From a01d2ca3ea7635564fab24564cd4e3070d93f130 Mon Sep 17 00:00:00 2001 From: Karol Nowak Date: Fri, 22 Dec 2023 10:58:09 +0100 Subject: [PATCH] chore: cr changes --- Readme.md | 10 ++++++++++ ...Middleware.go => limit_operation_amount.go | 8 +++++--- ..._test.go => limit_operation_amount_test.go | 20 +++++++++---------- module.go | 12 ++++++----- 4 files changed, 32 insertions(+), 18 deletions(-) rename limitQueryAmountMiddleware.go => limit_operation_amount.go (82%) rename limitQueryAmountMiddleware_test.go => limit_operation_amount_test.go (70%) diff --git a/Readme.md b/Readme.md index 1076405..da1128c 100644 --- a/Readme.md +++ b/Readme.md @@ -117,6 +117,16 @@ We recommend to namespace your Types and Type extensions with the Project name. For Flamingo Core Framework GraphQL Schema we use the prefix `Core_` and for Flamingo Commerce we use `Commerce_` +## Config + +You can enable `LimitOperationAmountMiddleware` to prevent batching attack by setting `graphql.security.limitQueryAmountMiddleware.enable` to true. + +`graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold` option can be used to set a threshold for the same operations called in a single request. + +`graphql.security.limitQueryAmountMiddleware.allOperationsThreshold` option can be used to set a threshold for all the operations called in a single request. + + + ## Resources Learn GraphQL: https://graphql.org/learn/ diff --git a/limitQueryAmountMiddleware.go b/limit_operation_amount.go similarity index 82% rename from limitQueryAmountMiddleware.go rename to limit_operation_amount.go index 4fd4c5a..ef0bf7a 100644 --- a/limitQueryAmountMiddleware.go +++ b/limit_operation_amount.go 
@@ -12,10 +12,12 @@ const ( allOperationsDefaultThreshold = 10 ) -func LimitQueryAmountMiddleware( +var _ gql.OperationMiddleware = LimitOperationAmountMiddleware(nil) + +func LimitOperationAmountMiddleware( cfg *struct { - SameOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.sameOperationsThreshold,optional"` - AllOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.allOperationsThreshold,optional"` + SameOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold,optional"` + AllOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.allOperationsThreshold,optional"` }, ) func(ctx context.Context, next gql.OperationHandler) gql.ResponseHandler { return func(ctx context.Context, next gql.OperationHandler) gql.ResponseHandler { diff --git a/limitQueryAmountMiddleware_test.go b/limit_operation_amount_test.go similarity index 70% rename from limitQueryAmountMiddleware_test.go rename to limit_operation_amount_test.go index 92e0c1f..8ce0156 100644 --- a/limitQueryAmountMiddleware_test.go +++ b/limit_operation_amount_test.go @@ -13,7 +13,7 @@ import ( "flamingo.me/graphql" ) -func Test_LimitQueryAmountMiddleware(t *testing.T) { +func Test_LimitOperationAmountMiddleware(t *testing.T) { t.Parallel() t.Run("deny when there is too many same operations called", func(t *testing.T) { 
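Review bot: The exported `LimitOperationAmountMiddleware` still carries no doc comment, and its inject tags keep the old `limitQueryAmountMiddleware` segment under the new `graphql.security` prefix, so the Go name and the config key now disagree after the rename (the same segment is repeated in the test file and in the CUE schema in module.go, so aligning it would touch all three). I would add above the func: `// LimitOperationAmountMiddleware returns an OperationMiddleware that denies a request whose batch contains more than SameOperationsThreshold copies of one operation or more than AllOperationsThreshold operations in total; a zero threshold presumably falls back to the package defaults such as allOperationsDefaultThreshold — confirm against the closure body, which continues past the hunk.` The new `var _ gql.OperationMiddleware = LimitOperationAmountMiddleware(nil)` line invokes the constructor with a nil cfg at package init, which is only safe as long as cfg is dereferenced inside the returned closure and never before it; within the hunk the constructor's first statement is `return func(...)`, so this appears to hold, but the closure body is outside the hunk.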
@@ -24,10 +24,10 @@ func Test_LimitQueryAmountMiddleware(t *testing.T) { srv.AddTransport(transport.GET{}) srv.AddTransport(transport.POST{}) - srv.AroundOperations(graphql.LimitQueryAmountMiddleware( + srv.AroundOperations(graphql.LimitOperationAmountMiddleware( &struct { - SameOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.sameOperationsThreshold,optional"` - AllOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.allOperationsThreshold,optional"` + SameOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold,optional"` + AllOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.allOperationsThreshold,optional"` }{ SameOperationsThreshold: 2, AllOperationsThreshold: 10, @@ -50,10 +50,10 @@ func Test_LimitQueryAmountMiddleware(t *testing.T) { srv.AddTransport(transport.GET{}) srv.AddTransport(transport.POST{}) - srv.AroundOperations(graphql.LimitQueryAmountMiddleware( + srv.AroundOperations(graphql.LimitOperationAmountMiddleware( &struct { - SameOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.sameOperationsThreshold,optional"` - AllOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.allOperationsThreshold,optional"` + SameOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold,optional"` + AllOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.allOperationsThreshold,optional"` }{ SameOperationsThreshold: 27, AllOperationsThreshold: 0, 
@@ -76,10 +76,10 @@ func Test_LimitQueryAmountMiddleware(t *testing.T) { srv.AddTransport(transport.GET{}) srv.AddTransport(transport.POST{}) - srv.AroundOperations(graphql.LimitQueryAmountMiddleware( + srv.AroundOperations(graphql.LimitOperationAmountMiddleware( &struct { - SameOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.sameOperationsThreshold,optional"` - AllOperationsThreshold int `inject:"config:graphql.limitQueryAmountMiddleware.allOperationsThreshold,optional"` + SameOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.sameOperationsThreshold,optional"` + AllOperationsThreshold int `inject:"config:graphql.security.limitQueryAmountMiddleware.allOperationsThreshold,optional"` }{ SameOperationsThreshold: 10, AllOperationsThreshold: 10, diff --git a/module.go b/module.go index b6168da..c6276b6 100644 --- a/module.go +++ b/module.go @@ -45,7 +45,7 @@ func (m *Module) Configure(injector *dingo.Injector) { injector.BindMulti(new(cobra.Command)).ToProvider(command) if m.enableLimitQueryAmountMiddleware { - injector.BindMulti(new(graphql.OperationMiddleware)).ToProvider(LimitQueryAmountMiddleware) + injector.BindMulti(new(graphql.OperationMiddleware)).ToProvider(LimitOperationAmountMiddleware) } web.BindRoutes(injector, new(routes)) @@ -154,10 +154,12 @@ graphql: { multipartForm: { uploadMaxSize: (int | *1.5M) & > 0 } - limitQueryAmountMiddleware: { - enable: bool | *false - sameOperationsThreshold: number | *2 - allOperationsThreshold: number | *10 + security: { + limitQueryAmountMiddleware: { + enable: bool | *false + sameOperationsThreshold: number | *2 + allOperationsThreshold: number | *10 + } } } `
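Review bot: In the relocated `security.limitQueryAmountMiddleware` block the two thresholds are still typed `number`, while the struct fields they are injected into are `int` and the neighbouring `uploadMaxSize` already uses `(int | *1.5M) & > 0`; a fractional or negative threshold would pass CUE validation and be caught, if at all, only by the injector instead of at config load. I would tighten them to `sameOperationsThreshold: int | *2` and `allOperationsThreshold: int | *10`, leaving zero allowed because the test file passes `AllOperationsThreshold: 0`, presumably to exercise the default fallback (worth confirming). The block sits inside a raw-string CUE schema that starts outside the hunk; note also that `enable` still defaults to `false`, so the batching protection described in the Readme remains opt-in, and `m.enableLimitQueryAmountMiddleware` in the `@@ -45` hunk keeps the pre-rename field name.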