ravangen / graphql-rate-limit

🚦 Fixed window rate limiting middleware for GraphQL. Use to limit repeated requests to queries and mutations.
https://www.npmjs.com/package/graphql-rate-limit-directive
MIT License
316 stars, 12 forks

[Feature request] rate limiting on field arguments #413

Open felamaslen opened 1 week ago

felamaslen commented 1 week ago

Love this plugin! It works really well for the described use case and is flexible enough for different implementations.

However, one thing which doesn't seem to be supported is rate limiting a single field argument. Is there a reason for this?

It would be nice if you could do this:

```graphql
extend type Mutation {
  myMutation(
    argWithRateLimit: Int
      @rateLimit(limit: 3, duration: 3600)
    argWithoutRateLimit: Boolean
  ): MyMutation
}
```

Rate limiting would then be effective only when passing argWithRateLimit (either as null or an integer, in this case). When omitting the argument, rate limiting would not apply.

An example use case is in a login mutation, where you can optionally claim a resource during login (such as a coupon). You do not want to rate limit logins in general, but those which intend to claim a voucher should be rate limited (to prevent voucher code enumeration attacks, brute forcing, etc.).

Implementation

I don't think this would be that tricky to implement. Make the directive apply on ARGUMENT_DEFINITION, and add a mapper over the fieldConfig.args in [MapperKind.OBJECT_FIELD]. Any arg with the given directive should trigger rate limiting.

ravangen commented 1 week ago

👋 Thanks for the feedback ❤️

Given you've closed your PR and have a workaround, I'm inclined to keep it simple and not support applying to arguments.

I haven't done it, but a custom pointsCalculator for the mutation field would have access to args, so you could have different outcomes based on input values. When its result is 0, it will not trigger any rate limit logic.
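Worked example of the pointsCalculator approach described above, as an added illustration that is not code from the project or from either commenter. It assumes the option name and signature documented in the package README, `pointsCalculator(directiveArgs, source, args, context, info) => number`, and that `@rateLimit(limit: 3, duration: 3600)` is placed on `Mutation.myMutation` from the feature request. The `FixedWindowLimiter` class and the `info` object are constructed stand-ins so the file runs without `graphql` or `graphql-rate-limit-directive` installed; in a real deployment the library's limiter (rate-limiter-flexible) does the counting.

```javascript
'use strict';

// Cost function in the shape graphql-rate-limit-directive expects for its
// `pointsCalculator` option. It charges one point only when the caller supplied
// argWithRateLimit; an omitted argument costs 0, which skips rate limiting.
// graphql-js leaves omitted arguments out of `args` entirely, while an explicit
// `null` is present with value null, so an own-property check distinguishes the
// two cases exactly as the feature request asks for.
function claimAwarePointsCalculator(directiveArgs, source, args, context, info) {
  const isClaimMutation =
    info.parentType.name === 'Mutation' && info.fieldName === 'myMutation';
  if (!isClaimMutation) {
    return 1; // any other @rateLimit field keeps the default cost of one point
  }
  return Object.prototype.hasOwnProperty.call(args, 'argWithRateLimit') ? 1 : 0;
}

// Options object you would pass to rateLimitDirective({ ... }); kept as plain
// data here so the example does not require the package at runtime.
const rateLimitOptions = { pointsCalculator: claimAwarePointsCalculator };

// Constructed fixed-window limiter (stand-in for rate-limiter-flexible).
// A 0-point consume never opens or advances a window, so it can never be limited.
class FixedWindowLimiter {
  constructor(limit, durationSeconds) {
    this.limit = limit;
    this.durationMs = durationSeconds * 1000;
    this.windows = new Map(); // key -> { start, consumed }
  }

  consume(key, points, now) {
    if (points <= 0) {
      return { limited: false, consumed: this.peek(key, now) };
    }
    let window = this.windows.get(key);
    if (!window || now - window.start >= this.durationMs) {
      window = { start: now, consumed: 0 };
      this.windows.set(key, window);
    }
    if (window.consumed + points > this.limit) {
      return { limited: true, consumed: window.consumed };
    }
    window.consumed += points;
    return { limited: false, consumed: window.consumed };
  }

  peek(key, now) {
    const window = this.windows.get(key);
    return window && now - window.start < this.durationMs ? window.consumed : 0;
  }
}

// Run a constructed sequence of myMutation argument objects through the
// calculator and the limiter, all inside one window, and report per call how
// many points were charged and whether the call would have been rejected.
// `directiveArgs` mirrors @rateLimit(limit: 3, duration: 3600).
function simulate(calls, directiveArgs = { limit: 3, duration: 3600 }) {
  const limiter = new FixedWindowLimiter(directiveArgs.limit, directiveArgs.duration);
  // Constructed GraphQLResolveInfo subset: only the two fields the calculator reads.
  const info = { parentType: { name: 'Mutation' }, fieldName: 'myMutation' };
  // Same "ParentType.fieldName" shape as the library's default keyGenerator.
  const key = `${info.parentType.name}.${info.fieldName}`;
  return calls.map((args, i) => {
    const points = rateLimitOptions.pointsCalculator(directiveArgs, undefined, args, {}, info);
    const { limited } = limiter.consume(key, points, 1000 + i);
    return { args, points, limited };
  });
}

// Constructed sample traffic: logins without a claim interleaved with claims.
const sampleCalls = [
  { argWithoutRateLimit: true },  // no claim -> 0 points, never limited
  { argWithRateLimit: 1 },        // claim 1
  { argWithRateLimit: null },     // explicit null still counts as a claim
  { argWithRateLimit: 2 },        // claim 3 (limit reached)
  { argWithoutRateLimit: false }, // still free
  { argWithRateLimit: 3 },        // 4th claim in the window -> limited
];

module.exports = { claimAwarePointsCalculator, rateLimitOptions, FixedWindowLimiter, simulate, sampleCalls };
```

Because a single pointsCalculator is shared by every `@rateLimit` usage, the field check at the top keeps the special case scoped to `myMutation`; the default key also means all callers share one window, so in practice you would pair this with a keyGenerator that includes a client identifier from `context`.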