rate limit by ip if unknown key

This commit is contained in:
Bryan Stitt 2023-07-14 00:23:05 -07:00
parent 6f28f7c337
commit 6371206315
2 changed files with 6 additions and 11 deletions

@ -821,15 +821,7 @@ pub async fn ip_is_authorized(
) -> Web3ProxyResult<(Authorization, Option<OwnedSemaphorePermit>)> {
// TODO: i think we could write an `impl From` for this
// TODO: move this to an AuthorizedUser extrator
let (authorization, semaphore) = match app
.rate_limit_by_ip(
&app.config.allowed_origin_requests_per_period,
ip,
origin,
proxy_mode,
)
.await?
{
let (authorization, semaphore) = match app.rate_limit_by_ip(ip, origin, proxy_mode).await? {
RateLimitResult::Allowed(authorization, semaphore) => (authorization, semaphore),
RateLimitResult::RateLimited(authorization, retry_at) => {
// TODO: in the background, emit a stat (maybe simplest to use a channel?)
@ -1076,7 +1068,6 @@ impl Web3ProxyApp {
/// origin is included because it can override the default rate limits
pub async fn rate_limit_by_ip(
&self,
allowed_origin_requests_per_period: &HashMap<String, u64>,
ip: &IpAddr,
origin: Option<&Origin>,
proxy_mode: ProxyMode,
@ -1088,6 +1079,8 @@ impl Web3ProxyApp {
return Ok(RateLimitResult::Allowed(authorization, None));
}
let allowed_origin_requests_per_period = &self.config.allowed_origin_requests_per_period;
// ip rate limits don't check referer or user agent
// they do check origin because we can override rate limits for some origins
let authorization = Authorization::external(
@ -1333,7 +1326,7 @@ impl Web3ProxyApp {
// if no rpc_key_id matching the given rpc was found, then we can't rate limit by key
if authorization_checks.rpc_secret_key_id.is_none() {
return Ok(RateLimitResult::UnknownKey);
return self.rate_limit_by_ip(ip, origin, proxy_mode).await;
}
// only allow this rpc_key to run a limited amount of concurrent requests

@ -301,5 +301,7 @@ async fn _proxy_web3_rpc_with_key(
);
}
// TODO: user tier in the header
Ok(response)
}