Enable custom headers in CLI GraphiQL

amcaplan · claude · amcaplan · commit 64f79b7a95c2 · 2025-12-10T15:11:19.000+02:00
Re-enables the header editor UI in GraphiQL and adds filtering to block problematic browser/hop-by-hop headers while allowing custom headers through. This allows users to pass headers like `Shopify-Search-Query-Debug=1` to the Admin API for debugging purposes. Changes: - Enable isHeadersEditorEnabled in GraphiQL component - Add BLOCKED_HEADERS set for hop-by-hop and proxy-controlled headers - Add filterCustomHeaders() to extract safe custom headers - Forward filtered custom headers to Admin API Fixes: shop/issues-develop#21688 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/packages/app/src/cli/services/dev/graphiql/server.test.ts b/packages/app/src/cli/services/dev/graphiql/server.test.ts
@@ -0,0 +1,135 @@
+import {BLOCKED_HEADERS, filterCustomHeaders} from './server.js'
+import {describe, expect, test} from 'vitest'
+
+describe('BLOCKED_HEADERS', () => {
+  test('includes hop-by-hop headers from RFC 7230', () => {
+    const hopByHopHeaders = [
+      'connection',
+      'keep-alive',
+      'proxy-authenticate',
+      'proxy-authorization',
+      'te',
+      'trailer',
+      'transfer-encoding',
+      'upgrade',
+    ]
+
+    for (const header of hopByHopHeaders) {
+      expect(BLOCKED_HEADERS.has(header)).toBe(true)
+    }
+  })
+
+  test('includes proxy-controlled headers', () => {
+    const proxyControlledHeaders = [
+      'host',
+      'content-length',
+      'content-type',
+      'accept',
+      'user-agent',
+      'authorization',
+      'cookie',
+      'x-shopify-access-token',
+    ]
+
+    for (const header of proxyControlledHeaders) {
+      expect(BLOCKED_HEADERS.has(header)).toBe(true)
+    }
+  })
+})
+
+describe('filterCustomHeaders', () => {
+  test('allows custom headers that are not blocked', () => {
+    const headers = {
+      'x-custom-header': 'custom-value',
+      'x-another-header': 'another-value',
+    }
+
+    const result = filterCustomHeaders(headers)
+
+    expect(result).toEqual({
+      'x-custom-header': 'custom-value',
+      'x-another-header': 'another-value',
+    })
+  })
+
+  test('blocks hop-by-hop headers', () => {
+    const headers = {
+      connection: 'keep-alive',
+      'keep-alive': 'timeout=5',
+      'transfer-encoding': 'chunked',
+      'x-custom-header': 'custom-value',
+    }
+
+    const result = filterCustomHeaders(headers)
+
+    expect(result).toEqual({
+      'x-custom-header': 'custom-value',
+    })
+  })
+
+  test('blocks proxy-controlled headers', () => {
+    const headers = {
+      host: 'localhost:3000',
+      'content-type': 'application/json',
+      accept: 'application/json',
+      'user-agent': 'Mozilla/5.0',
+      authorization: 'Bearer token',
+      cookie: 'session=abc',
+      'x-shopify-access-token': 'secret-token',
+      'x-custom-header': 'custom-value',
+    }
+
+    const result = filterCustomHeaders(headers)
+
+    expect(result).toEqual({
+      'x-custom-header': 'custom-value',
+    })
+  })
+
+  test('blocks headers case-insensitively', () => {
+    const headers = {
+      Connection: 'keep-alive',
+      HOST: 'localhost',
+      'Content-Type': 'application/json',
+      'X-Custom-Header': 'custom-value',
+    }
+
+    const result = filterCustomHeaders(headers)
+
+    expect(result).toEqual({
+      'X-Custom-Header': 'custom-value',
+    })
+  })
+
+  test('filters out non-string header values', () => {
+    const headers: {[key: string]: string | string[] | undefined} = {
+      'x-custom-header': 'custom-value',
+      'x-array-header': ['value1', 'value2'],
+      'x-undefined-header': undefined,
+    }
+
+    const result = filterCustomHeaders(headers)
+
+    expect(result).toEqual({
+      'x-custom-header': 'custom-value',
+    })
+  })
+
+  test('returns empty object when all headers are blocked', () => {
+    const headers = {
+      host: 'localhost',
+      connection: 'keep-alive',
+      'content-type': 'application/json',
+    }
+
+    const result = filterCustomHeaders(headers)
+
+    expect(result).toEqual({})
+  })
+
+  test('returns empty object for empty input', () => {
+    const result = filterCustomHeaders({})
+
+    expect(result).toEqual({})
+  })
+})
diff --git a/packages/app/src/cli/services/dev/graphiql/server.ts b/packages/app/src/cli/services/dev/graphiql/server.ts
@@ -15,6 +15,49 @@ import {createRequire} from 'module'
 
 const require = createRequire(import.meta.url)
 
+/**
+ * Headers that should NOT be forwarded from the GraphiQL client to the Admin API.
+ * These include:
+ * - Hop-by-hop headers (RFC 7230) that are connection-specific
+ * - Browser-specific headers that are not relevant to API requests
+ * - Headers the proxy sets itself (auth, content-type, etc.)
+ */
+export const BLOCKED_HEADERS = new Set([
+  // Hop-by-hop headers (RFC 7230 Section 6.1)
+  'connection',
+  'keep-alive',
+  'proxy-authenticate',
+  'proxy-authorization',
+  'te',
+  'trailer',
+  'transfer-encoding',
+  'upgrade',
+
+  // Headers the proxy controls
+  'host',
+  'content-length',
+  'content-type',
+  'accept',
+  'user-agent',
+  'authorization',
+  'cookie',
+  'x-shopify-access-token',
+])
+
+/**
+ * Filters request headers to extract only custom headers that are safe to forward.
+ * Blocked headers and non-string values are excluded.
+ */
+export function filterCustomHeaders(headers: {[key: string]: string | string[] | undefined}): {[key: string]: string} {
+  const customHeaders: {[key: string]: string} = {}
+  for (const [key, value] of Object.entries(headers)) {
+    if (!BLOCKED_HEADERS.has(key.toLowerCase()) && typeof value === 'string') {
+      customHeaders[key] = value
+    }
+  }
+  return customHeaders
+}
+
 class TokenRefreshError extends AbortError {
   constructor() {
     super('Failed to refresh credentials. Check that your app is installed, and try again.')
@@ -185,8 +228,12 @@ export function setupGraphiQLServer({
     try {
       const reqBody = JSON.stringify(req.body)
 
+      // Extract custom headers from the request, filtering out blocked headers
+      const customHeaders = filterCustomHeaders(req.headers)
+
       const runRequest = async () => {
         const headers = {
+          ...customHeaders,
           Accept: 'application/json',
           'Content-Type': 'application/json',
           'X-Shopify-Access-Token': await token(),
diff --git a/packages/app/src/cli/services/dev/graphiql/templates/graphiql.tsx b/packages/app/src/cli/services/dev/graphiql/templates/graphiql.tsx
@@ -265,7 +265,7 @@ export function graphiqlTemplate({
                 {query: "{%if query.preface %}{{query.preface}}\\n{% endif %}{{query.query}}", variables: "{{query.variables}}"},
               {%endfor%}
             ],
-            isHeadersEditorEnabled: false,
+            isHeadersEditorEnabled: true,
           }),
           document.getElementById('graphiql-explorer'),
         )

Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,7 @@ export function graphiqlTemplate({`
`265`	`265`	`{query: "{%if query.preface %}{{query.preface}}\\n{% endif %}{{query.query}}", variables: "{{query.variables}}"},`
`266`	`266`	`{%endfor%}`
`267`	`267`	`],`
`268`		`- isHeadersEditorEnabled: false,`
	`268`	`+ isHeadersEditorEnabled: true,`
`269`	`269`	`}),`
`270`	`270`	`document.getElementById('graphiql-explorer'),`
`271`	`271`	`)`