May 2, 2019

Rate Limiting RESTful Api Requests using Action Filter Attributes - C# ASP.Net Core Web Api

“In computer networks, rate limiting is used to control the rate of traffic sent or received by a network interface controller and is used to prevent DDoS attacks.”

…We’re not going to be looking at preventing DDoS attacks today, but we are going to look at a simple method for limiting the number of times your users can request a particular endpoint within your C# ASP.Net Core Web Api.

Enter “ASP.Net Core Action Filter Attributes”…

The C# ASP.Net MVC Core framework supports four different types of filters:

  1. Authorization filters – Implement the IAuthorizationFilter interface.
  2. Action filters – Implement the IActionFilter interface.
  3. Result filters – Implement the IResultFilter interface.
  4. Exception filters – Implement the IExceptionFilter interface.

Today we’re going to look at using an action filter, which is an attribute. You can apply most action filters to either an individual controller action or an entire controller.

“Action filters are used to implement the logic that gets executed before or after a controller action executes.”

Let’s Code…

To begin with, we need a class that inherits from ActionFilterAttribute.

Our action filter attribute contains a few properties: a name for uniqueness, an integer to store the number of seconds we’re basing our rate limiting on, and a cache for managing our rate limiting.

Next, we need to override the virtual OnActionExecuting method from our inherited class. Within this method we are doing the following:

  1. Obtaining the user’s IP address.

  2. Storing the IP address in our memory cache, with a timeout based on the number of seconds we have assigned to our rate limiting action filter attribute.

  3. Returning an error message and a relevant status code (HTTP 429), in the event that the user hits our rate limit for the Api.

Now to apply our action filter attribute to our desired controller action. I’ve added a simple Api endpoint for this example, and applied the attribute to the method, stating that we want to rate limit to 1 request, every 5 seconds.
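The steps above as one added example (not the original post's code, which is not reproduced on this page). The names `RateLimitAttribute`, `ValuesController`, the route and the `"values-get"` name are assumptions chosen for illustration.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Caching.Memory;

[AttributeUsage(AttributeTargets.Method)]
public class RateLimitAttribute : ActionFilterAttribute
{
    // Name keeps cache keys unique per decorated action.
    public string Name { get; set; }
    // Length of the window in which one request per client is allowed.
    public int Seconds { get; set; }

    // One process-wide cache shared by every use of the attribute.
    private static readonly MemoryCache Cache =
        new MemoryCache(new MemoryCacheOptions());

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // Behind a reverse proxy this is the proxy's address unless
        // forwarded-headers middleware is set up for trusted proxies only.
        var ip = context.HttpContext.Connection.RemoteIpAddress;
        var key = $"{Name}-{ip}";

        // Check-then-set is not atomic: two simultaneous requests can both
        // pass. Acceptable for a simple limiter, not for strict enforcement.
        if (Cache.TryGetValue(key, out object _))
        {
            // Setting Result short-circuits the pipeline; the action never runs.
            context.Result = new ContentResult
            {
                Content = $"Requests are limited to 1 every {Seconds} seconds.",
                StatusCode = StatusCodes.Status429TooManyRequests
            };
            return;
        }
        // The entry expires after the window, which re-opens the endpoint.
        Cache.Set(key, true, TimeSpan.FromSeconds(Seconds));
    }
}

[ApiController]
[Route("api/[controller]")]
public class ValuesController : ControllerBase
{
    [HttpGet]
    [RateLimit(Name = "values-get", Seconds = 5)] // 1 request every 5 seconds
    public ActionResult<string> Get() => "ok";
}
```

Because the cache lives in process memory, each instance of a load-balanced deployment enforces its own limit, and the counters reset when the application restarts.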

Let’s now submit multiple requests to our endpoint and see what happens:

…As expected, our action filter attribute returned an error message, along with an HTTP 429 “Too Many Requests” status code.

Enjoy!