Comments (5)
Can you post the signature of the action where you want to limit the http error rate?
from play-guard.
Hi Simon, this is the original action where I implemented the rate limiter:
```scala
private val httpErrorRateLimited =
  HttpErrorRateLimitAction(new RateLimiter(3, 1f / 30, "test failure rate limit")) { _ =>
    BadRequest(Json.obj("status" -> Messages("rate.limited.30")))
  }

/**
 * The login function uses silhouette's unsecured action which checks if there is a non-authenticated user.
 * If user is authenticated, it should return the CustomUnsecuredErrorHandler functions.
 *
 * @return The result to display.
 */
def adminLogin = (httpErrorRateLimited andThen silhouette.UnsecuredAction).async(parse.json) { implicit request =>
  request.body.validate[UserLogin] match { // validate the user login object declared in user model
    case s: JsSuccess[UserLogin] => // validation checks passed
      val userName = (request.body \ "userName").as[String]
      val password = (request.body \ "password").as[String]
      val rememberMe = (request.body \ "rememberMe").as[Boolean]
      val credentials = Credentials(userName.toLowerCase(), password)
      credentialsProvider.authenticate(credentials).flatMap { loginInfo =>
        userService.retrieve(loginInfo).flatMap { // check if username exists by querying login info
          ...
```
Thanks so much for your help!
OK, the problem is that the Action's BodyParser comes first, and if parsing fails, the limiter is not even reached. If you really want to limit the parsing error rate, too, you could do the parsing in your Action's code. E.g.:

```scala
import scala.util.Try

def test = httpErrorRateLimited(parse.raw) { request =>
  // parse the raw body inside the limited action, so a parse failure is an error response the limiter sees
  val jsO = request.body.asBytes().flatMap(b => Try(Json.parse(b.iterator.asInputStream)).toOption)
  jsO.fold(BadRequest("invalid json")) { js =>
    // ....
    Ok("test")
  }
}
```

Just an example, but the parsing errors get caught by the limiter.
Thanks Simon! May I know if there is a way to implement the limiter globally such that all requests and errors can be "caught" prior to code execution? (e.g. in the error handler)
I am building a rest api and although the application is yet to be in production, I am seeing many strange requests and attempts (probably by bots) randomly hitting un-named routes.
These limit actions like HttpErrorRateLimitAction are actually meant to be used for application specific errors. If you want to do global rate limiting, take a look at https://github.com/sief/play-guard#1-guardfilter.
This global filter currently doesn't limit error rates, but take a look at the source code, it shouldn't be too difficult to implement this. I'll add this feature to my backlog ;)
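As an added example that is not play-guard's code nor either poster's, the following Python model shows the ordering problem Simon describes and the two ways out of it: a token bucket per client IP, an action-level limiter that charges a token for every error the wrapped action returns, a `parse_then_limit` pipeline (body parser before the limiter, like `limiter.async(parse.json)`), a `limit_then_parse` pipeline (parsing inside the limited action, Simon's suggestion), and a hypothetical global error filter in front of the whole app (the feature Simon says GuardFilter does not yet have). All class and function names, the bucket size 3 and rate 1/30, and the sample requests are constructed for this illustration.

```python
"""Constructed model of Play-style action composition with an error-rate limiter.
Not play-guard's code; every name here is illustrative."""
import json
from collections import defaultdict


class TokenBucket:
    """Token bucket: `size` burst capacity, `rate` tokens refilled per second."""

    def __init__(self, size, rate, clock):
        self.size, self.rate, self.clock = size, rate, clock
        self.tokens = float(size)
        self.last = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.size, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def available(self):
        self._refill()
        return self.tokens >= 1

    def consume(self):
        self._refill()
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def bucket_group(size, rate, clock):
    """One bucket per client key (here the request IP), created on first use."""
    return defaultdict(lambda: TokenBucket(size, rate, clock))


REJECT = (429, "rate limited")


def error_rate_limited(group, inner, error_codes=range(400, 500)):
    """Action wrapper: refuse when the client's bucket is empty, and charge one
    token for every error response the wrapped action returns."""
    def action(req):
        bucket = group[req["ip"]]
        if not bucket.available():
            return REJECT
        resp = inner(req)
        if resp[0] in error_codes:
            bucket.consume()
        return resp
    return action


def parse_json_body(raw):
    try:
        return json.loads(raw), None
    except ValueError:
        return None, (400, "invalid json")


def parse_then_limit(group, handler):
    """Models `limiter.async(parse.json)`: the body parser runs before the
    limiter, so a malformed body is rejected without ever charging the bucket."""
    limited = error_rate_limited(group, lambda req: handler(req, req["json"]))

    def action(req):
        body, err = parse_json_body(req["raw"])
        if err:
            return err  # limiter never reached
        return limited({**req, "json": body})
    return action


def limit_then_parse(group, handler):
    """Models Simon's suggestion: take the raw body and parse inside the
    limited action, so parse failures count as errors."""
    def inner(req):
        body, err = parse_json_body(req["raw"])
        return err if err else handler(req, body)
    return error_rate_limited(group, inner)


def global_error_filter(group, app):
    """Hypothetical filter wrapping the whole app: counts any 4xx, whoever produced it."""
    return error_rate_limited(group, app)


def login(req, body):
    # constructed stand-in for the real credential check
    return (200, "ok") if body.get("password") == "hunter2" else (401, "bad credentials")


def simulate(build, raw=b"{not json", attempts=6):
    """Send `attempts` copies of `raw` from one IP through the pipeline built by
    `build(group)`. The clock is frozen, so the bucket never refills. Returns status codes."""
    group = bucket_group(size=3, rate=1 / 30, clock=lambda: 0.0)
    action = build(group)
    return [action({"ip": "203.0.113.7", "raw": raw})[0] for _ in range(attempts)]


if __name__ == "__main__":
    print("parse first  :", simulate(lambda g: parse_then_limit(g, login)))
    print("limit first  :", simulate(lambda g: limit_then_parse(g, login)))
    print("global filter:", simulate(lambda g: global_error_filter(g, parse_then_limit(g, login))))
```

With the body parser in front, six malformed bodies all come back as 400 and the bucket is never touched; with parsing inside the limited action, or with the global filter, the fourth malformed request is already answered 429. Valid JSON with a wrong password is charged by all three variants, which is the application-error case the action was designed for.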