Strange Behaviour: Key Level Rate Limit Per Access Right

So I just want to check how rate limiting works and got this strange behaviour. I’m using the CE edition

Case:

  1. I want to set a user with:
  • per key rate limit 100 per 5 seconds, no matter what API they accessed
  • per API limit. No limit for /free/ API and 5 requests per 5 seconds for /subscriber/ API
  1. I didn’t set any global API rate limit to /free/ or /subscriber/

Here is the session object

    {
        "org_id": "adi",
        "allowance": 100,
        "rate": 100,
        "per": 5,
        "expires": 0,
        "quota_max": 100,
        "quota_renewal_rate": 60,
        "access_rights": {
            "free": {
                "api_name": "Free API",
                "api_id": "free",
                "limit": {
                    "rate": 0,
                    "per": 0
                }
            },
            "subscriber": {
                "api_name": "Subscriber API",
                "api_id": "subscriber",
                "limit": {
                    "rate": 5,
                    "per": 5
                }
            }
        }
    }

Expected Behavior:

  1. If I access /subscriber/ more than 5 times in 5 seconds, I’ll get an error
  2. If I access /free/ fewer than the remaining rate set in the key (100 per 5), I’ll be fine
  3. If I access any API more than the rate set in the key (100 per 5), I’ll get an error

The Real Behavior:
Depending on which API I access first:

  1. If I access /free/ first, then directly access /subscriber/ more than 5 times, I won’t get an error no matter how much I request
  2. Wait for a certain time, then access /subscriber/ first until it hit the limit error. Now access /free/ endpoint more than 5 times, I’ll get an error.

Is this the expected behaviour??

Could you let us know the version of the gateway you are running? We will confirm and get back to you

I’m using tyk-gateway docker with tags v3.2.1

Hi @ghilman27

The expected behavior:

  1. A rate limit exceeded error would occur if you access /subscriber/ more than 5 times in 5 seconds
  2. No limit whatsoever if you access /free/ more than (100 times per 5 secs)
  3. Any other API apart from /free/ and /subscriber/ will be affected by a rate limit of 100 calls per 5 secs. However, no other APIs exist, so nothing happens.

Based on the real behavior you experienced, could you share the full key definition as well as comment on what type of authentication is being used for both APIs?

Hi @Olu

Thanks for replying, I’m using “authorization” header for both API.

Here is the full key definition

{
    "last_check": 0,
    "allowance": 100,
    "rate": 100,
    "per": 5,
    "throttle_interval": 0,
    "throttle_retry_limit": 0,
    "max_query_depth": 0,
    "date_created": "2021-08-17T15:10:51.171897582Z",
    "expires": 0,
    "quota_max": 100,
    "quota_renews": 1629214365,
    "quota_remaining": 99,
    "quota_renewal_rate": 60,
    "access_rights": {
    "free": {
    "api_name": "Free API",
    "api_id": "free",
    "versions": null,
    "allowed_urls": null,
    "restricted_types": null,
    "limit": null,
    "field_access_rights": null,
    "allowance_scope": ""
    },
    "subscriber": {
    "api_name": "Subscriber API",
    "api_id": "subscriber",
    "versions": null,
    "allowed_urls": null,
    "restricted_types": null,
    "limit": {
    "rate": 5,
    "per": 5,
    "throttle_interval": 0,
    "throttle_retry_limit": 0,
    "max_query_depth": 0,
    "quota_max": 0,
    "quota_renews": 1629214365,
    "quota_remaining": 99,
    "quota_renewal_rate": 0
    },
    "field_access_rights": null,
    "allowance_scope": ""
    }
    },
    "org_id": "adi",
    "oauth_client_id": "",
    "oauth_keys": null,
    "certificate": "",
    "basic_auth_data": {
    "password": "",
    "hash_type": ""
    },
    "jwt_data": {
    "secret": ""
    },
    "hmac_enabled": false,
    "enable_http_signature_validation": false,
    "hmac_string": "",
    "rsa_certificate_id": "",
    "is_inactive": false,
    "apply_policy_id": "",
    "apply_policies": null,
    "data_expires": 0,
    "monitor": {
    "trigger_limits": null
    },
    "enable_detail_recording": false,
    "enable_detailed_recording": false,
    "meta_data": {},
    "tags": [],
    "alias": "",
    "last_updated": "1629213051",
    "id_extractor_deadline": 0,
    "session_lifetime": 0
}

Here is the full api definition

{
    "name": "Free API",
    "slug": "",
    "listen_port": 0,
    "protocol": "",
    "enable_proxy_protocol": false,
    "api_id": "free",
    "org_id": "adi",
    "use_keyless": false,
    "use_oauth2": false,
    "use_openid": false,
    "openid_options": {
        "providers": null,
        "segregate_by_client": false
    },
    "oauth_meta": {
        "allowed_access_types": null,
        "allowed_authorize_types": null,
        "auth_login_redirect": ""
    },
    "auth": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "cookie_name": "",
        "auth_header_name": "authorization",
        "use_certificate": false,
        "validate_signature": false,
        "signature": {
            "algorithm": "",
            "header": "",
            "secret": "",
            "allowed_clock_skew": 0,
            "error_code": 0,
            "error_message": ""
        }
    },
    "auth_configs": null,
    "use_basic_auth": false,
    "basic_auth": {
        "disable_caching": false,
        "cache_ttl": 0,
        "extract_from_body": false,
        "body_user_regexp": "",
        "body_password_regexp": ""
    },
    "use_mutual_tls_auth": false,
    "client_certificates": null,
    "upstream_certificates": null,
    "pinned_public_keys": null,
    "enable_jwt": false,
    "use_standard_auth": false,
    "use_go_plugin_auth": false,
    "enable_coprocess_auth": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "jwt_default_policies": null,
    "jwt_issued_at_validation_skew": 0,
    "jwt_expires_at_validation_skew": 0,
    "jwt_not_before_validation_skew": 0,
    "jwt_skip_kid": false,
    "jwt_scope_to_policy_mapping": null,
    "jwt_scope_claim_name": "",
    "notifications": {
        "shared_secret": "",
        "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": 0,
    "hmac_allowed_algorithms": null,
    "request_signing": {
        "is_enabled": false,
        "secret": "",
        "key_id": "",
        "algorithm": "",
        "header_list": null,
        "certificate_id": "",
        "signature_header": ""
    },
    "base_identity_provided_by": "",
    "definition": {
        "location": "header",
        "key": "version",
        "strip_path": false
    },
    "version_data": {
        "not_versioned": true,
        "default_version": "",
        "versions": {
            "Default": {
                "name": "Default",
                "expires": "",
                "paths": {
                    "ignored": null,
                    "white_list": null,
                    "black_list": null
                },
                "use_extended_paths": false,
                "extended_paths": {},
                "global_headers": null,
                "global_headers_remove": null,
                "global_response_headers": null,
                "global_response_headers_remove": null,
                "ignore_endpoint_case": false,
                "global_size_limit": 0,
                "override_target": ""
            }
        }
    },
    "uptime_tests": {
        "check_list": null,
        "config": {
            "expire_utime_after": 0,
            "service_discovery": {
                "use_discovery_service": false,
                "query_endpoint": "",
                "use_nested_query": false,
                "parent_data_path": "",
                "data_path": "",
                "port_data_path": "",
                "target_path": "",
                "use_target_list": false,
                "cache_timeout": 0,
                "endpoint_returns_list": false
            },
            "recheck_wait": 0
        }
    },
    "proxy": {
        "preserve_host_header": false,
        "listen_path": "/free/",
        "target_url": "http://fake-api:8080/colors.json",
        "disable_strip_slash": false,
        "strip_listen_path": true,
        "enable_load_balancing": false,
        "target_list": [],
        "check_host_against_uptime_tests": false,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "",
            "port_data_path": "",
            "target_path": "",
            "use_target_list": false,
            "cache_timeout": 0,
            "endpoint_returns_list": false
        },
        "transport": {
            "ssl_insecure_skip_verify": false,
            "ssl_ciphers": null,
            "ssl_min_version": 0,
            "ssl_max_version": 0,
            "ssl_force_common_name_check": false,
            "proxy_url": ""
        }
    },
    "disable_rate_limit": false,
    "disable_quota": false,
    "custom_middleware": {
        "pre": null,
        "post": null,
        "post_key_auth": null,
        "auth_check": {
            "name": "",
            "path": "",
            "require_session": false,
            "raw_body_only": false
        },
        "response": null,
        "driver": "",
        "id_extractor": {
            "extract_from": "",
            "extract_with": "",
            "extractor_config": null
        }
    },
    "custom_middleware_bundle": "",
    "cache_options": {
        "cache_timeout": 0,
        "enable_cache": false,
        "cache_all_safe_requests": false,
        "cache_response_codes": null,
        "enable_upstream_cache_control": false,
        "cache_control_ttl_header": "",
        "cache_by_headers": null
    },
    "session_lifetime": 0,
    "active": true,
    "internal": false,
    "auth_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "session_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "event_handlers": {
        "events": null
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": false,
    "allowed_ips": null,
    "enable_ip_blacklisting": false,
    "blacklisted_ips": null,
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": null,
    "CORS": {
        "enable": false,
        "allowed_origins": null,
        "allowed_methods": null,
        "allowed_headers": null,
        "exposed_headers": null,
        "allow_credentials": false,
        "max_age": 0,
        "options_passthrough": false,
        "debug": false
    },
    "domain": "",
    "certificates": null,
    "do_not_track": false,
    "tags": null,
    "enable_context_vars": false,
    "config_data": null,
    "tag_headers": null,
    "global_rate_limit": {
        "rate": 0,
        "per": 0
    },
    "strip_auth_data": false,
    "enable_detailed_recording": false,
    "graphql": {
        "enabled": false,
        "execution_mode": "",
        "version": "",
        "schema": "",
        "type_field_configurations": null,
        "playground": {
            "enabled": false,
            "path": ""
        },
        "engine": {
            "field_configs": null,
            "data_sources": null
        }
    }
}
{
    "name": "Subscriber API",
    "slug": "",
    "listen_port": 0,
    "protocol": "",
    "enable_proxy_protocol": false,
    "api_id": "subscriber",
    "org_id": "adi",
    "use_keyless": false,
    "use_oauth2": false,
    "use_openid": false,
    "openid_options": {
        "providers": null,
        "segregate_by_client": false
    },
    "oauth_meta": {
        "allowed_access_types": null,
        "allowed_authorize_types": null,
        "auth_login_redirect": ""
    },
    "auth": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "cookie_name": "",
        "auth_header_name": "authorization",
        "use_certificate": false,
        "validate_signature": false,
        "signature": {
            "algorithm": "",
            "header": "",
            "secret": "",
            "allowed_clock_skew": 0,
            "error_code": 0,
            "error_message": ""
        }
    },
    "auth_configs": null,
    "use_basic_auth": false,
    "basic_auth": {
        "disable_caching": false,
        "cache_ttl": 0,
        "extract_from_body": false,
        "body_user_regexp": "",
        "body_password_regexp": ""
    },
    "use_mutual_tls_auth": false,
    "client_certificates": null,
    "upstream_certificates": null,
    "pinned_public_keys": null,
    "enable_jwt": false,
    "use_standard_auth": false,
    "use_go_plugin_auth": false,
    "enable_coprocess_auth": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "jwt_default_policies": null,
    "jwt_issued_at_validation_skew": 0,
    "jwt_expires_at_validation_skew": 0,
    "jwt_not_before_validation_skew": 0,
    "jwt_skip_kid": false,
    "jwt_scope_to_policy_mapping": null,
    "jwt_scope_claim_name": "",
    "notifications": {
        "shared_secret": "",
        "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": 0,
    "hmac_allowed_algorithms": null,
    "request_signing": {
        "is_enabled": false,
        "secret": "",
        "key_id": "",
        "algorithm": "",
        "header_list": null,
        "certificate_id": "",
        "signature_header": ""
    },
    "base_identity_provided_by": "",
    "definition": {
        "location": "header",
        "key": "version",
        "strip_path": false
    },
    "version_data": {
        "not_versioned": true,
        "default_version": "",
        "versions": {
            "Default": {
                "name": "Default",
                "expires": "",
                "paths": {
                    "ignored": null,
                    "white_list": null,
                    "black_list": null
                },
                "use_extended_paths": false,
                "extended_paths": {},
                "global_headers": null,
                "global_headers_remove": null,
                "global_response_headers": null,
                "global_response_headers_remove": null,
                "ignore_endpoint_case": false,
                "global_size_limit": 0,
                "override_target": ""
            }
        }
    },
    "uptime_tests": {
        "check_list": null,
        "config": {
            "expire_utime_after": 0,
            "service_discovery": {
                "use_discovery_service": false,
                "query_endpoint": "",
                "use_nested_query": false,
                "parent_data_path": "",
                "data_path": "",
                "port_data_path": "",
                "target_path": "",
                "use_target_list": false,
                "cache_timeout": 0,
                "endpoint_returns_list": false
            },
            "recheck_wait": 0
        }
    },
    "proxy": {
        "preserve_host_header": false,
        "listen_path": "/subscriber/",
        "target_url": "http://fake-api:8080/token.json",
        "disable_strip_slash": false,
        "strip_listen_path": true,
        "enable_load_balancing": false,
        "target_list": [],
        "check_host_against_uptime_tests": false,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "",
            "port_data_path": "",
            "target_path": "",
            "use_target_list": false,
            "cache_timeout": 0,
            "endpoint_returns_list": false
        },
        "transport": {
            "ssl_insecure_skip_verify": false,
            "ssl_ciphers": null,
            "ssl_min_version": 0,
            "ssl_max_version": 0,
            "ssl_force_common_name_check": false,
            "proxy_url": ""
        }
    },
    "disable_rate_limit": false,
    "disable_quota": false,
    "custom_middleware": {
        "pre": null,
        "post": null,
        "post_key_auth": null,
        "auth_check": {
            "name": "",
            "path": "",
            "require_session": false,
            "raw_body_only": false
        },
        "response": null,
        "driver": "",
        "id_extractor": {
            "extract_from": "",
            "extract_with": "",
            "extractor_config": null
        }
    },
    "custom_middleware_bundle": "",
    "cache_options": {
        "cache_timeout": 0,
        "enable_cache": false,
        "cache_all_safe_requests": false,
        "cache_response_codes": null,
        "enable_upstream_cache_control": false,
        "cache_control_ttl_header": "",
        "cache_by_headers": null
    },
    "session_lifetime": 0,
    "active": true,
    "internal": false,
    "auth_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "session_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "event_handlers": {
        "events": null
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": false,
    "allowed_ips": null,
    "enable_ip_blacklisting": false,
    "blacklisted_ips": null,
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": null,
    "CORS": {
        "enable": false,
        "allowed_origins": null,
        "allowed_methods": null,
        "allowed_headers": null,
        "exposed_headers": null,
        "allow_credentials": false,
        "max_age": 0,
        "options_passthrough": false,
        "debug": false
    },
    "domain": "",
    "certificates": null,
    "do_not_track": false,
    "tags": null,
    "enable_context_vars": false,
    "config_data": null,
    "tag_headers": null,
    "global_rate_limit": {
        "rate": 0,
        "per": 0
    },
    "strip_auth_data": false,
    "enable_detailed_recording": false,
    "graphql": {
        "enabled": false,
        "execution_mode": "",
        "version": "",
        "schema": "",
        "type_field_configurations": null,
        "playground": {
            "enabled": false,
            "path": ""
        },
        "engine": {
            "field_configs": null,
            "data_sources": null
        }
    }
}

Thanks for sharing. Will check it and get back to you soon