feat(graphql): enable configurable max_query_depth and max_query_complexity (#2128)

vinceAmstoutz · mauriau · web-flow · commit f13161a835ae · 2025-01-15T14:00:27.000+01:00
* feat(graphql): allow to change max_query_depth and max_query_complexity

* docs(graphql): support laravel for max_query_depth &amp; max_query_complexity

---------

Co-authored-by: mauriau &lt;m.auriau@toovalu.com&gt;
diff --git a/core/configuration.md b/core/configuration.md
@@ -155,7 +155,13 @@ api_platform:
 
         # The nesting separator used in the filter names.
         nesting_separator: _
-
+        
+        # The maximum query depth. Set to 0 to disable it. Look at https://webonyx.github.io/graphql-php/security/#limiting-query-depth
+        max_query_depth: 20
+        
+        # The maximum query complexity. Set to 0 to disable it. Look at https://webonyx.github.io/graphql-php/security/#query-complexity-analysis
+        max_query_complexity: 500
+        
         collection:
             pagination:
                 enabled: true
@@ -545,6 +551,12 @@ return [
 
         // The nesting separator used in the filter names.
         'nesting_separator' => '_',
+        
+        // The maximum query depth. Set to 0 to disable it. Look at https://webonyx.github.io/graphql-php/security/#limiting-query-depth
+        'max_query_depth' => 20,
+        
+        // The maximum query complexity. Set to 0 to disable it. Look at https://webonyx.github.io/graphql-php/security/#query-complexity-analysis
+        'max_query_complexity' => 500,
 
         'collection' => [
             'pagination' => [
diff --git a/core/graphql.md b/core/graphql.md
@@ -254,6 +254,68 @@ return [
 ];
 ```
 
+## Change Max Query Depth
+
+For security reason, the max query depth should be limited to avoid deep queries. **It's set to 100 by default**.
+
+### Symfony config to change the Max Query Depth
+
+If you need to change it, it can be done in the configuration:
+
+```yaml
+# api/config/packages/api_platform.yaml
+api_platform:
+  graphql:
+    max_query_depth: 7
+# ...
+```
+
+### Laravel config to change the Max Query Depth
+
+If you need to change it, it can be done in the configuration:
+
+```php
+<?php
+// config/api-platform.php
+return [
+    // ....
+    'graphql' => [
+        'max_query_depth' => 7,
+    ],
+];
+```
+
+## Change Max Query Complexity
+
+For security reason, the max query complexity should be limited to avoid complex queries. **It's set to 100 by default**.
+
+### Symfony config to change the Max Query Complexity
+
+If you need to change it, it can be done in the configuration:
+
+```yaml
+# api/config/packages/api_platform.yaml
+api_platform:
+  graphql:
+    max_query_complexity: 50
+# ...
+```
+
+### Laravel config to change the Max Query Complexity
+
+If you need to change it, it can be done in the configuration:
+
+```php
+<?php
+// config/api-platform.php
+return [
+    // ....
+    'graphql' => [
+        'max_query_complexity' => 50,
+    ],
+];
+```
+
 ## Request with `application/graphql` Content-Type
 
 If you wish to send a [POST request using the `application/graphql` Content-Type](https://graphql.org/learn/serving-over-http/#post-request),
