Ratelimit Queries
I would like to rate-limit queries and actions, not only mutations. Is it possible?
What is your goal in rate limiting queries? Cost savings? When parameters don't change, they are cached and don't incur database bandwidth.
For actions you can call a mutation at the start, ideally at the same time you're fetching other data and doing any logic around authorizing the action, so you have a green light after that to do all the work. If you are scheduling the action, you can rate limit before you schedule it, so it doesn't even happen if you didn't want to allow it.
Is there a way to add a rate-limit middleware to queries? One malicious user could spam queries with unique parameters. Converting all our queries to actions seems off.
You can check rate limiting from queries, but not consume tokens.
If you check auth immediately, then you can deny users that are spamming. You could add an alert in Axiom on your Log Stream to catch individual users being malicious, and individually block them until their token expires, e.g. setting a flag on their user.
If you start getting attacked, reach out and we can work on it, but note that a malicious user could send millions of such requests and you'd only pay a few dollars.
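As an added illustration (not code from this thread and not Convex's own rate limiter), the TypeScript below is an in-memory token bucket that separates the read-only check a query can run from the consume step that needs a write, and adds the "set a flag on their user" step mentioned above so that flagged users are refused cheaply before any database work. All names, limits and sample data are hypothetical.

```typescript
// Hypothetical in-memory token bucket: queries only *check*, mutations *consume*.
type Bucket = { tokens: number; updatedAt: number };

const CAPACITY = 5;          // burst size per user (assumed)
const REFILL_PER_SEC = 1;    // sustained rate per user (assumed)
const FLAG_AFTER_DENIALS = 20; // denials before the user is flagged (assumed)

const buckets = new Map<string, Bucket>();
const flaggedUsers = new Set<string>();     // the "flag on their user" from the thread
const denials = new Map<string, number>();

// Pure computation of the current token count; writes nothing.
function tokensAvailable(userId: string, now: number): number {
  const b = buckets.get(userId) ?? { tokens: CAPACITY, updatedAt: now };
  const refilled = b.tokens + ((now - b.updatedAt) / 1000) * REFILL_PER_SEC;
  return Math.min(CAPACITY, refilled);
}

// Query-side check: read-only, never decrements the bucket.
export function checkRateLimit(userId: string, now: number): boolean {
  return !flaggedUsers.has(userId) && tokensAvailable(userId, now) >= 1;
}

// Mutation-side consume: takes a token, or records a denial and flags the
// user once denials pass the threshold so later queries can refuse them.
export function consumeRateLimit(userId: string, now: number): boolean {
  const available = tokensAvailable(userId, now);
  if (flaggedUsers.has(userId) || available < 1) {
    const n = (denials.get(userId) ?? 0) + 1;
    denials.set(userId, n);
    if (n >= FLAG_AFTER_DENIALS) flaggedUsers.add(userId);
    return false;
  }
  buckets.set(userId, { tokens: available - 1, updatedAt: now });
  return true;
}

export function isFlagged(userId: string): boolean {
  return flaggedUsers.has(userId);
}

// Simulated read-only query handler: deny before touching any data.
export function listItemsQuery(userId: string, now: number): string[] | null {
  if (!checkRateLimit(userId, now)) return null; // cheap deny, no token consumed
  return ["item-1", "item-2"];                    // constructed sample data
}
```

In a real Convex deployment the bucket and flag would live in tables written by a mutation, and the query would read them to decide whether to proceed.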