captaincodeman / svelte-api-keys Goto Github PK
View Code? Open in Web Editor NEWAPI Key Generation, Validation, and Rate Limiting for SvelteKit
Home Page: https://captaincodeman.github.io/svelte-api-keys/
API Key Generation, Validation, and Rate Limiting for SvelteKit
Home Page: https://captaincodeman.github.io/svelte-api-keys/
Example: you have an API route /routes/api/projects/[id]/+server.ts
You could have a permission allowing you access to all projects, such as project:*
or you might want a token that only allows access to a specific project, so would have a permission like project:world-domination
Fairly easy to do, but maybe not obvious:
export async function GET({ locals, params }) {
const { id } = params
await locals.api.any(`project:*`, `project:${id}`).approve(limit)
// rest of code
}
Allow updating permissions on existing API keys
Cover lots of databases for key storage - use something like Drizzle (?)
Document how to implement API Key Prefixes to indicate usage, similar as Stripe's pk_test_
(prefix can be stripped out via custom fn in key extractor)
There would never be enough tokens available to fulfill the request, so the system should warn when this is detected
e.g. for cloudflare, when it would be in a http header (True-Client-IP
?) instead of using SvelteKit's event.getClientAddress()
Combine Handler
into KeyManager
, and also pass in KeyExtractor
Options
as a parameter instead of it being a separate instance. i.e. it's just the key store and token bucket implementation (that have different implementations) that need to be passed in.
before
const store = new InMemoryKeyStore()
const manager = new KeyManager(store)
const bucket = new InMemoryTokenBucket()
const extractor = new KeyExtractor({ searchParam: 'key', httpHeader: 'x-api-key' })
const handler = new Handler(extractor, manager, bucket)
export const handle = handler.handle
after
const store = new InMemoryKeyStore()
const bucket = new InMemoryTokenBucket()
const manager = new KeyManager(store, bucket, { searchParam: 'key', httpHeader: 'x-api-key' })
export const handle = manager.handle
Demo doesn't need to be making real http requests, which then require a backend.
It can use the pieces to emulate making requests, which would also allow it to visualize the operation of the token buckets and permission checks.
More importantly, it can then the run completely client-side so it wouldn't require a real back-end and could be run on GitHub Pages.
Make it easier to call the limit fn in endpoints, without requiring any imports, by accepting rate
and size
parameters directly (which are normally used for the Refill
constructor). The api
object on locals could also expose the SECOND
, MINUTE
, etc... constants
before
import { MINUTE, Refill } from 'svelte-api-keys'
const rate = new Refill(30 / MINUTE, 10)
export async function GET({ locals }) {
await locals.api.has('read').limit(rate)
// process request
}
after
export async function GET({ locals }) {
await locals.api.has('read').limit(30 / locals.api.MINUTE, 10)
// process request
}
Unless the key size is way too small the chances are so tiny as to be impossible, which means it's guaranteed to happen ...
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.