Front-End Web & Mobile
Control GraphQL execution complexity, query depth, and introspection with AWS AppSync
This article is written by Erik Yang with contributions from Eric Robertson
AWS AppSync recently announced new configuration options that make it easier for customers to configure limits to how their APIs can be consumed. These options allow customers to set a maximum number of resolvers per query, a maximum depth of queried data, and allows to disable introspection queries. When APIs are deployed to production, it is important to put safeguards in place to prevent misuse, intentionally or otherwise, of the system that has been built. These new configurations are in line with AppSync’s goals to provide the best developer experience for interacting with your data.
In this blog, we will show how these configuration can be used with your AWS AppSync API.
Introspection
AppSync APIs, by default, allow special introspection queries to be run which provide consumers data about the schema itself. This can be a very helpful feature which enables a wide variety of use cases for both developers and end users, but can also raise security concerns when the content of the schema should remain hidden. When configuring your AppSync API, users can now determine if the introspection feature should be enabled.
This is now possible in the AWS Console, through the AWS Command Line Interface, AWS SDKs, and through AWS CloudFormation. Below is an example using the AWS Console. Introspection is enabled by default, but you can choose to disable it.
When introspection is disabled, a client which uses an introspection query to view the schema will receive validation errors on their query, like below.
When introspection is enabled, introspection queries are permitted to execute.
GraphQL Query Depth Limit
AWS AppSync now lets users set the maximum allowed query depth for a given API. Below, the setting is shown under an API’s configuration page for a given AWS AppSync GraphQL API. When not specified for an API, there is no enforced limit for how deep a query can be resolved.
Below, the depth limit has been set to 2. Any resolver on the 3th level or lower will return a query depth limit reached error.
Note that fields can be marked as either null-able or non-null-able in the AppSync Schema. If a field is marked as as non-null-able and receives an error, that error will propagate upwards to the first null-able field available.
Resolver Count Limit
AWS AppSync now lets users set the maximum number of allowed resolvers to invoke per query. Below is the setting on the the API’s configuration page for a given AWS AppSync GraphQL API. When not specified for an API, the limit falls back to the default 10,000 limit for the number of resolvers a query can invoke.
Similar to query depth, when a client sends a request that invokes more resolvers than the limit regulated by the customer, the query responds with a limit error. Below we have set the resolver count to 2, which means the third resolver below throws an error and does not run.
Summary
Today we demonstrated AWS AppSync’s new API configurations for schema introspection, query depth, and resolver count. Through these fields, customers now have more control over how their API is utilized and can put in place limits to prevent misuse. Try it out today in the AWS AppSync Console.