New in Symfony 5.2: Rate Limiter component

October 14, 2020 Javier Eguiluz

Contributed by
Wouter De Jong
in #37546.

A “rate limiter” controls how frequently some event (e.g. an HTTP request or a login attempt) is allowed to happen. Rate limiting is commonly used as a defensive measure to protect services from excessive use.

Symfony 5.2 introduces a new RateLimiter component so you can add those protections to your own applications. For example, imagine that you want to apply the same restrictions as GitHub to your own APIs when used anonymously: 60 requests per hour and identify requests by the originating IP address.

First, configure a new rate limiter as follows:

# config/packages/rate_limiter.yaml
framework:
    rate_limiter:
        anonymous_api:
            strategy: fixed_window
            limit: 60
            interval: '60 minutes'

Now, inject the rate limiter in your controllers or services and use it to check if the request should be allowed or not:

// src/Controller/ApiController.php
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\Limiter;

class ApiController extends AbstractController
{
    // the variable name must be: "rate limiter name" + "limiter" suffix
    public function index(Limiter $anonymousApiLimiter)
    {
        // create a limiter based on the client's IP address
        // (you can also use a username/email, an API key, etc.)
        $limiter = $anonymousApiLimiter->create($request->getClientIp());

        // try to consume a resource; if it's accepted, serve the request
        // otherwise, return a 429 (Too Many Requests) error
        if (false === $limiter->consume()->isAccepted()) {
            throw new TooManyRequestsHttpException();
        }

        // ...
    }

    // ...
}

That’s it! The RateLimiter component implements many other features and provides two different strategies to control the limits: “fixed window” and “token bucket”. Read the RateLimiter docs to learn all about its features.

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

New in Symfony 5.2: Rate Limiter component symfony.com/blog/new-in-symfony-5-2-rate-limiter-component

Tweet this

Comments

Fabien Lemoine said on Oct 14, 2020 at 09:48 #1

It's kind of brute force protection. Can it be used with a login form?

Wouter de Jong said on Oct 14, 2020 at 10:36 #2

Great post!

One thing I would like to add: Depending on the number of tools available to you, using Symfony's RateLimiter to enforce API limits/brute force production might not be the best idea. You still always get a performance penalty for starting a PHP process, booting the Symfony kernel, etc.
If possible, manage such critical limits before the PHP process (e.g. in your Nginx config, your Cloudfire account or using AWS request throttling).

Yoan Arnaudov said on Oct 14, 2020 at 12:21 #3

This is really nice feature. Good job!

Alessandro GIULIANI said on Oct 14, 2020 at 14:37 #4

It would be nice to have an annotation for this feature !

Jerôme Soanguimpali Clovis said on Oct 14, 2020 at 22:01 #5

Great functionality, but I'm wondering whether this could verify the limits without initiating a PHP process. Because if we have 1,000 requests of this kind, it becomes heavy for the server even though these requests will not result in 200 responses

Leonardo Cavill said on Oct 15, 2020 at 04:34 #6

Nice feature.

philippe said on Oct 16, 2020 at 14:55 #7

Nice. It 's been useful to limit attempts on a login's form.

I think there is a mistake in the exemple.
The variable $limiter is create but not used and we use the anonymousApiLimiter to validate.
In the documentation, it's the $limiter use to validate.

Javier Eguiluz Certified said on Oct 16, 2020 at 18:09 #8

@philippe you are right! We've just fixed the variable name in the code example.