apply
rate limitpattern to CAP nodejs application
package.json
{
"cds": {
"plugins": ["cds-rate-limit"]
}
}cds definition
using {cuid, managed} from '@sap/cds/common';
@path : '/sample3'
service Sample3Service {
// define rate limit for entity CRUD events and actions
// accepts 1000 requests in 120 seconds
// other requests will be rejected by HTTP 429 status
@cds.rate.limit : {
duration : 120,
points : 1000,
}
entity People : cuid, managed {
Name : String(255);
Age : Integer;
}
// share global quota
entity Other: cuid, managed {
Name : String(255);
}
}Retry-After- reset after seconds laterX-RateLimit-Reset- reset timestamp (unix timestamp)X-RateLimit-Limit- total quota for each windowX-RateLimit-Remaining- remaining quota for current window
the
RateLimiterconfiguration will apply restriction by order, if you do not annotate@cds.rate.limiton entity/action/function level, it will share the quota of the globalRateLimiter
- Event/Action/Function
- Entity
- Service
- Global
keyParts: use to generated the keyremote_ip- req._.req.ip - please ref express document to setuptrust proxyuser_id- ctx.user.idtenant- ctx.tenant
points: quota for each key (user, ip, tenant or combined)duration: quota for each key in duration (reset duration for quota)
if there is no annotation on CDS Service/Entity/Action/Function, it will use the global configuration
{
impl: "memory", // use in-memory
keyParts: ["tenant"], // generate key from tenant
keyPrefix: GLOBAL_RATE_LIMITER_PREFIX, // default prefix
duration: 60, // 60 seconds
points: 200 * 60, // 200 requests per seconds
// for anonymous requests (without authorization header)
anonymous: {
// per seconds per remote ip allow 1000 requests
keyPrefix: GLOBAL_ANONYMOUS_RATE_LIMITER_PREFIX,
duration: 10,
points: 10 * 100,
},
}configuration global default configuration, each user could call API 6000 times in 1 minute duration
{
"cds": {
"plugins": ["cds-rate-limit"],
"config": {
"rateLimit": {
"impl": "memory",
"duration": 60,
"points": 6000,
"keyParts": ["user_id"]
}
}
}
}each user in each tenant could use the API 300 times in 5 seconds duration
{
"cds": {
"plugins": [
"cds-rate-limit"
],
"config": {
"rateLimit": {
"impl": "redis",
"duration": 5,
"points": 300,
"keyParts": ["tenant", "user_id"],
"redisOptions": {
"enableOfflineQueue": false
}
}
}
}
}- for redis connection options, please check ioredis document or RedisOptions type
- Global Rate Limit
- Event Rate Limit
- Inner event ignore
- Anonymous Request Rate Limit
- Custom key
- Global Env Configuration
- Redis store
- Dynamic quota configuration
- Sampling store to reduce remote store network consumption
- How to process anonymous requests
- Documents for microservice
- Performance