[refs #374] Add http headers for rate limit, restrict rate limit only for api calls.

2012-09-28 01:07:19 +04:00 · 2012-09-28 01:07:19 +04:00 · 7756f6200d
parent de21c6142b
commit 7756f6200d
2 changed files with 55 additions and 5 deletions
--- a/config/application.rb
+++ b/config/application.rb
@ -2,8 +2,7 @@
 require File.expand_path('../boot', __FILE__)

 require 'rails/all'
-require 'rack/throttle'
-require 'redis'
+require './lib/api_defender'

 # If you have a Gemfile, require the gems listed there, including any gems
 # you've limited to :test, :development, or :production.
@ -17,9 +16,7 @@ end
 module Rosa
  class Application < Rails::Application
    # Rate limit
-    config.middleware.use Rack::Throttle::Interval, :cache => Redis.new, :key_prefix => :throttle, :min => 0.1
-    config.middleware.use Rack::Throttle::Hourly,   :max => 500
-    #config.middleware.use Rack::Throttle::Daily,    :max => 500
+    config.middleware.insert_after Rack::Lock, ApiDefender

    config.action_view.javascript_expansions[:defaults] = %w(jquery rails)
    config.autoload_paths += %W(#{config.root}/lib)
--- a/lib/api_defender.rb
+++ b/lib/api_defender.rb
@ -0,0 +1,53 @@
+require 'rack/throttle'
+require 'redis'
+
+# Limit hourly API usage
+# http://martinciu.com/2011/08/how-to-add-api-throttle-to-your-rails-app.html
+class ApiDefender < Rack::Throttle::Hourly
+
+  def initialize(app)
+    options = {
+      :cache => Redis.new(:thread_safe => true),
+      :key_prefix => :throttle,
+      
+      # only 500 request per hour
+      :max => 500
+    }
+    @app, @options = app, options
+  end
+
+  # this method checks if request needs throttling. 
+  # If so, it increases usage counter and compare it with maximum 
+  # allowed API calls. Returns true if a request can be handled.
+  def allowed?(request)
+     need_defense?(request) ? cache_incr(request) <= max_per_window : true
+  end
+
+  def call(env)
+    status, heders, body = super
+    request = Rack::Request.new(env)
+    # just to be nice for our clients we inform them how many
+    # requests remaining does they have
+    if need_defense?(request)
+      heders['X-RateLimit-Limit']     = max_per_window.to_s
+      heders['X-RateLimit-Remaining'] = ([0, max_per_window - (cache_get(cache_key(request)).to_i rescue 1)].max).to_s
+    end
+    [status, heders, body]
+  end
+
+  # key increase and key expiration
+  def cache_incr(request)
+    key = cache_key(request)
+    count = cache.incr(key)
+    cache.expire(key, 1.day) if count == 1
+    count
+  end
+
+  protected
+
+    # only API calls should be throttled
+    def need_defense?(request)
+      request.env['PATH_INFO'] =~ /^\/api\/v1\//
+    end
+
+end