Create access throughput service
A new service will be created that maintains a list of external connections made to the API, using a piece of identifiable information and a timestamp to store a record of each access. This service will be bound to CDI to allow for access throughout the application. As this service will be multithreaded, access to mutable elements will need to be synchronized.
On each request to the throughput service, any expired entries should be removed before any operations (such as adding new entries or checking for abuse) are performed.
If a user triggers an unsuccessful request too many times after the limit has been reached, then a temporary blacklist can be triggered to reduce the likelihood of abuse of the API. There should be the ability to weight different types of requests so that some trigger timeouts faster than others.
The following properties will be created within the MicroProfile configuration for the application:
- eclipse.throughput.max: The maximum number of accesses allowed per period.
- eclipse.throughput.period: The period of time to record access for.
- eclipse.throughput.burst.max: The number of requests that should be allowed within a burst period.
- eclipse.throughput.burst.period: The period of time that defines a "burst" of requests.
- eclipse.throughput.burst.weight: Allows for users abusing the API within a short period of time to trigger a timeout sooner by increasing the weight of unsuccessful burst requests.
- eclipse.throughput.whitelist: Whitelist of personally identifiable tokens that should always be allowed access.
- eclipse.throughput.blacklist: Blacklist of personally identifiable tokens that should always be restricted access.
- eclipse.throughput.timeout.max: The maximum number of requests to allow to the API.
- eclipse.throughput.timeout.period: The timeout period for too many requests.
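
A minimal sketch of the expire-then-check flow and the weighted temporary blacklist described above, added here as an illustration and not the project's own code. Class and method names are hypothetical, the constructor arguments stand in for the eclipse.throughput.* properties with assumed semantics, the caller passes the current time so the run is deterministic, and CDI binding, burst handling and the static whitelist/blacklist are left out.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
// Added sketch; every class, method and field name here is hypothetical.
public class ThroughputSketch {
    private final int max;         // assumed meaning of eclipse.throughput.max
    private final long periodMs;   // eclipse.throughput.period, taken as milliseconds
    private final int timeoutMax;  // eclipse.throughput.timeout.max, read here as a penalty threshold
    private final long timeoutMs;  // eclipse.throughput.timeout.period, taken as milliseconds
    private final Map<String, Deque<Long>> accesses = new HashMap<>();
    private final Map<String, Integer> penalties = new HashMap<>();
    private final Map<String, Long> blockedUntil = new HashMap<>();

    public ThroughputSketch(int max, long periodMs, int timeoutMax, long timeoutMs) {
        this.max = max; this.periodMs = periodMs;
        this.timeoutMax = timeoutMax; this.timeoutMs = timeoutMs;
    }

    // One lock guards all three maps; weight is the cost of a rejected request of this type.
    public synchronized boolean tryAccess(String token, long now, int weight) {
        expire(now); // stale entries are removed before any check or insert
        if (blockedUntil.containsKey(token)) return false;
        Deque<Long> seen = accesses.computeIfAbsent(token, k -> new ArrayDeque<>());
        if (seen.size() < max) { seen.addLast(now); return true; }
        // Over the limit: accumulate weighted penalties until the timeout threshold is hit.
        if (penalties.merge(token, weight, Integer::sum) >= timeoutMax) {
            blockedUntil.put(token, now + timeoutMs); // temporary blacklist
            penalties.remove(token);
        }
        return false;
    }

    private void expire(long now) {
        blockedUntil.values().removeIf(until -> until <= now);
        Iterator<Map.Entry<String, Deque<Long>>> it = accesses.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry<String, Deque<Long>> e = it.next();
            Deque<Long> seen = e.getValue();
            while (!seen.isEmpty() && seen.peekFirst() <= now - periodMs) seen.removeFirst();
            if (seen.isEmpty()) { penalties.remove(e.getKey()); it.remove(); }
        }
    }

    public static void main(String[] args) {
        ThroughputSketch s = new ThroughputSketch(2, 1000, 3, 5000);
        long[] at = {0, 10, 20, 30, 2000, 5030}; int[] w = {1, 1, 1, 2, 1, 1}; // constructed timeline
        for (int i = 0; i < at.length; i++) System.out.println(at[i] + " " + s.tryAccess("token-a", at[i], w[i]));
    }
}
```

The single `synchronized` entry point keeps the expiry pass and the limit check atomic with respect to each other, which is the property the multithreading requirement above is asking for.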