It is a small backend for a graphql schema which protects against malicious requests.
The current logic is simple and efficient (early bail out)
pip install graphene-protector
This adds to django following settings:
- GRAPHENE_PROTECTOR_DEPTH_LIMIT: max depth
- GRAPHENE_PROTECTOR_SELECTIONS_LIMIT: max selections
- GRAPHENE_PROTECTOR_COMPLEXITY_LIMIT: max (depth * selections)
Integrate with:
# schema.py
# replace normal Schema import with:
from graphene_protector.django import Schema
schema = Schema(query=Query, mutation=Mutation)
and add in django settings to GRAPHENE
GRAPHENE = {
...
"SCHEMA": "path.to.schema",
}
manual way
from graphene import Schema
from graphene_protector.django import ProtectorBackend
backend = ProtectorBackend()
schema = graphene.Schema(query=Query)
result = schema.execute(query_string, backend=backend)
Following extra keyword arguments are supported:
- depth_limit: max depth (default: 20, None disables feature)
- selections_limit: max selections (default: None, None disables feature)
- complexity_limit: max (depth subtree * selections subtree) (default: 100, None disables feature)
they overwrite django settings if specified
from graphene_protector import ProtectorBackend
backend = ProtectorBackend(depth_limit=20, selections_limit=None, complexity_limit=100)
schema = graphene.Schema(query=Query)
result = schema.execute(query_string, backend=backend)
I am open for new ideas. If you want some new or better algorithms integrated just make a PR
- secure-graphene: lacks django integration, some features and has a not so easy findable name. But I accept: it is the "not invented here"-syndrome