Is Rate Limiting middleware before or after Authentication one? #1828
-
@osmansonmez yes this makes sense I think, I would accept a PR for this but don't have time to do the work myself atm. I will mark this issue as a new feature.
-
This really needs to be addressed. ETA anyone? At least this should be mentioned in the documentation, that this can be exploited to launch a DoS attack on a valid client in its current state (mark as experimental maybe?).
-
Hi Osman!
-
I want to use Rate Limiting but I want to take RequestId from claims. I see the RateLimiting handler runs before the authentication handler and the `ClaimsToHeadersMiddleware` handler. I think we should change the order of RateLimiting and authentication. I don't trust a clear header value. The client can always change the ClientId value, make requests to the server and break the Rate Limiting control. I want to take RequestID from the claims after authentication. How can we do this?
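The ordering concern raised in this thread, as an added example that is not part of the discussion and is not Ocelot code: a small simulation that replays the same traffic through a limiter keyed on the client-supplied ClientId header and through one keyed on an identity taken from a validated token. `Request`, `FixedWindowLimiter`, `Replay` and the traffic are hypothetical and constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration with hypothetical names; this is not Ocelot's API.
// Subject stands for the identity taken from a validated token's claims.
record Request(string ClientIdHeader, string Subject);

sealed class FixedWindowLimiter
{
    private readonly int _limit;
    private readonly Dictionary<string, int> _counts = new();
    public FixedWindowLimiter(int limit) => _limit = limit;

    // True while the key is still under its quota for the current window.
    public bool Allow(string key)
    {
        _counts.TryGetValue(key, out var used);
        if (used >= _limit) return false;
        _counts[key] = used + 1;
        return true;
    }
}

static class Demo
{
    // Replays traffic through a fresh limiter; returns allowed requests per real caller.
    static Dictionary<string, int> Replay(IEnumerable<Request> traffic, Func<Request, string> keyOf, int limit)
    {
        var limiter = new FixedWindowLimiter(limit);
        var allowed = new Dictionary<string, int>();
        foreach (var r in traffic)
        {
            allowed.TryAdd(r.Subject, 0);
            if (limiter.Allow(keyOf(r))) allowed[r.Subject]++;
        }
        return allowed;
    }

    static string Report(string label, Dictionary<string, int> result) =>
        label + ": " + string.Join(", ", result.Select(kv => $"{kv.Key}={kv.Value}"));

    static void Main()
    {
        // Constructed traffic: one caller reuses alice's ClientId, then rotates it; alice follows.
        var traffic = new List<Request>();
        for (var i = 0; i < 3; i++) traffic.Add(new Request("alice-app", "mallory"));
        for (var i = 0; i < 5; i++) traffic.Add(new Request($"rotated-{i}", "mallory"));
        for (var i = 0; i < 2; i++) traffic.Add(new Request("alice-app", "alice"));

        Console.WriteLine(Report("limiter before auth (header key)", Replay(traffic, r => r.ClientIdHeader, 3)));
        Console.WriteLine(Report("limiter after auth (claim key)", Replay(traffic, r => r.Subject, 3)));
    }
}
```

With the header key, the caller that copies or rotates ClientId values is never throttled while the legitimate client is locked out; with the claim key, each authenticated identity is held to its own quota.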