-
-
Notifications
You must be signed in to change notification settings - Fork 542
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for query complexity #2988
Comments
nice idea. But maybe a proposal: why not extending graphene-protector? This extension works for strawberry as well as graphene as well as plain graphql-python And it is tested |
(side note: a project of mine) |
@devkral oh I forgot about it! I think we could use internally 😊 my reasoning around having this feature built-in is so that we have a great API (I quite the new argument on field/argument) and also we make sure it always works, especially if we change the core of Strawberry 😊 |
I see your point. Assigning arguments with costs is a cool idea. But how would an extension like mine retrieve the costs? It would be nice to have a function/property on every field which returns the accumulated costs |
I've been looking at this quite a bit as well. Here are some resources I've found and things I like about them that we could maybe take advantage of
I do like the I think being able to define your own Estimators and pass those into the Extension could be a great way to provide defaults and to give a lot of flexibility for clients to do things themselves So my overall thoughts on what I'd like to be able to do/have:
Something like
|
some parts I did already, for example you can exclude some path parts from adding complexity/depth. By default connections are reduced to one. Some parts which are missing, are:
|
Ariadne has similar features: https://ariadnegraphql.org/docs/query-validators#setting-fields-costs-in-schema |
Hello, I think this would be very cool as well to have as a feature. Me and my team would be more than happy to help if there is a draft or minimal working extension |
actually it is already implemented (graphene-protector) (except I don't check the arguments yet, bug). What I need is someone who can help me with a graphql parser in rust (see graphql-core discussion), I need some help integrating them in python but I am short in time to learn rust. Why? having some fancy protection algorithms is useless without a fast input parser which can handle the rough edges of graphql parsing. |
Ok so it's already working but it's not fast enough for production usage without rust if i understand correctly. For now this is ok for us as i want to use this to essentially monitor the query constructed by the front team. |
The issue is in graphql-core (which is the python port of the reference implementation and probably also in use by adriane). graphql-python/graphql-core#216 Of course it would be possible to build a stack free dfs in both languages. But this is double effort and still not as efficient as machine code. So my proposal is to remove these hacks and implement it right in rust, which can be used from both languages |
Hey @bradleyoesch and @patrick91, adding to your suggestion: IMO it would be nice if the implementation of the query complexity calculator was separate from the actual limiter. This way, users can implement the limiting in more creative ways such as.
I'm willing to implement a first version of this as a Strawberry extension that crawls nodes like Is there anything else I should consider before I get going with this? |
you can access the costs. You aren't required to block. You can even dynamically provide the limit. |
@devkral do you have any benchmarks or data about the GraphQL parsing performance? I'm wondering if the parser would be such a bottleneck that it's a blocker to this. Since we already parse the query with what exists and use tree traversal in other extensions such as the Of course, having a Rust parser would be sweet, I just don't think the parser is a blocker to this issue. Also, I understand you have your own plugin, but it would be nice to have this as a native Strawberry extension. |
@serramatutu the rust parser is almost ready for beta use 😉 +1 on separating cost calculation logic vs limitation logic, this would enable easy abstraction of both components |
Someone picked this up and build a rust parser for embedding? where do I find the rust parser? How can I test it? Or did I misunderstand? |
nice, thank you |
Sorry for the massive delay, life and work got in the way. I finally sat down to take a stab at this: #3721 |
Hey folks, I while ago I wrote down some ideas on how we can add support for query complexity. For this we'll need two things:
For customising costs on fields and arguments I was thinking about something like this:
Here we are saying that each individual item in the
expensive_list
field costs 2, and the total is a multiplication between the field cost and the limit, so the result would be:We can also have defaults like this:
default_argument_cost_multiplier
is a map between argument name and their multiplier, though I don't like the name that much.What do you think?
Upvote & Fund
The text was updated successfully, but these errors were encountered: