Add rate limiting #16
Conversation
See https://learn.microsoft.com/en-us/aspnet/core/performance/rate-limit?view=aspnetcore-9.0 for more information on this. I've never really tried this in production anywhere, but given it's in ASP.NET Core built-in, I'd hope it should be solid enough? Limits mostly taken out of rear, and likely are much too lenient anyway.
|
|
||
| return RateLimitPartition.GetSlidingWindowLimiter(userId, _ => new SlidingWindowRateLimiterOptions | ||
| { | ||
| PermitLimit = 30, |
There was a problem hiding this comment.
If anything, I'd agree at this being too lenient, and it could be dropped as low as 5 per minute. Maybe we start stringent and wait for issues to occur (because let's be honest: the most likely case is going to be a runaway client stuck in an infinite retry death spiral as opposed to someone trying to abuse the service).
| PermitLimit = 30, | |
| PermitLimit = 5, |
There was a problem hiding this comment.
Sure, although I've done a bit of a different change, see 592b035. The rate limit is now 6 req/min with 2 requests being replenished to the pool every 20sec.
The reason why I want that specific sort of thing is that a full upload flow takes 2 requests (the initial one to set up the beatmaps and get the file listing, and the second one to either do a full .osz upload or a differential update). So I want these rate limits to not be odd numbers, to prevent half-failing submissions because the client ran out of ratelimit between one request and the other.
See https://learn.microsoft.com/en-us/aspnet/core/performance/rate-limit?view=aspnetcore-9.0 for more information on this.
I've never really tried this in production anywhere, but given it's in ASP.NET Core built-in, I'd hope it should be solid enough?
Limits mostly taken out of rear, and likely are much too lenient anyway. The hard limit is 30 requests/min, with 5 requests being replenished back to the tally every 10 seconds. The limit is enforced per user.