Warning: Apollo Server >= 2.4 caches validation result #32

Open
ravangen opened this issue Aug 13, 2019 · 1 comment

A feature added to Apollo Server 2.4 (apollographql/apollo-server#2111) introduces a document store that caches successfully parsed and validated documents for future requests (LRU).

This can lead to a case where a query with good variables passes the dynamic validation cost check (see #12) and subsequent requests with the same query but different, larger variables would not trigger the validation rule due to the usage of the cache.

I don't have a sample reproduction repository, but here is an example with maximumCost: 10:

Schema:

type Query {
  "List businesses."
  businesses(page: Int! = 1, pageSize: Int! = 10): BusinessConnection
    @cost(complexity: 1, multipliers: ["pageSize"])
}

Query:

query ($pageSize: Int! = 10) {
  businesses(pageSize: $pageSize) {
    edges {
      node {
        id
        name
      }
    }
  }
}

First request query variables (validation is run) - passes validation:

{
  "pageSize": 10
}

Second request query variables (validation is skipped) - should fail validation but passes:

{
  "pageSize": 100
}

ellispritchard commented Aug 27, 2019

Verified.

Since you can't disable this cache in ApolloServer (perhaps a PR?), you have to subclass ApolloServer and set the documentStore property to undefined, via createGraphQLServerOptions.

NB you have to subclass ApolloServer to get graphql-cost-analysis working with variables in Apollo Server 2 anyway, see #12.
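
The behaviour reported in this thread, and the effect of running without a document store, can be reproduced with a small model. This is an added example, not code from Apollo Server or graphql-cost-analysis; `createServer`, `handle`, `replay`, `validate` and `costOf` are hypothetical names, and the cost function is a constructed stand-in for the `@cost` directive in the schema above.

```javascript
// Simplified model of the request flow described in this issue; not Apollo Server code.
const MAXIMUM_COST = 10; // maximumCost from the issue's example

// Constructed stand-in for @cost on `businesses`:
// complexity 1, multiplied by pageSize (the query's variable default is 10).
function costOf(variables) {
  const pageSize = variables.pageSize === undefined ? 10 : variables.pageSize;
  return 1 * pageSize;
}

// Validation rule whose verdict depends on the request's variables.
function validate(query, variables) {
  const cost = costOf(variables);
  if (cost > MAXIMUM_COST) {
    throw new Error(`query cost ${cost} exceeds maximumCost ${MAXIMUM_COST}`);
  }
}

// documentStore: a Map keyed by the query text only, or undefined to disable caching.
function createServer({ documentStore }) {
  let validationRuns = 0;
  function handle(query, variables) {
    // Variables are not part of the cache key, so a hit skips validation entirely.
    if (!documentStore || !documentStore.has(query)) {
      validationRuns += 1;
      try {
        validate(query, variables);
      } catch (err) {
        return { accepted: false, error: err.message };
      }
      if (documentStore) documentStore.set(query, true); // only successes are cached
    }
    return { accepted: true, cost: costOf(variables) };
  }
  return { handle, validationRuns: () => validationRuns };
}

const QUERY =
  'query ($pageSize: Int! = 10) { businesses(pageSize: $pageSize) { edges { node { id name } } } }';

// Replays the two requests from the issue: pageSize 10, then pageSize 100.
function replay(documentStore) {
  const server = createServer({ documentStore });
  const first = server.handle(QUERY, { pageSize: 10 });
  const second = server.handle(QUERY, { pageSize: 100 });
  return { first, second, validationRuns: server.validationRuns() };
}

console.log('with document store:', replay(new Map()));
console.log('documentStore undefined:', replay(undefined));
```

With the store enabled the second request is accepted at cost 100 after a single validation run; with `documentStore` undefined the rule runs on both requests and the second is rejected.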
