The logger API currently checks the structure of a log message before submitting it but doesn't limit the number of messages a user (IP) is allowed to submit.
To prevent spam, we should add rate limiting to the API.
There is an ongoing conversation in #1113 about caching on the WordPress.net server which is a requirement for rate limiting if we want to implement it from scratch.
Alternative solutions would include using a file for storing request counts or using an existing rate limiter solution that our server supports.
Fixes #1123
## What is this PR doing?
It adds rate limiting to the logger API.
## What problem is it solving?
Increases protection from spam requests.
## How is the problem addressed?
By tracking the number of requests in `$_SESSION` and returning early if
the limit was reached.
## Testing Instructions
- Checkout this branch
- Copy the `logger.php` file to a PHP local server or start a Docker
server
```sh
cd packages/playground/website/public/
docker run -d -p 8787:80 --name playground-website -v "$PWD":/var/www/html php:8.0-apache
```
- Open the [API endpoint link](http://127.0.0.1:8787/logger.php)
- Reload 5 times and confirm that the error message changed to _Too many
requests_
**Known limitations**
Because this is implemented using `$_SESSION` it can easily be worked
around using `curl` or by removing session data.
To improve rate limiting we would need support for storing request
counts by IP on the server and there is currently no storage support
except for files.
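The PR keys its counter on `$_SESSION`, which, as the known-limitations note says, a client can sidestep by dropping the session cookie. The issue's other option is a file that stores request counts per IP, so the following is an added example of that approach (not Playground's own `logger.php` code): a fixed-window counter keyed on `REMOTE_ADDR`, persisted to a JSON file under an exclusive `flock()`, and checked before the log message is parsed so the endpoint returns early with HTTP 429. The file path, the limit of 5 per 60 seconds, and the function names are assumptions for illustration.

```php
<?php
// Added example, not Playground's own logger.php: per-IP rate limiting with
// request counts stored in a file (the issue's "file for storing request
// counts" alternative). Path, limits and function names are assumptions.

declare(strict_types=1);

const RATE_LIMIT_FILE   = '/tmp/logger-rate-limit.json'; // assumed path
const RATE_LIMIT_MAX    = 5;   // requests per window (matches "reload 5 times")
const RATE_LIMIT_WINDOW = 60;  // window length in seconds

/**
 * The key the counter is tracked under. Only REMOTE_ADDR is trusted here:
 * X-Forwarded-For is client-supplied unless a known reverse proxy rewrites it,
 * so it must not be used as the key without that guarantee.
 */
function rate_limit_client_key(): string {
    return $_SERVER['REMOTE_ADDR'] ?? 'unknown';
}

/**
 * Count one request for $key and return true if it is within the limit.
 * The read-modify-write of the state file happens under LOCK_EX so two
 * concurrent requests cannot overwrite each other's increment.
 */
function rate_limit_check(string $key, int $now, string $file = RATE_LIMIT_FILE): bool {
    $fh = fopen($file, 'c+'); // create if missing, keep contents, pointer at 0
    if ($fh === false || !flock($fh, LOCK_EX)) {
        // Fail closed: if the counter cannot be tracked, reject the request.
        return false;
    }

    $raw   = stream_get_contents($fh);
    $state = ($raw === false || $raw === '') ? [] : (json_decode($raw, true) ?: []);

    // Drop expired windows so the file does not grow with every new client IP.
    foreach ($state as $k => $entry) {
        if ($entry['start'] + RATE_LIMIT_WINDOW <= $now) {
            unset($state[$k]);
        }
    }

    $entry = $state[$key] ?? ['start' => $now, 'count' => 0];
    $entry['count']++;
    $state[$key] = $entry;

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);

    return $entry['count'] <= RATE_LIMIT_MAX;
}

// Return early, before the log message is read or validated, as the PR does.
if (!rate_limit_check(rate_limit_client_key(), time())) {
    http_response_code(429);
    header('Retry-After: ' . RATE_LIMIT_WINDOW);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'Too many requests']);
    exit;
}

// ... normal logger handling (structure check, storing the message) continues here ...
```

Placed at the top of the endpoint, this makes the sixth request from the same address within a minute get a 429 regardless of cookies, which is the case the `$_SESSION` version cannot cover. The file write still serializes every request through one lock, so on a busy server a shared store such as the cache discussed in #1113 would be the next step.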