diff --git a/docs/security.md b/docs/security.md new file mode 100644 index 0000000..8919e38 --- /dev/null +++ b/docs/security.md @@ -0,0 +1,89 @@ +# Query Complexity Analysis + +This is a PHP port of [Query Complexity Analysis](http://sangria-graphql.org/learn/#query-complexity-analysis) in Sangria implementation. + +Complexity analysis is a separate validation rule which calculates query complexity score before execution. +Every field in the query gets a default score 1 (including ObjectType nodes). Total complexity of the +query is the sum of all field scores. For example, the complexity of introspection query is **109**. + +If this score exceeds a threshold, a query is not executed and an error is returned instead. + +Complexity analysis is disabled by default. To enabled it, add validation rule: + +```php + 'MyType', + 'fields' => [ + 'someList' => [ + 'type' => Type::listOf(Type::string()), + 'args' => [ + 'limit' => [ + 'type' => Type::int(), + 'defaultValue' => 10 + ] + ], + 'complexity' => function($childrenComplexity, $args) { + return $childrenComplexity * $args['limit']; + } + ] + ] +]); +``` + +# Limiting Query Depth + +This is a PHP port of [Limiting Query Depth](http://sangria-graphql.org/learn/#limiting-query-depth) in Sangria implementation. +For example max depth of the introspection query is **7**. + +It is disabled by default. To enable it, add following validation rule: + +```php +
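Review bot: the `complexity` callback in the `someList` example multiplies `$childrenComplexity` by the client-supplied `$args['limit']` with no bound on it, so a query that passes `limit: 0` (or a negative value) scores the whole list subtree at zero or below and slides under the very threshold this page introduces; clamp the argument before using it, e.g. `return $childrenComplexity * max(1, (int) $args['limit']);`, and state in the prose that field arguments seen by a complexity function are attacker-controlled input, not trusted configuration. Related gaps in the same hunk: the text says "If this score exceeds a threshold, a query is not executed" but never shows where that threshold (or the max depth in the second section) is set, and the first `php` fence as shown opens at `'MyType',`, mid-array, without the statement that registers the validation rule, so a reader cannot copy the setup; please include the registration line with its limit in both sections. Minor wording: "To enabled it, add validation rule:" should read "To enable it, add the validation rule:", "gets a default score 1" should be "gets a default score of 1", and "in Sangria implementation" should be "in the Sangria implementation" (twice).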