
I am working on a mobile app and its API, which uses a private token for every user for authentication.

I want to make sure that no one will misuse the API to crawl my data or to spam my database. Even if I won't publish their posts until they get manual approval, it's still spam and a headache for the data quality guys.

I am using RoR and I thought about using Redis to store a counter for every user; if he reaches a specific number of visits, I can throttle or block his requests. But it will take forever for me to implement the logic, to put a weight on every request, and to write a worker to reset the counters every couple of hours or every day.

Of course I thought about using ready-made tools like Fail2ban or even AWS WAF, because I'm running the app on AWS EB. But I want to use the user ID as the identifier and not the IP, because maybe someone will use proxies to crawl or to spam, and I think there is a smarter approach than this manual one.

Morad Edwar
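A per-user, weighted, fixed-window limiter of the kind the question sketches, as an added example in Ruby (not code from the question or its author). The counter is keyed by the authenticated user ID plus the current window, so the window rollover comes from the key and Redis's own key expiry replaces the reset worker. `MemoryStore` is a constructed stand-in for the redis-rb client so the example runs offline; with redis-rb the same calls are `incrby`, `expire` and `ttl`.

```ruby
# Constructed in-memory stand-in for the Redis commands used below (assumption:
# a real deployment passes a redis-rb client with the same method names).
class MemoryStore
  def initialize
    @counts = Hash.new(0)
    @ttls = {}
  end

  def incrby(key, n)
    @counts[key] += n
  end

  def expire(key, secs)
    @ttls[key] = secs
    true
  end

  def ttl(key)
    @ttls.fetch(key, -1)
  end
end

class UserRateLimiter
  # limit: maximum total cost per window; window: seconds; weights: action => cost
  # (unknown actions cost 1). clock is injectable so windows can be tested.
  def initialize(store, limit:, window:, weights: {}, clock: -> { Time.now })
    @store, @limit, @window, @weights, @clock = store, limit, window, weights, clock
  end

  # Returns [allowed?, cost_used_in_window]. Keyed by user id (from the auth
  # token), not client IP, so rotating proxies do not reset the budget.
  def check(user_id, action)
    cost = @weights.fetch(action, 1)
    bucket = (@clock.call.to_i / @window) * @window   # start of the fixed window
    key = "ratelimit:#{user_id}:#{bucket}"
    used = @store.incrby(key, cost)
    # First hit in this window: set a TTL so Redis drops the counter itself.
    @store.expire(key, @window * 2) if used == cost
    [used <= @limit, used]
  end
end
```

A fixed window lets a client spend up to twice the limit across a window boundary; if that matters, a sliding window (e.g. a sorted set of request timestamps per user) tightens it at the cost of more memory per user.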
  • If you're potentially already using Redis there are plenty of packages on npm for rate limiting that you could use in conjunction with server-side sessions. – li x Apr 10 '18 at 12:12

0 Answers