api.webmaker.org icon indicating copy to clipboard operation
api.webmaker.org copied to clipboard

Published 20 hours ago verified publisher icon mozilla

Rate Limiting

Open cadecairos opened this issue 9 years ago • 9 comments

We should apply rate limits to most API routes to prevent abuse and spam. I'm not sure what kind of rate limiting tools are available for Hapi, but they're sure to be out there.

cadecairos avatar May 12 '15 14:05 cadecairos

Not sure if this helps, but here is the token-bucket based throttle I worked on for a few other projects: https://github.com/thisandagain/micron-throttle

Allows you to specify any arbitrary tokenTable so connecting to redis, memcached, etc. is trivial.

thisandagain avatar May 12 '15 15:05 thisandagain

That looks useful, but it looks like it won't work in Hapi

cadecairos avatar May 12 '15 16:05 cadecairos

@thisandagain, @jbuck do these seem like reasonable limits? (I'm picking these arbitrarily)

Method Path Limit Period(min) Key On
GET /discover 2500 15 IP
GET /projects 2500 15 IP
GET /users/{user} 25 15 User ID
PATCH /users/{user} 25 15 User ID
DELETE /users/{user} 25 15 User ID
GET /users/{user}/projects 2500 15 IP
POST /users/{user}/projects 25 15 User ID
GET /users/{user}/projects/{project} 2500 15 IP
PATCH /users/{user}/projects/{project} 100 15 User ID
DELETE /users/{user}/projects/{project} 25 15 User ID
PATCH /users/{user}/projects/{project}/feature 100 15 User ID
GET /users/{user}/projects/{project}/pages 1000 15 IP
POST /users/{user}/projects/{project}/pages 100 15 User ID
GET /users/{user}/projects/{project}/pages/{page} 1000 15 IP
PATCH /users/{user}/projects/{project}/pages/{page} 100 15 User ID
DELETE /users/{user}/projects/{project}/pages/{page} 100 15 User ID
GET /users/{user}/projects/{project}/pages/{page}/elements 1000 15 IP
POST /users/{user}/projects/{project}/pages/{page}/elements 250 15 User ID
GET /users/{user}/projects/{project}/pages/{page}/elements/{element} 1000 15 IP
PATCH /users/{user}/projects/{project}/pages/{page}/elements/{element} 250 15 User ID
DELETE /users/{user}/projects/{project}/pages/{page}/elements/{element} 250 15 User ID
GET /users/{user}/projects/{project}/remixes 1000 15 IP
POST /users/{user}/projects/{project}/remixes 25 15 User ID

cadecairos avatar May 28 '15 15:05 cadecairos

That seems kinda complicated. Could we simplify it by just setting it to x requests over a 60 minute period for all of them?

jbuck avatar May 28 '15 15:05 jbuck

I don't think it should be the same for all of them. Some routes should allow for more (pages, elements), some less (projects), and non-authed routes need to allow for lots from one IP (/discover, /projects)

cadecairos avatar May 28 '15 15:05 cadecairos

I also don't think it's complicated, it's just configuration

cadecairos avatar May 28 '15 15:05 cadecairos

hey! i'm taking over this. i think i agree with both @jbuck and @cadecairos. what i'd like is to create a small, medium, and large limit, and just assign each endpoint as small medium or large. this will be a temporary config until we have data to really decide what the numbers should be. thoughts?

ashleygwilliams avatar Jul 13 '15 17:07 ashleygwilliams

@ashleygwilliams sounds good to me!

jbuck avatar Jul 13 '15 17:07 jbuck

:+1:

cadecairos avatar Jul 13 '15 17:07 cadecairos