# yireo/magento2-graph-ql-rate-limiting > Magento 2 module to add rate limiting to GraphQL resources `composer require yireo/magento2-graph-ql-rate-limiting` Canonical URL: https://packagento.com/yireo/magento2-graph-ql-rate-limiting ## At a glance - **Vendor**: yireo (https://packagento.com/yireo.md) - **Latest version**: 0.0.5 — released 2024-04-12 - **Pricing**: Free - **Package type**: Magento 2 module - **Status**: active, accepting new buyers ## Installation Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them. 1. **Sign in or create an account** at https://packagento.com/customer/account/. 2. **Add the package to your account.** Open https://packagento.com/yireo/magento2-graph-ql-rate-limiting and complete the free checkout. A licence is minted automatically. 3. **Create or pick a project, then activate the licence on it.** - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/. - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project. 4. **Add the project credentials to your Magento codebase.** Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`: ```json { "http-basic": { "packagento.com": { "username": "ppk_live_...", "password": "psk_live_..." } } } ``` Add the Packagento Composer repository to `composer.json`: ```json { "repositories": [ { "type": "composer", "url": "https://packagento.com" } ] } ``` 5. **Install and apply.** ```bash composer require yireo/magento2-graph-ql-rate-limiting:* bin/magento setup:upgrade bin/magento setup:di:compile bin/magento cache:flush ``` ## What it does Magento 2 module to add rate limiting to GraphQL resources ## README **Magento 2 module to add rate limiting to GraphQL resources** **WARNING: As of yet, the sunspikes/php-ratelimiter library is no longer being maintained. And because of this, this module is dead, until it is refactored to use another rate limiting tool.** This module implements the [sunspikes/php-ratelimiter](https://packagist.org/packages/sunspikes/php-ratelimiter) in Magento 2. It checks how many GraphQL mutations and/or GraphQL queries are sent from a specific client to a Magento instance and if the number of these requests exceeds a configured maximum, a GraphQL error is generated. This module is specifically recommended for limiting mutations, so that your Magento shop is not flooded with fake requests to create sessions, customers or other data. Usually, in a headless environment, the amount of mutations is limited. ### Usage Install this extension: composer require yireo/magento2-graph-ql-rate-limiting bin/magento module:enable Yireo_GraphQlRateLimiting bin/magento setup:upgrade Next, login to the Magento Admin Panel, navigate to **Store Configuration** and then **Yireo > Yireo GraphQlRateLimiting > Settings** and modify the settings to your needs. The default might be fine though. The settings **Enabled** and **Limit Mutations** are definitely to be enabled, otherwise this extension is kind of pointless. Whether **Limit Queries** is useful up to you. The settings **Maximum Queries** and **Maximum Mutations** refer to the maximum amount of queries or mutations to be made within a certain timeframe (**Timeframe**) before a connection is denied for the remainder of that timeframe. Finally, navigate to **Cache Management** and enable the cache **GraphQL Rate Limiting**: bin/magento cache:enable graphql_rate_limiting ### Testing to see if this works Open up GraphiQL or some other client and create a simple request like the following: ```graphql query { products(filter: {name: {match: "jacket"}}) { items { sku } } } ``` Configure the following settings in this Magento module (under the **Store Configuration**): - **Enabled**: *Yes* - **Limit Queries**: *Yes* - **Maximum Queries**: *3* After running the same query three-times an error should popup up: ```json { "errors": [ { "message": "A maximum of 3 queries has been reached.", "extensions": { "category": "graphql" } } ] } ``` ### Testing of the cache type This extension adds a Cache Type `GRAPHQL_RATE_LIMITING` to the Magento cache frontends. To test whether the Cache Type is working, you can run the following Functional Test: ```bash bin/magento cache:status bin/magento cache:enable graphql_rate_limiting vendor/bin/phpunit --bootstrap=app/bootstrap.php app/code/Yireo/GraphQlRateLimiting/Test/Functional/CacheTypeTest.php ``` ### Other functional tests To run other functional tests, the following can be used: ```bash bin/magento cache:enable graphql_rate_limiting vendor/bin/phpunit --bootstrap=app/bootstrap.php app/code/Yireo/GraphQlRateLimiting/Test/Functional/ ``` Please note that this resets your configuration. Do not do this on a live Magento site. ### Todo - Make compatible with PHP 8 - Allow saving data in Redis - Check what Adobe Commerce uses for `backpressure-logger` - Add integation tests - Add `MovingWindowSettings` and `FixedWindowSettings` - Allow for specific endpoints to be limited - Make sure to reply with HTTP/1.1 429 Too Many Requests ## Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ### [Unreleased] ### [0.0.4] - 12 April 2024 #### Added - Limit to PHP 7.4 because sunspikes/php-ratelimiter is dead ### [0.0.3] - 29 July 2020 #### Added - Magento 2.4 compatibility ### [0.0.2] - Undocumented ## Recent Versions | Version | Released | |---|---| | 0.0.5 | 2024-04-12 | | 0.0.4 | 2024-04-12 | | 0.0.3 | 2020-07-29 | | 0.0.2 | 2020-04-19 | | 0.0.1 | 2020-04-18 | ## Dependencies ### Require | Package | Constraint | |---|---| | magento/framework | ^100.1\|^101.0\|^102.0\|^103.0 | | magento/module-checkout | ^100.1 | | magento/module-quote | ^100.1\|^101.0 | | php | 7.4.* | | sunspikes/php-ratelimiter | 1.2.1 | ### Require (dev) | Package | Constraint | |---|---| | ext/json | * | | laminas/laminas-http | * | | phpunit/phpunit | * | | yireo/magento2-integration-test-helper | @dev | ## Quality Latest release (0.0.5) passes the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers. ### Compatibility Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | not tested | not tested | – | – | | 2.4.8 | – | not tested | not tested | – | | 2.4.9 | – | – | not tested | not tested | ### Code Quality Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible. #### Static Analysis Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module. | Tool | Status | Findings | Summary | |---|---|---|---| | PHPCS | Warning | 4 | 4 warnings (ruleset: Magento2) | | PHPMD | Warning | 1 | 1 rule violation (UnusedFormalParameter:1) | | Cpd | Pass | 0 | | | Composer validate | Warning | 2 | valid with 2 warnings (composer validate --strict) | #### PHPStan Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | N/A | – | | 2.4.9 | – | – | N/A | N/A | ### Tests Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately. #### Unit Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | N/A | – | | 2.4.9 | – | – | N/A | N/A | #### Integration Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | not tested | – | | 2.4.9 | – | – | N/A | not tested | ### Security Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright. | Tool | Status | Findings | Summary | |---|---|---|---| | Composer audit | N/A | 0 | no resolvable dependency tree to audit — Your requirements could not be resolved to an installable set of packages. Problem 1 | | Malware scan | Pass | 0 | | ## Licence and pricing Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step. Refundable within 14 days of first purchase via https://packagento.com/account/refunds/. ## Install via Claude Code or any MCP client The Packagento MCP server can run the licence + project + Composer steps above in one tool call: ``` purchase_and_install_packages( composer_names=["yireo/magento2-graph-ql-rate-limiting"], project_id="proj_xxx" ) ``` This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup. ## Vendor yireo is a Magento 2 vendor on Packagento. See https://packagento.com/yireo.md for their full catalogue.