Rate limit ai action GraphQL mutation

The current rate limit is hard-set to 10 times per minute It shouldn't be inconvenient while protects from abuse

Rate limit ai action GraphQL mutation
72876a30 · Igor Drozdov · e2ff33c5 · 72876a30 · 72876a30 · 72876a30
Verified Commit 72876a30 authored 1 year ago by Igor Drozdov
--- a/doc/security/rate_limits.md
+++ b/doc/security/rate_limits.md
@@ -148,6 +148,14 @@ There is a rate limit for the endpoint `project/:id/jobs`, which is enforced to

 The **rate limit** is 600 calls per minute per authenticated user.

+### AI action
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118010) in GitLab 16.0.
+
+There is a rate limit for the GraphQL `aiAction` mutation, which is enforced to prevent from abusing this endpoint.
+
+The **rate limit** is 20 calls per hour per authenticated user.
+
 ## Troubleshooting

 ### Rack Attack is denylisting the load balancer

--- a/ee/app/graphql/mutations/ai/action.rb
+++ b/ee/app/graphql/mutations/ai/action.rb
@@ -22,6 +22,7 @@ def ready?(**args)

      def resolve(**attributes)
        check_feature_flag_enabled!
+        verify_rate_limit!

        resource_id, method, options = extract_method_params!(attributes)
        resource = authorized_find!(id: resource_id)
@@ -41,6 +42,13 @@ def check_feature_flag_enabled!
        raise Gitlab::Graphql::Errors::ResourceNotAvailable, '`openai_experimentation` feature flag is disabled.'
      end

+      def verify_rate_limit!
+        return unless Gitlab::ApplicationRateLimiter.throttled?(:ai_action, scope: [current_user])
+
+        raise Gitlab::Graphql::Errors::ResourceNotAvailable,
+          'This endpoint has been requested too many times. Try again later.'
+      end
+
      def methods(args)
        args.slice(*Llm::ExecuteMethodService::METHODS.keys)
      end

--- a/ee/spec/graphql/mutations/ai/action_spec.rb
+++ b/ee/spec/graphql/mutations/ai/action_spec.rb
@@ -49,6 +49,16 @@
        end
      end

+      context 'when the action is called too many times' do
+        it 'raises error' do
+          expect(Gitlab::ApplicationRateLimiter).to(
+            receive(:throttled?).with(:ai_action, scope: [user]).and_return(true)
+          )
+
+          expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable, /too many times/)
+        end
+      end
+
      context 'when user cannot read resource' do
        it 'raises error' do
          allow(Ability)

--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -56,6 +56,7 @@ def rate_limits # rubocop:disable Metrics/AbcSize
          namespace_exists: { threshold: 20, interval: 1.minute },
          fetch_google_ip_list: { threshold: 10, interval: 1.minute },
          project_fork_sync: { threshold: 10, interval: 30.minutes },
+          ai_action: { threshold: 20, interval: 1.hour },
          jobs_index: { threshold: 600, interval: 1.minute },
          bulk_import: { threshold: 6, interval: 1.minute },
          projects_api_rate_limit_unauthenticated: {