go-chi / httprate Goto Github PK

The headers output by this middleware "X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset", "Retry-After" should be output depending on a configuration for it.

c.lastEvict field used to amortize the cost of local counter's eviction doesn't seem to be ever updated.

Hi,

We were testing this library for use as we already use Chi and found an issue with the current implementation.

Currently's it first checks the status and then increments. This will create an error in the following scenario which can be replicated with a unit test.

If the request limit is say 25/sec If I get 50 requests simultaneously in the first second then it will let them through as for every request the initial value will be 0.

Instead, if we can have a way in which the current window can be incremented and retrieved along with the previous window then this can be fixed.

type LimitCounter interface {
    // IncrAndGet is an atomic operation
    IncrAndGet(key string, inc time.Time, get time.Time) (inc int64, get int64, err error)
}

We wanted to use Redis and the example which I stated is doable using INCR command.

Please let me know your thoughts.

Is there an easy way to use the existing httprate functionality but push it to the end resolution of the request/response chain instead of at the beginning.

We want to create a couple of open ended mutation endpoints that could be used maliciously so we want to limit the total number of bad requests in a short period of time, but not limit penalize a user who is submitted good data that returns 2XX responses.

https://github.com/go-chi/httprate/blob/master/httprate.go#L101

Please, add examples with negative and zero limits and describe what they do.

@pkieltyka will you add a license file to this repo? As a practical matter, documentation on pkg.go.dev isn't viewable unless a suitable license is detected. It looks like, from the readme, that httprate is intended to be licensed under MIT. Thanks!

lets build github.com/go-chi/httprate-redis package name httprateredis which implements the LimitCounter interface so a counter may be shared across servers

LimitCounter requireswindowLength to determine whether to evict the key expired. The external counter implementation needs to hold the same duplicatewindowLength as the Limit(_ , windowLength)

So far this middleware doesn't allow for custom limit handling like changing the response body and code, additional logging etc. Some other tools like https://github.com/didip/tollbooth have this feature. I think it would be nice to add it here. I can come up with a PR if the idea doesn't sound bad.

P.S. And thanks for the great work on Chi!