Ability to disable batch request processing #5686
Labels: enhancement; feature (New addition or enhancement to existing solutions); good-first-issue (Issues that are more approachable for first-time contributors).
It would be great to have a built-in ability to disable batch request processing and only allow one mutation/query per request. While batch queries can definitely be helpful in some cases to limit the number of round-trips from client to server, they open a major vulnerability to DDoS attacks and allow bad actors to make the GraphQL server do their job for them.
One example that comes to mind is 2FA validation code. Let's say your server sends an SMS with a 4 digit validation code and you have to enter that code to log into the site. With batch queries, you could create a script that would generate a batch of 9999 mutations with every permutation of the 2FA code, and one of them is going to be correct. Obviously, things like that should be protected in the code itself, but having an ability to disable batch requests would significantly simplify resolution of this issue by using a standard rate-limiting proxy server such as the Envoy rate limiter, for example.
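One way to enforce the single-operation-per-request behaviour requested above, as an added example that is not Apollo Server's own code. It assumes an Express-style `(req, res, next)` middleware placed in front of the GraphQL handler with the JSON body already parsed into `req.body`; the function names and sample bodies are hypothetical.

```javascript
// Added example, not Apollo Server's own code. Rejects the batched transport
// format (a JSON array of operations) so every HTTP request carries exactly
// one GraphQL operation and a per-request rate limiter in front of the server
// (Envoy, as the issue suggests) counts every attempt. Assumes an Express-style
// (req, res, next) middleware placed before the GraphQL handler and a body
// already parsed by express.json(); function names are hypothetical.

// Classify a parsed POST body. A JSON array is the batch format; anything that
// is not a single object carrying a query string is refused as well.
function checkGraphqlBody(body) {
  if (Array.isArray(body)) {
    return { ok: false, reason: `batched request with ${body.length} operations` };
  }
  if (body === null || typeof body !== 'object') {
    return { ok: false, reason: 'body is not a JSON object' };
  }
  if (typeof body.query !== 'string') {
    return { ok: false, reason: 'missing "query" string' };
  }
  return { ok: true, reason: null };
}

// Middleware: only POST bodies can be batched; GET requests pass through to
// whatever query-string handling the GraphQL server applies.
function rejectBatchedRequests(req, res, next) {
  if (req.method !== 'POST') {
    return next();
  }
  const result = checkGraphqlBody(req.body);
  if (!result.ok) {
    // Answer with 400 before any operation executes, so the whole batch
    // costs the caller one counted request and yields nothing.
    return res.status(400).json({
      errors: [{ message: `Request rejected: ${result.reason}` }],
    });
  }
  return next();
}

// Constructed sample bodies for a stand-alone run (not real traffic).
const SAMPLE_SINGLE = { query: 'mutation { verifyCode(code: "0123") }' };
const SAMPLE_BATCH = [SAMPLE_SINGLE, { query: 'mutation { verifyCode(code: "0124") }' }];

console.log(checkGraphqlBody(SAMPLE_SINGLE)); // { ok: true, reason: null }
console.log(checkGraphqlBody(SAMPLE_BATCH));  // { ok: false, reason: 'batched request with 2 operations' }
```

Refusing the array format covers the batching the issue describes, but a single document can still repeat a field under aliases, so the 2FA resolver itself still needs its own attempt limit.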