I have a slightly unusual problem. One of our clients has a public API that is built on Elixir / Phoenix / Postgres.
I am thinking of rate-limiting access to the API because we are already getting hundreds of requests per second, and a lot of clients seem to have built very lazy clients that just hit our API every second or so.
While I can fairly easily implement something like plug-attack, which would return 401 / 403 / a custom status code instantly, and I actually tried this approach, this fails to prevent attempts to contact the API, and also breaks some of the customers' code that consumes the API in naive loops.
I wonder if I get myself into trouble by implementing a Plug or cowboy handler that pauses instead of returning a status code instantly for these abusive clients.
So, when a user goes above the rate limit, we simply :timer.sleep(10_000) in a Plug or similar.
Has someone here tried such an approach, or maybe knows of tools that I can use in front of my API to facilitate this behavior?
I am slightly worried about doing that on the Elixir side, as this would mean maintaining these connections in memory, and also possibly hitting system limits on open file descriptors etc. But maybe it’d be simply OK.
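Added example (not from the original post or any library) of the sleeping-Plug idea described above, with a cap on how many connections may be parked at once to address the file-descriptor concern; the module name, the option names and the ETS table name are assumptions.

```elixir
defmodule MyApp.Plugs.DelayingRateLimit do
  @moduledoc """
  Hypothetical Plug (added example): requests over the per-second limit are
  held with Process.sleep/1 rather than rejected, but only while fewer than
  max_parked connections are parked; beyond that it fails fast with a 429.
  """
  @behaviour Plug
  import Plug.Conn
  @table :delaying_rate_limit
  @window_ms 1_000

  def init(opts), do: Keyword.merge([limit: 5, delay_ms: 2_000, max_parked: 200], opts)

  def call(conn, opts) do
    ensure_table()
    window = div(System.monotonic_time(:millisecond), @window_ms)
    key = {:hits, client_key(conn), window}
    hits = :ets.update_counter(@table, key, {2, 1}, {key, 0})

    cond do
      hits <= opts[:limit] ->
        conn

      :ets.update_counter(@table, :parked, {2, 1}, {:parked, 0}) <= opts[:max_parked] ->
        # Over the limit and a slot is free: block only this request process.
        # If it is killed mid-sleep the slot leaks; track slots with monitors in production.
        Process.sleep(opts[:delay_ms])
        :ets.update_counter(@table, :parked, {2, -1})
        conn

      true ->
        # No slot free: give it back and fail fast instead of holding a socket open.
        :ets.update_counter(@table, :parked, {2, -1})
        conn
        |> put_resp_header("retry-after", "1")
        |> send_resp(429, "Too Many Requests")
        |> halt()
    end
  end

  defp client_key(conn), do: conn.remote_ip |> :inet.ntoa() |> to_string()

  # Lazy creation is racy on the first requests; in a real app create the table from a
  # supervised process at boot and periodically sweep old {:hits, _, _} keys.
  defp ensure_table do
    :ets.new(@table, [:named_table, :public, :set, write_concurrency: true])
  rescue
    ArgumentError -> :ok
  end
end
```

Each parked request still holds a socket and a request process for the whole sleep, so max_parked should stay well below the listener's connection limit and the OS file-descriptor limit.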