Rate Limit by specific Queries or Mutations
In many cases, you have certain mutations or queries that are more expensive than others.
To account for that, we provide you with a helper called byField, which will create a few rate limiting rules for you.
import { Config } from 'stellate'
import { byField } from 'stellate/rate-limiting'
const config: Config = {
config: {
rateLimits: (req) => {
return byField(req, {
name: 'Limit queries and mutations',
state: 'enabled',
groupBy: 'ip',
queryFields: {
// Allow querying `products` 10 times per minute per consumer
products: { budget: 10, window: '1m' },
product: { budget: 10, window: '1m' },
},
mutationFields: {
// Only allow adding three products to the cart per five seconds
addToCart: { budget: 3, window: '5s' },
},
})
},
},
}
export default config
This can be combined together with the baseline protection of limiting requests per second as well:
import { Config } from 'stellate'
import { byField } from 'stellate/rate-limiting'
const config: Config = {
config: {
rateLimits: (req) => [
...byField(req, {
name: 'Limit queries and mutations',
state: 'enabled',
groupBy: 'ip',
queryFields: {
// Allow querying `products` 10 times per minute per consumer
products: { budget: 10, window: '1m' },
product: { budget: 10, window: '1m' },
},
mutationFields: {
// Only allow adding three products to the cart per second
addToCart: { budget: 3, window: '1s' },
},
}),
// fall back to request count to make sure the consumer is not abusing the rest of the API
{
name: 'IP limit',
// Requests will be grouped by ip
groupBy: 'ip',
state: 'enabled',
// Limit consumers that do more than 50 requests in the last 60 seconds
limit: {
type: 'RequestCount',
window: '1m',
budget: 50,
},
},
],
},
}
export default config