to not have your heroku instance spammed, you should protect your server APIs with jwt access with resource limiting for each distinct user. Refuse to answer requests without a jwt. Jwt : jwt.io/
in client, you are using the same pattern everytime with fetch/abortController. I would create a new hook called useAbortableFetch to wrap and reuse this Idea.
I did not know about the REST API naming conventions. I'll surely follow the guidelines. Most of my requests are verbs like getMovies and getMovieDetails like functions. I'll change them to nouns as per the guidelines. (I haven't read the guidelines fully so I may come up with something more appropriate).
I do not understand why would I need JWTs here.
Refuse to answer requests without a JWT.
But can you elaborate why would I need that? What exactly does "not have your Heroku instance spammed" mean?
Any pointers will be appreciated. 😄
Yes. I agree that part of the code is little WET. I was thinking the same while coding that part. A custom hook is a very good way indeed!
Thanks again for digging deep into the code and writing this! 😄
OK. Imagine that i'm a hacker wanting to shut down your website and deny to all your users the ability to request anything.
How would i do that ? as your project is open source i can see that your APIs are not protected. So if i spam your server with requests, i will for sure encounter the limits that where granted to you via your API key.
So ONE user can deny access to your APIs to ALL your users.
To mitigate that, what you usually want is to only deny the spamming user access to your APIs. for this you need to give the user a unique id and require each user to access your API with this id.
You can rate limit users based on their IP address (but if many different users are behind the same adress you will block all the legitimate users behind the adress),
You can rate limit users based on a unique id for each user behind the same IP adress by giving them a distinct JWT. In server side you create an id for a user (with IP inside as payload for exemple) and sign it by encapsulating it in a JWT. You then just check that this JWT is valid, and you should also give this JWT an expiration time (5 minutes to 20 minutes might be a good idea). Note that you need to use asymetric algorithm (like RS256) to really protect an API with JWTs.
Using the user IP for starting is fine, so you are rigth, you don't need JWT, but for more fine grained propection i would use a JWT that combine IP/expiration date to protect you APIs.
Thanks for the detailed explanation.
I understood what you are saying. I'll start implementing the said method of JWTs along with the IP as a payload. I'll figure out a good way.
I'll check the mentioned middleware too.
Thanks a lot again!
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Hi,
Nice work. Here is a succinct review.
Hello and thanks a lot for the points!
I did not know about the REST API naming conventions. I'll surely follow the guidelines. Most of my requests are verbs like
getMoviesandgetMovieDetailslike functions. I'll change them to nouns as per the guidelines. (I haven't read the guidelines fully so I may come up with something more appropriate).I do not understand why would I need JWTs here.
But can you elaborate why would I need that? What exactly does "not have your Heroku instance spammed" mean?
Any pointers will be appreciated. 😄
Thanks again for digging deep into the code and writing this! 😄
OK. Imagine that i'm a hacker wanting to shut down your website and deny to all your users the ability to request anything.
How would i do that ? as your project is open source i can see that your APIs are not protected. So if i spam your server with requests, i will for sure encounter the limits that where granted to you via your API key.
So ONE user can deny access to your APIs to ALL your users.
To mitigate that, what you usually want is to only deny the spamming user access to your APIs. for this you need to give the user a unique id and require each user to access your API with this id.
Using the user IP for starting is fine, so you are rigth, you don't need JWT, but for more fine grained propection i would use a JWT that combine IP/expiration date to protect you APIs.
Now for your API you can plug a rate limiter middleware, like this : github.com/animir/node-rate-limite...
Thanks for the detailed explanation.
I understood what you are saying. I'll start implementing the said method of JWTs along with the IP as a payload. I'll figure out a good way.
I'll check the mentioned middleware too.
Thanks a lot again!