Specification for cost calculation algorithm #167
Hello! We will use this issue to centralize discussions about query complexity and related rate-limiting. Holidays went by but we discussed internally with @c3b5aw about this matter. Ideally, our course of action regarding query complexity assessment would have two parts:
We would like a consensual method for evaluating the complexity to be discussed and defined at the specification level. Only on this project, there are many influential folks involved in the discussion and we feel like it might be "bigger" than the maintainers of This is even more important to us, as some tools intend to provide Another major concern that we would like to tackle doing this, is that as far as I deeply agree with you @hayes about QC to be handled at the schema level, it involves that we work with the dynamic schema, and eventually its parser. We already have to consider two engines in order to be relevant in
GraphQL-Gate seems really nice for doing the limitation, but it involves that we start instrumenting the dynamic schema ourselves, which we would like not to do, ideally. Mostly, I am not sure that I want this instrumentation to be done magically under the radar by On many aspects to me, complexity analysis appears like a different topic than pure security, and I am puzzled not handling it like it deserves. I am keeping this issue open and closing the other ones about complexity, so that we can talk this through in a single space :)
Note: our position on this matter is definitely not a steady one and should be expected to be both plastic and likely to evolve. Note (1): Two papers that we could leverage moving forward.
Hello! A quick update on where we stand, and what our first level of implementation will look like:
Reasons:
It would be handy to have a specification of the cost calculation algorithm so it can easily be implemented in other languages or other tooling for auditing/analyzing existing GraphQL operations.