Open FluorescentHallucinogen opened 5 years ago
You can grant a user N complexity points per hour and subtract the cost value for each query, then deny resolving it after reaching the limit.
You can use teamplanes/graphql-rate-limit (using the base rate limiter function) in a middleware to attach the rate limiter to query/mutation.
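The two suggestions above (a per-user complexity budget that is charged per operation, and a rate limiter attached from a middleware) can be shown together. The following is an added example, not code from type-graphql or from either graphql-rate-limit package: a fixed-window complexity budget keyed by user, plus a `guardOperation` helper shaped like what a global middleware would call before running a resolver. The `ComplexityBudget` class, the `BudgetDecision` shape and the `guardOperation` helper are all assumptions of this example; the operation costs and user ids in the usage block are constructed sample values. It also shows why a budget closes the gap cost analysis alone leaves: many cheap operations still drain the same budget as one expensive one.

```typescript
// Added example (not from type-graphql or graphql-rate-limit).
// Fixed-window budget: each key (user) gets `budget` complexity points per
// window of `windowMs`; every operation's cost is subtracted, and once the
// points are gone the operation is denied until the window rolls over.

interface Bucket {
  windowStart: number; // epoch ms when the current window began
  remaining: number;   // points left in the current window
}

interface BudgetDecision {
  allowed: boolean;
  remaining: number; // points left after this decision
  resetAt: number;   // epoch ms when the window resets
}

class ComplexityBudget {
  private readonly buckets = new Map<string, Bucket>();

  constructor(private readonly budget: number, private readonly windowMs: number) {}

  // `now` is injectable so the behaviour is deterministic in tests.
  consume(key: string, cost: number, now: number = Date.now()): BudgetDecision {
    let bucket = this.buckets.get(key);
    if (bucket === undefined || now - bucket.windowStart >= this.windowMs) {
      // First request from this key, or the previous window expired: refill.
      bucket = { windowStart: now, remaining: this.budget };
      this.buckets.set(key, bucket);
    }
    const resetAt = bucket.windowStart + this.windowMs;
    if (cost > bucket.remaining) {
      // Denied operations are not charged: the server did no resolving work.
      return { allowed: false, remaining: bucket.remaining, resetAt };
    }
    bucket.remaining -= cost;
    return { allowed: true, remaining: bucket.remaining, resetAt };
  }
}

// Hypothetical middleware-style guard: charge the budget before resolving.
// `cost` is whatever the complexity analysis computed for the operation.
function guardOperation<T>(
  budget: ComplexityBudget,
  userId: string,
  cost: number,
  resolve: () => T,
  now: number = Date.now(),
): T {
  const decision = budget.consume(userId, cost, now);
  if (!decision.allowed) {
    throw new Error(
      `Complexity budget exhausted for ${userId}; ` +
        `${decision.remaining} points left, resets at ${new Date(decision.resetAt).toISOString()}`,
    );
  }
  return resolve();
}

// Flood scenario: `count` operations of cost `costEach` from one user within one
// window. Returns how many were allowed. This is the case cost analysis alone
// misses: each operation is under the per-query limit, but the total is not.
function allowedUnderFlood(budgetPoints: number, windowMs: number, costEach: number, count: number): number {
  const budget = new ComplexityBudget(budgetPoints, windowMs);
  let allowed = 0;
  for (let i = 0; i < count; i++) {
    // constructed timestamps, one per millisecond, all inside the window
    if (budget.consume("user-42", costEach, i).allowed) allowed++;
  }
  return allowed;
}

// Usage (constructed values): 100 points per hour for "user-42".
const hourMs = 60 * 60 * 1000;
const demoBudget = new ComplexityBudget(100, hourMs);
const firstResult = guardOperation(demoBudget, "user-42", 30, () => "first query ran", 0);
console.log(firstResult, demoBudget.consume("user-42", 0, 0).remaining, "points left");
```

The deny path does not charge the budget, so a client that is already over the limit cannot make its own window worse, and the window boundary is computed from the first request in the window rather than from a timer, which keeps the limiter stateless apart from the map. In a real deployment the map would live in a shared store so that all instances behind a load balancer see the same remaining budget.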
@MichalLytek Is there an example of how to use graphql-rate-limit in a federated graph?
Query cost/complexity validation/analysis is not enough. See the following thread for more info: https://github.com/ravangen/graphql-rate-limit/issues/48.
TL;DR: Cost analysis won't care if you receive one request per second or a thousand. A malicious actor could craft an operation that remains under a cost limit, but send a large number of requests.
@19majkel94 Could you please add an example how to use the fixed window rate limiting in addition to query cost/complexity validation/analysis in type-graphql? PTAL at https://github.com/ravangen/graphql-rate-limit and https://github.com/teamplanes/graphql-rate-limit.