@Api\Security\MaxRequestsPerMinute

Limiting number of requests to an endpoint

This annotation allows you limit the number of request to an endpoint per minute from the current IP-address.

The basic syntax is:

@Api\Security\MaxRequestsPerMinute( $limit, $identifier )

An example would be:

// Limit access to all endpoints with "my_id" to 10 per IP and minute
@Api\Security\MaxRequestsPerMinute( 10, "my_id" )

// Limit overall access to all endpoints using this annotation to 10 per IP and minute
@Api\Security\MaxRequestsPerMinute( 10 )

Exceeding the given number will result in an 403 Error response.

The optional argument my_id can be any arbitrary key.

When using the same key in multiple endpoints, all endpoint calls with the same key will be counted
Without an id, all endpoints using the annotation will be counted

<?php

namespace My\Extension\Api;

use Nng\Nnrestapi\Annotations as Api;
use Nng\Nnrestapi\Api\AbstractApi;

/**
 * @Api\Endpoint()
 */
class Example extends AbstractApi
{
   /**
    * @Api\Security\MaxRequestsPerMinute(5, "getSettings")
    * @Api\Access("public")
    *
    * @return array
    */
   public function getSettingsAction() 
   {
      return ['nice'=>'result'];
   }

}

Hint

The \nn\rest::Security()-Helper has many useful methods in case you would like to handle checking for limits and locking users manually.

Have a look at \Nng\Nnrestapi\Utilities\Security for more details.

// returns FALSE if IP has exceeded number of requests for `my_key`
$isBelowLimit = \nn\rest::Security( $this->request )->maxRequestsPerMinute(['my_key'=>60]);

// manually lock an IP for 5 minutes
\nn\rest::Security( $this->request )->lockIp( 300, 'Reason why...' );

// unlock the IP
\nn\rest::Security( $this->request )->unlockIp();