Description
THIS IS CURRENTLY IN DRAFT. NEEDS CLARIFICATION / ANALYSIS
Intro
We may have certain operations in our application for which we want to implement a kind of rate limiting. This is not the API call rate limiting middleware of ASP.NET Core, but a web-independent system to control the frequency of operations.
Example use cases
- Do not allow making a "forgot email" request for the same email address more than 3 times in an hour.
- Do not allow getting a "monthly sales report" more than 2 times in a day for each user (maybe generating that report uses a lot of system resources).
Implementation details
We may define an OperationRateLimitingRule with the following properties:
- OperationName (string) (a unique string per operation)
- Duration (int) (in seconds) (it can also be 1 day, 1 week, 1 month, ...)
- MaxExecutionCount (int) (in the given duration)
When we want to check if we are allowed to perform the operation, we may pass the following parameters to a service method, say IOperationRateLimitingManager.CheckAsync:
- operationName (string): Matches a name in the configured rule definitions.
- parameter (string, optional): This will be used to control rate limiting for different entities. For example, we may pass the current user's id, so different users won't share the same rate. We may pass the tenant id if we want to share the same limit for all users of a tenant. If we want to pass multiple values, we can join them with `_`, for example. This is an arbitrary parameter to distinguish different people/entities.
We can save operation values in the IDistributedCache as the default store and allow implementing a custom store (like a database store).
Additional notes
This feature seems to overlap with the feature system, especially when we use it to limit tenant operations. However, the feature system is used to limit tenants for business purposes (to get more money from some tenants that have wider limits), while the rate limiting system is for saving system resources (we don't want to send too many emails) and preventing security attacks.
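
One way the proposed check could work on top of IDistributedCache, as an added example that is not code from this issue or from the project. The class name OperationRateLimitingManager, the cache key layout and the stored value format are assumptions; the rule properties and the CheckAsync parameters follow the description above.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Extensions.Caching.Distributed;

// Rule shape as described in the issue (Duration in seconds).
public record OperationRateLimitingRule(string OperationName, int Duration, int MaxExecutionCount);

// Hypothetical implementation of the proposed CheckAsync, using a fixed time window.
public class OperationRateLimitingManager
{
    private readonly IDistributedCache _cache;
    private readonly Dictionary<string, OperationRateLimitingRule> _rules;

    public OperationRateLimitingManager(IDistributedCache cache, IEnumerable<OperationRateLimitingRule> rules)
    {
        _cache = cache;
        _rules = rules.ToDictionary(r => r.OperationName);
    }

    // Returns true (and counts the execution) while the caller is under the limit.
    public async Task<bool> CheckAsync(string operationName, string? parameter = null)
    {
        if (!_rules.TryGetValue(operationName, out var rule))
            throw new ArgumentException($"No rate limiting rule named '{operationName}'.");

        var key = $"OperationRateLimit:{operationName}:{parameter}"; // assumed key layout
        var now = DateTimeOffset.UtcNow;
        var count = 0;
        var windowEnd = now.AddSeconds(rule.Duration);

        // Assumed value format "<count>|<window end, UTC ticks>": the window end is
        // stored so that later hits do not extend the expiry of the first one.
        var stored = await _cache.GetStringAsync(key);
        if (stored != null)
        {
            var parts = stored.Split('|');
            var end = new DateTimeOffset(long.Parse(parts[1], CultureInfo.InvariantCulture), TimeSpan.Zero);
            if (end > now) { count = int.Parse(parts[0], CultureInfo.InvariantCulture); windowEnd = end; }
        }
        if (count >= rule.MaxExecutionCount) return false;

        // Read-then-write is not atomic on IDistributedCache: concurrent callers can
        // slip past the limit. A custom store with an atomic increment closes that gap.
        await _cache.SetStringAsync(key, $"{count + 1}|{windowEnd.UtcTicks}",
            new DistributedCacheEntryOptions { AbsoluteExpiration = windowEnd });
        return true;
    }
}
```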