Add support for estimating and limiting max allowed query cost #40
Assignees
Labels
roadmap
Feature that we want to have included
Comments
|
For what it's worth, I think supporting "persisted queries" (a form of query whitelisting) is a simple, robust alternative that satisfies a large proportion of non-public-facing needs. https://github.com/apollographql/persistgraphql#server-side I think making that easy to support in Ariadne would go a long way. |
|
@ajhyndman We already have a working query cost limiter, it's a matter of incorporating it into Ariadne. |
|
Wow, cool! |
|
This feature is already available in ariadne via |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is the white whale of GraphQL server implementation - the way to detect maliciously constructed queries and reject their execution before even touching the data.
We haven't moved on to implementing anything yet, but current idea for achieving this is creating copy of "real" schema, but replacing all scalars with
Int. We could then re-use the existing query execution logic to get data structure containing the price of each individual field in the result. One of potential issues I'm seeing here would be counting fields returning types.The alternative approach would involve implementing custom query executor which would traverse the fields defined in query, keeping track of its position, depth, and counting the score on the fly. It may be that this approach may not be as scary as it appears, due to us not needing to implement entire execution flow - just walk the fields in query.
The text was updated successfully, but these errors were encountered: