DDPRateLimiter should allow a callback for going over the limit

[shaylevi2]

Assuming a user is constantly going over the set limit - I would like to automatically ban this user.

Given a method that ran everytime a user has gone over the specified limit, would allow me to do it.

[stubailo]

I think this shouldn't be hard to add in the ddp-rate-limiter package. In fact, you could probably do it now by overriding the getErrorMessage function, which is basically a callback that just happens to also return the error message.

Here's the relevant code: https://github.com/meteor/meteor/blob/devel/packages/ddp-rate-limiter/ddp-rate-limiter.js

[shaylevi2]

The problem with getErrorMessage is that it's a single function for all the possible limits someone might wanna use, maybe for some you wanna ban and for some you don't.

[stubailo]

Yeah but you could put an if statement in there since you get all of the data in the callback argument. I'm not saying it's perfect, but it is a viable workaround for now.

[shaylevi2]

You get
{ allowed: false, timeToReset: 269, numInvocationsLeft: 0 }

No idea what function and you can't even access the connection data (i.e this.connection.id is undefined)

[stubailo]

Oh weird, I would have thought that should give you the name of the DDP message.

[nlhuykhang]

I think we could add a callback as the fourth argument of .addRule, then execute it inside check if the limit has been exceeded. Is this ok?

[abernix]

@nlhuykhang Something like that. Perhaps it would be worth having the callback's signature be callback(denied, allowed) and have it called in both cases? This would allow some additional functionality (success audit logs, etc.), right?

[sebakerckhof]

I think it would also make sense to modify https://github.com/meteor/meteor/blob/devel/packages/rate-limit/rate-limit.js#L131 so the input is added to the rate limit result. It seems to make sense to be able to see what caused the error in the error message (seeing that @stubailo thought this was already in there).

[hwillson]

Great ideas guys! Time to make this a reality then? I'd be happy to work on this if we agree this approach makes sense.

[nlhuykhang]

@hwillson I already created a PR here #8237

[hwillson]

Sorry @nlhuykhang - I've been reading too many GH issues lately, I skipped right past your reference!

[abernix]

This should be released in Meteor 1.4.3.2. You can try the latest 1.4.3.2 beta and help confirm/test by running:

meteor update --release 1.4.3.2-beta.0

Please report back if you encounter any problems. Thanks for suggesting this originally, @shaylevi2, and thanks very much for submitting a PR to make it happen, @nlhuykhang.