
Access Control rule: Rate limiting #220

@leoloso

Description


Feature Request

Create a new Access Control rule to deny access to resolve a field or directive when, within a certain amount of time, the number of requests from the same IP goes beyond the specified limit.

The block must receive inputs:

  • time: Amount of time (milliseconds)
  • limit: Number of times that the field/directive can be accessed in the amount of time

Context

It prevents malicious actors from bringing the GraphQL server down with DDoS attacks, and it blocks spammers and other threats.

Implementation details

To implement it, the request's data must be stored in the DB, including the originating IP, the timestamp, and the requested fields and directives. It can be distributed into two tables:

  1. Table gqlapi_requests, containing columns:
  • id
  • ip
  • timestamp
  • endpoint (optional)
  2. Table gqlapi_request_entities, containing columns:
  • id
  • request_id
  • field_or_directive

The value in column field_or_directive is:

  • If it is a field, the tuple Type.fieldName (eg: Post.title)
  • If it is a directive, the directive name starting with @ (eg: @translate)

Then, to find out if the rate limiting must be applied, we can execute the SQL query:

SELECT
  count(r.id)
FROM
  gqlapi_request_entities re
INNER JOIN
  gqlapi_requests r
ON
  re.request_id = r.id
WHERE
  re.field_or_directive = ${field_or_directive}
AND
  r.ip = ${ip}
AND
  r.timestamp > ${time_now} - ${time}

If the number of results is above the input limit, then deny access.
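The two tables and the counting query above, as an added, runnable example that is not the issue author's code nor part of the project: it models the schema in an in-memory sqlite3 database, stores each resolved request with its fields/directives, and runs the proposed JOIN to decide whether a (ip, field_or_directive) pair has exhausted its limit. Assumptions: timestamps are milliseconds since the epoch, the `${...}` placeholders are replaced by bound query parameters (so an IP or field name can never change the SQL), the check runs before the current request is recorded (so the count reaches "above the limit" exactly when `count >= limit` existing requests are already in the window), and denied requests are not logged. Sample IPs and timestamps are constructed.

```python
"""Rate-limit check over the issue's two-table design (added example, sqlite3)."""
import sqlite3

SCHEMA = """
CREATE TABLE gqlapi_requests (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    ip        TEXT    NOT NULL,
    timestamp INTEGER NOT NULL,   -- milliseconds since the epoch (assumption)
    endpoint  TEXT
);
CREATE TABLE gqlapi_request_entities (
    id                 INTEGER PRIMARY KEY AUTOINCREMENT,
    request_id         INTEGER NOT NULL REFERENCES gqlapi_requests(id),
    field_or_directive TEXT    NOT NULL
);
-- Indexes matching the WHERE clause keep the count cheap as the log grows.
CREATE INDEX idx_requests_ip_ts ON gqlapi_requests(ip, timestamp);
CREATE INDEX idx_entities_fod ON gqlapi_request_entities(field_or_directive, request_id);
"""

# The issue's query with bound parameters (?) in place of ${...} interpolation.
COUNT_SQL = """
SELECT count(r.id)
FROM gqlapi_request_entities re
INNER JOIN gqlapi_requests r ON re.request_id = r.id
WHERE re.field_or_directive = ?
  AND r.ip = ?
  AND r.timestamp > ?
"""


def open_db():
    """Create the two tables in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_request(conn, ip, entities, timestamp_ms, endpoint=None):
    """Store one resolved request and every field/directive it touched."""
    cur = conn.execute(
        "INSERT INTO gqlapi_requests (ip, timestamp, endpoint) VALUES (?, ?, ?)",
        (ip, timestamp_ms, endpoint),
    )
    request_id = cur.lastrowid
    conn.executemany(
        "INSERT INTO gqlapi_request_entities (request_id, field_or_directive) VALUES (?, ?)",
        [(request_id, entity) for entity in entities],
    )
    conn.commit()
    return request_id


def is_rate_limited(conn, ip, field_or_directive, limit, window_ms, now_ms):
    """True when `ip` already has `limit` or more hits on the entity inside the window.

    Counting happens before the current request is stored, so admitting it
    would push the total above `limit`; that is the issue's deny condition.
    """
    (count,) = conn.execute(
        COUNT_SQL, (field_or_directive, ip, now_ms - window_ms)
    ).fetchone()
    return count >= limit


def simulate():
    """Constructed scenario: at most 3 Post.title resolutions per 1000 ms per IP."""
    conn = open_db()
    ip, field, limit, window = "198.51.100.7", "Post.title", 3, 1000
    t0 = 1_700_000_000_000  # constructed epoch-ms base
    decisions = []
    for i in range(5):  # five requests 100 ms apart, all inside one window
        now = t0 + i * 100
        denied = is_rate_limited(conn, ip, field, limit, window, now)
        decisions.append(denied)
        if not denied:  # only requests that were actually resolved get logged
            record_request(conn, ip, [field, "@translate"], now, "/graphql")
    # Once the window has passed, the same IP is admitted again.
    decisions.append(is_rate_limited(conn, ip, field, limit, window, t0 + 5000))
    # A different field from the same IP has its own independent counter.
    decisions.append(is_rate_limited(conn, ip, "Post.content", limit, window, t0 + 400))
    return decisions


if __name__ == "__main__":
    print(simulate())  # → [False, False, False, True, True, False, False]
```

Because the IP and the field name are bound parameters, a value such as `198.51.100.7' OR '1'='1` is compared as a literal string and simply matches no rows; with the original `${ip}` interpolation the same value would rewrite the WHERE clause. The directive counter works the same way: after three logged requests, `@translate` from that IP is also limited at `limit=3`.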
