Ep34 - How do Throttle and Rate limiting Protect You | Laravel API Server

Captions
Hey there, Sam here. In the first few episodes of this series we briefly talked about the throttle middleware, but what is it anyway? In short, throttle means to strangle someone. In web development... now actually, I'm just kidding. What it actually means is to limit the number of requests that are allowed in a certain period of time. For example, most web servers will only allow 60 API requests from the same user per minute. The reason is because if we allow unlimited requests to come into our web server, we'll get some malicious user who will send in a million requests per minute in an attempt to bring down our web server. The idea is to overwhelm our app with API requests so that our app will crash, or just to hijack our app so that it won't serve the other users. This is known as a denial of service attack, or DoS for short.

Luckily for us, Laravel has a built-in middleware called throttle that will give us basic protection against this attack, and it is extremely easy to set this up. What we need to do is to go to our HTTP Kernel class and load the throttle middleware inside the api middleware group, which is already set for us out of the box. The throttle middleware is really a mapping to the ThrottleRequests middleware class, as defined in the routeMiddleware array down here. Now, by default we're passing in an argument called api to our throttle middleware class. This api argument is a predefined configuration that is provided by Laravel. It is a named throttle configuration that is defined inside our RouteServiceProvider.

Now, inside the RouteServiceProvider there's a method called configureRateLimiting, and inside that method is where we can define our own rate limiter. As you can see here, Laravel has already defined an entry called api, and this is exactly what we used in the throttle middleware just now. So as you can see in the code here, the api rate limiter is really limiting a maximum of 60 requests per minute. We can define our own rate limiter with a different name here by using the RateLimiter facade. The for method is how we can add a rate limiter to Laravel. The first argument is the name of the limiter, and the second argument is a callback function that allows us to define the logic of the rate limiter. The callback function accepts the incoming request as its argument, and it should return an instance of the Limit class, which basically defines the configuration of our rate limiter. The perMinute method defines how many requests we can allow per minute, and calling the by method will let us set a key to differentiate the requests so that we can identify the source of the incoming request. If the user is logged in, we'll use the ID of the user; otherwise we'll use the IP address of the sender as the key.

Now, if you don't want to use a named rate limiter, we can also pass in the parameters manually. So let's go back to our Kernel. To tell Laravel that we only want 60 requests per minute, what we need to do is to pass in the arguments 60 and 1 to the throttle middleware. How do I know these two numbers? The answer is in the source code. Let's dive into the ThrottleRequests middleware, and as you can see in the handle method, the arguments that it is expecting are maxAttempts and decayMinutes. maxAttempts stands for the maximum requests that are allowed, and decayMinutes means the duration for the rate limiting to reset. And as you can see here, Laravel has an if statement here to check if maxAttempts is a string or not. If it is a string, then we will handle the request by using the named limiter; otherwise we'll proceed by the normal means.

Behind the scenes, Laravel is caching the incoming request by its key. As we discussed just now, the key of the request could be the ID of the user or the IP address of the user, and by default Laravel will store the cache in files, as defined in our .env file. If you want Laravel to work faster and get more juice out of it, you can change the cache driver to Redis. Just that, if you did change it to Redis, there is a better throttle middleware built just for Redis. Let's go back to our HTTP Kernel class, and we should replace the default ThrottleRequests middleware with ThrottleRequestsWithRedis. That being said, you don't need to touch this if you're not using Redis.

Alright, that's about everything you need to know about the throttle middleware. Before we end the lesson, I would like to do a quick demo to see what will happen if we reach the rate limit. So I'll modify our throttle middleware so we can only take in two requests per minute, and now let's go to Postman. We'll try to send a GET request to the index method of our user resources. Click on send, we get a normal response. One more time, still okay. The third time we get an error with a status code of 429, which means Too Many Requests, and we also get an error message saying that we have too many attempts, since our app only allows two attempts per minute.

Alright, that's it. Key takeaways for this lesson: in programming, throttle means to limit the number of operations in a given period of time. The throttle middleware in Laravel helps to mitigate denial of service attacks, or DoS attacks, from malicious users. We can define named rate limiters in the RouteServiceProvider, and by default Laravel has already defined a rate limiter called api for our application's API routes. We can pass in the rate limiting config directly to the throttle middleware if we prefer not to use the named rate limiter. That's it for now, and I'll see you again in the next video. If you enjoy the content of this video, don't forget to hit the like, subscribe and the bell icon for more content to come. It will really help me out. Thanks for the support.
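The two ways of configuring the throttle middleware described above, written out as an added example (this is not the video's own code). It assumes a Laravel 8-style RouteServiceProvider; the limiter name `login-attempts`, the `/login` and `/users` routes, and the closure handlers are constructed for illustration.

```php
<?php
// app/Providers/RouteServiceProvider.php (added example, not the video's code)
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

class RouteServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->configureRateLimiting();

        $this->routes(function () {
            // The 'api' middleware group carries throttle:api, so the named 'api' limiter applies here.
            Route::prefix('api')->middleware('api')->group(base_path('routes/api.php'));
        });
    }

    protected function configureRateLimiting()
    {
        // The default limiter the video walks through: 60 requests/minute,
        // keyed by the authenticated user's id, falling back to the client IP.
        RateLimiter::for('api', function (Request $request) {
            return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());
        });

        // A stricter named limiter (assumed name) for an authentication endpoint,
        // keyed by IP only because the caller is not logged in yet. Laravel answers
        // 429 Too Many Requests once the limit is hit; the response() hook customises the body.
        RateLimiter::for('login-attempts', function (Request $request) {
            return Limit::perMinute(5)->by($request->ip())->response(function () {
                return response()->json(['message' => 'Too many attempts.'], 429);
            });
        });
    }
}

// routes/api.php (added example): apply the named limiter, or pass maxAttempts,decayMinutes directly.
Route::middleware('throttle:login-attempts')->post('/login', fn () => response()->json(['ok' => true]));
// Same shape as the video's demo: 2 requests per 1 minute, the third request gets a 429.
Route::middleware('throttle:2,1')->get('/users', fn () => response()->json(['users' => []]));
```

To switch to the Redis-backed variant the video mentions, change the `'throttle'` entry in `$routeMiddleware` in `app/Http/Kernel.php` to `\Illuminate\Routing\Middleware\ThrottleRequestsWithRedis::class`; the limiter definitions above stay the same.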
Info
Channel: Acadea.io
Views: 4,946
Keywords: laravel, security, throttle, throttling, rate limit, api, rest
Id: xITrWaMB3gs
Length: 6min 7sec (367 seconds)
Published: Tue Dec 28 2021