How did I implement rate/limit feature for comments?

Problem

Captcha is a method designed to prevent spam behavior on applications, especially on web applications. Without captcha, attackers can easily generate automated queries with continuous frequency to a specific function to sabotage the system.

However, captcha is not without flaws. Its biggest drawback is that it can be confusing for users. Many codes are generated to verify that you are a human, but sometimes you have to wonder if you are indeed human when you can't decipher those distorted or blurry characters.

The comment function on 2coffee does not use captcha to create difficulties for users. Instead, I have implemented a technique called "rate/limit" to restrict spam behavior. Basically, it prevents continuous actions and limits the number of times a certain action can be performed within a specific time period. For example, only allowing users to comment a maximum of 3 times in 1 minute, or requiring a minimum of 10 seconds before submitting the next comment.

In today's article, I would like to share the process of implementing my rate/limit feature. I believe it will be helpful for readers, or I hope to receive feedback from readers to improve the implementation.

Algorithm

The initial idea is very simple. Since I didn't want to be too strict, I decided to allow users to submit a comment every 10 seconds after a successful submission. After successfully submitting a comment on one post, they need to wait at least 10 seconds before submitting a comment on any other post.

At this point, I need to implement an algorithm that takes the user ID as input and returns true/false. True if the limit has not been exceeded, false if they have commented too many times. Based on this, I can determine whether to allow them to submit a comment or not.

There are many ways to solve this problem, the simplest one is to retrieve their last comment and check the time to see if it's valid. This method is fast and straightforward to implement, but if there are many comments in the future, the query can become slower. Furthermore, future expansions may become more complicated. For example, changing the algorithm to allow them to submit a maximum of 3 comments within one minute. This would make the query more complex and likely slower.

Since Redis is being used, I have another approach to leverage the expire feature (ttl) of a key in Redis. I will create a key in the format comment_limit:user_id which contains a boolean value with an expiration time equal to the time between consecutive comments. Each time a comment is made, I just need to check if the key comment_limit:user_id exists. If it exists, it means they are not allowed to comment, and vice versa.

The advantage of this method is that the condition check is relatively fast, requiring only one query to retrieve the comment_limit:user_id key. However, more code needs to be written to handle the logic.

Implementation

The implementation is very simple. You need to have a Redis server to create keys with ttl. Each time you call the comment creation function, check if the comment_limit:user_id key exists.

For example, in the case where my user_id is 1:

GET comment_limit:1

If comment_limit:1 returns true, throw an error indicating that commenting is not allowed. Otherwise, if it returns null, allow the comment to be added, and then create a key comment_limit:1 with an expiration time set to the time you have configured. Let's assume it's 10 seconds:

SET comment_limit:1 true EX 10

With this, after 10 seconds, comment_limit:1 will be automatically deleted and the logic will allow the user to comment again.

Conclusion

There are many ways to implement the rate/limit algorithm for comment sections. I am currently using the approach of using the automatic expiration feature of keys combined with naming conventions to create a logic for checking the availability of comment activities. If you have any other approaches, please leave a comment for everyone to know!