nuwave / lighthouse

A framework for serving GraphQL from Laravel
https://lighthouse-php.com
MIT License

Allow disabling batched queries #2046

Open MichaelDao opened 2 years ago

MichaelDao commented 2 years ago

We are trying to disable batched queries using the provided config setting: 'batched_queries' => false,. The app still processes all incoming queries, however, seemingly ignoring the setting.

I would expect an error to be thrown, an error message for each subsequent batched request, or the additional requests to be ignored entirely.

Steps to reproduce

  1. Set 'batched_queries' => false in the config/lighthouse.php file
  2. Rebuild containers and/or clear caches as appropriate
  3. Send the below JSON as the body of a POST request to the graphql endpoint
  4. Receive a response containing an array of two results instead of denying the request
    [
    {
        "query": "query { batchOne: me { uuid } }"
    },
    {
        "query": "query { batchTwo: user(uuid: \"{UNIQUE_ID}\") { first_name } }"
    }
    ]

    Output/Logs: (screenshot not preserved)

    Lighthouse Version: ^5.38

spawnia commented 2 years ago

Looking through the commit history, I found that this setting was ignored since mid-2019. The need for this appears to be very slim, so I am reformulating this issue as a feature request.

I am genuinely curious: why do you need this?

MichaelDao commented 2 years ago

Batched requests are a vulnerability in the app. Since they are not a technical requirement, disabling them would help protect the app from username enumeration and denial of service attacks.

I am happy to aid in the development of this feature.

spawnia commented 2 years ago

> protect the app from username enumeration

I think this has nothing to do with batched queries.

> denial of service attacks

Those are somewhat related, but I reckon you will need other sorts of protection for heavy attacks.

k0ka commented 2 years ago

One can enumerate/ddos without batched queries. Like this:

mutation {
  try1: login(name: "try1", password: "try1password"){
    __typename
  }
  try2: login(name: "try2", password: "try2password"){
    __typename
  }
}
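The thread makes two separate points: the batch array in the original report is one request shape a server can refuse outright when batching is disabled, and k0ka's aliased mutation shows that a single operation can carry many root selections regardless of that setting. The following is an added example, not code from this thread or from Lighthouse, written in Python rather than the project's PHP so the logic reads on its own. It treats a request body the way a pre-executor guard would: reject JSON-array bodies when batching is off, and count the selections directly under each operation so that an alias-fan-out can be capped. The policy constants, function names and sample bodies are assumptions; the sample bodies are constructed from the requests quoted above. The root-field counter is a deliberately small tokenizer, not a full GraphQL parser; in a real server the same count comes more reliably from the parsed document (for example a validation rule over the operation's selection set).

```python
import json
import re
from typing import List, Tuple

# Policy values assumed for this example; they are not Lighthouse settings.
BATCHED_QUERIES_ALLOWED = False
MAX_ROOT_FIELDS = 5

# Constructed sample bodies, built from the requests quoted in this thread.
BATCH_BODY = json.dumps([
    {"query": "query { batchOne: me { uuid } }"},
    {"query": "query { batchTwo: user(uuid: \"{UNIQUE_ID}\") { first_name } }"},
])
ALIASED_MUTATION = """mutation {
  try1: login(name: "try1", password: "try1password"){ __typename }
  try2: login(name: "try2", password: "try2password"){ __typename }
}"""
ALIASED_BODY = json.dumps({"query": ALIASED_MUTATION})
SINGLE_BODY = json.dumps({"query": "query { me { uuid } }"})


def is_batched(body: str) -> bool:
    """GraphQL-over-HTTP batching sends a JSON array of operations."""
    try:
        return isinstance(json.loads(body), list)
    except json.JSONDecodeError:
        return False


def _strip_literals(query: str) -> str:
    """Blank out strings and comments so braces inside them do not affect nesting."""
    query = re.sub(r'"""[\s\S]*?"""', '""', query)       # block strings
    query = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', query)  # ordinary strings
    return re.sub(r'#[^\n]*', '', query)                 # comments


_TOKEN_RE = re.compile(r'[A-Za-z_]\w*|\.\.\.|[{}()\[\]:@$!=,]|-?\d[\w.]*')
_IDENT_RE = re.compile(r'[A-Za-z_]\w*')
# An identifier preceded by one of these is not a selection: the field after an
# alias, a directive name, a variable, a fragment spread, or a type condition.
_NOT_A_FIELD_AFTER = {':', '@', '$', '...', 'on'}


def count_root_fields(query: str) -> int:
    """Return the largest number of selections directly under any top-level
    selection set in the document (operations and fragment definitions)."""
    tokens = _TOKEN_RE.findall(_strip_literals(query))
    brace_depth = paren_depth = current = 0
    counts: List[int] = []
    prev = None
    for tok in tokens:
        if tok == '(':
            paren_depth += 1
        elif tok == ')':
            paren_depth -= 1
        elif tok == '{' and paren_depth == 0:   # braces inside arguments are input objects
            brace_depth += 1
            if brace_depth == 1:
                current = 0
        elif tok == '}' and paren_depth == 0:
            if brace_depth == 1:
                counts.append(current)
            brace_depth -= 1
        elif (brace_depth == 1 and paren_depth == 0 and _IDENT_RE.fullmatch(tok)
              and prev not in _NOT_A_FIELD_AFTER):
            current += 1                          # a field name or an alias
        prev = tok
    return max(counts, default=0)


def check_request(body: str, batching_allowed: bool = BATCHED_QUERIES_ALLOWED,
                  max_root_fields: int = MAX_ROOT_FIELDS) -> Tuple[bool, str]:
    """Decide whether a request body should reach the GraphQL executor."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return False, "body is not valid JSON"
    if isinstance(payload, list):
        if not batching_allowed:
            return False, f"batched request with {len(payload)} operations rejected"
        operations = payload
    elif isinstance(payload, dict):
        operations = [payload]
    else:
        return False, "unexpected JSON shape"
    for op in operations:
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str):
            return False, "operation without a query string"
        n = count_root_fields(query)
        if n > max_root_fields:
            return False, f"{n} root fields exceeds the limit of {max_root_fields}"
    return True, "ok"


if __name__ == "__main__":
    for label, body, limit in (("batch", BATCH_BODY, MAX_ROOT_FIELDS),
                               ("aliased mutation", ALIASED_BODY, 1),
                               ("single query", SINGLE_BODY, MAX_ROOT_FIELDS)):
        print(label, check_request(body, max_root_fields=limit))
```

With batching disabled the two-operation array from the report is refused before any resolver runs, while the aliased mutation passes that check and is only caught by the root-field limit; that is the distinction spawnia and k0ka draw, and it is why a cap on selections (or a cost/complexity rule) is the control that actually addresses alias fan-out. The threshold is a tuning decision: set it from the widest legitimate query your clients send.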