Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow customization of weight per request for rate limiting #505

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,7 @@ Throttle state is stored in a [configurable cache](#cache-store-configuration) (

#### `throttle(name, options, &block)`

Name your custom throttle, provide `limit` and `period` as options, and make your ruby-block argument return the __discriminator__. This discriminator is how you tell rack-attack whether you're limiting per IP address, per user email or any other.
Name your custom throttle, provide `limit`, `period` and `weight` as options, and make your ruby-block argument return the __discriminator__. This discriminator is how you tell rack-attack whether you're limiting per IP address, per user email or any other.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: may worth mention weight is an optional option


The request object is a [Rack::Request](http://www.rubydoc.info/gems/rack/Rack/Request).

Expand Down Expand Up @@ -275,6 +275,14 @@ period_proc = proc { |req| req.env["REMOTE_USER"] == "admin" ? 1 : 60 }
Rack::Attack.throttle('request per ip', limit: limit_proc, period: period_proc) do |request|
request.ip
end

# Weight can be used to make some requests cost more than others while
# sharing the same limit.
weight_proc = proc { |req| req.path.start_with?('/search') ? 10 : 1 }

Rack::Attack.throttle('request per ip', limit: 10, period: 1, weight: weight_proc) do |request|
request.ip
end
```

### Tracks
Expand Down
12 changes: 6 additions & 6 deletions lib/rack/attack/cache.rb
Original file line number Diff line number Diff line change
Expand Up @@ -28,9 +28,9 @@ def store=(store)
end
end

def count(unprefixed_key, period)
def count(unprefixed_key, period, weight = 1)
key, expires_in = key_and_expiry(unprefixed_key, period)
do_count(key, expires_in)
do_count(key, expires_in, weight)
end

def read(unprefixed_key)
Expand Down Expand Up @@ -73,19 +73,19 @@ def key_and_expiry(unprefixed_key, period)
["#{prefix}:#{(@last_epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
end

def do_count(key, expires_in)
def do_count(key, expires_in, weight)
enforce_store_presence!
enforce_store_method_presence!(:increment)

result = store.increment(key, 1, expires_in: expires_in)
result = store.increment(key, weight, expires_in: expires_in)

# NB: Some stores return nil when incrementing uninitialized values
if result.nil?
enforce_store_method_presence!(:write)

store.write(key, 1, expires_in: expires_in)
store.write(key, weight, expires_in: expires_in)
end
result || 1
result || weight
end

def enforce_store_presence!
Expand Down
10 changes: 8 additions & 2 deletions lib/rack/attack/throttle.rb
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ class Attack
class Throttle
MANDATORY_OPTIONS = [:limit, :period].freeze

attr_reader :name, :limit, :period, :block, :type
attr_reader :name, :limit, :period, :weight, :block, :type

def initialize(name, options, &block)
@name = name
Expand All @@ -15,6 +15,7 @@ def initialize(name, options, &block)
end
@limit = options[:limit]
@period = options[:period].respond_to?(:call) ? options[:period] : options[:period].to_i
@weight = options[:weight].respond_to?(:call) ? options[:weight] : (options[:weight] || 1).to_i
@type = options.fetch(:type, :throttle)
end

Expand All @@ -28,7 +29,8 @@ def matched_by?(request)

current_period = period_for(request)
current_limit = limit_for(request)
count = cache.count("#{name}:#{discriminator}", current_period)
current_weight = weight_for(request)
count = cache.count("#{name}:#{discriminator}", current_period, current_weight)

data = {
discriminator: discriminator,
Expand Down Expand Up @@ -66,6 +68,10 @@ def limit_for(request)
limit.respond_to?(:call) ? limit.call(request) : limit
end

def weight_for(request)
weight.respond_to?(:call) ? weight.call(request) : weight
end

def annotate_request_with_throttle_data(request, data)
(request.env['rack.attack.throttle_data'] ||= {})[name] = data
end
Expand Down
73 changes: 73 additions & 0 deletions spec/acceptance/throttling_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,79 @@
end
end

it "supports a non-1 constant weight" do
Rack::Attack.throttle("by ip", limit: 4, period: 60, weight: 2) do |request|
request.ip
end

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 429, last_response.status
assert_nil last_response.headers["Retry-After"]
assert_equal "Retry later\n", last_response.body

get "/", {}, "REMOTE_ADDR" => "5.6.7.8"

assert_equal 200, last_response.status

Timecop.travel(60) do
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status
end
end

it "supports a dynamic weight" do
weight_proc = lambda do |request|
if request.env["X-APIKey"] == "private-secret"
3
else
2
end
end
Rack::Attack.throttle("by ip", limit: 4, period: 60, weight: weight_proc) do |request|
request.ip
end

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 429, last_response.status
assert_nil last_response.headers["Retry-After"]
assert_equal "Retry later\n", last_response.body

Copy link

@jamiemccarthy jamiemccarthy Dec 12, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's a good place to test that a weight of zero also returns a 429. (Add request.env["X-Lightweight"] to the lambda?)

Test suggestion: jamiemccarthy@6ec96eb

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamiemccarthy Thank you for the suggestion and sorry for the delay! I missed all these notifications. I'll take a look soon and get back!

get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"

assert_equal 200, last_response.status

get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"

assert_equal 429, last_response.status
assert_nil last_response.headers["Retry-After"]
assert_equal "Retry later\n", last_response.body

Timecop.travel(60) do
get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

assert_equal 200, last_response.status
end
end

it "returns correct Retry-After header if enabled" do
Rack::Attack.throttled_response_retry_after_header = true

Expand Down
Loading