A framework independent, flexible and highly extensible rate limiter for PHP.
It is best installed it through packagist
by including sunspikes/php-ratelimiter
in your project composer.json require:
"require": {
"sunspikes/php-ratelimiter": "dev-master"
}
You can also download it from Github, but no autoloader is provided so you'll need to register it with your own PSR-4 compatible autoloader.
// 1. Make a rate limiter with limit 3 attempts in 10 minutes
$cacheAdapter = new DesarrollaCacheAdapter((new DesarrollaCacheFactory())->make());
$settings = new ElasticWindowSettings(3, 600);
$ratelimiter = new RateLimiter(new ThrottlerFactory($cacheAdapter), new HydratorFactory(), $settings);
// 2. Get a throttler for path /login
$loginThrottler = $ratelimiter->get('/login');
// 3. Register a hit
$loginThrottler->hit()
// 4. Check if it reached the limit
if ($loginThrottler->check()) {
// access permitted
} else {
// access denied
}
// Or combine the steps 3 & 4
if ($loginThrottler->access()) {
// access permitted
} else {
// access denied
}
// To get the number of hits
print $loginThrottler->count(); // or count($throttler)
By default PHP Ratelimiter uses the desarolla2 cache adapter, the sample configuration provided in config/config.php
You can configure the drivers in config.php
, for example to use memcache change the driver to 'memcache'
return [
'default_ttl' => 3600,
'driver' => 'memcache',
'memcache' => [
//....
],
];
The PHP Ratelimiter is highly extensible, you can have custom adapters by implementing Sunspikes\Ratelimit\Cache\Adapter\CacheAdapterInterface
For example to use Doctrine cache adapter
class DoctrineCacheAdapter implements CacheAdapterInterface
{
public function __construct($cache)
{
$this->cache = $cache;
}
// Implement the methods
}
// Build adapter using APC cache driver
$adapter = new DoctrineCacheAdapter(new \Doctrine\Common\Cache\ApcCache());
Also you can have custom hydrators by implementing Sunspikes\Ratelimit\Throttle\Hydrator\DataHydratorInterface
For example to use a Symfony Request object instead of custom URL for ratelimiting
class RequestHydrator implements DataHydratorInterface
{
public function hydrate($data, $limit, $ttl)
{
// Make the key string
$key = $data->getClientIp() . $data->getPathInfo();
return new Data($key, $limit, $ttl);
}
}
// Hydrate the request to Data object
$hydrator = new RequestHydrator();
Then decorate or extend the HydratorFactory to recognize your data
use Hydrator\FactoryInterface;
class MyHydratorFactory implements FactoryInterface
{
private $defaultFactory;
public function __construct(FactoryInterface $defaultFactory)
{
$this->defaultFactory = $defaultFactory;
}
public function make($data)
{
if ($data instanceof Request) {
return new RequestHydrator();
}
return $this->defaultFactory->make($data);
}
}
An elastic window throttler will allow X requests in Y seconds. Any further access attempts will be counted, but return false as status. Note that the window will be extended with Y seconds on every hit. This means there need to be no hits during Y seconds for the counter to be reset to 0.
See Overview example for instantiation.
All the following throttlers use time functions, thus needing a different factory for construction:
$cacheAdapter = new DesarrollaCacheAdapter((new DesarrollaCacheFactory())->make());
$timeAdapter = new PhpTimeAdapter();
$throttlerFactory = new TimeAwareThrottlerFactory($cacheAdapter, $timeAdapter);
$hydratorFactory = new HydratorFactory();
//$settings = ...
$ratelimiter = new RateLimiter($throttlerFactory, $hydratorFactory, $settings);
A fixed window throttler will allow X requests in the Y seconds since the first request. Any further access attempts will be counted, but return false as status. The window will not be extended at all.
// Make a rate limiter with limit 120 attempts per minute
$settings = new FixedWindowSettings(120, 60);
A moving window throttler will allow X requests during the previous Y seconds. Any further access attempts will be counted, but return false as status. The window is never extended beyond Y seconds.
// Make a rate limiter with limit 120 attempts per minute
$settings = new MovingWindowSettings(120, 60);
A leaky bucket throttler will allow X requests divided over time Y.
Any access attempts past the threshold T (default: 0) will be delayed by Y / (X - T)
access()
will return false if delayed, hit()
will return the number of milliseconds waited
Note: Time limit for this throttler is in milliseconds, where it is seconds for the other throttler types!
// Make a rate limiter with limit 120 attempts per minute, start delaying after 30 requests
$settings = new LeakyBucketSettings(120, 60000, 30);
The retrial queue encapsulates another throttler. When this throttler receives a hit which would fail on the internal throttler, the request is delayed until the internal throttler has capacity again.
// Make a leaky bucket ratelimiter which delays any overflow
$settings = new RetrialQueueSettings(new LeakyBucketSettings(120, 60000, 120));
Krishnaprasad MG [@sunspikes]
Please feel free to send pull requests.
This is an open-sourced software licensed under the MIT license.