GraphQL Operation Time Limit in Hasura Cloud

Hasura Cloud supports a slew of advanced security and performance features. One of the recent additions is the ability to time limit/timeout an operation if it takes more than n seconds.

GraphQL Operation Time Limit
GraphQL Operation Time Limit

Why do you need an operation time limit or timeout?

Operation timeouts are not new. They have been used in REST APIs to prevent large POST requests from being sent and abused. GraphQL is pretty flexible in that, it allows clients to query arbitrarily for large amount of data. Though this power is useful, it can be used with malicious intent. By making a large query, which hits the database, it can cause the underlying database to slow down, despite your frontend application not needing data from such a complex query and thus slowing down the experience of all users.

An operation time limit basically ensures that each operation only gets a certain configured time to process the request successfully.

Imagine a single GraphQL query hitting the database with many operations and statements internally being executed in a transaction. Multiply that with number of GraphQL requests being sent. The database will become the bottleneck due to this intent.

Global Time Limit

Hasura Cloud supports adding a time limit for operation globally. This will be a base to which the server falls back in case the specific role doesn't have a time limit configured.

Any upstream database queries are also cancelled for supported sources. Note that it currently supports only Postgres.

API Limits Global Timeout
API Limits Global Timeout

Time Limit per role

You can also configure a timeout per role. Lets say your project has a role called user, you can configure timeout for that particular role.

The metadata spec for enabling time limit look like this:

      user: 10
    global: 5

Long running Database Queries

Long running queries may interfere on the overall database performance. You can find the ones which are long running by executing the following SQL statement on the Data->SQL tab of the Console.

  now() - pg_stat_activity.query_start AS duration,
FROM pg_stat_activity
WHERE (now() - pg_stat_activity.query_start) > interval '1 minute';

The above statement shows the list of queries running for more than a minute. If the time limit was configured on Cloud, you can see that these queries will not go through Hasura Cloud and will error out with a time limit error.

What happens on an error?

The server responds with the following error object:

  "errors": [
      "extensions": {
        "path": "$",
        "code": "not-supported"
      "message": "The operation exceeded the time limit allowed for this project"

The underlying query execution to postgres will also be cancelled.

Things to note

  • The operation timeout applies to websocket protocol as well, if you are making queries and mutations through that.
  • The timeout also works with remote schemas and action requests.

The operation time limit feature is quite useful in cases where the underlying database (postgres) is affected with a long running query, bringing down the experience for all users of the application.

06 Jan, 2022
Subscribe to stay up-to-date on all things Hasura. One newsletter, once a month.
Accelerate development and data access with radically reduced complexity.