Why do I need to throttle usage?
Security in APIs is important and we might not want the APIs we build to be overly used. This could be to prevent DDoS attacks or to make sure no one tries to brute-force-use your API. To solve this problem I built a small attribute function that allows for throttling of a specific endpoint.
When I started writing this I got a lot of inspiration from this post on stack overflow.
Attribute code
Here is the code for the throttling attribute
1[AttributeUsage(AttributeTargets.Method)]2public class ThrottleAttribute : ActionFilterAttribute3{4 public string Name { get; set; }5 public int Seconds { get; set; }6 public string Message { get; set; }78 private static MemoryCache Cache { get; } = new MemoryCache(new MemoryCacheOptions());910 public override void OnActionExecuting(ActionExecutingContext c)11 {12 var key = string.Concat(Name, "-", c.HttpContext.Request.HttpContext.Connection.RemoteIpAddress);1314 if (!Cache.TryGetValue(key, out bool entry))15 {16 var cacheEntryOptions = new MemoryCacheEntryOptions()17 .SetAbsoluteExpiration(TimeSpan.FromSeconds(Seconds));1819 Cache.Set(key, true, cacheEntryOptions);20 }21 else22 {23 if (string.IsNullOrEmpty(Message))24 Message = "You may only perform this action every {n} seconds.";2526 c.Result = new ContentResult {Content = Message.Replace("{n}", Seconds.ToString())};27 c.HttpContext.Response.StatusCode = (int) HttpStatusCode.Conflict;28 }29 }30}
Example usage
1[Route("api/[controller]")]2public class ActionsController : Controller3{4 // GET /api/actions/throttle5 [HttpGet("throttle")]6 // Only allow access every 5 seconds7 [Throttle(Name = "ThrottleTest", Seconds = 5)]8 public object GetThrottle() => new9 {10 Message = "OK!"11 };12}