@amcaplan amcaplan commented Dec 10, 2025

Summary

  • Re-enables the GraphiQL header editor UI that was previously disabled
  • Adds header filtering to block problematic browser/hop-by-hop headers
  • Allows custom headers like Shopify-Search-Query-Debug=1 to pass through to the Admin API

Problem

The CLI's built-in GraphiQL didn't allow passing custom headers. This feature was explicitly disabled because the proxy couldn't distinguish between user-set headers and browser defaults, causing conflicts.

Solution

  • Enable isHeadersEditorEnabled: true in the GraphiQL component
  • Implement a blocklist of headers that should NOT be forwarded:
    • Hop-by-hop headers (RFC 7230): connection, keep-alive, transfer-encoding, etc.
    • Proxy-controlled headers: host, content-type, accept, authorization, cookie, etc.
  • Filter incoming request headers and merge safe custom headers with required headers

Test plan

  • All 9 new tests pass for header filtering logic
  • Type-check passes
  • Lint passes
  • Manual testing: Run shopify app dev, open GraphiQL, add custom header, verify it reaches the API

Fixes: https://github.com/shop/issues-develop/issues/21688

🤖 Generated with Claude Code

@amcaplan amcaplan added the claudeception Pull request created by Claudeception agents label Dec 10, 2025
@amcaplan amcaplan force-pushed the allow-custom-headers-in-graphiql branch from 64f79b7 to f793848 Compare December 10, 2025 13:24
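
The filter-and-merge step described in the pull request above, as an added example; it is not the code from this PR or from the Shopify CLI. `BLOCKED_HEADERS` and `filterCustomHeaders` are the names the commit message uses, while `connectionOptions`, `buildUpstreamHeaders`, the list entries the description covers with "etc.", and all sample values are assumptions. It goes beyond the description by also dropping headers named in `Connection` and values containing CR/LF, and by letting the proxy's required headers always win the merge.

```typescript
// Added example: not the Shopify CLI's code. List entries the PR text does not
// name, and all sample values, are assumptions.
type HeaderMap = Record<string, string | string[] | undefined>
const HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate',
  'proxy-authorization', 'te', 'trailer', 'transfer-encoding', 'upgrade']
const PROXY_CONTROLLED = ['host', 'content-type', 'content-length', 'accept',
  'authorization', 'cookie']
const BLOCKED_HEADERS = new Set<string>(HOP_BY_HOP.concat(PROXY_CONTROLLED))
// Header names listed in Connection are hop-by-hop for this request as well.
function connectionOptions(incoming: HeaderMap): Set<string> {
  const options = new Set<string>()
  for (const name of Object.keys(incoming)) {
    if (name.toLowerCase() !== 'connection') continue
    const values = ([] as string[]).concat(incoming[name] || [])
    for (const option of values.join(',').split(',')) {
      if (option.trim()) options.add(option.trim().toLowerCase())
    }
  }
  return options
}

function filterCustomHeaders(incoming: HeaderMap): Record<string, string> {
  const perRequest = connectionOptions(incoming)
  const safe: Record<string, string> = {}
  for (const name of Object.keys(incoming)) {
    const key = name.toLowerCase()
    const value = incoming[name]
    if (BLOCKED_HEADERS.has(key) || perRequest.has(key)) continue
    if (typeof value !== 'string') continue // missing or repeated header
    if (/[\r\n\0]/.test(value)) continue // value could split the header block
    safe[key] = value
  }
  return safe
}

// Required headers are applied last, so a custom header can never replace them.
function buildUpstreamHeaders(incoming: HeaderMap, required: Record<string, string>): Record<string, string> {
  const merged = filterCustomHeaders(incoming)
  for (const name of Object.keys(required)) merged[name.toLowerCase()] = required[name]
  return merged
}

// Constructed sample: browser defaults plus headers typed into the editor.
const sampleIncoming: HeaderMap = {
  Host: 'localhost:3457', Connection: 'keep-alive, X-Internal-Hop', 'X-Internal-Hop': '1',
  Authorization: 'Bearer from-browser', Cookie: 'session=abc', 'X-Bad': 'a\r\nInjected: 1',
  'Shopify-Search-Query-Debug': '1',
}
const sampleRequired = {Authorization: 'Bearer proxy-token', 'Content-Type': 'application/json'}
console.log(buildUpstreamHeaders(sampleIncoming, sampleRequired))
```

Header names are lowercased before comparison, so `TRANSFER-ENCODING` and `transfer-encoding` are treated the same.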
github-actions bot commented Dec 10, 2025

Coverage report

St. | Category | Percentage | Covered / Total
🟡 | Statements | 79.51% (+0.28% 🔼) | 14339/18035
🟡 | Branches | 73.71% (+0.61% 🔼) | 7081/9606
🟡 | Functions | 79.64% (+0.27% 🔼) | 3666/4603
🟡 | Lines | 79.88% (+0.3% 🔼) | 13558/16973

Test suite run success

3659 tests passing in 1430 suites.

Report generated by 🧪jest coverage report action from ca93396

@ravangen ravangen left a comment

Should ideally also allow:

There are other ones, but not sure if they are applicable here.

@amcaplan amcaplan marked this pull request as ready for review December 10, 2025 15:13
@amcaplan amcaplan requested review from a team as code owners December 10, 2025 15:13
@github-actions

This PR seems inactive. If it's still relevant, please add a comment saying so. Otherwise, take no action.
→ If there's no activity within a week, then a bot will automatically close this.
Thanks for helping to improve Shopify's dev tooling and experience.

amcaplan and others added 2 commits January 18, 2026 14:34
Re-enables the header editor UI in GraphiQL and adds filtering to block
problematic browser/hop-by-hop headers while allowing custom headers through.

This allows users to pass headers like `Shopify-Search-Query-Debug=1` to
the Admin API for debugging purposes.

Changes:
- Enable isHeadersEditorEnabled in GraphiQL component
- Add BLOCKED_HEADERS set for hop-by-hop and proxy-controlled headers
- Add filterCustomHeaders() to extract safe custom headers
- Forward filtered custom headers to Admin API

Fixes: shop/issues-develop#21688

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@amcaplan amcaplan force-pushed the allow-custom-headers-in-graphiql branch from 73a3833 to ca93396 Compare January 18, 2026 12:35