rmosolgo/graphql-ruby

Query complexity check causes wrong GraphQL error response

mgruner opened this issue · 0 comments

Describe the bug

In case of exceptions raised by input types, query complexity is calculated wrong, causing misleading error responses.

Versions

graphql version: 2.1.3
rails (or other framework): 7.0.8

GraphQL query

Example GraphQL query and response (if query execution is involved)

query {
  description: ticketArticles(
    ticket: {ticketId: "gid://zammad/Ticket/1"},
    first: 1
  ) {
    edges {
      node {
        ...
      }
    }
  }
}

Expected behavior

We have a query with an input type referring to a DB entity (Ticket). This is validated for user permissions; an exception is raised in case of unauthorized access.

This query fetches only the first ticket article. In case of authorized access, the article should be returned; in case of unauthorized access, a GraphQL error response about unauthorized access should be returned.

Actual behavior

Authorized access works, but in case of unauthorized access there is a GraphQL error response about exceeded max query complexity, instead of the expected authorization error.

Additional context

It seems that GraphQL::Schema::Field.calculate_complexity gets it wrong when calculating the complexity of the connection? type. The reason is probably that it does not receive any input arguments for the field (specifically, also not the limit: argument), but instead only the GraphQL::ExecutionError object. This means the limit: 1 is no longer respected, so the default page size is used to calculate the complexity instead, which leads to exceeding the configured max complexity.
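The following is an added example, not code from the issue or from graphql-ruby: a small Ruby model of how a connection field's cost depends on first:/last:, showing why an error object standing in for the arguments ends in a complexity error, and how checking for the error first surfaces the real failure. ExecError, DEFAULT_PAGE_SIZE, MAX_COMPLEXITY and the function names are hypothetical stand-ins.

```ruby
# Added example (not graphql-ruby's own code): models the complexity
# calculation described in the report. All names here are hypothetical.

# Stand-in for GraphQL::ExecutionError, which the report says is handed to
# the complexity calculation in place of the prepared arguments.
class ExecError
  attr_reader :message
  def initialize(message)
    @message = message
  end
end

DEFAULT_PAGE_SIZE = 100 # constructed default page size for this model
MAX_COMPLEXITY    = 50  # constructed max_complexity for this model

# Model of a connection field's cost: the page size bounds how many child
# nodes can be returned. When `arguments` is not a Hash (it is the error
# object), no first:/last: limit is found and the default page size wins.
def connection_complexity(arguments, child_complexity)
  page_size = DEFAULT_PAGE_SIZE
  if arguments.respond_to?(:[])
    page_size = arguments[:first] || arguments[:last] || DEFAULT_PAGE_SIZE
  end
  1 + page_size * child_complexity
end

# Naive check, as in the report: the cost is computed even though argument
# preparation already failed, so the client gets a misleading error.
def naive_check(arguments, child_complexity)
  cost = connection_complexity(arguments, child_complexity)
  if cost > MAX_COMPLEXITY
    return { error: "Query has complexity of #{cost}, which exceeds max complexity of #{MAX_COMPLEXITY}" }
  end
  { complexity: cost }
end

# Guarded variant: surface the argument error first, so the authorization
# failure is reported instead of a complexity failure.
def guarded_check(arguments, child_complexity)
  return { error: arguments.message } if arguments.is_a?(ExecError)
  naive_check(arguments, child_complexity)
end

if __FILE__ == $0
  p naive_check({ first: 1 }, 3)                      # within budget
  p naive_check(ExecError.new("not authorized"), 3)   # misleading complexity error
  p guarded_check(ExecError.new("not authorized"), 3) # the real error
end
```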