graphql-rate-limit

[Feature request] rate limiting on field arguments

Open · felamaslen opened this issue 4 months ago · 1 comment

Love this plugin! It works really well for the described use case and is flexible enough for different implementations.

However, one thing which doesn't seem to be supported is rate limiting a single field argument. Is there a reason for this?

It would be nice if you could do this:

extend type Mutation {
  myMutation(
    # Only calls that pass this argument (even as null) would be rate limited
    argWithRateLimit: Int
      @rateLimit(limit: 3, duration: 3600)
    # Passing only this argument would not trigger the limit
    argWithoutRateLimit: Boolean  # GraphQL's built-in scalar is Boolean, not Bool
  ): MyMutation
}

Rate limiting would then be effective only when passing argWithRateLimit (either as null or an integer, in this case). When omitting the argument, rate limiting would not apply.

An example use case is in a login mutation, where you can optionally claim a resource during login (such as a coupon). You do not want to rate limit logins in general, but those which intend to claim a voucher should be rate limited (to prevent voucher code enumeration attacks, brute forcing, etc.).

Implementation

I don't think this would be that tricky to implement. Make the directive apply on ARGUMENT_DEFINITION, and add a mapper over the fieldConfig.args in [MapperKind.OBJECT_FIELD]. Any arg with the given directive should trigger rate limiting.

felamaslen · Oct 15 '24 05:10
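As an added example (not code from graphql-rate-limit, nor the issue author's), here is the resolver-side core of what the proposal needs once the per-argument limits have been read off the `@rateLimit` directives: a wrapper that counts a call only when the marked argument is present in `args`, keyed per client, field and argument. The names `FixedWindowLimiter`, `wrapResolverForArgs`, `rateLimitedArgs` and the IP-based `identify` callback are this example's own assumptions; the `mapSchema` / `MapperKind.OBJECT_FIELD` wiring that would collect the directives and feed this wrapper is the part the post describes and is left out so the block runs without the graphql packages.

```javascript
// Added example (not code from graphql-rate-limit or the issue author):
// a resolver wrapper that rate limits a field only when a marked argument
// is *present* in the call, which is the behaviour the feature request asks for.

// In-memory fixed-window counter. A stand-in for whatever shared store a real
// deployment would use; per-process state like this does not survive restarts
// or span multiple instances.
class FixedWindowLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock, in milliseconds
    this.windows = new Map();  // key -> { start, count }
  }

  // Record one call under `key`. Returns true while the call is within
  // `limit` per `durationSeconds`, false once it exceeds it.
  hit(key, limit, durationSeconds) {
    const t = this.now();
    const entry = this.windows.get(key);
    if (!entry || t - entry.start >= durationSeconds * 1000) {
      this.windows.set(key, { start: t, count: 1 });
      return limit >= 1;
    }
    entry.count += 1;
    return entry.count <= limit;
  }
}

// `rateLimitedArgs` is what a mapper over fieldConfig.args (hypothetically run
// from MapperKind.OBJECT_FIELD, as proposed in the post) would collect from each
// argument carrying @rateLimit: { argName: { limit, duration } }.
// `identify(context)` derives the client key; keying on client IP is an
// assumption made for this example.
function wrapResolverForArgs(resolve, fieldName, rateLimitedArgs, limiter, identify) {
  return function rateLimitedResolve(source, args, context, info) {
    for (const [argName, { limit, duration }] of Object.entries(rateLimitedArgs)) {
      // graphql-js omits the key entirely for an argument the client did not
      // send, and keeps it (with value null) for an explicit `arg: null`.
      // Test presence, not truthiness, so `null` still counts as a claim
      // attempt and `0` or "" cannot be used to dodge the limit.
      if (!Object.prototype.hasOwnProperty.call(args, argName)) continue;
      const key = `${identify(context)}:${fieldName}:${argName}`;
      if (!limiter.hit(key, limit, duration)) {
        throw new Error(`Rate limit exceeded for ${fieldName}(${argName})`);
      }
    }
    return resolve(source, args, context, info);
  };
}

// Worked scenario from the post: login is unlimited, but a login that also
// tries to claim a coupon is capped at 3 per hour per client.
function demo() {
  let clock = 0;  // controllable clock so the window rollover is visible
  const limiter = new FixedWindowLimiter(() => clock);
  const login = (_source, args) => ({
    ok: true,
    couponClaimed: Object.prototype.hasOwnProperty.call(args, 'couponCode'),
  });
  const limitedLogin = wrapResolverForArgs(
    login, 'login', { couponCode: { limit: 3, duration: 3600 } }, limiter, (ctx) => ctx.ip);

  const ctx = { ip: '203.0.113.7' };  // constructed sample client
  const results = { plainLogins: 0, couponLogins: 0, blocked: 0, afterWindow: 0 };
  for (let i = 0; i < 20; i++) {
    limitedLogin(null, { user: 'a', password: 'p' }, ctx, null);  // no coupon: never limited
    results.plainLogins++;
  }
  for (const code of ['SAVE10', null, 'SAVE20', 'SAVE30']) {  // null still counts
    try {
      limitedLogin(null, { user: 'a', password: 'p', couponCode: code }, ctx, null);
      results.couponLogins++;
    } catch (e) {
      results.blocked++;
    }
  }
  clock = 3600 * 1000;  // an hour later the window has rolled over
  limitedLogin(null, { user: 'a', password: 'p', couponCode: 'SAVE40' }, ctx, null);
  results.afterWindow++;
  return results;  // { plainLogins: 20, couponLogins: 3, blocked: 1, afterWindow: 1 }
}

console.log(demo());
```

Two points a practitioner would check before relying on this: the presence test must be `hasOwnProperty`, not a truthiness or `!== undefined` check, otherwise `couponCode: null` (which the post explicitly wants counted) slips through; and a fixed window lets a client burst up to twice the limit across a window boundary, so a sliding window or token bucket is the tighter choice for an enumeration defence.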