codu-code / codu

Codú's open-source codebase. A space for coders. Visit our community!
https://codu.co/
Apache License 2.0

API throttling #172

Closed NiallJoeMaher closed 1 week ago

NiallJoeMaher commented 1 year ago

Context

Currently, we do not have API throttling enabled, which we should enable to stop a mischievous user/bot from spamming the site to oblivion.

Expected Behavior

To be discussed here.

JeremiSz commented 11 months ago

From some quick research, I've gathered throttling can come in a few different levels. Just to clarify, this issue is just in reference to limiting the interactions a user can do per unit of time?

JeremiSz commented 11 months ago

If that is what the goal is, Vercel seems to already have a solution. https://github.com/vercel/examples/blob/main/edge-functions/api-rate-limit/README.md However, it appears to require an in-memory DB.

NiallJoeMaher commented 11 months ago

Great find @JeremiSz! And yes, I was trying to figure out if we could rate limit at an API level. For example, someone can only leave one comment every few seconds but could refresh a request for an article a dozen times before rate limiting should ever hit it.

We use AWS for hosting, so I don't think we can leverage Edge functions (but I'm hoping I'm wrong).

JeremiSz commented 11 months ago

Is there an in-memory database, or would you be open to running one for this purpose? I don't see much difficulty in reimplementing our own version. Just a key-value pair of a user token and a request count. Though that could be my college and Golang/C++ do-it-yourself mentality.
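The per-route limits described two comments up (one comment every few seconds, a dozen article refreshes before throttling kicks in) and the "key-value pair of a user token and a request count" idea above, worked through as a token-bucket limiter. This is an added example, not code from the codu repository: the route names, the limits in `POLICIES`, and the `userToken` / `route` parameters are assumptions chosen for illustration.

```javascript
// Added example: in-memory token-bucket rate limiter keyed by user token and route.
// Not code from the codu project; the route names and limits are assumptions.

// Per-route policies: `capacity` is the burst allowance, `refillPerSec` the sustained rate.
const POLICIES = {
  "POST /api/comment": { capacity: 1, refillPerSec: 1 / 5 }, // one comment, then one every 5 s
  "GET /api/article": { capacity: 12, refillPerSec: 1 },     // a dozen refreshes, then 1/s
};

class TokenBucketLimiter {
  // `now` is injectable so the limiter can be exercised without a real clock.
  constructor(policies, now = () => Date.now()) {
    this.policies = policies;
    this.now = now;
    this.buckets = new Map(); // "<userToken>|<route>" -> { tokens, updatedAt }
  }

  // Decide one request. Returns { allowed, remaining, retryAfterMs }.
  check(userToken, route) {
    const policy = this.policies[route];
    if (!policy) return { allowed: true, remaining: Infinity, retryAfterMs: 0 }; // unthrottled route
    const key = `${userToken}|${route}`;
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket) {
      bucket = { tokens: policy.capacity, updatedAt: t }; // a new caller starts with a full bucket
      this.buckets.set(key, bucket);
    }
    // Lazy refill: credit the tokens earned since the last visit, capped at capacity.
    const elapsedSec = Math.max(0, t - bucket.updatedAt) / 1000;
    bucket.tokens = Math.min(policy.capacity, bucket.tokens + elapsedSec * policy.refillPerSec);
    bucket.updatedAt = t;
    if (bucket.tokens >= 1) {
      bucket.tokens -= 1;
      return { allowed: true, remaining: Math.floor(bucket.tokens), retryAfterMs: 0 };
    }
    // Not enough credit: tell the caller how long until one token is available.
    const retryAfterMs = Math.ceil(((1 - bucket.tokens) / policy.refillPerSec) * 1000);
    return { allowed: false, remaining: 0, retryAfterMs };
  }

  // Drop buckets that have been idle long enough to be full again, so memory stays bounded.
  evictIdle() {
    const t = this.now();
    for (const [key, bucket] of this.buckets) {
      const policy = this.policies[key.slice(key.indexOf("|") + 1)];
      const idleSec = (t - bucket.updatedAt) / 1000;
      if (idleSec * policy.refillPerSec >= policy.capacity) this.buckets.delete(key);
    }
  }
}

// Translate a decision into the HTTP status and headers a route handler would send.
function rateLimitResponse(result) {
  if (result.allowed) {
    return { status: 200, headers: { "X-RateLimit-Remaining": String(result.remaining) } };
  }
  return {
    status: 429,
    headers: { "Retry-After": String(Math.ceil(result.retryAfterMs / 1000)) },
  };
}

// Deterministic walk-through with a fake clock (constructed scenario).
function demo() {
  let fakeNow = 0;
  const limiter = new TokenBucketLimiter(POLICIES, () => fakeNow);
  const log = [];
  log.push(limiter.check("user-a", "POST /api/comment")); // allowed: first comment
  log.push(limiter.check("user-a", "POST /api/comment")); // blocked: retry in 5 s
  fakeNow = 5000;
  log.push(limiter.check("user-a", "POST /api/comment")); // allowed again after 5 s
  for (let i = 0; i < 13; i++) limiter.check("user-b", "GET /api/article"); // 12 allowed, 13th blocked
  return log.map((r) => rateLimitResponse(r).status);
}

console.log(demo());
```

Two caveats a reviewer would raise: because the `Map` lives in one process, a site running several instances behind a load balancer enforces the limit per instance rather than per user, which is the gap a shared store such as Redis closes; and keying on a user token only throttles authenticated traffic, so anonymous endpoints need a second key (typically the client address) or a network-layer control.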

NiallJoeMaher commented 11 months ago

I've not had to use Redis, but maybe it's a good use case for it - https://redis.com/glossary/rate-limiting/

I have a CDK folder, so we can easily add more infrastructure as needed. Maybe an AWS service handles some of this I just haven't gone ahead and researched it enough 🤔

abhijeetgurle commented 11 months ago

Found this good article on this topic: https://blog.logrocket.com/set-up-rate-limiting-next-js-redis/#:~:text=Token%20bucket%20rate%20limiting%20is,the%20client%20request%20ip%20address.

JeremiSz commented 11 months ago

That article still relies on Redis or some other in-memory DB. If it would be better to just use AWS services, WAF rules could be used. SRC: https://aws.amazon.com/blogs/architecture/rate-limiting-strategies-for-serverless-applications/ Descriptions on how to configure it are here: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based-request-limiting.html

NiallJoeMaher commented 10 months ago

Oh dang this is a great find @JeremiSz! WAF might be the way to go