Remove rate limit for root user #83
Comments
KAIYOHUGO
added
P-Middle
|
Isn't your usecase for migration tools(from QMOJ to MDOJ)? I prefers implementing alternative authentication method(service account?), because it's easier to maintain two rate-limiting method. |
|
Maybe we could use alternative http header for service account, and always rate limit service account with ip address, so that blacklist feature that current rate-limiting implementation provided can continue to work. |
Yes
You mean something like API key? |
|
Yes, and it's likely that we would put API key in header. If you don't prefer that, I would just prefix normal token and API key. |
|
I think we can let We can add message CreateApiRequest {
// name of the api token
required string name = 1;
optional uint64 expiry = 2;
}
message ApiTokenInfo {
required string token = 1;
required google.protobuf.Timestamp expiry = 2;
}
service Api {
rpc Create(CreateApiRequest) returns (ApiTokenInfo);
// and some list/delete method, there is no refresh method
}for all service will prefer use |
|
I am thinking about removing rate limit entirely for ip address in a CIDR submask, so we could implement them faster. And I also think that a correct solution because we can't make a new functionality without enlarging attack surface. |
Root user should not be rate limited (So we can use tools to do something such as create problem in batch)
The text was updated successfully, but these errors were encountered: