functionality. When UsersPermissions adds some mutations, it does so outside of ShadowCRUD and cannot be disabled with .disableMutations. You can override the mutations, but you cannot remove them. I looked through the Nexus docs and I can't find an API to remove them there, either. As far as I can tell, they permanently pollute your GraphQL schema unless you completely disable ShadowCRUD and write all your resolvers from scratch.

[jwoodb]

@peisenmann So, I did actually figure out a way to achieve what I wanted here.

Here's what I have:

import { SubschemaConfig } from "@graphql-tools/delegate";
import { FilterRootFields } from "@graphql-tools/wrap";
import { schema } from ".."

const disabledQueries = [
  "me",
  "uploadFile",
  "uploadFiles",
  "uploadFolder",
  "uploadFolders",
  "i18NLocale",
  "i18NLocales",
  "usersPermissionsRole",
  "usersPermissionsRoles",
  "usersPermissionsUser",
  "usersPermissionsUsers",
];

export const getStrapiSchemaConfig = async () => {
    return {
      schema,
      transforms: [
        /**
         * Removes all mutations from the schema, and all the queries listed in the 'disabledQueries' array.
         */
        new FilterRootFields(
          (operation, rootField) => operation === "Query" && !disabledQueries.includes(rootField)
        )
    } as SubschemaConfig;
};

The key is the FilterRootFields class from @graphql-tools/wrap.

I'm passing the return value of this method to the the 'additionalSchemas' field on the createApolloServer to merge the schema from Strapi with my regular GraphQL schema.

Hope this helps!

[aturkewi]

Hi @jwoodb I am actually running into a similar issue right now where I'm trying to strip out the register mutation and the other user-permissions mutation off of the graphql schema. I really like the look of this solution you have setup, but I'm not sure how to implement it. Where are you passing this return value? Is it somewhere in the config setup?

// config/plugins.js

export default ({ env }) => (
  {
    graphql: {
      config: {
      // somewhere in here?
      }
    }
  }
)

[jwoodb]

I'm using Apollo Server, and I'm creating a remote schema from the Strapi GraphQL API and then passing the schema from my method above to the 'additionalSchemas' field on the createApolloServer method, which merges it with my main resolvers.

I realise I'm doing something a little more complicated here than just removing the mutations from the standard Strapi GraphQL schema. If you putting all your code inside Strapi, then I'm not sure whether this works or not.

const strapiSubSchema = await getStrapiSchemaConfig();

const server = createApolloServer({    
    typeDefs,
    resolvers,
    httpServer,
    additionalSchemas: [strapiSubSchema],
});

[LucaNerlich]

Hi @jwoodb where are you placing this code? Also, where are you getting schema from?
import { schema } from ".."

I am trying to achieve the same thing by customizing the query policies, but even following the docs exactly, strapi fails to boot:

#22679

Thanks!

[jwoodb]

@LucaNerlich To confirm, I'm doing something a bit differently to just trying to remove them in Strapi. I'm stitching the Strapi schema together with my own custom schema in Apollo Server. If all you want to do is remove them in Strapi and you're not trying to stitch it to your own schema, then I'm not sure how to do it.

But, if you want to remove them before stitching them to your own schema in Apollo Server, then I found a way to do it. This is my own custom code in my repo for my custom GraphQL server - totally separate from Strapi.

import { AsyncExecutor } from "@graphql-tools/utils";
import { schemaFromExecutor, wrapSchema } from "@graphql-tools/wrap";
import axios from "axios";
import { print } from "graphql";

interface CreateRemoteSchemaArgs {
  url: string;
  authToken: string;
}

const getRemoteExecutor =
  (args: CreateRemoteSchemaArgs): AsyncExecutor =>
  async (asyncExecutorArgs) => {
    const introspectionQuery = print(asyncExecutorArgs.document);

    const data = JSON.stringify({
      query: introspectionQuery,
      variables: asyncExecutorArgs.variables,
    });

    const fetchResult = await axios(args.url, {
      method: "post",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${args.authToken}`,
      },
      data,
    });
    return fetchResult.data;
  };

export const createRemoteSchema = async (args: CreateRemoteSchemaArgs) => {
  const executor = getRemoteExecutor(args);
  const schema = await schemaFromExecutor(executor);

  return wrapSchema({
    schema,
    executor,
  });
};

const schema = await createRemoteSchema({
    url: // Location where Strapi server is running,
    authToken: // Strapi API token,
});

const disabledQueries = [
  "me",
  "uploadFile",
  "uploadFiles",
  "uploadFolder",
  "uploadFolders",
  "i18NLocale",
  "i18NLocales",
  "usersPermissionsRole",
  "usersPermissionsRoles",
  "usersPermissionsUser",
  "usersPermissionsUsers",
];

export const getStrapiSchemaConfig = async () => {
    return {
      schema,
      transforms: [
        /**
         * This is where the operations you don't want get removed. 
         */
        new FilterRootFields(
          (operation, rootField) => operation === "Query" && !disabledQueries.includes(rootField)
        )
    } as SubschemaConfig;
};

You can then use this like so:

const strapiSubSchema = await getStrapiSchemaConfig();

const server = createApolloServer({    
    typeDefs,
    resolvers,
    httpServer,
    additionalSchemas: [strapiSubSchema],
});