Rough draft of reciever rate limiting for discussion

[karmanyaahm]

This is the original proposal from the Matrix room
me:

My main idea, the ideal solution (as PeterCxy proposed) is to move the cost, for at least UP rate limits, to the receiver instead of the sender.

There are many ways to do it, but one potential solution (a simple but clean-ish one I could think of):

• Like id: and user:, make up* topics a up: visitor. [1]
• This up: visitor (the UP topic) has large-ish rate limits (to prevent obvious spam/misconfiguration), but doesn't care too much.
• Topic.Subscribe and Topic.Unsubscribe keep track of the most recent visitor to subscribe to a topic, and the time (say prev. 12hrs is valid). [2]
• On Topic.Publish, the message is 'billed' to the most-recent-visitor's rate limit (either ip: or user:), rejected if there is no recent visitor.
• Delete the message if successfully delivered to at least one client. UP topics are unique to each client anyways. [3]

[1] In which case up* topics have to be reserved explicitly for receiver-based rate limiting. We cannot rely on up=1 because the client doesn't control that.
[2] If all of this is in-memory: say someone loses their connection, wait 1 hour, ntfy restarts, wait 1 hour, they resubscribe. If there was a notification at T+90 minutes, that notification would be lost, since the topic would show up as 'fresh', and the notification rejected. However, this seems like a fair compromise for the simplicity of avoiding a database.
[3] Attempt delivering to multiple clients if they are online and subscribed though, for debugging purposes. This is just an extra resource-saving measure and not part of the core plan.

I can actually help you make it now, though, once we agree on a plan, since this is needed by a clear deadline.

binwiederhier:

I think I understand this plan. In my own words:

For topics starting with up*, we keep track of the visitors that are subscribed to a topic in the topic struct.

When a message is published, we determine the visitor based on the topic name instead of the IP (v := s.visitorByTopic("upABCDEF..")). If there are multiple visitors, we pick the most recent one.

The rest of the logic remains the same.

Correct?

me:

Basically, yes. The goal is to 'bill' that messsage to the most recently subscribed visitor instead of to the sender.

Additionally, this would require formally defining 'up*' as a special namespace, since messages are "billed" differently.

[karmanyaahm]

That. How do we know whether the last subscriber wants to cache messages (gone temporarily) or not (unsubscribed permanently)?

[binwiederhier]

I don't understand what's happening here. Sorry.

[karmanyaahm]

Messages are being billed to the last visitor (either someone currently subscribed or the last person to unsubscribe). This bill-the-last-unsusbscriber behavior remains for unifiedPushSubscriptionDuration.

Let's say user:KM is subscribed to ntfy.sh/upABCD, and unifiedPushSubscriptionDuration := 10 * time.Hour

Scenario 1:
06:00 user:KM's internet went out and they unsubscribed from ntfy.sh/upABCD
06:15: ntfy.sh receives a message at upABCD. It is stored and billed to KM
06:30 user:KM is online again. The missed message is delivered and everyone's happy.

Scenario 2:
06:00 user:KM's internet went out and they unsubscribed from ntfy.sh/upABCD
06:15: ntfy.sh receives a message at upABCD. It is stored and billed to KM
15:59: ntfy.sh receives a message at upABCD. It is stored and billed to KM
16:01: ntfy.sh receives a message at upABCD. t.lastUnsub.v is set to nil. The message is rejected (412 or whatever else).
23:59 user:KM is online again. They missed some messages, but it's not that big of a deal.

Scenario 3:
06:00 user:KM's intentionally unsubscribed from ntfy.sh/upABCD. They don't want upABCD messages anymore, but the app server keeps sending them.
06:15: ntfy.sh receives a message at upABCD. It is stored and billed to KM
15:59: ntfy.sh receives a message at upABCD. It is stored and billed to KM
16:01: ntfy.sh receives a message at upABCD. t.lastUnsub.v is set to nil. The message is rejected (412 or whatever else).
user:KM is angry that 2 (or 200 or 2000) messages from their rate limit were eaten up by this random app server.

[karmanyaahm]

If there is no last subscriber, or there was a subscriber very long ago, what should ntfy do?

1. Cache it anyway but bill it to the app server - inconsistent
2. Reject it. Which status code? 500?

[karmanyaahm]

*should be == not !=

[binwiederhier]

I think this is kind of up to the UP spec, no? "What should the push server do if there is no one listening" seems like a spec question.

Obviously the easiest thing would be to reject it. Everything else would cause lots of headscratching.

The response code may be https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/412?

[karmanyaahm]

Good point

[karmanyaahm]

Is the term "Bill" fine?

[karmanyaahm]

(apparently Billee is not a real word)

[MayeulC]

Invoiced? Billed visitor/account? Charged? Accounted?

Other "Bill" synonyms: cost, expense, tally

[binwiederhier]

t.SubscriberVisitor()?

[binwiederhier]

I think this is kind of up to the UP spec, no? "What should the push server do if there is no one listening" seems like a spec question.

Obviously the easiest thing would be to reject it. Everything else would cause lots of headscratching.

The response code may be https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/412?

[binwiederhier]

I would generally opt for replacing v early in this function, instead of adding if-then-elses everywhere.

Case and point: There's a v.MessageAllowed() at the top which would be run against the IP-visitor and not the subscriber visitor.

[karmanyaahm]

Yeah, but in that case, logs and email-allowed need to be if-then-elsed (which makes more sense I guess, since there's fewer of those things). I'll figure out a way to minimize complications.

[binwiederhier]

t.SubscriberVisitor()?

[binwiederhier]

I don't understand what's happening here. Sorry.

[binwiederhier]

Here's an idea: instead of using the prefix, could we use the presence of the ?up=1 query param? If the qurey param is present, bill differently? I vaguely remember this being discussed before, but I do not recall what the outcome was

[karmanyaahm]

From the UP dev chat

up=1 is sent by the server, whereas these messages are being billed to the subscriber. I thought about that too, but then came up with this:

• I am subscribed to ntfy.sh/videogameupdates, an open channel for anyone to post
• A malicious actor comes along and sends 10000 messages to ntfy.sh/videogameupdates?up=1
• Me, poor subscriber, is now rate-limited

So, we need a way in which the subscriber knows that they are subscribing to a subscriber-billed topic instead of trusting the sender to inform us. The easiest way is the topic.

[karmanyaahm]

Closing in favor of a new PR (coming soon)