appwrite/tests/e2e/Services/GraphQL/TablesDB/AbuseTest.php

<?php

namespace Tests\E2E\Services\GraphQL\TablesDB;

use Tests\E2E\Client;
use Tests\E2E\Scopes\ProjectCustom;
use Tests\E2E\Scopes\Scope;
use Tests\E2E\Scopes\SideServer;
use Tests\E2E\Services\GraphQL\Base;
use Utopia\Database\Helpers\ID;
use Utopia\Database\Helpers\Permission;
use Utopia\Database\Helpers\Role;
use Utopia\System\System;

class AbuseTest extends Scope
{
    use ProjectCustom;
    use SideServer;
    use Base;

    protected function setUp(): void
    {
        parent::setUp();

        if (System::getEnv('_APP_OPTIONS_ABUSE') === 'disabled') {
            $this->markTestSkipped('Abuse is not enabled.');
        }
    }

    public function testRateLimitEnforced()
    {
        $data = $this->createTable();
        $databaseId = $data['databaseId'];
        $tableId = $data['tableId'];
        $projectId = $this->getProject()['$id'];
        $query = $this->getQuery(self::CREATE_ROW);
        $max = 120;

        for ($i = 0; $i <= $max + 1; $i++) {
            $gqlPayload = [
                'query' => $query,
                'variables' => [
                    'databaseId' => $databaseId,
                    'tableId' => $tableId,
                    'rowId' => ID::unique(),
                    'data' => [
                        'name' => 'John Doe',
                    ],
                ],
            ];

            $response = $this->client->call(Client::METHOD_POST, '/graphql', [
                'content-type' => 'application/json',
                'x-appwrite-project' => $projectId,
            ], $gqlPayload);

            if ($i < $max) {
                $this->assertArrayNotHasKey('errors', $response['body']);
            } else {
                $this->assertArrayHasKey('errors', $response['body']);
            }
        }
    }

    public function testComplexQueryBlocked()
    {
        $projectId = $this->getProject()['$id'];
        $query = $this->getQuery(self::COMPLEX_QUERY_TABLE);
        $graphQLPayload = [
            'query' => $query,
            'variables' => [
                'userId' => 'user',
                'email' => 'user@appwrite.io',
                'password' => 'password',
                'databaseId' => 'database',
                'databaseName' => 'database',
                'tableId' => 'table',
                'tableName' => 'table',
                'tablePermissions' => [
                    Permission::read(Role::users()),
                    Permission::create(Role::users()),
                    Permission::update(Role::users()),
                    Permission::delete(Role::users()),
                ],
                'rowSecurity' => false,
            ],
        ];

        $response = $this->client->call(Client::METHOD_POST, '/graphql', \array_merge([
            'content-type' => 'application/json',
            'x-appwrite-project' => $projectId,
        ], $this->getHeaders()), $graphQLPayload);

        $max = System::getEnv('_APP_GRAPHQL_MAX_QUERY_COMPLEXITY', 250);

        $this->assertEquals('Max query complexity should be ' . $max . ' but got 259.', $response['body']['errors'][0]['message']);
    }

    public function testTooManyQueriesBlocked()
    {
        $projectId = $this->getProject()['$id'];
        $maxQueries = System::getEnv('_APP_GRAPHQL_MAX_QUERIES', 10);

        $query = [];
        for ($i = 0; $i <= ((int) $maxQueries) + 1; $i++) {
            $query[] = ['query' => $this->getQuery(self::LIST_COUNTRIES)];
        }

        $response = $this->client->call(Client::METHOD_POST, '/graphql', \array_merge([
            'content-type' => 'application/json',
            'x-appwrite-project' => $projectId,
        ], $this->getHeaders()), $query);

        $this->assertEquals('Too many queries.', $response['body']['message']);
    }

    private function createTable(): array
    {
        $projectId = $this->getProject()['$id'];
        $query = $this->getQuery(self::CREATE_DATABASE);
        $gqlPayload = [
            'query' => $query,
            'variables' => [
                'databaseId' => 'actors',
                'name' => 'AbuseDatabase',
            ]
        ];

        $response = $this->client->call(Client::METHOD_POST, '/graphql', [
            'content-type' => 'application/json',
            'x-appwrite-project' => $projectId,
            'x-appwrite-key' => $this->getProject()['apiKey'],
        ], $gqlPayload);

        $databaseId = $response['body']['data']['databasesCreate']['_id'];

        $query = $this->getQuery(self::CREATE_TABLE);
        $gqlPayload = [
            'query' => $query,
            'variables' => [
                'databaseId' => $databaseId,
                'tableId' => 'actors',
                'name' => 'Actors',
                'rowSecurity' => false,
                'permissions' => [
                    Permission::read(Role::any()),
                    Permission::write(Role::any()),
                ],
            ]
        ];

        $response = $this->client->call(Client::METHOD_POST, '/graphql', [
            'content-type' => 'application/json',
            'x-appwrite-project' => $projectId,
            'x-appwrite-key' => $this->getProject()['apiKey'],
        ], $gqlPayload);

        $tableId = $response['body']['data']['tablesDBCreateTable']['_id'];

        $query = $this->getQuery(self::CREATE_STRING_COLUMN);
        $gqlPayload = [
            'query' => $query,
            'variables' => [
                'databaseId' => $databaseId,
                'tableId' => $tableId,
                'key' => 'name',
                'size' => 256,
                'required' => true,
            ]
        ];

        $this->client->call(Client::METHOD_POST, '/graphql', [
            'content-type' => 'application/json',
            'x-appwrite-project' => $projectId,
            'x-appwrite-key' => $this->getProject()['apiKey'],
        ], $gqlPayload);

        $this->assertEventually(function () use ($databaseId, $tableId) {
            $response = $this->client->call(Client::METHOD_GET, '/tablesdb/' . $databaseId . '/tables/' . $tableId . '/columns/name', array_merge([
                'content-type' => 'application/json',
                'x-appwrite-project' => $this->getProject()['$id'],
                'x-appwrite-key' => $this->getProject()['apiKey'],
            ]));
            $this->assertEquals('available', $response['body']['status']);
        }, 30000, 250);

        return [
            'databaseId' => $databaseId,
            'tableId' => $tableId,
        ];
    }
}
Add abuse test 2022-07-14 08:11:39 +00:00			`<?php`

Remove weird static/const mix 2025-08-19 11:03:18 +00:00			`namespace Tests\E2E\Services\GraphQL\TablesDB;`
Add abuse test 2022-07-14 08:11:39 +00:00
			`use Tests\E2E\Client;`
			`use Tests\E2E\Scopes\ProjectCustom;`
			`use Tests\E2E\Scopes\Scope;`
			`use Tests\E2E\Scopes\SideServer;`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`use Tests\E2E\Services\GraphQL\Base;`
Helpers GraphQL 2023-01-16 09:25:40 +00:00			`use Utopia\Database\Helpers\ID;`
			`use Utopia\Database\Helpers\Permission;`
			`use Utopia\Database\Helpers\Role;`
Updated getEnv to use system lib 2024-04-01 11:02:47 +00:00			`use Utopia\System\System;`
Add abuse test 2022-07-14 08:11:39 +00:00
Remove redundant test class prefixes 2022-09-22 08:29:42 +00:00			`class AbuseTest extends Scope`
Add abuse test 2022-07-14 08:11:39 +00:00			`{`
			`use ProjectCustom;`
			`use SideServer;`
Remove redundant test class prefixes 2022-09-22 08:29:42 +00:00			`use Base;`
Add abuse test 2022-07-14 08:11:39 +00:00
Fix tests for union and none types 2022-10-10 23:34:43 +00:00			`protected function setUp(): void`
			`{`
			`parent::setUp();`

Updated getEnv to use system lib 2024-04-01 11:02:47 +00:00			`if (System::getEnv('_APP_OPTIONS_ABUSE') === 'disabled') {`
Use abuse status instead of dev/prod for graphql abuse check 2022-10-28 07:12:11 +00:00			`$this->markTestSkipped('Abuse is not enabled.');`
Fix tests for union and none types 2022-10-10 23:34:43 +00:00			`}`
			`}`

Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`public function testRateLimitEnforced()`
			`{`
fix: method name. 2025-05-10 06:09:46 +00:00			`$data = $this->createTable();`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`$databaseId = $data['databaseId'];`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`$tableId = $data['tableId'];`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`$projectId = $this->getProject()['$id'];`
Remove weird static/const mix 2025-08-19 11:03:18 +00:00			`$query = $this->getQuery(self::CREATE_ROW);`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`$max = 120;`

			`for ($i = 0; $i <= $max + 1; $i++) {`
			`$gqlPayload = [`
			`'query' => $query,`
			`'variables' => [`
			`'databaseId' => $databaseId,`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`'tableId' => $tableId,`
			`'rowId' => ID::unique(),`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`'data' => [`
			`'name' => 'John Doe',`
			`],`
			`],`
			`];`

			`$response = $this->client->call(Client::METHOD_POST, '/graphql', [`
			`'content-type' => 'application/json',`
			`'x-appwrite-project' => $projectId,`
			`], $gqlPayload);`

			`if ($i < $max) {`
			`$this->assertArrayNotHasKey('errors', $response['body']);`
			`} else {`
			`$this->assertArrayHasKey('errors', $response['body']);`
			`}`
			`}`
			`}`

Add abuse test 2022-07-14 08:11:39 +00:00			`public function testComplexQueryBlocked()`
			`{`
			`$projectId = $this->getProject()['$id'];`
Remove weird static/const mix 2025-08-19 11:03:18 +00:00			`$query = $this->getQuery(self::COMPLEX_QUERY_TABLE);`
Add abuse test 2022-07-14 08:11:39 +00:00			`$graphQLPayload = [`
			`'query' => $query,`
			`'variables' => [`
			`'userId' => 'user',`
			`'email' => 'user@appwrite.io',`
			`'password' => 'password',`
			`'databaseId' => 'database',`
			`'databaseName' => 'database',`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`'tableId' => 'table',`
fix: abuse tests! 2025-05-10 06:27:32 +00:00			`'tableName' => 'table',`
			`'tablePermissions' => [`
More 1.0 migrations 2022-09-20 08:25:05 +00:00			`Permission::read(Role::users()),`
			`Permission::create(Role::users()),`
			`Permission::update(Role::users()),`
			`Permission::delete(Role::users()),`
			`],`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`'rowSecurity' => false,`
Add abuse test 2022-07-14 08:11:39 +00:00			`],`
			`];`

			`$response = $this->client->call(Client::METHOD_POST, '/graphql', \array_merge([`
			`'content-type' => 'application/json',`
			`'x-appwrite-project' => $projectId,`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`], $this->getHeaders()), $graphQLPayload);`
Add abuse test 2022-07-14 08:11:39 +00:00
Updated getEnv to use system lib 2024-04-01 11:02:47 +00:00			`$max = System::getEnv('_APP_GRAPHQL_MAX_QUERY_COMPLEXITY', 250);`
Use statics for anonymous functions 2022-07-18 02:53:49 +00:00
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`$this->assertEquals('Max query complexity should be ' . $max . ' but got 259.', $response['body']['errors'][0]['message']);`
Add abuse test 2022-07-14 08:11:39 +00:00			`}`

			`public function testTooManyQueriesBlocked()`
			`{`
			`$projectId = $this->getProject()['$id'];`
Updated getEnv to use system lib 2024-04-01 11:02:47 +00:00			`$maxQueries = System::getEnv('_APP_GRAPHQL_MAX_QUERIES', 10);`
Add abuse test 2022-07-14 08:11:39 +00:00
			`$query = [];`
chore: remove phpstan baseline 2026-04-01 17:31:11 +00:00			`for ($i = 0; $i <= ((int) $maxQueries) + 1; $i++) {`
Remove weird static/const mix 2025-08-19 11:03:18 +00:00			`$query[] = ['query' => $this->getQuery(self::LIST_COUNTRIES)];`
Add abuse test 2022-07-14 08:11:39 +00:00			`}`

			`$response = $this->client->call(Client::METHOD_POST, '/graphql', \array_merge([`
			`'content-type' => 'application/json',`
			`'x-appwrite-project' => $projectId,`
			`], $this->getHeaders()), $query);`

			`$this->assertEquals('Too many queries.', $response['body']['message']);`
			`}`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00
fix: method name. 2025-05-10 06:09:46 +00:00			`private function createTable(): array`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`{`
			`$projectId = $this->getProject()['$id'];`
Remove weird static/const mix 2025-08-19 11:03:18 +00:00			`$query = $this->getQuery(self::CREATE_DATABASE);`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`$gqlPayload = [`
			`'query' => $query,`
			`'variables' => [`
			`'databaseId' => 'actors',`
			`'name' => 'AbuseDatabase',`
			`]`
			`];`

			`$response = $this->client->call(Client::METHOD_POST, '/graphql', [`
			`'content-type' => 'application/json',`
			`'x-appwrite-project' => $projectId,`
			`'x-appwrite-key' => $this->getProject()['apiKey'],`
			`], $gqlPayload);`

fix: graphql test for complex queries. 2025-06-19 13:06:32 +00:00			`$databaseId = $response['body']['data']['databasesCreate']['_id'];`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00
Remove weird static/const mix 2025-08-19 11:03:18 +00:00			`$query = $this->getQuery(self::CREATE_TABLE);`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`$gqlPayload = [`
			`'query' => $query,`
			`'variables' => [`
			`'databaseId' => $databaseId,`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`'tableId' => 'actors',`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`'name' => 'Actors',`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`'rowSecurity' => false,`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`'permissions' => [`
			`Permission::read(Role::any()),`
			`Permission::write(Role::any()),`
			`],`
			`]`
			`];`

			`$response = $this->client->call(Client::METHOD_POST, '/graphql', [`
			`'content-type' => 'application/json',`
			`'x-appwrite-project' => $projectId,`
			`'x-appwrite-key' => $this->getProject()['apiKey'],`
			`], $gqlPayload);`

Update tablesDb -> tablesDB 2025-08-20 14:20:05 +00:00			`$tableId = $response['body']['data']['tablesDBCreateTable']['_id'];`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00
Remove weird static/const mix 2025-08-19 11:03:18 +00:00			`$query = $this->getQuery(self::CREATE_STRING_COLUMN);`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`$gqlPayload = [`
			`'query' => $query,`
			`'variables' => [`
			`'databaseId' => $databaseId,`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`'tableId' => $tableId,`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`'key' => 'name',`
			`'size' => 256,`
			`'required' => true,`
			`]`
			`];`

			`$this->client->call(Client::METHOD_POST, '/graphql', [`
			`'content-type' => 'application/json',`
			`'x-appwrite-project' => $projectId,`
			`'x-appwrite-key' => $this->getProject()['apiKey'],`
			`], $gqlPayload);`

Timing updates 2026-02-24 01:00:07 +00:00			`$this->assertEventually(function () use ($databaseId, $tableId) {`
			`$response = $this->client->call(Client::METHOD_GET, '/tablesdb/' . $databaseId . '/tables/' . $tableId . '/columns/name', array_merge([`
			`'content-type' => 'application/json',`
			`'x-appwrite-project' => $this->getProject()['$id'],`
			`'x-appwrite-key' => $this->getProject()['apiKey'],`
			`]));`
			`$this->assertEquals('available', $response['body']['status']);`
			`}, 30000, 250);`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00
			`return [`
			`'databaseId' => $databaseId,`
update: model; add\|update: graphql tests [wip]. 2025-05-09 14:34:02 +00:00			`'tableId' => $tableId,`
Add test for rate limit enforced when using graphql 2022-10-28 07:13:48 +00:00			`];`
			`}`
Add abuse test 2022-07-14 08:11:39 +00:00			`}`