Control GraphQL execution complexity, query depth, and introspection with AWS AppSync

This article is written by Erik Yang with contributions from Eric Robertson

AWS AppSync recently announced new configuration options that make it easier for customers to set limits on how their APIs can be consumed. These options allow customers to set a maximum number of resolvers per query, set a maximum depth of queried data, and disable introspection queries. When APIs are deployed to production, it is important to put safeguards in place to prevent misuse, intentional or otherwise, of the system that has been built. These new configurations are in line with AppSync’s goals to provide the best developer experience for interacting with your data.

In this blog, we will show how these configurations can be used with your AWS AppSync API.

Introspection

AppSync APIs, by default, allow special introspection queries to be run which provide consumers data about the schema itself. This can be a very helpful feature which enables a wide variety of use cases for both developers and end users, but can also raise security concerns when the content of the schema should remain hidden. When configuring your AppSync API, users can now determine if the introspection feature should be enabled.

This is now possible in the AWS Console, through the AWS Command Line Interface, AWS SDKs, and through AWS CloudFormation. Below is an example using the AWS Console. Introspection is enabled by default, but you can choose to disable it.

[Image: Introspection Queries]

When introspection is disabled, a client which uses an introspection query to view the schema will receive validation errors on their query, like below.

[Image: validation errors on their query]

When introspection is enabled, introspection queries are permitted to execute.

GraphQL Query Depth Limit

AWS AppSync now lets users set the maximum allowed query depth for a given API. Below, the setting is shown under an API’s configuration page for a given AWS AppSync GraphQL API. When not specified for an API, there is no enforced limit for how deep a query can be resolved.

[Image: query depth]

Below, the depth limit has been set to 2. Any resolver on the 3rd level or lower will return a query depth limit reached error.

[Image: query depth limit]

Note that fields can be marked as either nullable or non-nullable in the AppSync schema. If a field is marked as non-nullable and receives an error, that error will propagate upwards to the first nullable field available.

Resolver Count Limit

AWS AppSync now lets users set the maximum number of resolvers that a single query is allowed to invoke. Below is the setting on the API’s configuration page for a given AWS AppSync GraphQL API. When not specified for an API, the limit falls back to the default of 10,000 resolvers per query.

[Image: resolver count]

Similar to query depth, when a client sends a request that invokes more resolvers than the limit configured by the customer, the query responds with a limit error. Below we have set the resolver count to 2, which means the third resolver below throws an error and does not run.

[Image: resolver execution limit reached]
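To check these three settings across every API in an account rather than one console page at a time, the following added example (not code from the original post or from AWS) audits the API records returned by the AppSync ListGraphqlApis operation. It assumes the field names introspectionConfig, queryDepthLimit and resolverCountLimit from the AppSync API, where 0 or a missing value means the default applies; the function names and the sample records are constructed for illustration.

```python
def audit_api(api):
    """Return findings for one GraphqlApi dict (shape of ListGraphqlApis entries)."""
    findings = []
    # Introspection is enabled by default, so a missing key counts as enabled.
    if api.get("introspectionConfig", "ENABLED") != "DISABLED":
        findings.append("introspection enabled")
    # Assumption: 0 or missing means no depth limit is enforced.
    if not api.get("queryDepthLimit"):
        findings.append("no query depth limit")
    # Assumption: 0 or missing means the default of 10,000 resolvers applies.
    if not api.get("resolverCountLimit"):
        findings.append("resolver count limit left at default 10,000")
    return findings


def audit_apis(apis):
    """Map API name -> findings, keeping only APIs with at least one finding."""
    report = {api.get("name", api.get("apiId")): audit_api(api) for api in apis}
    return {name: found for name, found in report.items() if found}


def fetch_apis(region_name=None):
    """Fetch every GraphQL API in the account/region (needs boto3 and credentials)."""
    import boto3  # imported here so the audit logic runs without AWS access
    client = boto3.client("appsync", region_name=region_name)
    apis, token = [], None
    while True:
        kwargs = {"nextToken": token} if token else {}
        page = client.list_graphql_apis(**kwargs)
        apis.extend(page["graphqlApis"])
        token = page.get("nextToken")
        if not token:
            return apis


# Constructed sample records, not real APIs.
SAMPLE_APIS = [
    {"name": "orders-prod", "apiId": "EXAMPLE1", "introspectionConfig": "DISABLED",
     "queryDepthLimit": 5, "resolverCountLimit": 50},
    {"name": "catalog-prod", "apiId": "EXAMPLE2", "introspectionConfig": "ENABLED",
     "queryDepthLimit": 0},
]

if __name__ == "__main__":
    for name, findings in audit_apis(SAMPLE_APIS).items():
        print(f"{name}: {', '.join(findings)}")
```

Passing the result of fetch_apis() to audit_apis() in place of SAMPLE_APIS runs the same checks against a live account.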

Summary

Today we demonstrated AWS AppSync’s new API configurations for schema introspection, query depth, and resolver count. Through these fields, customers now have more control over how their API is utilized and can put in place limits to prevent misuse. Try it out today in the AWS AppSync Console.