servant-rate-limit: Rate limiting for Servant

[ library, mit, security ] [ Propose Tags ] [ Report a vulnerability ]

A Haskell library which implements rate limiting for Servant


[Skip to Readme]

Flags

Manual Flags

NameDescriptionDefault
client

Enable servant-client support.

Enabled
server

Enable servant-server support.

Enabled

Use -f <flag> to enable a flag, or -f -<flag> to disable that flag. More info

Downloads

Maintainer's Corner

Package maintainers

For package maintainers and hackage trustees

Candidates

  • No Candidates
Versions [RSS] 0.1.0.0, 0.2.0.0
Change log CHANGELOG.md
Dependencies base (>=4.8 && <5), bytestring, http-types (<1), servant, servant-client, servant-server, time-units (>=1.0 && <2), time-units-types (>=0.2 && <1), wai (>=3.0 && <4), wai-rate-limit (>=0.3 && <1) [details]
License MIT
Copyright Copyright (c) Michael B. Gale
Author Michael B. Gale
Maintainer github@michael-gale.co.uk
Category Security
Home page https://github.com/mbg/wai-rate-limit#readme
Bug tracker https://github.com/mbg/wai-rate-limit/issues
Source repo head: git clone https://github.com/mbg/wai-rate-limit
Uploaded by mbg at 2022-03-30T16:12:27Z
Distributions LTSHaskell:0.2.0.0, Stackage:0.2.0.0
Reverse Dependencies 2 direct, 1 indirect [details]
Downloads 430 total (9 in the last 30 days)
Rating (no votes yet) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs available [build log]
Last success reported on 2022-03-30 [all 1 reports]

Readme for servant-rate-limit-0.2.0.0

[back to package description]

Rate limiting for Servant and as WAI middleware

MIT CI stackage-nightly

Package Version
wai-rate-limit Hackage
wai-rate-limit-redis Hackage
servant-rate-limit Hackage

This repository contains WAI middleware for rate limiting as well as a library which provides Servant combinators for including rate limiting strategies in API type specifications. The main library is wai-rate-limit which provides the WAI middleware as well as implementations of different rate limiting strategies. For use with Servant, the servant-rate-limit library provides the required combinators as well as type class instances.

To limit dependencies introduced by wai-rate-limit, storage backends are split up into their own packages:

  • A Redis backend is provided by wai-rate-limit-redis

To limit dependencies for servant-rate-limit, build flags control the inclusion of different Servant dependencies and modules. All flags are on by default, but can be toggled off:

  • servant-rate-limit:server is the flag that controls the inclusion of a dependency on servant-server and the Servant.RateLimit.Server module.
  • servant-rate-limit:client is the flag that controls the inclusion of a dependency on servant-client and the Servant.RateLimit.Client module.

Usage as Middleware

Sliding Window

The following example demonstrates how to use the middleware with a sliding window strategy and a Redis backend. The resulting middleware will limit requests to 50 requests per sliding window of 29 seconds based on keys derived from the client's IP address. In other words, if we receive a request, we check whether the limit of 50 has been exceed for the client based on their IP and if not, the request is allowed, the request count is increased, and the window is extended by 29 seconds. If the limit is exceeded, the client will always have to wait 29 seconds before making another request.

import qualified Data.ByteString.Char8 as C8

import Database.Redis as Redis

import Network.Wai.RateLimit
import Network.Wai.RateLimit.Strategy
import Network.Wai.RateLimit.Redis

middleware :: Redis.Connection -> Middleware
middleware conn = rateLimiting strategy
    where backend = redisBackend conn
          getKey = pure . C8.pack . show . remoteHost
          strategy = slidingWindow backend 29 50 getKey

The behaviour described above can be changed by altering the parameters to slidingWindow accordingly. In particular, for e.g. REST APIs, you may wish to use e.g. API keys or other user identifiers in place of IP addresses.

Fixed Window

The following example demonstrates how to use the middleware with a fixed window strategy and a Redis backend. The resulting middleware will limit requests to 50 requests per window of 29 seconds based on keys derived from the client's IP address.

import qualified Data.ByteString.Char8 as C8

import Database.Redis as Redis

import Network.Wai.RateLimit
import Network.Wai.RateLimit.Strategy
import Network.Wai.RateLimit.Redis

middleware :: Redis.Connection -> Middleware
middleware conn = rateLimiting strategy
    where backend = redisBackend conn
          getKey = pure . C8.pack . show . remoteHost
          strategy = fixedWindow backend 29 50 getKey

The behaviour described above can be changed by altering the parameters to fixedWindow accordingly. In particular, for e.g. REST APIs, you may wish to use e.g. API keys or other user identifiers in place of IP addresses.

Custom strategies

In addition to the provided strategies, you can implement your own Strategy values or customise existing ones. The Strategy type is currently defines as follows, so a custom strategy is essentially a function Request -> IO Bool which should return True if the request should proceed or False if it should be rejected:

-- | Represents rate limiting strategies.
data Strategy = MkStrategy {
    -- | 'strategyOnRequest' @request@ is a computation which determines
    -- whether the request should be allowed or not, based on the rate
    -- limiting strategy.
    strategyOnRequest :: Request -> IO Bool
}

Modifying existing strategies makes it relatively easy to e.g. selectively apply rate limiting to some paths:

import qualified Data.ByteString.Char8 as C8

import Database.Redis as Redis

import Network.Wai.RateLimit
import Network.Wai.RateLimit.Strategy
import Network.Wai.RateLimit.Redis

middleware :: Redis.Connection -> Middleware
middleware conn = rateLimiting strategy{ strategyOnRequest = customHandler }
    where backend = redisBackend conn
          getKey = pure . C8.pack . show . remoteHost
          strategy = fixedWindow backend 29 50 getKey
          customHandler req =
              if rawPathInfo req == "/index.html"
              then pure True -- always allow access to /index.html
              else strategyOnRequest strategy req

Usage with Servant

The Servant.RateLimit module exports types for describing rate-limiting strategies and policies at the type-level. Consider the following API type specification:

import Servant
import Servant.RateLimit

type TestAPI
    = RateLimit (FixedWindow 2 50) (IPAddressPolicy "fixed:") :>
      "fixed-window" :>
      Get '[JSON] String
 :<|> RateLimit (SlidingWindow 2 50) (IPAddressPolicy "sliding:") :>
      "sliding-window" :>
      Get '[JSON] String
 :<|> "unrestricted" :>
      Get '[JSON] String

We have three API endpoints:

  • /fixed-window to which we apply a fixed window strategy which ensures that no more than 50 requests are made in a 2 second window.
  • /sliding-window to which we apply a sliding window strategy which extends the window during which up to 50 requests may be made by 2 seconds every time there is a successful request.
  • /unrestricted to which no rate limiting strategy is applied.

For the two restricted endpoints, we use IPAddressPolicy to identify clients. This is a rate limiting policy which identifies client by their IP address. The string parameter is used to identify different scopes. I.e. the rate limits for each of the two endpoints are separate. This policy is OK for testing purposes, but for use in production you may wish to implement a more sophisticated policy which applies the rate limit based on identifiers that are available as a result of authentication. For example:

import qualified Data.Vault.Lazy as V

type UserId = ByteString -- for simplicity

{-# NOINLINE userKey #-}
userKey :: V.Key UserId
userKey = unsafePerformIO newKey

data MyPolicy

instance HasRateLimitPolicy MyPolicy where
    type RateLimitPolicyKey MyPolicy = ByteString

    policyGetIdentifier req =
        fromMaybe (error "expected to have a user id in the vault") $
        V.lookup userKey (vault req)