
Feature Request: Rate limiting and Scoring #2151

Open
ozum opened this issue May 9, 2019 · 5 comments

@ozum

commented May 9, 2019

Would like to have rate limiting (# per user per second) and scoring of query cost (score per user per minute etc.).

The points below, mentioned in https://blog.apollographql.com/securing-your-graphql-api-from-malicious-queries-16130a324a6b, seem nice to have in Hasura.

  • Size Limiting
  • Depth Limiting
  • Query Cost Analysis

Kind Regards,

@kriswep


commented May 13, 2019

I'd second this.

You could easily imagine malicious queries taking down APIs powered by Hasura.
For example, running the following query against the todo learning API takes some time, and you could easily extend the nesting there:

{
  todos {
    user {
      todos {
        id
        user {
          id
          todos {
            id
          }
        }
      }
    }
  }
}

For the record, there was some discussion around this in #346, #989 and #1283 but they don't seem to have led anywhere.
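The nesting shown in the query above is exactly what depth limiting and cost analysis are meant to stop before the request reaches the database. The following is an added example for this thread, not Hasura code and not the Apollo libraries linked in the first post: a small hand-written GraphQL walker that reports a query's nesting depth, field count and an estimated cost, and rejects anything it cannot parse (fragments, directives) rather than guessing. The cost model is an assumption of this example: a nested field is taken to return 10 rows unless it carries a `limit:` argument, whose value is used as the fan-out instead; the thresholds in `check_query` are likewise constructed.

```python
import re
from dataclasses import dataclass

# Constructed samples: the nested query from the comment above (one line) and a flat one.
NESTED_QUERY = "{ todos { user { todos { id user { id todos { id } } } } } }"
FLAT_QUERY = "{ todos { id title } }"

# String literals are matched first so braces inside them never count as nesting.
# Anything not matched (fragments, directives, block strings) is rejected: fail closed.
TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"|[A-Za-z_][A-Za-z0-9_]*|-?\d+(?:\.\d+)?|[{}()\[\]:!$,=]|\s+|#[^\n]*'
)


@dataclass
class QueryMetrics:
    depth: int        # deepest nesting; top-level fields are depth 1
    field_count: int  # fields selected anywhere in the query
    cost: int         # estimated rows touched (see the fan-out assumption below)


def tokenize(src):
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"unsupported syntax {src[pos]!r} at offset {pos}")
        pos, tok = m.end(), m.group(0)
        if not (tok.isspace() or tok.startswith("#")):   # drop whitespace and comments
            tokens.append(tok)
    return tokens


class QueryAnalyzer:
    """Recursive descent over one operation with fields, aliases, arguments, selection sets.

    Cost model (an assumption for this example, not Hasura's): a field with a
    selection set is assumed to return `default_fanout` rows unless it carries a
    `limit:` argument, and every returned row pays the cost of the child fields.
    """

    def __init__(self, tokens, default_fanout=10):
        self.toks, self.i = tokens, 0
        self.default_fanout, self.field_count = default_fanout, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, want=None):
        tok = self.peek()
        if tok is None or (want is not None and tok != want):
            raise ValueError(f"expected {want or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def skip_group(self, open_tok, close_tok):
        """Consume a balanced (...) group; return the tokens inside it."""
        self.take(open_tok)
        body, depth = [], 1
        while depth:
            tok = self.take()
            depth += (tok == open_tok) - (tok == close_tok)
            if depth:
                body.append(tok)
        return body

    def analyze(self):
        if self.peek() in ("query", "mutation", "subscription"):
            self.take()
            if self.peek() not in ("(", "{"):
                self.take()                      # operation name
            if self.peek() == "(":
                self.skip_group("(", ")")        # variable definitions
        depth, cost = self.selection_set(1)
        if self.peek() is not None:
            raise ValueError("only a single operation is supported")
        return QueryMetrics(depth, self.field_count, cost)

    def selection_set(self, level):
        """Parse `{ ... }` whose fields sit at `level`; return (max depth, summed cost)."""
        self.take("{")
        max_depth, cost = level, 0
        while self.peek() != "}":
            d, c = self.field(level)
            max_depth, cost = max(max_depth, d), cost + c
        self.take("}")
        return max_depth, cost

    def field(self, level):
        name = self.take()
        if self.peek() == ":":                   # alias, the real field name follows
            self.take()
            name = self.take()
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
            raise ValueError(f"bad field name {name!r}")
        self.field_count += 1
        fanout = self.default_fanout
        if self.peek() == "(":
            args = self.skip_group("(", ")")
            for j in range(len(args) - 2):
                if args[j:j + 2] == ["limit", ":"] and args[j + 2].isdigit():
                    fanout = int(args[j + 2])
        if self.peek() == "{":
            child_depth, child_cost = self.selection_set(level + 1)
            return child_depth, 1 + fanout * child_cost
        return level, 1


def analyze_query(query, default_fanout=10):
    return QueryAnalyzer(tokenize(query), default_fanout).analyze()


def check_query(query, max_depth=4, max_cost=1000):
    """Gateway decision as (allowed, reason); the limits are constructed examples."""
    m = analyze_query(query)
    if m.depth > max_depth:
        return False, f"depth {m.depth} exceeds limit {max_depth}"
    if m.cost > max_cost:
        return False, f"estimated cost {m.cost} exceeds budget {max_cost}"
    return True, f"ok (depth {m.depth}, cost {m.cost})"
```

Run against the query from the comment, `analyze_query(NESTED_QUERY)` reports depth 6 with 8 fields and an estimated cost of 122111, while the flat `{ todos { id title } }` is depth 2 and cost 21, so a depth cap of 4 or a cost budget of 1000 rejects the former and admits the latter. Because the cost multiplies along the nesting, it grows exponentially with depth, which is why depth limiting alone already removes most of the risk while a cost score is needed for wide but shallow queries.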

@coco98

Contributor

commented May 13, 2019

@kriswep Allowlists (#989) is ready for review and testing and should land soon. :)
#2075

The rest are fairly complicated and we're coming to it gradually!

@kriswep


commented May 13, 2019

That's good to hear, haven't seen that before.
But there are use cases which query whitelisting doesn't fulfill (having a public facing API with unknown clients).
Guess I hope other options like depth-limiting and cost analysis won't be forgotten.

@ozum

Author

commented May 14, 2019

> The rest are fairly complicated and we're coming to it gradually!

I agree. Maybe starting with depth limiting would be easier and have relatively great impact on stopping malicious queries.

@ptrobert


commented May 20, 2019

Wish List:
For rate limiting it will be good to have per user per min/hour/day/month limits.
A list of blocked users has to be maintained and the ability to unblock them.
Support for remote schemas as well.
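The per-user limits over several windows, the block list with unblock, and the per-minute scoring asked for in the first post all fit one small component. The following is an added example, not Hasura code: a sliding-window limiter keyed by user that checks every configured (budget, window) tier, charges an arbitrary `cost` per request so the same budget can be spent either one point per request or by a query score, and keeps a manual block list. The users, tiers and the `FakeClock` used to drive it are constructed for the example.

```python
import time
from collections import defaultdict, deque


class UserRateLimiter:
    """Per-user sliding-window budgets over several windows, plus a manual block list.

    `tiers` is a list of (budget, window_seconds), e.g. [(60, 60), (1000, 3600)]
    for 60 points per minute and 1000 per hour. Each request spends `cost` points,
    so the same limiter serves plain request counting (cost=1) and query-cost
    budgeting (cost = the score from an analyzer). The clock is injectable so the
    behaviour can be tested without sleeping.
    """

    def __init__(self, tiers, clock=time.monotonic):
        if not tiers:
            raise ValueError("at least one (budget, window) tier is required")
        self.tiers = sorted(tiers, key=lambda t: t[1])
        self.longest_window = self.tiers[-1][1]
        self.clock = clock
        self.spent = defaultdict(deque)   # user -> deque of (timestamp, cost), oldest first
        self.blocked = set()

    def block(self, user):
        """Manually block a user, e.g. after repeated limit violations."""
        self.blocked.add(user)

    def unblock(self, user):
        self.blocked.discard(user)

    def allow(self, user, cost=1):
        """Return (allowed, reason). Points are charged only when the request is allowed."""
        if user in self.blocked:
            return False, "user is blocked"
        now = self.clock()
        history = self.spent[user]
        while history and history[0][0] <= now - self.longest_window:
            history.popleft()                # forget events outside the longest window
        for budget, window in self.tiers:
            used = sum(c for ts, c in history if ts > now - window)
            if used + cost > budget:
                return False, f"budget of {budget} per {window}s exceeded ({used} used)"
        history.append((now, cost))
        return True, "ok"


class FakeClock:
    """Constructed test clock: time only moves when the caller advances it."""

    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


def demo():
    """Walk through the wish-list behaviour with constructed users and limits."""
    clock = FakeClock()
    limiter = UserRateLimiter(tiers=[(3, 60), (5, 3600)], clock=clock)
    results = [limiter.allow("alice")[0] for _ in range(4)]   # 3 allowed, 4th refused
    clock.advance(61)
    results.append(limiter.allow("alice")[0])                  # minute window has reset
    limiter.block("bob")
    blocked = limiter.allow("bob")
    limiter.unblock("bob")
    unblocked = limiter.allow("bob")
    return results, blocked, unblocked
```

Because events are kept per user with their cost, the hourly and daily tiers come for free from the same history, and the reason string tells the caller which tier refused the request, which is what an operator needs when deciding whether to block a user. In a multi-instance deployment the per-user history would live in a shared store rather than in process memory, but the decision logic stays the same.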
