Securing a GraphQL API: Why It Is Critical
📖 Scenario: You are building a GraphQL API for a small online bookstore. The API allows clients to query book details, authors, and user reviews. Since this API will be publicly accessible, it is important to secure it to protect sensitive data and ensure reliable service.
🎯 Goal: Learn why securing a GraphQL API is critical by setting up a simple GraphQL schema, adding a configuration for query complexity limit, implementing a query complexity check, and completing the setup to prevent overly complex queries that could harm the service.
📋 What You'll Learn
Create a basic GraphQL schema with types for Book and Query
Add a configuration variable for maximum query complexity
Implement a function to calculate and check query complexity
Complete the setup by applying the complexity check to incoming queries
💡 Why This Matters
🌍 Real World
Securing GraphQL APIs is essential to protect sensitive data and maintain service reliability by preventing malicious or overly complex queries.
💼 Career
Understanding how to secure GraphQL APIs is a valuable skill for backend developers and API engineers working with modern web services.
1. Create a basic GraphQL schema
Create a GraphQL schema with a Book type that has title and author fields, both of type String. Also create a Query type with a field books that returns a list of Book.
Hint: Use the gql template literal to define the schema with type Book and type Query.
2. Add a maximum query complexity configuration
Add a constant variable called MAX_QUERY_COMPLEXITY and set it to 100. This will be used to limit how complex a query can be.
Hint: Define MAX_QUERY_COMPLEXITY as a constant number 100.
3. Implement the query complexity calculation function
Write a function called calculateQueryComplexity that takes a query string and returns a number representing its complexity. For simplicity, count the number of fields requested by counting occurrences of { in the query string.
Hint: Use query.match(/{/g) to count how many fields are requested.
4. Apply the complexity check to incoming queries
Write a function called validateQuery that takes a query string, uses calculateQueryComplexity to get its complexity, and throws an error if the complexity is greater than MAX_QUERY_COMPLEXITY. Otherwise, it returns true.
Hint: Compare the complexity to MAX_QUERY_COMPLEXITY and throw an error if it is too high.
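The four steps above, carried through as one runnable JavaScript file. This is an added example, not the tutorial's own solution. It assumes a trivial identity `gql` tag so the schema definition runs offline without graphql-tag or Apollo installed, and it goes one step beyond the tutorial with a separate depth cap (MAX_QUERY_DEPTH, calculateQueryDepth and validateQueryDepth are assumed names): brace counting scores 100 sibling fields and 100 nested levels the same, but nesting is what makes resolvers fan out, so a depth limit is a cheap second guard to pair with the complexity score.

```javascript
// Added example, not the tutorial's code. The real `gql` tag comes from
// graphql-tag / apollo-server; this identity tag is an assumption so the file
// runs stand-alone.
const gql = (strings, ...values) =>
  strings.reduce((acc, s, i) => acc + s + (values[i] ?? ""), "");

// Step 1: schema with Book and Query types
const typeDefs = gql`
  type Book {
    title: String
    author: String
  }

  type Query {
    books: [Book]
  }
`;

// Step 2: upper bound on the complexity score a query may have
const MAX_QUERY_COMPLEXITY = 100;

// Step 3: the tutorial's heuristic, count "{" characters (one per selection set).
// It does not know what any field costs; it only bounds the shape of the query.
function calculateQueryComplexity(query) {
  const matches = query.match(/{/g);
  return matches ? matches.length : 0;
}

// Step 4: reject queries whose score exceeds the limit, otherwise return true
function validateQuery(query) {
  const complexity = calculateQueryComplexity(query);
  if (complexity > MAX_QUERY_COMPLEXITY) {
    throw new Error(
      `Query complexity ${complexity} exceeds limit of ${MAX_QUERY_COMPLEXITY}`
    );
  }
  return true;
}

// Beyond the tutorial (assumed names): cap nesting depth as well. A brace scan
// that tracks the running nesting level gives the maximum depth directly.
const MAX_QUERY_DEPTH = 5;

function calculateQueryDepth(query) {
  let depth = 0;
  let maxDepth = 0;
  for (const ch of query) {
    if (ch === "{") {
      depth += 1;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === "}") {
      depth -= 1;
    }
  }
  return maxDepth;
}

function validateQueryDepth(query) {
  const depth = calculateQueryDepth(query);
  if (depth > MAX_QUERY_DEPTH) {
    throw new Error(`Query depth ${depth} exceeds limit of ${MAX_QUERY_DEPTH}`);
  }
  return true;
}

// Constructed sample input: a normal bookstore query, and a helper that builds
// an artificially nested query so both guards can be exercised.
const simpleQuery = `{ books { title author } }`;

function buildNestedQuery(levels) {
  return "{ books " + "{ author ".repeat(levels) + "}".repeat(levels) + " }";
}

console.log("simple query accepted:", validateQuery(simpleQuery));
for (const guard of [validateQuery, validateQueryDepth]) {
  try {
    guard(buildNestedQuery(120));
  } catch (err) {
    console.log("rejected:", err.message);
  }
}
```

Both checks run on the raw query string before any parsing or resolution, which is the point: the cost of rejecting a query should be far lower than the cost of executing it. In a real deployment the same checks belong in a validation rule or plugin of the GraphQL server you use, where they can see the parsed document rather than counting characters.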