rpitv / glimpse

Monorepo for the RPI TV Glimpse project
MIT License

Bug: Users are able to submit queries at no rate limit #13

Open robere2 opened 1 year ago

robere2 commented 1 year ago

The GraphQL API has a complexity evaluation system (https://github.com/rpitv/glimpse-api/blob/master/src/gql/gql-complexity.plugin.ts), however this is only applied per-query. There is nothing stopping users from submitting thousands of queries per second, in effect bypassing the complexity limit. Additional stateful checks need to be added to prevent users from spamming requests.

Guest users also need to be taken into account. Storing things in sessions will not suffice, as this could have its own performance implications, and users are not guaranteed to keep their session cookie in subsequent requests.
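An added example of the kind of stateful check the issue asks for (this is illustration code, not code from the glimpse repository or its complexity plugin): a sliding-window budget that sums the per-query complexity score over time, keyed by user id for authenticated users and by client IP for guests, so no session state is required. The class and method names, the window size and the point budget are assumptions chosen for the example.

```typescript
// Constructed example, not part of rpitv/glimpse. Assumes the caller already has
// the complexity score that the per-query plugin computes and passes it in as `cost`.

interface Spend { cost: number; at: number }

class ComplexityBudget {
  private readonly history = new Map<string, Spend[]>();
  private readonly maxPoints: number;
  private readonly windowMs: number;
  private readonly now: () => number;

  // `now` is injectable so the window can be tested without real waiting.
  constructor(maxPoints: number, windowMs: number, now: () => number = () => Date.now()) {
    this.maxPoints = maxPoints;
    this.windowMs = windowMs;
    this.now = now;
  }

  // Guests have no reliable session, so fall back to the client IP as the key.
  static clientKey(userId: string | null, ip: string): string {
    return userId ? `user:${userId}` : `ip:${ip}`;
  }

  // Drop spends that have aged out of the window and return what is left.
  private pruned(key: string): Spend[] {
    const t = this.now();
    const live = (this.history.get(key) ?? []).filter(s => t - s.at < this.windowMs);
    this.history.set(key, live);
    return live;
  }

  // Points still available to this client in the current window.
  remaining(key: string): number {
    const spent = this.pruned(key).reduce((sum, s) => sum + s.cost, 0);
    return Math.max(0, this.maxPoints - spent);
  }

  // Record the query's cost and return true if it fits; rejected queries are not
  // recorded, so a burst of over-budget requests cannot extend its own lockout.
  tryConsume(key: string, cost: number): boolean {
    if (cost > this.remaining(key)) return false;
    this.pruned(key).push({ cost, at: this.now() });
    return true;
  }
}
```

The per-query complexity cap still applies on top of this: a single query costing more than the whole window budget is rejected by this check as well, which is the intended behaviour.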