[bisq-network/bisq] Define gRPC api call rate constraints (#5103)

Stan notifications at github.com
Mon Jan 25 18:00:46 CET 2021


@ghubstan commented on this pull request.



> +
+    final ServerInterceptor[] interceptors() {
+        Optional<ServerInterceptor> rateMeteringInterceptor = rateMeteringInterceptor();
+        return rateMeteringInterceptor.map(serverInterceptor ->
+                new ServerInterceptor[]{serverInterceptor}).orElseGet(() -> new ServerInterceptor[0]);
+    }
+
+    final Optional<ServerInterceptor> rateMeteringInterceptor() {
+        CallRateMeteringInterceptor defaultCallRateMeteringInterceptor =
+                new CallRateMeteringInterceptor(new HashMap<>() {{
+                    put("getBalances", new GrpcCallRateMeter(1, SECONDS));
+                    put("getAddressBalance", new GrpcCallRateMeter(1, SECONDS));
+                    put("getFundingAddresses", new GrpcCallRateMeter(1, SECONDS));
+                    put("getUnusedBsqAddress", new GrpcCallRateMeter(1, SECONDS));
+                    put("sendBsq", new GrpcCallRateMeter(1, MINUTES));
+                    put("sendBtc", new GrpcCallRateMeter(1, MINUTES));
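Review bot: The rate table built at `new HashMap<>() {{ ... }}` uses double-brace initialization, which creates an anonymous `HashMap` subclass that can retain a reference to the enclosing instance and leaves the map mutable after construction. The diamond on an anonymous class already requires Java 9, so `Map.ofEntries(...)` is available and would give an immutable table without the extra class. Separately, the keys are bare string literals such as `"sendBtc"`, so a renamed or mistyped method name is not caught by the compiler and that call would presumably go unmetered. A test asserting that every key matches a registered gRPC method name would cover this, and it matters most for the `sendBsq` and `sendBtc` entries, which carry the strictest limit shown here (1 per `MINUTES`).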

This is not to protect against malicious attacks.  A lot more analysis is needed for that.

The rate metering is to help prevent scripting mistakes.  We don't want anyone accidentally spamming the network with a create offer loop, or anyone accidentally emptying her own wallet.

View it on GitHub:
https://github.com/bisq-network/bisq/pull/5103#discussion_r563884011