honzabit / durable-limiter Goto Github PK

https://developers.cloudflare.com/durable-objects/api/transactional-storage-api/

I believe you want to wrap all puts and gets into a specific transation. There is a risk of a race condition between puts and gets since each durable object may interweave I/O operations

Responses can be stored/returned from the cache when the fixed window algorithm is used. Any rate-limited response can be safely stored in and returned from the cache, until the timestamp returned in the resets property.

On the other hand, the sliding window algorithm is not so cache-friendly, but I guess an approximation of cache time can possibly be computed here too using the distance of rate from limit and the interval.

Add a custom block time per rule by leveraging the cache.

I maybe completely misunderstanding this so forgive me if this is the case, but say we take:

ts_less_than: Math.floor(now / 1000 / parseInt(interval)) - parseInt(interval) * 2

This is number of intervals - the interval seconds * 2.

Shouldn't you be doing number of intervals -2 intervals aka:

Math.floor(now / 1000 / parseInt(interval)) - 2

Old keys need to be cleaned up to avoid unneeded storage charges.

The keys need to be restructured to also include the interval, and together with the window, stale keys can be identified and removed.

There are scenarios where this code is more cost-effective than CF's rate limiter and other scenarios where it could kill your budget.

Maybe using some on-the-fly calculations (like the cost calculator) on the traffic patterns, we could identify these scenarios effectively and integrate with the CF API to push the rate-limit rule closer to the edge. An alarm also could be used to trigger the rule's deletion every 1h, as if needed it would be automatically re-provisioned.

I'm pretty sure the caching expiration logic used is incorrect and causes requests to not be counted or rate limited

I had to remove the caching for it to actually work once deployed. I don't see how you can cache anything and count responses to be rate limited at the same time but I could be misunderstanding it 🤔