mirror of
https://github.com/Unleash/unleash.git
synced 2025-02-09 00:18:00 +01:00
b06613d1b0
### What The heaviest requests we serve are the register and metrics POSTs from our SDKs/clients. This PR adds ratelimiting to /api/client/register, /api/client/metrics, /api/frontend/register and /api/frontend/metrics with a default set to 6000 requests per minute (or 100 rps) for each of the endpoints. It will be overrideable by the environment variables documented. ### Points of discussion @kwasniew already suggested using featuretoggles with variants to control the rate per clientId. I struggled to see if we could dynamically update the middleware after initialisation, so this attempt will need a restart of the pod to update the request limit.
241 lines
8.0 KiB
TypeScript
241 lines
8.0 KiB
TypeScript
import { Request, Response } from 'express';
|
|
import Controller from '../controller';
|
|
import {
|
|
IFlagResolver,
|
|
IUnleashConfig,
|
|
IUnleashServices,
|
|
NONE,
|
|
} from '../../types';
|
|
import { Logger } from '../../logger';
|
|
import ApiUser from '../../types/api-user';
|
|
import {
|
|
ClientMetricsSchema,
|
|
createRequestSchema,
|
|
createResponseSchema,
|
|
emptyResponse,
|
|
getStandardResponses,
|
|
ProxyClientSchema,
|
|
proxyFeaturesSchema,
|
|
ProxyFeaturesSchema,
|
|
} from '../../openapi';
|
|
import { Context } from 'unleash-client';
|
|
import { enrichContextWithIp } from '../../proxy';
|
|
import { corsOriginMiddleware } from '../../middleware';
|
|
import NotImplementedError from '../../error/not-implemented-error';
|
|
import NotFoundError from '../../error/notfound-error';
|
|
import rateLimit from 'express-rate-limit';
|
|
import { minutesToMilliseconds } from 'date-fns';
|
|
|
|
interface ApiUserRequest<
|
|
PARAM = any,
|
|
ResBody = any,
|
|
ReqBody = any,
|
|
ReqQuery = any,
|
|
> extends Request<PARAM, ResBody, ReqBody, ReqQuery> {
|
|
user: ApiUser;
|
|
}
|
|
|
|
type Services = Pick<
|
|
IUnleashServices,
|
|
'settingService' | 'proxyService' | 'openApiService'
|
|
>;
|
|
|
|
export default class ProxyController extends Controller {
|
|
private readonly logger: Logger;
|
|
|
|
private services: Services;
|
|
|
|
private flagResolver: IFlagResolver;
|
|
|
|
constructor(
|
|
config: IUnleashConfig,
|
|
services: Services,
|
|
flagResolver: IFlagResolver,
|
|
) {
|
|
super(config);
|
|
this.logger = config.getLogger('proxy-api/index.ts');
|
|
this.services = services;
|
|
this.flagResolver = flagResolver;
|
|
|
|
// Support CORS requests for the frontend endpoints.
|
|
// Preflight requests are handled in `app.ts`.
|
|
this.app.use(corsOriginMiddleware(services, config));
|
|
|
|
this.route({
|
|
method: 'get',
|
|
path: '',
|
|
handler: this.getProxyFeatures,
|
|
permission: NONE,
|
|
middleware: [
|
|
this.services.openApiService.validPath({
|
|
tags: ['Frontend API'],
|
|
operationId: 'getFrontendFeatures',
|
|
responses: {
|
|
200: createResponseSchema('proxyFeaturesSchema'),
|
|
...getStandardResponses(401, 404),
|
|
},
|
|
summary:
|
|
'Retrieve enabled feature toggles for the provided context.',
|
|
description:
|
|
'This endpoint returns the list of feature toggles that the proxy evaluates to enabled for the given context. Context values are provided as query parameters. If the Frontend API is disabled 404 is returned.',
|
|
}),
|
|
],
|
|
});
|
|
|
|
this.route({
|
|
method: 'post',
|
|
path: '',
|
|
handler: ProxyController.endpointNotImplemented,
|
|
permission: NONE,
|
|
});
|
|
|
|
this.route({
|
|
method: 'get',
|
|
path: '/client/features',
|
|
handler: ProxyController.endpointNotImplemented,
|
|
permission: NONE,
|
|
});
|
|
|
|
this.route({
|
|
method: 'post',
|
|
path: '/client/metrics',
|
|
handler: this.registerProxyMetrics,
|
|
permission: NONE,
|
|
middleware: [
|
|
this.services.openApiService.validPath({
|
|
tags: ['Frontend API'],
|
|
summary: 'Register client usage metrics',
|
|
description: `Registers usage metrics. Stores information about how many times each toggle was evaluated to enabled and disabled within a time frame. If provided, this operation will also store data on how many times each feature toggle's variants were displayed to the end user. If the Frontend API is disabled 404 is returned.`,
|
|
operationId: 'registerFrontendMetrics',
|
|
requestBody: createRequestSchema('clientMetricsSchema'),
|
|
responses: {
|
|
200: emptyResponse,
|
|
204: emptyResponse,
|
|
...getStandardResponses(400, 401, 404),
|
|
},
|
|
}),
|
|
rateLimit({
|
|
windowMs: minutesToMilliseconds(1),
|
|
max: config.metricsRateLimiting.frontendMetricsMaxPerMinute,
|
|
validate: false,
|
|
standardHeaders: true,
|
|
legacyHeaders: false,
|
|
}),
|
|
],
|
|
});
|
|
|
|
this.route({
|
|
method: 'post',
|
|
path: '/client/register',
|
|
handler: this.registerProxyClient,
|
|
permission: NONE,
|
|
middleware: [
|
|
this.services.openApiService.validPath({
|
|
tags: ['Frontend API'],
|
|
summary: 'Register a client SDK',
|
|
description:
|
|
'This is for future use. Currently Frontend client registration is not supported. Returning 200 for clients that expect this status code. If the Frontend API is disabled 404 is returned.',
|
|
operationId: 'registerFrontendClient',
|
|
requestBody: createRequestSchema('proxyClientSchema'),
|
|
responses: {
|
|
200: emptyResponse,
|
|
...getStandardResponses(400, 401, 404),
|
|
},
|
|
}),
|
|
rateLimit({
|
|
windowMs: minutesToMilliseconds(1),
|
|
max: config.metricsRateLimiting
|
|
.frontendRegisterMaxPerMinute,
|
|
validate: false,
|
|
standardHeaders: true,
|
|
legacyHeaders: false,
|
|
}),
|
|
],
|
|
});
|
|
|
|
this.route({
|
|
method: 'get',
|
|
path: '/health',
|
|
handler: ProxyController.endpointNotImplemented,
|
|
permission: NONE,
|
|
});
|
|
|
|
this.route({
|
|
method: 'get',
|
|
path: '/internal-backstage/prometheus',
|
|
handler: ProxyController.endpointNotImplemented,
|
|
permission: NONE,
|
|
});
|
|
}
|
|
|
|
private static async endpointNotImplemented(
|
|
req: ApiUserRequest,
|
|
res: Response,
|
|
) {
|
|
const error = new NotImplementedError(
|
|
'The frontend API does not support this endpoint.',
|
|
);
|
|
res.status(error.statusCode).json(error);
|
|
}
|
|
|
|
private async getProxyFeatures(
|
|
req: ApiUserRequest,
|
|
res: Response<ProxyFeaturesSchema>,
|
|
) {
|
|
if (!this.config.flagResolver.isEnabled('embedProxy')) {
|
|
throw new NotFoundError();
|
|
}
|
|
const toggles = await this.services.proxyService.getProxyFeatures(
|
|
req.user,
|
|
ProxyController.createContext(req),
|
|
);
|
|
|
|
res.set('Cache-control', 'public, max-age=2');
|
|
|
|
this.services.openApiService.respondWithValidation(
|
|
200,
|
|
res,
|
|
proxyFeaturesSchema.$id,
|
|
{ toggles },
|
|
);
|
|
}
|
|
|
|
private async registerProxyMetrics(
|
|
req: ApiUserRequest<unknown, unknown, ClientMetricsSchema>,
|
|
res: Response,
|
|
) {
|
|
if (!this.config.flagResolver.isEnabled('embedProxy')) {
|
|
throw new NotFoundError();
|
|
}
|
|
|
|
if (this.config.flagResolver.isEnabled('disableMetrics')) {
|
|
res.sendStatus(204);
|
|
return;
|
|
}
|
|
|
|
await this.services.proxyService.registerProxyMetrics(
|
|
req.user,
|
|
req.body,
|
|
req.ip,
|
|
);
|
|
res.sendStatus(200);
|
|
}
|
|
|
|
private async registerProxyClient(
|
|
req: ApiUserRequest<unknown, unknown, ProxyClientSchema>,
|
|
res: Response<string>,
|
|
) {
|
|
if (!this.config.flagResolver.isEnabled('embedProxy')) {
|
|
throw new NotFoundError();
|
|
}
|
|
// Client registration is not yet supported by @unleash/proxy,
|
|
// but proxy clients may still expect a 200 from this endpoint.
|
|
res.sendStatus(200);
|
|
}
|
|
|
|
private static createContext(req: ApiUserRequest): Context {
|
|
const { query } = req;
|
|
return enrichContextWithIp(query, req.ip);
|
|
}
|
|
}
|