Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow customization of weight per request for rate limiting #505

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Allow customization of weight per request for rate limiting #505

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
3310261
Allow customization of weight per request for rate limiting
jiang925 Nov 16, 2020
1ba3c5f
Merge pull request #1 from jiang925/jiang925/dynamic-weight
jiang925 Nov 17, 2020
f75d902
Update README.md to include the weight for throttle
jiang925 Nov 18, 2020
1c02f54
Merge remote-tracking branch 'upstream/master' into master
jiang925 Jan 4, 2021
531679d
Merge branch 'main' into jiang925/dynamic-weight
grzuy Nov 15, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,7 @@ Throttle state is stored in a [configurable cache](#cache-store-configuration) (

#### `throttle(name, options, &block)`

Name your custom throttle, provide `limit` and `period` as options, and make your ruby-block argument return the __discriminator__. This discriminator is how you tell rack-attack whether you're limiting per IP address, per user email or any other.
Name your custom throttle, provide `limit`, `period` and `weight` as options, and make your ruby-block argument return the __discriminator__. This discriminator is how you tell rack-attack whether you're limiting per IP address, per user email or any other.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: may worth mention weight is an optional option


The request object is a [Rack::Request](http://www.rubydoc.info/gems/rack/Rack/Request).

Expand Down Expand Up @@ -275,6 +275,14 @@ period_proc = proc { |req| req.env["REMOTE_USER"] == "admin" ? 1 : 60 }
Rack::Attack.throttle('request per ip', limit: limit_proc, period: period_proc) do |request|
request.ip
end

# Weight can be used to make some requests cost more than others while
# sharing the same limit.
weight_proc = proc { |req| req.path.start_with?('/search') ? 10 : 1 }

Rack::Attack.throttle('request per ip', limit: 10, period: 1, weight: weight_proc) do |request|
request.ip
end
```

### Tracks
Expand Down
12 changes: 6 additions & 6 deletions lib/rack/attack/cache.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,9 +22,9 @@ def store=(store)
end
end

def count(unprefixed_key, period)
def count(unprefixed_key, period, weight = 1)
key, expires_in = key_and_expiry(unprefixed_key, period)
do_count(key, expires_in)
do_count(key, expires_in, weight)
end

def read(unprefixed_key)
Expand Down Expand Up @@ -67,19 +67,19 @@ def key_and_expiry(unprefixed_key, period)
["#{prefix}:#{(@last_epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
end

def do_count(key, expires_in)
def do_count(key, expires_in, weight)
enforce_store_presence!
enforce_store_method_presence!(:increment)

result = store.increment(key, 1, expires_in: expires_in)
result = store.increment(key, weight, expires_in: expires_in)

# NB: Some stores return nil when incrementing uninitialized values
if result.nil?
enforce_store_method_presence!(:write)

store.write(key, 1, expires_in: expires_in)
store.write(key, weight, expires_in: expires_in)
end
result || 1
result || weight
end

def enforce_store_presence!
Expand Down
10 changes: 8 additions & 2 deletions lib/rack/attack/throttle.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ class Attack
class Throttle
MANDATORY_OPTIONS = [:limit, :period].freeze

attr_reader :name, :limit, :period, :block, :type
attr_reader :name, :limit, :period, :weight, :block, :type

def initialize(name, options, &block)
@name = name
Expand All @@ -15,6 +15,7 @@ def initialize(name, options, &block)
end
@limit = options[:limit]
@period = options[:period].respond_to?(:call) ? options[:period] : options[:period].to_i
@weight = options[:weight].respond_to?(:call) ? options[:weight] : (options[:weight] || 1).to_i
@type = options.fetch(:type, :throttle)
end

Expand All @@ -28,7 +29,8 @@ def matched_by?(request)

current_period = period_for(request)
current_limit = limit_for(request)
count = cache.count("#{name}:#{discriminator}", current_period)
current_weight = weight_for(request)
count = cache.count("#{name}:#{discriminator}", current_period, current_weight)

data = {
discriminator: discriminator,
Expand Down Expand Up @@ -65,6 +67,10 @@ def limit_for(request)
limit.respond_to?(:call) ? limit.call(request) : limit
end

def weight_for(request)
weight.respond_to?(:call) ? weight.call(request) : weight
end

def annotate_request_with_throttle_data(request, data)
(request.env['rack.attack.throttle_data'] ||= {})[name] = data
end
Expand Down
73 changes: 73 additions & 0 deletions spec/acceptance/throttling_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,79 @@
end
end

it "supports a non-1 constant weight" do
Rack::Attack.throttle("by ip", limit: 4, period: 60, weight: 2) do |request|
request.ip
end

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 429, last_response.status
assert_nil last_response.headers["Retry-After"]
assert_equal "Retry later\n", last_response.body

get "/", {}, "REMOTE_ADDR" => "5.6.7.8"

assert_equal 200, last_response.status

Timecop.travel(60) do
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status
end
end

it "supports a dynamic weight" do
weight_proc = lambda do |request|
if request.env["X-APIKey"] == "private-secret"
3
else
2
end
end
Rack::Attack.throttle("by ip", limit: 4, period: 60, weight: weight_proc) do |request|
request.ip
end

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 429, last_response.status
assert_nil last_response.headers["Retry-After"]
assert_equal "Retry later\n", last_response.body

Copy link

@jamiemccarthy jamiemccarthy Dec 12, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's a good place to test that a weight of zero also returns a 429. (Add request.env["X-Lightweight"] to the lambda?)

Test suggestion: jamiemccarthy@6ec96eb

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamiemccarthy Thank you for the suggestion and sorry for the delay! I missed all these notifications. I'll take a look soon and get back!

get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"

assert_equal 429, last_response.status
assert_nil last_response.headers["Retry-After"]
assert_equal "Retry later\n", last_response.body

Timecop.travel(60) do
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status
end
end

it "returns correct Retry-After header if enabled" do
Rack::Attack.throttled_response_retry_after_header = true

Expand Down