- Notifications
You must be signed in to change notification settings - Fork41
GraphQL query complexity analysis and validation for graphql-js
License
slicknode/graphql-query-complexity
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
This library provides GraphQL query analysis to reject complex queries to your GraphQL server.It can be used to protect your GraphQL servers against resource exhaustion and DoS attacks.
This library was originally developed as part of theSlicknode GraphQL Framework + Headless CMS.
Works withgraphql-js reference implementation.
Install the package via npm
npm install -S graphql-query-complexity
Create the rule with a maximum query complexity:
import{createComplexityRule,simpleEstimator}from'graphql-query-complexity';construle=createComplexityRule({// The maximum allowed query complexity, queries above this threshold will be rejectedmaximumComplexity:1_000,// The query variables. This is needed because the variables are not available// in the visitor of the graphql-js libraryvariables:{},// The context object for the request (optional)context:{}// Specify operation name when evaluating multi-operation documentsoperationName?:string,// The maximum number of query nodes to evaluate (fields, fragments, composite types).// If a query contains more than the specified number of nodes, the complexity rule will// throw an error, regardless of the complexity of the query.//// Default: 10_000maxQueryNodes?:10_000,// Optional callback function to retrieve the determined query complexity// Will be invoked whether the query is rejected or not// This can be used for logging or to implement rate limitingonComplete:(complexity:number)=>{console.log('Determined query complexity: ',complexity)},// Optional function to create a custom errorcreateError:(max:number,actual:number)=>{returnnewGraphQLError(`Query is too complex:${actual}. Maximum allowed complexity:${max}`);},// Add any number of estimators. The estimators are invoked in order, the first// numeric value that is being returned by an estimator is used as the field complexity.// If no estimator returns a value, an exception is raised.estimators:[// Add more estimators here...// This will assign each field a complexity of 1 if no other estimator// returned a value.simpleEstimator({defaultComplexity:1})]});
The complexity calculation of a GraphQL query can be customized with so called complexity estimators.A complexity estimator is a simple function that calculates the complexity for a field. You can addany number of complexity estimators to the rule, which are then executed one after another.The first estimator that returns a numeric complexity value determines the complexity for that field.
At least one estimator has to return a complexity value, otherwise an exception is raised. You canfor example use thesimpleEstimator as the last estimatorin your chain to define a default value.
You can use any of the available estimators to calculate the complexity of a fieldor write your own:
simpleEstimator: The simple estimator returns a fixed complexity for each field. Can be used aslast estimator in the chain for a default value.directiveEstimator: Set the complexity via a directive in yourschema definition (for example via GraphQL SDL)fieldExtensionsEstimator: The field extensions estimator lets you set a numeric value or a custom estimatorfunction in the field config extensions of your schema.- PRs welcome...
Consult the documentation of each estimator for information about how to use them.
An estimator has the following function signature:
typeComplexityEstimatorArgs={// The composite type (interface, object, union) that the evaluated field belongs totype:GraphQLCompositeType;// The GraphQLField that is being evaluatedfield:GraphQLField<any,any>;// The GraphQL node that is being evaluatednode:FieldNode;// The input arguments of the fieldargs:{[key:string]:any};// The complexity of all child selections for that fieldchildComplexity:number;// The context object for the request if it was providedcontext?:Record<string,any>;};typeComplexityEstimator=(options:ComplexityEstimatorArgs)=>number|void;
To use the query complexity analysis validation rule with express-graphql, use something like thefollowing:
import{simpleEstimator,createComplexityRule,}from'graphql-query-complexity';importexpressfrom'express';importgraphqlHTTPfrom'express-graphql';importschemafrom'./schema';constapp=express();app.use('/api',graphqlHTTP(async(request,response,{ variables})=>({ schema,validationRules:[createComplexityRule({estimators:[// Configure your estimatorssimpleEstimator({defaultComplexity:1}),],maximumComplexity:1000, variables,onComplete:(complexity:number)=>{console.log('Query Complexity:',complexity);},}),],})));
If you want to calculate the complexity of a GraphQL query outside of the validation phase, for example toreturn the complexity value in a resolver, you can calculate the complexity viagetComplexity:
import{getComplexity,simpleEstimator}from'graphql-query-complexity';import{parse}from'graphql';// Import your schema or get it form the info object in your resolverimportschemafrom'./schema';// You can also use gql template tag to get the parsed queryconstquery=parse(` query Q($count: Int) { some_value some_list(count: $count) { some_child_value } }`);try{constcomplexity=getComplexity({estimators:[simpleEstimator({defaultComplexity:1})], schema, query,variables:{count:10,},});console.log(complexity);// Output: 3}catch(e){// Log error in case complexity cannot be calculated (invalid query, misconfiguration, etc.)console.error('Could not calculate complexity',e.message);}
This project is inspired by the following prior projects:
- Query complexity analysis in theSangria GraphQL implementation.
- graphql-cost-analysis - Multipliers and directiveEstimator
About
GraphQL query complexity analysis and validation for graphql-js
Topics
Resources
License
Uh oh!
There was an error while loading.Please reload this page.
Stars
Watchers
Forks
Packages0
Uh oh!
There was an error while loading.Please reload this page.