3

I'm worried about Yii2 Rate limiting api?

What is Rate limiting api, why this used?

Here are some methods from Yii2 Can a yii guru explain in simple words about these methods, where and when I should use rate limiting in my api?

public function getRateLimit($request, $action)
{
    return [$this->rateLimit, 1]; // $rateLimit requests per second
}

public function loadAllowance($request, $action)
{
    return [$this->allowance, $this->allowance_updated_at];
}

public function saveAllowance($request, $action, $allowance, $timestamp)
{
    $this->allowance = $allowance;
    $this->allowance_updated_at = $timestamp;
    $this->save();
}
Muhammad Shahzad
  • 9,340
  • 21
  • 86
  • 130

5 Answers5

12

THE METHODS

getRateLimit(), loadAllowance() and saveAllowance() are three methods contained in the \yii\filters\RateLimitInterface Inteface that the user identity class should implement for enable rate limiting of your api.

getRateLimit() is the first method and it returns the maximum number of api calls that you can do in x seconds:

public function getRateLimit($request, $action) {
    return [1,20]; // There can be 1 api call every 20 seconds
}

loadAllowance() return the number of the remaining allowed requests with the corresponding UNIX timestamp of the last time these where checked.

public function loadAllowance($request, $action)
{
    return [$this->allowance, $this->allowance_updated_at]; 
}

saveAllowance() assign to $this->allowance the value of remaining allowed requests and save the timestamp in $this->allowance_updated_at.

public function saveAllowance($request, $action, $allowance, $timestamp)
{
    $this->allowance = $allowance; //Saving Remaining Requests
    $this->allowance_updated_at = $timestamp; // Saving Timestamp
    $this->save(); //Save the model
}

IMPLEMENTATION

This is how implemented the Rate Limiting in my example application (using advanced template):

1 Set the user identity class

In the config/main.php of your api application set the user component.

'user' => [
        'identityClass' => 'api\models\User', // User Model for your api
        'enableSession' => false, 
        'loginUrl' => null,        
    ],

2 Create a user model

This is model should implement the \yii\filters\RateLimitInterface:

This is mine:

class User extends \common\models\User implements \yii\filters\RateLimitInterface
{

    public $rateLimit = 1;
    public $allowance;
    public $allowance_updated_at;

    public function getRateLimit($request, $action) {
        return [$this->rateLimit,1];
    }

    public function loadAllowance($request, $action)
    {
        return [$this->allowance, $this->allowance_updated_at];
    }

    public function saveAllowance($request, $action, $allowance, $timestamp)
    {
        $this->allowance = $allowance;
        $this->allowance_updated_at = $timestamp;
        $this->save();
    }

}

After these two step Yii will automatically use yii\filters\RateLimiter configured as an action filter for yii\rest\Controller to perform rate limiting check (as cited in the documentation).

The last thing you have to do is disable the Rate limit header in your rest controller behaviors:

public function behaviors()
{
    $behaviors = parent::behaviors();
    $behaviors['rateLimiter']['enableRateLimitHeaders'] = false;
    return $behaviors;
}

WHEN YOU SHOULD USE RATE LIMITING IN YOUR APPLICATION

Api calls return data (with your filters) from your database so when they're called the server execute queries. More are the calls more are also the number of queries that are execute,

You must limit the number of the calls in order to prevent Server heavy works and a resulting fallout of your system.

Hope this will help. I'm not going far from the Yii2 Guide, but i don't think i can explain this in a simplier way.

giovaZ
  • 1,432
  • 3
  • 20
  • 62
  • @giovaz, what is difference between rate limit via yii2 versus using nginx for example as reverse proxy and rate limiter ? – fortm Dec 27 '16 at 05:02
  • @fortm this is a huge question that cannot be answered in a comment, because they are lot different ( there are two completely different things ). I suggest you to open a question about it, i'll be glad to answer it – giovaZ Jan 10 '17 at 14:12
  • thanks @giovaZ, created a question http://stackoverflow.com/questions/41571660/rate-limit-in-yii2-vs-using-nginx-for-rate-limiting – fortm Jan 10 '17 at 14:52
  • Is it possible to apply rate limiting for POST requests only? – Oleg Dec 17 '22 at 10:23
2

Maybe Yii2 document could help you a lot,and link following, http://www.yiiframework.com/doc-2.0/guide-rest-rate-limiting.html you need to alter your user table in Database.The rate limiting takes effect for user loginned

cui cui
  • 71
  • 5
1

I implemented each step but not show the headers

X-Rate-Limit-Limit, the maximum number of requests allowed with a time period X-Rate-Limit-Remaining, the number of remaining requests in the current time period X-Rate-Limit-Reset, the number of seconds to wait in order to get the maximum number of allowed requests `

John Parra T
  • 11
  • 1
0

you can use rate limithing composer.

add :"ethercreative/yii2-ip-ratelimiter": "1.*"

public function behaviors()
{
    $behaviors = parent::behaviors();
    $behaviors['rateLimiter'] = [
        // Use class
        'class' => RateLimiter::className(),

        'rateLimit' => 1,
        'timePeriod' => 2,

        'separateRates' => false,
        'enableRateLimitHeaders' => false,
    ];
    return $behaviors;
}
Vijay Makwana
  • 911
  • 10
  • 24
-1
public function getRateLimit($request, $action) {
    $id = $action->getUniqueId();
    $limits = [
          'user/login' => [20,10],
          'article/index' => [100,10],
          .......
           'other' => [50,10]
    ];
   if(!array_key_existe($id,$limits)) $id = 'other';
    return $limits[$id];
}
barry white
  • 1