Security - Implement query complexity analysis

[fproulx-dfuse]

Add something like https://github.com/pa-bru/graphql-cost-analysis to detect and protect against malicious resource hogging queries.

[pavelnikolov]

PRs are welcome! I'd be happy if this is added somehow as an opt-in feature as it might not be applicable to all users of the library. The library needs to remain as minimalistic as possible.

[romshark]

Query cost analysis is a really tough thing to get right and I thus prefer query whitelisting now. It may be a bit off-topic but I'd like to mention the GraphQL Shield middleware that I've introduced in v1.3.0 of my Dgraph + GraphQL + Go tech demo.

The shield implements a dynamic radix-tree based query whitelist. It normalizes incoming queries, checks if they're whitelisted and then checks if all expected arguments are present and valid. It doesn't parse the query and thus provides better DoS protection. It's basically a performance-for-convenience trade-off.

I think I'll move it to a separate repo later.

[pavelnikolov]

@romshark I completely agree with you. Being able to add this as a middleware would be a better solution. This way only people who need it can add it.

[macwilko]

@romshark do you have plans to create a middle-ware library of GraphQL Shield? I'm very interested!