expose an endpoint to debug trusted documents (#155)

adds a by default disabled endpoint to debug all the trusted documents
that are currently in the cache


```
persisted_operations:
  # configures a '/internal/debug_trusted_documents' endpoint to print the persisted operations as json
  # Make sure you DONT expose this endpoint publicly if you enable this feature!  
  enable_debug_endpoint: false

```

---------

Co-authored-by: Rick Bijkerk <[email protected]>

Author: rickbijkerk

cmd/serve.go

@@ -11,6 +11,7 @@ import (
 	"github.com/ldebruijn/graphql-protect/internal/business/rules/obfuscate_upstream_errors"
 	"github.com/ldebruijn/graphql-protect/internal/business/schema"
 	"github.com/ldebruijn/graphql-protect/internal/business/trusteddocuments"
+	"github.com/ldebruijn/graphql-protect/internal/http/debug"
 	"github.com/ldebruijn/graphql-protect/internal/http/middleware"
 	"github.com/ldebruijn/graphql-protect/internal/http/proxy"
 	"github.com/ldebruijn/graphql-protect/internal/http/readiness"
@@ -71,6 +72,7 @@ func httpServer(log *slog.Logger, cfg *config.Config, shutdown chan os.Signal) e
 
 	mux.Handle("/metrics", promhttp.Handler())
 	mux.Handle("/internal/healthz/readiness", readiness.NewReadinessHandler())
+	mux.Handle("/internal/debug_trusted_documents", debug.NewTrustedDocumentsDebugger(po, cfg.PersistedOperations.EnableDebugEndpoint))
 	mux.Handle(cfg.Web.Path, mid(protectHandler))
 
 	api := http.Server{

docs/configuration.md

@@ -62,6 +62,9 @@ obfuscate_upstream_errors: true
 persisted_operations:
   # Enable or disable the feature, disabled by default
   enabled: false
+  # configures a '/internal/debug_trusted_documents' endpoint to print the persisted operations as json
+  # Make sure you DONT expose this endpoint publicly if you enable this feature!  
+  enable_debug_endpoint: false
   # Fail unknown operations, disable this feature to allow unknown operations to reach your GraphQL API
   reject_on_failure: true
   # Loader decides how persisted operations are loaded, see loader chapter for more details

docs/protections/trusted_documents.md

@@ -29,6 +29,9 @@ You can configure `graphql-protect` to enable Persisted Operations.
 persisted_operations:
   # Enable or disable the feature, disabled by default
   enabled: false
+  # configures a '/internal/debug_trusted_documents' endpoint to print the persisted operations as json
+  # Make sure you dont expose this ednpoint publicly if you enable this feature!  
+  enable_debug_endpoint: false
   # Fail unknown operations, disable this feature to allow unknown operations to reach your GraphQL API
   reject_on_failure: true
   # Loader decides how persisted operations are loaded, see loader chapter for more details

internal/app/config/config_test.go

@@ -67,6 +67,7 @@ obfuscate_upstream_errors: false
     
 persisted_operations:
   enabled: true
+  enable_debug_endpoint: true
   reject_on_failure: false
   loader:
     type: gcp
@@ -152,7 +153,8 @@ log:
 					Host:      "host",
 				},
 				PersistedOperations: trusteddocuments.Config{
-					Enabled: true,
+					Enabled:             true,
+					EnableDebugEndpoint: true,
 					Loader: trusteddocuments.LoaderConfig{
 						Type:     "gcp",
 						Location: "some-bucket",

internal/business/trusteddocuments/persisted_operations.go

@@ -57,9 +57,10 @@ type ErrorMessage struct {
 }
 
 type Config struct {
-	Enabled         bool         `yaml:"enabled"`
-	RejectOnFailure bool         `yaml:"reject_on_failure"`
-	Loader          LoaderConfig `yaml:"loader"`
+	Enabled             bool         `yaml:"enabled"`
+	EnableDebugEndpoint bool         `yaml:"enable_debug_endpoint"`
+	RejectOnFailure     bool         `yaml:"reject_on_failure"`
+	Loader              LoaderConfig `yaml:"loader"`
 }
 
 func DefaultConfig() Config {
@@ -247,6 +248,10 @@ func (p *Handler) SwapHashForQuery(next http.Handler) http.Handler { // nolint:f
 	return http.HandlerFunc(fn)
 }
 
+func (p *Handler) GetTrustedDocuments() map[string]PersistedOperation {
+	return p.cache
+}
+
 func (p *Handler) Validate(validate func(operation string) gqlerror.List) []validation.Error {
 	var errs []validation.Error
 	for hash, operation := range p.cache {

internal/http/debug/debugging.go

@@ -0,0 +1,27 @@
+package debug
+
+import (
+	"encoding/json"
+	"github.com/ldebruijn/graphql-protect/internal/business/trusteddocuments"
+	"net/http"
+)
+
+func NewTrustedDocumentsDebugger(po *trusteddocuments.Handler, enableDebugEndpoint bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, _ *http.Request) {
+		if !enableDebugEndpoint {
+			w.WriteHeader(http.StatusNotFound)
+		} else {
+			trustedDocuments := po.GetTrustedDocuments()
+
+			jsonData, err := json.MarshalIndent(trustedDocuments, "", "  ")
+			if err != nil {
+				return
+			}
+
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusOK)
+
+			_, _ = w.Write(jsonData)
+		}
+	}
+}