Fixed window rate limiting

[FluorescentHallucinogen]

Query cost/complexity validation/analysis is not enough. See the following thread for more info: ravangen/graphql-rate-limit#48.

TL;DR: Cost analysis won't care if you receive one request per second or a thousand. A malicious actor could craft an operation that remains under a cost limit, but send a large number of requests.

@19majkel94 Could you please add an example how to use the fixed window rate limiting in addition to query cost/complexity validation/analysis in type-graphql?

PTAL at https://github.com/ravangen/graphql-rate-limit and https://github.com/teamplanes/graphql-rate-limit.

[MichalLytek]

Cost analysis won't care if you receive one request per second or a thousand. A malicious actor could craft an operation that remains under a cost limit, but send a large number of requests.

You can grant a user N complexity points per hour and substract the cost value for each query, then deny resolving it after reaching the limit.

You can use teamplanes/graphql-rate-limit (Using the base rate limiter function) in a middleware to attach the rate limiter to query/mutation.

[sbilello]

@MichalLytek Is there an example of how to use graphql-rate-limit in a federated graph?