Posted on Sep 22, 2022

Rate Limits Phoenix

Ever wondered how to protect your APi/Backend from Spam? Here is how.

Requirements:

Elixir v13.3.2 +
Phoenix v1.6.10+
Basic Knowledge of Elixir

$ elixir -v Elixir 1.13.2 (compiled with Erlang/OTP 24) $ mix phx.new --version Phoenix installer v1.6.10

Getting started

Create a new Phoenix Project

$ mix phx.new ratelimit --no-mailer --no-assets --no-html --no-ecto --no-dashboard

If you will be asked to install some dependencies, answer with y (yes).

Adding Dependencies

Lets add some dependencies that will help us doing all of this
mix.exs

defp deps do [ # here is some other stuff # <-- add the stuff below here --> # http {:httpoison, "~> 1.8"}, # rate limit {:hammer, "~> 6.1"}, ] end

For the rate limits, we will use the following library
https://github.com/ExHammer/hammer

Install dependencies

$ mix deps.get

Project files

Now lets get our hands dirty by creating some helper functions.

lib/ratelimit/base.ex

defmodule Ratelimit.Base do use HTTPoison.Base @moduledoc """ This handles HTTP requests without api key (basic requests). """ def process_request_headers(headers) do [{"Content-Type", "application/json"} | headers] end end

Now lets add a function that gets the IP of the user visiting our website.
lib/ratelimit/helper/getip.ex

defmodule Ratelimit.IP do @doc """ Get the IP address of the current user visiting the route. Formatted as a string: "123.456.78.9" """ # {:ok, String.t()} | {:error, :api_down} @spec getIP() :: {String.t() | :api_down} def getIP() do ip_url = "https://api.ipify.org/" case Ratelimit.Base.get!(ip_url) do %HTTPoison.Response{body: body, status_code: 200} -> body %HTTPoison.Response{status_code: status_code} when status_code > 399 -> IO.inspect(status_code, label: "STATUS_CODE") :error _ -> raise "APi down" end end end

Awesome, now lets create a file that handles our ratelimits
lib/ratelimit/util/ratelimit.ex

defmodule RatelimitWeb.Plugs.RateLimiter do import Plug.Conn use RatelimitWeb, :controller alias Ratelimit.IP require Logger # two request / minute are allowed @limit 2 def init(options), do: options def call(conn, _opts) do # call the ip function ip = IP.getIP() case Hammer.check_rate(ip, 60_000, @limit) do {:allow, count} -> assign(conn, :requests_count, count) {:deny, _limit} -> # Beep Boop, remove this in production Logger.debug("Rate limit exceeded for #{inspect(ip)}") error_response(conn) end end defp error_response(conn) do conn |> put_status(:service_unavailable) # set the json status |> json(%{message: "Please wait before sending another request."}) # return an error message |> halt() # stop the process end end

Now we have to configure Hammer in our config files.
For that, open config/config.exs and add this line here:

# Config the rate limiter config :hammer, backend: {Hammer.Backend.ETS, [expiry_ms: 60_000 * 60 * 4, cleanup_interval_ms: 60_000 * 10]}

Adding the Controller

Now we have to create a simple controller for our website.
lib/ratelimit_web/controllers/page_controller.ex

defmodule RatelimitWeb.PageController do use RatelimitWeb, :controller def index(conn, _params) do send_resp(conn, 200, "Hello there!") end end

and we have to edit our lib/ratelimit_web/router.ex to the following

pipeline :api do # add the rate limit plug here plug RatelimitWeb.Plugs.RateLimiter plug :accepts, ["json"] end scope "/api", RatelimitWeb do pipe_through :api # add this here get "/test", PageController, :index end