@graphile/pro
This is a PostGraphile server plugin that includes a number of optional protections for your production server. Unlike PostGraphile, this plugin is NOT open source software - see "License key" lower down.
Current protections:
- Force pagination caps (require user to supply a 'first' or 'last' argument to collections, customise or disable per table via
@paginationCap
smart comment) - omitting limits from collection fetches is the number one cause of slow queries in PostGraphile applications, this option forces you to use pagination - Ability to send queries to read replicas to increase scalability
- Limit GraphQL query depth
- GraphQL cost limit (experimental! Estimates the cost of a GraphQL query before sending it to the database, applies a limit)
To read about these protections, see:
https://www.graphile.org/postgraphile/production/
Usage
CLI:
yarn add postgraphile @graphile/pro
export GRAPHILE_LICENSE="MY_LICENSE_KEY_HERE"
yarn postgraphile --plugins @graphile/pro
Note: the --plugins
option must be the first option passed to postgraphile
.
Optional CLI flags:
-
--read-only-connection <string>
:: pass the PostgreSQL connection string to use for read-only queries (i.e. not mutations) - typically for connecting to replicas via PgBouncer or similar -
--default-pagination-cap [int]
:: Ensures all connections have first/last specified and are no large than this value (default: 50), set to ' -1' to disable; override via smart comment@paginationCap 50
-
--graphql-depth-limit [int]
:: Validates GraphQL queries cannot be deeper than the specified int (default: 16), set to ' -1' to disable -
--graphql-cost-limit [int]
:: [experimental] Only allows queries with a computed cost below the specified int (default: 30000), set to ' -1' to disable
Library:
Install:
yarn add postgraphile @graphile/pro
Add the pluginHook
and relevant options to your server:
// server.js
const http = require("http");
const { postgraphile, makePluginHook } = require("postgraphile");
const pluginHook = makePluginHook([require("@graphile/pro").default]);
http
.createServer(
postgraphile(process.env.DATABASE_URL, "public", {
license: process.env.GRAPHILE_LICENSE,
pluginHook,
// Same as CLI options:
readOnlyConnection: "postgres://user:pass@bouncer_host/db",
defaultPaginationCap: 50, // -1 to disable
graphqlDepthLimit: 16, // -1 to disable
graphqlCostLimit: 30000, // -1 to disable
// If true (default): reveal the query cost to clients to help them optimise queries
exposeGraphQLCost: true,
})
)
.listen(5000);
Set your GRAPHILE_LICENSE
environmental variable and run the server:
export GRAPHILE_LICENSE="MY_LICENSE_KEY_HERE"
node server.js
IMPORTANT: this plugin does not "phone home" so you'll need to update your license at least once every 9 months. You can check the expiry date of your current license in the Graphile Store validator and log in there to generate a new license code.
Overriding limits on a pre-request basis
Sometimes you may wish that certain requests have higher (or lower) limits than others. For example you might wish to have higher limits for requests originating from your own applications (vs third-party apps), or let logged in users run more complex queries, or allow raising the pre-request limits for users who are on a higher payment plan.
@graphile/pro
enables you to achieve this when you are using PostGraphile as
a library by providing the overrideOptionsForRequest
function:
app.use(
postgraphile(DATABASE_URL, SCHEMA_NAME, {
// ...
defaultPaginationCap: 10,
graphqlDepthLimit: 5,
graphqlCostLimit: 500,
exposeGraphQLCost: false,
overrideOptionsForRequest(req) {
if (req.user) {
/* Logged in; raise limits: */
return {
defaultPaginationCap: 100,
graphqlDepthLimit: 8,
graphqlCostLimit: 3000,
exposeGraphQLCost: true,
};
} else {
return null;
}
},
})
);
This function can only override certain options (see example); and it's synchronous. If you need to call asynchronous code to figure out what the limits should be, you should do that in a middleware before PostGraphile is mounted.
Smart comments
@paginationCap
To override the --default-pagination-cap
option for a specific table or function, you may add a @paginationCap
smart comment to the table/function specifying the replacement cap. Remember, set cap to -1
to disable. For example:
-- Disable pagination cap on my function
comment on function my_function() is E'@paginationCap -1';
-- Raise pagination cap on forums
comment on table forums is E'@paginationCap 500';
@unboundedAllCost
(default 100000)
Applies to tables. If you've disabled pagination caps and someone requests a
root {allForums{nodes{id}}}
, what's the worst cast for how many rows this
might return? Defaults to 100000, override with smart comment:
comment on table forums is E'@unboundedAllCost 200';
NOTE: collection costs are not factored into the query cost linearly.
@unboundedRelationCost
(default 1000)
Applies to tables. Similar to @unboundedAllCost
, but for filtered
collections (e.g. relations, such as
{currentUser{forumsByUserId{nodes{id}}}}
comment on table forums is E'@unboundedRelationCost 50';
@unboundedCost
Applies to functions. If the user supplies no limits what's the worst case for the number of records returned?
Defaults to 1000 for custom queries, 50 for computed columns.
Override via smart comment:
comment on function my_custom_query() is E'@unboundedCost 50';
GraphQL cost limit
This feature is experimental; it allows us to estimate the cost of a query before sending it to the database. It has been honed by timing a wide array of varied queries against a database and seeing how nested collections and function calls affect the performance of the query.
Besides being useful if you wish to open your GraphQL API up to the world in production, this feature is also useful in development as it allows you to see how expensive we estimate your query is whilst you compose it in GraphiQL or similar - it's a great way of determining that your query is too complex before you get performance issues in production.
We recommend that you benchmark queries on a full database and then come up
with a query cost that works for you. A value of 2000
should be high enough
for simple workloads that use pagination and don't nest large collections too
deeply.
The numbers produced by this may change slightly in different versions of
@graphile/pro
; we recommend that you ensure your queries remain well under
the limit you set, and that you have a test suite that ensures all your queries
are under the limit before you do a release.
License key
You must specify the license key in an environmental variable
GRAPHILE_LICENSE
, or pass it via the license
option to the library. You
can acquire the license key from https://store.graphile.com
If you fail to provide the license key, then the module will throw an error.
IMPORTANT: this plugin does not "phone home" so you'll need to update your license at least once every 9 months. You can check the expiry date of your current license in the Graphile Store validator and log in there to generate a new license code.
Read more: https://www.graphile.org/postgraphile/plugins/#first-party-premium-plugins
Changelog
1.0.4 - add missing error handling to readOnlyConnection
Pool
1.0.3 - support wider range of @types/pg
1.0.2 - adds support for overriding defaultPaginationCap
via overrideOptionsForRequest
1.0.1 - adds postgraphile
to peerDependencies
1.0.0 - fixes --read-only-connection integration with --allow-explain; bump to stable
0.11.0 - GraphQL v15 support (for PostGraphile ^4.10.0)
0.10.0 - behavior change from throwing error on invalid license to logging error and continuing without protections
0.9.1 - support pg@8.x, Node 14
0.9.0 - extend pagination limits and cost estimation to simple collections; add ability to override unbounded collection costs
0.8.1 - remove reference to package.json
to improve compatibility with rollup
0.8.0 - allow overriding limits on a per-request basis; fixes an issue where errors are raised with the raw (pre-scaling) cost rather than the final cost
0.7.0 - match library defaults to CLI defaults; update README with CLI flags/library options/changelog
0.6.1 - fix the TypeScript definition file locations
0.6.0 - moved license check to runtime; convert to TypeScript; add support for subscriptions/live queries; fix conflicts when handling GraphQL validation errors
0.5.0 - released on NPM