Confusions about DDPRateLimiter rules

The DDPRateLimiter package is a very powerful rate limiter that provides protection from DDoS-like attacks and security against brute-force attacks, and also adds processing limitations to features. It is very flexible, but just like many things, this flexibility can result in complexities.

Since the documentation is not explicit about a number of things on rule creation, can someone help confirm whether the expected behavior of the rules is correct as stated below? For reference, here is the documentation for the addRule() function: Methods | Meteor API Docs

Global limits rule

const matcherRule = {
  type: 'method',
  name: 'resourceIntensiveProcess'
};

I believe this is where most of the confusion starts. When done like this, the rule is applied to ALL calls of the method. This means that all clients share the limits. So a client can be limited even the first time it calls the method.

Per registered user rule

const loginRule = {
  userId(userId) {
    const user = Meteor.users.findOne(userId);
    return user && user.type !== 'admin';
  },

  type: 'method',
  name: 'login'
};

This is the example in the documentation. This means that the limit applies per registered user and only for registered users. There are NO limits for unregistered users.

Per connection rule

const connectionRule = {
  type: 'method',
  name: 'perConnectionProcess',
  connectionId() { return true; }
};

This means that the limit only applies to each unique connection. If the client refreshes and a reconnection happens, the limit is also refreshed.

Per IP Address

const ipRule = {
  type: 'method',
  name: 'perIPProcess',
  clientAddress() { return true; } // matches every address, so the count is kept per address
};

This implements a limit per IP address. It can be used to temporarily add a limit to specific IP addresses when needed, e.g. when hitting initial limits, so that other processing will not be affected.

No limits

const noLimitRule = {
  type: 'method',
  name: 'perIPProcess',
  clientAddress() { return false; } // never matches any address
};

I would also just like to confirm that returning false on any of the expected keys will result in the matcher not matching and therefore in no limits. Is this correct?

I hope someone who knows this better can confirm the functionalities of the DDPRateLimiter.

Referring to the following README file.
https://github.com/meteor/meteor/blob/master/packages/rate-limit/README.md

It appears to me that your “No limit” rule will keep count of the total number of method calls for the “perIPProcess” method. And it will be only cleared when the intervalTime is passed.

The default intervalTime is 1000ms, and the default numRequests allowed per time interval is 10.
So in your case the rate limiter will prevent more than 10 calls in total to the perIPProcess method.

Default values.
https://github.com/meteor/meteor/blob/master/packages/ddp-rate-limiter/ddp-rate-limiter.js#L67

[Update] Reading the readme file you posted, it says

A rule is only said to apply to a given input if every key in the matcher matches to the input values.

Therefore, if the return value is false on one of the keys, then there is NO match. The rule is not matched at all, instead of being treated as if that particular key did not exist.

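The following is an added example, not Meteor's code and not code from either post above. It is a small stand-alone model of the matcher and counter semantics the rate-limit README documents (a rule applies only if every matcher key matches the input, and counts are kept per combination of matched input values), written so that the five rule shapes from the first post and the conclusion in the reply's update can be checked in plain Node without a Meteor app. The limits, IP addresses, connection ids and the user table standing in for Meteor.users are constructed for illustration, and the class is a simplified model rather than the real DDPRateLimiter.

```javascript
// Added example, NOT Meteor's code: a minimal model of the rate-limit package's documented
// matcher and counter semantics, used to check the rule shapes discussed in the thread.
// Limits, addresses, connection ids and the user table are constructed for illustration.

const DEFAULT_NUM_REQUESTS = 10;  // documented ddp-rate-limiter default
const DEFAULT_INTERVAL_MS = 1000; // documented ddp-rate-limiter default

class ModelRateLimiter {
  constructor(now = () => Date.now()) {
    this.rules = [];
    this.now = now; // injectable clock so interval expiry can be shown deterministically
  }

  addRule(matchers, numRequests = DEFAULT_NUM_REQUESTS, intervalTime = DEFAULT_INTERVAL_MS) {
    this.rules.push({ matchers, numRequests, intervalTime, buckets: new Map() });
  }

  // Every matcher key must match: a literal must be strictly equal, a function must
  // return a truthy value. One key returning false means the whole rule does not apply.
  static ruleMatches(rule, input) {
    return Object.entries(rule.matchers).every(([key, matcher]) => {
      if (input[key] === undefined) return false;
      return typeof matcher === 'function' ? Boolean(matcher(input[key])) : matcher === input[key];
    });
  }

  // Counters are keyed by the input values of the matcher keys only: a rule naming just
  // type+name has ONE bucket shared by every caller; adding clientAddress/connectionId/userId splits it.
  static bucketKey(rule, input) {
    return Object.keys(rule.matchers).map(k => `${k}=${input[k]}`).join('|');
  }

  // Returns true if the call is allowed; counts it against every rule that applies.
  check(input) {
    const now = this.now();
    let allowed = true;
    for (const rule of this.rules) {
      if (!ModelRateLimiter.ruleMatches(rule, input)) continue;
      const key = ModelRateLimiter.bucketKey(rule, input);
      let bucket = rule.buckets.get(key);
      if (!bucket || now - bucket.start >= rule.intervalTime) {
        bucket = { start: now, count: 0 }; // first call, or window expired: fresh count
        rule.buckets.set(key, bucket);
      }
      bucket.count += 1;
      if (bucket.count > rule.numRequests) allowed = false;
    }
    return allowed;
  }
}

// The rule shapes from the thread, run against constructed DDP call inputs (the same fields
// ddp-rate-limiter passes to matchers: type, name, userId, connectionId, clientAddress).
function runScenarios() {
  const clock = { t: 0 };
  const limiter = new ModelRateLimiter(() => clock.t);
  const LIMIT = 2; // small limit so each effect is visible within a few calls
  const users = new Map([['u1', { type: 'user' }], ['adm1', { type: 'admin' }]]); // stand-in for Meteor.users

  limiter.addRule({ type: 'method', name: 'resourceIntensiveProcess' }, LIMIT, 1000);
  limiter.addRule({ type: 'method', name: 'perIPProcess', clientAddress() { return true; } }, LIMIT, 1000);
  limiter.addRule({ type: 'method', name: 'perConnectionProcess', connectionId() { return true; } }, LIMIT, 1000);
  limiter.addRule({ type: 'method', name: 'login',
    userId(id) { const u = users.get(id); return Boolean(u && u.type !== 'admin'); } }, LIMIT, 1000);
  limiter.addRule({ type: 'method', name: 'unlimitedProcess', clientAddress() { return false; } }); // never applies

  const call = (name, clientAddress, connectionId, userId = null) =>
    limiter.check({ type: 'method', name, userId, clientAddress, connectionId });
  const burst = (n, fn) => Array.from({ length: n }, fn).filter(Boolean).length;
  const out = {};

  // Global rule: client A exhausts the shared bucket, so client B is blocked on its FIRST call...
  burst(LIMIT, () => call('resourceIntensiveProcess', '10.0.0.1', 'connA'));
  out.globalBlocksOtherClientsFirstCall = !call('resourceIntensiveProcess', '10.0.0.2', 'connB');
  clock.t += 1000; // ...until intervalTime has passed and the bucket is cleared.
  out.globalResetsAfterInterval = call('resourceIntensiveProcess', '10.0.0.2', 'connB');

  // Per-IP rule: A's exhaustion does not touch B's bucket; a new connection from A is still blocked.
  burst(LIMIT, () => call('perIPProcess', '10.0.0.1', 'connA'));
  out.perIPBlocksSameAddressNewConnection = !call('perIPProcess', '10.0.0.1', 'connA2');
  out.perIPAllowsOtherAddress = call('perIPProcess', '10.0.0.2', 'connB');

  // Per-connection rule: a reconnect (new connectionId, same address) starts with a fresh bucket.
  burst(LIMIT, () => call('perConnectionProcess', '10.0.0.1', 'conn1'));
  out.perConnectionBlocksSameConnection = !call('perConnectionProcess', '10.0.0.1', 'conn1');
  out.perConnectionAllowsAfterReconnect = call('perConnectionProcess', '10.0.0.1', 'conn2');

  // Per-user login rule: counted per registered non-admin user; anonymous (userId null) and admins never match.
  burst(LIMIT, () => call('login', '10.0.0.1', 'conn1', 'u1'));
  out.loginBlocksRegisteredUser = !call('login', '10.0.0.1', 'conn1', 'u1');
  out.loginAnonymousAllowedCount = burst(LIMIT + 3, () => call('login', '10.0.0.1', 'conn1', null));
  out.loginAdminAllowedCount = burst(LIMIT + 3, () => call('login', '10.0.0.1', 'conn1', 'adm1'));

  // Matcher returning false: the rule never applies, so the method is never limited at all.
  out.falseMatcherAllowedCount = burst(25, () => call('unlimitedProcess', '10.0.0.1', 'conn1'));
  return out;
}
```

The point to take from `bucketKey` is that the matcher keys decide both whether a rule applies and how its count is partitioned, which is why the `type` + `name` only rule limits every client together while the `clientAddress() { return true; }` rule limits each address separately, and why a matcher function that returns false removes the rule entirely rather than falling back to a global count.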