codu-code / codu

Codú's open-source codebase. A space for coders. Visit our community!
https://codu.co/
Apache License 2.0
141 stars 145 forks

API throttling #172

Closed NiallJoeMaher closed 2 months ago

NiallJoeMaher commented 1 year ago

Context

Currently, we do not have API throttling enabled, which we should enable to stop a mischievous user/bot from spamming the site to oblivion.

Expected Behavior

To be discussed here.

JeremiSz commented 1 year ago

From some quick research, I've gathered throttling can come in a few different levels. Just to clarify, this issue is just in reference to limiting the interactions a user can do per unit of time?

JeremiSz commented 1 year ago

If that is what the goal is, Vercel seems to already have a solution: https://github.com/vercel/examples/blob/main/edge-functions/api-rate-limit/README.md However, it appears to require an in-memory DB.

NiallJoeMaher commented 1 year ago

Great find @JeremiSz! And yes, I was trying to figure out if we could rate limit at an API level. Example, someone can only leave one comment every few seconds but could refresh a request for an article a dozen times before rate limiting should ever hit it.

We use AWS for hosting, so I don't think we can leverage Edge functions (but I'm hoping I'm wrong).

JeremiSz commented 1 year ago

Is there an in-memory database, or would you be open to running one for this purpose? I don't see much difficulty in reimplementing our own version. Just a key-value pair of a user token and a request count. Though that could be my college and Golang/C++ do-it-yourself mentality.
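The "key-value pair of a user token and a request count" idea above, combined with the per-endpoint budgets Niall describes (one comment every few seconds, a dozen article refreshes before throttling), as an added example that is not code from the codu repository. It is a token-bucket limiter keyed by client token and route; the route names, limits and the injectable clock are assumptions for illustration, and the counters live in a process-local Map, so behind a load balancer each instance would keep its own counts (which is why the thread moves on to Redis and WAF).

```typescript
// Added example, not part of the codu codebase.
// Per-route token buckets keyed by "<clientToken>:<route>".

type RouteLimit = { capacity: number; refillPerSecond: number };

// Hypothetical budgets: writes are scarce, reads are generous.
export const ROUTE_LIMITS: Record<string, RouteLimit> = {
  "POST /api/comment": { capacity: 1, refillPerSecond: 1 / 5 }, // one comment per 5 s
  "GET /api/article": { capacity: 12, refillPerSecond: 2 },     // burst of 12, then 2/s
};

type Bucket = { tokens: number; updatedAt: number };

export class RateLimiter {
  private buckets = new Map<string, Bucket>();

  // `now` is injectable so the refill logic can be tested with a fake clock.
  constructor(
    private limits: Record<string, RouteLimit>,
    private now: () => number = () => Date.now(),
  ) {}

  // Refill the bucket for this client+route based on elapsed time, then cap at capacity.
  private bucketFor(clientKey: string, route: string, limit: RouteLimit): Bucket {
    const key = `${clientKey}:${route}`;
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: limit.capacity, updatedAt: t };
      this.buckets.set(key, b);
    }
    const elapsedSec = (t - b.updatedAt) / 1000;
    b.tokens = Math.min(limit.capacity, b.tokens + elapsedSec * limit.refillPerSecond);
    b.updatedAt = t;
    return b;
  }

  // Returns true and consumes one token if the request is allowed; false if throttled.
  allow(clientKey: string, route: string): boolean {
    const limit = this.limits[route];
    if (!limit) return true; // routes without a configured budget are not throttled
    const b = this.bucketFor(clientKey, route, limit);
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return true;
    }
    return false;
  }

  // Milliseconds until the next token is available; useful for a Retry-After header.
  retryAfterMs(clientKey: string, route: string): number {
    const limit = this.limits[route];
    if (!limit) return 0;
    const b = this.bucketFor(clientKey, route, limit);
    if (b.tokens >= 1) return 0;
    return Math.ceil(((1 - b.tokens) / limit.refillPerSecond) * 1000);
  }
}

// Usage: in a request handler, key on the authenticated user's token (or the client IP
// for anonymous traffic) and respond 429 when allow() returns false.
const demo = new RateLimiter(ROUTE_LIMITS);
demo.allow("user-token-abc", "POST /api/comment");
```

The bucket for each (client, route) pair is created lazily, so a quiet client costs nothing until its first request; a real deployment would also evict idle buckets, or keep them in Redis where the expiry does that for you.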

NiallJoeMaher commented 1 year ago

I've not had to use Redis, but maybe it's a good use case for it - https://redis.com/glossary/rate-limiting/

I have a CDK folder, so we can easily add more infrastructure as needed. Maybe an AWS service handles some of this I just haven't gone ahead and researched it enough 🤔

abhijeetgurle commented 1 year ago

Found this good article on this topic: https://blog.logrocket.com/set-up-rate-limiting-next-js-redis/#:~:text=Token%20bucket%20rate%20limiting%20is,the%20client%20request%20ip%20address.

JeremiSz commented 1 year ago

That article still relies on Redis or some other in-memory DB. If it would be better to just use AWS services, WAF rules could be used. SRC: https://aws.amazon.com/blogs/architecture/rate-limiting-strategies-for-serverless-applications/ Descriptions of how to configure it are here: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based-request-limiting.html

NiallJoeMaher commented 1 year ago

Oh dang, this is a great find @JeremiSz! WAF might be the way to go.