I have two related questions.
First, are there any Jersey features for throttling connections from users?
Services such as Twitter only allow a certain number or requests per time
period. How would I do something similar? Is this something that is better
handled by a proxy or other service?
The thing is, I'd like to have varying service levels based upon the "plan"
the user is paying for. So whatever is doing the throttling would need to be
able to access business logic.
Secondly, I have a specific use case that needs even more strict API abuse
prevention measures. I'm sure doing this probably isn't a best practice, but
my API allows new user accounts to be created. The web UI is a single-page
javascript app, and there are mobile, iphone and android apps, all which
need to be able to create accounts. Third-party apps will be able to provide
UI for users to create accounts as well. So using a RESTful API call is
quite convenient.
But are there any good ways to keep bots from automatically signing up lots
of accounts? Perhaps any given IP can only sign up one account per minute.
But what about all those AOL users, or corporate users behind firewalls?
As a pure API solution, there would not be a CAPTCHA involved. But perhaps
there could be. What if the client was required to make an initial request
to gain permission to create an account? That permission request would
respond with something like:
http://somewhere.com/api1/account/permission
{
request_id: 2ab3f98ce
captcha_image:
http://somewhere.com/captchas/2ab3f98ce.gif
}
Then the API call to create an account would include the request_id plus the
"answer" to the captcha image. It could also require at least 10 seconds
before the /account/permission call and the /account/create call to make
sure a human is doing the work, not a bot.
But I hate CAPTCHAs, especially in my mobile apps. And it seems like there
should be a better solution. Any ideas?
Tauren