
Rate Limits

Posted: Tue Nov 12, 2019 10:57 am
by SBarnes
Does the web api currently support rate limits and if not how could this be implemented?

Re: Rate Limits

Posted: Tue Nov 12, 2019 11:29 am
by Mike.Sheen
You can use request filters and the built-in session cache management to do this.

Attached is an example which uses a global request filter to impose a limit of 30 requests in a 10 second interval for all routes for any session.

When the limit is exceeded, a 429 is returned.

All responses, even if not limited, add header information telling the consumer how many requests they have left and when the limit expires.

EDIT: Removed extraneous document attachment to plugin.

Re: Rate Limits

Posted: Tue Nov 12, 2019 1:13 pm
by Mike.Sheen
Updated to limit by IP address when there is no session info (e.g.: routes not requiring authentication such as the /auth route).

This has also been added as a standard (but disabled) plugin in 07.02.03 - DEV-7900

Re: Rate Limits

Posted: Tue Nov 12, 2019 2:11 pm
by SBarnes
Thanks Mike as always,

Could it be possible to have an IP exclusion from rate ranges as well, only so that if you are running a web store off the same API you don't whack yourself with the rate limits?

Re: Rate Limits (Topic is solved)

Posted: Tue Nov 12, 2019 6:08 pm
by Mike.Sheen
SBarnes wrote: Could it be possible to have an IP exclusion from rate ranges as well, only so that if you are running a web store off the same API you don't whack yourself with the rate limits?

Sure - was something like the attached what you had in mind?

Basically we just allow an array of CIDR addresses to be provided, and if the caller of the API has their IP address within any of those blocks we skip the rate limit check altogether.

public void RateLimitRequestFilter(IRequest req, IResponse res, object dto)
{
   // check if we've exceeded the rate limit for the user's sessionId or IP address and throw a 429
   string[] exclusionIPAddresses = {"14.202.205.230/32", "189.40.31.0/24"};  // CIDR blocks whose callers skip the rate limit check altogether
   
   if (req.RemoteIp.InCIDRExclusions(exclusionIPAddresses))
      return;
   ....
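
The attached plugin itself is not on the page, so here is an added, self-contained C# sketch (not the plugin's or Jiwa's own code) of the approach described in this thread: a fixed window of N requests per interval keyed by session id or, when there is no session, by remote IP, a CIDR exclusion list checked before anything else, a 429 once the limit is exceeded, and headers on every response saying how many requests remain and when the window resets. The class and method names, the X-RateLimit-* header names and the thread-safety note are my assumptions; a request filter like the one above would call Check with req.RemoteIp and the session id and copy the status and headers onto the response.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Fixed-window limiter keyed by session id, or by IP when there is no session, with a
// CIDR exclusion list checked first. Constructed example, not the plugin's own code.
// Not thread-safe: a real request filter must lock around _buckets or use the session cache.
public sealed class RateLimiter
{
    private readonly int _limit;
    private readonly TimeSpan _window;
    private readonly List<(uint net, uint mask)> _exclusions = new List<(uint net, uint mask)>();
    private readonly Dictionary<string, (int count, DateTime resetAt)> _buckets =
        new Dictionary<string, (int count, DateTime resetAt)>();

    public RateLimiter(int limit, TimeSpan window, IEnumerable<string> exclusionCidrs)
    {
        _limit = limit;
        _window = window;
        foreach (var cidr in exclusionCidrs)             // e.g. "189.40.31.0/24" or "14.202.205.230/32"
        {
            var parts = cidr.Split('/');
            int bits = parts.Length > 1 ? int.Parse(parts[1]) : 32;
            uint mask = bits == 0 ? 0u : uint.MaxValue << (32 - bits);
            _exclusions.Add((ToUInt32(parts[0]) & mask, mask));
        }
    }
    private static uint ToUInt32(string ipv4)            // IPv4 only: four big-endian bytes
    {
        var b = IPAddress.Parse(ipv4).GetAddressBytes();
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
    public bool IsExcluded(string remoteIp) =>
        _exclusions.Exists(e => (ToUInt32(remoteIp) & e.mask) == e.net);

    // Status to send (200 = pass, 429 = limited) plus the headers added to every response,
    // limited or not. The X-RateLimit-* header names are assumed, not taken from the plugin.
    public (int status, Dictionary<string, string> headers) Check(string remoteIp, string sessionId, DateTime now)
    {
        var headers = new Dictionary<string, string>();
        if (IsExcluded(remoteIp)) return (200, headers);  // excluded callers skip the check entirely
        string key = string.IsNullOrEmpty(sessionId) ? "ip:" + remoteIp : "session:" + sessionId;
        if (!_buckets.TryGetValue(key, out var b) || now >= b.resetAt)
            b = (0, now + _window);                       // first request, or the window has expired
        b.count++;
        _buckets[key] = b;
        headers["X-RateLimit-Remaining"] = Math.Max(0, _limit - b.count).ToString();
        headers["X-RateLimit-Reset"] = b.resetAt.ToString("o");
        return (b.count > _limit ? 429 : 200, headers);
    }
}
```

With new RateLimiter(30, TimeSpan.FromSeconds(10), new[] { "189.40.31.0/24" }), the 31st call for the same key inside one window returns 429 while a caller at 189.40.31.77 is never counted.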

Re: Rate Limits

Posted: Tue Nov 12, 2019 6:21 pm
by SBarnes
Looks good, thanks Mike

Re: Rate Limits

Posted: Tue Nov 12, 2019 6:51 pm
by Mike.Sheen
SBarnes wrote: Looks good, thanks Mike

No worries - I should caution you that I've not tested this whitelisting aspect thoroughly yet - so don't deploy to a production environment until you've tested it yourself or we release 07.02.03 (which will have this as a standard plugin and we will have tested it properly by then).

Re: Rate Limits

Posted: Wed Nov 13, 2019 7:39 am
by SBarnes
Hi Mike,

I have updated it to now include the system settings, as well as the following code to overcome the load/compile issue we were having before. Basically the exclusion range is a comma-separated string.

NOTE: I haven't tested this as yet.

Plugin.PluginReferenceCollection.Read();
AppDomain.CurrentDomain.AssemblyResolve += delegate(object sender, System.ResolveEventArgs args) { return AssemblyResolve(sender, args, Plugin); };

Re: Rate Limits

Posted: Wed Nov 13, 2019 6:03 pm
by Mike.Sheen
SBarnes wrote: I have updated it to now include the system settings, as well as the following code to overcome the load/compile issue we were having before. Basically the exclusion range is a comma-separated string.

Thanks! I've incorporated your changes into the plugin we will ship with 07.02.03.