search

marius-wieschollek / passwords

A simple, yet feature rich password manager for Nextcloud
GNU Affero General Public License v3.0
214 stars 46 forks source link

Fix 429 response in ServiceApiController.php #690

Open HolgerHees opened 3 days ago

HolgerHees commented 3 days ago

In my setup I have ~ 300 passwords. During initial load most of the favicon requests are answered with a 429.

In the documentation of nextcloud the description of Rate limit is "Rate limiting should be used on expensive or security sensitive functions (e.g. password resets) to increase the overall security of your application.". I think favicon is not expensive and security sensitive. So I believe, increasing the rate limit should not be a problem.

A rate limit of 500 should also be fine, because the browser itself is not requesting more then 5 per second.

marius-wieschollek commented 3 days ago

A rate limit of 500 is more than enough to completely bring down a raspberry pi. Favicons are also not only requested by the browser but also by other apps. Several of them load all icons at once which is the reason why this limit was added.

HolgerHees commented 3 days ago

But what is the solution. Not loading 80% of the favicons can't be the solution.

I mean also that a raspberry pi is not a perfect fit to a full cloud service. Just a entry level hardware to get something running.

and if you have a lot of data like ~100-300 of passwords, you should think about better hardware. The same happens for photos and file previews. Just imagine if we would also introduce a rate limit there, just to make it run on a raspberry pi.

everyone should be aware that a raspberry pi is just a entry level for nextcloud.

currently, every time I open passwords, my access logs a spammed with >250 lines of 429 error messages.

a solution like throttling on client side will also not work. This would mean the loading will take 5 minutes.

marius-wieschollek commented 3 days ago

The solution will have to be to implement the same throttling here in the favicon service: https://github.com/marius-wieschollek/passwords/blob/master/src/js/Services/FaviconService.js

marius-wieschollek commented 3 days ago

I have worked a bit on this today, i will see if i can finish support for throttled endpoints in the client tomorrow.

HolgerHees commented 2 days ago

Thank you for addressing this issue