There are so many ways to identify requests in systems, the architecture should not enforce its own header for this purpose, but rather provide an interface to let the consuming application decide how a request identity is defined (from a header, or any mechanism of their choosing, such as identifying anonymous users)

Any reason why ThrottlePolicy's first argument, perSecond isn't an optional parameter like the rest of them? It's not a terrible inconvenience to use null when I only want rate limiting per-minute, but it looks a bit weird.

I am inheriting from ThrottlingHandler and override QuotaExceededResponse, so Ican return the response in the format i wish.
My policy has IpThrotthling, but I have also custom rates for a specific endpoint.
And in my response I want to add information about if quota has been exceeded because of the endpoint quota or because of IP quota, is there anyway i could do that?

The ThrottlePolicy class currently exposes three sets of rules: ClientRules, EndpointRules and IPRules, all of the of type Dictionary<string, RateLimit>. This means that I have to load all of the rules in memory in advance and that is not desirable for scalability.
What do you think of changing their type to IDictionary<string, RateLimit>, so the user could provide his own implementation of the dictionary? Rules could then be loaded when needed, from a remote key value store (for instance), and even change at runtime.

Is it possible to have multiple throttling-policies at the same time?

For example I want to add a generic throttling to two policies:

1.) ClientThrottling which limits all requests independent of the route so that one user can only perform lets say 30 requests per second in total.

2.) ClientThrottling + EndpointThrottling: Limit the number of requests / second for each endpoint to 5 requests per second.

The goal is to allow the user to perform 'many' different requests at the same time while at the same time preventing him from spamming a single route.

As far as I see this is only possible by adding two ThrottlingHandlers at the same time.

As soon as you enable EndpointThrottling there won´t be any throttling when you 'spam' different routes, right?

Please let me know if this is the best approach to achieve what I want or if I am missing something. If there are no big drawbacks to the approach of using two ThrottlingHandlers at the same time, I will go for that approach.

Surprised this typo has been out there for so long.

hi,

Our requirement is to limit the number of API calls regardless of it has been originated from the same IP address or different. We also do not want to limit by Client API key or Endpoint. How can it be done.? I tried ThrottlePolicy with global perWeek = 1 and setting all(IpThrottling, EndPointThrottling,ClientThrottling) to false, but it did not help because I beleive Throttling is disabled.

Do you have any suggestion?

I'm currently implementing the IThrottleRepository against Microsoft Azure Document DB. What's a bit of a shame is that the DocumentDB API is fully async whereas the IThrottleRepository is fully sync.

I was considering contributing to your project by adding async support for IThrottleRepository. However - does it make sense do you think? Of course, async await comes at a cost of building a state machine around the caller. So my question: do you think this could add to the library?

I'm trying to figure out if there is a better way to load client policies w/o loading all of them on startup. I can load all via IThrottlePolicyProvider, but I think as the number of clients grows it would be bit on the heavy side.

So far I've tried creating a middleware to read api key from Authorization-Token header and do a lookup on it to find the client and their rate limits stored in a database. I then store client's rate limits in OWIN context so it can be accessed later on.

        public override async Task Invoke(IOwinContext context)
        {
            var headers = context.Request.Headers;

            if (headers != null && headers.Any(header => header.Key.Equals("Authorization-Token")))
            {
                var apiKey = headers
                    .FirstOrDefault(pair => pair.Key.Equals("Authorization-Token"))
                    .Value
                    .FirstOrDefault();

                var client = await _clientsRetriever.GetByApiKey(apiKey);

                if (client != null)
                {
                    context.Set("client.AuthorizationToken", apiKey);
                    context.Set("client.RateLimits", new RateLimits
                    {
                        PerWeek = client.RateLimits.RequestsPerWeek ?? 0,
                        PerDay = client.RateLimits.RequestsPerDay ?? 0,
                        PerMinute = client.RateLimits.RequestsPerMinute ?? 0,
                        PerHour = client.RateLimits.RequestsPerHour ?? 0,
                        PerSecond = client.RateLimits.RequestsPerSecond ?? 0
                    });
                }
            }

            await Next.Invoke(context);
        }

I then implemented IPolicyRepository.FirstOrDefault which appears to be getting called for all requests. Here, I'm basically returning ThrottlePolicy with the rate limits for the current client in OWIN context only.

        public ThrottlePolicy FirstOrDefault(string id)
        {
            var token = HttpContext.Current.GetOwinContext().Get<string>("client.AuthorizationToken");
            var rateLimit = HttpContext.Current.GetOwinContext().Get<RateLimits>("client.RateLimits");

            var throttlePolicy = new ThrottlePolicy(perSecond: 0, perMinute: 0, perHour: 0, perDay: 0, perWeek: 0)
            {
                ClientThrottling = true
            };

            if (rateLimit != null)
            {
                throttlePolicy.ClientRules.Add(token, rateLimit);
            }

            return throttlePolicy;
        }

I'm not showing all of the code, but in general this works ok. Howevert, a little cumbersome and I feel like I may be missing a feature in the library. Any suggestions?

Hi

I understand you can set your policy like so:

Policy = new ThrottlePolicy(perSecond: 1, perMinute: 20, perHour: 200, perDay: 1500, perWeek: 3000)

Is it possible to set a policy that allows one request every 5 seconds?

If I set perMinute: 12 , that seems to allow 12 in the first few seconds of a minute and then nothing afterwards

What I would like is to only allow one request, then the next allowed one is five seconds later

I assume fractional values for perSecond dont work

thanks

If the code is compatible with owin (and it appears to be) this dependency should not be required for consumers.

First of all, thanks for this project. It really does the job.
Have you considered creating a throttling OWIN middleware?
There might be other endpoints such as the OAuth bearer token middleware, which exposes a /token endpoint, or SignalR endpoints that could be protected under the same throttling middleware as WebAPI.

Help me!
can't override the ThrottlingHandler.QuotaExceededResponse function
I need result Model

can you publish the nuget package with strong name signing?
We sign all our assemblies prior to release to our customers and we cant build our system without your assembly being signed

Hi. I like your implementation here, but our project is built under dotNET Core RC2 at the moment so I was wondering whether you are able to create a dotNET Core supported version?

Hi Guys,

In my project I have HttpMessageHandler for my API Key authentication and I'm using the ThrottleHandler too.

This cenarius forces me to have have 2 handlers stacked, what I think can decrease the performance of the api.

So I have been thinking if we could implement a simple API Key authentication on the project.

What do you think guys?

Best regards,

Gabriel Marquez

Provide a default implementation of the IThrottleLogger that logs to Diagnostic Trace or provide a default implementation of the ITraceWriter. This will allow the throttle messages to dump straight to the logging pipeline that might already be in place.

Presently, endpoint throttling can be bypassed by tweaking URL case after the limit is reached.

Contains() is case-sensitive by default, so I think the issue is here:

https://github.com/stefanprodan/WebApiThrottle/blob/master/WebApiThrottle/ThrottlingHandler.cs

     var rules = Policy.EndpointRules.Where(x => identity.Endpoint.Contains(x.Key)).ToList();

this module doesn't work properly in work networks and throttles all requests from different clients with same IP.
I mean this module doesn't care about sessions and looks at all users in workgroups with the same eye.
users don't need to login in my project so I didn't used Identity to have any client Key.
Is there any option to solve this problem ??

thanks
alireza

Can you provide a suggestion of best practise to pull client api's from a data store rather than the hard coded dictionary example? For example, (using MVC project) as a new user registers with the site an API is allocated to them (using an extension of the identity model) - subsequent api calls made by the user would then want to check the api key in the header against the list of api's (using EF/model)stored in SQL Server.

Hope that makes sense

many thanks

Hi stefan,

Currently i have same Endpoint name but it has the different HTTP Method,
this is my Endpoint example:
GET http://localhost:11625/api/userdetai?UserID=1
and
DELETE http://localhost:11625/api/userdetai?UserID=1

my question is: how to make this request has different rate limit for each HTTP method?

The documentation seems to suggest a depency on System.Web.Http 5.0.0.0 or greater. I have System.Web.Http version 5.2.2.0 and I'm blowing this exception:

Could not load file or assembly 'System.Web.Http, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'

Do you know of any issue while publishing Web Api Throttle on Azure? The role is restarting continuously.

Endpoint = request.RequestUri.AbsolutePath

Should be;

Endpoint = request.RequestUri.AbsolutePath.ToLowerInvariant()

I think there is problem at 130-133 rows in ThrottlePolicy.cs

if (whitelists != null)
{
    policy.EndpointWhitelist.AddRange(whitelists.Select(x => x.Entry));
}

White list not working for IP and ClientKey, this probably should be something like this

policy.IpWhitelist = new List<string>();
policy.ClientWhitelist = new List<string>();


if (whitelists != null)
{
    policy.IpWhitelist.AddRange(whitelists.Where(x => x.PolicyType == ThrottlePolicyType.IpThrottling).Select(x => x.Entry));
    policy.ClientWhitelist.AddRange(whitelists.Where(x => x.PolicyType == ThrottlePolicyType.ClientThrottling).Select(x => x.Entry));
    policy.EndpointWhitelist.AddRange(whitelists.Where(x => x.PolicyType == ThrottlePolicyType.EndpointThrottling).Select(x => x.Entry));
}

Hi,

Before i use PolicyCacheRepository, the RequestIdentity works fine, but after i add "PolicyRepository = new PolicyCacheRepository()", Why my RequestIdentity never get called ?

This is my requirement, my API Key is not stored in the "Authorization-Token" request header, and i need to update my ClientRules at runtime
Thanks

I'm using the Microsoft.Owin.Security.OAuth package to provide token generation in my app - is there a way to configure WebApiThrottle to limit requests to the "token" endpoint? I've tried doing so using endpoint rules in both the C# code and in the web.config but with no success.

It would be nice to have the ability to update the quota exceeded message on certain endpoints via an attribute or as part of the xml configuration.

My environment required that encryption algorithms are FIPS compliant. The ThrottlingCore.ComputeThrottleKey method is using Sha1Managed which is not FIPS compliant. This article documents more on the issue.

For now I will create my own build, but I'd love to see a FIPS compliant switch for the throttling handler. Thanks for considering it.

I am using the Throttle handler and right now it is return a http error 429 with the following body:

My api needs to return a very specific structure of response it is a requirement is there anyway to do that?

As stated in the documentation, to get the client API key from a custom header, one needs to override the ThrottlingHandler.SetIndentity function

However, if we use the ThrottlingMiddleware, how can this be done?

Per the ReadMe:

By default, rejected calls are not added to the throttle counter.
...
If you want rejected requests to count towards the other limits, you'll have to set StackBlockedRequests to true.

Looking at the code, I can see that Repository.Save is called within ThrottlingCore.ProcessRequest, which is called from ThrottlingFilter roughly 10 lines before the overlimit check is performed.

Screenshot from Redis showing a counter of 13 (this was with a perMinute limit of 10):

I've tried this with setting StackBlockedRequests explicitly to false as well as leaving the default, both with the same result.

Is it possible to specify a status code to return when the limit is reached?

I realize this would be a breaking change now but SetIndentity of ThrottlingHandler is misspelled. Should be Identity not Indentity.

Hello,

In the MvcThrottle project attributes are used to enable / disable throttling on a controller or action. Is it possible to add this functionality to the WebApiThrottle project as well?

Kind regards,
Marco Zuiderwijk

Hi,

I've been having a play with WebApiThrottle following your suggestion on SO.

No problems using it in Web API, however I'm having real problems from a unit testing perspective.

Basically all I'm trying to do is to set the "RemoteIpAddress" in OWIN as part of the unit test so the API will throttle (see line 88 of ThrottlingCore.cs).

I've tried a multitude of ways to try and set it and haven't go anywhere. The nearest I've got is the snippets below. It seems to setup correctly, but once we enter Web API land all the request properties get replaced.

I was wondering if you might be able to shed some light on how to unit test the throttling? I've added screenshots of the main parts of the code here:

Many thanks in advance,
Franz.

I'm using the ThrottlingMiddleware in OWIN pipeline. I need to log requests rejected when quota is exceeded.

Since I have my own separate logging middleware preceding the ThrottlingMiddleware in the pipeline (so I can log all failed requests), the first issue for me was to figure out why IOwinContext.Response has HTTP Status of 200 after coming back from ThrottlingMiddleware while I obviously receive 429 in the client. I guess it's because you use IOwinResponse.OnSendingHeaders to populate the response and that happens when all the middlewares are done with processing (correct me if I'm wrong here).

So I decided to go with implementing a separate IThrottleLogger logger. The problem is that as I can see in the source of ThrottlingMiddleware (line 191 in tag 1.4.3), the ThrottleLogEntry is built with null as request value:

// log blocked request
if (Logger != null)
{
    Logger.Log(core.ComputeLogEntry(requestId, identity, throttleCounter, rateLimitPeriod.ToString(), rateLimit, null));
}

I understand that this is probably because you can't build an HttpRequestMessage in OWIN context, but this makes the logger pretty useless for me (I am more interested in the contents of the incoming request rather than client's key or IP).

Is there any way to solve this? Right now it seems to me that simply populating the IOwinContext.Response on the spot would fix my issue but maybe it violates some other assumption.

Thanks in advance.

We ran into an interesting use case where the port number came through with the IP address.

Message: [FormatException: An invalid IP address was specified.]
 System.Net.IPAddress.InternalParse(String ipString, Boolean tryParse):0
 WebApiThrottle.ThrottlingCore.ContainsIp(List`1 ipRules, String clientIp):7
 WebApiThrottle.ThrottlingCore.IsWhitelisted(RequestIdentity requestIdentity):8
 WebApiThrottle.ThrottlingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken):128
 System.Web.Http.HttpServer+<SendAsync>d__0.MoveNext():285

The IP address coming through had port numbers on the end of it. For example:

127.0.0.1:8080

This doesn't get parsed. You may want to do some cleanup on IpAddress strings before attempting to parse them.

P.S. This happened in an Azure environment.

If you think this is an issue that should be handled in this project I wouldn't mind submitting a PR.

Hi - Awesome Library!

We have had someone abusing our API, mainly creating tonnes of user accounts (13 thousand over a period of 3 hours or so).

Here is what I am trying to achieve:

1. A global policy of 50 requests per second, per endpoint, per IP address
2. A endpoint policy "POST: Users" that limits to 150 new users per hour

Basically - this means that while we are sleeping (say 10 hours) the attacker could only create a maximum of 1500 accounts. It also means that their could only be 150 "Real" user accounts per hour... We can manage that number over time but for now thats more than required.

At this stage this is what I have:

1. A ThrottlingHandler with the global policy covering off number 1
2. A ThrottlingFilter - I'm not 100% sure if I need this for the attribute filter but have it anyway.
3. A [EnableThrottling] attribute on the "POST: Users" endpoint - which covers number 2.

My question:
Will the ThrottlingHandler & ThrottlingFilter work independent of each other? Or do they inherit each other's policies? And - does the above look ok?

Cheers,
Sam

ThrottlePolicy.cs doesn't convert all three types of rules into RateLimit objects, just the IP ones. Nor are the other ones initialized.

EndpointRules = new Dictionary<string, RateLimits>()

foreach (var item in rules.Where(r=> r.PolicyType == ThrottlePolicyType.IpThrottling))

Any chance you could add support for .Net 4.0? I've downloaded the project from Github and it was easy to migrate:

• Install a new version of WebApi.Core: 4.0.30506
• Change this line to use TaskCompletionSource instead of the more convenient Task.FromResult.

Would be nice to send the X-Rate-Limit-Limit, X-Rate-Limit-Remaining, X-Rate-Limit-Reset headers back on each response so users of the api can deal with it on their side before it becomes a problem.
Like https://dev.twitter.com/rest/public/rate-limiting

I want to support the proposed http://tools.ietf.org/html/rfc6585 status codes in my API. When requests are rate-limited, I would like to override the default 409 status code (which I left as the default status code if a different one is not supplied) with the proposed 429 - 'Too Many Requests' status code.

We have a load balancer in front of our web apps and the ipaddress throttle is all based on the load balancer ip. We have Forwarded_For http header which contains the source ip address but there is no easy way I can see to configure the throttle to use this.

How can I retrieving API Client Key from query string when using ThrottlingMiddleware?

Thanks,
Paresh

We're using the library to prevent scrapers doing too many calls. The library works really well for this ( blocking true positives ) but of course, every now and then, also throttles a power-user ( false positive ).

So - my question is: would it be possible to expose methods return wheter or not a client IsThrottled and one that ResetRequestCounter ?

I am using the ThrottlingMiddleware and I get the following error

The class 'WebApiThrottle.ThrottlingMiddleware' does not have a constructor taking 5 arguments.

app.Use(typeof(ThrottlingMiddleware),
                new ThrottlePolicy(perSecond: 5, perMinute: 120, perHour: 700, perDay: 10000)
                {
                    IpThrottling = true,
                    ClientThrottling = true,
                    EndpointThrottling = true,
                },
                new PolicyCacheRepository(),
                new CacheRepository(),
                null);