pgjones / quart-rate-limiter

Quart-Rate-Limiter is an extension for Quart to allow for rate limits to be defined and enforced on a per route basis.
MIT License

how the counting process actually works? #10

Open rafaelcapucho opened 3 months ago

rafaelcapucho commented 3 months ago

Hi @pgjones, first, thank you for all your effort to maintain an impressive amount of source projects/initiatives at the same time. I'm basically using your whole suite (Quart, Schema, Redis, Cors, Limiter) hehehe

I was configuring the limiter, it looks to work well when I test with small values, like the following:

@app.route('/ip')
@rate_limit(2, timedelta(seconds=5))
async def ip() -> str:
    return request.remote_addr

But I applied the limiter to some of my views, and I started to get a considerable amount of denies from the clients using the API, so I started to increase its amount. Currently I have mine defined as @rate_limit(21000, timedelta(seconds=20)) and I'm still getting too many denies to be true; I think that in reality I shouldn't be receiving even 2% of them.

I just moved it to the Redis Store to be able to debug it a bit and understand where the problem might live, but I don't really understand how it counts.

I understand that the Redis' keys are formed by the function name + the maximum number of requests + period in seconds + IP:

I have 3 rules:

  1. 5000 reqs each 5 seconds (global)
  2. 5000 reqs each 60 seconds (global)
  3. 21000 reqs each 20 seconds (local decorator)

My question is: how does it count? Because it looks like it simply stores a timestamp as the value, and I haven't figured out how you managed to count the amount of requests within a period. Thank you!

pgjones commented 2 months ago

I wrote this up some time ago here; it uses the GCRA algorithm.
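A minimal sketch of GCRA (generic cell rate algorithm), added here as an illustration and not quart-rate-limiter's own code: it shows how a single stored timestamp per key, the theoretical arrival time (TAT), is enough to enforce "N requests per period" without keeping a counter. The class, the function names, the in-memory dict standing in for Redis and the sample key are all assumptions; the limit replayed is the 2 requests per 5 seconds from the question.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GCRALimiter:
    """Hypothetical GCRA limiter that keeps one timestamp (the TAT) per key."""
    count: int       # requests allowed per period
    period: float    # period length in seconds
    store: Dict[str, float] = field(default_factory=dict)  # stands in for Redis

    def check(self, key: str, now: float) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for a request arriving at `now`."""
        interval = self.period / self.count   # ideal spacing between requests
        tolerance = self.period - interval    # how far ahead of `now` the TAT may run
        # TAT: the time at which the next request is "due" at the ideal spacing.
        tat = max(self.store.get(key, now), now)
        if tat - now > tolerance:
            # Burst allowance is used up; the stored value is left unchanged.
            return False, tat - tolerance - now
        # Every accepted request pushes the TAT one interval further out, so
        # (TAT - now) / interval plays the role of the request counter.
        self.store[key] = tat + interval
        return True, 0.0


def replay(limiter: GCRALimiter, key: str, arrivals: List[float]) -> List[bool]:
    """Feed constructed arrival times (seconds) through the limiter."""
    return [limiter.check(key, t)[0] for t in arrivals]


if __name__ == "__main__":
    limiter = GCRALimiter(count=2, period=5.0)
    key = "ip-2-5-203.0.113.7"  # constructed key, not the library's real format
    for t in [0.0, 0.0, 0.0, 2.5, 2.5]:  # constructed arrival times
        allowed, retry_after = limiter.check(key, t)
        print(f"t={t:>4}s allowed={allowed} retry_after={retry_after}s "
              f"stored_tat={limiter.store.get(key)}")
```

The only value stored for the key is the TAT. In this sketch a burst of `count` requests is accepted at once, after which one more is accepted every `period / count` seconds.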