create rate limits for anonymous users
I would like to know if is there any helper or built in feature to limit calls to the db for a single user without workarounds?
I have two forms that call an api mutation and create new entries on two different tables. That entries will be created after a successful submit event, and can be from anonymous users, I want to limit the spam and possible vulnerabilities caused by that.
One option is to add captcha when calling the handler but just to play safe it would be awesome if there was any kind of restriction on the db.
Can anyone give me some help with this?
5 Replies
I don't have much expertise on this, but limiting by IP address should be effective for most cases. It may not stop folks who are determined to abuse your API, though. If you can have users authenticate while allowing them to retain anonymity, limits become a lot simpler to enforce.
Thank you for your reply. In this case the issue is that the user will not be logged in; it's a section of the application that is public and doesn't enforce login.
Thank you @Michal Srb, will check it out.
@RicardoGEsteves about anonymous users:
As in my answer, it depends on what incentives the "bad actors" have.
For example you might be worried about real logged-out users clicking around accidentally causing too much traffic. You can handle this with sessions (generate a session ID on the client, pass it to the Convex backend, use it in place of real auth for the rate limiting).
Of course this would not work if you're worried about malicious users who control the client entirely ("hacker" type) - they can generate a new session ID for each request. In this case you do need real auth to protect whatever valuable resource you have.
And if you're worried about pure DDoS, that's something we should take care of on our side, and not bill you if you're under attack.
I just added a helper for rate limiting in convex-helpers@0.1.38. More info in this new Stack post: https://stack.convex.dev/rate-limiting

Implementing Rate Limiting with only two numbers
Implementing application rate limiting when you have fast access to a database with strong ACID guarantees. Token bucket and fixed window, with fairne...
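The two ideas in this thread, keying the limit on a client-generated session ID for logged-out users and storing only two numbers per key (a token count and the timestamp it was computed at), can be modelled in plain TypeScript. The following is an added example written for this thread; it is not code from convex-helpers or the linked Stack post. An in-memory `Map` stands in for a database table, and the `sessionId` and `ip` fields on the request, the `submitAnonymousForm` handler and the rates chosen are all assumptions made for the illustration. It also shows the caveat from the thread: a per-session limit alone is defeated by a client that mints a new session ID per request, so the handler layers a coarser per-IP bucket on top.

```typescript
// Token-bucket rate limiter that persists exactly two numbers per key:
// the remaining tokens and the time at which that count was computed.
type Bucket = { tokens: number; updatedAt: number };

interface RateLimitConfig {
  rate: number;      // tokens refilled per period
  period: number;    // period length in milliseconds
  capacity?: number; // burst capacity; defaults to `rate`
}

class TokenBucketLimiter {
  // Stand-in for a database table keyed by the limit name (assumption for the example).
  private buckets = new Map<string, Bucket>();

  constructor(private config: RateLimitConfig) {}

  // Try to consume `count` tokens for `key` at time `now` (ms).
  // Returns whether the call is allowed and, if not, how long to wait.
  check(key: string, now: number, count = 1): { ok: boolean; retryAfter: number } {
    const { rate, period } = this.config;
    const capacity = this.config.capacity ?? rate;
    const prev = this.buckets.get(key) ?? { tokens: capacity, updatedAt: now };
    // Clamp negative elapsed time so a skewed clock cannot drain the bucket.
    const elapsed = Math.max(0, now - prev.updatedAt);
    // Multiply before dividing so whole-period refills are exact.
    const tokens = Math.min(capacity, prev.tokens + (elapsed * rate) / period);
    if (tokens >= count) {
      this.buckets.set(key, { tokens: tokens - count, updatedAt: now });
      return { ok: true, retryAfter: 0 };
    }
    // Rejected: still store the refilled value so later calls refill from `now`.
    this.buckets.set(key, { tokens, updatedAt: now });
    const retryAfter = Math.ceil(((count - tokens) * period) / rate);
    return { ok: false, retryAfter };
  }
}

// Two layers: a fine per-session limit for well-behaved logged-out users and a
// coarser per-IP limit for clients that rotate session IDs (rates are assumptions).
const sessionLimiter = new TokenBucketLimiter({ rate: 3, period: 60_000 });
const ipLimiter = new TokenBucketLimiter({ rate: 10, period: 60_000 });

interface AnonymousRequest {
  sessionId: string; // generated on the client, so it is untrusted
  ip: string;        // taken from the connection, harder for the client to rotate
  payload: string;
}

interface SubmitResult {
  accepted: boolean;
  reason?: "session" | "ip";
  retryAfterMs?: number;
}

// Hypothetical form-submit handler: both checks run before any row is written.
function submitAnonymousForm(req: AnonymousRequest, now: number): SubmitResult {
  const bySession = sessionLimiter.check(`session:${req.sessionId}`, now);
  if (!bySession.ok) {
    return { accepted: false, reason: "session", retryAfterMs: bySession.retryAfter };
  }
  const byIp = ipLimiter.check(`ip:${req.ip}`, now);
  if (!byIp.ok) {
    return { accepted: false, reason: "ip", retryAfterMs: byIp.retryAfter };
  }
  // Insert into the table here; omitted in this in-memory example.
  return { accepted: true };
}

// Constructed sample: one session submitting four times in the same second.
const demo = [0, 0, 0, 0].map((t) =>
  submitAnonymousForm({ sessionId: "demo-session", ip: "203.0.113.5", payload: "hi" }, t),
);
console.log(demo.map((r) => (r.accepted ? "accepted" : `rejected (${r.reason})`)));
```

In a Convex mutation the `Map` would be a table row read and rewritten inside the same transaction, which is what makes the two-number approach safe under concurrent submits: the read-modify-write of `tokens` and `updatedAt` cannot interleave with another request for the same key.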