docs(router): Operation Complexity #7544
Conversation
Summary of ChangesHello @ardatan, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request primarily focuses on enhancing the documentation for the GraphQL router by introducing detailed guides on query complexity limiting features. It covers how to configure Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
📚 Storybook DeploymentThe latest changes are available as preview in: https://pr-7544.hive-storybook.pages.dev |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds documentation for the new query complexity limiting features in the router. The changes are well-structured, adding a new configuration page for limits and a security guide on query complexity. I've found a few typos and minor inconsistencies in the documentation content that should be addressed for clarity.
packages/web/docs/src/content/router/security/query_complexity.mdx
Outdated
Show resolved
Hide resolved
packages/web/docs/src/content/router/security/query_complexity.mdx
Outdated
Show resolved
Hide resolved
packages/web/docs/src/content/router/security/query_complexity.mdx
Outdated
Show resolved
Hide resolved
|
🐋 This PR was built and pushed to the following Docker images: Targets: Platforms: Image Tag: |
|
🐋 This PR was built and pushed to the following Docker images: Targets: Platforms: Image Tag: |
💻 Website PreviewThe latest changes are available as preview in: https://pr-7544.hive-landing-page.pages.dev |
| @@ -0,0 +1,210 @@ | |||
| --- | |||
| title: 'Query Complexity' | |||
There was a problem hiding this comment.
The Query Complexity title sounds a bit vague, and also too specific 😄
Should this just be Router Limits or Security Hardening?
There was a problem hiding this comment.
That was the name of the task actually 🤷♂️. Limits sound too broad. The idea of this section is to prevent malicious requests. Security Hardening is also too broad because the category of this section is also called Security so it sounds a bit weird to duplicate "Security" here, no?
There was a problem hiding this comment.
Good point. In any way, I think Query Complexity is a bit weird here. I'm not sure what's the better name so let's have an internal discussion.
There was a problem hiding this comment.
Sure maybe the title should focus on preventing the malicious/unwanted operations. So disabling introspection as in one of your comments can fit in.
There was a problem hiding this comment.
Maybe Query Cost Analysis? It implies the what (Query) why (cost) how (by analysing it)
Query Cost Analysis Rate Limiting, might be an option. Though it seems there is no real rate limiting solution provided here.
| cors: 'Configuring CORS', | ||
| csrf: 'CSRF Prevention', | ||
| 'jwt-authentication': 'JWT Authentication', | ||
| query_complexity: 'Query Complexity', |
There was a problem hiding this comment.
same as the other comment on the title
| GraphQL by design allows clients to request exactly the data they need. However, this flexibility | ||
| can be exploited to create overly complex queries that can strain server resources, leading to | ||
| performance degradation or denial of service. To mitigate these risks, it's essential to implement | ||
| query complexity limits in your GraphQL router configuration. |
There was a problem hiding this comment.
your GraphQL router configuration, especially in production environments
| performance degradation or denial of service. To mitigate these risks, it's essential to implement | ||
| query complexity limits in your GraphQL router configuration. | ||
|
|
||
| This guide explains how to configure the GraphQL router to enforce query complexity limits to |
There was a problem hiding this comment.
again here on query complexity, it's too specific and i think we should name it better.
| query complexity limits in your GraphQL router configuration. | ||
|
|
||
| This guide explains how to configure the GraphQL router to enforce query complexity limits to | ||
| prevent abusive queries. For the complete configuration options, |
There was a problem hiding this comment.
queries -> GraphQL operations
| In that example, any incoming GraphQL query that exceeds 1000 tokens will be rejected with an error. | ||
| ## Prevent deeply nested queries |
| ## Prevent deeply nested queries | ||
| If you build an API that is available to the 3rd-party users, it is recommended to limit the maximum |
There was a problem hiding this comment.
Maybe not 3rd-party here? but mention instead that this is useful in case your GraphQL is open (either for the public, third-party, or in general).
| } | ||
| ``` | ||
|
|
||
| The above query has a depth of 3 (`user` -> `posts` -> `comments`), so it would be accepted. If a |
There was a problem hiding this comment.
It's duplicated, written above as well
|
|
||
| {/* TODO: Rate Limiting here */} | ||
|
|
||
| ## Why both `max_depth` and `max_tokens`? |
There was a problem hiding this comment.
Maybe "Using max_depth along with max_tokens"?
| @@ -0,0 +1,210 @@ | |||
| --- | |||
| title: 'Query Complexity' | |||
| --- | |||
There was a problem hiding this comment.
@ardatan should we also include a section here and mention disabling introspection? and then link to https://github.com/graphql-hive/console/pull/7483/changes when it lands
There was a problem hiding this comment.
I think they have different aspects. This section is mostly about numeric limitations on incoming operations like depth, tokens, rate limits(in the future). So I didn't want to bloat this section with all limitations.
There was a problem hiding this comment.
Yeah, it's related to my previous suggestion, where we treat this page as "Security Hardening" and then things like persisted docs, rate-limit and also disabling introspection can fit in.
There was a problem hiding this comment.
The category of this page is Security already;
So Security Hardening under Security sounds weird. Also my point with this page is not to cover everything about limiting. It is about the story of preventing the malicious requests, starting from depth, tokens, rate limits then persisted operations. Disabling introspection might be fitting but calling all those as Security Hardening doesn't sound like specific enough for these.
There was a problem hiding this comment.
Yeah it's a different page with a different context (Secuity in the context of HTTP mostly, right?), while this new page is about hardening and "make it ready for prod" in the context of GraphQL
ardatan
changed the title
ardatan
changed the title
ardatan
changed the title
3 participants
Documentation of graphql-hive/router#623