Replies: 2 comments
-
One of the common techniques to limit is to check the Query depth by instrumenting the datafetchers for each field. There is
already a `MaxQueryComplexityInstrumentation` class in `graphql-java` that
you can use to add that functionality:
https://www.javadoc.io/doc/com.graphql-java/graphql-java/10.0/graphql/analysis/MaxQueryComplexityInstrumentation.html
The DGS Framework supports adding your own instrumentation classes to add
additional checks or instrumentation. So you can add one that implements
the `MaxQueryComplexityInstrumentation` and add any additional logic that
you need. Here is an example that adds tracing:
https://netflix.github.io/dgs/advanced/instrumentation/
Hope this helps.
…On Sun, Feb 7, 2021 at 5:37 AM Dennis Cheung ***@***.***> wrote:
One barrier I have when onboarding GraphQL to our technology stack is
security.
It is not the security about authentication or authorization / permission
/ ACL which can be solved by Spring.
I mean more about SRE/DoS attack protection,
- timeout
- rate limiting
- throttling
- Query depth
- QoS
The other side, REST API, they claim that it could be solved simply on an
external API gateway.
A few <https://www.howtographql.com/advanced/4-security/> things
<graphql-java/graphql-java#291> I've read
<https://medium.com/in-the-weeds/graphql-and-resource-limitations-442c3bd72358>
make it seem that graphql-java supports it
<graphql-java/graphql-java#655>.
Does DGS support it already? If yes, where could I find an example of it?
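The depth and complexity limits suggested in the reply above, wired into a DGS/Spring application. This is an added example, not code from the thread or from the DGS project; the class name, the budgets and the `first` paging argument are assumptions.

```java
import graphql.analysis.FieldComplexityCalculator;
import graphql.analysis.MaxQueryComplexityInstrumentation;
import graphql.analysis.MaxQueryDepthInstrumentation;
import graphql.execution.instrumentation.Instrumentation;
import graphql.schema.GraphQLType;
import graphql.schema.GraphQLTypeUtil;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class; DGS is assumed to pick up Instrumentation
// beans as described in its instrumentation documentation.
@Configuration
public class QueryLimitsConfig {

    // Assumed budgets: derive real values from the queries your clients send.
    static final int MAX_DEPTH = 10;
    static final int MAX_COMPLEXITY = 200;
    static final int DEFAULT_PAGE_SIZE = 20;

    // Rejects queries whose selection sets nest deeper than MAX_DEPTH.
    @Bean
    public Instrumentation maxQueryDepth() {
        return new MaxQueryDepthInstrumentation(MAX_DEPTH);
    }

    // Depth alone misses wide queries, so also bound a weighted field count.
    @Bean
    public Instrumentation maxQueryComplexity() {
        return new MaxQueryComplexityInstrumentation(MAX_COMPLEXITY, listAwareCalculator());
    }

    // Non-list fields cost 1 plus their children. List fields multiply the child
    // cost by the requested page size ("first" is an assumed argument name).
    static FieldComplexityCalculator listAwareCalculator() {
        return (env, childComplexity) -> {
            GraphQLType type = GraphQLTypeUtil.unwrapNonNull(env.getFieldDefinition().getType());
            if (!GraphQLTypeUtil.isList(type)) {
                return 1 + childComplexity;
            }
            Object first = env.getArguments().get("first");
            long raw = first instanceof Number ? ((Number) first).longValue() : DEFAULT_PAGE_SIZE;
            // Clamp so a huge or negative "first" cannot overflow into a small cost.
            long size = Math.min(Math.max(raw, 1), Integer.MAX_VALUE);
            long cost = 1 + size * (long) childComplexity;
            return (int) Math.min(cost, Integer.MAX_VALUE);
        };
    }
}
```

When either budget is exceeded, graphql-java aborts the execution and the response carries an error instead of data. Timeouts, rate limiting and throttling are not covered by these two instrumentations.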
-
DGS doesn’t support this out of the box, because it’s hard to come up with something that works for different usage scenarios. The only place we need this kind of functionality such as rate limiting at Netflix is in a federated context, where the gateway is responsible for these concerns. I think such concerns are typically better handled by a gateway before your DGS instances are even hit, but definitely open to other ideas.
-
One barrier I have when onboarding GraphQL to our technology stack is security.
It is not the security about authentication or authorization / permission / ACL which can be solved by Spring.
I mean more about SRE/DoS attack protection,
- timeout
- rate limiting
- throttling
- Query depth
- QoS
The other side, REST API, they claim that it could be solved simply on an external API gateway.
A few things I've read make it seem that graphql-java supports it.
Does DGS support it already? If yes, where could I find an example of it?