Dear all,
How do I add rate limiting for every user's access except the admin, to protect against attackers?
The package Hammer works well for rate limiting, at least using ETS. They don't recommend it for production, but if you are not a heavily distributed app it should be ok. They recommend Redis for production, but I have not been able to get Hammer talking to Redis, even though I have no other problems with Redis.
Anyway, to implement Hammer as a rate limiter, you can do it at the controller level, although I do it as a plug. Since you are rate limiting based on user, you can carve out an exception for your admin user.
The best model there would be to introduce some kind of role concept into your user model. This way, not only can you exempt the “admin” role, but you could set different rate limit policies for other roles. E.g., if you had power users who paid you to increase the velocity ceiling.
Hammer: Overview — hammer v6.2.1
A tutorial I found useful: Rate-limiting a Phoenix API with Hammer - ElixirCasts
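As an added illustration of the plug-plus-role approach described above (example code written for this thread, not taken from Hammer or the linked tutorial), here is a Phoenix plug that exempts the admin role and applies a per-role limit to everyone else. It assumes Hammer 6.x's `Hammer.check_rate/3`, an earlier auth plug that sets `conn.assigns.current_user`, and a hypothetical user struct with `:id` and `:role` fields.

```elixir
defmodule MyAppWeb.Plugs.RateLimit do
  @moduledoc """
  Per-user rate limiting with Hammer 6.x (ETS backend).
  Assumes an auth plug has already set `conn.assigns.current_user`
  and that the user struct carries `:id` and `:role` (hypothetical).
  """
  import Plug.Conn

  # Window length in ms and max requests per window, keyed by role.
  # Admins are exempted in the first `call/2` clause; unknown roles
  # fall back to the ordinary "user" policy.
  @limits %{
    "user" => {60_000, 60},
    "power_user" => {60_000, 600}
  }

  def init(opts), do: opts

  # Admin role bypasses the limiter entirely.
  def call(%Plug.Conn{assigns: %{current_user: %{role: "admin"}}} = conn, _opts), do: conn

  # Authenticated users: bucket per user id, policy per role.
  def call(%Plug.Conn{assigns: %{current_user: %{id: id, role: role}}} = conn, _opts) do
    {scale_ms, limit} = Map.get(@limits, role, @limits["user"])
    check(conn, "api:user:#{id}", scale_ms, limit)
  end

  # Unauthenticated requests: bucket per client IP with the default policy.
  # Note: if the app sits behind a proxy, `remote_ip` must first be rewritten
  # from a trusted forwarding header (e.g. with the remote_ip library), or
  # every client shares the proxy's bucket.
  def call(conn, _opts) do
    ip = conn.remote_ip |> :inet.ntoa() |> to_string()
    {scale_ms, limit} = @limits["user"]
    check(conn, "api:ip:#{ip}", scale_ms, limit)
  end

  defp check(conn, bucket, scale_ms, limit) do
    case Hammer.check_rate(bucket, scale_ms, limit) do
      {:allow, _count} ->
        conn

      {:deny, _limit} ->
        conn
        |> put_status(:too_many_requests)
        |> put_resp_header("retry-after", Integer.to_string(div(scale_ms, 1000)))
        |> Phoenix.Controller.json(%{error: "rate limit exceeded"})
        |> halt()
    end
  end
end
```

Place it in the router pipeline after the authentication plug (`plug MyAppWeb.Plugs.RateLimit`), otherwise `current_user` is not yet assigned and every request is treated as anonymous.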