Skip to content

Enable custom headers in CLI GraphiQL #6703

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
amcaplan wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Enable custom headers in CLI GraphiQL #6703

amcaplan wants to merge 2 commits into from
+152 −1

Conversation

@amcaplan
Copy link
Contributor

@amcaplan amcaplan commented Dec 10, 2025
edited
Loading

Summary

  • Re-enables the GraphiQL header editor UI that was previously disabled
  • Adds header filtering to block problematic browser/hop-by-hop headers
  • Allows custom headers like Shopify-Search-Query-Debug=1 to pass through to the Admin API

Problem

The CLI's built-in GraphiQL didn't allow passing custom headers. This feature was explicitly disabled because the proxy couldn't distinguish between user-set headers and browser defaults, causing conflicts.

Solution

  • Enable isHeadersEditorEnabled: true in the GraphiQL component
  • Implement a blocklist of headers that should NOT be forwarded:
    • Hop-by-hop headers (RFC 7230): connection, keep-alive, transfer-encoding, etc.
    • Proxy-controlled headers: host, content-type, accept, authorization, cookie, etc.
  • Filter incoming request headers and merge safe custom headers with required headers

Test plan

  • All 9 new tests pass for header filtering logic
  • Type-check passes
  • Lint passes
  • Manual testing: Run shopify app dev, open GraphiQL, add custom header, verify it reaches the API

Fixes: https://github.com/shop/issues-develop/issues/21688

🤖 Generated with Claude Code

@amcaplan amcaplan added the claudeception Pull request created by Claudeception agents label Dec 10, 2025
@amcaplan @claude
Enable custom headers in CLI GraphiQL
f793848 
Re-enables the header editor UI in GraphiQL and adds filtering to block
problematic browser/hop-by-hop headers while allowing custom headers through.

This allows users to pass headers like `Shopify-Search-Query-Debug=1` to
the Admin API for debugging purposes.

Changes:
- Enable isHeadersEditorEnabled in GraphiQL component
- Add BLOCKED_HEADERS set for hop-by-hop and proxy-controlled headers
- Add filterCustomHeaders() to extract safe custom headers
- Forward filtered custom headers to Admin API

Fixes: shop/issues-develop#21688

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@amcaplan amcaplan force-pushed the allow-custom-headers-in-graphiql branch from 64f79b7 to f793848 Compare December 10, 2025 13:24
@github-actions
Copy link
Contributor

github-actions bot commented Dec 10, 2025
edited
Loading

Coverage report

St.
 Category Percentage Covered / Total
🟡 Statements
79.19% (-0.03% 🔻)
 13908/17562
🟡 Branches
73.18% (+0.07% 🔼)
 6794/9284
🟡 Functions
79.34% (-0.03% 🔻)
 3563/4491
🟡 Lines
79.55% (-0.03% 🔻)
 13139/16517
Show new covered files 🐣
St.
 File Statements Branches Functions Lines
🟢
... / admin-as-app.ts
 100% 100% 100% 100%
🟢
... / bulk-operation-run-mutation.ts
 100% 100% 100% 100%
🟢
... / bulk-operation-run-query.ts
 100% 100% 100% 100%
🟢
... / get-bulk-operation-by-id.ts
 100% 100% 100% 100%
🟢
... / list-bulk-operations.ts
 100% 100% 100% 100%
🟢
... / staged-uploads-create.ts
 100% 100% 100% 100%
🔴
... / execute.ts
 0% 0% 0% 0%
🔴
... / status.ts
 0% 0% 0% 0%
🔴
... / pull.ts
 0% 100% 0% 0%
🟢
... / execute-operation.ts
 92.86% 83.33% 100% 92.31%
🔴
... / pull.ts
 0% 0% 0% 0%
🟢
... / bulk-operation-status.ts
 96% 90.63% 100% 100%
🟢
... / download-bulk-operation-results.ts
 100% 100% 100% 100%
🟢
... / execute-bulk-operation.ts
 92.98% 86.84% 100% 92.73%
🟢
... / format-bulk-operation-status.ts
 100% 100% 100% 100%
🟢
... / run-mutation.ts
 100% 100% 100% 100%
🟢
... / run-query.ts
 100% 100% 100% 100%
🟡
... / stage-file.ts
 72.73% 62.5% 83.33% 71.88%
🟢
... / watch-bulk-operation.ts
 100% 100% 100% 100%
🟢
... / utilities.ts
 100% 100% 100% 100%
🟢
... / common.ts
 95.24% 90% 100% 94.12%
🟢
... / execute-command-helpers.ts
 100% 100% 100% 100%
🔴
... / promiseWithResolvers.ts
 33.33% 50% 50% 33.33%
Show files with reduced coverage 🔻
St.
 File Statements Branches Functions Lines
🔴
... / execute.ts
 0%
0% (-100% 🔻)
 0% 0%
🟢
... / extension-instance.ts
84.8% (+0.23% 🔼)
77.6% (-0.91% 🔻)
92.06% (+0.13% 🔼)
85.11% (+0.24% 🔼)
🟡
... / specification.ts
 69.09%
75.61% (+2.44% 🔼)
76.47% (-1.31% 🔻)
 68.75%
🟢
... / ui_extension.ts
85.38% (-9.44% 🔻)
72.34% (-8.91% 🔻)
84% (-16% 🔻)
88% (-8.46% 🔻)
🔴
... / server.ts
1.23% (-0.02% 🔻)
 0% 0%
1.3% (-0.02% 🔻)
🟢
... / developer-platform-client.ts
84.62% (-1.5% 🔻)
73.68% (+3.1% 🔼)
81.82% (+1.82% 🔼)
90.63% (-2.71% 🔻)
🟢
... / api.ts
87.07% (-0.43% 🔻)
76.71% (-0.1% 🔻)
 100%
86.49% (-0.43% 🔻)
🟢
... / ConcurrentOutput.tsx
98.36% (-1.64% 🔻)
92% (-4% 🔻)
 100%
98.33% (-1.67% 🔻)
🟢
... / SingleTask.tsx
84.21% (-15.79% 🔻)
50% (-50% 🔻)
80% (-20% 🔻)
84.21% (-15.79% 🔻)
🔴
... / ui.tsx
50.82% (-0.79% 🔻)
42.86% (-5.53% 🔻)
54.55% (+1.42% 🔼)
50% (-0.82% 🔻)
🟢
... / console.ts
81.82% (+15.15% 🔼)
75% (-25% 🔻)
100% (+33.33% 🔼)
81.82% (+15.15% 🔼)
🔴
... / dev.ts
14.29% (+0.95% 🔼)
3.13% (+0.18% 🔼)
50% (-7.14% 🔻)
14.29% (+0.95% 🔼)
🟢
... / init.ts
88% (-0.89% 🔻)
71.43% (+4.76% 🔼)
86.67% (+4.85% 🔼)
88% (-0.89% 🔻)
🟢
... / storefront-renderer.ts
90.2% (-0.54% 🔻)
 78.95%
81.82% (-1.52% 🔻)
90.2% (-0.54% 🔻)
🟡
... / theme-polling.ts
67.12% (-0.93% 🔻)
 68.75% 78.57%
66.67% (-0.98% 🔻)

Test suite run success

3491 tests passing in 1408 suites.

Report generated by 🧪jest coverage report action from 73a3833

ravangen
ravangen reviewed Dec 10, 2025
View reviewed changes
Copy link

@ravangen ravangen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should ideally also allow:

There are other ones, but not sure if they are applicable here.

@amcaplan amcaplan marked this pull request as ready for review December 10, 2025 15:13
@amcaplan amcaplan requested review from a team as code owners December 10, 2025 15:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ravangen ravangen ravangen left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

claudeception Pull request created by Claudeception agents

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amcaplan @ravangen