Max Tokens
Limit the number of tokens in a GraphQL document.
It is used to prevent DOS attack, heap overflow or server overloading.
The token limit is often limited by the graphql parser, but this is not always the case and would lead to a fatal heap overflow.
Configuring for GraphQL Armor
GraphQLArmorConfig({
maxTokens: {
// Toogle the plugin | default: true
enabled?: boolean,
// Tokens threshold | default: 1000
n?: int,
/*
If this is set to true, details about the configured limit are included in the GraphQLError message when errors occur.
When set to false errorMessage is used as the GraphQLError message.
default: true
*/
exposeLimits?: boolean,
// The error message used when exposeLimits is set to false | default: 'Query validation error.'
errorMessage?: string,
// Callbacks that are ran whenever a Query is accepted
onAccept?: GraphQLArmorAcceptCallback[],
// Callbacks that are ran whenever a Query is rejected
onReject?: GraphQLArmorRejectCallback[],
// Do you want to propagate the rejection to the client? | default: true
propagateOnRejection?: boolean,
}
})
Standalone usage
Installation
note
If you want to use the maxTokens plugin out of GraphQL Armor, you can install it from npm:
# npm
npm install @escape.tech/graphql-armor-max-tokens
# yarn
yarn add @escape.tech/graphql-armor-max-tokens
With @graphql/graphql-js
You can directly use the maxTokens option:
import { parse } from '@graphql/graphql-js';
parse('{ foo }', { maxTokens: 2 }));
With @envelop/core from @the-guild-org
import { envelop } from '@envelop/core';
import { maxTokensPlugin } from '@escape.tech/graphql-armor-max-tokens';
const getEnveloped = envelop({
plugins: [
// ... other plugins ...
maxTokensPlugin({
n: 1000,
}),
]
});