feat(fhir-router/graphql): fix #4567 configurable system setting for …

…graphql max depth

packages/fhir-router/src/fhirrouter.ts

@@ -30,6 +30,7 @@ export type FhirRouteHandler = (req: FhirRequest, repo: FhirRepository, router:
 
 export interface FhirOptions {
  introspectionEnabled?: boolean;
+ graphqlMaxDepth?: number;
 }
 
 // Execute batch

packages/fhir-router/src/graphql/graphql.ts

@@ -100,7 +100,7 @@ export async function graphqlHandler(
  }
 
  const schema = getRootSchema();
- const validationRules = [...specifiedRules, MaxDepthRule];
+ const validationRules = [...specifiedRules, MaxDepthRule(router.options.graphqlMaxDepth)];
  const validationErrors = validate(schema, document, validationRules);
  if (validationErrors.length > 0) {
  return [invalidRequest(validationErrors)];
@@ -408,31 +408,34 @@ async function resolveByDelete(
  await ctx.repo.deleteResource(resourceType, args.id);
 }
 
+const DEFAULT_MAX_DEPTH = 15;
+
 /**
  * Custom GraphQL rule that enforces max depth constraint.
- * @param context - The validation context.
- * @returns An ASTVisitor that validates the maximum depth rule.
+ * @param maxDepth - The maximum allowed depth.
+ * @returns A function that is an ASTVisitor that validates the maximum depth rule.
  */
-const MaxDepthRule = (context: ValidationContext): ASTVisitor => ({
- Field(
- /** The current node being visiting. */
- node: any,
- /** The index or key to this node from the parent node or Array. */
- _key: string | number | undefined,
- /** The parent immediately above this node, which may be an Array. */
- _parent: ASTNode | readonly ASTNode[] | undefined,
- /** The key path to get to this node from the root node. */
- path: readonly (string | number)[]
- ): any {
- const depth = getDepth(path);
- const maxDepth = 12;
- if (depth > maxDepth) {
- const fieldName = node.name.value;
- context.reportError(
- new GraphQLError(`Field "${fieldName}" exceeds max depth (depth=${depth}, max=${maxDepth})`, {
- nodes: node,
- })
- );
- }
- },
-});
+const MaxDepthRule =
+ (maxDepth: number = DEFAULT_MAX_DEPTH) =>
+ (context: ValidationContext): ASTVisitor => ({
+ Field(
+ /** The current node being visiting. */
+ node: any,
+ /** The index or key to this node from the parent node or Array. */
+ _key: string | number | undefined,
+ /** The parent immediately above this node, which may be an Array. */
+ _parent: ASTNode | readonly ASTNode[] | undefined,
+ /** The key path to get to this node from the root node. */
+ path: readonly (string | number)[]
+ ): any {
+ const depth = getDepth(path);
+ if (depth > maxDepth) {
+ const fieldName = node.name.value;
+ context.reportError(
+ new GraphQLError(`Field "${fieldName}" exceeds max depth (depth=${depth}, max=${maxDepth})`, {
+ nodes: node,
+ })
+ );
+ }
+ },
+ });

packages/server/src/fhir/routes.ts

@@ -4,7 +4,7 @@ import { ResourceType } from '@medplum/fhirtypes';
 import { NextFunction, Request, Response, Router } from 'express';
 import { asyncWrap } from '../async';
 import { getConfig } from '../config';
-import { getAuthenticatedContext } from '../context';
+import { AuthenticatedRequestContext, getAuthenticatedContext } from '../context';
 import { authenticateRequest } from '../oauth/middleware';
 import { recordHistogramValue } from '../otel/otel';
 import { bulkDataRouter } from './bulkdata';
@@ -122,22 +122,27 @@ protectedRoutes.use('/job', jobRouter);
 /**
  * Returns the internal FHIR router.
  * This function will be executed on every request.
+ * @param ctx - The authenticated request context.
  * @returns The lazy initialized internal FHIR router.
  */
-function getInternalFhirRouter(): FhirRouter {
+function getInternalFhirRouter(ctx: AuthenticatedRequestContext): FhirRouter {
  if (!internalFhirRouter) {
- internalFhirRouter = initInternalFhirRouter();
+ internalFhirRouter = initInternalFhirRouter(ctx);
  }
  return internalFhirRouter;
 }
 
 /**
  * Returns a new FHIR router.
  * This function should only be called once on the first request.
+ * @param ctx - The authenticated request context.
  * @returns A new FHIR router with all the internal operations.
  */
-function initInternalFhirRouter(): FhirRouter {
- const router = new FhirRouter({ introspectionEnabled: getConfig().introspectionEnabled });
+function initInternalFhirRouter(ctx: AuthenticatedRequestContext): FhirRouter {
+ const router = new FhirRouter({
+ introspectionEnabled: getConfig().introspectionEnabled,
+ graphqlMaxDepth: ctx.project.systemSetting?.find((s) => s.name === 'graphqlMaxDepth')?.valueInteger,
+ });
 
  // Project $export
  router.add('GET', '/$export', bulkExportHandler);
@@ -288,7 +293,7 @@ protectedRoutes.use(
  headers: req.headers,
  };
 
- const result = await getInternalFhirRouter().handleRequest(request, ctx.repo);
+ const result = await getInternalFhirRouter(ctx).handleRequest(request, ctx.repo);
  if (result.length === 1) {
  if (!isOk(result[0])) {
  throw new OperationOutcomeError(result[0]);