No limit on API calls #482

Open
xray7224 opened this Issue · 3 comments

2 participants

@xray7224

I noticed that there doesn't seem to be a limit on how often you can hit the API, which could be a very easy way to DDoS a site. Maybe have a limit configurable in the config, e.g. 1 API call per 60 seconds. If you exceed that limit multiple times in, say, 5 minutes (possibly also configurable) then your OAuth tokens could be dropped (for repeat offenders registration could even be disallowed; however, this may punish the user for a bad client).

@evanp
Owner
@xray7224

Ah yes, get enough nodes and any request would do, but fetching all that data (some of these API calls can return hundreds of KB of data) could cause a lot of problems (I think anyway; I would have to do some more tests). I think if an exception was raised it would help the case.

There is also the fact that making API calls is tied to accounts; you could, like I suggested, begin to deny access at least for a while, which would seriously hinder any attempt at getting the server to return the level of data that is required for, say, the inbox endpoint.
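Added example, not pump.io code: a per-token limiter implementing the policy proposed in this thread (a fixed window of 60 seconds with 1 call allowed, violations counted over 5 minutes, and the OAuth token dropped for repeat offenders). The class, option names and the strike threshold of 3 are assumptions; the clock is injectable so the behaviour can be tested.

```javascript
// Constructed example: per-OAuth-token rate limiter with a repeat-offender policy.
// Not pump.io code; the class, option names and maxStrikes default are hypothetical.
const DEFAULTS = {
  windowMs: 60 * 1000,            // limit window: 60 seconds (from the thread)
  maxPerWindow: 1,                // calls allowed per window: 1 (from the thread)
  strikeWindowMs: 5 * 60 * 1000,  // period over which violations are counted: 5 minutes (from the thread)
  maxStrikes: 3,                  // violations in that period before the token is dropped (assumed)
};

class ApiRateLimiter {
  constructor(options = {}, now = Date.now) {
    this.opts = { ...DEFAULTS, ...options };
    this.now = now;             // injectable clock, so behaviour can be tested deterministically
    this.windows = new Map();   // token -> { start, count } for the current window
    this.strikes = new Map();   // token -> timestamps of windows in which the limit was exceeded
    this.revoked = new Set();   // tokens dropped for repeat offences
  }

  // Decide whether one API call made with `token` right now may proceed.
  check(token) {
    const t = this.now();
    if (this.revoked.has(token)) return { allowed: false, reason: 'revoked' };
    let w = this.windows.get(token);
    if (!w || t - w.start >= this.opts.windowMs) {
      w = { start: t, count: 0 };           // start a fresh fixed window
      this.windows.set(token, w);
    }
    w.count += 1;
    if (w.count <= this.opts.maxPerWindow) return { allowed: true, reason: 'ok' };
    if (w.count === this.opts.maxPerWindow + 1) {
      // First call over the limit in this window counts as one strike; expire old strikes.
      const recent = (this.strikes.get(token) || []).filter(s => t - s < this.opts.strikeWindowMs);
      recent.push(t);
      this.strikes.set(token, recent);
      if (recent.length >= this.opts.maxStrikes) {
        this.revoked.add(token);            // repeat offender: drop the token
        this.windows.delete(token);
        this.strikes.delete(token);
        return { allowed: false, reason: 'revoked' };
      }
    }
    return { allowed: false, reason: 'rate_limited' };
  }
}
```

In a server, `check(token)` would be called before each authenticated API handler, answering 429 for `rate_limited` and 401 for `revoked`; a revoked token should also be removed from the token store so the limiter's in-memory set is not the only record.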

@evanp
Owner

So, identi.ca is a pretty popular public site, and we've just never had a problem with this.

I'm going to leave this issue open, since in theory I think it's a possible problem, but I'm probably not going to work much on API limits until or if they become a real problem.
