A way to compute/limit query complexity

[MeRuslan]

A basic protection against malicious requests / scraping.

I'd love to see some means to:

1. Set / control field/resolver complexity.
2. Limit whole query complexity (no idea on what to do in such a case, fail or limit response, maybe have it configured by the developer).

[MeRuslan]

Let's say a default field complexity is 1.
For a custom field a user can annotate its complexity using absolute values, and in terms of the query complexity down the line (i.e. children might be ORM's related objects, thus leaving the current node as a source of complexity truth for them).

Seems to me that we'll have to understand pagination at the step of complexity computation. I don't think there's a defined pagination API yet.

[MeRuslan]

I'm a new one here, might be completely wrong ：D

[jokull]

Good article on this topic: https://www.apollographql.com/blog/securing-your-graphql-api-from-malicious-queries-16130a324a6b/

[jkimbo]

Closing this in favour of #960

[MeRuslan]

Closing this in favour of #960

Depth limiting would certainly help, but it does not really secure you.
Perhaps I should have worded it better.

I would also like to be able to reject a query that would result in returning thousands of objects.
For that we'd need proper query analysis, not just a simple depth limit.

I.e.
query { user(id: 1) { chats(first: 100) { message(first: 100) { ... } } } }
would pass any reasonable depth limit, but I'd like to reject a query that complex.

I imagined something like https://github.com/pa-bru/graphql-cost-analysis

[jkimbo]

Sorry @MeRuslan , by closing this issue I didn't mean to imply that we shouldn't implement cost query limits, just that I wanted to consolidate the different approaches to handling malicious queries into one issue. I've included your comment there.