Ehsan-9412 asked ZhiLv-MSFT commented

Implement ASP.NET Core rate limit without an endpoint

I'm using the AspNetCoreRateLimit NuGet package. Currently it's working nicely, with something like the configuration below:

    "IpRateLimiting": {
      "EnableEndpointRateLimiting": true,
      "StackBlockedRequests": false,
      "RealIpHeader": "X-Real-IP",
      "ClientIdHeader": "X-ClientId",
      "HttpStatusCode": 429,
      "QuotaExceededResponse": {
        "Content": "Too many attempts",
        "ContentType": "application/json"
      },
      "GeneralRules": [
        {
          "Endpoint": "*:/register",
          "Period": "1h",
          "Limit": 15
        },
        . . .


I need to know if it is possible to use a rate limit for internal action methods. In fact I have an action method like this:

    public async Task<IActionResult> sendSMS(string mobileNumber)
    {
        // continued
    }

It is not called from the client side; it is always redirected to (RedirectTo) and called from other action methods. I need to set a rate limit on it, if that is possible.


dotnet-aspnet-core-mvc

The code sample you shared is a public action, not an internal one. A redirect is a type of HTTP response that tells the browser to do an HTTP GET to a URL location.

Are you worried clients will make HTTP requests directly to the public sendSMS() action? If so, rethink the design. Rather than doing a redirect, call a private method that sends the SMS message.


Other action methods like register, login, revalidate and resetPassword can access the sendSMS action method. Those action methods (login, register, revalidate, resetPassword) are called from the client browser and can be limited as I mentioned in my question. Private versus public is not the point of the question. Is it possible to limit an action method which is not called from the client browser and is always called from my web app? Thanks.

ZhiLv-MSFT answered ZhiLv-MSFT commented

Hi @Ehsan-9412,

Is it possible to limit an action method which is not called from the client browser and is always called from my web app?

You only want to call that sendSMS method/function from the code of other method(s) instead of exposing it as an action method, right?

In this scenario, you can apply the `NonAction` attribute to the method, code as below (the caller is made `async` so the `Task` returned by sendSMS is actually awaited):

    public async Task<IActionResult> Privacy()
    {
        // call the sendSMS method directly; it is no longer routable
        var result = await sendSMS("1001");

        return View();
    }

    [NonAction]
    public async Task<IActionResult> sendSMS(string mobileNumber)
    {
        // continued

        return Ok("send SMS");
    }

[Note] The NonAction attribute indicates that a controller method is not an action method. After using this attribute, the sendSMS method acts as a normal method, and you can't use the RedirectToAction() method to redirect to it. And if you call the method from the client/browser (via the URL), it will return a 404 page not found error.

In addition, you can consider creating a normal method instead of an action method, then call it from other action methods, code like this:

    public IActionResult Privacy()
    {
        var result = sendSMS("1001");

        return View();
    }

    public string sendSMS(string mobileNumber)
    {
        // continued

        return "Success";
    }


If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best Regards,
Dillion


Thanks for taking the time. Yes, you limited the sendSMS method and it was instructive to me. But I'm talking about rate limiting, so how can I limit sendSMS to be accessed only 10 times per hour per client IP, as I asked in the question: Implement ASP.NET Core rate limit without an endpoint. The method sendSMS is not an endpoint for the client and is not called directly by the user; if it were called directly, I would simply limit it like the code in my question.


Hi @Ehsan-9412,

From the AspNetCoreRateLimit documentation on defining rate limit rules, we can see that a rate limit rule applies to an endpoint; if sendSMS is not an endpoint, you can't set a rate limit for it. So there are two choices: 1. Make the sendSMS method an action method (endpoint); then you can set the rate limit via AspNetCoreRateLimit, but this method can be called directly by the user. 2. Make the sendSMS method a normal method; in this scenario you can't set the limit via AspNetCoreRateLimit, but this method is not called directly by the user.

Besides, you could consider creating your own rules to set the limitation, instead of using the AspNetCoreRateLimit package. Check the following workflow:

  1. Make the sendSMS method a normal method.

  2. In the controller, get the remote client IP address, and then store the client IP address and the number of times the sendSMS method has been accessed (you could also store the data in a database).

  3. When the user wants to access the sendSMS method, query the data from the session, determine whether the limit is exceeded or not, and then call the sendSMS method based on the result.

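The three-step workflow above, carried through as an added example (not code from the thread or from AspNetCoreRateLimit). The names `SmsRateLimiter`, `AccountController`, `TrySendSmsAsync` and the `Verify` action are assumptions. One deliberate change from step 3: the per-IP counter is kept in a process-wide singleton rather than in the session, because session state lives behind a client-controlled cookie and a caller could reset the count by dropping it; the limit of 10 per hour per IP is taken from the comment above.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Minimal hosting entry point. A single limiter instance is shared by every
// request so the counts survive across calls; 10 per hour per IP as in the thread.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddSingleton(new SmsRateLimiter(limit: 10, window: TimeSpan.FromHours(1)));
var app = builder.Build();
app.MapDefaultControllerRoute();
app.Run();

// Hypothetical fixed-window counter keyed by an arbitrary string (here the client IP).
// Not part of AspNetCoreRateLimit; it stands in for the session lookup in step 3.
public sealed class SmsRateLimiter
{
    private readonly ConcurrentDictionary<string, (DateTimeOffset WindowStart, int Count)> _buckets = new();
    private readonly int _limit;
    private readonly TimeSpan _window;

    public SmsRateLimiter(int limit, TimeSpan window)
    {
        _limit = limit;
        _window = window;
    }

    // Consumes one unit for `key` and reports whether the caller is still within quota.
    // A fresh window starts once the previous one is at least `_window` old.
    public bool TryAcquire(string key, DateTimeOffset now)
    {
        var bucket = _buckets.AddOrUpdate(
            key,
            _ => (now, 1),
            (_, b) => now - b.WindowStart >= _window ? (now, 1) : (b.WindowStart, b.Count + 1));
        return bucket.Count <= _limit;
    }
}

public class AccountController : Controller
{
    private readonly SmsRateLimiter _smsLimiter;

    public AccountController(SmsRateLimiter smsLimiter) => _smsLimiter = smsLimiter;

    // Public endpoint: still covered by the AspNetCoreRateLimit "*:/register" rule,
    // but the SMS quota is enforced inside the private helper, whichever action calls it.
    [HttpPost]
    public async Task<IActionResult> Register(string mobileNumber)
    {
        // ... validate input and create the account here ...
        if (!await TrySendSmsAsync(mobileNumber))
            return StatusCode(429, "Too many attempts");

        return RedirectToAction(nameof(Verify));
    }

    public IActionResult Verify() => Content("Enter the code we sent by SMS.");

    // Private, so it is never routable: only code in this app can reach it.
    private async Task<bool> TrySendSmsAsync(string mobileNumber)
    {
        if (!_smsLimiter.TryAcquire(ClientIp(), DateTimeOffset.UtcNow))
            return false;

        // The real SMS provider call goes here (omitted in this example).
        await Task.CompletedTask;
        return true;
    }

    private string ClientIp()
    {
        // RemoteIpAddress is the TCP peer. Behind a reverse proxy, configure
        // UseForwardedHeaders with KnownProxies/KnownNetworks instead of reading
        // X-Forwarded-For or X-Real-IP yourself, or the client picks its own bucket key.
        return HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
    }
}
```

Two caveats for production use: the dictionary never evicts old keys, so swap it for `IMemoryCache` with an absolute expiration (or a shared store such as Redis if you run more than one instance), and remember that keying on IP alone penalises everyone behind a shared NAT while doing nothing against a caller with many addresses, so it is a floor, not a complete anti-abuse control.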
Bruce-SqlWork answered

RedirectTo is carried out by the client, so as long as all your actions use a redirect you can throttle with the package. If an action calls the method directly, then only that action's throttle will be in effect.
