use jwt in rate limiting

Open MajidDehnamaki opened this issue 6 years ago • 5 comments

Hi, how can I use JWT as the client id for client rate limiting? I think I should set "ClientIdHeader": "Authorization" in my appsettings.json.

MajidDehnamaki avatar Apr 07 '18 09:04 MajidDehnamaki

I have the same question. As a workaround I've used "ClientIdHeader": "Authorization", however the API can be configured to accept JWT tokens via query strings.

The problem is that the client rate limiting middleware is executed before the MVC authorisation handlers parse the JWT token, and so httpContext.User is not set.

It would be nice to have an option for ClientRateLimitMiddleware to be executed after user context is set.

muxa avatar Feb 03 '19 22:02 muxa

I had a similar problem with wanting to use claims-based ratelimiting. My solution was to register the ratelimiting middleware after authentication. In Startup.cs#Configure:

			app.UseAuthentication();
			app.UseClientRateLimiting();

Then using a custom configuration and resolver:

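```csharp
using AspNetCoreRateLimit;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;

// Resolves the rate-limit client id from the authenticated user's claims.
public class ClientIdResolver : IClientResolveContributor
{
	private readonly IHttpContextAccessor _httpContextAccessor;

	public ClientIdResolver(IHttpContextAccessor httpContextAccessor)
	{
		_httpContextAccessor = httpContextAccessor;
	}

	public string ResolveClient()
	{
		// GetPlayerId() is a project-specific extension method on ClaimsPrincipal (not shown).
		return _httpContextAccessor.HttpContext.User.GetPlayerId().ToString();
	}
}

// Registers the claims-based resolver with the rate limiting middleware.
public class CustomRateLimitConfiguration : RateLimitConfiguration
{
	public CustomRateLimitConfiguration(IHttpContextAccessor httpContextAccessor,
										IOptions<IpRateLimitOptions> ipOptions,
										IOptions<ClientRateLimitOptions> clientOptions) : base(
		httpContextAccessor, ipOptions, clientOptions)
	{
	}

	protected override void RegisterResolvers()
	{
		ClientResolvers.Add(new ClientIdResolver(HttpContextAccessor));
	}
}
```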

Register the custom configuration using services in `Startup.cs#ConfigureServices`:
`services.AddSingleton<IRateLimitConfiguration, CustomRateLimitConfiguration>();`

Kantis avatar Oct 03 '19 09:10 Kantis
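
Added example, not part of the original comment or of the AspNetCoreRateLimit project: a resolver for the same `IClientResolveContributor` interface that keys the limiter on a validated claim, so the counter follows the user rather than the raw `Authorization` header value, and falls back to the remote IP when no authenticated user is present. The class name, the `user:`/`ip:` prefixes and the choice of claim types are assumptions; it relies on `app.UseAuthentication()` running before `app.UseClientRateLimiting()` as shown above.

```csharp
using System.Security.Claims;
using AspNetCoreRateLimit;
using Microsoft.AspNetCore.Http;

// Hypothetical resolver: claim-based client id with a per-IP fallback.
public class ClaimOrIpClientResolver : IClientResolveContributor
{
    // Assumption: the token carries the user id in "sub". The default JWT handler
    // maps "sub" to ClaimTypes.NameIdentifier, so both names are checked.
    private static readonly string[] IdClaimTypes = { ClaimTypes.NameIdentifier, "sub" };

    private readonly IHttpContextAccessor _httpContextAccessor;

    public ClaimOrIpClientResolver(IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
    }

    public string ResolveClient()
    {
        HttpContext context = _httpContextAccessor.HttpContext;
        ClaimsPrincipal user = context?.User;

        // Only trust claims once authentication has validated the token.
        if (user?.Identity?.IsAuthenticated == true)
        {
            foreach (string claimType in IdClaimTypes)
            {
                string value = user.FindFirst(claimType)?.Value;
                if (!string.IsNullOrWhiteSpace(value))
                {
                    return "user:" + value;
                }
            }
        }

        // Anonymous or rejected token: limit per remote address instead of throwing.
        // Behind a reverse proxy this is the proxy's address unless forwarded headers are processed.
        string ip = context?.Connection.RemoteIpAddress?.ToString();
        return ip != null ? "ip:" + ip : "anonymous";
    }
}
```

It plugs into `RegisterResolvers()` of the custom configuration above in place of `ClientIdResolver`; any client-specific rules in configuration would then need to match the prefixed ids.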

@Kantis What do you use as Authorization? Custom middleware? I have a custom AuthenticationHandler and a custom AuthorizationHandler and they execute before IClientResolveContributor. Maybe because they are MVC filters, which are required to be executed after the rate limiter.

Seems like I need to write middleware for Authentication then and use actual handlers just to confirm user.

CurlyBraceTT avatar Oct 01 '20 12:10 CurlyBraceTT

> @Kantis What do you use as Authorization? Custom middleware? I have a custom AuthenticationHandler and a custom AuthorizationHandler and they execute before IClientResolveContributor. Maybe because they are MVC filters, which are required to be executed after the rate limiter.
>
> Seems like I need to write middleware for Authentication then and use actual handlers just to confirm user.

We used claim-based authentication using an auth header. We tried to use as much out-of-the-box as possible, so it shouldn't have been any custom middleware, but I'm not active in the project anymore so can't say for sure.

Kantis avatar Oct 01 '20 17:10 Kantis

This helped me: https://github.com/stefanprodan/AspNetCoreRateLimit/issues/82#issuecomment-555065072

awatertrevi avatar Aug 22 '21 22:08 awatertrevi