Rate limiting an API with a special exception


Question

I have a webapp that consumes a REST API. I'd like to share the API with the wider world, but before doing so, I need to add rate limiting to prevent abuse / high load from buggy clients. I'd like to make an exception for my own webapp so it has a higher limit.

Is there a reasonable way to do this? I'm not looking for a 100% bulletproof solution, but maybe something that just makes the API a little more difficult to exploit.

Bear in mind that the webapp is publicly exposed, so I can't just rely on rate limiting by API token, since someone could just use the same token.

Answer

Since a webapp cannot hide anything from its users, I don't think there is a way to ensure that the application talking to your API is yours.

Everything you can do is security through obscurity, which is by definition insecure.

EDIT

I would have a solution, still not secure, but that would be an idea.

The first thing is to have two authentication systems.

  1. Third-party authentication (API token)
  2. Web app authentication (API token + web token)

Then it's a bit like your idea. You generate a token for each HTTP session. The difference would be that the web app (calls authenticated as such) would have a lower limit (e.g. 10k for third parties and 1k for the web app). The reason why you should decrease the number of calls authorized is that a single HTTP session (1 person behind it) should generate fewer API calls than a third-party app. Is that your case?

Of course the third-party application could easily authenticate itself as a web app, but then it would have to renew its session more quickly, so you can monitor the number of sessions per IP. Just be aware that universities and companies are often a lot of people behind a single IP.
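To make the two-tier scheme in the answer concrete, here is an added example of a rate limiter in Python. It is not the answerer's code or any library's API; it assumes (none of which the answer specifies) a fixed one-hour window, a limit of 10k calls per API token for third parties, a limit of 1k calls per web session token for calls that authenticate as the web app, and a cap on live web sessions per client IP that serves as the "sessions per IP" monitoring the answer suggests. The session cap is the knob you would loosen for networks where many users sit behind one address.

```python
"""Two-tier API rate limiter (added example, not from the original post).

Tier 1: third-party callers present only an API token and get THIRD_PARTY_LIMIT
        calls per window, counted per token.
Tier 2: the web app presents the API token plus a per-HTTP-session web token and
        gets the smaller WEB_SESSION_LIMIT per session. A caller that tries to
        exhaust the API through this tier has to keep opening new sessions, which
        is what the per-IP session count is there to detect.
All limits and the window length are assumptions made for this example.
"""
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 3600          # assumed fixed window; a sliding window would also work
THIRD_PARTY_LIMIT = 10_000     # "10k for 3rd party" from the answer
WEB_SESSION_LIMIT = 1_000      # "1k for web app" from the answer
MAX_SESSIONS_PER_IP = 50       # assumed cap on live web sessions per client IP


@dataclass
class Counter:
    """Fixed-window call counter for one rate-limit key."""
    window_start: float
    count: int = 0


class RateLimiter:
    def __init__(self, api_tokens, clock=time.time):
        self.api_tokens = set(api_tokens)       # tokens issued to registered callers
        self.clock = clock                      # injectable for deterministic tests
        self.counters = {}                      # (tier, id) -> Counter
        self.sessions = {}                      # web token -> (api_token, ip, created_at)
        self.sessions_by_ip = defaultdict(set)  # ip -> {web tokens}

    def _hit(self, key, limit):
        """Count one call against key; return False once the window's limit is reached."""
        now = self.clock()
        c = self.counters.get(key)
        if c is None or now - c.window_start >= WINDOW_SECONDS:
            c = Counter(window_start=now)       # start a fresh window
            self.counters[key] = c
        if c.count >= limit:
            return False
        c.count += 1
        return True

    def _expire_sessions(self, ip):
        """Drop web sessions from ip that are older than one window."""
        now = self.clock()
        for tok in list(self.sessions_by_ip[ip]):
            _, _, created = self.sessions[tok]
            if now - created >= WINDOW_SECONDS:
                del self.sessions[tok]
                self.sessions_by_ip[ip].discard(tok)

    def open_web_session(self, api_token, ip):
        """Mint a web token for one HTTP session, enforcing the per-IP session cap."""
        if api_token not in self.api_tokens:
            raise PermissionError("unknown API token")
        self._expire_sessions(ip)
        if len(self.sessions_by_ip[ip]) >= MAX_SESSIONS_PER_IP:
            raise PermissionError("too many live sessions from this IP")
        web_token = secrets.token_urlsafe(32)   # unguessable, one per HTTP session
        self.sessions[web_token] = (api_token, ip, self.clock())
        self.sessions_by_ip[ip].add(web_token)
        return web_token

    def allow(self, api_token, ip, web_token=None):
        """Decide one API call. With no web token the caller is treated as third party."""
        if api_token not in self.api_tokens:
            return False
        if web_token is None:
            return self._hit(("api", api_token), THIRD_PARTY_LIMIT)
        session = self.sessions.get(web_token)
        if session is None or session[0] != api_token:
            return False                        # unknown session or token mismatch
        if self.clock() - session[2] >= WINDOW_SECONDS:
            self._expire_sessions(ip)
            return False                        # stale session must be renewed
        return self._hit(("web", web_token), WEB_SESSION_LIMIT)

    def sessions_for_ip(self, ip):
        """Live session count for ip; the value to alert on when it climbs unusually."""
        self._expire_sessions(ip)
        return len(self.sessions_by_ip[ip])


if __name__ == "__main__":
    limiter = RateLimiter(["demo-api-token"])   # constructed sample token
    web = limiter.open_web_session("demo-api-token", "203.0.113.5")
    print("third party call:", limiter.allow("demo-api-token", "203.0.113.5"))
    print("web app call:", limiter.allow("demo-api-token", "203.0.113.5", web))
    print("sessions from IP:", limiter.sessions_for_ip("203.0.113.5"))
```

The interesting property is the one the answer relies on: exhausting a web session's 1k calls forces a new session, so an abuser routing through the web tier shows up as a fast-growing `sessions_for_ip` count rather than as a large per-token count. In a real deployment the counters and session table would live in a shared store such as Redis rather than in process memory.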

