GraphQL API rate/complexity limits #381
Comments
graphql-query-complexity looks to be a good solution for limiting too-deeply-nested queries. It looks well-maintained, only has 1 tiny dependency, and is quite widely downloaded on npm (80k / week). There is an example here of integrating it with Apollo Server 2 as an ApolloServerPlugin. We could build a similar plugin and ship it with core, and users can import it as needed. It would have to be well-documented in the "deployment" docs as a recommendation for production deploys.
For rate-limiting and timeouts we can make use of the vast Express ecosystem, since Vendure allows you to plug in any Express middleware quite trivially. So now I'm thinking it makes sense to keep all of this out of
Added docs on this for now, and will defer any other implementation to a later point.
This is handled by the HardenPlugin.
Is your feature request related to a problem? Please describe.
Due to the flexible nature of GraphQL, it is possible to create queries that end up being very expensive for the server to execute, for example:
The above query takes 15 seconds to resolve on my fairly beefy laptop (and also returns an 825 kB response).
Imagine now we have `take: 100` rather than `take: 1`. There goes the whole server! So the problem comes down to 2 potential risks:
Describe the solution you'd like
There are several strategies to mitigate these risks, which are well-described in this StackOverflow answer and thread.
Also see suggestions here: apollographql/apollo-server#1310
The measures range from fairly simple (timeouts) to more complex, e.g. analyzing individual queries to compute a complexity score.
This thread will track further research into the topic and proposals on what to build in to Vendure core to give at least some protection from the above by default.
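Added example, not Vendure code, not the HardenPlugin and not graphql-query-complexity: a dependency-free TypeScript estimator of the two quantities the measures above operate on, nesting depth and a complexity score in which a field's `take` argument multiplies the cost of everything selected beneath it. It is the analysis a complexity plugin performs before a query reaches any resolver, and it shows the `take: 1` versus `take: 100` blow-up from the problem description. The supported syntax (fields, aliases, arguments, nested selection sets; no fragments or directives), the sample query, the set of fields assumed to return lists and the limits are all constructed for illustration.

```typescript
// Added example, not Vendure's HardenPlugin and not graphql-query-complexity:
// a dependency-free estimator of query depth and a `take`-weighted complexity
// score for a subset of GraphQL (fields, aliases, arguments, nested selection
// sets; no fragments or directives). Field names, list sizes and limits below
// are assumptions for illustration.

interface FieldNode {
  name: string;
  take: number | 'variable' | undefined; // literal `take:` argument, a `$var`, or none
  children: FieldNode[];
}

interface CostOptions {
  listFields: Set<string>; // fields assumed (from the schema) to return lists
  defaultTake: number;     // multiplier assumed when a list size is not a literal
}

interface QueryCost { depth: number; complexity: number; }
interface Verdict extends QueryCost { allowed: boolean; reason?: string; }

// Identifiers, variables, integers, strings and single punctuation characters.
function tokenize(query: string): string[] {
  const re = /[A-Za-z_][A-Za-z0-9_]*|\$[A-Za-z_][A-Za-z0-9_]*|-?\d+|"(?:[^"\\]|\\.)*"|[{}():,\[\]!=]/g;
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(query)) !== null) out.push(m[0]);
  return out;
}

function parseSelectionSet(tokens: string[], pos: number): { fields: FieldNode[]; pos: number } {
  if (tokens[pos] !== '{') throw new Error(`expected '{' at token ${pos}`);
  pos++;
  const fields: FieldNode[] = [];
  while (pos < tokens.length && tokens[pos] !== '}') {
    const r = parseField(tokens, pos);
    fields.push(r.field);
    pos = r.pos;
  }
  if (tokens[pos] !== '}') throw new Error('unterminated selection set');
  return { fields, pos: pos + 1 };
}

function parseField(tokens: string[], pos: number): { field: FieldNode; pos: number } {
  let name = tokens[pos++];
  if (tokens[pos] === ':') { pos++; name = tokens[pos++]; } // alias: cost by the real field name
  let take: FieldNode['take'] = undefined;
  if (tokens[pos] === '(') {
    // Walk the argument list looking for `take: <int>` anywhere inside it,
    // including nested input objects such as options: { take: 1 }.
    let depth = 0;
    do {
      const t = tokens[pos];
      if (t === '(') depth++;
      else if (t === ')') depth--;
      else if (t === 'take' && tokens[pos + 1] === ':') {
        const v = tokens[pos + 2] || '';
        take = /^\d+$/.test(v) ? parseInt(v, 10) : v.charAt(0) === '$' ? 'variable' : take;
      }
      pos++;
    } while (depth > 0 && pos < tokens.length);
  }
  let children: FieldNode[] = [];
  if (tokens[pos] === '{') {
    const r = parseSelectionSet(tokens, pos);
    children = r.fields;
    pos = r.pos;
  }
  return { field: { name, take, children }, pos };
}

// Root selection set: the operation type, name and variable definitions before
// the first '{' are skipped.
function parseQuery(query: string): FieldNode[] {
  const tokens = tokenize(query);
  const start = tokens.indexOf('{');
  if (start < 0) throw new Error('no selection set found');
  return parseSelectionSet(tokens, start).fields;
}

function multiplier(f: FieldNode, opts: CostOptions): number {
  if (typeof f.take === 'number') return f.take;
  // A `take` passed as a variable cannot be resolved without the request's
  // variables map; treat it, and any known list field without a literal size,
  // as defaultTake rather than assuming it is small.
  if (f.take === 'variable' || opts.listFields.has(f.name)) return opts.defaultTake;
  return 1;
}

// complexity(field) = 1 + multiplier * sum(complexity(children)); a leaf costs 1.
function cost(fields: FieldNode[], opts: CostOptions): QueryCost {
  let depth = 0;
  let complexity = 0;
  for (const f of fields) {
    const sub = cost(f.children, opts);
    depth = Math.max(depth, 1 + sub.depth);
    complexity += 1 + multiplier(f, opts) * sub.complexity;
  }
  return { depth, complexity };
}

function estimateCost(query: string, opts: CostOptions): QueryCost {
  return cost(parseQuery(query), opts);
}

function checkQuery(query: string, opts: CostOptions, limits: { maxDepth: number; maxComplexity: number }): Verdict {
  const c = estimateCost(query, opts);
  if (c.depth > limits.maxDepth) return { ...c, allowed: false, reason: `depth ${c.depth} > ${limits.maxDepth}` };
  if (c.complexity > limits.maxComplexity) return { ...c, allowed: false, reason: `complexity ${c.complexity} > ${limits.maxComplexity}` };
  return { ...c, allowed: true };
}

// Constructed sample modelled on the issue: a products -> variants -> product
// -> variants cycle, with take: 1 versus take: 100 on the outer list.
const OPTS: CostOptions = { listFields: new Set(['variants']), defaultTake: 10 };
const LIMITS = { maxDepth: 8, maxComplexity: 1000 };
const SMALL = `query { products(options: { take: 1 }) { items { variants { product { variants { name } } } } } }`;
const LARGE = SMALL.replace('take: 1', 'take: 100');

for (const q of [SMALL, LARGE]) console.log(checkQuery(q, OPTS, LIMITS));
```

With these assumptions the `take: 1` query scores depth 6 / complexity 123 and passes, while the identical shape with `take: 100` scores 12201 and is rejected before execution; a production plugin would additionally resolve a `take` supplied through a variable from the request's variables map instead of falling back to a default, and would derive the list fields and per-field weights from the schema rather than from a hand-written set.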