graph_attack 2.4.0 (bundler / Rubygems)

GraphAttack

GraphQL analyser for blocking & throttling.

Usage

This gem adds a method to limit access to your GraphQL fields by IP address:

class QueryType < GraphQL::Schema::Object
  field :some_expensive_field, String, null: false do
    extension GraphAttack::RateLimit, threshold: 15, interval: 60
  end

  # …
end

This would allow only 15 calls per minute by the same IP address.

Requirements

Requires GraphQL Ruby and a running instance of Redis.

Installation

Add these lines to your application’s Gemfile:

# GraphQL analyser for blocking & throttling by IP.
gem "graph_attack"

And then execute:

$ bundle

Finally, make sure you add the current user’s IP address to the GraphQL context under the ip: key, e.g.:

class GraphqlController < ApplicationController
  def create
    result = ApplicationSchema.execute(
      params[:query],
      variables: params[:variables],
      context: {
        ip: request.ip,
      },
    )
    render json: result
  end
end

If that key is nil, throttling will be disabled.

Configuration

Custom context key

If you want to throttle on a value other than the IP address, choose the context key to use with the on option, e.g.:

extension GraphAttack::RateLimit,
          threshold: 15,
          interval: 60,
          on: :client_id
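The two behaviours described above (15 calls per minute per context key, throttling disabled when that key is nil, and the on: option selecting the key) can be seen in isolation with the following added example. It is not graph_attack's own code: ToyRateLimit is a simplified fixed-window counter with a Hash standing in for Redis and an injectable clock, written here to illustrate what the extension enforces, not how the gem implements it.

```ruby
# Added illustration, not the gem's implementation: a fixed-window counter
# keyed on one context value, modelling the options on this page.
class ToyRateLimit
  RateLimited = Class.new(StandardError)

  # threshold: calls allowed per interval (seconds); on: the context key to
  # throttle by (the gem defaults to :ip). store stands in for Redis.
  def initialize(threshold: 15, interval: 60, on: :ip, store: {}, clock: -> { Time.now.to_f })
    @threshold, @interval, @on, @store, @clock = threshold, interval, on, store, clock
  end

  # Resolve a field: returns the block's value, or raises once the caller's
  # key has exceeded the threshold within the current window.
  def resolve(context)
    key = context[@on]
    # As the README states: a nil context key disables throttling entirely.
    return yield if key.nil?

    window = (@clock.call / @interval).floor
    bucket = "graph_attack:#{@on}:#{key}:#{window}"
    count = @store[bucket] = @store.fetch(bucket, 0) + 1
    raise RateLimited, "rate limit exceeded for #{@on}=#{key}" if count > @threshold

    yield
  end
end

# Drive the limiter the way the README's example field would be hit: 15 calls
# per minute from one IP succeed, the 16th is rejected, another IP and a nil
# key are unaffected, and the next window starts fresh. Returns a summary Hash.
def demo_rate_limit
  now = 1_700_000_000.0 # constructed fixed timestamp so the window is deterministic
  limiter = ToyRateLimit.new(threshold: 15, interval: 60, clock: -> { now })
  allowed = 0
  15.times { limiter.resolve(ip: "203.0.113.10") { allowed += 1 } }
  rejected = begin
    limiter.resolve(ip: "203.0.113.10") { :value }
    false
  rescue ToyRateLimit::RateLimited
    true
  end
  other_ip_ok = limiter.resolve(ip: "203.0.113.11") { :value } == :value
  nil_key_ok = limiter.resolve(ip: nil) { :value } == :value
  by_client = ToyRateLimit.new(threshold: 1, interval: 60, on: :client_id, clock: -> { now })
  by_client.resolve(client_id: "app-1", ip: nil) { :value }
  client_rejected = begin; by_client.resolve(client_id: "app-1") { :value }; false; rescue ToyRateLimit::RateLimited; true; end
  now += 60 # advance into the next one-minute window
  next_window_ok = limiter.resolve(ip: "203.0.113.10") { :value } == :value
  { allowed: allowed, sixteenth_rejected: rejected, other_ip_ok: other_ip_ok,
    nil_key_disables_throttling: nil_key_ok, custom_key_rejected: client_rejected,
    next_window_ok: next_window_ok }
end
```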

Custom Redis client

Use a custom Redis client instead of the default with the redis_client option:

extension GraphAttack::RateLimit,
          threshold: 15,
          interval: 60,
          redis_client: Redis.new(url: "…")

Common configuration

To have a default configuration for all rate-limited fields, you can create an initializer:

GraphAttack.configure do |config|
  # config.threshold = 15
  # config.interval = 60
  # config.on = :ip
  # config.redis_client = Redis.new
end

Development

After checking out the repo, run bin/setup to install dependencies. Then, run bin/rake to run the tests and the linter. You can also run bin/console for an interactive prompt that will allow you to experiment.

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

Releasing

To release a new version, update the version number in version.rb and in the CHANGELOG.md. Update the README.md if there are missing segments, make sure tests and linting are pristine by calling bundle && bin/rake, then create a commit for this version, for example with:

git add --patch
git commit -m v`ruby -rbundler/setup -rgraph_attack/version -e "puts GraphAttack::VERSION"`

You can then run bin/rake release, which will assign a git tag, push using git, and push the gem to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/sunny/graph_attack. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

Code of Conduct

Everyone interacting in the GraphAttack project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

License

This project is licensed under the MIT License - see the LICENSE.md file for details.

Authors

Acknowledgments

Hat tip to Rack::Attack for the name.

Sponsored by Cults.

Package last updated on 21 Mar 2025