How to make DDPRateLimiter work with allow/deny methods


#1

Hi, I was looking for rate limiter documentation, but it is very poor. For example I have a collection with allow/deny rules, and want to limit on insert method and don’t really know how. I tried something like this:

var insertPostRule = {
type: 'method',
method: 'Posts.insert'
}

// Add the rule, allowing up to 1 post every 5 seconds.
DDPRateLimiter.addRule(insertPostRule, 1, 5000);

However it doesn't work. I am also interested if it's possible to create some global rule per user connection (I use sikka for it now). I found this ticket: https://github.com/meteor/meteor/issues/6087 about improving DDPRateLimiter docs and @stubailo said there that it's possible, however docs are still lacking on this. Anyone have some hints/examples on how to use DDPRateLimiter?


#2

So no one uses DDPRateLimiter? How do you protect your methods then? This is an important feature with poor documentation, but it's already been available for quite some time. Someone must have figured it out, even for advanced use cases, no?


#3

You are trying to solve the wrong problem.

DDPRateLimiter is intended for use against automated flood/security attacks,
such as an attack on a password or abuse of server-side calculations.

It doesn't really matter if a malicious user adds 500 posts or 5000, it's still bad. So when you think about security, you would rather check a timestamp in the user profile defining his last post attempt, or instead totally ignore such attempts for a trusted user. This approach would give you much more flexibility than a static, 'heartless limit'.


#4

That's what I want to solve (including spamming manually). I would be fine with this solution for now. It just doesn't work. I don't know how to use it with allow/deny insert as an example, and the documentation is not very clear. I thought that it is used by everyone, as it is an important part of application security.
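An added example for the questions in #1 and #4, not code from the thread or from Meteor itself: it assumes the Posts collection was created as `new Mongo.Collection('posts')` and that the per-connection budget of 200 calls per 10 seconds is an invented number. Allow/deny writes reach the server as DDP methods named `/posts/insert`, and the matcher key is `name`, so a rule with a `method` key never matches anything.

```javascript
// DDPRateLimiter rules for allow/deny collection writes plus a global
// per-connection rule. The rule builders are plain functions so they can be
// checked outside Meteor; registration only runs where DDPRateLimiter exists.

// Allow/deny writes arrive as the method "/<collection name>/<op>", where the
// collection name is the string given to new Mongo.Collection(...).
const COLLECTION_OPS = ['insert', 'update', 'remove'];

function collectionMethodName(collectionName, op) {
  if (!COLLECTION_OPS.includes(op)) throw new Error('unknown op: ' + op);
  return '/' + collectionName + '/' + op;
}

// Matcher for one collection write. DDPRateLimiter keeps one counter per
// unique combination of the matcher's field values, so without `userId`
// (or `connectionId`) a 1-per-5s rule would throttle ALL clients together.
// Logged-out clients share userId null; use connectionId if that matters.
function collectionWriteRule(collectionName, op) {
  return {
    type: 'method',
    name: collectionMethodName(collectionName, op),
    userId: () => true, // match every user, counted per userId value
  };
}

// Global rule: no `name`, so every method call counts toward one counter per
// DDP connection (the per-connection limit asked about in #1).
function perConnectionRule() {
  return { type: 'method', connectionId: () => true };
}

function registerRules(rateLimiter, collectionName) {
  const ruleIds = [];
  for (const op of COLLECTION_OPS) {
    // 1 write every 5 seconds per user for each op, as in the thread's rule
    ruleIds.push(rateLimiter.addRule(collectionWriteRule(collectionName, op), 1, 5000));
  }
  // Assumed budget: 200 method calls per connection in any 10-second window.
  ruleIds.push(rateLimiter.addRule(perConnectionRule(), 200, 10000));
  return ruleIds; // clients over a limit get a 'too-many-requests' Meteor.Error
}

// Only the Meteor server defines DDPRateLimiter; elsewhere this is a no-op.
if (typeof DDPRateLimiter !== 'undefined') {
  registerRules(DDPRateLimiter, 'posts');
}
```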