feat(graphql): allow to change max_query_depth and max_query_complexity

api-platform · Dec 10, 2024 · 546c1c5 · 546c1c5
1 parent eb9bb47
commit 546c1c5
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/core/configuration.md b/core/configuration.md
@@ -155,7 +155,13 @@ api_platform:
 
         # The nesting separator used in the filter names.
         nesting_separator: _
-
+
+        # The maximum query depth. Look at http://webonyx.github.io/graphql-php/security/#limiting-query-depth
+        max_query_depth: 100
+
+        # The maximum query complexity. Look at http://webonyx.github.io/graphql-php/security/#query-complexity-analysis
+        max_query_complexity: 1000
+
         collection:
             pagination:
                 enabled: true

diff --git a/core/graphql.md b/core/graphql.md
@@ -254,6 +254,38 @@ return [
 ];
 ```
 
+## Change Max Query Depth
+
+For security reason, the max query depth should be limited to avoid deep queries. It's set to 100 by default.
+
+### Symfony config to change the Max Query Depth
+
+If you need to change it, it can be done in the configuration:
+
+```yaml
+# api/config/packages/api_platform.yaml
+api_platform:
+  graphql:
+    max_query_depth: 7
+# ...
+```
+
+## Change Max Query Complexity
+
+For security reason, the max query complexity should be limited to avoid complex queries. It's set to 100 by default.
+
+### Symfony config to change the Max Query Complexity
+
+If you need to change it, it can be done in the configuration:
+
+```yaml
+# api/config/packages/api_platform.yaml
+api_platform:
+  graphql:
+    max_query_complexity: 50
+# ...
+```
+
 ## Request with `application/graphql` Content-Type
 
 If you wish to send a [POST request using the `application/graphql` Content-Type](https://graphql.org/learn/serving-over-http/#post-request),