GraphAttack
GraphQL analyser for blocking & throttling.
Usage
This gem adds a field extension that limits how often a GraphQL field can be called from the same IP:

```rb
class QueryType < GraphQL::Schema::Object
  field :some_expensive_field, String, null: false do
    extension(GraphAttack::RateLimit, threshold: 15, interval: 60)
  end

  # …
end
```
If using GraphQL::Ruby's legacy schema definition:

```rb
QueryType = GraphQL::ObjectType.define do
  name 'Query'

  field :someExpensiveField do
    rate_limit threshold: 15, interval: 60
    # …
  end
end
```

This would allow only 15 calls per minute by the same IP.
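To make the `threshold` / `interval` contract concrete, here is an added example (not GraphAttack's own code) of a per-IP counter built on the two Redis commands such a limiter needs, `INCR` and `EXPIRE`. The `FakeRedis` store, the `IpRateLimiter` class, the key format and the fixed-window strategy are all illustrative assumptions; the gem keeps its counters in a real Redis instance and its exact windowing may differ. The clock is injectable so the window can be advanced without sleeping.

```ruby
# Added example, not part of the GraphAttack gem.
# A minimal stand-in for Redis that supports just INCR and EXPIRE,
# with an injectable clock (a lambda returning epoch seconds).
class FakeRedis
  def initialize(clock)
    @clock = clock
    @data = {} # key => [count, expires_at_or_nil]
  end

  # INCR: create the key at 0 if absent, add one, return the new value.
  def incr(key)
    purge(key)
    entry = (@data[key] ||= [0, nil])
    entry[0] += 1
  end

  # EXPIRE: set a TTL on an existing key; returns false if the key is missing.
  def expire(key, seconds)
    purge(key)
    return false unless @data.key?(key)

    @data[key][1] = @clock.call + seconds
    true
  end

  private

  # Drop the key once its TTL has elapsed, like Redis lazy expiry.
  def purge(key)
    entry = @data[key]
    @data.delete(key) if entry && entry[1] && entry[1] <= @clock.call
  end
end

# Fixed-window limiter: at most `threshold` calls per `interval` seconds,
# counted separately for each IP and each field.
class IpRateLimiter
  def initialize(threshold:, interval:, redis:, field_name:)
    @threshold = threshold
    @interval = interval
    @redis = redis
    @field_name = field_name
  end

  # Returns true when the call may proceed, false once the IP has exceeded
  # `threshold` calls inside the current window.
  def allow?(ip)
    key = "graph_attack:#{@field_name}:#{ip}" # hypothetical key layout
    count = @redis.incr(key)
    # The first hit opens the window; the key disappears `interval` seconds later.
    @redis.expire(key, @interval) if count == 1
    count <= @threshold
  end
end
```

One caveat the stand-in makes visible: `INCR` followed by `EXPIRE` is two round trips, so a crash between them leaves a key with no TTL and that IP stays blocked until the key is removed by hand. Production code should set the TTL atomically (for example in a `MULTI` block or a Lua script).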
Requirements
Requires GraphQL Ruby and a running instance of Redis.
Installation
Add these lines to your application's Gemfile:

```rb
# GraphQL analyser for blocking & throttling by IP.
gem 'graph_attack'
```

And then execute:

```sh
$ bundle
```
If using GraphQL::Ruby's legacy schema definition, add the query analyser to your schema:

```rb
ApplicationSchema = GraphQL::Schema.define do
  query_analyzer GraphAttack::RateLimiter.new
  # …
end
```

Finally, make sure you add the current user's IP address as `ip:` to the
GraphQL context. E.g.:
```rb
class GraphqlController < ApplicationController
  def create
    result = ApplicationSchema.execute(
      params[:query],
      variables: params[:variables],
      context: {
        ip: request.ip,
      },
    )
    render json: result
  end
end
```
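The value placed in `ip:` is the rate-limit key, so it must be one the client cannot choose. Behind a reverse proxy the peer address is the proxy, and the real client only appears in `X-Forwarded-For`; if that header is trusted blindly, a client can send a fresh fake address with every request and never hit the threshold. The following added example (not part of GraphAttack) shows the usual rule: skip only hops that are in a list of trusted proxies and take the first address from the right that is not trusted, falling back to the TCP peer. `TRUSTED_PROXIES`, `client_ip` and the sample Rack `env` hashes are constructed for this example; Rails' `request.remote_ip` with `config.action_dispatch.trusted_proxies` implements the same rule.

```ruby
# Added example, not part of the GraphAttack gem.
require "ipaddr"

# Networks whose X-Forwarded-For additions we believe (assumption for the example).
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1"].map { |cidr| IPAddr.new(cidr) }.freeze

# True when `addr` parses as an IP and lies inside one of the trusted networks.
def trusted?(addr, trusted_proxies)
  ip = IPAddr.new(addr)
  trusted_proxies.any? { |net| net.include?(ip) }
rescue IPAddr::InvalidAddressError
  false
end

# Derive the client IP from a Rack env hash.
#   - If the TCP peer is not a trusted proxy, the header is attacker-controlled
#     and is ignored entirely.
#   - Otherwise walk X-Forwarded-For from the right (nearest hop first),
#     discarding trusted proxies; the first untrusted address is the client.
#   - With no usable header entry, fall back to the peer address.
def client_ip(env, trusted_proxies: TRUSTED_PROXIES)
  remote_addr = env.fetch("REMOTE_ADDR")
  return remote_addr unless trusted?(remote_addr, trusted_proxies)

  forwarded = env.fetch("HTTP_X_FORWARDED_FOR", "")
                 .split(",").map(&:strip).reject(&:empty?)

  forwarded.reverse_each do |addr|
    return addr unless trusted?(addr, trusted_proxies)
  end

  remote_addr
end

# In the controller above this would be used as:
#   context: { ip: client_ip(request.env) }
```

Keep the trusted list to the proxies you actually operate: every extra network in it is one more place from which a forged header would be accepted as the client address.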
Configuration
Use a custom Redis client instead of the default:

```rb
field :some_expensive_field, String, null: false do
  extension(
    GraphAttack::RateLimit,
    threshold: 15,
    interval: 60,
    redis_client: Redis.new(url: "…"),
  )
end
```
If using GraphQL::Ruby's legacy schema definition:

```rb
query_analyzer GraphAttack::RateLimiter.new(
  redis_client: Redis.new(url: "…")
)
```

Development
After checking out the repo, run bin/setup to install dependencies. Then, run
rake to run the tests and the linter. You can also run bin/console for an
interactive prompt that will allow you to experiment.
Versioning
We use SemVer for versioning. For the versions available, see the tags on this repository.
Releasing
To release a new version, update the version number in version.rb, commit,
and then run bundle exec rake release, which will create a git tag for the
version, push git commits and tags, and push the .gem file to
rubygems.org.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/sunny/graph_attack. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
Code of Conduct
Everyone interacting in the GraphAttack project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.
License
This project is licensed under the MIT License - see the LICENSE.md file for details.
Authors
- Fanny Cheung - KissKissBankBank
- Sunny Ripert - KissKissBankBank
Acknowledgments
Hat tip to Rack::Attack for the name.