From 63712063156591ee538b02ae4201ab4a9898f541 Mon Sep 17 00:00:00 2001
From: Bryan Stitt
Date: Fri, 14 Jul 2023 00:23:05 -0700
Subject: [PATCH] rate limit by ip if unknown key
---
 web3_proxy/src/frontend/authorization.rs | 15 ++++-----------
 web3_proxy/src/frontend/rpc_proxy_http.rs | 2 ++
 2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/web3_proxy/src/frontend/authorization.rs b/web3_proxy/src/frontend/authorization.rs
index 9e96c2e6..597c45d4 100644
--- a/web3_proxy/src/frontend/authorization.rs
+++ b/web3_proxy/src/frontend/authorization.rs
@@ -821,15 +821,7 @@ pub async fn ip_is_authorized(
 ) -> Web3ProxyResult<(Authorization, Option)> {
 // TODO: i think we could write an `impl From` for this
 // TODO: move this to an AuthorizedUser extrator
- let (authorization, semaphore) = match app
- .rate_limit_by_ip(
- &app.config.allowed_origin_requests_per_period,
- ip,
- origin,
- proxy_mode,
- )
- .await?
- {
+ let (authorization, semaphore) = match app.rate_limit_by_ip(ip, origin, proxy_mode).await? {
 RateLimitResult::Allowed(authorization, semaphore) => (authorization, semaphore),
 RateLimitResult::RateLimited(authorization, retry_at) => {
 // TODO: in the background, emit a stat (maybe simplest to use a channel?)
@@ -1076,7 +1068,6 @@ impl Web3ProxyApp {
 /// origin is included because it can override the default rate limits
 pub async fn rate_limit_by_ip(
 &self,
- allowed_origin_requests_per_period: &HashMap,
 ip: &IpAddr,
 origin: Option<&Origin>,
 proxy_mode: ProxyMode,
@@ -1088,6 +1079,8 @@ impl Web3ProxyApp {
 return Ok(RateLimitResult::Allowed(authorization, None));
 }
 
+ let allowed_origin_requests_per_period = &self.config.allowed_origin_requests_per_period;
+
 // ip rate limits don't check referer or user agent
 // they do check origin because we can override rate limits for some origins
 let authorization = Authorization::external(
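Review bot: The `///` comment above `rate_limit_by_ip` in the `@@ -1076` hunk no longer tells a caller where the per-origin limits come from or which requests reach this function. With the parameter removed, the overrides are read from `self.config.allowed_origin_requests_per_period` (the `@@ -1088` hunk), and the `@@ -1333` hunk routes requests that present an unknown key through here as well. I would extend the doc comment with `/// per-origin overrides come from self.config.allowed_origin_requests_per_period; also the fallback when a presented rpc key is unknown`. The function body continues outside both hunks, so the condition guarding the early `Allowed(authorization, None)` return is not visible here.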
@@ -1333,7 +1326,7 @@ impl Web3ProxyApp {
 
 // if no rpc_key_id matching the given rpc was found, then we can't rate limit by key
 if authorization_checks.rpc_secret_key_id.is_none() {
- return Ok(RateLimitResult::UnknownKey);
+ return self.rate_limit_by_ip(ip, origin, proxy_mode).await;
 }
 
 // only allow this rpc_key to run a limited amount of concurrent requests
diff --git a/web3_proxy/src/frontend/rpc_proxy_http.rs b/web3_proxy/src/frontend/rpc_proxy_http.rs
index 5118f507..fbfc7036 100644
--- a/web3_proxy/src/frontend/rpc_proxy_http.rs
+++ b/web3_proxy/src/frontend/rpc_proxy_http.rs
@@ -301,5 +301,7 @@ async fn _proxy_web3_rpc_with_key(
 );
 }
 
+ // TODO: user tier in the header
+
 Ok(response)
 }
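Review bot: A request presenting a key that matches no `rpc_secret_key_id` becomes indistinguishable from anonymous traffic once `return self.rate_limit_by_ip(ip, origin, proxy_mode).await;` runs in the `@@ -1333` hunk, and nothing in the visible lines records that a bad key was offered. To keep key guessing and clients using a revoked key detectable, emit a stat or a warn-level log carrying the ip (never the key itself) before the fallback. The comment above the `if` still only says key limits cannot apply; I would change it to `// unknown key: fall back to the anonymous per-ip limit instead of rejecting`. It also looks as if `RateLimitResult::UnknownKey` loses its producer here, so the callers' handling of that variant (outside this diff) is worth checking for dead code, and for whether serving these requests rather than rejecting them is the intended policy. The enclosing function starts and ends outside the hunk.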