Fix threshold behavior to allow N requests instead of N-1

README.md

@@ -18,7 +18,7 @@ class QueryType < GraphQL::Schema::Object
 end
 ```
 
-This would block requests starting from the 15th attempt within a 60-second window by the same IP address. That is, if 15 requests are made, the first 14 will succeed and the 15th will fail.
+This would allow 15 requests per minute by the same IP address, blocking the 16th and subsequent requests within that 60-second window.
 
 ## Requirements
 

lib/graph_attack/rate_limit.rb

@@ -27,8 +27,12 @@ def key
     def calls_exceeded_on_query?(rate_limited_field)
       with_redis_client do |redis_client|
         rate_limit = Ratelimit.new(rate_limited_field, redis: redis_client)
-        rate_limit.add(key)
-        rate_limit.exceeded?(key, threshold: threshold, interval: interval)
+        if rate_limit.exceeded?(key, threshold: threshold, interval: interval)
+          true
+        else
+          rate_limit.add(key)
+          false
+        end
       end
     end
 

spec/graph_attack/rate_limit_spec.rb

@@ -42,6 +42,10 @@ class QueryType < GraphQL::Schema::Object
       extension GraphAttack::RateLimit
     end
 
+    field :field_with_threshold_one, String, null: false do
+      extension GraphAttack::RateLimit, threshold: 1, interval: 60
+    end
+
     def inexpensive_field
       'result'
     end
@@ -69,6 +73,10 @@ def field_with_on_option
     def field_with_defaults
       'result'
     end
+
+    def field_with_threshold_one
+      'result'
+    end
   end
 
   class Schema < GraphQL::Schema
@@ -120,7 +128,7 @@ class Schema < GraphQL::Schema
       end
 
       it 'returns data until rate limit is exceeded' do
-        4.times do
+        5.times do
           result = schema.execute(query, context: context)
 
           expect(result).not_to have_key('errors')
@@ -130,7 +138,7 @@ class Schema < GraphQL::Schema
 
       context 'when rate limit is exceeded' do
         before do
-          4.times do
+          5.times do
             schema.execute(query, context: context)
           end
         end
@@ -196,7 +204,7 @@ class Schema < GraphQL::Schema
         end
 
         it 'returns an error when the default rate limit is exceeded' do
-          2.times do
+          3.times do
             result = schema.execute(query, context: context)
 
             expect(result).not_to have_key('errors')
@@ -229,7 +237,7 @@ class Schema < GraphQL::Schema
         end
 
         before do
-          5.times do
+          6.times do
             schema.execute(query, context: context)
           end
         end
@@ -259,7 +267,7 @@ class Schema < GraphQL::Schema
         end
 
         before do
-          10.times do
+          11.times do
             schema.execute(query, context: context)
           end
         end
@@ -310,7 +318,7 @@ class Schema < GraphQL::Schema
       end
 
       it 'returns data until rate limit is exceeded' do
-        9.times do
+        10.times do
           result = schema.execute(query, context: context)
 
           expect(result).not_to have_key('errors')
@@ -320,7 +328,7 @@ class Schema < GraphQL::Schema
 
       context 'when rate limit is exceeded' do
         before do
-          9.times do
+          10.times do
             schema.execute(query, context: context)
           end
         end
@@ -351,6 +359,27 @@ class Schema < GraphQL::Schema
         end
       end
     end
+
+    describe 'field with threshold: 1' do
+      let(:query) { '{ fieldWithThresholdOne }' }
+
+      it 'allows exactly 1 request before blocking the 2nd' do
+        # First request should succeed
+        result = schema.execute(query, context: context)
+        expect(result).not_to have_key('errors')
+        expect(result['data']).to eq('fieldWithThresholdOne' => 'result')
+
+        # Second request should be blocked
+        result = schema.execute(query, context: context)
+        expected_error = {
+          'locations' => [{ 'column' => 3, 'line' => 1 }],
+          'message' => 'Query rate limit exceeded',
+          'path' => ['fieldWithThresholdOne'],
+        }
+        expect(result['errors']).to eq([expected_error])
+        expect(result['data']).to be_nil
+      end
+    end
   end
 
   context 'when context has not IP key' do