How to mitigate the 30 requests per minute limitation?
I'm a newbie to Vanilla forum. We have integrated Vanilla forum into our app by using the Vanilla API. If I talk about the Vanilla integration with your site: admins can create discussions from your app, and we direct those requests to the API using an access token key which is generated for an administrator in Vanilla forum.
Users are logged in through Access Directory and it's integrated with the Vanilla API as well. Users can access our API and see the Vanilla forum, which uses Access Directory authentication, and can create conversations. We thought to follow the same pattern described above, and I have an issue that we will get hit by the 30 requests per minute limit if 40 users try to create conversations at the same time (in a minute). How to handle this situation? How can a user directly contact Vanilla discussions safely? Can we create tokens for each and every user?
I have attached an image as well to show the architecture we are using.
You should have a token per user. Otherwise you will have to reconstruct each and every permission handling on your app's side.
If you access the API with a token of a user, you don't have to think about permissions.
See here for an example on how to create a token for a user: https://github.com/R-J/apitoken/blob/master/class.apitoken.plugin.php
Hi @R_J, thanks a lot for your answer on this. I read your code for creating a token per user, but where should I put this PHP class? Should I put it on the Vanilla forum server or in my backend? If you don't mind, can you please explain how to use this plugin with Vanilla?
@R_J I used Docker for Vanilla and set it up using that. I tried to follow your documentation on how to install a plugin as well. Then I uploaded your plugin as you instructed there, and I enabled the plugin.
The issue is that when I try to access the API I'm getting a full page render with a page not found error. How do I fix that issue? I tried in the addon to enable the API or something, but it's not there.
@R_J sorry for tagging you again. I tried to trigger your plugin using the URL vanila-domain/api/v2/plugin/apitoken
but it says it's not found.
No, the plugin isn't really useful for anything else but being a reference implementation on how to issue a token.
You might also be interested in this comment: https://open.vanillaforums.com/discussion/comment/255772/#Comment_255772
That "feature flag" mentioned there means that you have to add
$Configuration['Feature']['AuthenticationAPI']['Enabled'] = true; to your config to use the authentication API. But I haven't done any tests with that, so I cannot tell you how to use it. Since it hasn't been officially audited, it might not be the best idea to use it already.
Forget about that linked comment. It wouldn't help you. It allows authentication via API but it doesn't issue a token, so you will have to implement that on your own.
By now your server does every request to Vanilla as the admin user. If you mix up the code from the plugin above and the information from that discussion, you should be able to extend your server's functionality to issue a token for a user (if needed).
I wonder if we should maybe make it clearer, but our vanilla-docker isn't really set up for production usage. It comes with xdebug installed and enabled, and doesn't even have opcache.
It's built primarily for local development.
Who cares about reading documentation? After all, this discussion is all about that part of the docs 😉
Thanks for the answer @charrondev. I need to make things clear regarding this constraint of mitigating 30 requests per minute.
As a new developer for Vanilla forum, and as we are trying to use your products as an integrated solution, we find difficulties with the above question. I would really appreciate it if you can answer, and it will be helpful to the people who are lost in this issue as well.
In addition to this, I would like to thank @R_J for explaining more on the background.
The 30-second limit might come from the spam settings in the config (the
And when you hit the next limit it might come from here:
But your question 5 should be answered first: working with just one master token is wrong. The problem with that approach is that you have to recreate a lot of inbuilt functionality, mainly the user access rights. But also the spam threshold if you do it that way 😉
The current documentation still shows that you (your app) have to issue tokens by yourself. If you have questions concerning the cloud version, I would recommend using the official contact form. Although the developers that come around here most probably know the answer to your questio
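As an added illustration (not code from the thread or from Vanilla), the following Python model shows why the "one master token" pattern trips a 30 requests per minute threshold when 40 users post in the same minute, while one token per user does not. It assumes the threshold is counted per authenticating token; the user names and token strings are constructed placeholders.

```python
# Added illustration, not Vanilla's own code: a per-key sliding-window counter standing in
# for the forum's threshold. Assumption: the limit is applied per token, so 40 users behind
# one admin token share a single window, while 40 per-user tokens get 40 windows.
from collections import defaultdict, deque

LIMIT = 30            # requests allowed per window (the figure from the question)
WINDOW_SECONDS = 60   # window length: one minute


class SlidingWindowLimiter:
    """Counts accepted requests per key inside a sliding window of WINDOW_SECONDS."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # key -> timestamps of accepted requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # forget timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:                 # window full: this request is rejected
            return False
        q.append(now)
        return True


def simulate(user_ids, token_for_user, limiter=None):
    """One 'create conversation' request per user, one second apart, all inside one minute.
    Returns (accepted, rejected)."""
    limiter = limiter or SlidingWindowLimiter()
    accepted = rejected = 0
    for second, uid in enumerate(user_ids):
        if limiter.allow(token_for_user(uid), now=second):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


USERS = [f"user{i}" for i in range(40)]   # constructed: 40 users posting within one minute


def shared_admin_token(uid):
    return "ADMIN_TOKEN_PLACEHOLDER"      # every request is authenticated as the admin


def per_user_token(uid):
    return f"token-for-{uid}"             # hypothetical: one token issued per forum user


if __name__ == "__main__":
    print("shared admin token:", simulate(USERS, shared_admin_token))  # (30, 10)
    print("token per user:   ", simulate(USERS, per_user_token))       # (40, 0)
```

The rejected count in the first run is the "hit by 30 requests per minute" situation from the question; the second run also keeps each request under the posting user's own permissions, which is the point made earlier in the thread.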