
How to mitigate the 30 requests per minute limitation?

I'm a newbie to Vanilla Forum. We have integrated Vanilla Forum into our app using the Vanilla API. If I talk about the Vanilla integration with your site: admins can create discussions from our app and we direct those requests to the API using an access token key which is generated for an administrator in the Vanilla forum.

Users are logged in through Access Directory and it is integrated with the Vanilla API as well. Users can access our API and see the Vanilla forum, which uses Access Directory authentication, and can create conversations. We thought to follow the same pattern described above, and I have an issue: we will hit the 30 requests per minute limit if 40 users try to create conversations at the same time (within a minute). How to handle this situation? How can a user directly contact a Vanilla discussion safely? Can we create tokens for each and every user?

I hereby attach an image as well to show the architecture we are using.


  • R_J (Ex-Fanboy, Munich, Admin)

    You should have a token per user. Otherwise you will have to reconstruct each and every permission handling on your apps side.

    If you access the API with a token of a user, you don't have to think about permissions.

    See here for an example on how to create a token for a user: https://github.com/R-J/apitoken/blob/master/class.apitoken.plugin.php

  • Hi @R_J, thanks a lot for your answer on this. I read your code for creating a token per user, but where should I put this PHP class? Should I put it in the Vanilla forum server or in my backend? If you don't mind, can you please explain how to use this plugin with Vanilla?

  • @R_J I used Docker for Vanilla and set it up using that. I tried to follow your documentation on how to install a plugin as well. Then I uploaded your plugin as you instructed there, and I enabled the plugin.

    The issue is that when I try to access the API I'm getting a full page render with a page not found error. How to fix that issue? I tried in addons to enable the API or something, but it's not there.

  • @R_J sorry for tagging you again. I tried to trigger your plugin using the URL vanila-domain/api/v2/plugin/apitoken

    but it says it's not found.

  • R_J (Ex-Fanboy, Munich, Admin)

    No, the plugin isn't really useful for anything else but being a reference implementation on how to issue a token.

    You might also be interested in this comment: https://open.vanillaforums.com/discussion/comment/255772/#Comment_255772

    That "feature flag" mentioned there means that you have to add $Configuration['Feature']['AuthenticationAPI']['Enabled'] = true; to your config to use the authentication API. But I haven't done any tests with that, so I cannot tell you how to use it. Since it hasn't been officially audited, it might not be the best idea to use it already.

  • R_J (Ex-Fanboy, Munich, Admin)

    Forget about that linked comment. It wouldn't help you. It allows authentication via API but it doesn't issue a token, so you will have to implement that on your own.

    Right now your server does every request to Vanilla as the admin user. If you mix up the code from the plugin above and the information from that discussion, you should be able to extend your server's functionality to issue a token for a user (if needed).

  • charrondev (Developer Lead (PHP, JS), Montreal, Vanilla Staff)

    I wonder if we should maybe make it clearer, but our vanilla-docker isn't really set up for production usage. It comes with xdebug installed and enabled, and doesn't even have opcache.

    It's built primarily for local development.

  • R_J (Ex-Fanboy, Munich, Admin)

    Who cares about reading documentation? After all, this discussion is all about that part of the docs 😉

  • Thanks for the answer @charrondev. I need to make things clear regarding this constraint of mitigating 30 requests per minute.

    1. Is there any other workaround to mitigate the issue without getting into this constraint? If so, can you elaborate more?
    2. Is it possible to issue an access token on behalf of a user if we use the community edition of Vanilla Forum? (e.g. let's say an admin API account is there, so calling the Vanilla API is able to generate a token for the user)
    3. Is it possible to enable the API for user tokens if we use the paid version of Vanilla Forum?
    4. If so, what would be the flow to create those tokens? And how should we proceed with the flow?
    5. We use an admin user token to do all the discussion creation, adding participants to groups, creating groups. Is it the correct way? Or do you have any proposed mechanism to do it right?

    As new developers for Vanilla Forum, trying to use your products as an integrated solution, we find difficulties with the above questions. I'd really appreciate it if you can answer; it will be helpful to the people who are lost in this issue as well.

    In addition to this I would like to thank @R_J for explaining more on the background.

  • R_J (Ex-Fanboy, Munich, Admin)

    The 30 seconds limit might come from the spam settings in the config (applications/conversations/settings/configuration.php):

    // All of the settings defined here can be overridden in the /conf/config.php file.
    $Configuration['Conversations']['Installed'] = '0';
    $Configuration['Conversations']['Conversations']['PerPage'] = '50';
    $Configuration['Conversations']['Messages']['PerPage'] = '50';
    $Configuration['Conversations']['Message']['MaxLength'] = '2000';
    $Configuration['Conversations']['Message']['Format'] = 'Text';
    $Configuration['Conversations']['Subjects']['Visible'] = false;
    // Flood control defaults.
    $Configuration['Conversations']['Conversation']['SpamCount'] = '2';
    $Configuration['Conversations']['Conversation']['SpamTime'] = '30';
    $Configuration['Conversations']['Conversation']['SpamLock'] = '60';
    $Configuration['Conversations']['ConversationMessage']['SpamCount'] = '2';
    $Configuration['Conversations']['ConversationMessage']['SpamTime'] = '30';
    $Configuration['Conversations']['ConversationMessage']['SpamLock'] = '60';

    And when you hit the next limit it might come from here:

    // Spam settings explained:
    // Users cannot post more than $SpamCount comments within $SpamTime seconds or
    // their account will be locked from posting for $SpamLock seconds.
    $Configuration['Vanilla']['Comment']['SpamCount'] = '5';
    $Configuration['Vanilla']['Comment']['SpamTime'] = '60';
    $Configuration['Vanilla']['Comment']['SpamLock'] = '120';
    $Configuration['Vanilla']['Discussion']['SpamCount'] = '3';
    $Configuration['Vanilla']['Discussion']['SpamTime'] = '60';
    $Configuration['Vanilla']['Discussion']['SpamLock'] = '120';

    But your question 5 should be answered first: working with just one master token is wrong. The problem with that approach is that you have to recreate a lot of built-in functionality, mainly the user access rights. But also the spam threshold if you do it that way 😉

    The current documentation still shows that you (your app) have to issue tokens by yourself. If you have questions concerning the cloud version, I would recommend using the official contact form. Although the developers that come around here most probably know the answer to your questio
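    To see why one admin token hits the flood control while a token per user does not (the point made in the first reply and in the answer to question 5), here is an added model of the SpamCount / SpamTime / SpamLock rule as the config comment describes it, run over the question's scenario of 40 users posting within a minute. It is illustration code, not Vanilla's own implementation, and the timing and limits (3 / 60 / 120, the Discussion defaults above) are assumptions.

```python
from collections import defaultdict, deque


class FloodControl:
    """Model of the SpamCount / SpamTime / SpamLock rule from the config comment:
    more than spam_count posts within spam_time seconds locks the poster for
    spam_lock seconds. The counter is keyed by the acting user, which is why the
    identity behind the token matters. (Assumed model, not Vanilla's own code.)"""

    def __init__(self, spam_count, spam_time, spam_lock):
        self.spam_count = spam_count
        self.spam_time = spam_time
        self.spam_lock = spam_lock
        self.posts = defaultdict(deque)   # user -> timestamps of recent posts
        self.locked_until = {}            # user -> time the lock expires

    def try_post(self, user, now):
        """Return True if the post is accepted, False if throttled or locked."""
        if now < self.locked_until.get(user, 0):
            return False
        window = self.posts[user]
        while window and now - window[0] >= self.spam_time:
            window.popleft()              # forget posts outside the window
        if len(window) >= self.spam_count:
            self.locked_until[user] = now + self.spam_lock
            return False
        window.append(now)
        return True


def simulate(shared_token, n_users, limits=(3, 60, 120)):
    """n_users each create one discussion, one second apart (constructed timing).
    shared_token=True means every request is made as the one admin token holder;
    False means each user acts under a token of their own."""
    fc = FloodControl(*limits)
    accepted = 0
    for i in range(n_users):
        actor = "admin" if shared_token else f"user{i}"
        if fc.try_post(actor, now=i):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("one admin token:", simulate(True, 40))    # 3 accepted, then locked
    print("token per user: ", simulate(False, 40))   # 40 accepted
```

    With the shared token the fourth request within the window trips the lock and the remaining 36 are rejected; with per-user tokens each counter sees a single post.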
