Query Validator
This module provides query validation for GraphQL queries. It validates:
- Query size (maximum bytes, O(1) check — no parsing required)
- Query depth (maximum nesting levels) — via AST analysis
- Query complexity (weighted scoring of fields) — via AST analysis
- Alias count (alias amplification protection) — via AST analysis
§Architecture
The Query Validator acts as the third layer in the security middleware:
```text
GraphQL Query String
        ↓
QueryValidator::validate()
  ├─ Check 1: Validate query size (O(1) byte count)
  ├─ Check 2: AST-based analysis (depth, complexity, alias count)
  │           via `RequestValidator` from `graphql::complexity`
  ├─ Check 3: Check query depth
  ├─ Check 4: Check query complexity
  └─ Check 5: Check alias count (alias amplification protection)
        ↓
Result<QueryMetrics> (validation passed or error)
```
§Examples
```rust
use fraiseql_core::security::{QueryValidator, QueryValidatorConfig};

// Create validator with standard limits
let config = QueryValidatorConfig {
    max_depth: 10,
    max_complexity: 1000,
    max_size_bytes: 100_000,
    max_aliases: 30,
};
let validator = QueryValidator::from_config(config);

// Validate a query
let query = "{ user { posts { comments { author { name } } } } }";
let metrics = validator.validate(query).unwrap();
println!("Query depth: {}", metrics.depth);
println!("Query complexity: {}", metrics.complexity);
println!("Query aliases: {}", metrics.alias_count);
```
§Structs
- QueryValidator - Query Validator
- QueryValidatorConfig - Query validation configuration
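
To make the size, depth and alias checks concrete, the following stand-alone sketch measures them with a single lexical pass over the query string. It is an added example, not fraiseql_core's code: the crate performs these checks on the parsed AST, and `Limits`, `Metrics` and `check` are hypothetical names; complexity scoring and fragment expansion are out of scope here.

```rust
// Added illustration: a lexical pre-check, NOT fraiseql_core's AST-based analysis.
// `Limits`, `Metrics` and `check` are hypothetical names; fragments are not expanded
// and block strings containing a bare `"` are not handled.
#[derive(Debug, PartialEq)]
pub struct Metrics { pub depth: usize, pub alias_count: usize }
pub struct Limits { pub max_size_bytes: usize, pub max_depth: usize, pub max_aliases: usize }

pub fn check(query: &str, lim: &Limits) -> Result<Metrics, String> {
    // Size first: a byte count needs no parsing, so oversized input is rejected cheaply.
    if query.len() > lim.max_size_bytes {
        return Err(format!("size {} exceeds {}", query.len(), lim.max_size_bytes));
    }
    let (mut depth, mut max_depth, mut parens, mut aliases) = (0usize, 0usize, 0usize, 0usize);
    let mut chars = query.chars();
    while let Some(c) = chars.next() {
        match c {
            // Skip string literals so braces and colons inside them are ignored.
            '"' => { while let Some(s) = chars.next() {
                if s == '\\' { chars.next(); } else if s == '"' { break; }
            } }
            // Skip comments up to the end of the line.
            '#' => { for s in chars.by_ref() { if s == '\n' { break; } } }
            '(' => parens += 1,
            ')' => parens = parens.saturating_sub(1),
            // Braces inside parentheses are input objects, not selection sets.
            '{' if parens == 0 => { depth += 1; max_depth = max_depth.max(depth); }
            '}' if parens == 0 => depth = depth.saturating_sub(1),
            // A colon inside a selection set but outside arguments is `alias: field`.
            ':' if parens == 0 && depth > 0 => aliases += 1,
            _ => {}
        }
    }
    if max_depth > lim.max_depth {
        return Err(format!("depth {} exceeds {}", max_depth, lim.max_depth));
    }
    if aliases > lim.max_aliases {
        return Err(format!("{} aliases exceed {}", aliases, lim.max_aliases));
    }
    Ok(Metrics { depth: max_depth, alias_count: aliases })
}

fn main() {
    let lim = Limits { max_size_bytes: 100_000, max_depth: 10, max_aliases: 30 };
    // Constructed sample: one resolver requested three times under different aliases.
    let q = "{ a: user(id: 1) { name } b: user(id: 2) { name } c: user(id: 3) { name } }";
    println!("{:?}", check(q, &lim));
}
```

The depth reported here is selection-set nesting; the crate's `QueryMetrics` values may be computed differently.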