Is there any way to set up a whitelist of queries an external client could perform? Something like this. Or is there any other way to protect against malicious exponentially nested queries? @auth directives seem to be type-based and won’t protect against complex aggregations or deeply nested queries. Also, I would prefer to keep the ability to call unrestricted GraphQL queries for an authenticated backend.
No, currently we don’t have any support for restricting exponentially nested queries.
Thank you for your answer. Is there any plan/timeline to implement this? I’m working on a hobby project and do not expect any attacks, but I’m a little bit afraid to invest in using Dgraph and suddenly have an unusable server with no easy way to fix it.
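The two controls asked about in this thread, a query allowlist and a nesting limit, sketched as an added example that is not part of the thread and not a Dgraph feature. It assumes the check runs in a gateway the operator places in front of the GraphQL endpoint; `admit`, `depth_bound`, `MAX_DEPTH` and the sample query are hypothetical names and constructed values.

```python
import hashlib
import re

MAX_DEPTH = 4  # assumed nesting limit for ad-hoc queries from external clients

# Block strings, ordinary strings and comments are matched so their braces are skipped.
TOKEN = re.compile(r'"""(?:\\"""|[\s\S])*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|[(){}]')

def depth_bound(query: str) -> int:
    """Upper bound on selection-set nesting in a GraphQL document.

    Braces inside (...) are argument objects, not selections. The maxima of all
    top-level definitions are summed, so splitting a deep query into named
    fragments cannot hide depth (acyclic spreads nest each fragment at most once).
    """
    total = cur = depth = parens = 0
    for tok in TOKEN.findall(query):
        if tok in ("(", ")"):
            parens += 1 if tok == "(" else -1
        elif tok in ("{", "}") and parens == 0:
            depth += 1 if tok == "{" else -1
            cur = max(cur, depth)
            if depth == 0:                 # a top-level definition just closed
                total, cur = total + cur, 0
        if depth < 0 or parens < 0:
            raise ValueError("unbalanced query")
    if depth or parens:
        raise ValueError("unbalanced query")
    return total

def fingerprint(query: str) -> str:
    # Exact-text hash: clients must send a registered query verbatim.
    return hashlib.sha256(query.strip().encode("utf-8")).hexdigest()

# Constructed sample of a query the client application ships with.
Q_POSTS = "query { queryPost(first: 10) { title author { name } } }"
ALLOWED = {fingerprint(Q_POSTS)}

def admit(query: str, authenticated_backend: bool, strict: bool = True) -> bool:
    """Decide whether the gateway forwards the query to the GraphQL endpoint."""
    if authenticated_backend or fingerprint(query) in ALLOWED:
        return True                        # trusted backend stays unrestricted
    if strict:
        return False                       # allowlist only
    try:
        return depth_bound(query) <= MAX_DEPTH
    except ValueError:
        return False                       # fail closed on malformed input
```

With `strict=True` only registered queries reach the server, which also covers wide queries and aggregations; `strict=False` admits unregistered queries but bounds nothing except nesting.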