server/client - rate limiting for threads/replies

2026-01-09 00:42:47 +00:00 · 2018-01-22 22:03:22 -06:00
parent adbe3c6857
commit 66dd5d5b9a
4 changed files with 44 additions and 10 deletions
--- a/client/app/components/editor/editor.tsx
+++ b/client/app/components/editor/editor.tsx
@@ -80,6 +80,12 @@ export class Editor extends React.Component<Props, State> {
    }
  }

+  getErrorMessage(e: any) {
+    return get(e, 'response.status') === 429 ?
+      'You are doing that too much! Please try again in a few minutes.' :
+      'Server error. Please try again later.';
+  }
+
  async newReply() {
    const { content } = this.state;

@@ -99,7 +105,7 @@ export class Editor extends React.Component<Props, State> {
      this.props.editingReply ? await axios.put('/api/reply', data) : await axios.post('/api/reply', data);
      this.props.onClose(false);
    } catch (e) {
-      this.setState({ errorMessage: 'Server error. Please try again later.' });
+      this.setState({ errorMessage: this.getErrorMessage(e) });
    }
  }

@@ -121,7 +127,7 @@ export class Editor extends React.Component<Props, State> {
      await axios.post('/api/thread', data);
      this.props.onClose(false);
    } catch (e) {
-      this.setState({ errorMessage: 'Server error. Please try again later.' });
+      this.setState({ errorMessage: this.getErrorMessage(e) });
    }
  }

--- a/lib/myapp/rate_limiter.ex
+++ b/lib/myapp/rate_limiter.ex
@@ -0,0 +1,18 @@
+defmodule MyApp.RateLimiter do
+
+  # map keys to integers to save memory
+  def new_reply_key, do: 1
+  def new_thread_key, do: 2
+
+  @spec limit(String.t, integer, integer) :: {:ok, String.t} | {:error, String.t}
+  def limit(end_point, user_id, seconds) do
+    key = "rl#{end_point}:#{user_id}"
+    case Cachex.get(:myapp, key) do
+      {:missing, _} ->
+        Cachex.set(:myapp, key, true, ttl: :timer.seconds(seconds))
+        {:ok, "ok"}
+      {:ok, _} -> {:error, "limit reached"}
+    end
+  end
+
+end
--- a/lib/myapp_web/controllers/reply_controller.ex
+++ b/lib/myapp_web/controllers/reply_controller.ex
@@ -2,6 +2,7 @@ defmodule MyAppWeb.ReplyController do
  use MyAppWeb, :controller
  alias MyAppWeb.Response
  alias MyApp.Data
+  alias MyApp.RateLimiter

  @spec insert(map, map) :: any
  def insert(conn, params) do
@@ -9,10 +10,14 @@ defmodule MyAppWeb.ReplyController do
    |> MyApp.Guardian.Plug.current_claims
    |> Map.get("id")

-    {output, status} = params
-      |> Map.put("user_id",  user_id)
-      |> Data.Reply.insert
-      |> Response.put_resp
+    {output, status} = case RateLimiter.limit(RateLimiter.new_reply_key, user_id, 60) do
+      {:ok, _} -> params
+        |> Map.put("user_id",  user_id)
+        |> Data.Reply.insert
+        |> Response.put_resp
+
+      {:error, error} -> {error, 429}
+    end

    conn
    |> put_status(status)
--- a/lib/myapp_web/controllers/thread_controller.ex
+++ b/lib/myapp_web/controllers/thread_controller.ex
@@ -2,6 +2,7 @@ defmodule MyAppWeb.ThreadController do
  use MyAppWeb, :controller
  alias MyAppWeb.Response
  alias MyApp.Data
+  alias MyApp.RateLimiter

  @spec insert(map, map) :: any
  def insert(conn, params) do
@@ -9,10 +10,14 @@ defmodule MyAppWeb.ThreadController do
    |> MyApp.Guardian.Plug.current_claims
    |> Map.get("id")

-    {output, status} = params
-      |> Map.put("user_id",  user_id)
-      |> Data.Thread.insert
-      |> Response.put_resp
+    # every 5 minutes user can submit new thread
+    {output, status} = case RateLimiter.limit(RateLimiter.new_thread_key, user_id, 300) do
+      {:ok, _} -> params
+        |> Map.put("user_id",  user_id)
+        |> Data.Thread.insert
+        |> Response.put_resp
+      {:error, error} -> {error, 429}
+    end

    conn
    |> put_status(status)