Pothos GraphQL 实现基于Redis的速率限制插件

2025-07-01 14:14:24作者：袁立春Spencer

在GraphQL API开发中，速率限制是保护服务免受滥用和拒绝服务攻击的重要机制。本文将介绍如何在Pothos GraphQL框架中实现一个基于Redis的速率限制插件，类似于Nexus框架中的实现方式。

插件设计思路

Pothos提供了灵活的插件系统，允许开发者扩展字段级别的功能。速率限制插件的核心思想是：

在字段定义时添加速率限制配置
在执行解析器前检查请求频率
使用Redis作为分布式计数器存储

实现步骤

1. 定义类型扩展

首先需要扩展Pothos的类型系统，为字段添加速率限制配置选项：

declare global {
  export namespace PothosSchemaTypes {
    export interface Plugins<Types extends SchemaTypes> {
      rateLimit: RateLimitPlugin<Types>;
    }

    export interface SchemaBuilderOptions<Types extends SchemaTypes> {
      rateLimit: {
        redis: Redis;
      };
    }

    export interface FieldOptions<
      Types extends SchemaTypes = SchemaTypes,
      ParentShape = unknown,
      Type extends TypeParam<Types> = TypeParam<Types>,
      Nullable extends FieldNullability<Type> = FieldNullability<Type>,
      Args extends InputFieldMap = InputFieldMap,
      ResolveShape = unknown,
      ResolveReturnShape = unknown,
    > {
      rateLimit?: {
        max: number;
        window: number;
        message?: string;
        identity?: (context: Types['Context']) => string;
      };
    }
  }
}

2. 实现插件核心逻辑

创建插件类，重写wrapResolve方法来包装解析器：

export class RateLimitPlugin<Types extends SchemaTypes> extends BasePlugin<Types> {
  override wrapResolve(
    resolver: GraphQLFieldResolver<unknown, Types['Context'], object>,
    fieldConfig: PothosOutputFieldConfig<Types>,
  ): GraphQLFieldResolver<unknown, Types['Context'], object> {
    const options = fieldConfig.pothosOptions.rateLimit;
    if (!options) {
      return resolver;
    }

    const { redis } = this.builder.options.rateLimit;

    return async (parent, args, context, info) => {
      if (context.isAuthenticated) {
        return resolver(parent, args, context, info);
      }

      const identity = options.identity?.(context) ?? context.ip;
      const key = `rateLimit:${info.fieldName}:${identity}`;

      const current = await redis.incr(key);
      if (current === 1) {
        await redis.expire(key, options.window);
      }

      if (current > options.max) {
        throw new Error(options.message ?? "Limit reached, try again later.");
      }

      return resolver(parent, args, context, info);
    };
  }
}

3. 注册插件

最后需要注册插件到Pothos系统中：

SchemaBuilder.registerPlugin('rateLimit', RateLimitPlugin);

使用示例

在构建schema时，可以这样使用速率限制插件：

const builder = new SchemaBuilder<{
  Plugins: {
    rateLimit: true;
  };
  Context: {
    ip: string;
    isAuthenticated: boolean;
  };
}>({
  plugins: ['rateLimit'],
  rateLimit: {
    redis: new Redis(),
  },
});

builder.queryType({
  fields: (t) => ({
    publicData: t.string({
      rateLimit: {
        max: 10,
        window: 60,
        message: 'Too many requests, please wait',
        identity: (ctx) => ctx.ip,
      },
      resolve: () => 'Sensitive data',
    }),
  }),
});