Define and implement an anti-DoS policy for graph visits using the max_edges parameter
In order to allow public access to the graph API, we need to prevent external users from DoSing the graph service with resource-intensive queries. For that, the graph API supports (or will support once swh-graph#3161 (closed) is deployed) a max_edges parameter to limit the number of edges traversed by the graph.
By default, the max_edges parameter is set to 0 (no limit) in the graph service. The Web API should enforce stricter limits when proxying the requests to the graph service.
I think it makes sense to define three different policies for max_edges:
- One for internal staff users (unlimited?)
- One for logged-in users (100000 edges/query?)
- One for external users (1000 edges/query?)
For reference, a big repository like CPython has an order of magnitude of around a few million edges.
Migrated from T3836 (view on Phabricator)
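
One way the proxy could apply the three tiers above, as an added sketch that is not code from swh-web or swh-graph. The tier names and both helper functions are hypothetical, and the caps are the tentative values from the issue. The case to get right is that 0 means "no limit" upstream, so a plain `min(requested, cap)` would let any client lift its own cap by sending `max_edges=0`.

```python
from typing import Optional

UNLIMITED = 0  # graph service convention stated in the issue: 0 means no limit

# Tentative per-tier caps proposed in the issue (not final values).
TIER_CAPS = {
    "staff": UNLIMITED,
    "authenticated": 100_000,
    "anonymous": 1_000,
}


def user_tier(is_authenticated: bool, is_staff: bool) -> str:
    """Map a request's user flags to a policy tier (hypothetical helper)."""
    if is_authenticated and is_staff:
        return "staff"
    return "authenticated" if is_authenticated else "anonymous"


def effective_max_edges(requested: Optional[str], tier: str) -> int:
    """Return the max_edges value to forward to the graph service.

    `requested` is the raw query-string value sent by the client, or None
    when the parameter was omitted.
    """
    cap = TIER_CAPS[tier]
    if requested is None:
        return cap  # never fall through to the service default of 0
    try:
        value = int(requested)
    except ValueError:
        raise ValueError("max_edges must be an integer") from None
    if value < 0:
        raise ValueError("max_edges must be non-negative")
    if cap == UNLIMITED:
        return value  # staff may choose any limit, including none
    if value == UNLIMITED:
        return cap  # client asked for "no limit": clamp to the tier cap
    return min(value, cap)
```

The proxy would always send the returned value to the graph service, overwriting whatever the client supplied.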