Rejecting costly or malicious queries

Is there currently a way to determine how costly a query will be to run? I have been looking at the code and I think there isn’t, correct me and close this issue if I’m wrong!

It would be important to add some protections against this kind of thing. When thinking of ways to do this I found that I settled on a way that sangria is already doing. i.e. assign a complexity score to each field and add up the scores, rejecting the query if it’s too complex.

With this in mind I’d propose the following:

1. Add an optional cost/complexity function to the GraphQLFieldDefinition and its inner Builder class. The interface would be something like:

public interface ComplexityFunction {
   Double calculate(ValidationContext validationContext, List<GraphQLArgument> args, Double childScore);
}

with java 8 usage like

newFieldDefinition()
.name("field")
.dataFetcher(env -> "result")
.complexity((validationContext, fieldDef, childScore) -> 2.0 * getArgument("size", args) * childScore)

1. Add a way to specify the complexity limit on queries to run. This will likely take the form of adding a List of validations as an argument to the graphql.execute method. It would be nice to be able to use the RulesVisitor and another validation for this but I’m not sure it can be done that way yet.

What do you think? I’m willing to implement this feature myself, so I’d like to know if this is wanted and if this is a good approach.