PLU-354: prevent batched queries in operations (#789)

## Problem

We previously disabled batching multiple operations in a single HTTP
request. However, we still allow multiple root level fields in a single
operation. It was flagged out during VAPT that this might facilitate
potential DOS attacks and should only be enabled when strictly
necessary.

## Solution

Create a custom apollo plugin to detect if there are multiple root level
fields. If there are, throw a `BadUserInputError`.

## How to test

1. Run dev server and open http://localhost:3000/graphql to access the
sandbox
2. Test with the following query 
```
query Batch {
  h1: healthcheck {
    version
  }
  h2: healthcheck {
    version
  }
}
```
3. You should be able to see the relevant error.

Author: pregnantboy

packages/backend/src/helpers/__tests__/graphql-instance.test.ts

@@ -0,0 +1,26 @@
+import { assert, describe, expect, it } from 'vitest'
+
+import { server } from '../graphql-instance'
+
+describe('GraphQL instance', () => {
+  describe('Batching within an operation', () => {
+    it('should not throw an error if a single root fields is present', async () => {
+      const result = await server.executeOperation({
+        query: `query HealthCheck { healthcheck { version } }`,
+      })
+      assert(result.body.kind === 'single')
+      expect(result.body.singleResult.errors).toBeUndefined()
+    })
+
+    it('should throw an error if multiple root fields are present', async () => {
+      const result = await server.executeOperation({
+        query: `query TwoHealthChecks { h1: healthcheck { version } h2: healthcheck { version } }`,
+      })
+      assert(result.body.kind === 'single')
+      expect(result.body.singleResult.errors[0]).toHaveProperty(
+        'code',
+        'BAD_USER_INPUT',
+      )
+    })
+  })
+})

packages/backend/src/helpers/graphql-instance.ts

@@ -4,9 +4,11 @@ import { ApolloServerPluginLandingPageDisabled } from '@apollo/server/plugin/dis
 import { ApolloServerPluginLandingPageLocalDefault } from '@apollo/server/plugin/landingPage/default'
 import { makeExecutableSchema } from '@graphql-tools/schema'
 import { RequestHandler } from 'express'
+import { Kind, OperationDefinitionNode } from 'graphql/language'
 import { applyMiddleware } from 'graphql-middleware'
 
 import appConfig from '@/config/app'
+import { BadUserInputError } from '@/errors/graphql-errors'
 import { typeDefs } from '@/graphql/__generated__/typeDefs.generated'
 import resolvers from '@/graphql/resolvers'
 import authentication, { setCurrentUserContext } from '@/helpers/authentication'
@@ -42,22 +44,48 @@ function ApolloServerPluginUserTracer(): ApolloServerPlugin<AuthenticatedContext
   }
 }
 
+function PreventBatching(): ApolloServerPlugin {
+  return {
+    async requestDidStart() {
+      return {
+        async didResolveOperation(requestContext) {
+          const { document } = requestContext
+          // There should only be one operation definition per document
+          const queryDefinition = document.definitions.find(
+            (definition) => definition.kind === Kind.OPERATION_DEFINITION,
+          ) as OperationDefinitionNode | undefined
+
+          // Check if there are multiple selections (root fields) in the query
+          if (queryDefinition?.selectionSet.selections.length > 1) {
+            throw new BadUserInputError(
+              'Multiple root fields in a single operation are not allowed.',
+            )
+          }
+        },
+      }
+    },
+  }
+}
+
 const schema = makeExecutableSchema({ typeDefs, resolvers })
 
 const schemaWithMiddleware = applyMiddleware(
   schema,
   authentication.generate(schema),
 )
 
-const server = new ApolloServer<UnauthenticatedContext>({
+export const server = new ApolloServer<UnauthenticatedContext>({
   schema: schemaWithMiddleware,
   introspection: appConfig.isDev,
   plugins: [
     appConfig.isDev
       ? ApolloServerPluginLandingPageLocalDefault()
       : ApolloServerPluginLandingPageDisabled(),
     ApolloServerPluginUserTracer(),
+    PreventBatching(),
   ],
+  // We don't want to allow batching within a single HTTP request, this defaults to false
+  allowBatchedHttpRequests: false,
   formatError: (error) => {
     logger.error(error)
     let errorMessage = error.message