Updating docs and fixing code review comments.

anubhav94 · anubhav94 · commit 4cc907f7e482 · 2015-07-22T09:52:09.000-07:00
diff --git a/docs/client/data.js b/docs/client/data.js
diff --git a/docs/client/full-api/api/accounts.md b/docs/client/full-api/api/accounts.md
@@ -401,14 +401,14 @@ client, no arguments are passed.
 
 <h3 id="accounts_rate_limit"><span>Rate Limiting</span></h3>
 
-By default, there are rules added to the [`DDPRateLimiter`](#DDPRateLimiter)
+By default, there are rules added to the [`DDPRateLimiter`](#ddpratelimiter)
 that rate limit logins, new user registration and password reset calls to a
-limit of 5 requests per 10 seconds per IP address. These are a basic solution
+limit of 5 requests per 10 seconds per session. These are a basic solution
 to dictionary attacks where a malicious user attempts to guess the passwords
 of legitimate users by attempting all possible passwords.
 
 These rate limiting rules can be removed by calling
 `Accounts.removeDefaultRateLimit()`. Please see the
-[`DDPRateLimiter`](#DDPRateLimiter) docs for more information.
+[`DDPRateLimiter`](#ddpratelimiter) docs for more information.
 
 {{/template}}
diff --git a/docs/client/full-api/api/methods.md b/docs/client/full-api/api/methods.md
@@ -182,7 +182,22 @@ options about how the client executes the method.
 
 <h2 id="ddpratelimiter"><span>DDPRateLimiter</span></h2>
 
-A rate limiter added directly to DDP. The DDPRateLimiter allows you to add rules to limit calls by one or more of user IDs, IP addresses, method names and/or subscription names. The rate limiter is called on every method and subscription invocation. A default rule of limiting 'login' attempts to 5 calls every 10 seconds per IP address has been added to the [`Accounts base package`](#accounts_api). The rule can be removed by calling [`Accounts.removeDefaultRateLimit()`].
+The DDPRateLimiter allows users to add rules to limit calls to Meteor methods
+and subscriptions by one or more of user IDs, IP addresses, sessions, and
+method & subscription names. The rate limiter is called on every method and
+subscription invocation. A default rule of limiting login, password reset and
+new user creation  attempts to 5 calls every 10 seconds per session has been
+added to the [`accounts package`](#accounts_api). The rule can be removed by
+calling `Accounts.removeDefaultRateLimit()`.
+
+The DDPRateLimiter is configured with a set of rules. Each rule is a set of
+keys to be inspected with filters on those keys to specify all DDP messages
+that satisfy the rule. Each of these possible messages that satisfy the rule
+is given a bucket by creating a unique string composed of all the keys in the
+rule and the values from the message. After each rule's specified time
+interval, all the buckets are deleted. A rate limit is said to have been hit
+when a bucket has reached the rule's capacity, at which point errors will be
+returned for that input until the buckets are reset.
 
 {{> autoApiBox "DDPRateLimiter.addRule"}}
 {{> autoApiBox "DDPRateLimiter.removeRule"}}
diff --git a/docs/client/full-api/tableOfContents.js b/docs/client/full-api/tableOfContents.js
@@ -40,7 +40,8 @@ var toc = [
         {instance: "this", name: "stop", id: "publish_stop"},
         {instance: "this", name: "connection", id: "publish_connection"}
       ],
-      "Meteor.subscribe"
+      "Meteor.subscribe",
+      {name: "DDPRateLimiter", id: "ddpratelimiter"}
     ],
 
     {name: "Methods", id: "methods_header"}, [
@@ -54,7 +55,7 @@ var toc = [
       "Meteor.Error",
       "Meteor.call",
       "Meteor.apply",
-      {name: "DDPRateLimiter", id: "ddpratelimiter"},
+      {name: "DDPRateLimiter", id: "ddpratelimiter"}
     ],
 
     {name: "Check", id: "check_package"}, [
diff --git a/docs/client/names.json b/docs/client/names.json
@@ -1,26 +1,28 @@
 [
+  "Accounts",
   "Accounts",
   "Accounts.changePassword",
-  "Accounts.config",
   "Accounts.createUser",
   "Accounts.emailTemplates",
   "Accounts.forgotPassword",
-  "Accounts.onCreateUser",
-  "Accounts.onEmailVerificationLink",
-  "Accounts.onEnrollmentLink",
-  "Accounts.onLogin",
-  "Accounts.onLoginFailure",
-  "Accounts.onResetPasswordLink",
   "Accounts.resetPassword",
   "Accounts.sendEnrollmentEmail",
   "Accounts.sendResetPasswordEmail",
   "Accounts.sendVerificationEmail",
   "Accounts.setPassword",
   "Accounts.ui",
   "Accounts.ui.config",
-  "Accounts.validateLoginAttempt",
-  "Accounts.validateNewUser",
   "Accounts.verifyEmail",
+  "Ap.config",
+  "Ap.onCreateUser",
+  "Ap.onEmailVerificationLink",
+  "Ap.onEnrollmentLink",
+  "Ap.onLogin",
+  "Ap.onLoginFailure",
+  "Ap.onResetPasswordLink",
+  "Ap.userId",
+  "Ap.validateLoginAttempt",
+  "Ap.validateNewUser",
   "App",
   "App.accessRule",
   "App.configurePlugin",
@@ -86,6 +88,9 @@
   "DDPCommon.MethodInvocation#setUserId",
   "DDPCommon.MethodInvocation#unblock",
   "DDPCommon.MethodInvocation#userId",
+  "DDPRateLimiter.addRule",
+  "DDPRateLimiter.removeRule",
+  "DDPRateLimiter.setErrorMessage",
   "EJSON",
   "EJSON.CustomType",
   "EJSON.CustomType#clone",
@@ -138,7 +143,7 @@
   "Meteor.status",
   "Meteor.subscribe",
   "Meteor.user",
-  "Meteor.userId",
+  "Meteor.users",
   "Meteor.users",
   "Meteor.wrapAsync",
   "Mongo",
@@ -148,6 +153,8 @@
   "Mongo.Collection#find",
   "Mongo.Collection#findOne",
   "Mongo.Collection#insert",
+  "Mongo.Collection#rawCollection",
+  "Mongo.Collection#rawDatabase",
   "Mongo.Collection#remove",
   "Mongo.Collection#update",
   "Mongo.Collection#upsert",
diff --git a/packages/ddp-rate-limiter/ddp-rate-limiter.js b/packages/ddp-rate-limiter/ddp-rate-limiter.js
@@ -1,8 +1,9 @@
 // Rate Limiter built into DDP with a default error message.
 DDPRateLimiter = {
   errorMessage : function (rateLimitResult) {
-    return "Error, too many requests. Please slow down. You must wait " + Math.ceil(
-    rateLimitResult.timeToReset / 1000) + " seconds before trying again.";
+    return "Error, too many requests. Please slow down. You must wait " +
+    Math.ceil(rateLimitResult.timeToReset / 1000) + " seconds before trying " +
+    "again.";
   },
   rateLimiter : new RateLimiter()
 }
@@ -15,17 +16,24 @@ DDPRateLimiter.getErrorMessage = function (rateLimitResult) {
 }
 /**
  * @summary Update the error message returned when call is rate limited.
- * @param {string|function} message Function that takes an object with a timeToReset field that specifies the first time a method or subscription call is allowed
+ * @param {string|function} message Function that takes an object with a
+ * timeToReset field that specifies the first time a method or subscription
+ * call is allowed.
  */
 DDPRateLimiter.setErrorMessage = function (message) {
   this.errorMessage = message;
 }
 
 /**
  * @summary Adds a rule with a number of requests allowed per time interval.
- * @param {object}  rule         Rule should be an object where the keys are one or more of `['userId', 'ipAddr', 'type', 'name'] ` and the values are either `null`, a primitive, or a function that returns true if the rule should apply to the provided input for that key.
- * @param {integer} numRequests  number of requests allowed per time interval. Default = 10.
- * @param {integer} timeInterval time interval in milliseconds after which rule's counters are reset. Default = 1000.
+ * @param {object}  rule Rule should be an object where the keys are one or
+ * more of `['userId', 'ipAddr', 'type', 'name', 'sessionId'] ` and the values
+ * are either `null`, a primitive, or a function that returns true if the rule
+ * should apply to the provided input for that key.
+ * @param {integer} numRequests  number of requests allowed per time interval.
+ * Default = 10.
+ * @param {integer} timeInterval time interval in milliseconds after which
+ * rule's counters are reset. Default = 1000.
  * @return {string} Returns unique `ruleId` that can be passed to `removeRule`.
  */
 DDPRateLimiter.addRule = function (rule, numRequests, timeInterval) {
@@ -41,6 +49,8 @@ DDPRateLimiter.removeRule = function (id) {
   return this.rateLimiter.removeRule(id);
 }
 
+// This is accessed inside livedata_server.js, but shouldn't be called by any
+// user.
 DDPRateLimiter._increment = function (input) {
   this.rateLimiter.increment(input);
 }
diff --git a/packages/ddp-server/livedata_server.js b/packages/ddp-server/livedata_server.js
@@ -580,12 +580,17 @@ _.extend(Session.prototype, {
         // reconnect.
         return;
 
+      // XXX It'd be much better if we had generic hooks where any package can
+      // hook into subscription handling, but in the mean while we special case
+      // ddp-rate-limiter package. This is also done for weak requirements to
+      // add the ddp-rate-limiter package in case we don't have Accounts. A
+      // user trying to use the ddp-rate-limiter must explicitly require it.
       if (Package['ddp-rate-limiter']) {
         var DDPRateLimiter = Package['ddp-rate-limiter'].DDPRateLimiter;
         var rateLimiterInput = {
           userId: self.userId,
           ipAddr: self.connectionHandle.clientAddress,
-          type: msg.msg,
+          type: "sub",
           name: msg.name,
           sessionId: self.id
         };
@@ -667,12 +672,16 @@ _.extend(Session.prototype, {
       });
 
       try {
+        // XXX It'd be better if we could hook into method handlers better but
+        // for now, we need to check if the ddp-rate-limiter exists since we
+        // have a weak requirement for the ddp-rate-limiter package to be added
+        // to our application.
         if (Package['ddp-rate-limiter']) {
           var DDPRateLimiter = Package['ddp-rate-limiter'].DDPRateLimiter;
           var rateLimiterInput = {
             userId: self.userId,
             ipAddr: self.connectionHandle.clientAddress,
-            type: msg.msg,
+            type: "method",
             name: msg.method,
             sessionId: self.id
           };
diff --git a/packages/rate-limit/rate-limit.js b/packages/rate-limit/rate-limit.js
