Execute queries over GET

CHANGELOG.md

@@ -1,5 +1,11 @@
 # CHANGELOG
 
+## 0.23 (UNRELEASED)
+
+- Added `execute_get_queries` setting to the `GraphQL` apps that controls execution of the GraphQL "query" operations made with GET requests. Defaults to `False`.
+- Added support for the Apollo Federation versions up to 2.6.
+
+
 ## 0.22 (2024-01-31)
 
 - Deprecated `EnumType.bind_to_default_values` method. It will be removed in a future release.

ariadne/asgi/graphql.py

@@ -39,6 +39,7 @@ def __init__(
         query_parser: Optional[QueryParser] = None,
         query_validator: Optional[QueryValidator] = None,
         validation_rules: Optional[ValidationRules] = None,
+        execute_get_queries: bool = False,
         debug: bool = False,
         introspection: bool = True,
         explorer: Optional[Explorer] = None,
@@ -73,6 +74,9 @@ def __init__(
         list of extra validation rules server should use to validate the
         GraphQL queries. Defaults to `None`.
 
+        `execute_get_queries`: a `bool` that controls if `query` operations
+        sent using the `GET` method should be executed. Defaults to `False`.
+
         `debug`: a `bool` controlling in server should run in debug mode or
         not. Controls details included in error data returned to clients.
         Defaults to `False`.
@@ -126,6 +130,7 @@ def __init__(
             query_parser,
             query_validator,
             validation_rules,
+            execute_get_queries,
             debug,
             introspection,
             explorer,
@@ -140,6 +145,7 @@ def __init__(
             query_parser,
             query_validator,
             validation_rules,
+            execute_get_queries,
             debug,
             introspection,
             explorer,

ariadne/asgi/handlers/base.py

@@ -40,6 +40,7 @@ def __init__(self) -> None:
         self.query_parser: Optional[QueryParser] = None
         self.query_validator: Optional[QueryValidator] = None
         self.validation_rules: Optional[ValidationRules] = None
+        self.execute_get_queries: bool = False
         self.execution_context_class: Optional[Type[ExecutionContext]] = None
         self.middleware_manager_class: Optional[Type[MiddlewareManager]] = None
 
@@ -79,6 +80,7 @@ def configure(
         query_parser: Optional[QueryParser] = None,
         query_validator: Optional[QueryValidator] = None,
         validation_rules: Optional[ValidationRules] = None,
+        execute_get_queries: bool = False,
         debug: bool = False,
         introspection: bool = True,
         explorer: Optional[Explorer] = None,
@@ -94,6 +96,7 @@ def configure(
         self.context_value = context_value
         self.debug = debug
         self.error_formatter = error_formatter
+        self.execute_get_queries = execute_get_queries
         self.execution_context_class = execution_context_class
         self.introspection = introspection
         self.explorer = explorer

ariadne/asgi/handlers/http.py

@@ -1,6 +1,6 @@
 import json
 from inspect import isawaitable
-from typing import Any, Optional, Type, cast
+from typing import Any, Optional, Type, Union, cast
 
 from graphql import DocumentNode, MiddlewareManager
 from starlette.datastructures import UploadFile
@@ -114,9 +114,12 @@ async def handle_request(self, request: Request) -> Response:
 
         `request`: the `Request` instance from Starlette or FastAPI.
         """
-        if request.method == "GET" and self.introspection and self.explorer:
-            # only render explorer when introspection is enabled
-            return await self.render_explorer(request, self.explorer)
+        if request.method == "GET":
+            if self.execute_get_queries and request.query_params.get("query"):
+                return await self.graphql_http_server(request)
+            if self.introspection and self.explorer:
+                # only render explorer when introspection is enabled
+                return await self.render_explorer(request, self.explorer)
 
         if request.method == "POST":
             return await self.graphql_http_server(request)
@@ -182,14 +185,20 @@ async def extract_data_from_request(self, request: Request):
             return await self.extract_data_from_json_request(request)
         if content_type == DATA_TYPE_MULTIPART:
             return await self.extract_data_from_multipart_request(request)
+        if (
+            request.method == "GET"
+            and self.execute_get_queries
+            and request.query_params.get("query")
+        ):
+            return self.extract_data_from_get_request(request)
 
         raise HttpBadRequestError(
             "Posted content must be of type {} or {}".format(
                 DATA_TYPE_JSON, DATA_TYPE_MULTIPART
             )
         )
 
-    async def extract_data_from_json_request(self, request: Request):
+    async def extract_data_from_json_request(self, request: Request) -> dict:
         """Extracts GraphQL data from JSON request.
 
         Returns a `dict` with GraphQL query data that was not yet validated.
@@ -203,7 +212,9 @@ async def extract_data_from_json_request(self, request: Request):
         except (TypeError, ValueError) as ex:
             raise HttpBadRequestError("Request body is not a valid JSON") from ex
 
-    async def extract_data_from_multipart_request(self, request: Request):
+    async def extract_data_from_multipart_request(
+        self, request: Request
+    ) -> Union[dict, list]:
         """Extracts GraphQL data from `multipart/form-data` request.
 
         Returns an unvalidated `dict` with GraphQL query data.
@@ -240,6 +251,35 @@ async def extract_data_from_multipart_request(self, request: Request):
 
         return combine_multipart_data(operations, files_map, request_files)
 
+    def extract_data_from_get_request(self, request: Request) -> dict:
+        """Extracts GraphQL data from GET request's querystring.
+
+        Returns a `dict` with GraphQL query data that was not yet validated.
+
+        # Required arguments
+
+        `request`: the `Request` instance from Starlette or FastAPI.
+        """
+        query = request.query_params["query"].strip()
+        operation_name = request.query_params.get("operationName", "").strip()
+        variables = request.query_params.get("variables", "").strip()
+
+        clean_variables = None
+
+        if variables:
+            try:
+                clean_variables = json.loads(variables)
+            except (TypeError, ValueError) as ex:
+                raise HttpBadRequestError(
+                    "Variables query arg is not a valid JSON"
+                ) from ex
+
+        return {
+            "query": query,
+            "operationName": operation_name or None,
+            "variables": clean_variables,
+        }
+
     async def execute_graphql_query(
         self,
         request: Any,
@@ -275,6 +315,11 @@ async def execute_graphql_query(
         if self.schema is None:
             raise TypeError("schema is not set, call configure method to initialize it")
 
+        if isinstance(request, Request):
+            require_query = request.method == "GET"
+        else:
+            require_query = False
+
         return await graphql(
             self.schema,
             data,
@@ -284,6 +329,7 @@ async def execute_graphql_query(
             query_validator=self.query_validator,
             query_document=query_document,
             validation_rules=self.validation_rules,
+            require_query=require_query,
             debug=self.debug,
             introspection=self.introspection,
             logger=self.logger,

ariadne/graphql.py

@@ -22,6 +22,7 @@
     GraphQLError,
     GraphQLSchema,
     MiddlewareManager,
+    OperationDefinitionNode,
     TypeInfo,
     execute,
     execute_sync,
@@ -71,6 +72,7 @@
     introspection: bool = True,
     logger: Union[None, str, Logger, LoggerAdapter] = None,
     validation_rules: Optional[ValidationRules] = None,
+    require_query: bool = False,
     error_formatter: ErrorFormatter = format_error,
     middleware: MiddlewareList = None,
     middleware_manager_class: Optional[Type[MiddlewareManager]] = None,
@@ -123,6 +125,9 @@
     `validation_rules`: a `list` of or callable returning list of custom
     validation rules to use to validate query before it's executed.
 
+    `require_query`: a `bool` controlling if GraphQL operation to execute must be
+    a query (vs. mutation or subscription).
+
     `error_formatter`: an `ErrorFormatter` callable to use to convert GraphQL
     errors encountered during query execution to JSON-serializable format.
 
@@ -178,6 +183,9 @@
                     extension_manager=extension_manager,
                 )
 
+            if require_query:
+                validate_operation_is_query(document, operation_name)
+
             if callable(root_value):
                 try:
                     root_value = root_value(  # type: ignore
@@ -237,6 +245,7 @@
     introspection: bool = True,
     logger: Union[None, str, Logger, LoggerAdapter] = None,
     validation_rules: Optional[ValidationRules] = None,
+    require_query: bool = False,
     error_formatter: ErrorFormatter = format_error,
     middleware: MiddlewareList = None,
     middleware_manager_class: Optional[Type[MiddlewareManager]] = None,
@@ -289,6 +298,9 @@
     `validation_rules`: a `list` of or callable returning list of custom
     validation rules to use to validate query before it's executed.
 
+    `require_query`: a `bool` controlling if GraphQL operation to execute must be
+    a query (vs. mutation or subscription).
+
     `error_formatter`: an `ErrorFormatter` callable to use to convert GraphQL
     errors encountered during query execution to JSON-serializable format.
 
@@ -344,6 +356,9 @@
                     extension_manager=extension_manager,
                 )
 
+            if require_query:
+                validate_operation_is_query(document, operation_name)
+
             if callable(root_value):
                 try:
                     root_value = root_value(  # type: ignore
@@ -639,3 +654,29 @@
 def validate_operation_name(operation_name) -> None:
     if operation_name is not None and not isinstance(operation_name, str):
         raise GraphQLError('"%s" is not a valid operation name.' % operation_name)
+
+
+def validate_operation_is_query(
+    document_ast: DocumentNode, operation_name: Optional[str]
+):
+    query_operations: List[Optional[str]] = []
+    for definition in document_ast.definitions:
+        if (
+            isinstance(definition, OperationDefinitionNode)
+            and definition.operation.name == "QUERY"
+        ):
+            if definition.name:
+                query_operations.append(definition.name.value)
+            else:
+                query_operations.append(None)
+
+    if operation_name:
+        if operation_name not in query_operations:
+            raise GraphQLError(
+                f"Operation '{operation_name}' is not defined or "
+                "is not of a 'query' type."
+            )
+    elif len(query_operations) != 1:
+        raise GraphQLError(
+            "'operationName' is required if 'query' defines multiple operations."
+        )