Open MichaelDao opened 2 years ago
Looking through the commit history, I found that this setting was ignored since mid-2019. The need for this appears to be very slim, so I am reformulating this issue as a feature request.
I am genuinely curious: why do you need this?
Batched requests are a vulnerability in the app. Since they are not a technical requirement, disabling them would help protect the app from username enumeration and denial of service attacks.
I am happy to aid in the development of this feature.
> protect the app from username enumeration

I think this has nothing to do with batched queries.

> denial of service attacks
Those are somewhat related, but I reckon you will need other sorts of protection for heavy attacks.
One can enumerate/DDoS without batched queries. Like this:

```graphql
mutation {
  try1: login(name: "try1", password: "try1password") {
    __typename
  }
  try2: login(name: "try2", password: "try2password") {
    __typename
  }
}
```
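To make the point above concrete, here is an added example (not Lighthouse code, and not from either participant) that counts how many root-level operations a request really carries, whether they arrive as a JSON array of queries (transport batching, which is what a `batched_queries` switch would control) or as aliased root fields inside a single query (which such a switch cannot see). The `mutation` and the JSON payloads are constructed for the example; the limit and the function names are assumptions, and the scanner is deliberately simple: fragment spreads are counted as one selection each rather than expanded.

```python
"""Count root-level GraphQL selections across both batching styles.

Added example, independent of Lighthouse. Two shapes are handled:
  1. transport batching: the HTTP body is a JSON array of {"query": ...}
  2. alias batching: one query whose root selection set holds many fields
A guard that only rejects shape 1 still lets shape 2 through, which is
why a per-request root-field budget is the more useful control.
"""
import json
import re

_NAME = r"[_A-Za-z][_0-9A-Za-z]*"


def _strip_strings_and_comments(q: str) -> str:
    """Blank out string literals and # comments so braces inside them are ignored."""
    out, i, n = [], 0, len(q)
    while i < n:
        c = q[i]
        if c == '"':
            if q.startswith('"""', i):           # block string
                j = q.find('"""', i + 3)
                j = n if j == -1 else j + 3
            else:                                # ordinary string, honour escapes
                j = i + 1
                while j < n and q[j] != '"':
                    if q[j] == "\\":
                        j += 1
                    j += 1
                j = min(j + 1, n)
            out.append('""')
            i = j
        elif c == "#":                           # comment runs to end of line
            j = q.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _count_fields(body: str) -> int:
    """Count selections in the text of one selection set (nested sets already removed)."""
    spreads = len(re.findall(r"\.\.\.", body))               # ...Frag / ... on Type: one each
    body = re.sub(r"\.\.\.\s*(on\s+)?" + _NAME, " ", body)
    body = re.sub(r"@" + _NAME, " ", body)                    # directives
    body = re.sub(_NAME + r"\s*:", " ", body)                 # aliases: "try1:" is not a field
    return spreads + len(re.findall(_NAME, body))


def root_field_count(query: str) -> int:
    """Total root-level selections over every operation in a GraphQL document."""
    src = _strip_strings_and_comments(query)
    depth = paren = 0
    head = ""        # depth-0 text since the previous top-level selection set
    body = ""        # depth-1 text of the current top-level selection set
    total = 0
    for c in src:
        if c == "(":
            paren += 1
            continue
        if c == ")":
            paren -= 1
            continue
        if paren:                     # argument lists never contain selections
            continue
        if c == "{":
            depth += 1
            continue
        if c == "}":
            depth -= 1
            if depth == 0:            # a top-level set just closed
                if not re.match(r"\s*fragment\b", head):   # fragment bodies are not roots
                    total += _count_fields(body)
                head, body = "", ""
            continue
        if depth == 0:
            head += c
        elif depth == 1:
            body += c
    return total


def request_root_field_count(raw_body: str) -> int:
    """Root selections in an HTTP body, summed over a JSON-array batch if present."""
    payload = json.loads(raw_body)
    items = payload if isinstance(payload, list) else [payload]
    return sum(root_field_count(item.get("query", "")) for item in items)


def exceeds_root_field_limit(raw_body: str, limit: int = 1) -> bool:
    """Assumed policy: reject any request carrying more than `limit` root selections."""
    return request_root_field_count(raw_body) > limit


# Constructed inputs (not captured traffic).
ALIAS_BATCH_QUERY = """mutation {
  try1: login(name: "try1", password: "try1password") { __typename }
  try2: login(name: "try2", password: "try2password") { __typename }
}"""
ALIAS_BATCH_BODY = json.dumps({"query": ALIAS_BATCH_QUERY})
ARRAY_BATCH_BODY = json.dumps([
    {"query": 'mutation { login(name: "try1", password: "p1") { __typename } }'},
    {"query": 'mutation { login(name: "try2", password: "p2") { __typename } }'},
])
SINGLE_BODY = json.dumps({"query": "{ me { id } }"})

if __name__ == "__main__":
    for label, body in (("single", SINGLE_BODY), ("array batch", ARRAY_BATCH_BODY),
                        ("alias batch", ALIAS_BATCH_BODY)):
        print(label, request_root_field_count(body), exceeds_root_field_limit(body))
```

Both batch shapes yield the same count, so the check applies the same budget regardless of how the attempts are packed; a login endpoint would combine it with per-account and per-IP rate limiting, since one attempt per request is still an attempt.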
We are trying to disable batched queries using the provided config setting:

```php
'batched_queries' => false,
```

The app still processes all incoming queries, however, seemingly ignoring the setting. I would expect an error to be thrown, an error message for each subsequent batched request, or the additional requests to be ignored entirely.

Steps to reproduce

Set `'batched_queries' => false` in the `config/lighthouse.php` file.

Output/Logs

Lighthouse Version

^5.38