Logger API: Add rate limiting #1142
Conversation
Yeah... I guess we can revisit this with Systems if this is insufficient. It's more of a defense against unintentional overuse than it is against abuse. Still... very good to have. |
| $_SESSION[$rate_limit_key]++; | ||
|
|
||
| if ($_SESSION[$rate_limit_key] > $max_requests_per_hour) { | ||
| response(false, 'Too many requests'); |
There was a problem hiding this comment.
would it be helpful to send a 429 here instead of what I presume is a 200?
also, these response() responses seem quite sparse. maybe we could help clue-in the browsers to what is happening?
header( 'Content-type: application/json', true, 429 );Do we expect the clients to heed this response and wait to send new logs?
There was a problem hiding this comment.
This API is currently used only by one modal and it shows the same error message whenever a request fails, so it's not needed today.
If the API gets used more in the future, using the correct response code and improving errors would be good.
Do we expect the clients to heed this response and wait to send new logs?
No, users might click on the form again and if it fails, it would result in the same error.
Thinking about it now, the UX isn't great, but let's see how much it will be used before investing more time into it.
Fixes #1123
What is this PR doing?
It adds rate limiting to the logger API.
What problem is it solving?
Increases protection from spam requests.
How is the problem addressed?
By tracking the number of requests in
$_SESSIONand returning early if the limit was reached.Testing Instructions
logger.phpfile to a PHP local server or start a Docker serverKnown limitations
Because this is implemented using
$_SESSIONit can easily be worked around usingcurlor by removing session data.To improve rate limiting we would need support for storing request counts by IP on the server and there is currently no storage support except for files.