Query Validation

GraphQL uses query validators to check if Query AST is valid and can be executed. Every GraphQL server implements standard query validators. For example, there is an validator that tests if queried field exists on queried type, that makes query fail with “Cannot query field on type” error if it doesn’t.

To help with common use cases, graphene provides a few validation rules out of the box.

Depth limit Validator

The depth limit validator helps to prevent execution of malicious queries. It takes in the following arguments.

  • max_depth is the maximum allowed depth for any operation in a GraphQL document.
  • ignore Stops recursive depth checking based on a field name. Either a string or regexp to match the name, or a function that returns a boolean
  • callback Called each time validation runs. Receives an Object which is a map of the depths for each operation.

Usage

Here is how you would implement depth-limiting on your schema.

Disable Introspection

the disable introspection validation rule ensures that your schema cannot be introspected. This is a useful security measure in production environments.

Usage

Here is how you would disable introspection for your schema.

Implementing custom validators

All custom query validators should extend the ValidationRule base class importable from the graphql.validation.rules module. Query validators are visitor classes. They are instantiated at the time of query validation with one required argument (context: ASTValidationContext). In order to perform validation, your validator class should define one or more of enter_* and leave_* methods. For possible enter/leave items as well as details on function documentation, please see contents of the visitor module. To make validation fail, you should call validator’s report_error method with the instance of GraphQLError describing failure reason. Here is an example query validator that visits field definitions in GraphQL query and fails query validation if any of those fields are blacklisted: