Query Depth Limit

Since GraphQL schemas often have circular relationships (in the sample schema below, a film lists its species and a species lists its films), the nesting depth of a query can grow without bound. This means a client could craft a query such as the one shown below.

This relationship allows a bad actor to construct an expensive, deeply nested query. WSO2 API Manager introduces GraphQL Query Depth Limitation so that such queries are rejected at the Gateway once they nest deeper than a configured limit.

The request is allowed or rejected based on the depth of the requested query and the maximum depth value configured in the subscription policy of the API.

For example, assume an API whose subscription policy has a GraphQL Max Depth value of 5. The depth of the following query is 7, so the Gateway rejects the request before it reaches the backend.

    query {                            # depth 0
      allFilms {                       # depth 1
        id                             # depth 2
        species {
          id                           # depth 3
          films {
            title                      # depth 4
            planets {
              id                       # depth 5
              residents {
                eyeColor               # depth 6
                films {
                  director             # depth 7
                  producers
                }
              }
            }
          }
        }
      }
    }

    # depth value of query : 7
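The depth rule described above, as an added example that is not WSO2's own code: a small Python checker that computes a query's depth by brace nesting (each selection set adds one level, which reproduces the numbers in the comments above) and applies a configured Max Depth the way the Gateway does, rejecting the query before any backend call. The query strings, the `query_depth` function and the `enforce_max_depth` function are constructed for this example; string literals and `#` comments are skipped so a brace inside an argument value cannot skew the count, and unbalanced braces are treated as a rejection.

```python
"""Added example (not WSO2 code): gateway-style GraphQL query depth check."""

# Constructed sample: the page's query, which nests 7 selection sets deep.
DEEP_QUERY = """
query {
  allFilms {
    id
    species {
      id
      films {
        title
        planets {
          id
          residents {
            eyeColor
            films {
              director
              producers
            }
          }
        }
      }
    }
  }
}
"""

# Constructed sample: a shallow query that stays within a Max Depth of 5.
SHALLOW_QUERY = """
query {
  allFilms {
    id
    species { id }
  }
}
"""


def query_depth(query: str) -> int:
    """Return the maximum brace-nesting depth of a GraphQL document.

    String literals (including block strings) and '#' comments are skipped
    so a brace inside an argument value or a comment does not count.
    Raises ValueError on unbalanced braces.
    """
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                      # comment: skip to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if ch == '"':                      # string literal
            if query.startswith('"""', i):
                end = query.find('"""', i + 3)
                if end == -1:
                    raise ValueError("unterminated block string")
                i = end + 3
                continue
            i += 1
            while i < n and query[i] != '"':
                if query[i] == "\\":
                    i += 1                 # skip the escaped character
                i += 1
            i += 1                         # step past the closing quote
            continue
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces: '}' without '{'")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced braces: missing '}'")
    return max_depth


def enforce_max_depth(query: str, max_depth: int) -> dict:
    """Gateway-side decision: allow the query only if its depth is within
    the Max Depth configured on the subscription policy."""
    try:
        depth = query_depth(query)
    except ValueError as exc:
        return {"allowed": False, "depth": None,
                "reason": f"malformed query: {exc}"}
    if depth > max_depth:
        return {"allowed": False, "depth": depth,
                "reason": f"query depth {depth} exceeds max depth {max_depth}"}
    return {"allowed": True, "depth": depth, "reason": "within limit"}


if __name__ == "__main__":
    for name, q in (("deep", DEEP_QUERY), ("shallow", SHALLOW_QUERY)):
        print(name, enforce_max_depth(q, 5))
```

Run with a Max Depth of 5, the deep query is reported at depth 7 and rejected while the shallow one passes at depth 3. A real gateway should also cap depth before resolving fragments, since a fragment spread can reintroduce nesting that a plain brace count on the operation alone would miss.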

Let's see how GraphQL Query Depth Limitation can be managed with your GraphQL API.

Adding a new Subscription policy with GraphQL Max Depth value

  1. Sign in to the Admin Portal using the URL https://localhost:9443/admin and your admin credentials (admin/admin by default).
  2. Click Subscription Policies under the Rate Limiting Policies section to see the existing subscription policies.
  3. Click Add Policy to add a new subscription policy.
  4. Fill in the required details, including the GraphQL Max Depth value.
  5. Click Save.

Design a GraphQL API

To design a GraphQL API, see Create a GraphQL API.

Note

When following Create a GraphQL API, select the Business Plan (subscription policy) you created in the previous steps instead of the Business Plans suggested there.

Invoke a GraphQL API

To invoke a GraphQL API, see Invoke a GraphQL API.

To test GraphQL Query Depth Limitation, enter the following sample query and click the Execute button.

    query {
      allFilms {
        id
        species {
          id
          films {
            title
            planets {
              id
              residents {
                eyeColor
                films {
                  director
                  producers
                }
              }
            }
          }
        }
      }
    }

The Gateway rejects this query because its depth (7) exceeds the Max Depth value (5) of the subscription policy. You have now successfully blocked a GraphQL API query using the Max Depth value that you assigned earlier.
