Rate limiter implementation

[romkatsu]

Q	A
Is bugfix?	❌
New feature?	✔️
Breaks BC?	❌
Tests pass?	✔️
Fixed issues	#63

[rustamwin]

Without a database repository implementation?

[romkatsu]

Without a database repository implementation?

I didn't plan on it, but I can try. What tasks can this be useful for?

[rustamwin]

I didn't plan on it, but I can try. What tasks can this be useful for?

See https://github.com/yiisoft/yii2/blob/master/framework/filters/RateLimiter.php and https://github.com/yiisoft/yii2/blob/master/framework/filters/RateLimitInterface.php

[romkatsu]

I didn't plan on it, but I can try. What tasks can this be useful for?

See https://github.com/yiisoft/yii2/blob/master/framework/filters/RateLimiter.php and https://github.com/yiisoft/yii2/blob/master/framework/filters/RateLimitInterface.php

added storage implementation, now it will be possible to add storage in the database

[samdark]

While it makes code simple, this rate limiter implementation (fixed window) results in possibility of traffic spikes on the edge of the interval. The behavior for interval = 360 (6 minutes) and limit = 10000 is that after 10000 requests there will be 504 HTTP response for exactly 6 minutes. Then there could be quick 10000 requests again and another 6 minute pause etc. So you'll still have traffic spikes this way. That's a no go for a good rate limiter.

Good algorithms preventing traffic spikes are:

1. Leaky bucket https://en.wikipedia.org/wiki/Leaky_bucket. That one is in Yii 2.
2. Sliding window.

See:

1. https://blog.cloudflare.com/counting-things-a-lot-of-different-things/
2. https://habr.com/ru/post/448438/

[samdark]

I'd implement GCRA:

• https://brandur.org/rate-limiting
• https://blog.ian.stapletoncordas.co/2018/12/understanding-generic-cell-rate-limiting.html

[kamarton]

And counts are lost. for example

1. A request get counter value (X)
2. B request get counter value (X)
3. A requrest set counter value (X+1)
4. B request set counter value (X+1)

In fact, X + 2. In multi server environments, this can mean a lot of lost counting.
I recommend that the storage interface have a incrementAndGet() method. Redis, mysql allow counting in atomic.

[samdark]

Yes, increment operation should be atomic.

[rustamwin]

All setters should be void or with prefixed

public function withLimit(int $limit): self
{
    $new = clone $this
    $new->limit = $limit;
    return $new;
}

[rustamwin]

I'd suggest naming class/interface without Storage

[samdark]

The purpose of it is to store counter data. How would you name it?

[kamarton]

It's not about storage, it's about counting.

[samdark]

Nope. https://github.com/yiisoft/yii-web/pull/203/files#diff-e94ff4fb5bda21fe7b12afa594018f4c is about counting. This one is about storage. If these should be separate is another question.

[kamarton]

Why storage? There is no need to read it, it is always only increment, if the result is higher than the limit then it is too many requests

CacheCounter implements CounterInterface // or CounterServiceInterface

[kamarton]

Counter in current implementation is useless. Currently, a single Counter can be specified for middleware -> can be implemented to middleware.

[kamarton]

3 layers:

• LimiterDescriptor
• CounterInterface
• LimiterMiddlerware

[romkatsu]

I think the Counter class is not needed. Each counter should be individually

we've already discussed this.

What are possible examples?

[romkatsu]

Counter in current implementation is useless. Currently, a single Counter can be specified for middleware -> can be implemented to middleware.

Why useless? You can also use multiple instances of middleware.

$counter1 = (new Counter($storage))->setInterval(60);
$counter2 = (new Counter($storage))->setInterval(86400);

$middleware1 = (new RateLimiter($counter1, $responseFactory))
    ->withLimit(10);

$middleware2 = (new RateLimiter($counter2, $responseFactory))
    ->withLimit(100);

Route::get('/')
    ->prepend($middleware1)
    ->to(new ActionCaller(SiteController::class, 'index', $container))
    ->name('site/index')

Route::get('/')
   ->prepend($middleware2)
   ->to(new ActionCaller(SiteController::class, 'index', $container))
   ->name('site/test')

[kamarton]

Why useless? You can also use multiple instances of middleware.

the current implementation is the same as:

$counter = new CacheCounter();
$middleware1 = (new RateLimiter($counter, $responseFactory))
    ->withLimit(10)
    ->withInterval(60);
$middleware1 = (new RateLimiter($counter, $responseFactory))
    ->withLimit(100)
    ->withInterval(86400);

[kamarton]

I suggest simplify it

interface CounterInterface
{
  public function incrementAndGet(string $id, int $interval): int;
}

[kamarton]

generate is not public, the strtolower() can be omitted.

[romkatsu]

Query request parameters can be anything, I just want the ID to be the same in terms of case.

[kamarton]

Does the default value make sense?

[kamarton]

This is already the task of CounterInterface.

[kamarton]

I don't really understand the point of leaving auto-increment. If autoincrement is disabled, it is more like just a "checker".

[kamarton]

Current implementation not allow multiple limit descriptor in a single middleware. It is necessary to record more intervals and more limits, eg.

ID                    interval  limit
sms/user/12             60s     2
sms/user/12           3600s     10
sms/users               60s     40
sms/users             3600s     250

[romkatsu]

Created a new pull request with the implementation of the GCRA.

I'm closing this one.