Introduction

In this lesson, we'll focus on enhancing the security of your GraphQL API by implementing Rate Limiting.

Rate limiting is a mechanism to control the number of requests a client can make to your API within a specific time frame. It is essential for:

  • Preventing Abuse: Protects your server from malicious users sending excessive requests, which could overload the system.
  • Ensuring Fair Usage: Limits access to resources, ensuring equitable distribution among users.
  • Enhancing Security: Acts as a defense mechanism against denial-of-service (DoS) attacks.
  • Improving Performance: Maintains consistent performance under high traffic by throttling excessive requests.

We'll use the graphql-rate-limit package along with graphql-shield for this task, integrating with Apollo Server 4. By the end of this lesson, you'll know how to apply rate limiting to your GraphQL API, improving its security, performance, and reliability.

Defining the GraphQL Schema

The schema defines the data structure and allowable queries. Here's a simple schema for a books example without direct rate limiting directives:

  • This schema includes a Book type and a books query to fetch book data.
Creating the GraphQL Server and Applying Rate Limiting

We'll use graphql-shield to apply rate limiting middleware to our schema, enabling fine-grained control over each query:

The code starts by creating an executable schema using makeExecutableSchema, combining the defined type definitions and resolvers. A context interface, MyContext, is defined to capture the client's IP address, which is vital for identifying request sources. We use identifyContext with the client's IP address to differentiate users here, as there are no user's session or user's id in this particular demo example.

Rate limiting is enforced using createRateLimitRule, which tracks requests based on the client's IP. This rule is integrated into a permission layer via shield, applying a constraint on the books query to allow a maximum of 3 requests every 15 seconds per IP address. This limits how frequently a client can access the books data.

These constraints are applied to the schema through applyMiddleware, generating a schema with built-in rate limiting. An instance of ApolloServer is initialized with this schema, incorporating the defined rate limiting. The server is started using startStandaloneServer, listening on port 4000, and includes context configuration to correctly identify client IPs for rate limiting. A console message confirms server readiness.

Testing the Implementation

You can verify the rate limiting setup by running queries against the GraphQL API and ensuring limits are enforced:

Running this script demonstrates rate limiting in action, enforcing a maximum of three requests every 15 seconds with excess requests returning a 429 Too Many Requests response.

Lesson Summary

In this lesson, we demonstrated:

  • Creating a GraphQL schema and server with Apollo Server 4.
  • Integrating rate limiting using graphql-shield and the graphql-rate-limit rule.
  • Testing to confirm rate limits are effectively applied to queries by IP address.

By following these steps, you can better secure your GraphQL API against abuse and manage load efficiently.

Sign up
Join the 1M+ learners on CodeSignal
Be a part of our community of 1M+ users who develop and demonstrate their skills on CodeSignal