How to implement ratelimiting
I want that the user can't spam my API. What is the recommended way of ratelimiting?
7 Replies
From here, I found a couple of articles
https://search.convex.dev/?q=rate+limit
https://stack.convex.dev/throttling-requests-by-single-flighting - good info on client side limiting
https://stack.convex.dev/waitlist - good insight into high-contention algorithms.
I don't have a specific recommendation, but this does seem certainly possible to implement within Convex.
Could have something like a token bucket algorithm with the algorithmic state persisted into a table in your database. You can call that library function at the top of your important endpoints.
Note that the most trivial version of this algorithm will probably create a lot of write contention on the database table. In order to do rate limiting well at scale, it requires some nontrivial logic.
Seems like a great opportunity for a library.
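To make the token-bucket suggestion above concrete, here is an added example (not code from this thread, from convex-helpers, or from Convex itself). It keeps only two numbers per key, a token count and the timestamp at which that count was valid, which is exactly the record you would persist in a table keyed by user id or API key; the `Map` is an assumed stand-in for that table, and `checkRateLimit` is a hypothetical helper name. Note that a denied request performs no write: the refill is recomputed from the stored timestamp on the next call, so under a flood of rejected requests the hot row is read but not contended for, which addresses the write-contention concern raised above.

```typescript
// Two-number token bucket: per-key state that would live in a database row.
interface BucketState {
  tokens: number;    // tokens available at the instant `updatedAt`
  updatedAt: number; // ms timestamp when `tokens` was last computed
}

interface BucketConfig {
  capacity: number;     // maximum burst size
  refillPerSec: number; // sustained rate once the burst is spent
}

interface RateLimitResult {
  ok: boolean;         // true if the request may proceed
  retryAfterMs: number; // how long until `cost` tokens will be available
}

// Constructed stand-in for the persisted table. In a real deployment every
// call below would be a single transactional read-modify-write on one row.
const buckets = new Map<string, BucketState>();

// Call at the top of an endpoint; `nowMs` is passed in so the logic is
// deterministic and testable (a server would pass Date.now()).
function checkRateLimit(
  key: string,
  cfg: BucketConfig,
  nowMs: number,
  cost = 1,
): RateLimitResult {
  // A key never seen before starts with a full bucket.
  const prev = buckets.get(key) ?? { tokens: cfg.capacity, updatedAt: nowMs };

  // Lazily refill based on elapsed time, capped at capacity. Clamp elapsed
  // time at zero so a clock that moves backwards cannot drain the bucket.
  const elapsedSec = Math.max(0, nowMs - prev.updatedAt) / 1000;
  const tokens = Math.min(cfg.capacity, prev.tokens + elapsedSec * cfg.refillPerSec);

  if (tokens >= cost) {
    // Only successful requests write back, so an abusive client that is
    // mostly being rejected does not generate write contention on its row.
    buckets.set(key, { tokens: tokens - cost, updatedAt: nowMs });
    return { ok: true, retryAfterMs: 0 };
  }

  // Denied: report when enough tokens will have accrued. No write needed,
  // because the stored (tokens, updatedAt) pair still describes the bucket.
  const deficit = cost - tokens;
  return { ok: false, retryAfterMs: Math.ceil((deficit / cfg.refillPerSec) * 1000) };
}

// Clears all state; useful between test runs.
function resetRateLimits(): void {
  buckets.clear();
}
```

The `retryAfterMs` value maps directly onto a `Retry-After` response header if the helper is used from an HTTP action. Scoping the key to an authenticated identity rather than a client-supplied value is what makes the limit meaningful, which is the point made later in the thread about preferring auth over IP addresses.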
Here's an example of rate limiting:
https://github.com/get-convex/convex-nextjs-app-router-demo/blob/main/convex/posts.ts#L84-L86
From this template:
https://www.convex.dev/templates/nextjs-app-router
Hi you two @Michal Srb @nipunn. Thank you for your answers, but I need something like @upstash/ratelimit for Convex, so I can prevent someone, for example by IP address, from spamming my service and costing many DB calls.
Hey @FleetAdmiralJakob, we don't expose IP address inside functions, but you could do this in an HTTP action maybe? Request IP addresses are anyway unreliable for this use case.
Note that with Upstash you're hitting upstash before hitting your endpoint. There is no way to rate limit without storing some information somewhere - in the approach I linked you're using Convex for this instead of Upstash.
I would say there are generally 2 scenarios to worry about:
1. Attacker exploits resources (API calls, storage, DB bandwidth) - in this scenario attacker must be getting some value from the endpoint you provide. You can prevent this via auth and the approach I shared.
2. Attacker is trying to take you down (for political etc. reason) - in this scenario the attacker is just trying to inflict pain on you without getting any value out of the endpoint. I think you should not really have to worry about this: We worry about DDOS on our side, and we can handle one-off scenarios of malicious access patterns.
Another related thread: https://discord.com/channels/1019350475847499849/1230976450015006751
I just added a helper for rate limiting in convex-helpers@0.1.38. More info in this new Stack post: https://stack.convex.dev/rate-limiting