
Adding custom limiter and caps interface/feature

Open Silfalion opened this issue 3 years ago • 6 comments

Following the discussion with Meldiron, this is the idea that came up.

IDEA:

Implementing a limit/cap custom Appwrite function and/or interface to put rules on tables. For example, this table can’t be written to more than 10 times a day, or it can’t be written to more than 1000 times a minute, or, as Meldiron mentioned, more complex ones like you can only post as many comments as you created posts.

We could have at first a custom Appwrite function, then maybe an interface to write up to directly. On a side note, this would greatly benefit all the runtimes, as one could edit directly in the webapp, for example, or SSH into the Appwrite function and edit the function directly while keeping tags of the previous versions.

Motivation:

This stems from the fact that as of now it’s very easy for an attacker to flood a table with fake data if it’s writeable to all users, such as the order table for an e-commerce website; fake orders with fake geopoints could create quite the mayhem.

Silfalion avatar Aug 19 '21 08:08 Silfalion

The inspiration could be taken from Directus. Just like we have webhooks for document create or update events, Directus also has .before events for these. It waits for the function to execute and depending on the response, it can deny the write action.

Directus approach: https://docs.directus.io/guides/api-hooks/

Code example with .before: https://docs.directus.io/guides/api-hooks/#full-example

Meldiron avatar Aug 19 '21 08:08 Meldiron

That hits the nail on the head. Since it’s open source we can harness what’s relevant to us to implement on Appwrite or even use it directly with some tweaks.

Edit: since it only supports MySQL at the moment it seems the first option is more relevant.

Silfalion avatar Aug 19 '21 08:08 Silfalion

Mhh, this sounds to me like a middleware that could be hooked into any kind of API write action.

Meaning you can run any kind of logic (Cloud Functions) before the actual work is done and can decide if you wanna proceed or not. Maybe even manipulate the payload.

TorstenDittmann avatar Aug 20 '21 16:08 TorstenDittmann
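The pre-write middleware discussed in this thread, sketched as an added example (not code from Appwrite, Directus, or any participant here): a hypothetical `beforeWrite` hook that enforces sliding-window write caps per actor and table, plus a relational cap such as "no more comments than posts". The class name, rule format, in-memory store and caller-supplied `counts` are all assumptions.

```javascript
// Added example. WriteLimiter and its rule format are hypothetical, not an Appwrite API.
class WriteLimiter {
  // rules: { table: { windows: [{ limit, windowMs }], atMostCountOf: 'otherTable' } }
  constructor(rules) {
    this.rules = rules;
    this.history = new Map(); // "table:actor" -> timestamps (ms) of accepted writes
  }

  // Called before a write is committed. Returns { allow, reason }.
  // counts: the actor's current document count per table, supplied by the caller (assumption).
  // now: injectable clock so the hook can be tested deterministically.
  beforeWrite(table, actor, counts = {}, now = Date.now()) {
    const rule = this.rules[table] ?? {};
    const windows = rule.windows ?? [];
    const key = `${table}:${actor}`;
    // Keep only timestamps that can still matter for the longest window.
    const longest = Math.max(0, ...windows.map((w) => w.windowMs));
    const stamps = (this.history.get(key) ?? []).filter((t) => now - t < longest);

    for (const { limit, windowMs } of windows) {
      const used = stamps.filter((t) => now - t < windowMs).length;
      if (used >= limit) {
        return { allow: false, reason: `${table}: limit of ${limit} writes per ${windowMs} ms reached` };
      }
    }
    // Relational cap: rows in `table` may not exceed the actor's rows in another table.
    const other = rule.atMostCountOf;
    if (other && (counts[table] ?? 0) >= (counts[other] ?? 0)) {
      return { allow: false, reason: `${table}: count may not exceed ${other}` };
    }
    stamps.push(now); // record only accepted writes
    this.history.set(key, stamps);
    return { allow: true, reason: null };
  }
}

// Constructed sample rules mirroring the caps proposed in the issue.
const sampleRules = {
  orders: { windows: [{ limit: 10, windowMs: 24 * 60 * 60 * 1000 }] },
  events: { windows: [{ limit: 1000, windowMs: 60 * 1000 }] },
  comments: { atMostCountOf: 'posts' },
};
const sampleLimiter = new WriteLimiter(sampleRules);
console.log(sampleLimiter.beforeWrite('comments', 'user-1', { comments: 1, posts: 1 }));
```

Keying the history on the actor as well as the table keeps one abusive client from exhausting the cap for everyone else; a multi-instance deployment would need a shared store in place of the in-memory `Map`.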

So it'd be the equivalent of creating a cloud function with the on document created property turned on.

Silfalion avatar Aug 20 '21 17:08 Silfalion

@Silfalion, this looks like the same request as https://github.com/appwrite/appwrite/issues/2358. If so, can we close this one as that one has more 👍 and you can 👍 that one?

stnguyen90 avatar Oct 14 '22 15:10 stnguyen90

@stnguyen90 and more detailed. Sounds good and thank you:)

Silfalion avatar Oct 14 '22 15:10 Silfalion