I am using Firebase to develop an app that uses Cloud Functions as a REST API internally. My question is, is there an easy way to implement per-IP/per-user rate-limiting similar to what slack uses, except on a per-IP and per-user basis, rather than per-app (since it's all one app). Optional support for small bursts is preferable as well.
Example code (see the // TODO: comments):
exports.myCoolFunction = functions.https.onRequest((req, res) => {
// TODO: implement IP rate-limiting here
unpackToken(req).then((token) => { // unpackToken resolves with a response similar to verifyIdToken based on the "Authorization" header contents
// TODO: implement user-based rate-limiting here (based on token.uid)
if (!req.body) return res.status(400).end();
if (typeof req.body.name !== "string") return res.status(400).end();
if (typeof req.body.user !== "string") return res.status(400).end();
// more input sanitization and function logic here
return res.status(501).end(); // fallback in all requests, do not remove
}).catch(() => res.status(403).end());
});
I want to terminate the request simply with a 529 Too Many Requests status code if the rate limit is exceeded. This is to prevent application errors from flooding the network and to prevent abuse of the REST API.
This should take into account Firebase spinning up/down server instances and having multiple instances running simultaneously.
I am also using a Firestore database and can use the legacy real-time database if necessary.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
