GraphQL Tokkyo LT
Traversing the GraphQL AST and
Calculating Query Costs
▸ X: @joe_re
▸ GitHub: @joe-re
▸ Tech Lead at CureApp Inc.
▸ One of the organizer of GraphQL
What are I am talking about today
▸ How GraphQL rate limiting differs from REST API
▸ Walking through the GraphQL AST by using graphql-js
▸ Introduce three examples to walk through GraphQL API based on actual use
cases from graphql-cost-calculator
1. I believe the basic concept is not signi
cantly different from other languages. However, this assumes
NodeJS environment, as I'm not familiar with GraphQL tooling in other languages.
2. There’s some other libraries to provide a way to calculate a GraphQL cost but I am not talking about
The GraphQL API rate limiting is different from REST API’s
▸ We can’t simply count the number of queries for GraphQL rate limiting
because GraphQL query can replace multiple REST API calls.
▸ Small queries only consume minimal server resources, but a single complex
GraphQL query could be equivalent to thousands of REST API calls.
▸ Until the server executes actual GraphQL calls, we can’t determine their true
Static analysis is important for blocking queries before they are executed
▸ It’s the popular way to calculate GraphQL queries cost to use rate limit instead
of counting number of requests call.
▸ This should be done statically by analyzing the query's AST before execution.
▸ Because if some huge queries are executed once, it could consume huge
A rate limiting score on GitHub GraphQL API
3. Although we're returning 60 labels, the API has to connect to each of
the 5,000 potential total issues to get the list of labels. So, requests for labels
2. Although we're returning 50 issues, the API has to connect to each of
the 100 repositories to get the list of issues. So, requests for issues
4. Total = 5,101
1. Although we're returning 100 repositories, the API has to connect to the
viewer's account once to get the list of repositories. So, requests for repositories
5. Dividing by 100 and rounding gives us the
nal score of the query: 51
▸ It walks through GraphQL queries AST and estimate a cost statically.
▸ This library offers means to calculate the cost of query, facilitating rate limiting
similar to the GiHub GraphQL API.
GraphQL queries AST
Root is OperationDe
elds have “kind” property to provide own node type
Using visitor pattern to walk through an AST
▸ Refer: https://graphql.org/graphql-js/language/#visitor
▸ graphql-js offers a visitor pattern for traversing the GraphQL AST through the
▸ With the visit function, you can use the enter/leave
steps to traverse the AST.
▸ By specifying named visitors,
you can target and traverse speci
c kinds of nodes.
Three examples to introduce how to walk through GraphQL AST
▸ I will introduce three use cases that explain how to walk through a GraphQL
▸ 1. Counting requests for each unique connection
2: Resolving Fragment
3: Identifying Object Type
▸ Each example is based on an actual use case from the library, but it has been
ed for easy understanding.
Example1: Counting requests for each unique connection
1. When it enters SelectionSet, get
2. If it has a
rst/last argument, the multiplier
is incremented and pushed to the stack
3. If it lacks a
the current multiplier value is pushed to the
4. If it’s a connection node, calculates a cost
based on current multiplier
5. When it leaves SelectionSet,
the current multiplier value is reduced from
Example2: Resolving Fragment
1. First, store all fragment de
2. Upon encountering a FragmentSpread, it is
replaced with the fragment de
Example3: Identifying Object Type
1. Retrieve the parent type because a parent
know what type is for each
While the AST doesn't recognize the actual
eld type, the GraphQL Schema does. With
this combination, you can obtain the actual
2. Obtain the node's
eld class from the
This class includes a `.type` attribute that
provides the actual type name of the
▸ It’s easy to walk through GraphQL AST more than you thought.
▸ And it’s really fun. 😉
▸ Thanks for listening. 🙏