nextql-limit is a NextQL plugin that protects against excessive calls. NextQL, GraphQL, or any other data query layer is vulnerable to excessive or abusive calls (including denial-of-service attacks) when it is exposed as a service to third parties.
There are several possible solutions:
- Rate limiting: limit how many API calls can be made per unit of time; this can be deployed at the transport layer, for example on HTTP requests.
- Persisted queries: only allow predefined queries.
- Resource quotas: limit how much information can be returned. This can be deployed at the business logic layer.
- Limit request size: limit based on the query's shape.
The plugin implements the last solution. The idea is very simple: it calculates the query's metrics (how many method calls and how many fields are requested). If those metrics exceed the configured limits, it stops execution and throws an exception. nextql-limit only iterates through the properties of the JavaScript query object, so it should be very fast.
```sh
$ npm install --save nextql-limit
```
```javascript
const nextqlLimit = require('nextql-limit');
const NextQL = require("../../nextql"); // relative path as in the original example; use require("nextql") when installed from npm
const nextql = new NextQL();

// Register the plugin with its limits; queries above either limit are rejected before execution.
nextql.use(nextqlLimit, {
  calls: 2, // how many method calls are allowed per query
  fields: 20 // how many fields a query may request (for the sake of performance, [$params] is not filtered out and counts as a field)
});
```
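To make the "query shape" metric concrete, here is an added example of the same idea written from scratch; it is not nextql-limit's own code. It assumes a NextQL-style nested query object of the form `{ modelName: { methodName: { $params: {...}, field: 1, nested: { field: 1 } } } }` (an assumed shape for illustration), counts method calls and requested fields, stops measuring as soon as a limit is exceeded so that the measurement itself stays cheap, and throws before any resolver runs. The sample queries at the bottom are constructed for the example.

```javascript
// Added example (not nextql-limit's own code): a query-shape limiter that
// counts method calls and requested fields and rejects queries over budget.
// Assumed query shape (for illustration only):
//   { modelName: { methodName: { $params: {...}, field: 1, nested: { field: 1 } } } }

const DEFAULT_LIMITS = { calls: 2, fields: 20 };

class QueryLimitError extends Error {
  constructor(metric, actual, limit) {
    super(`query exceeds ${metric} limit: ${actual} > ${limit}`);
    this.name = 'QueryLimitError';
    this.metric = metric; // 'calls' or 'fields'
    this.actual = actual;
    this.limit = limit;
  }
}

// Walk one method's field selection iteratively (a stack, not recursion, so a
// deliberately deep query cannot exhaust the call stack). Every key counts as
// a field, including `$params`, which is counted but not descended into
// because its contents are arguments rather than requested fields.
// Returns early as soon as the field budget is exceeded.
function countFields(selection, metric, maxFields) {
  const stack = [selection];
  while (stack.length > 0) {
    const node = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    for (const key of Object.keys(node)) {
      metric.fields += 1;
      if (metric.fields > maxFields) return;
      const child = node[key];
      if (key !== '$params' && child !== null && typeof child === 'object') {
        stack.push(child);
      }
    }
  }
}

// Measure a query: calls = number of method keys under all models,
// fields = number of selection keys below those methods. Stops at the first
// exceeded limit, so the cost of measuring is itself bounded by the limits.
function measureQuery(query, limits = DEFAULT_LIMITS) {
  const metric = { calls: 0, fields: 0 };
  if (query === null || typeof query !== 'object') return metric;
  for (const modelName of Object.keys(query)) {
    const methods = query[modelName];
    if (methods === null || typeof methods !== 'object') continue;
    for (const methodName of Object.keys(methods)) {
      metric.calls += 1;
      if (metric.calls > limits.calls) return metric;
      countFields(methods[methodName], metric, limits.fields);
      if (metric.fields > limits.fields) return metric;
    }
  }
  return metric;
}

// Enforce the budget: throw before any resolver runs, return the metric otherwise.
function enforceLimits(query, limits = DEFAULT_LIMITS) {
  const metric = measureQuery(query, limits);
  if (metric.calls > limits.calls) throw new QueryLimitError('calls', metric.calls, limits.calls);
  if (metric.fields > limits.fields) throw new QueryLimitError('fields', metric.fields, limits.fields);
  return metric;
}

// Constructed sample queries (not taken from the page).
const SAMPLE_QUERY = {
  user: {
    get: { $params: { id: 1 }, name: 1, email: 1, profile: { avatar: 1, bio: 1 } }
  }
};
const TOO_MANY_CALLS = {
  user: { get: { name: 1 }, list: { name: 1 }, count: {} }
};

console.log(measureQuery(SAMPLE_QUERY)); // { calls: 1, fields: 6 }
try {
  enforceLimits(TOO_MANY_CALLS);
} catch (e) {
  console.log(e.message); // query exceeds calls limit: 3 > 2
}
```

The early return in both loops is the important design point: a limiter that fully walks a hostile query before deciding to reject it is itself an amplification target, so the measurement stops the moment a budget is crossed, and the iterative walk keeps a deeply nested selection from turning the check into a stack overflow.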
MIT © Giap Nguyen Huu