From 478270817ae2bb7f7093259c4090d21e7aa585f3 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Thu, 14 May 2020 10:20:05 -0400
Subject: [PATCH] api: make complexity limit configurable

---
 api/server.go | 13 ++++++++++++-
 config.example.ini | 14 ++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/api/server.go b/api/server.go
index cd8ef07..e02c244 100644
--- a/api/server.go
+++ b/api/server.go
@@ -5,6 +5,7 @@ import (
 "log"
 "net/http"
 "os"
+ "strconv"

 "git.sr.ht/~sircmpwn/getopt"
 "git.sr.ht/~sircmpwn/gqlgen/handler"
@@ -75,9 +76,19 @@ func main() {
 }
 graph.ApplyComplexity(&gqlConfig)

+ var complexity int
+ if limit, ok := config.Get("git.sr.ht::api", "max-complexity"); ok {
+ complexity, err = strconv.Atoi(limit)
+ if err != nil {
+ panic(err)
+ }
+ } else {
+ complexity = 200
+ }
+
 srv := handler.GraphQL(
 api.NewExecutableSchema(gqlConfig),
- handler.ComplexityLimit(100))
+ handler.ComplexityLimit(complexity))

 router.Handle("/query", srv)

diff --git a/config.example.ini b/config.example.ini
index 81b3992..cb8e385 100644
--- a/config.example.ini
+++ b/config.example.ini
@@ -113,6 +113,20 @@ repos=/var/lib/git/
 s3-bucket=
 s3-prefix=

+[git.sr.ht::api]
+#
+# Maximum complexity of GraphQL queries. The higher this number, the more work
+# that API clients can burden the API backend with. Complexity is equal to the
+# number of discrete fields which would be returned to the user. 200 is a good
+# default.
+max-complexity=200
+
+#
+# The maximum time the API backend will spend processing a single API request.
+#
+# See https://golang.org/pkg/time/#ParseDuration
+max-duration=3s
+
 [git.sr.ht::dispatch]
 #
 # The authorized keys hook uses this to dispatch to various handlers
-- 
2.38.4
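Review bot: In the `main()` hunk of api/server.go the parsed `max-complexity` value goes to `handler.ComplexityLimit` with no range check, so `0` or a negative number is accepted. How the handler treats a non-positive limit is not visible here; it may switch the complexity guard off or reject every query, so I would refuse such a value at startup. Something like `if err != nil || complexity <= 0 { log.Fatalf("git.sr.ht::api max-complexity: invalid value %q", limit) }` would also name the offending key, which the bare `panic(err)` does not. The fallback also moves from 100 to 200, which the commit subject does not mention. `err` is assigned with `=`, and `main` begins and ends outside the hunk, so its declaration cannot be checked from here.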
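Review bot: `max-duration=3s` is documented in the new `[git.sr.ht::api]` section of config.example.ini, but neither api/server.go hunk in this patch reads that key. Unless it is consumed elsewhere in the tree, an operator who sets it gets no request time limit. If enforcement lands in a later commit, I would introduce the key there, or mark it here with a comment such as `# (not yet enforced)`. For `max-complexity` it would help to state the accepted range next to the default, e.g. `# Must be a positive integer.`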