Consider limiting reactions as to avoid DOS/Abuse

[LordPraslea]

Hi

While testing reactions locally i noticed I could add tens if not hundreds of reactions and there seems to be no limit to them.

Is this the intended usage? I'd imagine a BOT spamming the DB with thousands of reactions

I was thinking of a limiter per IP (or hashed IP to avoid GDPR) to allow one of each per 24 hours.

What do you think?

I'll probably need to have a look at other systems to see how well it behaves.

Out of curiosity haven't you noticed bots trying to cling to various API's on your website?

[jlelse]

Yeah I noticed this as well, I have posts with almost a million reactions, probably due to someone trying to reach non-existing limits. But I tried to keep the code for this feature as performant as possible and never noticed any impact due to it. I guess the best way to set a rate limit would be to use some reverse proxy like Caddy and configure a rate limit there.

[LordPraslea]

Ok, nice. A "limit" might be usefull in some cases as to give the reactions some value, otherwise a single person can give 100 reactions and you wouldn't know if it where genuinely 100 people or 1 person who did it:). Yeah I guess caddy can rate limit, but this could also happen locally.