Apidays Paris 2023 - Not Your Grandma’s Rate Limiting, Meenakshi Dhanani, Postman

Transcript

1. All rights reserved by Postman Inc Not Your Grandma’s Rate

   Limiting Meenakshi Dhanani Developer Relations Engineer, GraphQL

2. Bonjour de l’Inde Meenakshi Dhanani (aka Meena) 󰏝 @mdhananii DEVELOPER

   RELATIONS ENGINEER, GRAPHQL Likes: - Yoga, strength training 󰙥 - Spanish 󰎼 “ @getpostman @mdhananii

3. Introduction to Rate Limiting APIs Challenges with Rate Limiting GraphQL

   APIs Optimization Techniques for GraphQL APIs Real world examples Road Ahead 1 2 3 4 5 Overview @getpostman @mdhananii

4. Introduction to Rate Limiting THE CONTEXT @getpostman @mdhananii

5. Rate Limiting • Minimize load Rate limiting enforces a controlled

   flow of requests, preventing system congestion and downtime due to excessive demand. • Ensure fair usage Rate limiting ensures fair usage by setting predefined limits on how often each client or user can access resources, preventing any single entity from monopolizing the system's resources. Safeguards against bursts of incoming traffic @getpostman @mdhananii

6. An API rate limit is essentially a way for Shopify

   to ensure stability of the platform Zameer Masjedee Office of the President, Technology Lead at Shopify “ @getpostman @mdhananii

7. Challenges with Rate Limiting GraphQL APIs THE PROBLEM @getpostman @mdhananii

8. @getpostman @mdhananii

9. Optimizing for GraphQL THE SOLUTION @getpostman @mdhananii

10. @getpostman @mdhananii Query Cost Analysis • Type complexity Type complexity

    reflects the size of the data retrieved by a query. • Resolve complexity Resolve complexity reflects the server’s query execution cost Shopify Engineering Blog

11. @getpostman @mdhananii Benefits of Cost Analysis for Service Providers •

    Inform load balancing Distribute incoming queries across server instances based on their complexity, ensuring even processing and preventing overloading of resources. • Resolver resource allocation Developers can allocate resources more effectively, optimize resolver functions, and prioritize high-impact queries, resulting in better overall performance and efficient use of server resources. • Threat prevention Attackers are discouraged from crafting overly complex or deeply nested queries that could degrade server performance or cause denial-of-service attacks. • Monetization Pricing based on the execution cost or response size.

12. @getpostman @mdhananii Query Cost vs Execution Time

13. Query Cost Analysis Techniques THE HOW @getpostman @mdhananii

14. @getpostman @mdhananii Static Cost Analysis Blocks queries above a certain

    complexity, before they execute

15. @getpostman @mdhananii Dynamic Cost Analysis Block queries above a certain

    complexity, during execution

16. @getpostman @mdhananii Response Cost Analysis Calculates complexity after the execution,

    based on the response.

17. @getpostman @mdhananii Key Considerations • Introspection Queries Ensuring that introspection

    queries are subject to rate limiting or handled separately is crucial for security. • Pagination Pagination arguments significantly impact cost calculation. The same field with different pagination sizes can have vastly different costs. • Upper Bound vs Actual Response When clients request a large number of items, but the actual response contains fewer items, there's a potential mismatch between the charged cost and the delivered value • Complexity Calculation Overhead The process of calculating query complexity itself can introduce overhead, especially for deeply nested queries.

18. Examples REAL WORLD SCHEMAS @getpostman @mdhananii

19. @getpostman @mdhananii Shopify Query Cost Analysis

20. @getpostman @mdhananii GitHub Query Cost Analysis

21. @getpostman @mdhananii Yelp Query Cost Analysis

22. @getpostman @mdhananii No Right Answer Examples illustrate a good rate

    limiting strategy consists of not one but a combination of all these techniques.

23. @getpostman @mdhananii Traditional Architecture for Rate Limiting • Gateways/Routers API

    gateways can centralize the management of APIs, making it easier to control access, monitor traffic, and troubleshoot problems.

24. Road Ahead @getpostman @mdhananii SNEAK PEEK INTO THE FUTURE

25. @getpostman @mdhananii Implementation Strategies • Compilers A compiler transforms GraphQL

    queries into an optimized representation. This representation can then be used to implement rate limiting more efficiently. • Machine Learning Approach Machine learning can be used to learn the patterns of legitimate and malicious traffic. This information can then be used to optimize the rate limiting rules to better protect the API from abuse.

26. During this session, we learned: • What is rate limiting

    APIs? • Why is rate limiting for GraphQL different from other APIs? • Query cost analysis - techniques, examples • Peek into future strategies Recap @getpostman @mdhananii

27. GraphQL Concepts @getpostman @mdhananii

28. API Rate Limits and Working with GraphQL https://www.shopify.com/partners/blog/graphql-rate-limits A Guide

    to GraphQL Rate Limiting and Security https://xuorig.medium.com/a-guide-to-graphql-rate-limiting-security-e62a86ef8114 Why does GraphQL need cost analysis? | Morris Matsa https://mmatsa.com/blog/why-cost-analysis/ A Principled Approach to GraphQL Query Cost Analysis https://arxiv.org/pdf/2009.05632.pdf Additional Resources @getpostman @mdhananii

29. Q&A Please tell us about your experience! @getpostman @mdhananii

30. Thank You @getpostman @mdhananii