Ability to disable batch request processing #5686
Comments
|
I agree that this would be reasonable. Frankly perhaps you should have to opt in to allowing batch requests, although I don't want to do that for backwards-compatibility reasons. (I find the whole feature to be not very compelling — it's arguably a performance feature, but it means that every operation is as slow as the slowest among them... would rather work on making sure that pipelining/http2 works instead.) Adding a new |
glasser
added
⛲️ feature
|
That's a nice suggestion that could prove very useful. I'd like to pick this up - @glasser could you assign this to me please? |
|
We don't typically use the GitHub assignment feature for folks outside of the core team, but feel free to work on this and send a PR! Looking forward to it. |
|
Implemented in #5778. |
|
This is released in v3.5.0. |
It would be great to have a built-in ability to disable batch request processing and only allow one mutation/query per request. While batch queries can definitely be helpful in some cases to limit number of round-trips from client to server, they open major vulnerability to DDOS attacks and allow bad actors to make graphql server do their job for them.
One example that comes to mind is 2FA validation code. Let's say your server sends and SMS with 4 digit validation code and you have to enter that code to log into the site. With batch queries, you could create a script that would generate a batch of 9999 mutations with every permutation of 2FA code and one of them is going to be correct. Obviously, things like that should be protected in the code itself, but having an ability to disable batch requests would significantly simplify resolution of this issue, by using standard rate-limiting proxy server such as envoy rate limiter, for example.
The text was updated successfully, but these errors were encountered: