ChilliCream/graphql-platform

No option to disable Cost Analyzer

johan-lindqvist opened this issue · 9 comments

Product

Hot Chocolate

Version

14

Link to minimal reproduction

N/A

Steps to reproduce

We're using the AddGraphQLFunction() extension method in our project which in turn calls

but there's no option to configure if I want to disable the default security exposed through the AddGraphQLFunction() extension method.

Some way to override the cost analyzer and disable it would be nice since we don't have any use for the cost directives.

What is expected?

The option to disable cost analyzer exists

What is actually happening?

No option to disable the cost analyzer exists

Relevant log output

No response

Additional context

No response

Does this not have the desired effect?

services
   .AddGraphQLServer(...)
   .ModifyCostOptions(options => options.EnforceCostLimits = false)


The schema still has @cost on all the mutations and queries even with this code.

What is the issue you are facing with the cost spec?

The issue is that there's no simple way to opt out of the Cost Analyzer if using the Azure Functions extension method.

There's not really an issue with the cost directive, but what's the motivation of having it included if every query has the same cost and the default value it's given is not used by any client? Maybe I'm missing the benefit of having the cost directive on all the queries and mutations on by default?

Seems like it should be an opt-in feature rather than an opt-out?

The reason why it's opt-out is so users do not forget to enable it.

If you do not use persisted queries, the cost analyzer has to be enabled.


What's the reason for it having to be enabled? I feel like I'm missing something here.

The main reason is that it’s very easy to overwhelm an unsecured GraphQL server. If users can define any GraphQL request without limitations, a server can easily allocate 1-3 GB of memory per request, potentially causing instability or even crashes. We’ve frequently seen this in consulting scenarios, where clients with unsecured GraphQL servers were surprised by how quickly they became unresponsive under load.

Meta, the creator of GraphQL, addresses this risk with persisted operations. This approach only allows predefined requests from their applications to run on production servers, which is widely regarded as a best practice for secure and efficient GraphQL operation.

Similarly, companies with open GraphQL schemas, like GitHub or Shopify, employ complexity and cost analysis to ensure predictable and sustainable server performance under various load conditions.

Starting with Version 14, Hot Chocolate is preconfigured with default security settings for open GraphQL servers (like GitHub’s). This setup helps developers, even those new to GraphQL, run a secure server by default. The default policy in Hot Chocolate disables introspection in production, enforces cost limits, and restricts recursion depth to 3, providing a solid security baseline. While additional security measures can further strengthen an open GraphQL server, this default configuration offers strong initial protection.
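As an added example (not code from the issue or from the Hot Chocolate project), here are the two configurations the thread contrasts: relaxing the enforced limits while keeping the analyzer, versus switching the default security policy off entirely. It assumes the Hot Chocolate 14 `disableDefaultSecurity` parameter on `AddGraphQLServer` and the `MaxFieldCost`/`MaxTypeCost` properties on the cost options; the `Query` type and the second endpoint path are constructed for illustration.

```csharp
// Added example; not the issue author's or the Hot Chocolate project's code.
// Assumptions: AddGraphQLServer(disableDefaultSecurity: ...) exists in v14 and
// CostOptions exposes MaxFieldCost / MaxTypeCost alongside EnforceCostLimits.
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Option A (preferred for an open schema): keep the default security policy and
// only tune the cost limits. @cost stays in the schema and the analyzer still
// runs on every request; raising the thresholds is an explicit, reviewable choice.
builder.Services
    .AddGraphQLServer()
    .AddQueryType<Query>()
    .ModifyCostOptions(options =>
    {
        options.EnforceCostLimits = true; // reject requests above the limits
        options.MaxFieldCost = 1_000;     // assumed property name
        options.MaxTypeCost = 1_000;      // assumed property name
    });

// Option B: what the issue asks for. Turning off the default security policy
// removes the cost analyzer entirely (no @cost directives, no limits), so only
// do this when something else bounds request cost, e.g. persisted operations.
builder.Services
    .AddGraphQLServer("unsecured", disableDefaultSecurity: true)
    .AddQueryType<Query>();

var app = builder.Build();
app.MapGraphQL();                               // default schema, Option A
app.MapGraphQL("/graphql-unsecured", "unsecured"); // constructed path, Option B
app.Run();

// Constructed sample type so the example compiles stand-alone.
public class Query
{
    public string Hello() => "world";
}
```

Setting `EnforceCostLimits = false` alone, as the earlier reply shows, is a third state: the analyzer still runs and annotates the schema, but nothing is rejected.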

I see, that makes sense. I missed that the values were enforced as well by default. Then I guess the issue is that there's no way to disable the cost analyzer when using the AddGraphQLFunction() extension method. There's a way to disable the enforcing but not the cost analyzer.

I can see if I can make a PR to expose the disableDefaultSecurity flag.