Rate Limiting By IP

[AlexGilleran]

Description

Currently it's possible for anyone to hit any API as fast as they want. This has been mostly fine so far because the public APIs we expose aren't really that expensive (they just retrieve info which can be cached anyway), but it'd be wise to build this in, especially as we start exposing other, more expensive operations via API keys.

Acceptance Criteria

• If logged out, rate limits should be per IP address. If logged in, rate limit should be per user. (NOTE: If doing it by user id turns out to be an order of magnitude harder than doing just by IP, we can split this ticket up and do by IP then figure out how to do by user id).
• Rate limits should be configurable without changing the code, by number of requests / time. i.e. you should be able to configure both the number of requests and the time period in that equation
• If rate limit is exceeded, all requests after that point should return 429 with an indication of when the next request can be made (try to do this in the most standard way possible).
• Needs to be able to work behind a CDN - i.e. all requests might come in from exactly the same IP, so it needs to be able to look at a configurable header in order to rate-limit unauthenticated requests
• Needs to work with multiple gateways instances... i.e. keeping state in the gateway memory itself isn't a great idea, because that means that the rate limit is effectively doubled/tripled/etc as you add more instances, and if an instance restarts so does the limit.
  • Probably the best way to engineer around this is to use a new postgres database as the store of limits, we'll have to monitor how this affects performance though
• Needs to be fully disable-able - if you don't turn this on, it shouldn't rate-limit and it shouldn't set up any new database or other infrastructure until you do

Technical Notes

• There are a few node libraries that do this: https://www.npmjs.com/package/rate-limiter-flexible for instance
• The rate limiting should happen in the gateway

[sajidanower23]

Adding my note on rate limiting in #2883

Rate Limiting

Rate limiting is important to prevent the abuse of our API, since API keys are being provided for free.

Express has a library express-rate-limit. that can be used to rate-limit endpoints as express middleware.

Code for that would look like this:

import rateLimit from 'express-rate-limit';

export const rateLimiter = rateLimit({
  windowMs: 60 * 1000, // 1 minute, in milliseconds
  max: 1000,
  message: 'You have exceeded the API rate limit',
  headers: true,
});

router.get('/endpoint', rateLimiter, function(req, res) {
    return "Woah";
})

This will result in denial of requests if the limit is exceeded.

To go into more depth, check out these articles:

https://nordicapis.com/everything-you-need-to-know-about-api-rate-limiting

https://blog.logrocket.com/rate-limiting-node-js