Implementation Plan: Proxying frontend API requests through the Nuxt server
Due date:
2024-01-11
Assigned reviewers
- [ ] @krysal
- [ ] @dhruvkb
Description
Related to #3473
Current round
This discussion is following the Openverse decision-making process. Information about this process can be found on the Openverse documentation site. Requested reviewers or participants will be following this process. If you are being asked to give input on a specific detail, you do not need to familiarise yourself with the process and follow it.
This discussion is currently in the Decision round. The deadline for review of this round is 2024-01-11
Revision details
[2024-01-08] I updated the plan based on the comments. The main changes are:
- Proxy All Frontend Traffic: Updated the plan to proxy all frontend routes, not just the /api routes. This will make the rate-limiting setup easier and eliminate the need to integrate modules like Nuxt Turnstile. Handling Cloudflare challenges directly in the Nuxt server avoids the complexity of requiring the Pinia media store to process challenge responses instead of result responses.
- Use h3 session for identifying users: The plan now uses h3 sessions to create a verifiable session header/cookie. Cloudflare will validate that the header/cookie exists, allowing requests to pass even if the cookie is invalid (e.g., generated by automated requests). The Nuxt server will then decode the cookie using the secret and verify its validity. Invalid cookies will trigger a 401 Unauthorized response from the Nuxt server, preventing these requests from reaching the Django API. This ensures robust protection against automated abuse.
- Shared IP scenario testing: Detailed a method to test shared IP scenarios using two different browsers or an incognito window to simulate multiple users. This approach demonstrates how authenticated users bypass stricter limits while anonymous users face challenges if limits are exceeded.
- Excluding static asset routes: Explicitly stated that static asset requests (e.g., /_nuxt/, .css, .jpg) are excluded from rate limiting to streamline traffic and reduce unnecessary challenges.
Here's a branch with a draft of changes implementing this project (single commit for all changes): https://github.com/WordPress/openverse/tree/add/api-proxying
Full-stack documentation: https://docs.openverse.org/_preview/5265
Please note that GitHub pages takes a little time to deploy newly pushed code. If the links above don't work or you see old versions, wait 5 minutes and try again.
You can check the GitHub pages deployment action list to see the current status of the deployments.
New files :heavy_plus_sign::
- https://docs.openverse.org/_preview/5265/projects/proposals/proxy_frontend_api_requests/20241202-implementation_plan_proxy_frontend_api_requests_ip.html
- https://docs.openverse.org/_preview/5265/projects/proposals/proxy_frontend_api_requests/index.html
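The two-tier check described in the h3 session item of the revision details, as an added example that is not taken from the PR or the Openverse code base: the edge can only see whether a session cookie exists, while the origin verifies it with the secret and answers 401 when verification fails. An HMAC-signed token stands in for h3's sealed session, and the cookie name, the tier labels and the handling of a missing cookie are assumptions.

```javascript
// Added example, not Openverse code. An HMAC-signed token stands in for
// h3's sealed session; cookie name and tier labels are assumptions.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SESSION_COOKIE = 'ov_session'; // hypothetical cookie name
const STATIC_ASSET = /^\/_nuxt\/|\.(css|jpg)$/; // examples named in the plan

const sign = (payload, secret) =>
  createHmac('sha256', secret).update(payload).digest('base64url');

// Origin side: issue "<base64url JSON>.<mac>".
function issueSession(data, secret) {
  const payload = Buffer.from(JSON.stringify(data)).toString('base64url');
  return `${payload}.${sign(payload, secret)}`;
}

// Edge side: no secret available, so only presence can be checked.
function edgeTier(path, cookies) {
  if (STATIC_ASSET.test(path)) return 'excluded'; // not rate limited
  return SESSION_COOKIE in cookies ? 'session' : 'anonymous';
}

// Origin side: returns the session data, or null if the token is not ours.
function verifySession(token, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload, secret));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return null;
  }
  try {
    return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Status the origin would return before anything is proxied to the API.
function originStatus(cookies, secret) {
  // Assumption: a request with no cookie is a new anonymous visitor.
  if (!(SESSION_COOKIE in cookies)) return 200;
  return verifySession(cookies[SESSION_COOKIE], secret) ? 200 : 401;
}
```

A cookie with an arbitrary value lands in the `session` tier at the edge but is rejected with 401 at the origin, which is the gap the origin-side verification closes.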
I'm glad the proposal has been simplified by removing the Nuxt Turnstile module requirement 😄 I have a small question about the number of sessions, other than that, there are minor comments/suggestions. Once clarified, I expect a quick approval. Thanks for writing this, @obulat. It looks very promising.
Based on the high urgency of this PR, the following reviewers are being gently reminded to review this PR:
@sarayourfriend @dhruvkb This reminder is being automatically generated due to the urgency configuration.
Excluding weekend[^1] days, this PR was ready for review 23 day(s) ago. PRs labelled with high urgency are expected to be reviewed within 2 weekday(s)[^2].
@obulat, if this PR is not ready for a review, please draft it to prevent reviewers from getting further unnecessary pings.
[^1]: Specifically, Saturday and Sunday.
[^2]: For the purpose of these reminders we treat Monday - Friday as weekdays. Please note that the operation that generates these reminders runs at midnight UTC on Monday - Friday. This means that depending on your timezone, you may be pinged outside of the expected range.