Custom rate limiter

[mfoq]

Hi, i want to implement a custom rate limiter with my own logic and driver "storage" like database or redis

how to do that in yii2 "basic template"? i have a 3 modules in the system, only an API's system I tried to add my custom rate limiter to the base controller that all API's extend from, but nothing happens. The request goes without getting checked in the rate limiter layer

So, what are the key points to add my custom rate limiter in this case?

[terabytesoftw]

Could you show your code, so I can see what you are trying to implement, thanks.

[mfoq]

Hi @terabytesoftw , I solved the problem.

The main challenge was to catch requests from unauthenticated users and block them by IP as well. The issue was that the authentication component aborts the request early when the user is not authenticated, so the rate limiter never got a chance to run for those requests.

To fix this, I extended CompositeAuth into a custom RateLimitedCompositeAuth class and used beforeAction to catch requests before they are aborted by the authenticator, like this:

$behaviors['authenticator'] = [
    'class' => RateLimitedCompositeAuth::class,
    'except' => ['login', ...],
    'authMethods' => [
        HttpBearerAuth::class,
    ],
];

Then, for authenticated requests, I added a separate rate limiter behavior that extends from yii\base\ActionFilter after the authenticator behavior:

$behaviors['rateLimiter'] = [
    'class' => ApiRateLimiter::class,
];

With this approach, I can flexibly limit both authenticated users (by id) and unauthenticated users (by IP).

Thanks for your help, and if you have any thoughts it would be really helpful

[xicond]

I'm thinking maybe can provide general ratelimiter in the future, not just for request
can be for queue (general purpose), email purpose, API request purpose, tokenize purpose, etc.

so developer implement one same logic, can apply same for request, email, login, sms OTP

if only for request, then it's not re-useable