bvtterfly / sliding-window-rate-limiter
a sliding window rate limiter for laravel
Requires
- php: ^8.0
- illuminate/contracts: ^9.0
- spatie/laravel-package-tools: ^1.9.2
Requires (Dev)
- nunomaduro/collision: ^6.0
- nunomaduro/larastan: ^2.0.1
- orchestra/testbench: ^7.0
- pestphp/pest: ^1.21
- pestphp/pest-plugin-laravel: ^1.1
- phpstan/extension-installer: ^1.1
- phpstan/phpstan-deprecation-rules: ^1.0
- phpstan/phpstan-phpunit: ^1.0
- phpunit/phpunit: ^9.5
- predis/predis: ^1.1
Suggests
- ext-redis: Required to use the Redis PHP driver.
- predis/predis: Required when not using the Redis PHP driver (^1.1).
This package is auto-updated.
Last update: 2024-03-05 14:48:31 UTC
README
🚨 THIS PACKAGE HAS BEEN ABANDONED 🚨
I no longer use Laravel and cannot justify the time needed to maintain this package. That's why I have chosen to abandon it. Feel free to fork my code and maintain your own copy.
Laravel Sliding Window Rate Limiter
This package provides an easy way to limit any action during a specified time window. You may be familiar with Laravel's Rate Limiter, It has a similar API, but it uses the Sliding Window algorithm and requires Redis.
Installation
You can install the package via composer:
composer require bvtterfly/sliding-window-rate-limiter
You can publish the config file with:
php artisan vendor:publish --tag="sliding-window-rate-limiter-config"
This is the contents of the published config file:
return [ 'use' => 'default', ];
The package relies on Redis and requires a Redis connection, and you choose which Redis connection to use.
Usage
The Bvtterfly\SlidingWindowRateLimiter\Facades\SlidingWindowRateLimiter
facade may be used to interact with the rate limiter.
The simplest method offered by the rate limiter is the attempt
method, which rate limits an action for a given number of seconds.
The attempt
method returns a result object that specifies if an attempt was successful and how many attempts remain. If the attempt is unsuccessful, you can get the number of seconds until the action is available again.
use Bvtterfly\SlidingWindowRateLimiter\Facades\SlidingWindowRateLimiter; $result = SlidingWindowRateLimiter::attempt( 'send-message:'.$user->id, $maxAttempts = 5, $decayInSeconds = 60 ); if ($result->successful()) { // attempt is successful, do awesome thing... } else { // attempt is failed, you can get when you can retry again // use $result->retryAfter for getting the number of seconds until the action is available again // or use $result->availableAt() for getting UNIX timestamp instead. }
You can call the following methods on the SlidingWindowRateLimiter
:
tooManyAttempts
/** * Determine if the given key has been "accessed" too many times. * * @param string $key * @param int $maxAttempts * @param int $decay * * @return bool */ public function tooManyAttempts(string $key, int $maxAttempts, int $decay = 60): bool
attempts
/** * Get the number of attempts for the given key for decay time in seconds. * * @param string $key * @param int $decay * * @return int */ public function attempts(string $key, int $decay = 60): int
resetAttempts
/** * Reset the number of attempts for the given key. * * @param string $key * * @return mixed */ public function resetAttempts(string $key): mixed
remaining
/** * Get the number of retries left for the given key. * * @param string $key * @param int $maxAttempts * @param int $decay * * @return int */ public function remaining(string $key, int $maxAttempts, int $decay = 60): int
clear
/** * Clear the number of attempts for the given key. * * @param string $key * * @return void */ public function clear(string $key)
availableIn
/** * Get the number of seconds until the "key" is accessible again. * * @param string $key * @param int $maxAttempts * @param int $decay * * @return int */ public function availableIn(string $key, int $maxAttempts, int $decay = 60): int
retriesLeft
/** * Get the number of retries left for the given key. * * @param string $key * @param int $maxAttempts * @param int $decay * * @return int */ public function retriesLeft(string $key, int $maxAttempts, int $decay = 60): int
Route Rate Limiting
This package comes with a throttle
middleware for Route Rate Limiting. It can replace the default Laravel's throttle
middleware to use this package rate limiter. The only difference is it tries to get a named rate limiter from the SlidingWindowRateLimiter
or, as a fallback, it will take them from Laravel RateLimiter.
You may wish to change the mapping of throttle
middleware in your application's HTTP kernel(App\Http\Kernel
) to use \Bvtterfly\SlidingWindowRateLimiter\Http\Middleware\ThrottleRequests
class.
Rate Limiters must be configured for route rate-limiting to work. Laravel Rate Limiter comes with a RateLimiting class(Illuminate\Cache\RateLimiting\Limit
) that works in a minutes-based system. But This package is designed to allow rate limit actions in a seconds-based system, so it comes with its rate limiters classes and lets you configure rate limiters for less than a minute. Still, for ease of usage of this package, It supports default Laravel's Rate Limiters.
Defining Rate Limiters
SlidingWindowRateLimiter
rate limiters are heavily based on Laravel's rate limiters. It only differs in the fact that it is seconds-based. So, before getting started, be sure to read about them on Laravel docs.
Limit configurations are instances of the Bvtterfly\SlidingWindowRateLimiter\RateLimiting\Limit
class, and It contains helpful "builder" methods to define your rate limits quickly. The rate limiter name may be any string you wish.
For limiting to 500 requests in 45 seconds:
use Bvtterfly\SlidingWindowRateLimiter\RateLimiting\Limit; use Bvtterfly\SlidingWindowRateLimiter\Facades\SlidingWindowRateLimiter; /** * Configure the rate limiters for the application. * * @return void */ protected function configureRateLimiting() { SlidingWindowRateLimiter::for('global', function (Request $request) { return Limit::perSeconds(45, 500); }); }
If the incoming request exceeds the specified rate limit, a response with a 429 HTTP status code will automatically be returned by Laravel. If you would like to define your response that a rate limit should return, you may use the response
method:
SlidingWindowRateLimiter::for('global', function (Request $request) { return Limit::perSeconds(45, 500)->response(function () { return response('Custom response...', 429); }); });
You can have multiple rate limits. This configuration will limit only 100 requests per 30 seconds and 1000 requests per day:
SlidingWindowRateLimiter::for('global', function (Request $request) { return [ Limit::perSeconds(30, 100), Limit::perDay(1000) ]; });
Incoming HTTP request instances are passed to rate limiter callbacks, and the rate limit may be calculated dynamically depending on the user or request:
SlidingWindowRateLimiter::for('uploads', function (Request $request) { return $request->user()->vipCustomer() ? Limit::none() : Limit::perMinute(100); });
There may be times when you wish to segment rate limits by some arbitrary value. For example, you may want to allow users to access a given route with 100 requests per minute per authenticated user ID and 10 requests per minute per IP address for guests. Using the by
a method, you can create your rate limit as follows:
SlidingWindowRateLimiter::for('uploads', function (Request $request) { return $request->user() ? Limit::perMinute(100)->by($request->user()->id) : Limit::perMinute(10)->by($request->ip()); });
Attaching Rate Limiters To Routes
Rate limiters can be attached to routes or route groups using the throttle
middleware. The throttle
middleware accepts the name of the rate limiter you wish to assign to the route:
Route::middleware(['throttle:media'])->group(function () { Route::post('/audio', function () { // })->middleware('throttle:uploads'); Route::post('/video', function () { // })->middleware('throttle:uploads'); });
Testing
composer test
Changelog
Please see CHANGELOG for more information on what has changed recently.
Security Vulnerabilities
Please review our security policy on how to report security vulnerabilities.
Credits
License
The MIT License (MIT). Please see License File for more information.