Silhouette

Rate limiting

Suggest Edits

Silhouette can be combined with play-guard to provide rate-limiting based on the needs of your specific application (note: Silhouette does not hold any dependency to play-guard). Common use cases are things such as throttling by IP, as well as throttling a computationally expensive endpoint for an authenticated user not to spam refresh.

The following is an example for building a rate limiting action for a user that is already logged In:

/**
 * A Limiter for user logic.
 */
object UserLimiter {

  /**
   * A Rate limiter Function for.
   *
   * @param rateLimiter The rate limiter implementation.
   * @param reject The function to apply on reject.
   * @param requestKeyExtractor The Request Parameter we want to filter from.
   * @param actorSystem The implicit Akka Actor system.
   * @tparam K the key by which to identify the user.
   */
  def apply[T <: Env, R[_] <: SecuredRequest[T, _], K](rateLimiter: RateLimiter)(
    reject: R[_] => Result, requestKeyExtractor: R[_] => K
  )(
    implicit 
    actorSystem: ActorSystem
  ): RateLimitActionFilter[R] with ActionFunction[R, R] = {
    new RateLimitActionFilter[R](rateLimiter)(reject, requestKeyExtractor) with ActionFunction[R, R]
  }
}

We could then define our own implementation of the filter as follows:

type Secured[B] = SecuredRequest[MyEnv, B]

/**
   * A default user filter implementation.
   *
   * @param ac The Akka Actor System implicitly provided.
   */
  def defaultUserFilter(implicit ac: ActorSystem): RateLimitActionFilter[Secured] with ActionFunction[Secured, Secured] = {
    (UserLimiter.apply[MyEnv, Secured, UUID](new RateLimiter(10, 1f / 10, "Default User Limiter"))
      (_ => Results.TooManyRequests("You've been refreshing too much. Please try again in 10 seconds"), r => r.identity.userID))
  }

We can then compose actions for some arbitrary, dependency injected controller as such:

class MyController @Inject()(silhouette: Silhouette[MyEnv])(implicit ac: ActorSystem) extends Controller {

  private val defaultUserFilter = UserLimiter.defaultUserFilter
  
  def myAction: Action[AnyContent] = (silhouette.SecuredAction andThen defaultUserFilter).async {
    implicit request =>
      
    //..Your custom logic here
  }
}

We can also leverage some of the built-in limiters within play-guard. In the following example, we will use the built-in HttpErrorLimitAction to throttle the number of logins a user from a particular IP can make before they are throttled from logging in entirely within some controller:

/**
 * A rate limiter based on failed requests.
 */
private val httpErrorRateLimited: ActionBuilder[Request] =
  HttpErrorRateLimitAction(new RateLimiter(2, 1f / 10, "test failure rate limit")) { _ => Results.TooManyRequests("failure rate exceeded") }
    
def submit = (httpErrorRateLimited andThen silhouette.UnsecuredAction).async { implicit request => 
  ...
}

Updated less than a minute ago