I was working on something and found batching to be really useful for my use case but then realised that it is disabled by default. Enabling it is very easy but I’m trying to understand the reason for disabling it by default in v4.
I found an issue #5686 that talks about how, if batching is allowed, then an attacker can send a large number of GraphQL operations in a single HTTP request to validate OTPs and get around the rate limit. And then there is a PR apollographql/apollo-server/pull/5778
that introduced the option to disable it if we don’t want this feature. And then it was disabled by default in 25fbc7a (packages/server/src/ApolloServer.ts L262) with no explanation.
Let’s talk about this issue #5686. I don’t understand how disabling batching would help. Couldn’t the attacker send a query like this and bypass the limit anyway?
query validateOTPs(
  $input1: ValidateOTPRequest!,
  $input2: ValidateOTPRequest!,
) {
  firstResult: validateOTP(input: $input1) {
    success
  }
  secondResult: validateOTP(input: $input2) {
    success
  }
}
The number of attempts to validate an OTP should be properly tracked in a database. That sort of thing should not be handled at the GraphQL layer.
That being said I’m trying to understand the risks of enabling it and I don’t really see any. Can someone please let me know the risks of enabling it?
(copy pasta from this GitHub discussion since this board seems more lively)