artisansdk / ratelimiter

A leaky bucket rate limiter and corresponding middleware with route-level granularity compatible with Laravel.

All routes and users are spammed with response error 429

EnelKyss opened this issue · comments

commented

Installed into Laravel 9, used this class in one route group, where I used these middlewares. After the setup, I ran my own Node.js instance to spam my website, then at one moment 2 requests passed through in 1 second even though there is a limit of 1 request per 10 seconds, like so:

```php
use ArtisanSdk\RateLimiter\Resolvers\User;
use Illuminate\Support\Facades\Route;

// throttle parameters: resolver class, max (burst), rate (leaks per second), duration (minutes)
Route::group(['middleware' => ['auth:sanctum', 'throttle:' . User::class . ',1,0.1,10']], function () {
    // my routes
});
```

and the strange behaviour started... Now every user and every route is getting rate limited for no reason... even though only 1 user (me) was spamming.
Not even the command `php artisan cache:clear` is working.

I see that you updated your comment and it originally had rate=0.5 and that would have likely been the culprit since that's one new request every 2 seconds.

Your current comment's settings are max=1 (burst limit), rate=0.1 (1 leak every 10s), and duration=10 (minutes).

  • If you made a request at T0 then made a request at T1-9 you should have exceeded your burst limit of max=1.
  • If you made a request at T10 then you should have been able to make another request.
  • Your timeout duration=10 should mean that after 10 minutes normal behavior should continue again.
  • Depending on which caching driver you're using cache:clear might not do anything but that is how you'd clear it if you were using file driver.

It's hard to know for sure what's going on in your particular case, also because your burst rate is quite small. In most use cases I've seen where the desired value is small, it's set to something like 3, and in a space of 30 seconds (based on your rate=0.1) of idle requests the user's full max=3 requests should be available again. In the odd case that there's a race condition, you won't hit the quota by accident.

The User resolver uses IP addresses when the user is not authenticated and that can lead to shared IPs causing all users to be blocked, especially if using a load balancer where the load balancer's IP is what's being used instead of the X-Requestor-IP address. You may have to create a custom resolver for your application's unique situation.

If you can provide a specific repo I can install that's all configured and has the NodeJS tester in it then I might be able to figure out if there's a problem with the rate limiter or something else going on.
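The timeline the maintainer lays out above (max=1, rate=0.1, duration=10 minutes) and the shared-IP point, replayed through a small leaky-bucket model. This is an added example, not code from the artisansdk/ratelimiter package; it is written in Python rather than PHP so it runs stand-alone, and the bucket semantics, the `resolve_key` helper and the sample IP are assumptions that mirror the explanation, not the package's implementation.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class LeakyBucket:
    # Assumed model of the maintainer's explanation, not the package's code:
    # capacity = max (burst), rate = drips leaked per second, duration = lockout in minutes.
    capacity: int
    rate: float
    duration: int
    drips: float = 0.0
    last: float = 0.0
    locked_until: float = 0.0

    def hit(self, now: float) -> bool:
        """Allow or reject one request arriving at `now` (seconds)."""
        if now < self.locked_until:
            return False                    # still inside the timeout
        # Leak whatever drained since the last request, never below empty.
        self.drips = max(0.0, self.drips - (now - self.last) * self.rate)
        self.last = now
        if self.drips + 1 > self.capacity:  # burst limit exceeded
            self.locked_until = now + self.duration * 60
            return False
        self.drips += 1
        return True

class Limiter:
    """One bucket per resolver key, as the middleware keeps per user or IP."""
    def __init__(self, capacity: int, rate: float, duration: int):
        self.settings = (capacity, rate, duration)
        self.buckets: dict[str, LeakyBucket] = {}

    def allow(self, key: str, now: float) -> bool:
        bucket = self.buckets.setdefault(key, LeakyBucket(*self.settings))
        return bucket.hit(now)

def resolve_key(user_id: str | None, client_ip: str) -> str:
    """Mimic the User resolver: authenticated id, otherwise the client IP."""
    return f"user:{user_id}" if user_id else f"ip:{client_ip}"

def replay(limiter: Limiter, requests: list[tuple[str, float]]) -> list[bool]:
    return [limiter.allow(key, t) for key, t in requests]

def issue_settings(times: list[float]) -> list[bool]:
    """The reporter's throttle:User,1,0.1,10, one authenticated user."""
    return replay(Limiter(1, 0.1, 10), [(resolve_key("42", "203.0.113.5"), t) for t in times])

def shared_ip(times: list[float]) -> list[bool]:
    key = resolve_key(None, "203.0.113.5")  # constructed sample IP shared by several users
    return replay(Limiter(1, 0.1, 10), [(key, t) for t in times])
```

With max=1 a second request anywhere inside the 10 s leak window trips the 10-minute lockout, whereas max=3 absorbs a burst and refills fully after 30 s of idle time; unauthenticated users behind one address all draw on the same bucket.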