osu-tournament-rating / otr-api

API powering osu! Tournament Rating
https://otr.stagec.xyz/
GNU General Public License v3.0

Introduce rate limits #198

Closed myssto closed 3 months ago

myssto commented 3 months ago

Introduce rate limits to the API

Uses a Fixed Window rate limit with a default of 30 requests per minute. The configuration uses a partitioned scheme, where each User / OAuthClient has their own limit, and all anonymous requests share a limit. Each partition is identified by the Issuer field (we assign from User.Id or OAuthClient.Id) of our JWT access tokens.

The configuration supports encoding rate limit override values into the JWT access tokens. The overrides enable us to grant a modified token limit and refresh window on a per User / OAuthClient basis. The overrides are stored in the users and oauth_clients tables as JSON representations of the new RateLimitOverrides entity to the rate_limit_overrides column. To conserve space in the JWT, they are serialized by excluding null values.

If you are interested in reading about how this is all configured, some good articles are here (1, 2, 3)

myssto commented 3 months ago

Closes #128

hburn7 commented 3 months ago

> Each partition is identified by the Issuer field (we assign from User.Id or OAuthClient.Id) of our JWT access tokens.

Does your implementation handle the case where the user and client ids are the same?

myssto commented 3 months ago

That is a very valid question that I had made a reminder to check on, but never actually did lol. I have a fix in mind, I'll implement real quick

myssto commented 3 months ago

Make sure to update project status and close #128 after merging :)

hburn7 commented 3 months ago

Configs updated.