With the global incidence of ill-behaved distributed crawling overloading sites, rate limits are in many of our minds.
The rate_limit feature, since Rails 7.2, is potentially a nice building block for building more on top, so I’ve been looking at it.
Because of how it calculates cache keys based on current controller, it looks like the rates it calculates are necessarily per controller, not global.
Am I understanding this right? If you pass in a name argument, you can have a separate counter that is not shared with others in the controller – but the counter is still restricted to each particular controller, since the key name prefix still involves controller_path.
If you want to declare an application-wide rate limit – say a particular agent is limited to only 10 requests per second across the entire site, you are currently out of luck.
Even if you declare it in your application controller, you’ll end up with a separate counter per controller – actual agent or IP will be limited to 10 requests per second per controller – since the cache_key with controller_path is executed inside a before_action, at individual request time.
Do I have this right? Is this intentional? Is wanting a global cross-controller counter a common use case? Are people going to be surprised by how it works if they try? Should there be a way to get a global counter if you want one? What would be a reasonable change to make this possible?
I hope it gets merged, and in the meantime I may patch it into my app (or put it in with a different name) – the rate_limit implementation is only 5 localized lines long, so easy enough to change locally if I want.
I don’t know if there’s anything we can do to make it more likely to get merged?
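
Added example, not part of the original post and not Rails' own code: a stand-alone Ruby model of the key layout the post describes (a prefix, then controller_path, the optional name, and the client identity), comparing how many requests one client gets through when the counter is per controller versus shared site-wide. The `WindowStore` and `ModelLimiter` classes, the `scope:` option and the sample traffic are hypothetical and constructed for illustration.

```ruby
# Fixed-window counter; stands in for the cache store (assumption, not Rails code).
class WindowStore
  def initialize
    @counts = Hash.new(0)
  end

  # Increments and returns the count for this key in this window.
  def increment(key, window)
    @counts[[key, window]] += 1
  end
end

# Hypothetical limiter modelling the key layout described in the post.
class ModelLimiter
  def initialize(to:, within:, scope: :controller, name: nil)
    @to, @within, @scope, @name = to, within, scope, name
    @store = WindowStore.new
  end

  # scope: :global (hypothetical option) drops the controller segment,
  # so every controller shares one counter per client.
  def cache_key(controller_path, client)
    path = @scope == :controller ? controller_path : nil
    ["rate-limit", path, @name, client].compact.join(":")
  end

  # true if the request is allowed, false if it would be rejected.
  def allow?(controller_path, client, at:)
    window = (at / @within).floor
    @store.increment(cache_key(controller_path, client), window) <= @to
  end
end

# Constructed traffic: one client sends `per_controller` requests to each
# controller inside the same one-second window.
def allowed_count(limiter, controllers, client:, per_controller:)
  controllers.sum do |path|
    per_controller.times.count { limiter.allow?(path, client, at: 0.5) }
  end
end

CONTROLLERS = %w[posts comments search users tags].freeze
CLIENT = "203.0.113.7" # documentation-range address, constructed

if __FILE__ == $PROGRAM_NAME
  per_ctrl = ModelLimiter.new(to: 10, within: 1)
  site_wide = ModelLimiter.new(to: 10, within: 1, scope: :global)
  puts allowed_count(per_ctrl, CONTROLLERS, client: CLIENT, per_controller: 20)
  puts allowed_count(site_wide, CONTROLLERS, client: CLIENT, per_controller: 20)
end
```

With a limit of 10 per second, the per-controller key lets the client's effective budget grow with the number of controllers it touches, while the shared key holds it at 10.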