
Add API rate limiting#3118

Open
kimadactyl wants to merge 4 commits into main from feature/api-rate-limiting

Conversation

@kimadactyl
Member

Summary

  • Adds rack-attack gem for IP-based request throttling (100 req/min on /api/*)
  • Adds GraphQL max_depth (10) and max_complexity (1500) limits to prevent expensive queries
  • Returns JSON 429 responses for throttled API requests

Closes #2607

Test plan

  • Rate limiting specs pass (spec/requests/rate_limiting_spec.rb)
  • All existing GraphQL specs pass (34 examples, 0 failures)
  • Verified Trans Dimension queries are well within complexity limits (~100 each vs 1500 cap)

🤖 Generated with Claude Code
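As an added illustration of the throttling behaviour listed above (IP-based, 100 requests per minute on /api/*, JSON 429 when exceeded), here is a stand-alone Rack-compatible middleware in plain Ruby. It is not the PR's own code: the PR uses the rack-attack gem, which keeps its counters in Rails.cache and matches paths via its own throttle DSL. This example assumes an in-process store, fixed 60-second windows, and that REMOTE_ADDR is the real client address; the injectable clock and the env_for helper exist only to make the behaviour reproducible offline.

```ruby
require "json"

# Stand-alone, Rack-compatible throttle for /api/* (added example; the PR itself
# uses the rack-attack gem). Fixed 60-second windows, at most 100 requests per
# client IP per window, JSON 429 with a Retry-After header beyond that.
class ApiThrottle
  DEFAULT_LIMIT  = 100
  DEFAULT_PERIOD = 60 # seconds

  # app:   the downstream Rack app (anything responding to #call(env))
  # clock: injectable time source (seconds since epoch) so windows are testable
  def initialize(app, limit: DEFAULT_LIMIT, period: DEFAULT_PERIOD, clock: -> { Time.now.to_i })
    @app = app
    @limit = limit
    @period = period
    @clock = clock
    @windows = {} # window_number => { ip => request_count } (in-process only)
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"].to_s.start_with?("/api/")

    now = @clock.call
    window = now / @period
    # Drop expired windows so the store stays bounded by the number of active IPs.
    @windows.delete_if { |w, _| w < window }
    bucket = (@windows[window] ||= Hash.new(0))
    ip = client_ip(env)
    bucket[ip] += 1

    # Over the limit: tell the client when the current window ends.
    return throttled_response(@period - (now % @period)) if bucket[ip] > @limit

    @app.call(env)
  end

  # Build a minimal Rack env for demonstrations and tests (helper added here).
  def self.env_for(path, ip)
    { "PATH_INFO" => path, "REMOTE_ADDR" => ip }
  end

  private

  # Key on the transport-level peer address. Behind a reverse proxy, use the
  # proxy-validated client address (e.g. Rack::Request#ip) rather than a raw
  # X-Forwarded-For header, which any client can set to dodge the limit.
  def client_ip(env)
    env["REMOTE_ADDR"]
  end

  def throttled_response(retry_after)
    body = JSON.generate({ error: "Rate limit exceeded", retry_after: retry_after })
    [429,
     { "content-type" => "application/json", "retry-after" => retry_after.to_s },
     [body]]
  end
end

if $PROGRAM_NAME == __FILE__
  app = ApiThrottle.new(->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }, limit: 3)
  statuses = 5.times.map { app.call(ApiThrottle.env_for("/api/events", "203.0.113.7"))[0] }
  puts statuses.inspect # first 3 requests pass, the remaining 2 are throttled
end
```

Because the counters live in the process, this only enforces the limit per server process; rack-attack's Rails.cache store is what makes the count shared across workers, so a multi-process deployment should keep a shared cache backend behind it.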

Mitigates API abuse that could take down the site by adding:
- rack-attack gem with IP-based throttling (100 req/min for API)
- GraphQL max_depth (10) and max_complexity (1500) limits
@kimadactyl kimadactyl requested a review from idkidk000 April 2, 2026 19:46
@kimadactyl
Member Author

more gentle tidyup of things which shouldn't be quite as open as they are :)

GraphQL::Client.load_schema fires an introspection query (__schema)
that exceeds the complexity cap. Move max_complexity into the
controller so introspection queries are exempt while regular
queries remain protected.

Both max_depth and max_complexity need to be exempt for
introspection queries (__schema), which are inherently deep
and complex. Moving both limits to per-query execution in the
controller fixes the system test failures.
@kimadactyl
Member Author

@james-collapse just a heads-up that when this hits prod fruit salad might hit the rate limit if you've not pulled the recent changes from trans-dimension in - previously it was doing a query per-event and splatting the server for a second


Development

Successfully merging this pull request may close these issues.

[Bug]: API requests can take down whole site