Proper usage of the Throttle API

SKevo

Hello,
I am asking how to properly temporarily throttle certain Flarum API routes. Namely, we at FreeFlarum have found that api/forgot can be quite easily spammed with POST requests which results in E-mail spam.

The question is, how can we throttle certain routes so that they won't be spammed? Say I want to add a 5 minute cooldown between sending forgotten password requests and test mail request.

So far, we are using this code (for test mail), but that throttles the test mail permanently, making it disfunctional - we want similar temporary cooldown for forgotten password requests:

[...]
     (new Flarum\Extend\ThrottleApi)->set('throttleMailTests', function ($request) {
        if ($request->getAttribute('routeName') === 'mailTest') {
            return true;
        }
     }),
[...]

Thanks

askvortsov

SKevo The ThrottleApi API is extremely flexible, but somewhat low-level. If the callback returns true, the request will be throttled. If the callback returns false, any throttling will be overriden. Extensions are responsible for figuring out criteria for throttling.

In this case, the best option might be using redis to log when a given user accesses a given route, and use that as a basis for throttling. Alternatively, you could add a database column, but that's a fair bit of overhead.

SKevo

askvortsov thanks for the reply, although I was hoping for something simpler 😂. What if I create a variable that stores the current timestamp and then add 5 minutes to it and check if time has passed or not? The thing is that we haven't implemented Redis for FreeFlarum (yet - planned for recode) and database seems a bit overcomplicated to me.

Edit: I could try this library too, seems easy to use: https://github.com/Kurozora/laravel-cooldown

askvortsov

SKevo What if I create a variable

Where'd the variable be stored? Static isn't an option since PHP rebuilds the entire process every time.

It would have been nice to offer a timed throttler directly in core, but that brings us back to the "where do we store this" issue: we'd need to support Redis or some other driver directly in core, and that would be quite messy.

SKevo

askvortsov I agree with that... I am not a PHP developer, so I see why "static" variable isn't an option now, so thank you. I will try to find a way to implement this and come back if I find anything useful to share.

Edit: The package that I have listed, kurozora/laravel-cooldown is PHP ⁷.3, so not an option for FreeFlarum at the moment. I'll try it as soon as we update.

luceos

SKevo

- Noot Noot! -

Alright, I'll discuss it and we might just update to 7.4, and later to 8 (when Flarum supports it)... And hope that it goes well 🤞

Edit: Updated, testing it right now
Edit 2: 2difficult4mekthxbai