feat: graphql rate limiting directive

040f8408 · Nick · 2b54f659 · 040f8408 · 040f8408 · 040f8408
Commit 040f8408 authored Feb 15, 2019 by Nick
Showing with 12 additions and 4 deletions

CHANGELOG.md CHANGELOG.md +1 -0

package.json package.json +1 -0

index.js server/graph/index.js +8 -2

authentication.graphql server/graph/schemas/authentication.graphql +2 -2

yarn.lock yarn.lock +0 -0

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Added Page Delete functionality
 - Dev locale .yml files in `server/locales` are now loaded
 - Added SQLite dependencies in Docker image
+- Added rate limiting to login mutations
 ### Fixed
 - Fixed root admin refresh token fail

--- a/package.json
+++ b/package.json
@@ -68,6 +68,7 @@
    "getos": "3.1.1",
    "graphql": "14.1.1",
    "graphql-list-fields": "2.0.2",
+    "graphql-rate-limit-directive": "0.1.0",
    "graphql-subscriptions": "1.0.0",
    "graphql-tools": "4.0.4",
    "highlight.js": "9.14.2",

--- a/server/graph/index.js
+++ b/server/graph/index.js
@@ -6,6 +6,7 @@ const autoload = require('auto-load')
 const PubSub = require('graphql-subscriptions').PubSub
 const { LEVEL, MESSAGE } = require('triple-beam')
 const Transport = require('winston-transport')
+const { createRateLimitTypeDef, createRateLimitDirective } = require('graphql-rate-limit-directive')
 /* global WIKI */
@@ -17,7 +18,7 @@ WIKI.GQLEmitter = new PubSub()
 // Schemas
-let typeDefs = []
+let typeDefs = [createRateLimitTypeDef()]
 let schemas = fs.readdirSync(path.join(WIKI.SERVERPATH, 'graph/schemas'))
 schemas.forEach(schema => {
  typeDefs.push(fs.readFileSync(path.join(WIKI.SERVERPATH, `graph/schemas/${schema}`), 'utf8'))
@@ -33,7 +34,12 @@ resolversObj.forEach(resolver => {
 // Directives
-let schemaDirectives = autoload(path.join(WIKI.SERVERPATH, 'graph/directives'))
+let schemaDirectives = {
+  ...autoload(path.join(WIKI.SERVERPATH, 'graph/directives')),
+  rateLimit: createRateLimitDirective({
+    keyGenerator: (directiveArgs, source, args, context, info) => `${context.req.ip}:${info.parentType}.${info.fieldName}`
+  })
+}
 // Live Trail Logger (admin)

--- a/server/graph/schemas/authentication.graphql
+++ b/server/graph/schemas/authentication.graphql
@@ -29,12 +29,12 @@ type AuthenticationMutation {
    username: String!
    password: String!
    strategy: String!
-  ): AuthenticationLoginResponse
+  ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60)
  loginTFA(
    loginToken: String!
    securityCode: String!
-  ): DefaultResponse
+  ): DefaultResponse @rateLimit(limit: 5, duration: 60)
  register(
    email: String!

--- a/yarn.lock
+++ b/yarn.lock