feat: graphql rate limiting directive

CHANGELOG.md

@@ -10,6 +10,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Added Page Delete functionality
 - Dev locale .yml files in `server/locales` are now loaded
 - Added SQLite dependencies in Docker image
+- Added rate limiting to login mutations
 
 ### Fixed
 - Fixed root admin refresh token fail

package.json

@@ -68,6 +68,7 @@
     "getos": "3.1.1",
     "graphql": "14.1.1",
     "graphql-list-fields": "2.0.2",
+    "graphql-rate-limit-directive": "0.1.0",
     "graphql-subscriptions": "1.0.0",
     "graphql-tools": "4.0.4",
     "highlight.js": "9.14.2",

server/graph/index.js

@@ -6,6 +6,7 @@ const autoload = require('auto-load')
 const PubSub = require('graphql-subscriptions').PubSub
 const { LEVEL, MESSAGE } = require('triple-beam')
 const Transport = require('winston-transport')
+const { createRateLimitTypeDef, createRateLimitDirective } = require('graphql-rate-limit-directive')
 
 /* global WIKI */
 
@@ -17,7 +18,7 @@ WIKI.GQLEmitter = new PubSub()
 
 // Schemas
 
-let typeDefs = []
+let typeDefs = [createRateLimitTypeDef()]
 let schemas = fs.readdirSync(path.join(WIKI.SERVERPATH, 'graph/schemas'))
 schemas.forEach(schema => {
   typeDefs.push(fs.readFileSync(path.join(WIKI.SERVERPATH, `graph/schemas/${schema}`), 'utf8'))
@@ -33,7 +34,12 @@ resolversObj.forEach(resolver => {
 
 // Directives
 
-let schemaDirectives = autoload(path.join(WIKI.SERVERPATH, 'graph/directives'))
+let schemaDirectives = {
+  ...autoload(path.join(WIKI.SERVERPATH, 'graph/directives')),
+  rateLimit: createRateLimitDirective({
+    keyGenerator: (directiveArgs, source, args, context, info) => `${context.req.ip}:${info.parentType}.${info.fieldName}`
+  })
+}
 
 // Live Trail Logger (admin)
 

server/graph/schemas/authentication.graphql

@@ -29,12 +29,12 @@ type AuthenticationMutation {
     username: String!
     password: String!
     strategy: String!
-  ): AuthenticationLoginResponse
+  ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60)
 
   loginTFA(
     loginToken: String!
     securityCode: String!
-  ): DefaultResponse
+  ): DefaultResponse @rateLimit(limit: 5, duration: 60)
 
   register(
     email: String!