I'm writing a REST API which doesn't require any authentication. How can I restrict a browser to a particular number of requests in a day? Also, how can I differentiate whether a call is from a browser or made through a program?
For your first question, look into a rate limiter such as this: github.com/jhurliman/node-rate-limiter - there are more.
Second question: get access to the user-agent on the incoming request. A lib like this will help: github.com/biggora/express-useragent
I don't know if I'm assuming too much, but maybe that "rate-limit" logic can be set on the load balancer (if you use one in your setup), so you don't actually need to add specific logic to your Node.js server and complicate things.
Some links:
Edit: I did not see the node tag there, so I will remove the PHP part of my answer. Sorry!
If you want to identify whether the call is from JS:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
You can use one or all of the above points and combine them with the host name if you want. These are some points that came to my mind, and I am sure there are many, many more.
BUT, if you are not really offering some secure information (about people's identities), please let people scrape your website as they want, because the internet is a free environment. A tech-savvy person can circumvent almost 99% of the measures taken. And DDoS is really, really difficult to prevent after all.
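The two answers above point at a rate limiter and at the User-Agent header. The block below is an added example, not code from either answer or from the linked libraries: a fixed-window per-client daily quota keyed on the client address, plus a User-Agent heuristic, written as plain Node.js functions so it runs without Express or any dependency. The request objects, addresses and the `looksLikeBrowser`, `clientKey`, `handle` and `demo` names are all constructed for this example. The last sample request shows the caveat both answers imply: a script that sends a browser User-Agent is classified as a browser.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Fixed-window counter: each key gets `limit` requests per UTC day.
// The clock is injectable so the midnight reset can be tested without waiting.
class DailyLimiter {
  constructor(limit, now = Date.now) {
    this.limit = limit;
    this.now = now;
    this.windows = new Map(); // key -> { windowStart, count }
  }

  // Records one request for `key` and reports whether it is within the quota.
  check(key) {
    const t = this.now();
    const windowStart = Math.floor(t / DAY_MS) * DAY_MS; // UTC midnight of today
    let entry = this.windows.get(key);
    if (!entry || entry.windowStart !== windowStart) {
      entry = { windowStart, count: 0 }; // first request today: start a fresh window
      this.windows.set(key, entry);
    }
    const resetAt = windowStart + DAY_MS;
    if (entry.count >= this.limit) {
      return { allowed: false, remaining: 0, resetAt };
    }
    entry.count += 1;
    return { allowed: true, remaining: this.limit - entry.count, resetAt };
  }
}

// Heuristic only (assumption of this example, not a reliable signal): any HTTP
// client can send any User-Agent, so this reports what the caller claims to be.
const BROWSER_UA = /\b(Mozilla\/5\.0|Chrome\/\d|Safari\/\d|Firefox\/\d|Edg\/\d)/;
const TOOL_UA = /\b(curl|Wget|python-requests|Go-http-client|node-fetch|axios|okhttp)\b/i;

function looksLikeBrowser(userAgent) {
  if (!userAgent) return false;
  return BROWSER_UA.test(userAgent) && !TOOL_UA.test(userAgent);
}

// Key requests by client address. Only honour X-Forwarded-For when a proxy you
// control sets it (`trustProxy`); otherwise a caller picks its own key by
// sending the header itself.
function clientKey(req, trustProxy = false) {
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy && xff) return xff.split(',')[0].trim();
  return req.remoteAddress;
}

// Minimal handler. `req` is a constructed object: { remoteAddress, headers }.
function handle(limiter, req, trustProxy = false) {
  const verdict = limiter.check(clientKey(req, trustProxy));
  if (!verdict.allowed) {
    const retryAfter = Math.ceil((verdict.resetAt - limiter.now()) / 1000);
    return {
      status: 429,
      headers: { 'Retry-After': String(retryAfter) },
      body: { error: 'daily quota exceeded' },
    };
  }
  return {
    status: 200,
    headers: { 'X-RateLimit-Remaining': String(verdict.remaining) },
    body: { browserLike: looksLikeBrowser(req.headers['user-agent']) },
  };
}

// Constructed sample traffic: one browser hitting the quota, curl, and a script
// that spoofs the browser User-Agent. A fixed clock keeps the run deterministic.
function demo() {
  const fixedClock = () => Date.UTC(2016, 6, 1, 12, 0, 0);
  const limiter = new DailyLimiter(3, fixedClock);
  const chrome = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36';
  const requests = [
    { remoteAddress: '203.0.113.10', headers: { 'user-agent': chrome } },
    { remoteAddress: '203.0.113.10', headers: { 'user-agent': chrome } },
    { remoteAddress: '203.0.113.10', headers: { 'user-agent': chrome } },
    { remoteAddress: '203.0.113.10', headers: { 'user-agent': chrome } }, // 4th of 3: rejected
    { remoteAddress: '198.51.100.7', headers: { 'user-agent': 'curl/7.47.0' } },
    { remoteAddress: '198.51.100.8', headers: { 'user-agent': chrome } }, // script with a browser UA
  ];
  return requests.map((r) => handle(limiter, r));
}

for (const r of demo()) console.log(r.status, r.headers, r.body);
```

The counters live in process memory, so they reset on restart and are not shared between instances; that is the reason the answer above suggests doing this at the load balancer when there is one.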
The typical way for tracking a user across sessions in a browser is through a cookie, which is automatically sent by the browser on subsequent requests.
However, there is nothing stopping a non-browser client from emulating this process by storing issued cookies themselves and re-sending them on subsequent API requests (cookies are just HTTP headers, after all).
You may be better off approaching this problem from another perspective, and requiring registration with an email address, or authentication with a third-party SSO provider like Gmail or Facebook. This means that you still have authentication, but it's harder to "abuse" whatever service you're planning to provide, given the inherent difficulty in obtaining a new set of unique credentials.
Ibrahim Tanyalcin
TheSheriff
Can you elaborate a bit more on your second question? Call? As in WebRTC?
For the first part, you could set a cookie/something in storage to check, or you can keep a DB of IP addresses and check/update requests per IP.
Both aren't great solutions, as they can easily be navigated around, so I would suggest requiring users to be logged in so you have accounts associated with requests.