twenty/packages/twenty-server/test/integration/twenty-config/utils/make-unauthenticated-api-request.util.ts at 9e21e55db4df6747c1debcf8c60a5a2cd4585f4f - Elgato_dark/twenty - Forgejo: Beyond coding. We Forge.

Elgato_dark/twenty

mirror of https://github.com/twentyhq/twenty synced 2026-04-21 21:47:38 +00:00

Charles Bochet 9e21e55db4

Prevent leak between /metadata and /graphql GQL schemas (#17845 )

## Fix resolver schema leaking between `/metadata` and `/graphql`
endpoints

### Summary
- Patch `@nestjs/graphql` to support a `resolverSchemaScope` option that
filters resolvers at both schema generation and runtime, preventing
cross-endpoint leaking
- Introduce `@CoreResolver()` and `@MetadataResolver()` decorators to
explicitly scope each resolver to its endpoint
- Move most resolvers (auth, billing, workspace, user, etc.) to the
metadata schema where the frontend expects them; only workflow and
timeline calendar/messaging resolvers remain on `/graphql`
- Fix frontend `SSEQuerySubscribeEffect` to use the default (metadata)
Apollo client instead of the core client

### Problem
NestJS GraphQL's module-based resolver discovery traverses transitive
imports, causing resolvers from `/metadata` modules to leak into the
`/graphql` schema and vice versa. This made the schemas unpredictable
and tightly coupled to module import order.

### Approach
- Added `resolverSchemaScope` to `GqlModuleOptions` via a patch on
`@nestjs/graphql`, filtering in both `filterResolvers()` (runtime
binding) and `getAllCtors()` (schema generation)
- Each resolver is explicitly decorated with `@CoreResolver()` or
`@MetadataResolver()`
- Organized decorator, constant, and type files under `graphql-config/`
following project conventions


Core GQL Schema: (see: no more fields!)
<img width="827" height="894" alt="image"
src="https://github.com/user-attachments/assets/668f3f0f-485e-43f0-92be-4345aeccacb6"
/>

Metadata GQL Schema (see no more getTimelineCalendarEventsFromCompany)
<img width="827" height="894" alt="image"
src="https://github.com/user-attachments/assets/443913db-e5fe-4161-b0e7-4a971cc80a71"
/>

2026-02-11 10:05:24 +00:00

12 lines

257 B

TypeScript

Raw Blame History

 import request from 'supertest';
 export const makeUnauthenticatedAPIRequest = async (query: string) => {
   const client = request(`http://localhost:${APP_PORT}`);
   return client
     .post('/metadata')
     .send({
       query,
     })
     .expect(200);
 };