
Fixed window rate limiting

Open FluorescentHallucinogen opened this issue 6 years ago • 2 comments

Query cost/complexity validation/analysis is not enough. See the following thread for more info: https://github.com/ravangen/graphql-rate-limit/issues/48.

TL;DR: Cost analysis won't care if you receive one request per second or a thousand. A malicious actor could craft an operation that remains under a cost limit, but send a large number of requests.

@19majkel94 Could you please add an example of how to use fixed window rate limiting in addition to query cost/complexity validation/analysis in type-graphql?

PTAL at https://github.com/ravangen/graphql-rate-limit and https://github.com/teamplanes/graphql-rate-limit.

FluorescentHallucinogen, May 19 '19 17:05

Cost analysis won't care if you receive one request per second or a thousand. A malicious actor could craft an operation that remains under a cost limit, but send a large number of requests.

You can grant a user N complexity points per hour and subtract the cost value for each query, then deny resolving it after reaching the limit.

You can use teamplanes/graphql-rate-limit (Using the base rate limiter function) in a middleware to attach the rate limiter to query/mutation.

MichalLytek, May 19 '19 19:05
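The budget scheme in the comment above (N complexity points per fixed window, subtract each operation's cost, deny once the window's budget is gone), as an added example that is not part of type-graphql, graphql-rate-limit, or this thread. It assumes the operation's complexity has already been computed by a cost-analysis validation rule (for instance graphql-query-complexity) and stored on the context as `operationCost`, and that the context also carries a `clientKey` (user id, or IP for anonymous callers); the `BudgetContext` shape, the `budgetCharged` flag and the middleware factory are assumptions made for this example. The store is an in-memory Map; a deployment with several API instances would back it with a shared store such as Redis.

```typescript
// Added example: fixed-window complexity budget plus a middleware in the shape
// type-graphql's MiddlewareFn uses ({ context }, next). type-graphql is not
// imported so the file runs stand-alone.

export interface BudgetDecision {
  allowed: boolean;
  remaining: number; // points left in the current window after this decision
  resetAt: number;   // ms timestamp at which the window resets
}

interface WindowState {
  windowStart: number;
  used: number;
}

export class FixedWindowComplexityBudget {
  private readonly windows = new Map<string, WindowState>();

  constructor(
    private readonly pointsPerWindow: number, // N complexity points per window
    private readonly windowMs: number,        // 60 * 60 * 1000 for one hour
  ) {
    if (pointsPerWindow <= 0 || windowMs <= 0) {
      throw new Error("budget parameters must be positive");
    }
  }

  // Try to spend `cost` points for `key`. Windows are aligned to fixed boundaries
  // (fixed window, not sliding); usage resets when the boundary passes. An
  // operation is either charged in full or rejected, never partially charged.
  consume(key: string, cost: number, now: number = Date.now()): BudgetDecision {
    if (!Number.isFinite(cost) || cost < 0) {
      throw new Error("cost must be a non-negative number");
    }
    const windowStart = now - (now % this.windowMs);
    let state = this.windows.get(key);
    if (!state || state.windowStart !== windowStart) {
      state = { windowStart, used: 0 };
      this.windows.set(key, state);
    }
    const resetAt = windowStart + this.windowMs;
    if (state.used + cost > this.pointsPerWindow) {
      return { allowed: false, remaining: this.pointsPerWindow - state.used, resetAt };
    }
    state.used += cost;
    return { allowed: true, remaining: this.pointsPerWindow - state.used, resetAt };
  }
}

// Assumed context shape: who is calling, what the operation costs (computed
// earlier by the cost-analysis rule), and whether this request was charged yet.
export interface BudgetContext {
  clientKey: string;
  operationCost: number;
  budgetCharged?: boolean;
}

export class ComplexityBudgetExceededError extends Error {
  constructor(public readonly resetAt: number) {
    super("complexity budget exhausted; window resets at " + new Date(resetAt).toISOString());
  }
}

// @UseMiddleware on a root query/mutation runs once per selected root field, so a
// request with several root fields would otherwise be charged several times; the
// budgetCharged flag makes the charge happen once per request.
export function makeComplexityBudgetMiddleware(
  budget: FixedWindowComplexityBudget,
  clock: () => number = Date.now,
) {
  return async ({ context }: { context: BudgetContext }, next: () => Promise<unknown>) => {
    if (!context.budgetCharged) {
      const decision = budget.consume(context.clientKey, context.operationCost, clock());
      if (!decision.allowed) throw new ComplexityBudgetExceededError(decision.resetAt);
      context.budgetCharged = true;
    }
    return next();
  };
}
```

A request whose cost exceeds the remaining budget is refused before any resolver runs and the error carries the reset time, which is what a client needs for a Retry-After style backoff; because the window is fixed rather than sliding, a client can still spend a full budget at the end of one window and another at the start of the next, so size N with that burst in mind.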

@MichalLytek Is there an example of how to use graphql-rate-limit in a federated graph?

sbilello, Jun 22 '21 23:06