Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement Rate Limiter and Cloudfront Caching for API #75

Merged
merged 20 commits into from
Mar 19, 2025
Merged

Implement Rate Limiter and Cloudfront Caching for API #75

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
88e77c5
add cloudformation for table definition
devksingh4 Mar 19, 2025
602173d
fix IAM permission
devksingh4 Mar 19, 2025
f90e61e
build rate limiter logic
devksingh4 Mar 19, 2025
fc6fcbf
implement rate limiting on specific routes
devksingh4 Mar 19, 2025
47402ec
remove log statement
devksingh4 Mar 19, 2025
336392b
mock rate limiter implementation
devksingh4 Mar 19, 2025
5d129ea
bypass rate limiter in unit tests
devksingh4 Mar 19, 2025
a1b9330
use more sensible rate limiting
devksingh4 Mar 19, 2025
8aafb49
fix linting issues
devksingh4 Mar 19, 2025
a4fc884
consolidate stages to fix concurrency
devksingh4 Mar 19, 2025
ccfcae1
use cloudfront to cache events route
devksingh4 Mar 19, 2025
465ffee
cache subpaths too
devksingh4 Mar 19, 2025
740b54c
be more transparent about caching behavior to editors
devksingh4 Mar 19, 2025
47a8ec0
change fetching behavior
devksingh4 Mar 19, 2025
f501c36
fix cache behavior
devksingh4 Mar 19, 2025
4475721
enable custom domains on cloudfront
devksingh4 Mar 19, 2025
552d685
map the custom domain to cloudfront instead of the api gateway
devksingh4 Mar 19, 2025
061a8b1
fix domain behavior
devksingh4 Mar 19, 2025
e0ac910
fix domain
devksingh4 Mar 19, 2025
38d575d
fix acm-cache-status header
devksingh4 Mar 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 2 additions & 34 deletions .github/workflows/deploy-dev.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ jobs:
- name: Run unit testing
run: make test_unit

deploy-dev:
deploy-test-dev:
runs-on: ubuntu-latest
permissions:
id-token: write
Expand All @@ -47,7 +47,7 @@ jobs:
group: ${{ github.event.repository.name }}-dev-env
cancel-in-progress: false
environment: "AWS DEV"
name: Deploy to DEV
name: Deploy to DEV and Run Tests
needs:
- test-unit
steps:
Expand Down Expand Up @@ -90,38 +90,6 @@ jobs:
HUSKY: "0"
VITE_RUN_ENVIRONMENT: dev

test-dev:
runs-on: ubuntu-latest
name: Run Live Tests
needs:
- deploy-dev
concurrency:
group: ${{ github.event.repository.name }}-dev-env
cancel-in-progress: false
steps:
- uses: actions/checkout@v4
env:
HUSKY: "0"
cache: 'yarn'

- name: Set up Node
uses: actions/setup-node@v4
with:
node-version: 22.x

- name: Restore Yarn Cache
uses: actions/cache@v4
with:
path: node_modules
key: yarn-modules-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-dev
restore-keys: |
yarn-modules-${{ runner.os }}-

- name: Set up Python 3.11 for testing
uses: actions/setup-python@v5
with:
python-version: 3.11

- name: Run health check
run: make dev_health_check

Expand Down
46 changes: 5 additions & 41 deletions .github/workflows/deploy-prod.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,8 @@ jobs:
python-version: 3.11
- name: Run unit testing
run: make test_unit
deploy-dev:

deploy-test-dev:
runs-on: ubuntu-latest
concurrency:
group: ${{ github.event.repository.name }}-dev
Expand All @@ -33,7 +34,7 @@ jobs:
id-token: write
contents: read
environment: "AWS DEV"
name: Deploy to DEV
name: Deploy to DEV and Run Tests
needs:
- test-unit
steps:
Expand Down Expand Up @@ -62,26 +63,6 @@ jobs:
HUSKY: "0"
VITE_RUN_ENVIRONMENT: dev

test-dev:
runs-on: ubuntu-latest
name: Run Live Tests
needs:
- deploy-dev
concurrency:
group: ${{ github.event.repository.name }}-dev
cancel-in-progress: false
steps:
- name: Set up Node
uses: actions/setup-node@v4
with:
node-version: 22.x
- uses: actions/checkout@v4
env:
HUSKY: "0"
- name: Set up Python 3.11 for testing
uses: actions/setup-python@v5
with:
python-version: 3.11
- name: Run live testing
run: make test_live_integration
env:
Expand All @@ -94,15 +75,15 @@ jobs:

deploy-prod:
runs-on: ubuntu-latest
name: Deploy to Prod
name: Deploy to Prod and Run Health Check
concurrency:
group: ${{ github.event.repository.name }}-prod
cancel-in-progress: false
permissions:
id-token: write
contents: read
needs:
- test-dev
- deploy-test-dev
environment: "AWS PROD"
steps:
- name: Set up Node for testing
Expand All @@ -129,22 +110,5 @@ jobs:
env:
HUSKY: "0"
VITE_RUN_ENVIRONMENT: prod

health-check-prod:
runs-on: ubuntu-latest
name: Confirm services healthy
needs:
- deploy-prod
concurrency:
group: ${{ github.event.repository.name }}-prod
cancel-in-progress: false
steps:
- name: Set up Node for testing
uses: actions/setup-node@v4
with:
node-version: 22.x
- uses: actions/checkout@v4
env:
HUSKY: "0"
- name: Call the health check script
run: make prod_health_check
10 changes: 6 additions & 4 deletions cloudformation/custom-domain.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ Parameters:
AllowedValues: [ 'dev', 'prod' ]
RecordName:
Type: String
CloudfrontDomain:
Type: String

Conditions:
IsDev: !Equals [!Ref RunEnvironment, 'dev']
Expand Down Expand Up @@ -44,7 +46,7 @@ Resources:
Properties:
HostedZoneId: !Ref GWHostedZoneId
Name: !Sub "${RecordName}.${GWBaseDomainName}"
Type: A
AliasTarget:
DNSName: !GetAtt CustomDomainName.RegionalDomainName
HostedZoneId: !GetAtt CustomDomainName.RegionalHostedZoneId
Type: CNAME
TTL: 300
ResourceRecords:
- !Ref CloudfrontDomain
8 changes: 8 additions & 0 deletions cloudformation/iam.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,14 @@ Resources:
- expireAt
- "*"

- Sid: DynamoDBRateLimitTableAccess
Effect: Allow
Action:
- dynamodb:DescribeTable
- dynamodb:UpdateItem
Resource:
- Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-rate-limiter

- Sid: DynamoDBIndexAccess
Effect: Allow
Action:
Expand Down
85 changes: 85 additions & 0 deletions cloudformation/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,7 @@ Resources:
GWApiId: !Ref AppApiGateway
GWHostedZoneId:
!FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
CloudfrontDomain: !GetAtt [AppFrontendCloudfrontDistribution, DomainName]

LinkryDomainProxy:
Type: AWS::Serverless::Application
Expand All @@ -138,6 +139,7 @@ Resources:
GWApiId: !Ref AppApiGateway
GWHostedZoneId:
!FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
CloudfrontDomain: !GetAtt [AppFrontendCloudfrontDistribution, DomainName]

CoreUrlProd:
Type: AWS::Serverless::Application
Expand All @@ -158,6 +160,7 @@ Resources:
GWApiId: !Ref AppApiGateway
GWHostedZoneId:
!FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
CloudfrontDomain: !GetAtt [AppFrontendCloudfrontDistribution, DomainName]

AppApiLambdaFunction:
Type: AWS::Serverless::Function
Expand Down Expand Up @@ -306,6 +309,30 @@ Resources:
- AttributeName: userEmail
KeyType: HASH

RateLimiterTable:
Type: "AWS::DynamoDB::Table"
DeletionPolicy: "Delete"
UpdateReplacePolicy: "Delete"
Properties:
BillingMode: "PAY_PER_REQUEST"
TableName: infra-core-api-rate-limiter
DeletionProtectionEnabled: true
PointInTimeRecoverySpecification:
PointInTimeRecoveryEnabled: false
AttributeDefinitions:
- AttributeName: PK
AttributeType: S
- AttributeName: SK
AttributeType: S
KeySchema:
- AttributeName: PK
KeyType: HASH
- AttributeName: SK
KeyType: RANGE
TimeToLiveSpecification:
AttributeName: ttl
Enabled: true

EventRecordsTable:
Type: "AWS::DynamoDB::Table"
DeletionPolicy: "Retain"
Expand Down Expand Up @@ -562,6 +589,20 @@ Resources:
- ApiGwConfig
- !Ref RunEnvironment
- UiDomainName
- !Join
- ""
- - "go."
- !FindInMap
- ApiGwConfig
- !Ref RunEnvironment
- EnvDomainName
- !Join
- ""
- - "ical."
- !FindInMap
- ApiGwConfig
- !Ref RunEnvironment
- EnvDomainName

DefaultCacheBehavior:
TargetOriginId: S3WebsiteOrigin
Expand All @@ -578,6 +619,50 @@ Resources:
Forward: none
CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # caching-optimized
CacheBehaviors:
- PathPattern: "/api/v1/events"
TargetOriginId: ApiGatewayOrigin
ViewerProtocolPolicy: redirect-to-https
AllowedMethods:
- GET
- HEAD
- OPTIONS
- PUT
- POST
- DELETE
- PATCH
CachedMethods:
- GET
- HEAD
ForwardedValues:
QueryString: true
QueryStringCacheKeys:
- host
- ts
- upcomingOnly
Cookies:
Forward: none
- PathPattern: "/api/v1/events/*"
TargetOriginId: ApiGatewayOrigin
ViewerProtocolPolicy: redirect-to-https
AllowedMethods:
- GET
- HEAD
- OPTIONS
- PUT
- POST
- DELETE
- PATCH
CachedMethods:
- GET
- HEAD
ForwardedValues:
QueryString: true
QueryStringCacheKeys:
- host
- ts
- upcomingOnly
Cookies:
Forward: none
- PathPattern: "/api/*"
TargetOriginId: ApiGatewayOrigin
ViewerProtocolPolicy: redirect-to-https
Expand Down
66 changes: 66 additions & 0 deletions src/api/functions/rateLimit.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
import {
ConditionalCheckFailedException,
UpdateItemCommand,
} from "@aws-sdk/client-dynamodb";
import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
import { genericConfig } from "common/config.js";

interface RateLimitParams {
ddbClient: DynamoDBClient;
rateLimitIdentifier: string;
duration: number;
limit: number;
userIdentifier: string;
}

export async function isAtLimit({
ddbClient,
rateLimitIdentifier,
duration,
limit,
userIdentifier,
}: RateLimitParams): Promise<{
limited: boolean;
resetTime: number;
used: number;
}> {
const nowInSeconds = Math.floor(Date.now() / 1000);
const timeWindow = Math.floor(nowInSeconds / duration) * duration;
const PK = `rate-limit:${rateLimitIdentifier}:${userIdentifier}:${timeWindow}`;

try {
const result = await ddbClient.send(
new UpdateItemCommand({
TableName: genericConfig.RateLimiterDynamoTableName,
Key: {
PK: { S: PK },
SK: { S: "counter" },
},
UpdateExpression: "ADD #rateLimitCount :inc SET #ttl = :ttl",
ConditionExpression:
"attribute_not_exists(#rateLimitCount) OR #rateLimitCount <= :limit",
ExpressionAttributeValues: {
":inc": { N: "1" },
":limit": { N: limit.toString() },
":ttl": { N: (timeWindow + duration).toString() },
},
ExpressionAttributeNames: {
"#rateLimitCount": "rateLimitCount",
"#ttl": "ttl",
},
ReturnValues: "UPDATED_NEW",
ReturnValuesOnConditionCheckFailure: "ALL_OLD",
}),
);
return {
limited: false,
used: parseInt(result.Attributes?.rateLimitCount.N || "1", 10),
resetTime: timeWindow + duration,
};
} catch (error) {
if (error instanceof ConditionalCheckFailedException) {
return { limited: true, resetTime: timeWindow + duration, used: limit };
}
throw error;
}
}
1 change: 0 additions & 1 deletion src/api/functions/sts.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ import { AssumeRoleCommand } from "@aws-sdk/client-sts";
import { STSClient } from "@aws-sdk/client-sts";
import { genericConfig } from "common/config.js";
import { InternalServerError } from "common/errors/index.js";
import { duration } from "moment";

export async function getRoleCredentials(
roleArn: string,
Expand Down
Loading
Loading