discourse/lib/rate_limiter.rb

# frozen_string_literal: true

# A redis backed rate limiter.
class RateLimiter

  attr_reader :max, :secs, :user, :key

  def self.key_prefix
    "l-rate-limit3:"
  end

  def self.disable
    @disabled = true
  end

  def self.enable
    @disabled = false
  end

  # We don't observe rate limits in test mode
  def self.disabled?
    @disabled
  end

  # Only used in test, only clears current namespace, does not clear globals
  def self.clear_all!
    Discourse.redis.delete_prefixed(RateLimiter.key_prefix)
  end

  def self.clear_all_global!
    Discourse.redis.without_namespace.keys("GLOBAL::#{key_prefix}*").each do |k|
      Discourse.redis.without_namespace.del k
    end
  end

  def build_key(type)
    "#{RateLimiter.key_prefix}:#{@user && @user.id}:#{type}"
  end

  def initialize(user, type, max, secs, global: false, aggressive: false)
    @user = user
    @type = type
    @key = build_key(type)
    @max = max
    @secs = secs
    @global = global
    @aggressive = aggressive
  end

  def clear!
    redis.del(prefixed_key)
  end

  def can_perform?
    rate_unlimited? || is_under_limit?
  end

  def seconds_to_wait(now)
    @secs - age_of_oldest(now)
  end

  # reloader friendly
  unless defined? PERFORM_LUA
    PERFORM_LUA = <<~LUA
      local now = tonumber(ARGV[1])
      local secs = tonumber(ARGV[2])
      local max = tonumber(ARGV[3])

      local key = KEYS[1]


      if ((tonumber(redis.call("LLEN", key)) < max) or
          (now - tonumber(redis.call("LRANGE", key, -1, -1)[1])) >= secs) then
        redis.call("LPUSH", key, now)
        redis.call("LTRIM", key, 0, max - 1)
        redis.call("EXPIRE", key, secs * 2)

        return 1
      else
        return 0
      end
    LUA

    PERFORM_LUA_SHA = Digest::SHA1.hexdigest(PERFORM_LUA)
  end

  unless defined? PERFORM_LUA_AGGRESSIVE
    PERFORM_LUA_AGGRESSIVE = <<~LUA
      local now = tonumber(ARGV[1])
      local secs = tonumber(ARGV[2])
      local max = tonumber(ARGV[3])

      local key = KEYS[1]

      local return_val = 0

      if ((tonumber(redis.call("LLEN", key)) < max) or
          (now - tonumber(redis.call("LRANGE", key, -1, -1)[1])) >= secs) then
        return_val = 1
      else
        return_val = 0
      end

      redis.call("LPUSH", key, now)
      redis.call("LTRIM", key, 0, max - 1)
      redis.call("EXPIRE", key, secs * 2)

      return return_val
    LUA

    PERFORM_LUA_AGGRESSIVE_SHA = Digest::SHA1.hexdigest(PERFORM_LUA_AGGRESSIVE)
  end

  def performed!(raise_error: true)
    return true if rate_unlimited?
    now = Time.now.to_i

    if ((max || 0) <= 0) || rate_limiter_allowed?(now)
      raise RateLimiter::LimitExceeded.new(seconds_to_wait(now), @type) if raise_error
      false
    else
      true
    end
  rescue Redis::CommandError => e
    if e.message =~ /READONLY/
      # TODO,switch to in-memory rate limiter
    else
      raise
    end
  end

  def rollback!
    return if RateLimiter.disabled?
    redis.lpop(prefixed_key)
  rescue Redis::CommandError => e
    if e.message =~ /READONLY/
      # TODO,switch to in-memory rate limiter
    else
      raise
    end
  end

  def remaining
    return @max if @user && @user.staff?

    arr = redis.lrange(prefixed_key, 0, @max) || []
    t0 = Time.now.to_i
    arr.reject! { |a| (t0 - a.to_i) > @secs }
    @max - arr.size
  end

  private

  def rate_limiter_allowed?(now)

    lua, lua_sha = nil
    if @aggressive
      lua = PERFORM_LUA_AGGRESSIVE
      lua_sha = PERFORM_LUA_AGGRESSIVE_SHA
    else
      lua = PERFORM_LUA
      lua_sha = PERFORM_LUA_SHA
    end

    eval_lua(lua, lua_sha, [prefixed_key], [now, @secs, @max]) == 0
  end

  def prefixed_key
    if @global
      "GLOBAL::#{key}"
    else
      Discourse.redis.namespace_key(key)
    end
  end

  def redis
    Discourse.redis.without_namespace
  end

  def age_of_oldest(now)
    # age of oldest event in buffer, in seconds
    now - redis.lrange(prefixed_key, -1, -1).first.to_i
  end

  def is_under_limit?
    now = Time.now.to_i

    # number of events in buffer less than max allowed? OR
    (redis.llen(prefixed_key) < @max) ||
    # age bigger than silding window size?
    (age_of_oldest(now) >= @secs)
  end

  def rate_unlimited?
    !!(RateLimiter.disabled? || (@user && @user.staff?))
  end

  def eval_lua(lua, sha, keys, args)
    redis.evalsha(sha, keys, args)
  rescue Redis::CommandError => e
    if e.to_s =~ /^NOSCRIPT/
      redis.eval(lua, keys, args)
    else
      raise
    end
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-03 06:17:27 +08:00			`# frozen_string_literal: true`

Initial release of Discourse 2013-02-06 03:16:51 +08:00			`# A redis backed rate limiter.`
			`class RateLimiter`

FEATURE: scale up likes per day as users increase trust level tl2 = 1.5 times the likes tl3 = 2 times the likes tl4 = 3 times the likes configurable via tl[234]_additional_likes_per_day_multiplier site setting 2015-04-16 07:44:30 +08:00			`attr_reader :max, :secs, :user, :key`

FIX: The "too similar" check happened when trying to make a post a wiki 2015-02-03 01:44:21 +08:00			`def self.key_prefix`
FIX: load balanced servers do not share monotonic clock This means then when a service is load balanced and you reach rate limits there was a case where they counting was way off also remove the stub from clock_gettime cause we need to be super careful with it, so we should probably just stub by hand when needed 2017-12-07 08:48:11 +08:00			`"l-rate-limit3:"`
FIX: The "too similar" check happened when trying to make a post a wiki 2015-02-03 01:44:21 +08:00			`end`
FIX: Should flush rate limit keys before testing it 2015-01-30 00:44:51 +08:00
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`def self.disable`
			`@disabled = true`
			`end`

			`def self.enable`
			`@disabled = false`
			`end`

Initial release of Discourse 2013-02-06 03:16:51 +08:00			`# We don't observe rate limits in test mode`
			`def self.disabled?`
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`@disabled`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`

Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`# Only used in test, only clears current namespace, does not clear globals`
FIX: Should flush rate limit keys before testing it 2015-01-30 00:44:51 +08:00			`def self.clear_all!`
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables. 2019-12-03 17:05:53 +08:00			`Discourse.redis.delete_prefixed(RateLimiter.key_prefix)`
FIX: Should flush rate limit keys before testing it 2015-01-30 00:44:51 +08:00			`end`

FEATURE: optional default off global per ip rate limiter 2017-12-11 14:21:00 +08:00			`def self.clear_all_global!`
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables. 2019-12-03 17:05:53 +08:00			`Discourse.redis.without_namespace.keys("GLOBAL::#{key_prefix}*").each do \|k\|`
			`Discourse.redis.without_namespace.del k`
FEATURE: optional default off global per ip rate limiter 2017-12-11 14:21:00 +08:00			`end`
			`end`

Add better error messages for rate limits. 2015-09-25 01:52:32 +08:00			`def build_key(type)`
			`"#{RateLimiter.key_prefix}:#{@user && @user.id}:#{type}"`
			`end`

PERF: introduce aggressive rate limiting for anonymous (#11129) Previous to this change our anonymous rate limits acted as a throttle. New implementation means we now also consider rate limited requests towards the limit. This means that if an anonymous user is hammering the server it will not be able to get any requests through until it subsides with traffic. 2020-11-05 13:36:17 +08:00			`def initialize(user, type, max, secs, global: false, aggressive: false)`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`@user = user`
Add better error messages for rate limits. 2015-09-25 01:52:32 +08:00			`@type = type`
			`@key = build_key(type)`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`@max = max`
			`@secs = secs`
FEATURE: optional default off global per ip rate limiter 2017-12-11 14:21:00 +08:00			`@global = global`
PERF: introduce aggressive rate limiting for anonymous (#11129) Previous to this change our anonymous rate limits acted as a throttle. New implementation means we now also consider rate limited requests towards the limit. This means that if an anonymous user is hammering the server it will not be able to get any requests through until it subsides with traffic. 2020-11-05 13:36:17 +08:00			`@aggressive = aggressive`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`

			`def clear!`
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`redis.del(prefixed_key)`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`

			`def can_perform?`
small refactor of RateLimiter for clarity 2013-05-24 08:18:59 +08:00			`rate_unlimited? \|\| is_under_limit?`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`

FIX: Add Retry-Header to rate limited responses (#11736) It returned a 429 error code with a 'Retry-After' header if a RateLimiter::LimitExceeded was raised and unhandled, but the header was missing if the request was limited in the 'RequestTracker' middleware. 2021-01-19 17:35:46 +08:00			`def seconds_to_wait(now)`
			`@secs - age_of_oldest(now)`
			`end`

Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`# reloader friendly`
			`unless defined? PERFORM_LUA`
			`PERFORM_LUA = <<~LUA`
			`local now = tonumber(ARGV[1])`
			`local secs = tonumber(ARGV[2])`
			`local max = tonumber(ARGV[3])`
Revert "PERF: improve speed of rate limiter" This reverts commit a9bcdd7f279827e86ec474bcf4c9ed96bc1c0060. 2017-12-04 18:19:28 +08:00
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`local key = KEYS[1]`
Revert "PERF: improve speed of rate limiter" This reverts commit a9bcdd7f279827e86ec474bcf4c9ed96bc1c0060. 2017-12-04 18:19:28 +08:00
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00
			`if ((tonumber(redis.call("LLEN", key)) < max) or`
FIX: sliding window end time in rate limiter (#11691) If the sliding window size is N seconds, then a moment at the Nth second should be considered as the moment outside of the sliding window. Otherwise, if the sliding window is already full, at the Nth second, a new call wouldn't be allowed, but a time to wait before the next call would be equal to zero, which is confusing. In other words, the end of the time range shouldn't be included in the sliding window. Let's say we start at the second 0, and the sliding window size is 10 seconds. In the current version of rate limiter, this sliding window will be considered as a time range [0, 10] (including the end of the range), which actually is 11 seconds in length. After this fix, the time range will be considered as [0, 10) (excluding the end of the range), which is exactly 10 seconds in length. 2021-01-13 02:26:43 +08:00			`(now - tonumber(redis.call("LRANGE", key, -1, -1)[1])) >= secs) then`
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`redis.call("LPUSH", key, now)`
			`redis.call("LTRIM", key, 0, max - 1)`
			`redis.call("EXPIRE", key, secs * 2)`

			`return 1`
			`else`
			`return 0`
			`end`
			`LUA`

			`PERFORM_LUA_SHA = Digest::SHA1.hexdigest(PERFORM_LUA)`
			`end`

PERF: introduce aggressive rate limiting for anonymous (#11129) Previous to this change our anonymous rate limits acted as a throttle. New implementation means we now also consider rate limited requests towards the limit. This means that if an anonymous user is hammering the server it will not be able to get any requests through until it subsides with traffic. 2020-11-05 13:36:17 +08:00			`unless defined? PERFORM_LUA_AGGRESSIVE`
			`PERFORM_LUA_AGGRESSIVE = <<~LUA`
			`local now = tonumber(ARGV[1])`
			`local secs = tonumber(ARGV[2])`
			`local max = tonumber(ARGV[3])`

			`local key = KEYS[1]`

			`local return_val = 0`

			`if ((tonumber(redis.call("LLEN", key)) < max) or`
FIX: sliding window end time in rate limiter (#11691) If the sliding window size is N seconds, then a moment at the Nth second should be considered as the moment outside of the sliding window. Otherwise, if the sliding window is already full, at the Nth second, a new call wouldn't be allowed, but a time to wait before the next call would be equal to zero, which is confusing. In other words, the end of the time range shouldn't be included in the sliding window. Let's say we start at the second 0, and the sliding window size is 10 seconds. In the current version of rate limiter, this sliding window will be considered as a time range [0, 10] (including the end of the range), which actually is 11 seconds in length. After this fix, the time range will be considered as [0, 10) (excluding the end of the range), which is exactly 10 seconds in length. 2021-01-13 02:26:43 +08:00			`(now - tonumber(redis.call("LRANGE", key, -1, -1)[1])) >= secs) then`
PERF: introduce aggressive rate limiting for anonymous (#11129) Previous to this change our anonymous rate limits acted as a throttle. New implementation means we now also consider rate limited requests towards the limit. This means that if an anonymous user is hammering the server it will not be able to get any requests through until it subsides with traffic. 2020-11-05 13:36:17 +08:00			`return_val = 1`
			`else`
			`return_val = 0`
			`end`

			`redis.call("LPUSH", key, now)`
			`redis.call("LTRIM", key, 0, max - 1)`
			`redis.call("EXPIRE", key, secs * 2)`

			`return return_val`
			`LUA`

			`PERFORM_LUA_AGGRESSIVE_SHA = Digest::SHA1.hexdigest(PERFORM_LUA_AGGRESSIVE)`
			`end`

FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a single path. This can happen if a URL is shared with the entire forum base and everyone is logged on 2018-04-18 14:58:40 +08:00			`def performed!(raise_error: true)`
correct return value 2018-04-25 06:44:07 +08:00			`return true if rate_unlimited?`
FIX: load balanced servers do not share monotonic clock This means then when a service is load balanced and you reach rate limits there was a case where they counting was way off also remove the stub from clock_gettime cause we need to be super careful with it, so we should probably just stub by hand when needed 2017-12-07 08:48:11 +08:00			`now = Time.now.to_i`
Add guard for `nil` in our `RateLimiter`. 2018-03-01 13:20:42 +08:00
PERF: introduce aggressive rate limiting for anonymous (#11129) Previous to this change our anonymous rate limits acted as a throttle. New implementation means we now also consider rate limited requests towards the limit. This means that if an anonymous user is hammering the server it will not be able to get any requests through until it subsides with traffic. 2020-11-05 13:36:17 +08:00			`if ((max \|\| 0) <= 0) \|\| rate_limiter_allowed?(now)`
FIX: Use the same time moment for related Redis calls in rate limiter (#11692) Co-authored-by: Robin Ward <robin.ward@gmail.com> 2021-01-13 04:09:15 +08:00			`raise RateLimiter::LimitExceeded.new(seconds_to_wait(now), @type) if raise_error`
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a single path. This can happen if a URL is shared with the entire forum base and everyone is logged on 2018-04-18 14:58:40 +08:00			`false`
			`else`
			`true`
PERF: improve speed of rate limiter Also - adds a global rate limiter option - cleans up usage in tests - fixes freeze_time so it handles clock_gettime 2017-12-04 15:17:18 +08:00			`end`
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`rescue Redis::CommandError => e`
			`if e.message =~ /READONLY/`
			`# TODO,switch to in-memory rate limiter`
			`else`
			`raise`
			`end`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`

			`def rollback!`
			`return if RateLimiter.disabled?`
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`redis.lpop(prefixed_key)`
FIX: Ignore Redis readonly errors in `RateLimiter#rollback!`. This is similar to what we're doing in `RateLimiter#performed!`. 2020-06-11 15:09:12 +08:00			`rescue Redis::CommandError => e`
			`if e.message =~ /READONLY/`
			`# TODO,switch to in-memory rate limiter`
			`else`
			`raise`
			`end`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`

FEATURE: Warn a user when they have few likes remaining 2016-03-18 23:17:51 +08:00			`def remaining`
			`return @max if @user && @user.staff?`

Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`arr = redis.lrange(prefixed_key, 0, @max) \|\| []`
FIX: load balanced servers do not share monotonic clock This means then when a service is load balanced and you reach rate limits there was a case where they counting was way off also remove the stub from clock_gettime cause we need to be super careful with it, so we should probably just stub by hand when needed 2017-12-07 08:48:11 +08:00			`t0 = Time.now.to_i`
FEATURE: Warn a user when they have few likes remaining 2016-03-18 23:17:51 +08:00			`arr.reject! { \|a\| (t0 - a.to_i) > @secs }`
			`@max - arr.size`
			`end`

small refactor of RateLimiter for clarity 2013-05-24 08:18:59 +08:00			`private`

PERF: introduce aggressive rate limiting for anonymous (#11129) Previous to this change our anonymous rate limits acted as a throttle. New implementation means we now also consider rate limited requests towards the limit. This means that if an anonymous user is hammering the server it will not be able to get any requests through until it subsides with traffic. 2020-11-05 13:36:17 +08:00			`def rate_limiter_allowed?(now)`

			`lua, lua_sha = nil`
			`if @aggressive`
			`lua = PERFORM_LUA_AGGRESSIVE`
			`lua_sha = PERFORM_LUA_AGGRESSIVE_SHA`
			`else`
			`lua = PERFORM_LUA`
			`lua_sha = PERFORM_LUA_SHA`
			`end`

			`eval_lua(lua, lua_sha, [prefixed_key], [now, @secs, @max]) == 0`
			`end`

Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`def prefixed_key`
			`if @global`
			`"GLOBAL::#{key}"`
			`else`
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables. 2019-12-03 17:05:53 +08:00			`Discourse.redis.namespace_key(key)`
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`end`
			`end`

			`def redis`
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables. 2019-12-03 17:05:53 +08:00			`Discourse.redis.without_namespace`
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`end`

FIX: Use the same time moment for related Redis calls in rate limiter (#11692) Co-authored-by: Robin Ward <robin.ward@gmail.com> 2021-01-13 04:09:15 +08:00			`def age_of_oldest(now)`
Sliding window rate limiting Switched the algorithm to use a circular buffer based on a redis list 2013-05-26 03:37:28 +08:00			`# age of oldest event in buffer, in seconds`
FIX: Use the same time moment for related Redis calls in rate limiter (#11692) Co-authored-by: Robin Ward <robin.ward@gmail.com> 2021-01-13 04:09:15 +08:00			`now - redis.lrange(prefixed_key, -1, -1).first.to_i`
Sliding window rate limiting Switched the algorithm to use a circular buffer based on a redis list 2013-05-26 03:37:28 +08:00			`end`

small refactor of RateLimiter for clarity 2013-05-24 08:18:59 +08:00			`def is_under_limit?`
FIX: Use the same time moment for related Redis calls in rate limiter (#11692) Co-authored-by: Robin Ward <robin.ward@gmail.com> 2021-01-13 04:09:15 +08:00			`now = Time.now.to_i`

FIX: Should flush rate limit keys before testing it 2015-01-30 00:44:51 +08:00			`# number of events in buffer less than max allowed? OR`
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00			`(redis.llen(prefixed_key) < @max) \|\|`
FIX: Use the same time moment for related Redis calls in rate limiter (#11692) Co-authored-by: Robin Ward <robin.ward@gmail.com> 2021-01-13 04:09:15 +08:00			`# age bigger than silding window size?`
			`(age_of_oldest(now) >= @secs)`
small refactor of RateLimiter for clarity 2013-05-24 08:18:59 +08:00			`end`

			`def rate_unlimited?`
FIX: rate limit password reset email 2014-08-18 08:55:30 +08:00			`!!(RateLimiter.disabled? \|\| (@user && @user.staff?))`
small refactor of RateLimiter for clarity 2013-05-24 08:18:59 +08:00			`end`
Revert "Revert "PERF: improve speed of rate limiter"" This reverts commit 2373d85239b7c19a04aab74155360d7dd572a1eb. 2017-12-04 18:23:11 +08:00
			`def eval_lua(lua, sha, keys, args)`
			`redis.evalsha(sha, keys, args)`
			`rescue Redis::CommandError => e`
			`if e.to_s =~ /^NOSCRIPT/`
			`redis.eval(lua, keys, args)`
			`else`
			`raise`
			`end`
			`end`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`