From 63712063156591ee538b02ae4201ab4a9898f541 Mon Sep 17 00:00:00 2001
From: Bryan Stitt <bryan@llamanodes.com>
Date: Fri, 14 Jul 2023 00:23:05 -0700
Subject: [PATCH] rate limit by ip if unknown key

---
 web3_proxy/src/frontend/authorization.rs  | 15 ++++-----------
 web3_proxy/src/frontend/rpc_proxy_http.rs |  2 ++
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/web3_proxy/src/frontend/authorization.rs b/web3_proxy/src/frontend/authorization.rs
index 9e96c2e6..597c45d4 100644
--- a/web3_proxy/src/frontend/authorization.rs
+++ b/web3_proxy/src/frontend/authorization.rs
@@ -821,15 +821,7 @@ pub async fn ip_is_authorized(
 ) -> Web3ProxyResult<(Authorization, Option<OwnedSemaphorePermit>)> {
     // TODO: i think we could write an `impl From` for this
     // TODO: move this to an AuthorizedUser extrator
-    let (authorization, semaphore) = match app
-        .rate_limit_by_ip(
-            &app.config.allowed_origin_requests_per_period,
-            ip,
-            origin,
-            proxy_mode,
-        )
-        .await?
-    {
+    let (authorization, semaphore) = match app.rate_limit_by_ip(ip, origin, proxy_mode).await? {
         RateLimitResult::Allowed(authorization, semaphore) => (authorization, semaphore),
         RateLimitResult::RateLimited(authorization, retry_at) => {
             // TODO: in the background, emit a stat (maybe simplest to use a channel?)
@@ -1076,7 +1068,6 @@ impl Web3ProxyApp {
     /// origin is included because it can override the default rate limits
     pub async fn rate_limit_by_ip(
         &self,
-        allowed_origin_requests_per_period: &HashMap<String, u64>,
         ip: &IpAddr,
         origin: Option<&Origin>,
         proxy_mode: ProxyMode,
@@ -1088,6 +1079,8 @@ impl Web3ProxyApp {
             return Ok(RateLimitResult::Allowed(authorization, None));
         }
 
+        let allowed_origin_requests_per_period = &self.config.allowed_origin_requests_per_period;
+
         // ip rate limits don't check referer or user agent
         // they do check origin because we can override rate limits for some origins
         let authorization = Authorization::external(
@@ -1333,7 +1326,7 @@ impl Web3ProxyApp {
 
         // if no rpc_key_id matching the given rpc was found, then we can't rate limit by key
         if authorization_checks.rpc_secret_key_id.is_none() {
-            return Ok(RateLimitResult::UnknownKey);
+            return self.rate_limit_by_ip(ip, origin, proxy_mode).await;
         }
 
         // only allow this rpc_key to run a limited amount of concurrent requests
diff --git a/web3_proxy/src/frontend/rpc_proxy_http.rs b/web3_proxy/src/frontend/rpc_proxy_http.rs
index 5118f507..fbfc7036 100644
--- a/web3_proxy/src/frontend/rpc_proxy_http.rs
+++ b/web3_proxy/src/frontend/rpc_proxy_http.rs
@@ -301,5 +301,7 @@ async fn _proxy_web3_rpc_with_key(
         );
     }
 
+    // TODO: user tier in the header
+
     Ok(response)
 }