Strange Behaviour: Key Level Rate Limit Per Access Right

ghilman27 · August 17, 2021, 3:35pm

So I just want to check how rate limiting works and got this strange behaviour. I’m using the CE edition

Case:

I want to set a user with:

per key rate limit 100 per 5 seconds, no matter what API they accessed
per API limit. No limit for /free/ API and 5 requests per 5 seconds for /subscriber/ API

I didn’t set any global API rate limit to /free/ or /subscriber/

Here is the session object

    {
        "org_id": "adi",
        "allowance": 100,
        "rate": 100,
        "per": 5,
        "expires": 0,
        "quota_max": 100,
        "quota_renewal_rate": 60,
        "access_rights": {
            "free": {
                "api_name": "Free API",
                "api_id": "free",
                "limit": {
                    "rate": 0,
                    "per": 0
                }
            },
            "subscriber": {
                "api_name": "Subscriber API",
                "api_id": "subscriber",
                "limit": {
                    "rate": 5,
                    "per": 5
                }
            }
        }
    }

Expected Behavior:

If I access /subscriber/ more than 5 times in 5 seconds, I’ll get an error
If I access /free/ fewer than the remaining rate set in the key (100 per 5), I’ll be fine
If I access any API more than the rate set in the key (100 per 5), I’ll get an error

The Real Behavior:
Depending on which API I access first:

If I access /free/ first, then directly access /subscriber/ more than 5 times, I won’t get an error no matter how much I request
Wait for a certain time, then access /subscriber/ first until it hit the limit error. Now access /free/ endpoint more than 5 times, I’ll get an error.

Is this the expected behaviour??

Olu · August 19, 2021, 5:14pm

Could you let us know the version of the gateway you are running? We will confirm and get back to you

ghilman27 · August 20, 2021, 4:05am

I’m using tyk-gateway docker with tags v3.2.1

Olu · September 1, 2021, 5:46pm

Hi @ghilman27

The expected behavior:

A rate limit exceeded error would occur if you access /subscriber/ more than 5 times in 5 seconds
No limit whatsoever if you access /free/ more than (100 times per 5 secs)
Any other API apart from /free/ and /subscriber/ will be affected by a rate limit of 100 calls per 5 secs. However, no other APIs exist, so nothing happens.

Based on the real behavior you experienced, could you share the full key definition as well as comment on what type of authentication is being used for both APIs?

ghilman27 · September 6, 2021, 6:42am

Hi @Olu

Thanks for replying, I’m using “authorization” header for both API.

Here is the full key definition

{
    "last_check": 0,
    "allowance": 100,
    "rate": 100,
    "per": 5,
    "throttle_interval": 0,
    "throttle_retry_limit": 0,
    "max_query_depth": 0,
    "date_created": "2021-08-17T15:10:51.171897582Z",
    "expires": 0,
    "quota_max": 100,
    "quota_renews": 1629214365,
    "quota_remaining": 99,
    "quota_renewal_rate": 60,
    "access_rights": {
    "free": {
    "api_name": "Free API",
    "api_id": "free",
    "versions": null,
    "allowed_urls": null,
    "restricted_types": null,
    "limit": null,
    "field_access_rights": null,
    "allowance_scope": ""
    },
    "subscriber": {
    "api_name": "Subscriber API",
    "api_id": "subscriber",
    "versions": null,
    "allowed_urls": null,
    "restricted_types": null,
    "limit": {
    "rate": 5,
    "per": 5,
    "throttle_interval": 0,
    "throttle_retry_limit": 0,
    "max_query_depth": 0,
    "quota_max": 0,
    "quota_renews": 1629214365,
    "quota_remaining": 99,
    "quota_renewal_rate": 0
    },
    "field_access_rights": null,
    "allowance_scope": ""
    }
    },
    "org_id": "adi",
    "oauth_client_id": "",
    "oauth_keys": null,
    "certificate": "",
    "basic_auth_data": {
    "password": "",
    "hash_type": ""
    },
    "jwt_data": {
    "secret": ""
    },
    "hmac_enabled": false,
    "enable_http_signature_validation": false,
    "hmac_string": "",
    "rsa_certificate_id": "",
    "is_inactive": false,
    "apply_policy_id": "",
    "apply_policies": null,
    "data_expires": 0,
    "monitor": {
    "trigger_limits": null
    },
    "enable_detail_recording": false,
    "enable_detailed_recording": false,
    "meta_data": {},
    "tags": [],
    "alias": "",
    "last_updated": "1629213051",
    "id_extractor_deadline": 0,
    "session_lifetime": 0
}

Here is the full api definition

{
    "name": "Free API",
    "slug": "",
    "listen_port": 0,
    "protocol": "",
    "enable_proxy_protocol": false,
    "api_id": "free",
    "org_id": "adi",
    "use_keyless": false,
    "use_oauth2": false,
    "use_openid": false,
    "openid_options": {
        "providers": null,
        "segregate_by_client": false
    },
    "oauth_meta": {
        "allowed_access_types": null,
        "allowed_authorize_types": null,
        "auth_login_redirect": ""
    },
    "auth": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "cookie_name": "",
        "auth_header_name": "authorization",
        "use_certificate": false,
        "validate_signature": false,
        "signature": {
            "algorithm": "",
            "header": "",
            "secret": "",
            "allowed_clock_skew": 0,
            "error_code": 0,
            "error_message": ""
        }
    },
    "auth_configs": null,
    "use_basic_auth": false,
    "basic_auth": {
        "disable_caching": false,
        "cache_ttl": 0,
        "extract_from_body": false,
        "body_user_regexp": "",
        "body_password_regexp": ""
    },
    "use_mutual_tls_auth": false,
    "client_certificates": null,
    "upstream_certificates": null,
    "pinned_public_keys": null,
    "enable_jwt": false,
    "use_standard_auth": false,
    "use_go_plugin_auth": false,
    "enable_coprocess_auth": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "jwt_default_policies": null,
    "jwt_issued_at_validation_skew": 0,
    "jwt_expires_at_validation_skew": 0,
    "jwt_not_before_validation_skew": 0,
    "jwt_skip_kid": false,
    "jwt_scope_to_policy_mapping": null,
    "jwt_scope_claim_name": "",
    "notifications": {
        "shared_secret": "",
        "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": 0,
    "hmac_allowed_algorithms": null,
    "request_signing": {
        "is_enabled": false,
        "secret": "",
        "key_id": "",
        "algorithm": "",
        "header_list": null,
        "certificate_id": "",
        "signature_header": ""
    },
    "base_identity_provided_by": "",
    "definition": {
        "location": "header",
        "key": "version",
        "strip_path": false
    },
    "version_data": {
        "not_versioned": true,
        "default_version": "",
        "versions": {
            "Default": {
                "name": "Default",
                "expires": "",
                "paths": {
                    "ignored": null,
                    "white_list": null,
                    "black_list": null
                },
                "use_extended_paths": false,
                "extended_paths": {},
                "global_headers": null,
                "global_headers_remove": null,
                "global_response_headers": null,
                "global_response_headers_remove": null,
                "ignore_endpoint_case": false,
                "global_size_limit": 0,
                "override_target": ""
            }
        }
    },
    "uptime_tests": {
        "check_list": null,
        "config": {
            "expire_utime_after": 0,
            "service_discovery": {
                "use_discovery_service": false,
                "query_endpoint": "",
                "use_nested_query": false,
                "parent_data_path": "",
                "data_path": "",
                "port_data_path": "",
                "target_path": "",
                "use_target_list": false,
                "cache_timeout": 0,
                "endpoint_returns_list": false
            },
            "recheck_wait": 0
        }
    },
    "proxy": {
        "preserve_host_header": false,
        "listen_path": "/free/",
        "target_url": "http://fake-api:8080/colors.json",
        "disable_strip_slash": false,
        "strip_listen_path": true,
        "enable_load_balancing": false,
        "target_list": [],
        "check_host_against_uptime_tests": false,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "",
            "port_data_path": "",
            "target_path": "",
            "use_target_list": false,
            "cache_timeout": 0,
            "endpoint_returns_list": false
        },
        "transport": {
            "ssl_insecure_skip_verify": false,
            "ssl_ciphers": null,
            "ssl_min_version": 0,
            "ssl_max_version": 0,
            "ssl_force_common_name_check": false,
            "proxy_url": ""
        }
    },
    "disable_rate_limit": false,
    "disable_quota": false,
    "custom_middleware": {
        "pre": null,
        "post": null,
        "post_key_auth": null,
        "auth_check": {
            "name": "",
            "path": "",
            "require_session": false,
            "raw_body_only": false
        },
        "response": null,
        "driver": "",
        "id_extractor": {
            "extract_from": "",
            "extract_with": "",
            "extractor_config": null
        }
    },
    "custom_middleware_bundle": "",
    "cache_options": {
        "cache_timeout": 0,
        "enable_cache": false,
        "cache_all_safe_requests": false,
        "cache_response_codes": null,
        "enable_upstream_cache_control": false,
        "cache_control_ttl_header": "",
        "cache_by_headers": null
    },
    "session_lifetime": 0,
    "active": true,
    "internal": false,
    "auth_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "session_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "event_handlers": {
        "events": null
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": false,
    "allowed_ips": null,
    "enable_ip_blacklisting": false,
    "blacklisted_ips": null,
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": null,
    "CORS": {
        "enable": false,
        "allowed_origins": null,
        "allowed_methods": null,
        "allowed_headers": null,
        "exposed_headers": null,
        "allow_credentials": false,
        "max_age": 0,
        "options_passthrough": false,
        "debug": false
    },
    "domain": "",
    "certificates": null,
    "do_not_track": false,
    "tags": null,
    "enable_context_vars": false,
    "config_data": null,
    "tag_headers": null,
    "global_rate_limit": {
        "rate": 0,
        "per": 0
    },
    "strip_auth_data": false,
    "enable_detailed_recording": false,
    "graphql": {
        "enabled": false,
        "execution_mode": "",
        "version": "",
        "schema": "",
        "type_field_configurations": null,
        "playground": {
            "enabled": false,
            "path": ""
        },
        "engine": {
            "field_configs": null,
            "data_sources": null
        }
    }
}

{
    "name": "Subscriber API",
    "slug": "",
    "listen_port": 0,
    "protocol": "",
    "enable_proxy_protocol": false,
    "api_id": "subscriber",
    "org_id": "adi",
    "use_keyless": false,
    "use_oauth2": false,
    "use_openid": false,
    "openid_options": {
        "providers": null,
        "segregate_by_client": false
    },
    "oauth_meta": {
        "allowed_access_types": null,
        "allowed_authorize_types": null,
        "auth_login_redirect": ""
    },
    "auth": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "cookie_name": "",
        "auth_header_name": "authorization",
        "use_certificate": false,
        "validate_signature": false,
        "signature": {
            "algorithm": "",
            "header": "",
            "secret": "",
            "allowed_clock_skew": 0,
            "error_code": 0,
            "error_message": ""
        }
    },
    "auth_configs": null,
    "use_basic_auth": false,
    "basic_auth": {
        "disable_caching": false,
        "cache_ttl": 0,
        "extract_from_body": false,
        "body_user_regexp": "",
        "body_password_regexp": ""
    },
    "use_mutual_tls_auth": false,
    "client_certificates": null,
    "upstream_certificates": null,
    "pinned_public_keys": null,
    "enable_jwt": false,
    "use_standard_auth": false,
    "use_go_plugin_auth": false,
    "enable_coprocess_auth": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "jwt_default_policies": null,
    "jwt_issued_at_validation_skew": 0,
    "jwt_expires_at_validation_skew": 0,
    "jwt_not_before_validation_skew": 0,
    "jwt_skip_kid": false,
    "jwt_scope_to_policy_mapping": null,
    "jwt_scope_claim_name": "",
    "notifications": {
        "shared_secret": "",
        "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": 0,
    "hmac_allowed_algorithms": null,
    "request_signing": {
        "is_enabled": false,
        "secret": "",
        "key_id": "",
        "algorithm": "",
        "header_list": null,
        "certificate_id": "",
        "signature_header": ""
    },
    "base_identity_provided_by": "",
    "definition": {
        "location": "header",
        "key": "version",
        "strip_path": false
    },
    "version_data": {
        "not_versioned": true,
        "default_version": "",
        "versions": {
            "Default": {
                "name": "Default",
                "expires": "",
                "paths": {
                    "ignored": null,
                    "white_list": null,
                    "black_list": null
                },
                "use_extended_paths": false,
                "extended_paths": {},
                "global_headers": null,
                "global_headers_remove": null,
                "global_response_headers": null,
                "global_response_headers_remove": null,
                "ignore_endpoint_case": false,
                "global_size_limit": 0,
                "override_target": ""
            }
        }
    },
    "uptime_tests": {
        "check_list": null,
        "config": {
            "expire_utime_after": 0,
            "service_discovery": {
                "use_discovery_service": false,
                "query_endpoint": "",
                "use_nested_query": false,
                "parent_data_path": "",
                "data_path": "",
                "port_data_path": "",
                "target_path": "",
                "use_target_list": false,
                "cache_timeout": 0,
                "endpoint_returns_list": false
            },
            "recheck_wait": 0
        }
    },
    "proxy": {
        "preserve_host_header": false,
        "listen_path": "/subscriber/",
        "target_url": "http://fake-api:8080/token.json",
        "disable_strip_slash": false,
        "strip_listen_path": true,
        "enable_load_balancing": false,
        "target_list": [],
        "check_host_against_uptime_tests": false,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "",
            "port_data_path": "",
            "target_path": "",
            "use_target_list": false,
            "cache_timeout": 0,
            "endpoint_returns_list": false
        },
        "transport": {
            "ssl_insecure_skip_verify": false,
            "ssl_ciphers": null,
            "ssl_min_version": 0,
            "ssl_max_version": 0,
            "ssl_force_common_name_check": false,
            "proxy_url": ""
        }
    },
    "disable_rate_limit": false,
    "disable_quota": false,
    "custom_middleware": {
        "pre": null,
        "post": null,
        "post_key_auth": null,
        "auth_check": {
            "name": "",
            "path": "",
            "require_session": false,
            "raw_body_only": false
        },
        "response": null,
        "driver": "",
        "id_extractor": {
            "extract_from": "",
            "extract_with": "",
            "extractor_config": null
        }
    },
    "custom_middleware_bundle": "",
    "cache_options": {
        "cache_timeout": 0,
        "enable_cache": false,
        "cache_all_safe_requests": false,
        "cache_response_codes": null,
        "enable_upstream_cache_control": false,
        "cache_control_ttl_header": "",
        "cache_by_headers": null
    },
    "session_lifetime": 0,
    "active": true,
    "internal": false,
    "auth_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "session_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "event_handlers": {
        "events": null
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": false,
    "allowed_ips": null,
    "enable_ip_blacklisting": false,
    "blacklisted_ips": null,
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": null,
    "CORS": {
        "enable": false,
        "allowed_origins": null,
        "allowed_methods": null,
        "allowed_headers": null,
        "exposed_headers": null,
        "allow_credentials": false,
        "max_age": 0,
        "options_passthrough": false,
        "debug": false
    },
    "domain": "",
    "certificates": null,
    "do_not_track": false,
    "tags": null,
    "enable_context_vars": false,
    "config_data": null,
    "tag_headers": null,
    "global_rate_limit": {
        "rate": 0,
        "per": 0
    },
    "strip_auth_data": false,
    "enable_detailed_recording": false,
    "graphql": {
        "enabled": false,
        "execution_mode": "",
        "version": "",
        "schema": "",
        "type_field_configurations": null,
        "playground": {
            "enabled": false,
            "path": ""
        },
        "engine": {
            "field_configs": null,
            "data_sources": null
        }
    }
}

Olu · September 8, 2021, 3:19pm

Thanks for sharing. Will check it and get back to you soon

Olu · October 4, 2021, 10:02am

Hi @ghilman27, could you confirm the number of gateways involved? We are running a couple of tests.

ghilman27 · October 5, 2021, 1:45am

@Olu Do you mean how many Tyk gateway instances? It was a single instance
I also only had around 4 APIs

Olu · October 5, 2021, 9:22am

Thanks for your response. We will get back to you shortly. And yes, I meant how many gateway instances.