rrd108 / nuxt-api-shield

Nuxt API Rate Limiter / Brute Force Protection

Possible to set rate limits by header val? #12

Open corepay opened 1 week ago

corepay commented 1 week ago

This may not be a thing, or there is a good reason why this is not a good idea, but I'm looking for an answer on rate limiting only 'specific' endpoints... by IP address origin AND by an extra header value for the client.

The specific endpoints are my login endpoints; the issue I am trying to address is API requests from, say, an ISV that uses my APIs programmatically through their backend server. In my case, the ISV has to pass specific header information to me on login so I can identify the client in my system. I want to provide SMS one-time passwords and am afraid that if this endpoint is not rate limited I can get hammered with OTP requests, costing me trillions of dollars per month in SMS fees. Easy enough to limit, say, 1 request per minute per IP, but the integrated server sending me login requests on behalf of their clients is... a single IP address, so I can't really rate limit on IP address only and need a second identifier. For me it would be rate limit 1 request every 60 seconds by (IP && header x-client-key).

Am I lost here? This seems to be an issue many SaaS providers may have, and an easy issue to solve, but I cannot find anybody in the Nuxt world so far allowing a second filter on the rate limiter...

rrd108 commented 1 week ago

Sure. It is quite easy to implement. The only problem is that you will rely on a header coming from the API consumer, so it is easy for the consumer to remove it.
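The composite key the thread describes, written out as an added example (this is not nuxt-api-shield's code; the `x-client-key` header name, the 60-second/1-request window and the `KNOWN_CLIENTS` set are assumptions taken from or constructed for this thread). It also addresses rrd108's caveat: a missing, stripped or unrecognised header value does not escape the limiter, it simply collapses the key to the plain per-IP bucket.

```javascript
// Added example: fixed-window rate limit keyed on (IP, x-client-key) for a
// login/OTP endpoint. Not the module's own implementation.
const WINDOW_MS = 60_000; // 1 request per 60 seconds, as asked in the issue
const LIMIT = 1;

// Constructed sample: client keys the system already knows (corepay says the
// ISV passes a header that identifies the client in their system).
const KNOWN_CLIENTS = new Set(['acme', 'globex']);

// key -> { count, windowStart }; in production this would live in a shared
// store (Redis, unstorage, ...) rather than in-process memory.
const buckets = new Map();

// Build the limiter key. Only a client key the server already knows widens
// the key space to one bucket per (IP, client). A missing or unknown header
// value shares the plain per-IP bucket, so stripping or forging the header
// never yields a fresh allowance. `headers` is assumed to use lowercase keys
// as Node's req.headers does.
function rateLimitKey(ip, headers, knownClients = KNOWN_CLIENTS) {
  const clientKey = String(headers['x-client-key'] ?? '').trim();
  return knownClients.has(clientKey) ? `${ip}|${clientKey}` : ip;
}

// Fixed window: the first request in a window starts it, later requests are
// counted against LIMIT until WINDOW_MS has elapsed. `now` is injectable so
// the behaviour can be checked without waiting on the clock.
function checkRateLimit(key, now = Date.now()) {
  const bucket = buckets.get(key);
  if (!bucket || now - bucket.windowStart >= WINDOW_MS) {
    buckets.set(key, { count: 1, windowStart: now });
    return { allowed: true, retryAfterMs: 0 };
  }
  if (bucket.count < LIMIT) {
    bucket.count += 1;
    return { allowed: true, retryAfterMs: 0 };
  }
  return { allowed: false, retryAfterMs: WINDOW_MS - (now - bucket.windowStart) };
}

// What a server route would call before sending an OTP; on `allowed: false`
// respond 429 and expose retryAfterMs via a Retry-After header.
function limitOtpRequest(ip, headers, now = Date.now()) {
  return checkRateLimit(rateLimitKey(ip, headers), now);
}

module.exports = { rateLimitKey, checkRateLimit, limitOtpRequest, WINDOW_MS, LIMIT };
```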