From e2a20d37a10efd936f686a8ed31b49582c7a80e5 Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Fri, 3 Apr 2026 21:46:29 +0530
Subject: [PATCH] fix(graphql): add query complexity limit

No query complexity or depth limiting existed, enabling resource exhaustion and batch brute-force attacks via deeply nested or complex queries.

Adds FixedComplexityLimit(300) using gqlgen's built-in extension.

Fixes: H10 (High)
---
 internal/http_handlers/graphql.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/internal/http_handlers/graphql.go b/internal/http_handlers/graphql.go
index a32c02b2..165ecbfd 100644
--- a/internal/http_handlers/graphql.go
+++ b/internal/http_handlers/graphql.go
@@ -71,6 +71,8 @@ func (h *httpProvider) GraphqlHandler() gin.HandlerFunc {
 srv.Use(extension.AutomaticPersistedQuery{
 Cache: lru.New[string](100),
 })
+ // Limit query complexity to prevent resource exhaustion
+ srv.Use(extension.FixedComplexityLimit(300))
 return func(c *gin.Context) {
 // Create a custom handler that ensures gin context is available
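Review bot: The limit in `srv.Use(extension.FixedComplexityLimit(300))` is a bare literal with no recorded rationale, and unless per-field `Complexity` functions are configured gqlgen's default counting (one per selected field, summed over the selection) bounds depth only indirectly and does not weight list arguments, so a shallow query over a large list costs about the same as a scalar one. Aliased repeats of a mutation inside one operation still count toward the same sum, so the cap reduces rather than removes per-request batching of sensitive operations; a rate limit on those resolvers remains the primary control and the commit message should not imply the cap alone closes that. Confirm that the playground's introspection query stays under the cap, since it appears to be subject to the same counting (verify against the gqlgen version in go.mod). I would replace the literal with a named constant: `const maxQueryComplexity = 300 // bound on summed per-operation field complexity; revisit if introspection or legitimate clients exceed it` and `srv.Use(extension.FixedComplexityLimit(maxQueryComplexity))`. GraphqlHandler begins and ends outside the hunk.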