Skip to content

Limit query depth and convert state change schema to interface #304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 30 commits into from
Sep 23, 2025
Merged

Limit query depth and convert state change schema to interface #304

merged 30 commits into from
Sep 23, 2025

Conversation

@aditya1702
Copy link
Contributor

@aditya1702 aditya1702 commented Aug 27, 2025
edited
Loading

What

Major GraphQL API improvements focusing on security, performance, and maintainability:

  1. Query Complexity Analysis & Limiting: Implements GraphQL query complexity calculation and logging to prevent DoS attacks through overly complex queries (ref:
    https://gqlgen.com/reference/complexity/)
  2. State Change Schema Refactoring: Converts from monolithic StateChange type to extensible BaseStateChange interface with concrete implementations, enabling polymorphic state change models
  3. Performance Optimizations:
    - Introduces AccountModel.BatchGetByStateChangeIDs for efficient batch loading to eliminate N+1 queries
    - Refactors pagination logic with baseStateChangeWithCursor for consistency across resolvers
  4. Code Quality Improvements: Adds shared resolver helper functions for common patterns (nullable strings, JSONB fields, arrays) and breaks down large GraphQL structs into focused objects

The state change query is now converted to the following design:

stateChanges(first: 1) {
				edges {
					node {
						stateChangeCategory
						ingestedAt
						ledgerCreatedAt
						ledgerNumber
						
						... on StandardBalanceChange {
							amount
							tokenId
						}
						... on ReservesChange {
							stateChangeReason
							sponsoredAccountId
							sponsorAccountId
						}
						... on SignerChange {
							stateChangeReason
							signerAccountId
							signerWeights
						}
						... on SignatureThresholdsChange {
							stateChangeReason
							thresholds
						}
						... on FlagsChange {
							stateChangeReason
							flags
						}
						... on MetadataChange {
							stateChangeReason
							keyValue
						}
						... on BalanceAuthorizationChange {
							stateChangeReason
							flags
						}
					}
				}
}

Why

  • Security: GraphQL's flexible query structure can be exploited for DoS attacks through deeply nested or complex queries. Query complexity limits provide essential protection.
  • Performance: The existing state change resolvers suffered from N+1 query problems when loading associated accounts. Batch loading addresses this scalability issue.
  • Maintainability: The monolithic state change approach made extending functionality difficult. The interface pattern provides better extensibility and type safety.
  • Code Quality: Duplicated resolver logic across state change types created maintenance overhead and inconsistency risks.

Issue that this PR addresses

#250 #305

@aditya1702 aditya1702 changed the base branch from main to graphql-main August 27, 2025 20:32
@aditya1702
break state change graphql struct into individual objects
595876b
@aditya1702
Refactor state change resolvers for code reuse
f47f228 
Introduces shared resolver helper functions for common field resolution patterns in state change GraphQL resolvers, reducing duplication and improving maintainability. Updates all state change resolvers to use these helpers for nullable/required strings, JSONB fields, and arrays. Also updates account resolution logic to use accountID directly and makes minor import and type declaration cleanups.
@aditya1702
Update statechange.resolvers.go
e184b8f
@aditya1702
Refactor StateChangeEdge to use BaseStateChange interface
e69b536 
Updated StateChangeEdge's node field to use the BaseStateChange interface instead of the StateChange type in GraphQL schema, models, and resolvers. Added type conversion logic to resolve the correct concrete type for BaseStateChange based on StateChangeCategory. This improves extensibility and supports polymorphic state change models in the API.
@aditya1702
Remove amount from sponsorship change
36e8d4a
@aditya1702
Refactor state change pagination and test helpers
1223899 
Introduces baseStateChangeWithCursor and refactors pagination logic to use converted state changes for account, operation, transaction, and query resolvers. Updates test assertions to use a new extractStateChangeIDs helper for cursor extraction, improving type safety and consistency across resolver and test code.
@aditya1702
make check
f6371e3
@aditya1702
Remove old state change model from graphql
35a25af
@aditya1702 aditya1702 changed the title Limit query depth by calculating the complexity Limit query depth and convert state change schema to interface Aug 28, 2025
@aditya1702
Update utils.go
f7efe8d
@aditya1702
Update types.go
62f5861
@aditya1702
Add batched account loading by state change ID
76314ec 
Introduces AccountModel.BatchGetByStateChangeIDs and supporting types to efficiently batch-load accounts associated with state changes. Updates GraphQL dataloaders and resolvers to use this method, reducing N+1 queries for state change account resolution. Includes tests for the new batch loading logic.
@aditya1702 aditya1702 marked this pull request as ready for review August 29, 2025 15:43
JakeUrban
JakeUrban reviewed Aug 29, 2025
View reviewed changes
Copy link
Contributor

@JakeUrban JakeUrban left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just dug into the schema to start and will follow up with a review of the implementation once we align on any schema changes. Super excited to see this!

aristidesstaffieri
aristidesstaffieri reviewed Sep 2, 2025
View reviewed changes
internal/data/accounts.go
start := time.Now()
err := m.DB.SelectContext(ctx, &accountsWithStateChanges, query)
duration := time.Since(start).Seconds()
m.MetricsService.ObserveDBQueryDuration("SELECT", "accounts", duration)
Copy link
Contributor

@aristidesstaffieri aristidesstaffieri Sep 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

metric collection can be pulled out into a helper/util

aristidesstaffieri
aristidesstaffieri reviewed Sep 2, 2025
View reviewed changes
@aditya1702
Rename PaymentStateChange to BalanceStateChange in GraphQL
3d9e4c6 
Refactors GraphQL schema, Go models, and resolvers to rename PaymentStateChange to BalanceStateChange and SignatureThresholdsStateChange to SignerThresholdsStateChange. Updates related field names for consistency (e.g., spenderAccountId to spenderAddress, signerAccountId to signerAddress, sponsorAccountId to sponsorAddress) and adjusts type mappings in gqlgen.yml and generated code accordingly.
@aditya1702
make check
9c9a55e
@aditya1702
Rename StateChange GraphQL fields to 'type' and 'reason'
931415f 
Replaces 'stateChangeCategory' with 'type' and 'stateChangeReason' with 'reason' in GraphQL schema and resolvers for all StateChange types. Updates Go model methods and generated code to match new field names, ensuring consistency and explicit resolver usage for these fields.
@aditya1702
Remove allowance state change struct
4e36993
@socket-security
Copy link

socket-security bot commented Sep 10, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedgithub.com/​basemachina/​gqlgen-complexity-reporter@​v0.1.2100100100100100

View full report

@aditya1702
Merge branch 'graphql-main' into query-depth
fc845fd
@aditya1702
Refactor state change models and GraphQL schema
d227aee 
Removed unused LiabilityStateChange and AllowanceStateChange models and related GraphQL types. Added AccountStateChange, TrustlineStateChange, and BalanceAuthorizationStateChange models and schema types. Updated enums and resolvers to match new state change categories and reasons, improving clarity and maintainability of state change handling.
@aditya1702
Refactor state change reason usage and resolver types
e616e94 
Updated usage of StateChangeReason in test utilities to use variables instead of pointers to constants. Refactored resolver type definitions in statechange.resolvers.go to use a type group for improved readability. Fixed test cases to use StateChangeCategoryBalance instead of StateChangeCategoryCredit. Adjusted extractStateChangeIDs to handle correct model types.
@aditya1702
Refactor StateChange cursor extraction logic
a824f9c 
Introduced StateChangeCursorGetter interface and implemented GetCursor method for StateChange. Updated extractStateChangeIDs to use the interface, reducing repetitive type assertions and improving code maintainability.
@aditya1702
Refactor sponsorship to reserves state change model
fe52cdb 
Renamed SponsorshipStateChange to ReservesStateChange across GraphQL schema, types, and resolvers for clarity. Updated state change category and reasons to use 'RESERVES', 'SPONSOR', and 'UNSPONSOR'. Refactored effect processor logic to create separate state changes for sponsoring and sponsored accounts, improving accuracy and maintainability.
@aditya1702
Fix sponsorship effect processing and update tests
1825586 
Removed unused targetChange from processSponsorshipEffect and adjusted the return value to only include sponsorChanges. Updated tests to expect the correct number and type of state changes for sponsorship updates, reflecting the new logic.
@aditya1702
Rename SponsorshipStateChange to ReservesStateChange
cd80b6c 
Refactors GraphQL schema and resolvers to replace SponsorshipStateChange with ReservesStateChange, updating all related types, interfaces, and field resolvers for clarity and consistency. Also updates the effects processor to remove unused parameters from processSponsorshipEffect.
@aditya1702
Implement state change GraphQL resolvers
c1f3fe4 
Replaces panic placeholders with actual resolver implementations for various state change models in statechange.resolvers.go. Removes unused resolveStringArray helper from resolver.go. This enables proper GraphQL responses for state change queries.
@aditya1702
Rename state change GraphQL types for clarity
f2421d1 
Renames various GraphQL types and resolvers related to state changes for improved clarity and consistency. For example, BalanceStateChange becomes StandardBalanceChange, AccountStateChange becomes AccountChange, and similar updates are made for other state change types across gqlgen.yml, Go models, resolvers, tests, and the GraphQL schema.
@aditya1702 aditya1702 merged commit 05da5d6 into graphql-main Sep 23, 2025
8 checks passed
@aditya1702 aditya1702 deleted the query-depth branch September 23, 2025 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JakeUrban JakeUrban JakeUrban left review comments

@aristidesstaffieri aristidesstaffieri aristidesstaffieri approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@aditya1702 @aristidesstaffieri @JakeUrban