mirror of
https://github.com/retailcrm/graphql-php.git
synced 2024-11-22 04:46:04 +03:00
Docs on security
This commit is contained in:
parent
4f374bca83
commit
99356f7faf
89
docs/security.md
Normal file
89
docs/security.md
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
# Query Complexity Analysis
|
||||||
|
|
||||||
|
This is a PHP port of [Query Complexity Analysis](http://sangria-graphql.org/learn/#query-complexity-analysis) in Sangria implementation.
|
||||||
|
|
||||||
|
Complexity analysis is a separate validation rule which calculates query complexity score before execution.
|
||||||
|
Every field in the query gets a default score 1 (including ObjectType nodes). Total complexity of the
|
||||||
|
query is the sum of all field scores. For example, the complexity of introspection query is **109**.
|
||||||
|
|
||||||
|
If this score exceeds a threshold, a query is not executed and an error is returned instead.
|
||||||
|
|
||||||
|
Complexity analysis is disabled by default. To enabled it, add validation rule:
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
use GraphQL\GraphQL;
|
||||||
|
use GraphQL\Validator\Rules\QueryComplexity;
|
||||||
|
use GraphQL\Validator\DocumentValidator;
|
||||||
|
|
||||||
|
$rule = new QueryComplexity($maxQueryComplexity = 100);
|
||||||
|
DocumentValidator::addRule($rule);
|
||||||
|
|
||||||
|
GraphQL::executeQuery(/*...*/);
|
||||||
|
```
|
||||||
|
This will set the rule globally. Alternatively you can provide validation rules [per execution](executing-queries/#custom-validation-rules).
|
||||||
|
|
||||||
|
To customize field score add **complexity** function to field definition:
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
use GraphQL\Type\Definition\Type;
|
||||||
|
use GraphQL\Type\Definition\ObjectType;
|
||||||
|
|
||||||
|
$type = new ObjectType([
|
||||||
|
'name' => 'MyType',
|
||||||
|
'fields' => [
|
||||||
|
'someList' => [
|
||||||
|
'type' => Type::listOf(Type::string()),
|
||||||
|
'args' => [
|
||||||
|
'limit' => [
|
||||||
|
'type' => Type::int(),
|
||||||
|
'defaultValue' => 10
|
||||||
|
]
|
||||||
|
],
|
||||||
|
'complexity' => function($childrenComplexity, $args) {
|
||||||
|
return $childrenComplexity * $args['limit'];
|
||||||
|
}
|
||||||
|
]
|
||||||
|
]
|
||||||
|
]);
|
||||||
|
```
|
||||||
|
|
||||||
|
# Limiting Query Depth
|
||||||
|
|
||||||
|
This is a PHP port of [Limiting Query Depth](http://sangria-graphql.org/learn/#limiting-query-depth) in Sangria implementation.
|
||||||
|
For example max depth of the introspection query is **7**.
|
||||||
|
|
||||||
|
It is disabled by default. To enable it, add following validation rule:
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
use GraphQL\GraphQL;
|
||||||
|
use GraphQL\Validator\Rules\QueryDepth;
|
||||||
|
use GraphQL\Validator\DocumentValidator;
|
||||||
|
|
||||||
|
$rule = new QueryDepth($maxDepth = 10);
|
||||||
|
DocumentValidator::addRule($rule);
|
||||||
|
|
||||||
|
GraphQL::executeQuery(/*...*/);
|
||||||
|
```
|
||||||
|
|
||||||
|
This will set the rule globally. Alternatively you can provide validation rules [per execution](executing-queries/#custom-validation-rules).
|
||||||
|
|
||||||
|
# Disabling Introspection
|
||||||
|
|
||||||
|
This is a PHP port of [graphql-disable-introspection](https://github.com/helfer/graphql-disable-introspection).
|
||||||
|
It is a separate validation rule which prohibits queries that contain **__type** or **__schema** fields.
|
||||||
|
|
||||||
|
Introspection is enabled by default. To disable it, add following validation rule:
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
use GraphQL\GraphQL;
|
||||||
|
use GraphQL\Validator\Rules\DisableIntrospection;
|
||||||
|
use GraphQL\Validator\DocumentValidator;
|
||||||
|
|
||||||
|
DocumentValidator::addRule(new DisableIntrospection());
|
||||||
|
|
||||||
|
GraphQL::executeQuery(/*...*/);
|
||||||
|
```
|
||||||
|
This will set the rule globally. Alternatively you can provide validation rules [per execution](executing-queries/#custom-validation-rules).
|
@ -15,10 +15,10 @@ pages:
|
|||||||
- Schema: type-system/schema.md
|
- Schema: type-system/schema.md
|
||||||
- Using Type Language: type-system/type-language.md
|
- Using Type Language: type-system/type-language.md
|
||||||
- Executing Queries: executing-queries.md
|
- Executing Queries: executing-queries.md
|
||||||
- Fetching Data (resolving fields): data-fetching.md
|
- Fetching Data: data-fetching.md
|
||||||
- Handling Errors: error-handling.md
|
- Handling Errors: error-handling.md
|
||||||
# - Mutations: mutations.md
|
# - Mutations: mutations.md
|
||||||
# - Security: security.md
|
- Security: security.md
|
||||||
# - Performance tips: performance.md
|
# - Performance tips: performance.md
|
||||||
- How it works: how-it-works.md
|
- How it works: how-it-works.md
|
||||||
- Class Reference: reference.md
|
- Class Reference: reference.md
|
||||||
|
Loading…
Reference in New Issue
Block a user