Comments (5)
Thanks, @Seltyk . Rate limiting and pagination are on our road map. These are helpful points for us to keep in mind as we build them out. We of course would welcome contributions in pull request form as well! :)
from augur.
Glad we're on the same page. I'll continue developing my pagination implementation for now; hopefully I'll have a PR to present in the near future.
from augur.
@Ulincsys : Can you share your thoughts about rate limiting and pagination here. I know you did a bit of looking into this already.
from augur.
Yes, we've been discussing pagination and rate-limiting for the last several months.
Currently Augur does not keep track of requests made to the frontend or the backend. All requests are served blindly and without context as to what other requests a particular client has made within a given time period. My intent moving forward is for Augur to implement an event stream internally so that we can query the behavior patterns for clients while serving requests.
We have three levels of authentication for our endpoints at the moment:
- Unauthenticated
- These endpoints do not require an API key or user authorization to access.
- Most of our metrics endpoints fall into this category
- Client API key required
- These endpoints require a
Client [key]
authorization header to access - The Oauth endpoints fall into this category
- These endpoints require a
- User authorization required
- These endpoints require a
Client [key], Bearer [token]
authorization header to access - All endpoints that handle user data fall into this category
- These endpoints require a
For the authenticated endpoints, it shouldn't be too difficult to implement rate-limiting once the event system is in place, since we have identity information for the requester. We can set a limit per key per hour (like GitHub), or set limits per endpoint per key per hour. We have not decided on the particulars of the limits yet, but we're definitely open to input on what seems reasonable.
As for the unauthenticated endpoints, we need to find a system that can identify unique agents based solely on the information provided in basic HTTP requests. Is an IP address alone enough? What about multiple legitimate agents making requests from the same host?
- My thought is that we should strictly rate-limit unauthenticated endpoints based on IP address (and any other useful identifiers), and make it optional to pass an API key along with requests to these endpoints. This way, we can say that if an agent wants to make a large volume of requests to unauthenticated endpoints, then they will need to register their application so they can authenticate with an API key.
from augur.
My experience is in embedded development, so rate limiting is something I haven't thought very critically of before. OpenWeatherMap, if memory serves, enforces very strict rate limits on unauthenticated clients, but just making an account and generating an API key significantly loosens the limits. This seems to be the model you were describing in the last paragraph, and at a glance it looks like a simple yet effective way to stop bots from hogging the server while allowing legitimate clients to leverage Augur. The threat of an IP ban isn't going to stop the most malicious attackers, as they could simply hook their bot up to a VPN, but having to make a new account may slow them down enough to discourage that behavior.
I'll pass this thread along to some web and security guys I know, their input is far more valuable than mine.
from augur.
Related Issues (20)
- New API's for Allinopensource project badging
- Installing on EC2 22.04.1-Ubuntu instance: make install fails while trying to connect to rabbitmq HOT 2
- Slow GET requests for repos and groups HOT 4
- Add Person Who Closed Issue to Issues Table HOT 2
- Frontend 'Repos' list not filterable HOT 2
- Update Materialized View HOT 1
- Getting a UnicodeEncodeError and not sure how to fix it HOT 2
- Augur front end collection stats broken
- Augur frontend: repository not showing up in user group
- Unable to configure postgresql HOT 1
- Couldn't create server file HOT 2
- Missing/Incorrect Info Installation Instructions MacOSX HOT 4
- Augur front end delete button not working HOT 2
- Issue data cntrb_id null for closed issues HOT 1
- Augur front end not filling screen/folds up HOT 5
- ssl certificate is out of date for https HOT 1
- BUG: pull_request_reviews incorrect pull_request_id HOT 2
- Possible Bug: cntrb_id in contributor_repo table is a dictionary HOT 1
- New data field: Bot label on contributors HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from augur.