Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add query limits for array results

See original GitHub issue

When doing a query such as:

query {
  allPosts(first: 10){
    id
  }
}

All is ok 👍

But what happens when someone does a query like:

query {
  allPosts(first: 10000000){
    id
  }
}

We need to have a way to set limits on the total results, perhaps like:

keystone.createList('Post', {
  fields: {},
  limits: {
    maxResults: 100
  }
});

Issue Analytics

State:
Created 4 years ago
Reactions:1
Comments:14 (14 by maintainers)

Top GitHub Comments

1reaction

sarneaudcommented, Oct 22, 2019

Update: most of the features in the report have been added. The two that are still missing are

Function-based limits
Whitelisting of fields used in where clauses, etc.

The query limits haven’t been integrated with the (relatively) new multi-schema system. Maybe we don’t need the function-based limits if we have schema-aware limits.

I’m not doing any work on this at the moment.

1reaction

jesstelfordcommented, Aug 19, 2019

why not let them?

To stop people launching DoS attacks against a KS5 instance, and to also catch the case where the developer accidentally does a query such as:

query {
  allPosts {
    id
  }
}

(ie; with no first arg).

These limits should additionally be by passable how do you control them at runtime?

Good points! We could accept a function like we already do for access control:

keystone.createList('Post', {
  fields: {},
  limits: {
    maxResults: ({ authentication: { item } }) => {
      if (item.isAdmin) {
        return null;
      }
      return 100;
    }
  }
});