(API) Rate limiting requests in CakePHP
This plugin allows you to limit the number of requests a client can make to your app in a given time frame.
composer require muffin/throttle
To make your application load the plugin either run:
./bin/cake plugin load Muffin/Throttle
In your config/app.php
add a cache config named throttle
under the Cache
key
with required config. For e.g.:
'throttle' => [
'className' => 'Apcu',
'prefix' => 'throttle_'
],
Add the middleware to the queue and pass your custom configuration:
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
// Various other middlewares for error handling, routing etc. added here.
$throttleMiddleware = new \Muffin\Throttle\Middleware\ThrottleMiddleware([
// Data used to generate response with HTTP code 429 when limit is exceeded.
'response' => [
'body' => 'Rate limit exceeded',
],
// Time period as number of seconds
'period' => 60,
// Number of requests allowed within the above time period
'limit' => 100,
// Client identifier
'identifier' => function ($request) {
if (!empty($request->getHeaderLine('Authorization'))) {
return str_replace('Bearer ', '', $request->getHeaderLine('Authorization'));
}
return $request->clientIp();
}
]);
$middlewareQueue->add($throttleMiddleware);
return $middlewareQueue;
}
The above example would allow 100 requests/minute/token and would first try to identify the client by JWT Bearer token before falling back to (Throttle default) IP address based identification.
The middleware also dispatches following event which effectively allows you to have multiple rate limits:
This is the first event that is triggered before a request is processed by the middleware. All rate limiting process will be bypassed if this event is stopped.
\Cake\Event\EventManager::instance()->on(
\Muffin\Throttle\Middleware\ThrottleMiddleware::EVENT_BEFORE_THROTTLE,
function ($event, $request) {
if (/* check for something here, most likely using $request */) {
$event->stopPropagation();
}
}
);
Instead of using the indentifer
config you can also setup a listener for the
Throttle.getIdentifier
event. The event's callback would receive a request
instance as argument and must return an identifier string.
The Throttle.getThrottleInfo
event allows you to customize the period
and limit
configs for a request as well as the cache key used to store the rate limiting info.
This allows you to set multiple rate limit as per your app's needs.
Here's an example:
\Cake\Event\EventManager::instance()->on(
\Muffin\Throttle\Middleware\ThrottleMiddleware::EVENT_GET_THROTTLE_INFO,
function ($event, $request, \Muffin\Throttle\ValueObject\ThrottleInfo $throttle) {
// Set a different period for POST request.
if ($request->is('POST')) {
// This will change the cache key from default "{identifer}" to "{identifer}.post".
$throttle->appendToKey('post');
$throttle->setPeriod(30);
}
// Modify limit for logged in user
$identity = $request->getAttribute('identity');
if ($identity) {
$throttle->appendToKey($identity->get('role'));
$throttle->setLimit(200);
}
}
);
The Throtttle.beforeCacheSet
event allows you to observe result of middleware configuration and previous
Throtttle.getIdentifier
and Throttle.getThrottleInfo
events results.
You can also use this event to modify cached $rateLimit
and $ttl
values,
modifying $throttleInfo
in this event has no effect.
Example:
\Cake\Event\EventManager::instance()->on(
\Muffin\Throttle\Middleware\ThrottleMiddleware::EVENT_BEFORE_CACHE_SET,
function ($event, \Muffin\Throttle\ValueObject\RateLimitInfo $rateLimit, int $ttl, \Muffin\Throttle\ValueObject\ThrottleInfo $throttleInfo) {
\Cake\Log\Log::debug(sprintf("key(%s) remaining(%d) resetTimestamp(%d) ttl(%d)", $throttleInfo->getKey(), $rateLimit->getRemaining(), $rateLimit->getResetTimestamp(), $ttl));
}
);
By default Throttle will add X-headers with rate limiting information to all responses:
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 7
X-RateLimit-Reset: 1438434161
To customize the header names simply pass (all of them) under headers
key in
your configuration array:
'headers' => [
'limit' => 'X-MyRateLimit-Limit',
'remaining' => 'X-MyRateLimit-Remaining',
'reset' => 'X-MyRateLimit-Reset',
]
To disable the headers set headers
key to false
.
You may use type
and headers
subkeys of the response
array (as you would do
with a Response
object) if you want to return a different message as the default one:
new \Muffin\Throttle\Middleware\ThrottleMiddleware([
'response' => [
'body' => json_encode(['error' => 'Rate limit exceeded']),
'type' => 'json',
'headers' => [
'Custom-Header' => 'custom_value',
]
],
'limit' => 300,
]);
- Fork
- Mod, fix
- Test - this is important, so it's not unintentionally broken
- Commit - do not mess with license, todo, version, etc. (if you do change any, bump them into commits of their own that I can ignore when I pull)
- Pull request - bonus point for topic branches
To ensure your PRs are considered for upstream, you MUST follow the CakePHP coding standards.
http://github.com/usemuffin/throttle/issues
Copyright (c) 2015-Present, [Use Muffin] and licensed under The MIT License.