How did I implement rate/limit feature for comments?

How did I implement rate/limit feature for comments?

Daily short news for you

  • People often joke that regex is the language of aliens. Anyone who can write regex has the abilities of an extraterrestrial. It's just a joke, but the truth is that regex is really hard to understand.

    By chance, I came across a website that teaches us regex step by step. During the learning process, we need to interact with dozens of questions ranging from simple to advanced in order to gradually learn how to use this "alien language".

    regexlearn.com

    » Read more

  • Good news to start the day. GitHub has just widely announced GitHub Models to everyone. If you remember, more than 2 months ago, GitHub had a trial program for using LLMs models, and in my case, it took a month to get approved for use. Now, they have given everyone with a GitHub account access, no registration needed anymore 🥳

    GitHub Models is currently a lifesaver for me while building this blog 😆

    GitHub Models is now available in public preview | Github Blog

    » Read more

  • I came across a repository that uses Tauri and Svelte to rewrite an application like the Task Manager on Windows or the Monitor on Mac. I was curious, so I downloaded it and was surprised to find that the app is only a few MB in size and loads quickly. The app itself is also very smooth

    » Read more

Problem

Captcha is a method designed to prevent spam behavior on applications, especially on web applications. Without captcha, attackers can easily generate automated queries with continuous frequency to a specific function to sabotage the system.

However, captcha is not without flaws. Its biggest drawback is that it can be confusing for users. Many codes are generated to verify that you are a human, but sometimes you have to wonder if you are indeed human when you can't decipher those distorted or blurry characters.

The comment function on 2coffee does not use captcha to create difficulties for users. Instead, I have implemented a technique called "rate/limit" to restrict spam behavior. Basically, it prevents continuous actions and limits the number of times a certain action can be performed within a specific time period. For example, only allowing users to comment a maximum of 3 times in 1 minute, or requiring a minimum of 10 seconds before submitting the next comment.

In today's article, I would like to share the process of implementing my rate/limit feature. I believe it will be helpful for readers, or I hope to receive feedback from readers to improve the implementation.

Algorithm

The initial idea is very simple. Since I didn't want to be too strict, I decided to allow users to submit a comment every 10 seconds after a successful submission. After successfully submitting a comment on one post, they need to wait at least 10 seconds before submitting a comment on any other post.

At this point, I need to implement an algorithm that takes the user ID as input and returns true/false. True if the limit has not been exceeded, false if they have commented too many times. Based on this, I can determine whether to allow them to submit a comment or not.

There are many ways to solve this problem, the simplest one is to retrieve their last comment and check the time to see if it's valid. This method is fast and straightforward to implement, but if there are many comments in the future, the query can become slower. Furthermore, future expansions may become more complicated. For example, changing the algorithm to allow them to submit a maximum of 3 comments within one minute. This would make the query more complex and likely slower.

Since Redis is being used, I have another approach to leverage the expire feature (ttl) of a key in Redis. I will create a key in the format comment_limit:user_id which contains a boolean value with an expiration time equal to the time between consecutive comments. Each time a comment is made, I just need to check if the key comment_limit:user_id exists. If it exists, it means they are not allowed to comment, and vice versa.

The advantage of this method is that the condition check is relatively fast, requiring only one query to retrieve the comment_limit:user_id key. However, more code needs to be written to handle the logic.

Implementation

The implementation is very simple. You need to have a Redis server to create keys with ttl. Each time you call the comment creation function, check if the comment_limit:user_id key exists.

For example, in the case where my user_id is 1: 

GET comment_limit:1

If comment_limit:1 returns true, throw an error indicating that commenting is not allowed. Otherwise, if it returns null, allow the comment to be added, and then create a key comment_limit:1 with an expiration time set to the time you have configured. Let's assume it's 10 seconds: 

SET comment_limit:1 true EX 10

With this, after 10 seconds, comment_limit:1 will be automatically deleted and the logic will allow the user to comment again.

Conclusion

There are many ways to implement the rate/limit algorithm for comment sections. I am currently using the approach of using the automatic expiration feature of keys combined with naming conventions to create a logic for checking the availability of comment activities. If you have any other approaches, please leave a comment for everyone to know!

or
* The summary newsletter is sent every 1-2 weeks, cancel anytime.
Author

Hello, my name is Hoai - a developer who tells stories through writing ✍️ and creating products 🚀. With many years of programming experience, I have contributed to various products that bring value to users at my workplace as well as to myself. My hobbies include reading, writing, and researching... I created this blog with the mission of delivering quality articles to the readers of 2coffee.dev.Follow me through these channels LinkedIn, Facebook, Instagram, Telegram.

Did you find this article helpful?
NoYes

Comments (0)

Leave a comment...