graphql-spring-boot

Usage of graphql.servlet.max-query-complexity

Open nidomiro opened this issue 5 years ago • 6 comments

I want to secure my GraphQL endpoint in terms of server load. I read this article and wanted to implement some methods.

With some searching I found the property graphql.servlet.max-query-complexity in #105. My question is, how do I use this method? Especially where and how do I annotate the schema?

nidomiro avatar Sep 02 '19 10:09 nidomiro

That is a property to be used in the application.properties file.

MFoster avatar Sep 12 '19 15:09 MFoster

Thanks for your answer. Unfortunately that's the part I already know. The real question is how do I define the complexity of each instruction in my schema? Or is everything predefined with a default complexity?

nidomiro avatar Sep 14 '19 14:09 nidomiro

I believe that is evaluated prior to reaching your resolver functions. Try testing by setting a very low complexity and sending it a very complex query to ensure that is the case.

MFoster avatar Sep 18 '19 13:09 MFoster

@nidomiro The approach @MFoster suggested sounds sensible to me. The alternative would be following the code to see how it works, since I don't think anybody else currently has the answer readily available. If you've found the answer, kindly comment it here for future reference.

oliemansm avatar Apr 04 '20 06:04 oliemansm

The instrumentation class MaxQueryComplexityInstrumentation implements the graph complexity functionality and is added by the GraphQLInstrumentationAutoConfiguration:

```java
@Bean
@ConditionalOnMissingBean
@ConditionalOnProperty(value = "graphql.servlet.max-query-complexity")
public MaxQueryComplexityInstrumentation maxQueryComplexityInstrumentation() {
    return new MaxQueryComplexityInstrumentation(maxQueryComplexity);
}
```

The standard calculation for each field is 1. I would be interested in how to assign a different complexity to individual fields. There is a FieldComplexityCalculator interface which can be implemented by the user. We could write a calculator that checks whether there is a @GraphQLComplexity annotation (a new annotation) on the field and returns this value. I could provide this function as a PR if it makes sense for this project?

Thinkenterprise avatar Oct 17 '20 21:10 Thinkenterprise
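
One way to weight individual fields without a new annotation, as an added example that is not code from this thread or from the project: because the auto-configured bean above is `@ConditionalOnMissingBean`, an application can declare its own `MaxQueryComplexityInstrumentation` using graphql-java's two-argument constructor and a custom `FieldComplexityCalculator`. The class name, the cost table entries (`Query.search`, `User.friends`) and the `first` pagination argument are hypothetical; Java 9+ is assumed for `Map.of`.

```java
import graphql.analysis.FieldComplexityCalculator;
import graphql.analysis.MaxQueryComplexityInstrumentation;
import java.util.Map;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example (hypothetical class): replaces the auto-configured instrumentation bean.
@Configuration
public class QueryComplexityConfig {

    // Hypothetical per-field costs keyed by "ParentType.field"; unlisted fields cost 1.
    private static final Map<String, Integer> FIELD_COST = Map.of(
            "Query.search", 10,
            "User.friends", 5);

    static final FieldComplexityCalculator WEIGHTED = (env, childComplexity) -> {
        String key = env.getParentType().getName() + "." + env.getField().getName();
        int own = FIELD_COST.getOrDefault(key, 1);

        // Assumed pagination argument "first": a list field pays for the
        // sub-selection once per requested item, so large page sizes cost more.
        Object first = env.getArguments().get("first");
        int multiplier = (first instanceof Integer) ? Math.max(1, (Integer) first) : 1;

        // Compute in long and clamp so a huge "first" cannot overflow int
        // and wrap around to a small (accepted) complexity value.
        long total = own + (long) multiplier * childComplexity;
        return (int) Math.min(total, Integer.MAX_VALUE);
    };

    @Bean
    public MaxQueryComplexityInstrumentation maxQueryComplexityInstrumentation(
            @Value("${graphql.servlet.max-query-complexity}") int maxQueryComplexity) {
        // Queries whose weighted total exceeds the limit are rejected by the
        // instrumentation before any resolver runs.
        return new MaxQueryComplexityInstrumentation(maxQueryComplexity, WEIGHTED);
    }
}
```

With this bean present, the limit in application.properties is compared against the weighted total instead of a flat count of 1 per field.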

The configuration property graphql.servlet.max-query-complexity works like a charm with servlets but does not have any effect with WebFlux. Is it a known issue? Any plans to implement it?

sam701 avatar Mar 11 '21 16:03 sam701