Laravel API throttle issue with Vapor. #33023

Closed
Abhi0725 opened this issue May 30, 2020 · 5 comments

@Abhi0725

  • Laravel Version: 7.11.0
  • PHP Version: 7.4
  • Database Driver & Version: MySQL 5.8

Description:

I deployed a basic Laravel site with a "flash sale" functionality. The frontend is a VueJS SPA and uses Laravel Sanctum for auth. It is serverless using Vapor.

The site is nothing fancy, just a basic form to enter into the sale (so just one DB+API interaction) and one API interaction to get the products.

The product was expected to have 30k visits in 30 min (but we ended up having 590k page views and 200k in 30 min). Huge, but thanks to Vapor/Lambda it went smoothly.

Now the thing is I used the default throttle of 60:1 for the API, considering we are not going to hit that for any user. But as soon as we started having a good amount of traffic (not the full traffic but possibly 50-60 concurrent) we started facing the 429 Too Many Requests issue. The fun part is we were facing it only when not logged in.

I have been developing in Laravel for more than 5 years and made dozens of projects in Laravel and never faced this issue. The only things that were new: Sanctum and Vapor. Though after lots of dives into the source code, I didn't find anything that could be causing this issue. Has anyone here faced this? Am I understanding the throttle flow wrong (i.e. it is based on a per user per URL basis)?

Steps To Reproduce:

I don't know if this is the correct way to reproduce it but I will still try: a basic Laravel project with an API call and auth using Sanctum deployed via Laravel Vapor.

I don't know how to reproduce that real-time concurrency, as Apache Benchmark won't help there.

@Abhi0725
Author

I don't know if this is clear from the above, but it was not just users; I myself faced the 429 error even when I just reloaded the page once, which was making only 1 API call.

@taylorotwell
Member

When not authenticated, Laravel will throttle by domain and IP address. However, this can lock out a lot of users because many people may share the same IP address.

@Abhi0725
Author

Abhi0725 commented May 30, 2020 via email

@Abhi0725
Author

@taylorotwell I tried adding some logs. If I am not mistaken this code is used to generate the signature in ThrottleRequests Middleware:

protected function resolveRequestSignature($request)
{
    if ($user = $request->user()) {
        return sha1($user->getAuthIdentifier());
    }
    if ($route = $request->route()) {
        return sha1($route->getDomain().'|'.$request->ip());
    }
    throw new RuntimeException('Unable to generate the request signature. Route unavailable.');
}

I tried logging $request->route()->getDomain() and $request->ip().

Here's the output in my local:

image

Here's from the Vapor panel on live site:

image

Doesn't it look like domain and IP are both null, and hence the signature is the same for all not logged in users?

Let me know if I should furnish some more details.

@Abhi0725
Author

image

Another screenshot of the log of the same line, but on a Forge-deployed server.

@Abhi0725 Abhi0725 changed the title Laravel API throttle issue with Sanctum on Vapor. Laravel API throttle issue with Vapor. Jun 4, 2020
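
The collision asked about in the later comments, as an added example that is not part of the original thread and not Laravel's own code: it recomputes the guest signature quoted above in plain PHP and counts requests in an in-memory fixed window. The function names, the limiter class, the shared-key check and the sample visitors are assumptions constructed for illustration; it assumes the domain and IP really do arrive as null, as the poster's log suggests.

```php
<?php
// Added illustration in plain PHP (7.4+), no framework code. All names are hypothetical.

// Same construction as the guest branch quoted in the thread: sha1(domain . '|' . ip).
function guestSignature(?string $domain, ?string $ip): string
{
    return sha1($domain . '|' . $ip);
}

// True when both inputs were empty, i.e. every guest would share one counter.
function isSharedGuestKey(string $signature): bool
{
    return hash_equals(sha1('|'), $signature);
}

// In-memory fixed-window counter standing in for the cache-backed limiter.
final class WindowLimiter
{
    private int $maxAttempts;
    private array $hits = [];
    public function __construct(int $maxAttempts)
    {
        $this->maxAttempts = $maxAttempts;
    }

    // Records one request and returns the HTTP status it would receive.
    public function hit(string $key): int
    {
        $this->hits[$key] = ($this->hits[$key] ?? 0) + 1;
        return $this->hits[$key] > $this->maxAttempts ? 429 : 200;
    }
}

// Each visitor makes a single request inside one window; returns status => count.
function simulate(array $visitors, int $maxAttempts = 60): array
{
    $limiter = new WindowLimiter($maxAttempts);
    $statuses = [];
    foreach ($visitors as [$domain, $ip]) {
        $statuses[] = $limiter->hit(guestSignature($domain, $ip));
    }
    return array_count_values($statuses);
}

// Constructed input: 100 guests, first with the null values, then with distinct addresses.
$nullInputs = array_fill(0, 100, [null, null]);
$distinctIps = array_map(fn ($i) => [null, "203.0.113.$i"], range(1, 100));
var_dump(isSharedGuestKey(guestSignature(null, null)));
print_r(['null inputs' => simulate($nullInputs), 'distinct IPs' => simulate($distinctIps)]);
```

With a 60-per-window limit the shared key is exhausted by the 61st guest request in that window, whoever sends it, which matches a single page reload returning 429. Logging when the computed key equals the empty-input hash is one way to notice the condition in production.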