Do functions that throw errors cost ? (e.g. not authenticated, ratelimited)
Hi there,
so the point of rate limiting is to prevent overloading the db yes, but also to prevent bots from causing too much cost for the developers. Yet to me it seems like the rate liimited functions still cost right ?
Whats a better way, to prevent this ? serverside ?
Maybe delete users complete from the db ? But also functions throwing "not authenticated" cost ...
8 Replies
Yeah, a function run is a function run, whether it throws or not. But rate limiting does work - it limits how many functions can be run within a given time frame or for a given user. Check out the rate limit component if you haven't seen it https://www.convex.dev/components/rate-limiter
Convex
Rate Limiter
Define and use application-layer rate limits. Type-safe, transactional, fair, safe, and configurable sharding to scale.
i used this component, but against a malicious attacker, there is no point doing it clientside, since it can be removed from javascript easily, and from serverside it works throwing errors thats good, but still can quickly cost looots of money.... I wish there was a feature that would ban the IP of the attacker after 30 hit ratelimits within a day or so....
like
myCustomLimit: { kind: "fixed window", rate: 3, period: MINUTE, { banAfter: 30, within: DAY }}
and then there is a "bannedIPs" table in convex where I can manualy unban if something was an accident ..,
do you know who to talk to about this feature ?i used this component, but against a malicious attacker, there is no point doing it clientsideThis component doesn't run client side at all Unless your limited function is an action you don't have an ip address to ban, and if it is an action, the ip address can still be spoofed I also realize this can be used client side, but it's enforceable server side. Client side is just to help message/ui around active rate limits for your general users
I believe MietzeKatze may be referring to this - it's part of convex's pricing, and rate limiting will not defend against a malicious attacker calling functions and upping your bill.
It will also not defend against (e.g.) an inadvertent loop where the frontend calls the backend errounously over and over
Yeah fair point. Ian's guidance (he wrote this component) is relevant here: https://discord.com/channels/1019350475847499849/1263944459666591755/1402032116526743604
Idealy it would go like this:
-developer can mark functions as "for users only"
- thos functions can only be called by Ips that are added to the whitelist in convex-firewall and show correct authToken
- On every signIn userIP gets added to whitelist, on every logout userIP gets deleted from whitelist
- if function call comes from not logged in IP it gets reject by firewall without hitting the infrastructure
- if ratelimits are hit too hard by a userIp, as defined in the ratelimiterconfig (here 30 ratelimithits within a day)
ip gets added on blacklist in convex firewall
- spoofing wont work, because the singIn only works if the attacker also receives the package back, with the signIn token, but since its a fake ip adress it will land anywhere, but not at the attacker
- so an attacker would be forced to use a correct ip adress to signIn, and If he wanted his spam to hit the infrastructure then needed to continue using this real IP, and therefore burn one Ip after another of his botArmy in the process 👍 keeping all of convex customers clean in the future
- could be another salespoint for convex
does that make sense, or did I miss something ? 😅
In the short term, I'd say you can leverage CloudFlare as a proxy in front of Convex wherever you want to get into IP-based / network-layer rate-limiting territory. You can have a custom domain proxy through CF for http actions (convex.site) and/or websocket traffic (convex.cloud), as well as your frontend in general.
Unfortunately IPs are pretty lossy here - if a bad actor is on an IP from an ISP, there's no IP-based way to block them and not the rest of the customers of that ISP behind that IP. Also, users from mobile devices will be switching IPs as they move around / go on/off wifi/ cell network. Nifty idea though
I secretly hope that in case one would get ddos attacked and functions error like crazy, as soon it goes over a 50 bucks we dont have to pay ... because if I use paylimit on the project it will shut down the service which is a succussful ddos attack in my book 😅