Rate limiting DDP

I am working on an application that allows for the “public” to view a certain personal confirmation. This should be requested through a unique ID: http://localhost:3000/confirmations/9qqFkxHW5aK7xnyTZ

For now the 9qqFkxHW5aK7xnyTZ is actually the _id of a document in the collection “confirmations”. I created a ValidatedMethod that uses this id from the route, fetches the related document and returns it from the call:

// Client-side call of the ValidatedMethod with the id taken from the route
getConfirmation.call(
  {
    confId: confId,
  },
  (err, res) => {
    if (err) {
      console.log(err);
    } else {
      console.log(res);
    }
  }
);

It all works as expected; however, for the sake of security I would like to limit the requests with the ddp-rate-limiter-mixin (GitHub: nlhuykhang/ddp-rate-limiter-mixin, a mixin for mdg:validated-method to add rate limitation support to Meteor's methods).

Unfortunately it does not limit the requests, but I also read that this is only possible for logged-in users (which is of course not the case here). Are there any other possibilities to limit the requests for such “public” data?

Thank you

1 Like

I suggest to use the built-in DDPRateLimiter.

3 Likes
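One way to write such a rule for callers that are not logged in, as an added example that is not part of the original thread: the matcher has no userId key and counts per client address. The method name, the limit of 5 calls per 10 seconds and the sample traffic are assumptions, and the small simulation is a simplified model of the counting, not Meteor's own code.

```javascript
// Added example: method name, limits and sample callers are assumptions.
const METHOD_NAME = 'getConfirmation'; // assumed registered name of the ValidatedMethod
const MAX_CALLS = 5;                   // assumed limit: 5 calls ...
const INTERVAL_MS = 10000;             // ... per 10 seconds

// Matcher in the shape DDPRateLimiter.addRule() expects. There is no userId key,
// so anonymous callers match too; the function matcher on clientAddress accepts
// every address, which keeps a separate counter per address.
const confirmationRule = {
  type: 'method',
  name: METHOD_NAME,
  clientAddress: () => true,
};

// On a Meteor server the Package global exists; register the rule there.
if (typeof Package !== 'undefined' && Package['ddp-rate-limiter']) {
  Package['ddp-rate-limiter'].DDPRateLimiter.addRule(confirmationRule, MAX_CALLS, INTERVAL_MS);
}

// Simplified offline model of fixed-window counting (not Meteor's implementation),
// used only to show which calls the rule above would reject.
function matches(rule, call) {
  return Object.keys(rule).every((key) =>
    typeof rule[key] === 'function' ? rule[key](call[key]) : rule[key] === call[key]);
}

function simulate(rule, limit, intervalMs, calls) {
  const windows = new Map(); // clientAddress -> { start, count }
  return calls.map((call) => {
    if (!matches(rule, call)) return true; // rule does not apply to this call
    const w = windows.get(call.clientAddress);
    if (!w || call.at - w.start >= intervalMs) {
      windows.set(call.clientAddress, { start: call.at, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= limit; // false means the call would be rejected
  });
}

// Constructed sample traffic: one anonymous client bursting 7 calls, then a second client.
const burst = Array.from({ length: 7 }, (_, i) => ({
  type: 'method', name: METHOD_NAME, userId: null, clientAddress: '203.0.113.7', at: i * 100,
}));
const other = { ...burst[0], clientAddress: '198.51.100.4', at: 650 };
```

If the server runs behind a reverse proxy, clientAddress is only the real client's address when HTTP_FORWARDED_COUNT is set correctly; otherwise all callers share one counter.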

I am always impressed by the little helps: Thanks, that is what I was looking for! - It should also be linked within the security article of the documentation.

3 Likes

@masc123 you can always find implementation of security in Meteor open source projects like Vulcan, Rocket.Chat, Reaction-Admin

2 Likes