Is there a way to limit graphql endpoints? What are the current workarounds for this?
As a feature request, it might be a good idea to have something like https://django-ratelimit.readthedocs.io/en/v1.0.0/, where you can use decorators to ratelimit your APIs.
Why not just use django-ratelimit? You can use the graphql endpoint with decorators; this is how I did it with csrf exemption:
url(r'^graphql/$', csrf_exempt(GraphQLView.as_view(graphiql=True))),
Hi @zbyte64, haven't tried it yet, but doesn't that require a view class though? I was hoping I could do it on a per-mutation/query basis, i.e., I want to limit only my graphql/signup endpoint and not all graphql endpoints.
I see, in that case you would embed the is_ratelimited call in each mutation or resolver: https://django-ratelimit.readthedocs.io/en/v1.0.0/usage.html#is_ratelimited, where info.context is the request object the function needs.
Hmm, one solution could be a decorator that gets the class and resolver function,
then uses that as a key with the user's pk
in Redis with an auto-expire provision.
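A sketch of the per-resolver decorator discussed above, as an added example that is not code from this thread or from django-ratelimit. `ExpiringCounter` is a hypothetical in-memory stand-in for a Redis counter with expiry, `ratelimit` and `RateLimited` are hypothetical names, and the requests in `demo` are constructed; it also falls back to the client IP, since a signup caller has no user pk yet.

```python
import functools
import time
from types import SimpleNamespace

class ExpiringCounter:
    """In-memory stand-in for Redis INCR + EXPIRE (one fixed window per key)."""
    def __init__(self, clock=time.monotonic):
        self._clock, self._data = clock, {}   # key -> (count, window_end)
    def incr(self, key, ttl):
        now = self._clock()
        count, end = self._data.get(key, (0, now))
        if now >= end:                        # key expired: start a new window
            count, end = 0, now + ttl
        self._data[key] = (count + 1, end)
        return count + 1

class RateLimited(Exception):
    """Raised inside a resolver, so it surfaces in the GraphQL errors list."""
def ratelimit(store, limit, period):
    """Allow `limit` calls per `period` seconds, per resolver and per caller."""
    def decorator(resolver):
        @functools.wraps(resolver)
        def wrapper(root, info, **kwargs):
            request = info.context            # the request object, per the thread
            pk = getattr(getattr(request, "user", None), "pk", None)
            # Anonymous callers (signup) have no pk, so fall back to client IP.
            ident = f"user:{pk}" if pk is not None else f"ip:{request.META['REMOTE_ADDR']}"
            key = f"rl:{resolver.__qualname__}:{ident}"
            if store.incr(key, period) > limit:
                raise RateLimited(f"too many calls to {resolver.__name__}")
            return resolver(root, info, **kwargs)
        return wrapper
    return decorator

def demo():  # constructed requests: limit of 2 signups per 60 s per client
    now = [0.0]
    store = ExpiringCounter(clock=lambda: now[0])
    @ratelimit(store, limit=2, period=60)
    def resolve_signup(root, info, **kwargs):
        return "ok"
    def call(ip):
        ctx = SimpleNamespace(user=SimpleNamespace(pk=None), META={"REMOTE_ADDR": ip})
        try:
            return resolve_signup(None, SimpleNamespace(context=ctx))
        except RateLimited:
            return "limited"
    out = [call("203.0.113.5") for _ in range(3)] + [call("203.0.113.9")]
    now[0] = 61.0                             # first client's window has expired
    return out + [call("203.0.113.5")]
```

With a real Redis backend the counter corresponds to an `INCR` on the key plus an `EXPIRE` set on the first hit. Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the IP fallback needs the trusted forwarded address instead.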
This snippet may help you
I wrote a simple tool: https://pypi.org/project/django-graphql-ratelimit/