chore: cr changes

i-love-flamingo · Dec 22, 2023 · a01d2ca · a01d2ca
1 parent 68892f4
commit a01d2ca
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 18 deletions.
diff --git a/Readme.md b/Readme.md
@@ -117,6 +117,16 @@ We recommend to namespace your Types and Type extensions with the Project name.
 For Flamingo Core Framework GraphQL Schema we use the prefix `Core_` and for Flamingo Commerce we use `Commerce_`
 
 
+## Config
+
+You can enable `LimitOperationAmountMiddleware` to prevent batching attack by setting `graphql.security.limitQueryAmountMiddleware.enable` to true. 
+
+`graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold` option can be used to set a threshold for the same operations called in a single request.
+
+`graphql.security.limitQueryAmountMiddleware.allOperationsThreshold` option can be used to set a threshold for all the operations called in a single request.
+
+
+
 ## Resources
 
 Learn GraphQL: https://graphql.org/learn/

diff --git a/limitQueryAmountMiddleware.go → limit_operation_amount.go b/limitQueryAmountMiddleware.go → limit_operation_amount.go
@@ -12,10 +12,12 @@ const (
 	allOperationsDefaultThreshold  = 10
 )
 
-func LimitQueryAmountMiddleware(
+var _ gql.OperationMiddleware = LimitOperationAmountMiddleware(nil)
+
+func LimitOperationAmountMiddleware(
 	cfg *struct {
-		SameOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.sameOperationsThreshold,optional"`
-		AllOperationsThreshold  int `inject:"config:graphql.limitQueryAmountMiddleware.allOperationsThreshold,optional"`
+		SameOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold,optional"`
+		AllOperationsThreshold  int `inject:"config:graphql.security.limitQueryAmountMiddleware.allOperationsThreshold,optional"`
 	},
 ) func(ctx context.Context, next gql.OperationHandler) gql.ResponseHandler {
 	return func(ctx context.Context, next gql.OperationHandler) gql.ResponseHandler {

diff --git a/limitQueryAmountMiddleware_test.go → limit_operation_amount_test.go b/limitQueryAmountMiddleware_test.go → limit_operation_amount_test.go
@@ -13,7 +13,7 @@ import (
 	"flamingo.me/graphql"
 )
 
-func Test_LimitQueryAmountMiddleware(t *testing.T) {
+func Test_LimitOperationAmountMiddleware(t *testing.T) {
 	t.Parallel()
 
 	t.Run("deny when there is too many same operations called", func(t *testing.T) {
@@ -24,10 +24,10 @@ func Test_LimitQueryAmountMiddleware(t *testing.T) {
 		srv.AddTransport(transport.GET{})
 		srv.AddTransport(transport.POST{})
 
-		srv.AroundOperations(graphql.LimitQueryAmountMiddleware(
+		srv.AroundOperations(graphql.LimitOperationAmountMiddleware(
 			&struct {
-				SameOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.sameOperationsThreshold,optional"`
-				AllOperationsThreshold  int `inject:"config:graphql.limitQueryAmountMiddleware.allOperationsThreshold,optional"`
+				SameOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold,optional"`
+				AllOperationsThreshold  int `inject:"config:graphql.security.limitQueryAmountMiddleware.allOperationsThreshold,optional"`
 			}{
 				SameOperationsThreshold: 2,
 				AllOperationsThreshold:  10,
@@ -50,10 +50,10 @@ func Test_LimitQueryAmountMiddleware(t *testing.T) {
 		srv.AddTransport(transport.GET{})
 		srv.AddTransport(transport.POST{})
 
-		srv.AroundOperations(graphql.LimitQueryAmountMiddleware(
+		srv.AroundOperations(graphql.LimitOperationAmountMiddleware(
 			&struct {
-				SameOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.sameOperationsThreshold,optional"`
-				AllOperationsThreshold  int `inject:"config:graphql.limitQueryAmountMiddleware.allOperationsThreshold,optional"`
+				SameOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold,optional"`
+				AllOperationsThreshold  int `inject:"config:graphql.security.limitQueryAmountMiddleware.allOperationsThreshold,optional"`
 			}{
 				SameOperationsThreshold: 27,
 				AllOperationsThreshold:  0,
@@ -76,10 +76,10 @@ func Test_LimitQueryAmountMiddleware(t *testing.T) {
 		srv.AddTransport(transport.GET{})
 		srv.AddTransport(transport.POST{})
 
-		srv.AroundOperations(graphql.LimitQueryAmountMiddleware(
+		srv.AroundOperations(graphql.LimitOperationAmountMiddleware(
 			&struct {
-				SameOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.sameOperationsThreshold,optional"`
-				AllOperationsThreshold  int `inject:"config:graphql.limitQueryAmountMiddleware.allOperationsThreshold,optional"`
+				SameOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold,optional"`
+				AllOperationsThreshold  int `inject:"config:graphql.security.limitQueryAmountMiddleware.allOperationsThreshold,optional"`
 			}{
 				SameOperationsThreshold: 10,
 				AllOperationsThreshold:  10,

diff --git a/module.go b/module.go
@@ -45,7 +45,7 @@ func (m *Module) Configure(injector *dingo.Injector) {
 	injector.BindMulti(new(cobra.Command)).ToProvider(command)
 
 	if m.enableLimitQueryAmountMiddleware {
-		injector.BindMulti(new(graphql.OperationMiddleware)).ToProvider(LimitQueryAmountMiddleware)
+		injector.BindMulti(new(graphql.OperationMiddleware)).ToProvider(LimitOperationAmountMiddleware)
 	}
 
 	web.BindRoutes(injector, new(routes))
@@ -154,10 +154,12 @@ graphql: {
 	multipartForm: {
 		uploadMaxSize: (int | *1.5M) & > 0
 	}
-	limitQueryAmountMiddleware: {
-		enable: bool | *false
-		sameOperationsThreshold: number | *2
-		allOperationsThreshold: number | *10
+	security: {
+		limitQueryAmountMiddleware: {
+			enable: bool | *false
+			sameOperationsThreshold: number | *2
+			allOperationsThreshold: number | *10
+		}
 	}
 }
 `