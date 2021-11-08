GraphQL Query Complexity Analysis for graphql-js

This library provides GraphQL query analysis to reject complex queries to your GraphQL server. It can be used to protect your GraphQL servers against resource exhaustion and DoS attacks.

This library was originally developed as part of the Slicknode GraphQL Framework + Headless CMS.

Works with graphql-js reference implementation.

Installation

Install the package via npm

npm install -S graphql-query-complexity

Usage

Create the rule with a maximum query complexity:

import { createComplexityRule, simpleEstimator } from 'graphql-query-complexity' ; const rule = createComplexityRule({ maximumComplexity : 1000 , variables : {}, operationName?: string, onComplete : ( complexity: number ) => { console .log( 'Determined query complexity: ' , complexity)}, createError : ( max: number, actual: number ) => { return new GraphQLError( `Query is too complex: ${actual} . Maximum allowed complexity: ${max} ` ); }, estimators : [ simpleEstimator({ defaultComplexity : 1 }) ] });

Configuration / Complexity Estimators

The complexity calculation of a GraphQL query can be customized with so called complexity estimators. A complexity estimator is a simple function that calculates the complexity for a field. You can add any number of complexity estimators to the rule, which are then executed one after another. The first estimator that returns a numeric complexity value determines the complexity for that field.

At least one estimator has to return a complexity value, otherwise an exception is raised. You can for example use the simpleEstimator as the last estimator in your chain to define a default value.

You can use any of the available estimators to calculate the complexity of a field or write your own:

simpleEstimator : The simple estimator returns a fixed complexity for each field. Can be used as last estimator in the chain for a default value.

The simple estimator returns a fixed complexity for each field. Can be used as last estimator in the chain for a default value. directiveEstimator : Set the complexity via a directive in your schema definition (for example via GraphQL SDL)

Set the complexity via a directive in your schema definition (for example via GraphQL SDL) fieldExtensionsEstimator : The field extensions estimator lets you set a numeric value or a custom estimator function in the field config extensions of your schema.

The field extensions estimator lets you set a numeric value or a custom estimator function in the field config extensions of your schema. PRs welcome...

Consult the documentation of each estimator for information about how to use them.

Creating Custom Estimators

An estimator has the following function signature:

type ComplexityEstimatorArgs = { type : GraphQLCompositeType; field: GraphQLField< any , any >; node: FieldNode; args: { [key: string ]: any }; childComplexity: number ; }; type ComplexityEstimator = ( options: ComplexityEstimatorArgs ) => number | void ;

Usage with express-graphql

To use the query complexity analysis validation rule with express-graphql, use something like the following:

import { simpleEstimator, createComplexityRule, } from 'graphql-query-complexity' ; import express from 'express' ; import graphqlHTTP from 'express-graphql' ; import schema from './schema' ; const app = express(); app.use( '/api' , graphqlHTTP( async (request, response, { variables }) => ({ schema, validationRules : [ createComplexityRule({ estimators : [ simpleEstimator({ defaultComplexity : 1 }), ], maximumComplexity : 1000 , variables, onComplete : ( complexity: number ) => { console .log( 'Query Complexity:' , complexity); }, }), ], })) );

Calculate query complexity

If you want to calculate the complexity of a GraphQL query outside of the validation phase, for example to return the complexity value in a resolver, you can calculate the complexity via getComplexity :

import { getComplexity, simpleEstimator } from 'graphql-query-complexity' ; import { parse } from 'graphql' ; import schema from './schema' ; const query = parse( ` query Q($count: Int) { some_value some_list(count: $count) { some_child_value } } ` ); try { const complexity = getComplexity({ estimators : [simpleEstimator({ defaultComplexity : 1 })], schema, query, variables : { count : 10 , }, }); console .log(complexity); } catch (e) { console .error( 'Could not calculate complexity' , e.message); }

Prior Art

This project is inspired by the following prior projects: