Separate limits for authenticated users
MartinKolarik opened this issue · comments
Martin Kolárik commented
Part of jsdelivr/dash-directus#18
- Rename the current "rate limit" mentions in config/code to "anonymous rate limit", e.g., `measurement.rateLimit` -> `measurement.anonymousRateLimit`. It will keep working as it does but apply only to unauthenticated requests.
- Add a new `measurement.authenticatedRateLimit` option with the default value 250.
- Users can send a header in the format `Authorization: Bearer TOKEN`
- If the token doesn't exist, is expired, or fails the origin check, the response is a `401` error.
- If the token is valid, the anonymous rate limit is not applied; instead, the authenticatedRateLimit applies with the user account id being used as the key.
Requirements:
- new tokens must work instantly, without any delay
- deleted/revoked tokens should stop working reasonably fast
- don't query the DB on every single request
- the first time the token is used each day, its `date_last_used` value is updated in the DB
Suggestion:
- query the DB once a minute for all tokens; for each token found, store it in process memory as valid for the next two minutes
- if a request comes with a token that isn't in memory - query the DB for the specific token and store the result - valid/invalid - for the next two minutes
Note that the same token will also make it possible to use credits if the user reaches their hourly quota, but I'll open a separate task for that.
I've made some small changes related to this in https://github.com/jsdelivr/globalping/tree/gh-473 so please continue there.
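The caching scheme suggested above, written out as an added TypeScript example. This is not globalping's code and is not part of the issue: the `TokenStore` interface, the `TokenRow` shape, the SHA-256 cache key, the "empty origins list means any origin" rule, and the UTC day used for `date_last_used` are all assumptions made for the example. The bulk refresh caches the whole row rather than a bare "valid" flag so that expiry and the origin check can still be evaluated per request; only the DB lookup itself is cached.

```typescript
import { createHash } from 'node:crypto';

// Token row as this example assumes it (hypothetical shape, not the project's schema).
type TokenRow = { token: string; userId: string; expire: Date | null;
  origins: string[] /* empty = any origin (assumption) */; dateLastUsed: string | null /* 'YYYY-MM-DD', UTC */ };

// Hypothetical DB interface standing in for the real token table.
interface TokenStore {
  findAll(): Promise<TokenRow[]>;
  findOne(token: string): Promise<TokenRow | null>;
  touch(token: string, day: string): Promise<void>;
}

type AuthResult = { kind: 'anonymous' } | { kind: 'authenticated'; userId: string } | { kind: 'rejected'; status: 401 };
type CacheEntry = { row: TokenRow | null; until: number }; // row === null caches a negative lookup
const CACHE_TTL_MS = 2 * 60 * 1000;
const REJECT: AuthResult = { kind: 'rejected', status: 401 };

class TokenCache {
  private cache = new Map<string, CacheEntry>();
  private db: TokenStore;
  private now: () => Date; // injectable clock so the TTL and expiry can be exercised offline
  constructor(db: TokenStore, now: () => Date = () => new Date()) { this.db = db; this.now = now; }

  // Keyed by a hash so process memory does not hold the raw secrets (assumption, not from the issue).
  private key(token: string): string { return createHash('sha256').update(token).digest('hex'); }

  // Bulk refresh, intended to run from a setInterval once a minute: every token currently in the DB
  // becomes usable from memory for two minutes. A revoked token is simply not re-stamped and ages out.
  async refreshAll(): Promise<void> {
    const rows = await this.db.findAll();
    const until = this.now().getTime() + CACHE_TTL_MS;
    for (const row of rows) this.cache.set(this.key(row.token), { row, until });
  }

  // Unknown or stale entry: one DB query, cached whether the token exists or not, so a brand-new
  // token works on its first request and a bogus one cannot turn every request into a DB hit.
  private async lookup(token: string): Promise<TokenRow | null> {
    const k = this.key(token);
    const hit = this.cache.get(k);
    if (hit && hit.until > this.now().getTime()) return hit.row;
    const row = await this.db.findOne(token);
    this.cache.set(k, { row, until: this.now().getTime() + CACHE_TTL_MS });
    return row;
  }

  async authenticate(authorization?: string, origin?: string): Promise<AuthResult> {
    const m = /^Bearer\s+(\S+)$/i.exec(authorization ?? '');
    if (!m) return { kind: 'anonymous' };                       // no token: anonymousRateLimit applies
    const row = await this.lookup(m[1] ?? '');
    const now = this.now();
    if (!row) return REJECT;                                     // unknown or revoked
    if (row.expire && row.expire.getTime() <= now.getTime()) return REJECT;
    if (row.origins.length > 0 && (!origin || !row.origins.includes(origin))) return REJECT;
    const today = now.toISOString().slice(0, 10);
    if (row.dateLastUsed !== today) {     // first use today: one write, then remembered in the cached row
      row.dateLastUsed = today;
      await this.db.touch(row.token, today);
    }
    return { kind: 'authenticated', userId: row.userId };        // userId is the authenticatedRateLimit key
  }
}

// In-memory stand-in for the DB that counts queries so the caching can be observed.
class MemoryStore implements TokenStore {
  rows: TokenRow[]; queries = 0; touches = 0;
  constructor(rows: TokenRow[]) { this.rows = rows; }
  async findAll() { this.queries++; return this.rows.map(r => ({ ...r })); }
  async findOne(token: string) { this.queries++; const r = this.rows.find(x => x.token === token); return r ? { ...r } : null; }
  async touch(token: string, day: string) { this.touches++; const r = this.rows.find(x => x.token === token); if (r) r.dateLastUsed = day; }
}

// Constructed scenario (sample data, not real tokens) walking through the requirements with a fake clock.
async function runScenario() {
  let t = Date.parse('2024-05-01T10:00:00Z');
  const store = new MemoryStore([
    { token: 'tokA', userId: 'u1', expire: null, origins: [], dateLastUsed: null },
    { token: 'tokB', userId: 'u2', expire: new Date('2024-01-01T00:00:00Z'), origins: [], dateLastUsed: null },
    { token: 'tokC', userId: 'u3', expire: null, origins: ['https://app.example'], dateLastUsed: '2024-04-30' },
  ]);
  const cache = new TokenCache(store, () => new Date(t));
  const kind = async (auth?: string, origin?: string) => (await cache.authenticate(auth, origin)).kind;

  const anonymous = await kind();
  const first = await cache.authenticate('Bearer tokA');            // brand-new token: exactly one findOne
  const queriesAfterFirst = store.queries;
  await cache.authenticate('Bearer tokA');                            // now served from memory
  const queriesAfterSecond = store.queries;
  const touchesSameDay = store.touches;
  const expired = await kind('Bearer tokB');
  const badOrigin = await kind('Bearer tokC', 'https://evil.example');
  const goodOrigin = await kind('Bearer tokC', 'https://app.example');
  const unknown = await kind('Bearer nope');
  const q = store.queries;
  await kind('Bearer nope');
  const negativeCached = store.queries === q;                        // negative result was cached

  store.rows = store.rows.filter(r => r.token !== 'tokA');           // revoke tokA in the DB
  t += 60_000; await cache.refreshAll();                              // the next minutely refresh no longer sees it
  const afterRevokeWithinTtl = await kind('Bearer tokA');             // still honoured from its own lookup
  t += 61_000;                                                        // its two-minute stamp has lapsed
  const afterRevokePastTtl = await kind('Bearer tokA');

  t += 24 * 3_600_000; await cache.refreshAll();
  await kind('Bearer tokC', 'https://app.example');                   // first use of the next day: one more write
  const touchesNextDay = store.touches;
  return { anonymous, first, queriesAfterFirst, queriesAfterSecond, touchesSameDay, expired, badOrigin,
    goodOrigin, unknown, negativeCached, afterRevokeWithinTtl, afterRevokePastTtl, touchesNextDay };
}

runScenario().then(r => console.log(r));
```

Two things worth noting about the trade-off the scheme makes: a revoked token keeps working until the last two-minute stamp it received lapses, and a token that was probed before it was created stays negatively cached until the next bulk refresh overwrites the entry, so "instantly" holds for tokens that were never tried before they existed.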