Port #2343

Author: pwizla

docusaurus/docs/dev-docs/configurations/plugins.md

@@ -25,7 +25,7 @@ Plugin configurations are stored in `/config/plugins.js|ts` (see [project struct
 | `resolve`<br/> _Optional, only required for local plugins_             | Path to the plugin's folder                                                                                                                                            | String  |
 
 :::note
-Some features of Strapi are provided by plugins and the following plugins can also have specific configuration options: [GraphQL](#graphql) and [Upload](#upload).
+Some features of Strapi are provided by plugins and the following plugins can also have specific configuration options: the [GraphQL](/dev-docs/plugins/graphql#code-based-configuration) plugin and the [Upload](/user-docs/features/media-library#available-options) package which powers the Media Library.
 :::
 
 **Basic example custom configuration for plugins:**
@@ -91,70 +91,3 @@ export default ({ env }) => ({
 :::tip
 If no specific configuration is required, a plugin can also be declared with the shorthand syntax `'plugin-name': true`.
 :::
-
-## GraphQL configuration {#graphql}
-
-The [GraphQL plugin](/dev-docs/plugins/graphql) has the following specific configuration options that should be declared in a `graphql.config` object within the `config/plugins` file. All parameters are optional:
-
-| Parameter          | Description                                                                                                                                                   | Type    | Default |
-| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ------- |
-| `apolloServer`     | Additional configuration for [`ApolloServer`](https://www.apollographql.com/docs/apollo-server/api/apollo-server/#apolloserver).                   | Object  | `{}`    |
-| `artifacts`        | Object containing filepaths, defining where to store generated artifacts. Can include the following properties: <ul><li>`schema`: path to the generated GraphQL schema file</li><li>`typegen`: path to generated TypeScript types</li></ul>Only works if `generateArtifacts` is set to `true`.  | Object  | <ul><li>`schema: false`</li><li>`typegen: false`</li></ul> |
-| `defaultLimit` | Default value for [the `pagination[limit]` parameter](/dev-docs/api/graphql#pagination-by-offset) used in API calls | Integer | 100 |
-| `depthLimit`       | Limits the [complexity of GraphQL queries](https://www.npmjs.com/package/graphql-depth-limit).                                                                 | Integer  | `10`    |
-| `endpoint`         | The URL path on which the plugin is exposed | String | `/graphql` |
-| `generateArtifacts`| Whether Strapi should automatically generate and output a GraphQL schema file and corresponding TypeScript definitions.<br/><br/>The file system location can be configured through `artifacts`.  | Boolean | `false` |
-| `maxLimit`         | Maximum value for [the `pagination[limit]` parameter](/dev-docs/api/graphql#pagination-by-offset) used in API calls                                                                                                              | Integer  | `-1`    |
-| `playgroundAlways` | Whether the playground should be publicly exposed.<br/><br/>Enabled by default in if `NODE_ENV` is set to `development`.                                        | Boolean | `false`  |
-| `shadowCRUD`       | Whether type definitions for queries, mutations and resolvers based on models should be created automatically (see [Shadow CRUD documentation](/dev-docs/plugins/graphql#shadow-crud)). | Boolean | `true` |
-| `v4ComptabilityMode` | Enables the retro-compatibility with the Strapi v4 format (see more details in the [breaking change entry](/dev-docs/migration/v4-to-v5/breaking-changes/graphql-api-updated) | Boolean | `false` |
-
-**Example custom configuration**:
-
-<Tabs groupId="js-ts">
-
-<TabItem value="javascript" label="JavaScript">
-
-```js title="./config/plugins.js"
-
-module.exports = () => ({
-  graphql: {
-    enabled: true,
-    config: {
-      playgroundAlways: false,
-      defaultLimit: 10,
-      maxLimit: 20,
-      apolloServer: {
-        tracing: true,
-      },
-    }
-  }
-})
-```
-
-</TabItem>
-
-<TabItem value="typescript" label="TypeScript">
-
-```ts title="./config/plugins.ts"
-
-export default () => ({
-  graphql: {
-    enabled: true,
-    config: {
-      playgroundAlways: false,
-      defaultLimit: 10,
-      maxLimit: 20,
-      apolloServer: {
-        tracing: true,
-      },
-    }
-  }
-})
-```
-
-</TabItem>
-
-</Tabs>
-
-## Upload configuration {#upload}

docusaurus/docs/dev-docs/plugins/graphql.md

@@ -19,7 +19,7 @@ tags:
 
 # GraphQL plugin
 
-By default Strapi create [REST endpoints](/dev-docs/api/rest#endpoints) for each of your content-types. The GraphQL plugin adds a GraphQL endpoint to fetch and mutate your content. With the GraphQL plugin installed, you can use the Apollo Server-based GraphQL Playground to interactively build your queries and mutations and read documentation tailored to your content types.
+By default Strapi create [REST endpoints](/dev-docs/api/rest#endpoints) for each of your content-types. The GraphQL plugin adds a GraphQL endpoint to fetch and mutate your content. With the GraphQL plugin installed, you can use the Apollo Server-based GraphQL Sandbox to interactively build your queries and mutations and read documentation tailored to your content types.
 
 :::prerequisites Identity Card of the Plugin
 <Icon name="navigation-arrow"/> **Location:** Usable via the admin panel. Configured through both admin panel and server code, with different sets of options.<br/>
@@ -57,9 +57,9 @@ npm install @strapi/plugin-graphql
 
 </Tabs>
 
-Once installed, the GraphQL playground is accessible at the `/graphql` URL and can be used to interactively build your queries and mutations and read documentation tailored to your content-types.
+Once installed, the GraphQL sandbox is accessible at the `/graphql` URL and can be used to interactively build your queries and mutations and read documentation tailored to your content-types.
 
-Once the plugin is installed, the **GraphQL Playground** is accessible at the `/graphql` route (e.g., [localhost:1337/graphql](http://localhost:1337/graphql)) when your Strapi application server is running.
+Once the plugin is installed, the **GraphQL Sandbox** is accessible at the `/graphql` route (e.g., [localhost:1337/graphql](http://localhost:1337/graphql)) when your Strapi application server is running.
 
 ## Configuration
 
@@ -73,29 +73,43 @@ The Strapi admin panel does not provide Strapi-specific settings for the GraphQL
 
 Plugins configuration are defined in the `config/plugins.js` file. This configuration file can include a `graphql.config` object to define specific configurations for the GraphQL plugin (see [plugins configuration documentation](/dev-docs/configurations/plugins#graphql)).
 
-Apollo Server options can be set with the `graphql.config.apolloServer` [configuration object](/dev-docs/configurations/plugins#graphql). Apollo Server options can be used for instance to enable the [tracing feature](https://www.apollographql.com/docs/federation/metrics/), which is supported by the GraphQL playground to track the response time of each part of your query. From `Apollo Server` version 3.9 default cache option is `cache: 'bounded'`. You can change it in the `apolloServer` configuration (for details, see [Apollo Server Docs](https://www.apollographql.com/docs/apollo-server/performance/cache-backends/)).
+#### Available options
+
+[Apollo Server](https://www.apollographql.com/docs/apollo-server/api/apollo-server/#apolloserver) options can be passed directly to Apollo with the `graphql.config.apolloServer` [configuration object](/dev-docs/configurations/plugins#graphql). Apollo Server options can be used for instance to enable the [tracing feature](https://www.apollographql.com/docs/federation/metrics/), which is supported by the GraphQL Sandbox to track the response time of each part of your query. The `Apollo Server` default cache option is `cache: 'bounded'`. You can change it in the `apolloServer` configuration. For more information visit [Apollo Server Docs](https://www.apollographql.com/docs/apollo-server/performance/cache-backends/).
+
+The [GraphQL plugin](/dev-docs/plugins/graphql) has the following specific configuration options that should be declared in a `graphql.config` object within the `config/plugins` file. All parameters are optional:
+
+| Option             | Type                | Description                                                                                                                                                      | Default Value | Notes                                               |
+| ------------------ | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | --------------------------------------------------- |
+| `endpoint`         | String              | Sets the GraphQL endpoint path.                                                                                                                                  | `'/graphql'`  | Example: `/custom-graphql`                          |
+| `shadowCRUD`       | Boolean             | Enables or disables automatic schema generation for content types.                                                                                               | `true`        |                                                     |
+| `depthLimit`       | Number              | Limits the depth of GraphQL queries to prevent excessive nesting.                                                                                                | `10`          | Use this to mitigate potential DoS attacks.         |
+| `amountLimit`      | Number              | Limits the maximum number of items returned in a single response.                                                                                                | `100`         | Use cautiously to avoid performance issues.         |
+| `playgroundAlways` | Boolean             | [Deprecated] Enables GraphQL Playground in all environments (deprecated).                                                                                        | `false`       | Prefer using `landingPage` instead.                 |
+| `landingPage`      | Boolean \| Function | Enables or disables the landing page for GraphQL. Accepts a boolean or a function returning a boolean or an ApolloServerPlugin implementing `renderLandingPage`. |               | `false` in production, `true` in other environments |
+| `apolloServer`     | Object              | Passes configuration options directly to Apollo Server.                                                                                                          | `{}`          | Example: `{ tracing: true }`    
 
 :::caution
 The maximum number of items returned by the response is limited to 100 by default. This value can be changed using the `amountLimit` configuration option, but should only be changed after careful consideration: a large query can cause a DDoS (Distributed Denial of Service) and may cause abnormal load on your Strapi server, as well as your database server.
 :::
 
 :::note
-The GraphQL Playground is enabled by default for both the development and staging environments, but disabled in production environments. Set the `playgroundAlways` configuration option to `true` to also enable the GraphQL Playground in production environments (see [plugins configuration documentation](/dev-docs/configurations/plugins#graphql)).
+The GraphQL Sandbox is enabled by default in all environments except production. Set the `landingPage` configuration option to `true` to also enable the GraphQL Sandbox in production environments.
 :::
 
+The following is an example custom configuration:
+
 <Tabs groupId="js-ts">
 
 <TabItem value="javascript" label="JavaScript">
 
 ```js title="/config/plugins.js"
-
 module.exports = {
-  //
   graphql: {
     config: {
       endpoint: '/graphql',
       shadowCRUD: true,
-      playgroundAlways: false,
+      landingPage: false, // disable Sandbox everywhere
       depthLimit: 7,
       amountLimit: 100,
       apolloServer: {
@@ -111,21 +125,131 @@ module.exports = {
 <TabItem value="typescript" label="TypeScript">
 
 ```ts title="/config/plugins.ts"
-
-export default {
-  //
+export default () => ({
   graphql: {
     config: {
       endpoint: '/graphql',
       shadowCRUD: true,
-      playgroundAlways: false,
+      landingPage: false, // disable Sandbox everywhere
       depthLimit: 7,
       amountLimit: 100,
       apolloServer: {
         tracing: false,
       },
     },
   },
+})
+```
+
+</TabItem>
+
+</Tabs>
+
+
+#### Dynamically enable Apollo Sandbox
+
+You can use a function to dynamically enable Apollo Sandbox depending on the environment:
+
+<Tabs groupId="js-ts">
+
+<TabItem value="javascript" label="JavaScript">
+
+```javascript title="./config/plugins.js" {6-12}
+module.exports = ({ env }) => {
+  graphql: {
+    config: {
+      endpoint: '/graphql',
+      shadowCRUD: true,
+      landingPage: (strapi) => {
+        if (env("NODE_ENV") !== "production") {
+          return true;
+        } else {
+          return false;
+        }
+      },
+    },
+  },
+};
+```
+
+</TabItem>
+
+<TabItem value="typescript" label="TypeScript">
+
+```ts title="./config/plugins.ts" {6-12}
+export default ({ env }) => {
+  graphql: {
+    config: {
+      endpoint: '/graphql',
+      shadowCRUD: true,
+      landingPage: (strapi) => {
+        if (env("NODE_ENV") !== "production") {
+          return true;
+        } else {
+          return false;
+        }
+      },
+    },
+  },
+};
+```
+</TabItem>
+
+</Tabs>
+
+#### CORS exceptions for Landing Page
+
+If the landing page is enabled in production environments (which is not recommended), CORS headers for the Apollo Server landing page must be added manually.
+
+To add them globally, you can merge the following into your middleware configuration:
+
+```javascript title="/config/middlewares"
+{
+  name: "strapi::security",
+  config: {
+    contentSecurityPolicy: {
+      useDefaults: true,
+      directives: {
+        "connect-src": ["'self'", "https:", "apollo-server-landing-page.cdn.apollographql.com"],
+        "img-src": ["'self'", "data:", "blob:", "apollo-server-landing-page.cdn.apollographql.com"],
+        "script-src": ["'self'", "'unsafe-inline'", "apollo-server-landing-page.cdn.apollographql.com"],
+        "style-src": ["'self'", "'unsafe-inline'", "apollo-server-landing-page.cdn.apollographql.com"],
+        "frame-src": ["sandbox.embed.apollographql.com"]
+      }
+    }
+  }
+}
+```
+
+To add these exceptions only for the `/graphql` path (recommended), you can create a new middleware to handle it. For example:
+
+<Tabs groupId="js-ts">
+
+<TabItem value="javascript" label="JavaScript">
+
+```javascript title="./middlewares/graphql-security.js"
+module.exports = (config, { strapi }) => {
+  return async (ctx, next) => {
+    if (ctx.request.path === '/graphql') {
+      ctx.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' cdn.jsdelivr.net apollo-server-landing-page.cdn.apollographql.com; connect-src 'self' https:; img-src 'self' data: blob: apollo-server-landing-page.cdn.apollographql.com; media-src 'self' data: blob: apollo-server-landing-page.cdn.apollographql.com; frame-src sandbox.embed.apollographql.com; manifest-src apollo-server-landing-page.cdn.apollographql.com;");
+    }
+    await next();
+  };
+};
+```
+
+</TabItem>
+
+<TabItem value="typescript" label="TypeScript">
+
+```ts title="./middlewares/graphql-security.ts"
+export default (config, { strapi }) => {
+  return async (ctx, next) => {
+    if (ctx.request.path === '/graphql') {
+      ctx.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' cdn.jsdelivr.net apollo-server-landing-page.cdn.apollographql.com; connect-src 'self' https:; img-src 'self' data: blob: apollo-server-landing-page.cdn.apollographql.com; media-src 'self' data: blob: apollo-server-landing-page.cdn.apollographql.com; frame-src sandbox.embed.apollographql.com; manifest-src apollo-server-landing-page.cdn.apollographql.com;");
+    }
+    await next();
+  };
 };
 ```
 
@@ -913,10 +1037,10 @@ export default {
 
 GraphQL is a query language allowing users to use a broader panel of inputs than traditional REST APIs. GraphQL APIs are inherently prone to security risks, such as credential leakage and denial of service attacks, that can be reduced by taking appropriate precautions.
 
-###### Disable introspection and playground in production
+### Disable introspection and Sandbox in production
 
-In production environments, disabling the GraphQL Playground and the introspection query is recommended.
-If you haven't edited the [configuration file](/dev-docs/configurations/plugins#graphql), it is already disabled in production by default.
+In production environments, disabling the GraphQL Sandbox and the introspection query is strongly recommended.
+If you haven't edited the [configuration file](#availabel-options), it is already disabled in production by default.
 
 ###### Limit max depth and complexity
 
@@ -973,14 +1097,14 @@ mutation {
 
 </Request>
 
-Then on each request, send along an `Authorization` header in the form of `{ "Authorization": "Bearer YOUR_JWT_GOES_HERE" }`. This can be set in the HTTP Headers section of your GraphQL Playground.
+Then on each request, send along an `Authorization` header in the form of `{ "Authorization": "Bearer YOUR_JWT_GOES_HERE" }`. This can be set in the HTTP Headers section of your GraphQL Sandbox.
 
 #### Usage with API tokens
 
 To use API tokens for authentication, pass the token in the `Authorization` header using the format `Bearer your-api-token`.
 
 :::note
-Using API tokens in the the GraphQL playground requires adding the authorization header with your token in the `HTTP HEADERS` tab:
+Using API tokens in the the GraphQL Sandbox requires adding the authorization header with your token in the `HTTP HEADERS` tab:
 
 ```http
 {