Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

illogical pttl value leads to functional blacklisting #34

Closed
weisjohn opened this issue Nov 1, 2016 · 5 comments
Closed

illogical pttl value leads to functional blacklisting #34

weisjohn opened this issue Nov 1, 2016 · 5 comments

Comments

@weisjohn
Copy link

weisjohn commented Nov 1, 2016

I'm still trying to track down how this happened, but on my local redis (3.0.2) I see:

127.0.0.1:6379> get limit:::1:count
"-1"
127.0.0.1:6379> pttl limit:::1:count
(integer) -1

And according to http://redis.io/commands/pttl,

"The command returns -1 if the key exists but has no associated expire."

Should we check for -1 as well as null in https://github.com/scttcper/koa-simple-ratelimit/blob/master/index.js#L79 ?

As it is now, it can never get unset and the user (me) is hosed.
@weisjohn weisjohn mentioned this issue Nov 1, 2016
Closed
@weisjohn
Copy link
Author

weisjohn commented Nov 1, 2016

After deleting the key, everything was functioning correctly. I don't know how to reproduce the setting, however, it did happen without any special manipulation on my part.

@scttcper
Copy link
Owner

scttcper commented Nov 1, 2016

@weisjohn @niftylettuce it looks like if you have multiple connections at once we could have a race condition the results in -1. What they're talking about in this pull request. tj/node-ratelimiter#25 Maybe on the next request if the ttl is -1 we can delete the key.

@scttcper
Copy link
Owner

scttcper commented Nov 1, 2016
edited
Loading

Nevermind what I said its not multiple connections, I've reproduced it.

If the ttl is very short say 1ms left or something.
The key expires and is removed
A new key is decreased.
This key has no ttl and blacklists the user with a -1 value.

scttcper added a commit that referenced this issue Nov 2, 2016
@scttcper
fixes #34
27a767d 
	will set a new item in database if ttl is -1 or less which indicates the key has been decreased after ttl has expired
@scttcper
Copy link
Owner

scttcper commented Nov 2, 2016

@niftylettuce opened #35 let me know if you have any thoughts here

@niftylettuce
Copy link
Collaborator

Just wanted to follow up here - it's because we were using Number.MAX_VALUE in development which Redis doesn't like 👍. Switching it to 10000 was better - but ultimately I'm disabling rate limiting in dev 👍

niftylettuce added a commit to ladjs/api that referenced this issue Jun 23, 2018
@niftylettuce
Bumped deps, Added cors, Fixed rate limiting per scttcper/koa-simple-…
c87b14c 
…ratelimit#34
niftylettuce added a commit to ladjs/web that referenced this issue Jun 23, 2018
@niftylettuce
Bumped deps, Fixed rate limiting per scttcper/koa-simple-ratelimit#34
90e326e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@weisjohn @niftylettuce @scttcper