GraphQL Security

Last updated 3 years ago


Webonyx graphql-php provides query analysis that rejects overly complex queries sent to your GraphQL server. This protects GraphQL servers against resource exhaustion and denial-of-service attacks.

Query Complexity

Query complexity is one of the possible ways to reject GraphQL requests. The idea is to define how complex each field is by using a simple number. By default, each field has a query complexity of 1.

type StoreList {           # complexity: 1
    name: String           # complexity: 1
    is_active: Boolean     # complexity: 1
    base_link_url : String # complexity: 1
    base_url : String      # complexity: 1
    code: String           # complexity: 1
}

In the example, a request that selects all fields of type StoreList consumes 6 query complexity: 1 for the StoreList selection itself plus 1 for each of its five fields. If the GraphQL server is set to limit query complexity to 3, it will return a response with the message: "Max query complexity should be 3 but got 6."

How to increase Query Complexity limits

It is strongly recommended not to increase the Query Complexity limits, because doing so weakens the protection of your website against resource exhaustion.

Sometimes a new feature needs additional fields in the same request, and it would be very complex to implement the feature without increasing the limit. In that case it is necessary to slightly increase the limit in the Query Complexity rule. In ScandiPWA, the Query Complexity rule number is set in the ScandiPWA_CatalogGraphQL module. It can be checked in the file '/src/etc/di.xml' of that module:

<type name="Magento\Framework\GraphQl\Query\QueryComplexityLimiter">
    <arguments>
        <argument name="queryComplexity" xsi:type="number">VALUE</argument>
    </arguments>
</type>

To increase the limit, we need to create a Magento module that extends ScandiPWA_CatalogGraphQL, where it is possible to set a new rule.

If the project already includes a module that extends ScandiPWA_CatalogGraphQL, it is better to increase the query complexity value there.

Steps to create the module and increase the limit:

1. Create a simple Magento module with the name "GraphQLQueryComplexity" or any other name you wish.

2. In the file 'etc/module.xml', add ScandiPWA_CatalogGraphQL to the module sequence as below:

<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
    <module name="ScandiPWA_GraphQlQueryComplexity">
        <sequence>
            <module name="ScandiPWA_CatalogGraphQl"/>
        </sequence>
    </module>
</config>

3. Create the file 'etc/di.xml' where the Query Complexity rule will be changed:

<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Framework\GraphQl\Query\QueryComplexityLimiter">
        <arguments>
            <argument name="queryComplexity" xsi:type="number">YOUR VALUE</argument>
        </arguments>
    </type>
</config>

How to troubleshoot

To avoid exceeding the Query Complexity rule limits, it is necessary to detect this problem at the development stage. By default, Magento enables the query complexity rule only in production mode, which means that while the project is in developer mode GraphQL won't reject a request even if it is above the set rule.

For this reason, ScandiPWA changes Magento's default behavior by enabling the query complexity rule in developer mode and showing the query complexity in the response to each request the user sends to the server.

Only from version "3.0.2" of the ScandiPWA_PersistedQuery module is it possible to see the query complexity in the response and to have the rule enabled in development mode.

To see how much query complexity a request uses, open the browser developer tools and check the response of the request. In the "Response Headers" section, find the field named "query-complexity"; its value is the "cost" of your request.

[Screenshot: GraphQl Response Headers]

This helps to check the query complexity before getting errors about it and to see how close it is to the limit.
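As an added example (not ScandiPWA's code), the following development-time helper reads the query-complexity response header described above and reports how close a request is to the limit configured in di.xml. The limit of 300, the 80% warning threshold and the fetch wrapper are constructed assumptions for this illustration.

```javascript
// Added example, not ScandiPWA's code: inspects the "query-complexity" header
// that ScandiPWA adds to GraphQL responses in developer mode and reports the
// headroom against the configured limit. Constructed values below.
const QUERY_COMPLEXITY_LIMIT = 300; // assumed; must match queryComplexity in your di.xml
const WARN_RATIO = 0.8;             // assumed: warn once a query uses 80% of the limit

// `headers` may be a fetch Headers object (has get()) or a plain object whose
// keys are compared case-insensitively, as HTTP header names are.
function readHeader(headers, name) {
  if (typeof headers.get === 'function') return headers.get(name);
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Returns { status: 'missing' | 'ok' | 'warn' | 'over', cost, limit, ratio }.
// 'missing' covers production mode or a ScandiPWA_PersistedQuery older than 3.0.2,
// where the header is not sent at all.
function inspectComplexity(headers, limit = QUERY_COMPLEXITY_LIMIT, warnRatio = WARN_RATIO) {
  const raw = readHeader(headers, 'query-complexity');
  if (raw === null || raw === undefined || !/^\d+$/.test(String(raw).trim())) {
    return { status: 'missing', cost: null, limit, ratio: null };
  }
  const cost = Number(raw);
  const ratio = cost / limit;
  let status = 'ok';
  if (cost > limit) status = 'over';
  else if (ratio >= warnRatio) status = 'warn';
  return { status, cost, limit, ratio };
}

// Development-only wrapper: sends the GraphQL request through the supplied fetch
// implementation and logs when the cost nears or exceeds the limit.
async function graphqlFetch(fetchImpl, url, body, limit = QUERY_COMPLEXITY_LIMIT) {
  const response = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  const report = inspectComplexity(response.headers, limit);
  if (report.status === 'warn') console.warn(`query cost ${report.cost}/${limit} is near the limit`);
  if (report.status === 'over') console.error(`query cost ${report.cost} exceeds limit ${limit}`);
  return { response, report };
}
```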