<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en"> <!--<![endif]-->
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <link rel="shortcut icon" href="../img/favicon.ico">
  <title>Security - graphql-php</title>
  <link href='https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel='stylesheet' type='text/css'>
  <link rel="stylesheet" href="../css/theme.css" type="text/css" />
  <link rel="stylesheet" href="../css/theme_extra.css" type="text/css" />
  <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/github.min.css">
  <script>
    // Current page data
    var mkdocs_page_name = "Security";
    var mkdocs_page_input_path = "security.md";
    var mkdocs_page_url = null;
  </script>
  <script src="../js/jquery-2.1.1.min.js" defer></script>
  <script src="../js/modernizr-2.8.3.min.js" defer></script>
  <script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js"></script>
  <script>hljs.initHighlightingOnLoad();</script>
</head>
<body class="wy-body-for-nav" role="document">
  <div class="wy-grid-for-nav">
    <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav">
      <div class="wy-side-nav-search">
        <a href=".." class="icon icon-home">graphql-php</a>
        <div role="search">
          <form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
            <input type="text" name="q" placeholder="Search docs" title="Type search term here" />
          </form>
        </div>
      </div>
      <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
        <ul class="current">
          <li class="toctree-l1">
            <a class="" href="..">About</a>
          </li>
          <li class="toctree-l1">
            <a class="" href="../getting-started/">Getting Started</a>
          </li>
          <li class="toctree-l1">
            <a class="" href="../complementary-tools/">Complementary Tools</a>
          </li>
          <li class="toctree-l1">
            <span class="caption-text">Type Definitions</span>
            <ul class="subnav">
              <li class=""><a class="" href="../type-system/">Introduction</a></li>
              <li class=""><a class="" href="../type-system/object-types/">Object Types</a></li>
              <li class=""><a class="" href="../type-system/scalar-types/">Scalar Types</a></li>
              <li class=""><a class="" href="../type-system/enum-types/">Enumeration Types</a></li>
              <li class=""><a class="" href="../type-system/lists-and-nonnulls/">Lists and Non-Null</a></li>
              <li class=""><a class="" href="../type-system/interfaces/">Interfaces</a></li>
              <li class=""><a class="" href="../type-system/unions/">Unions</a></li>
              <li class=""><a class="" href="../type-system/input-types/">Mutations and Input Types</a></li>
              <li class=""><a class="" href="../type-system/directives/">Directives</a></li>
              <li class=""><a class="" href="../type-system/schema/">Schema</a></li>
              <li class=""><a class="" href="../type-system/type-language/">Using Type Language</a></li>
            </ul>
          </li>
          <li class="toctree-l1">
            <a class="" href="../executing-queries/">Executing Queries</a>
          </li>
          <li class="toctree-l1">
            <a class="" href="../data-fetching/">Fetching Data</a>
          </li>
          <li class="toctree-l1">
            <a class="" href="../error-handling/">Handling Errors</a>
          </li>
          <li class="toctree-l1 current">
            <a class="current" href="./">Security</a>
            <ul class="subnav">
              <li class="toctree-l2"><a href="#query-complexity-analysis">Query Complexity Analysis</a></li>
              <li class="toctree-l2"><a href="#limiting-query-depth">Limiting Query Depth</a></li>
              <li class="toctree-l2"><a href="#disabling-introspection">Disabling Introspection</a></li>
            </ul>
          </li>
          <li class="toctree-l1">
            <a class="" href="../how-it-works/">How it works</a>
          </li>
          <li class="toctree-l1">
            <a class="" href="../reference/">Class Reference</a>
          </li>
        </ul>
      </div>
    </nav>
    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
        <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
        <a href="..">graphql-php</a>
      </nav>
      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="navigation" aria-label="breadcrumbs navigation">
            <ul class="wy-breadcrumbs">
              <li><a href="..">Docs</a> »</li>
              <li>Security</li>
              <li class="wy-breadcrumbs-aside">
              </li>
            </ul>
            <hr/>
          </div>
          <div role="main">
            <div class="section">
<h1 id="query-complexity-analysis">Query Complexity Analysis</h1>
<p>This is a PHP port of <a href="http://sangria-graphql.org/learn/#query-complexity-analysis">Query Complexity Analysis</a> in the Sangria implementation.</p>
<p>Complexity analysis is a separate validation rule that calculates a query's complexity score before execution.
Every field in the query gets a default score of 1 (including fields that return object types). The total complexity of the
query is the sum of all field scores. For example, the complexity of the introspection query is <strong>109</strong>.</p>
<p>If this score exceeds the threshold, the query is not executed and an error is returned instead. Because the check runs
during validation, a rejected query never reaches your resolvers.</p>
<p>Complexity analysis is disabled by default. To enable it, add the validation rule:</p>
<pre><code class="php">&lt;?php
use GraphQL\GraphQL;
use GraphQL\Validator\Rules\QueryComplexity;
use GraphQL\Validator\DocumentValidator;

// Reject any query whose total score exceeds 100
$rule = new QueryComplexity($maxQueryComplexity = 100);
DocumentValidator::addRule($rule);

GraphQL::executeQuery(/*...*/);
</code></pre>
<p>This sets the rule globally. Alternatively, you can provide validation rules <a href="../executing-queries/#custom-validation-rules">per execution</a>.</p>
<p>To customize the score of a field, add a <strong>complexity</strong> function to its definition. It receives the summed
score of the field's child selections and the field's arguments (with default values applied), and returns the score
for the field:</p>
<pre><code class="php">&lt;?php
use GraphQL\Type\Definition\Type;
use GraphQL\Type\Definition\ObjectType;

$type = new ObjectType([
    'name' => 'MyType',
    'fields' => [
        'someList' => [
            'type' => Type::listOf(Type::string()),
            'args' => [
                'limit' => [
                    'type' => Type::int(),
                    'defaultValue' => 10
                ]
            ],
            // Count the children once per requested item. The default function
            // is $childrenComplexity + 1; a custom one replaces it entirely, so a
            // list of scalars (which has no children) scores 0 here unless you
            // add 1 for the field itself.
            'complexity' => function($childrenComplexity, $args) {
                return $childrenComplexity * $args['limit'];
            }
        ]
    ]
]);
</code></pre>
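<p>The following is an added, complete example (not code from the graphql-php documentation or from the library itself) that puts a field-level complexity function and a per-execution complexity budget together and runs the same query twice, once inside and once outside the budget. It assumes the graphql-php 0.12/0.13-era API described on this page and PHP 7; the <code>Item</code> type, the sample data and the helper <code>executeWithBudget</code> are invented for the example.</p>

```php
<?php
// Added example, not from graphql-php's own docs: a complete schema whose
// `items` field is scored by its `limit` argument, run with per-execution
// validation rules so the budget can be seen working. Assumes the
// graphql-php 0.12/0.13-era API this page documents; the Item type, the
// sample data and the helper names are invented for the example.
require_once __DIR__ . '/vendor/autoload.php';

use GraphQL\GraphQL;
use GraphQL\Type\Definition\ObjectType;
use GraphQL\Type\Definition\Type;
use GraphQL\Type\Schema;
use GraphQL\Validator\DocumentValidator;
use GraphQL\Validator\Rules\QueryComplexity;

// Constructed sample data standing in for a database table.
$items = [];
for ($i = 1; $i <= 200; $i++) {
    $items[] = ['id' => $i, 'name' => "item-$i"];
}

$itemType = new ObjectType([
    'name' => 'Item',
    'fields' => [
        'id' => Type::nonNull(Type::int()),
        'name' => Type::string(),
    ],
]);

$queryType = new ObjectType([
    'name' => 'Query',
    'fields' => [
        'items' => [
            'type' => Type::listOf($itemType),
            'args' => [
                'limit' => ['type' => Type::int(), 'defaultValue' => 10],
            ],
            // Score = the field itself (1) + its children once per row requested.
            // $args already has the default applied, but a client can still send
            // `limit: null` explicitly, so fall back before multiplying, and clamp
            // so a zero or negative limit cannot zero out the children's score.
            'complexity' => function ($childrenComplexity, $args) {
                $limit = max(1, (int) ($args['limit'] ?? 10));
                return 1 + $childrenComplexity * $limit;
            },
            'resolve' => function ($root, $args) use ($items) {
                return array_slice($items, 0, max(0, (int) ($args['limit'] ?? 10)));
            },
        ],
    ],
]);

$schema = new Schema(['query' => $queryType]);

/**
 * Run $query with the standard validation rules plus a complexity budget.
 * Rules passed per execution (8th argument of executeQuery) leave global
 * state alone. The standard rules must stay in the list: a custom list that
 * omits them skips ordinary validation (unknown fields, argument types).
 */
function executeWithBudget(Schema $schema, $query, array $variables, $maxComplexity)
{
    $rules = array_merge(
        DocumentValidator::allRules(),
        [new QueryComplexity($maxComplexity)]
    );
    // executeQuery hands the raw variables to QueryComplexity, so a limit
    // supplied through a variable is scored the same as an inline literal.
    return GraphQL::executeQuery($schema, $query, null, null, $variables, null, null, $rules)
        ->toArray();
}

$query = 'query Items($n: Int) { items(limit: $n) { id name } }';

// The children (id, name) score 2, so the field scores 1 + 2 * limit:
// 21 for limit 10, which fits a budget of 100; 101 for limit 50, which
// does not, so that query is rejected before the resolver runs.
foreach ([10, 50] as $n) {
    $result = executeWithBudget($schema, $query, ['n' => $n], 100);
    echo "limit=$n: ";
    echo isset($result['errors'])
        ? 'rejected: ' . $result['errors'][0]['message'] . "\n"
        : 'ok, ' . count($result['data']['items']) . " items returned\n";
}
```

<p>Two points the snippet relies on: the <code>complexity</code> function replaces the default score entirely, so it adds 1 for the field itself before multiplying by the limit, and a rule list passed per execution must include the standard rules (here via <code>DocumentValidator::allRules()</code>), otherwise a hand-built list silently skips ordinary validation.</p>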
<h1 id="limiting-query-depth">Limiting Query Depth</h1>
<p>This is a PHP port of <a href="http://sangria-graphql.org/learn/#limiting-query-depth">Limiting Query Depth</a> in the Sangria implementation.
The rule measures how deeply selection sets are nested and rejects queries that exceed the limit before execution. This matters most
for recursive schemas, where a type has a field returning the same type and a client can nest the query as deeply as it likes.
For example, the max depth of the introspection query is <strong>7</strong>.</p>
<p>It is disabled by default. To enable it, add the following validation rule:</p>
<pre><code class="php">&lt;?php
use GraphQL\GraphQL;
use GraphQL\Validator\Rules\QueryDepth;
use GraphQL\Validator\DocumentValidator;

// Reject queries nested deeper than 10 levels
$rule = new QueryDepth($maxDepth = 10);
DocumentValidator::addRule($rule);

GraphQL::executeQuery(/*...*/);
</code></pre>
<p>This sets the rule globally. Alternatively, you can provide validation rules <a href="../executing-queries/#custom-validation-rules">per execution</a>.</p>
<h1 id="disabling-introspection">Disabling Introspection</h1>
<p><a href="http://graphql.org/learn/introspection/">Introspection</a> is a mechanism for fetching the schema structure.
It is used by tools like GraphiQL for auto-completion, query validation, etc.</p>
<p>Introspection is enabled by default. This means that anybody can get a full description of your schema by
sending a special query containing the meta fields <strong>__type</strong> and <strong>__schema</strong>.</p>
<p>If you are not planning to expose your API to the general public, it makes sense to disable this feature. Keep in mind
that this only hides the schema from discovery; it is not an access control. Authorization still belongs in your resolvers,
and a client who already knows the field names can keep querying them.</p>
<p>graphql-php provides a separate validation rule that rejects queries containing the
<strong>__type</strong> or <strong>__schema</strong> fields (the <strong>__typename</strong> meta field is not affected). To disable introspection, add the following rule:</p>
<pre><code class="php">&lt;?php
use GraphQL\GraphQL;
use GraphQL\Validator\Rules\DisableIntrospection;
use GraphQL\Validator\DocumentValidator;

DocumentValidator::addRule(new DisableIntrospection());

GraphQL::executeQuery(/*...*/);
</code></pre>
<p>This sets the rule globally. Alternatively, you can provide validation rules <a href="../executing-queries/#custom-validation-rules">per execution</a>.</p>
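<p>As an added example covering both the depth limit and the introspection rule above (not code from the graphql-php documentation or from the library itself): a schema with a self-referencing type, a per-request rule set that caps depth for everyone and blocks introspection only in production, and a handful of queries showing what each rule rejects. It assumes the graphql-php 0.12/0.13-era API described on this page and PHP 7; the <code>Person</code> type, the sample data, the <code>$isProduction</code> flag and the helper names are invented for the example.</p>

```php
<?php
// Added example, not from graphql-php's own docs: a schema with a
// self-referencing type, so nesting depth is under the client's control,
// checked with QueryDepth and DisableIntrospection supplied per execution.
// Assumes the graphql-php 0.12/0.13-era API this page documents; the Person
// type, the sample data and the helper names are invented for the example.
require_once __DIR__ . '/vendor/autoload.php';

use GraphQL\GraphQL;
use GraphQL\Type\Definition\ObjectType;
use GraphQL\Type\Definition\Type;
use GraphQL\Type\Schema;
use GraphQL\Validator\DocumentValidator;
use GraphQL\Validator\Rules\DisableIntrospection;
use GraphQL\Validator\Rules\QueryDepth;

// Person.friends returns more Persons, so `friends { friends { ... } }` can
// be nested without bound; each extra level multiplies resolver calls.
$personType = new ObjectType([
    'name' => 'Person',
    'fields' => function () use (&$personType) {
        return [
            'name' => Type::string(),
            'friends' => [
                'type' => Type::listOf($personType),
                // Constructed data: every person has the same two friends.
                'resolve' => function () {
                    return [['name' => 'ana'], ['name' => 'bo']];
                },
            ],
        ];
    },
]);

$schema = new Schema([
    'query' => new ObjectType([
        'name' => 'Query',
        'fields' => [
            'me' => [
                'type' => $personType,
                'resolve' => function () {
                    return ['name' => 'me'];
                },
            ],
        ],
    ]),
]);

/**
 * Validation rules for one request: the standard rules, a depth cap for
 * everyone, and introspection blocked only in production so that local
 * tooling such as GraphiQL keeps working against a development server.
 */
function securityRules($maxDepth, $isProduction)
{
    return array_merge(DocumentValidator::allRules(), [
        new QueryDepth($maxDepth),
        new DisableIntrospection(
            $isProduction ? DisableIntrospection::ENABLED : DisableIntrospection::DISABLED
        ),
    ]);
}

/** Validate and execute; report the first error, or 'ok'. */
function run(Schema $schema, $query, array $rules)
{
    $result = GraphQL::executeQuery($schema, $query, null, null, null, null, null, $rules)->toArray();
    return isset($result['errors']) ? 'rejected: ' . $result['errors'][0]['message'] : 'ok';
}

/** Build `{ me { friends { friends { ... name } } } }` with $levels of friends. */
function nestedQuery($levels)
{
    return '{ me { ' . str_repeat('friends { ', $levels) . 'name' . str_repeat(' }', $levels) . ' } }';
}

$rules = securityRules(3, true);

// A shallow query passes; one with six levels of friends exceeds the cap of 3
// and is rejected before any resolver runs.
echo "1 level of friends:  ", run($schema, nestedQuery(1), $rules), "\n";
echo "6 levels of friends: ", run($schema, nestedQuery(6), $rules), "\n";

// Introspection: any field named __schema or __type is rejected ...
echo "__schema:   ", run($schema, '{ __schema { types { name } } }', $rules), "\n";
echo "__type:     ", run($schema, '{ __type(name: "Person") { fields { name } } }', $rules), "\n";
// ... but __typename is not; it only names the type of the object at hand.
echo "__typename: ", run($schema, '{ me { __typename name } }', $rules), "\n";

// With $isProduction false the same introspection query is allowed again.
echo "dev __schema: ", run($schema, '{ __schema { types { name } } }', securityRules(3, false)), "\n";
```

<p>Note that <code>DisableIntrospection</code> only matches fields named <code>__schema</code> and <code>__type</code>; <code>__typename</code> still works, which many clients request routinely. Toggling the rule with <code>DisableIntrospection::ENABLED</code> / <code>DisableIntrospection::DISABLED</code> per request, as above, keeps GraphiQL usable in development without shipping introspection to production, and building the list from <code>DocumentValidator::allRules()</code> keeps the standard validation in place.</p>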
            </div>
          </div>
          <footer>
            <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
              <a href="../how-it-works/" class="btn btn-neutral float-right" title="How it works">Next <span class="icon icon-circle-arrow-right"></span></a>
              <a href="../error-handling/" class="btn btn-neutral" title="Handling Errors"><span class="icon icon-circle-arrow-left"></span> Previous</a>
            </div>
            <hr/>
            <div role="contentinfo">
              <!-- Copyright etc -->
            </div>
            Built with <a href="http://www.mkdocs.org">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
          </footer>
        </div>
      </div>
    </section>
  </div>
  <div class="rst-versions" role="note" style="cursor: pointer">
    <span class="rst-current-version" data-toggle="rst-current-version">
      <span><a href="../error-handling/" style="color: #fcfcfc;">« Previous</a></span>
      <span style="margin-left: 15px"><a href="../how-it-works/" style="color: #fcfcfc">Next »</a></span>
    </span>
  </div>
  <script>var base_url = '..';</script>
  <script src="../js/theme.js" defer></script>
  <script src="../search/main.js" defer></script>
</body>
</html>