Description
`spring-graphql` auto-configuration already supports picking `Instrumentation` beans and registering them in the `GraphQlSource`.
So it's just a matter of creating an instrumentation bean and it works 👍
One of the important (security) aspects to consider when developing a GraphQL server is to make sure clients will not exhaust it by querying too many levels or fields.
E.g. when having a circular model, a bad client could request many, many levels deep, almost causing an infinite loop.
So a good practice is:
- to have a limit on the length of the GraphQL query passed to the engine itself
- to have a limit on query depth
- to have a limit on query complexity (number of fields requested)
For the latter 2, `graphql-java` provides 2 instrumentations already.
It would be nice if users could enable these instrumentations by just providing an application property like:
```properties
spring.graphql.instrumentation.max-query-complexity=200
spring.graphql.instrumentation.max-query-depth=20
```
The starter could then contain something like below to register the beans:
(this is actually what I have now in my own application)
```java
// Registered only when spring.graphql.instrumentation.max-query-complexity is set.
@Bean
@ConditionalOnMissingBean
@ConditionalOnProperty(prefix = "spring.graphql.instrumentation", name = "max-query-complexity")
public MaxQueryComplexityInstrumentation maxQueryComplexityInstrumentation(@Value("${spring.graphql.instrumentation.max-query-complexity}") int maxComplexity) {
    return new MaxQueryComplexityInstrumentation(maxComplexity);
}

// Registered only when spring.graphql.instrumentation.max-query-depth is set.
@Bean
@ConditionalOnMissingBean
@ConditionalOnProperty(prefix = "spring.graphql.instrumentation", name = "max-query-depth")
public MaxQueryDepthInstrumentation maxQueryDepthInstrumentation(@Value("${spring.graphql.instrumentation.max-query-depth}") int maxDepth) {
    return new MaxQueryDepthInstrumentation(maxDepth);
}
```
(of course, better to add the instrumentation properties to the actual `GraphQlProperties` class)
If interested I could create a PR for this?
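
The three limits listed in the issue above, shown against a circular model in plain graphql-java. This is an added example, not code from the issue author or from spring-graphql; the class `QueryLimitsDemo`, the schema, the `Person` type and the limit values are constructed for illustration, and it assumes graphql-java is on the classpath.

```java
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.analysis.MaxQueryComplexityInstrumentation;
import graphql.analysis.MaxQueryDepthInstrumentation;
import graphql.execution.instrumentation.ChainedInstrumentation;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import java.util.List;

public class QueryLimitsDemo {
    static final int MAX_QUERY_CHARS = 2_000; // constructed limit on raw document length
    // Constructed circular model: Person.friend is again a Person.
    static final String SDL = "type Query { person: Person } type Person { name: String friend: Person }";

    public static class Person {
        public String getName() { return "alice"; }
        public Person getFriend() { return this; } // cyclic data: nesting never bottoms out
    }

    static GraphQL buildGraphQl(int maxDepth, int maxComplexity) {
        RuntimeWiring wiring = RuntimeWiring.newRuntimeWiring()
                .type("Query", t -> t.dataFetcher("person", env -> new Person()))
                .build();
        GraphQLSchema schema = new SchemaGenerator()
                .makeExecutableSchema(new SchemaParser().parse(SDL), wiring);
        return GraphQL.newGraphQL(schema)
                .instrumentation(new ChainedInstrumentation(List.of(
                        new MaxQueryDepthInstrumentation(maxDepth),
                        new MaxQueryComplexityInstrumentation(maxComplexity))))
                .build();
    }

    static String run(GraphQL graphQl, String query) {
        if (query.length() > MAX_QUERY_CHARS) { // cheapest check, done before the engine parses anything
            return "rejected: document too long";
        }
        ExecutionResult result = graphQl.execute(query);
        return result.getErrors().isEmpty()
                ? "accepted: " + result.getData()
                : "rejected: " + result.getErrors().get(0).getMessage();
    }

    public static void main(String[] args) {
        GraphQL graphQl = buildGraphQl(4, 10); // constructed limits, small so the demo trips them
        System.out.println(run(graphQl, "{ person { name friend { name } } }"));
        System.out.println(run(graphQl, "{ person { friend { friend { friend { friend { name } } } } } }"));
    }
}
```

The first query stays within both limits and returns data; the second nests `friend` past the depth limit and comes back with an error instead of a result.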