How to prevent automated requests to my Laravel/Lumen api?


Question

So, I intend to completely separate my back-end from my front-end. I am learning about Laravel/Lumen API and I intend to return my database data in JSON format to be used by my front-end developers.

I have read several similar threads on Stack Overflow and watched some YouTube videos. Most of them suggested that I should generate a token for "authorized" users. However, the problem is that my project does not have a login system. All of my users are guest users. So, I can't first authorize a person and then generate a token for them.

From what I have understood (which could be flawed), Laravel API follows a RESTful system. So, it is stateless and I can't use CSRF token to check if a request comes from a submitted form and it is not automated. So, what other options do I have?

The reason that I want to separate automated requests from requests coming from forms is that sometimes I have to do heavy processing on some requests and I don't want an automated script to send mass requests and causes a DOS attack.

Any help is appreciated.

Recommended answer

Rate limiting can help prevent automated scripts. Laravel has this implemented by default via the Throttle middleware. The default throttle is 60:1 (throttle:60,1), translating to throttling if 60 attempts are registered within 1 minute.

This middleware is applied to all routes; however, you can override this for individual routes and define custom values for the number of attempts and the time. The following example, adapted from the documentation, configures the route to throttle if there are 30 attempts within 1 minute:

// throttle:30,1 = at most 30 requests per 1 minute for each client
Route::middleware('auth:api', 'throttle:30,1')->group(function () {
    Route::get('/user', function () {
        //
    });
});

There are other configuration options, please do refer to the documentation for more information on that.

https://laravel.com/docs/7.x/routing#rate-limiting

How does Laravel check that a guest user has sent too many requests?

In very basic terms, Laravel keeps track of hits on a particular endpoint/domain by a particular IP in the application cache. The request domain and the IP are used as the cache key. Every time an endpoint is hit, the number of attempts, stored in the cache, is incremented. If the number of attempts reaches the maximum number of allowed attempts within the time window specified in the throttle config applied on the route, that IP will be locked out for a while.

Attempts are automatically cleared if there's no new hit in the time window.
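To make the mechanism described above concrete, here is an added, self-contained PHP reimplementation of the guest throttling logic. It is not Laravel's own code (the real pieces are Illuminate\Routing\Middleware\ThrottleRequests backed by Illuminate\Cache\RateLimiter); the ArrayCache class, the GuestThrottle class and the constructed IP addresses are assumptions standing in for the application cache store and real traffic. The cache key is derived the way Laravel does it for a guest: a hash of the route domain and the client IP, so every IP gets its own counter. It requires PHP 8.0 or later.

```php
<?php
// Illustrative reimplementation of Laravel's guest throttling (not Laravel's code).
// ArrayCache stands in for the application cache; entries expire after their TTL,
// which is what clears the attempts once the time window has elapsed.
final class ArrayCache
{
    private array $items = [];   // key => [value, expiresAt|null]

    public function get(string $key, $default = null)
    {
        if (!isset($this->items[$key])) {
            return $default;
        }
        [$value, $expiresAt] = $this->items[$key];
        if ($expiresAt !== null && $expiresAt <= time()) {
            unset($this->items[$key]);   // window elapsed: the entry disappears
            return $default;
        }
        return $value;
    }

    public function put(string $key, $value, ?int $ttlSeconds): void
    {
        $this->items[$key] = [$value, $ttlSeconds === null ? null : time() + $ttlSeconds];
    }

    public function has(string $key): bool
    {
        return $this->get($key) !== null;
    }
}

final class GuestThrottle
{
    public function __construct(private ArrayCache $cache) {}

    // Signature Laravel derives for a guest request: sha1(domain|ip).
    public static function keyFor(?string $domain, string $ip): string
    {
        return sha1($domain . '|' . $ip);
    }

    // Returns a pseudo response: HTTP status plus the main rate-limit headers Laravel sets.
    public function handle(?string $domain, string $ip, int $maxAttempts, int $decayMinutes): array
    {
        $key = self::keyFor($domain, $ip);
        $decaySeconds = $decayMinutes * 60;

        // Lock-out: attempts reached the maximum and the window timer is still running.
        if ($this->cache->get($key, 0) >= $maxAttempts && $this->cache->has($key . ':timer')) {
            $retryAfter = max(0, $this->cache->get($key . ':timer') - time());
            return [
                'status'  => 429,
                'headers' => [
                    'X-RateLimit-Limit'     => $maxAttempts,
                    'X-RateLimit-Remaining' => 0,
                    'Retry-After'           => $retryAfter,
                ],
            ];
        }

        // Record the hit: the first hit in a window starts the timer, every hit increments.
        if (!$this->cache->has($key . ':timer')) {
            $this->cache->put($key . ':timer', time() + $decaySeconds, $decaySeconds);
            $this->cache->put($key, 0, $decaySeconds);
        }
        $hits = $this->cache->get($key, 0) + 1;
        $this->cache->put($key, $hits, max(1, $this->cache->get($key . ':timer') - time()));

        return [
            'status'  => 200,
            'headers' => [
                'X-RateLimit-Limit'     => $maxAttempts,
                'X-RateLimit-Remaining' => max(0, $maxAttempts - $hits),
            ],
        ];
    }
}

// Demo with constructed traffic: one guest IP hitting a throttle:3,1 route five times.
$throttle = new GuestThrottle(new ArrayCache());
foreach (range(1, 5) as $i) {
    $r = $throttle->handle(null, '203.0.113.10', 3, 1);
    printf("request %d -> %d, remaining %d\n", $i, $r['status'], $r['headers']['X-RateLimit-Remaining']);
}
// A second IP is keyed separately and is not affected by the first one's lock-out.
$other = $throttle->handle(null, '203.0.113.11', 3, 1);
printf("other ip -> %d\n", $other['status']);
```

The fourth and fifth requests from the first IP receive a 429 with a Retry-After header, while the second IP is served normally because its cache key differs. One caveat worth keeping in mind when relying on this for guest traffic: the counter is per source IP, so many clients behind one NAT or proxy share a bucket, and a script spread across many addresses gets a fresh bucket per address; pairing the throttle with a cheap per-request cost for the heavy endpoints (queueing the work, caching results) is what keeps the expensive path from being the bottleneck.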
