Question

Context: Someone wrote a bot that makes thousands of API calls on my webapp, which in turn relies on a Google API. I only want real users to use the webapp.

How do I prevent bots from accessing the API? One solution is to record the IP addresses and rate limit the calls. Another is to use a Captcha.

However, I am looking for an easy hack (clever, naive implementation) that prevents automated queries.

The web app is built with Ruby on Rails.

EDIT: My webapp performs some calculations and returns the result. The visitors are the general public and they only use it sporadically. They find my app through Google search results. So, they don't need to use an access token to use the site.


Solution

You can use a gem like Rack Attack to throttle user requests on various conditions. For example, allow a maximum of 5 requests from the same IP per second:

# Throttle requests to 5 requests per second per ip
Rack::Attack.throttle('req/ip', :limit => 5, :period => 1.second) do |req|
  # If the return value is truthy, the cache key for the return value
  # is incremented and compared with the limit. In this case:
  #   "rack::attack:#{Time.now.to_i/1.second}:req/ip:#{req.ip}"
  #
  # If falsy, the cache key is neither incremented nor checked.

  req.ip
end
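As an added example (not part of the original answer and not Rack::Attack's own code), here is a minimal Rack middleware that implements the same fixed-window per-IP counter the block above describes, built from the same cache-key shape. The clock is injectable so the window boundary can be exercised deterministically; the IP addresses used are constructed sample values.

```ruby
# Minimal fixed-window per-IP throttle in the style of the Rack::Attack rule above.
# Constructed for illustration; it is not Rack::Attack's implementation.
class IpThrottle
  LIMIT  = 5   # max requests per window (matches :limit => 5)
  PERIOD = 1   # window length in seconds (matches :period => 1.second)

  # store: any Hash-like counter cache (Rack::Attack uses Rails.cache)
  # clock: callable returning epoch seconds, injectable for deterministic tests
  def initialize(app, store: Hash.new(0), clock: -> { Time.now.to_i })
    @app, @store, @clock = app, store, clock
  end

  # Same key shape as "rack::attack:#{Time.now.to_i/1.second}:req/ip:#{req.ip}":
  # one counter per (time window, client IP). A new window starts a fresh count.
  def key_for(ip)
    "rack::attack:#{@clock.call / PERIOD}:req/ip:#{ip}"
  end

  def call(env)
    # REMOTE_ADDR is the socket peer; behind a reverse proxy you would instead
    # take the proxy-supplied client IP, but only from a proxy you control.
    ip = env['REMOTE_ADDR']
    count = (@store[key_for(ip)] += 1)
    if count > LIMIT
      # 429 Too Many Requests; Retry-After tells well-behaved clients how long to wait
      return [429, { 'content-type' => 'text/plain', 'retry-after' => PERIOD.to_s }, ['Retry later']]
    end
    @app.call(env)
  end
end

# Worked run: send n requests from one IP at a fixed instant and return the
# status codes observed (the first LIMIT succeed, the rest are throttled).
def simulate(n, ip, now)
  app = IpThrottle.new(->(_env) { [200, {}, ['ok']] }, clock: -> { now })
  n.times.map { app.call('REMOTE_ADDR' => ip).first }
end

p simulate(7, '203.0.113.10', 1_700_000_000) if __FILE__ == $0
```

Because the window is fixed rather than sliding, a client can make up to 2 * LIMIT requests across a window boundary; Rack::Attack has the same property, which is acceptable for the "easy hack" the question asks for.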

Other tips

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow