Search
My Cart

yireo / magento2-graph-ql-rate-limiting

yireo/magento2-graph-ql-rate-limiting

Magento 2 module to add rate limiting to GraphQL resources

  • Jisse Reitsma (Yireo)
magento2-module Compatibility: Not yet tested Code Quality: Warning Tests: N/A Security: Pass OSL-3.0

Yireo GraphQlRateLimiting

Magento 2 module to add rate limiting to GraphQL resources

WARNING: As of yet, the sunspikes/php-ratelimiter library is no longer being maintained. And because of this, this module is dead, until it is refactored to use another rate limiting tool.

This module implements the sunspikes/php-ratelimiter in Magento 2. It checks how many GraphQL mutations and/or GraphQL queries are sent from a specific client to a Magento instance and if the number of these requests exceeds a configured maximum, a GraphQL error is generated.

This module is specifically recommended for limiting mutations, so that your Magento shop is not flooded with fake requests to create sessions, customers or other data. Usually, in a headless environment, the amount of mutations is limited.

Usage

Install this extension:

composer require yireo/magento2-graph-ql-rate-limiting
bin/magento module:enable Yireo_GraphQlRateLimiting
bin/magento setup:upgrade

Next, login to the Magento Admin Panel, navigate to Store Configuration and then Yireo > Yireo GraphQlRateLimiting > Settings and modify the settings to your needs. The default might be fine though. The settings Enabled and Limit Mutations are definitely to be enabled, otherwise this extension is kind of pointless. Whether Limit Queries is useful up to you. The settings Maximum Queries and Maximum Mutations refer to the maximum amount of queries or mutations to be made within a certain timeframe (Timeframe) before a connection is denied for the remainder of that timeframe.

Finally, navigate to Cache Management and enable the cache GraphQL Rate Limiting:

bin/magento cache:enable graphql_rate_limiting

Testing to see if this works

Open up GraphiQL or some other client and create a simple request like the following:

query {
  products(filter: {name: {match: "jacket"}}) {
    items {
      sku
    }
  }
}

Configure the following settings in this Magento module (under the Store Configuration):

  • Enabled: Yes
  • Limit Queries: Yes
  • Maximum Queries: 3

After running the same query three-times an error should popup up:

{
  "errors": [
    {
      "message": "A maximum of 3 queries has been reached.",
      "extensions": {
        "category": "graphql"
      }
    }
  ]
}

Testing of the cache type

This extension adds a Cache Type GRAPHQL_RATE_LIMITING to the Magento cache frontends. To test whether the Cache Type is working, you can run the following Functional Test:

bin/magento cache:status
bin/magento cache:enable graphql_rate_limiting
vendor/bin/phpunit --bootstrap=app/bootstrap.php app/code/Yireo/GraphQlRateLimiting/Test/Functional/CacheTypeTest.php

Other functional tests

To run other functional tests, the following can be used:

bin/magento cache:enable graphql_rate_limiting
vendor/bin/phpunit --bootstrap=app/bootstrap.php app/code/Yireo/GraphQlRateLimiting/Test/Functional/

Please note that this resets your configuration. Do not do this on a live Magento site.

Todo

  • Make compatible with PHP 8
  • Allow saving data in Redis
  • Check what Adobe Commerce uses for backpressure-logger
  • Add integation tests
  • Add MovingWindowSettings and FixedWindowSettings
  • Allow for specific endpoints to be limited
  • Make sure to reply with HTTP/1.1 429 Too Many Requests

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[Unreleased]

[0.0.4] - 12 April 2024

Added

  • Limit to PHP 7.4 because sunspikes/php-ratelimiter is dead

[0.0.3] - 29 July 2020

Added

  • Magento 2.4 compatibility

[0.0.2] - Undocumented

Versions
Version Stability QA Status Compatibility Released
0.0.5 stable Pass Not yet tested Details 2024-04-12 13:49:56
0.0.4 stable Not tested Not yet tested Details 2024-04-12 09:36:56
0.0.3 stable Not tested Not yet tested Details 2020-07-29 09:47:40
0.0.2 stable Not tested Not yet tested Details 2020-04-19 19:30:26
0.0.1 stable Not tested Not yet tested Details 2020-04-18 13:00:29

Requires 5

Package Constraint
magento/framework ^100.1|^101.0|^102.0|^103.0
magento/module-checkout ^100.1
magento/module-quote ^100.1|^101.0
php 7.4.*
sunspikes/php-ratelimiter 1.2.1

Requires-dev 4

Package Constraint
ext/json *
laminas/laminas-http *
phpunit/phpunit *
yireo/magento2-integration-test-helper @dev

Compatibility

Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.

Compatibility matrix (Magento × PHP)
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 not tested not tested
2.4.8 not tested not tested
2.4.9 not tested not tested

Code Quality

Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge — a phpcs finding can't make a module incompatible.

Static analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

Static analysis results
Tool Status Findings Summary
PHPCS Warning 4 4 warnings (ruleset: Magento2)
PHPMD Warning 1 1 rule violation (UnusedFormalParameter:1)
Cpd Pass 0
Composer validate Warning 2 valid with 2 warnings (composer validate --strict)

PHPStan

Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases. Cell → details modal.

PHPStan results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Tests

Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.

Unit tests

Unit tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Integration tests

Integration tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A not tested
2.4.9 N/A not tested

Security

Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.

Security results
Tool Status Findings Summary
Composer audit N/A 0 no resolvable dependency tree to audit — Your requirements could not be resolved to an installable set of packages. Problem 1
Malware scan Pass 0
License
OSL-3.0
Homepage
https://github.com/yireo/Yireo_GraphQlRateLimiting
Authors

More from yireo

View vendor
yireo/magento2-replace-bundled Free
magento2-module

Replace bundled third party packages from Magento

v4.3.4 1yr ago
0
yireo/yireo_extensionvalidationtools Free
magento2-module
v0.0.2 3yr ago
0
yireo/magento2-auto-invoice-zero-subtotal-orders Free
magento2-module
v1.0.0 1yr ago
0
yireo/magento2-customer-commands Free
magento2-module

N/A

v1.0.1 2mo ago
0
Make it pay

Turn an existing module into recurring revenue.

If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.

List your module