-
Notifications
You must be signed in to change notification settings - Fork 441
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No error thrown when query value first exceeds max query amount #3012
Comments
Two thoughts:
Which brings me to the expectation case:
I'm not sure what the context is of If it's anybody hitting the WPGraphQL then I don't think we can solve this (for the above reasons) let alone the security implications (is it better to tell an API abuser that they need to lower their connection amount to optimally flood the server without getting rate limited? Should we error on a bad connection amount instead of returning the first 100 - even if those repeat calls are cached the second time around - just in case)? If it's just the site developers, then maybe a debug message provides a good guardrail. It's additive, hidden behind the debug flag, and doesn't break back-compat. Thoughts? cc #2749 |
These are good points! I'm really talking about the DX working with the API, by "user".
You still get errors for incorrect types, right? Like querying
I'm not really sure what's implemented in terms of rate limiting. With the current behavior, they could just request I would say that high level, it's better to have an error than no error because it's better DX. If I'm asking for 200, but I'm only allowed 100 and getting 100 back, then my request isn't succeeding, it's silent failing, and I should be getting some kind of feedback so I can properly handle the failure. Getting a different result from what I asked for is the opposite of predictability. Practically speaking, we had this issue come up because we were missing data in parts of our app, because the published resource count had grown higher than 100! One of our devs had written some code requesting 200 resources, got 80 some back, and assumed we had a high query amount. |
By "obscured" I mean that the error pattern for sensitive infor is to throw a generic GraphQL error when unauthenticated (e.g. The larger question though is whether a value over node limit is an "inappropriate value". It's a server limitation not a schema limitation, and as far as GraphQL is concerned the server returned everything it was allowed to for the query and it all (pagination, filters, etc) still works as expected. Similar to how querying
With proper caching, calling the same IRL, script kiddies are smart enough to use pagination. I'm betting the real intent of this limit is to prevent site owners from doing something stupid like they would in PHP with
Agreed. Which brings me back to the question:
The latter is the approach I'm leaning towards (also because it would maintain back-compat), but if there's a strong use case for truly erroring out and/or providing guidance to any API consumer, then maybe the behavior change is justified 🤔 |
Hey @hsdonkin #3013 approach uses the Please let me know what you think. |
@hsdonkin there could be any number of reasons fewer items than what was asked for will be returned. The feedback you get is in the You can query for So, if you ask for I believe an error in this case would actually be WORSE DX than better because there are many reasons a server's logic might determine a lower number of nodes to process than the client asked for. Using the |
If you query for The server can make whatever decisions it needs to to fulfill whatever number of nodes it feels "right" to return. Of course the default In any case, the logic the server applies to determine this can be different for every WP install and even every query, so the standard "logically expected" results is for the query to return however many nodes it deemed appropriate to return, and communicate via "hasNextPage" whether there are or are not more pages of data. |
You can also use filters to return a GraphQL Error if you believe that's the best experience for your specific use case. I believe it's a worse DX compared to |
Thanks for these thoughts, it's not my ideal, but I appreciate you guys looking at it! |
Description
When a query is made exceeding the max query amount, no error is thrown to indicate that the value of
first
exceeds the amount. Instead, the query succeeds, but returns only the max query amount.We expected some type of error, since the max query amount is not visible for a user of the API.
https://www.wpgraphql.com/filters/graphql_connection_max_query_amount
Steps to reproduce
Reproducible in repl:
Additional context
This could be part of a larger conversation around query costs, which is how Shopify handles this issue with their GraphQL API.
https://shopify.engineering/rate-limiting-graphql-apis-calculating-query-complexity
WPGraphQL Version
1.19.0
WordPress Version
N/A
PHP Version
N/A
Additional environment details
No response
Please confirm that you have searched existing issues in the repo.
Please confirm that you have disabled ALL plugins except for WPGraphQL.
The text was updated successfully, but these errors were encountered: