There's a lot to say about security, some useful links about that:
- GraohQL.org Security
- https://chillicream.com/docs/hotchocolate/v10/security/security
- https://chillicream.com/docs/hotchocolate/security/operation-complexity
In this intro I configured basic settings to face long execution time and maximum allowed query cost:
public static IRequestExecutorBuilder SetSecurity(this IRequestExecutorBuilder builder)
{
var options = new HotChocolate.Execution.Options.RequestExecutorOptions
{
ExecutionTimeout = TimeSpan.FromSeconds(3),
IncludeExceptionDetails = true,
};
options.Complexity.MaximumAllowed = 1000;
options.Complexity.Enable = true;
builder.SetRequestOptions(_ => options);
return builder;
}Now the GraphQL schema will change this way, e.g.:
type Book implements Node {
id: ID!
authors: [Author!]!
publisher: Publisher
relatedBooks: [Book!]!
authors: [Author!]! @cost(complexity: 5)
publisher: Publisher @cost(complexity: 5)
relatedBooks: [Book!]! @cost(complexity: 5)
title: String
abstract: String
editionVersion: Int
publicationDate: DateTime
categories: [String!]
}and if I try to run a very complex query:
query {
books(first: 30, where: { title: { startsWith: "Reconstituirea" } }) {
nodes {
id
title
authors {
firstName
surnName
}
relatedBooks {
id
title
publicationDate
relatedBooks {
id
title
relatedBooks {
id
title
}
}
}
}
}
}The server result is:
{
"errors": [
{
"message": "The maximum allowed operation complexity was exceeded.",
"extensions": {
"complexity": 1110,
"allowedComplexity": 1000
}
}
]
}