ensure it is not possible to severely harm instances with a single GraphQL query

Created by: slimsag

Today, it is possible to do real harm to a Sourcegraph instance by constructing a GraphQL query that requests lots of work be done, and we do not have anything in place to prevent this.

Currently, we rely on good faith that users won't do this, but at larger organizations this becomes a real problem as more and more users make use of our GraphQL API.

Surfacing which users make these queries is a step in the right direction, but preventing this from happening in the first place would be better. This issue is for tracking how we can do this.