Implement Server Connect API rate limiting

Apple · August 11, 2022, 8:04am

/me waiting for JonL’s NodeJS rate limiter

JonL · August 11, 2022, 8:02am

You really need it? The apps that I am currently working on don’t have public endpoint so I don’t need it at the moment but you should be able to create a middleware extension and use:

JonL · August 11, 2022, 8:02am

Yeah. Eff it.

Here you are:

npm install express-rate-limit

/extensions/server_connect/routes/rateLimiter.js

const rateLimit = require('express-rate-limit')

exports.before = function (app) {
    const limiter = rateLimit({
        windowMs: 15 * 60 * 1000, // 15 minutes
        max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
        standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
        legacyHeaders: false, // Disable the `X-RateLimit-*` headers
    })
    app.use(limiter)
}

Result after spamming my endpoint:

429 Too Many Requests

George · August 11, 2022, 8:03am

Moved to feature request as this is something we should implement in the core @patrick

George · August 11, 2022, 8:03am

George · August 11, 2022, 8:17am

This is also a good explanation of rate limiting techniques:

JonL · August 11, 2022, 8:27am

I would suggest at least having 2 types of limiters:

A global one for SC as a whole(similar to my middleware extension). Options could be added here.
A SC flow one. Options could be added in the settings. Default values would be the ones specified for global limiter.

Safari 11-08-2022 10.23.02 0000691134×239 12.6 KB

The SC flow one should be able to override the global one.

Apple · August 11, 2022, 10:46pm

Since this is now a feature request, I’m listing the options I’m looking forward:

Rate limiter SC step
Ability to select a custom key for the rate limiter through the data binding picker (e.g.: so I can pick something from $_SESSION, or the default $_SERVER.REMOTE_ADDR for regular IP address limiting)
Ability to define window time (or equivalent) of the rate limiter (data binding picker)
Ability to define max requests in window time (or equivalent) of the rate limiter (data binding picker)
Ability to use Redis for rate-limiting (for distributed rate-limiting)

If it reduces complexity, we could skip the global rate limiter, because one could put a rate limiter in the Globals steps:

And one might want to use several rate limiting steps simultaneously (e.g.: IP address based, and then session based), and these should not void one another

Notum · August 12, 2022, 9:05am

A bit off topic :

Could you please tell a bit more about this? Are you securing some how your API calls or there is an option so that API call would be possible only while visiting the website, not just via curl or Postman?

JonL · August 12, 2022, 11:23am

All the SC flows(except auth SC flows) are secured so nobody can run them if they are not logged in or don’t have permission to do it. First step is a library flow with a security restrict action.

JonL · August 12, 2022, 10:57am

Do you need to apply some sort of logic in the SC flow before running the limiter step?

Apple · August 12, 2022, 2:24pm

Yes, different rate limits depending on the user’s role/plan/subscription

JonL · August 12, 2022, 2:24pm

Got it. Makes sense.

karh · February 10, 2023, 2:45pm

Bump, please vote

htatd · November 27, 2023, 5:34pm

Hi! Any news about this? Need to create some public endpoints for end users right now.
Anyone any tips to keep in mind?

TMR · November 27, 2023, 9:26pm

Me too, public endpoints are on my agenda, rate limiting for this is critical.