Support Multiple PartitionedRateLimiter Per Endpoint

[Kahbazi]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

Right now RateLimiting middleware has two PartitionedRateLimiter. A global and an endpoint limiter. This means for each endpoint there could be at most two level of rate limiters and also the global one is somehow limited because it must be same for all endpoints.
So I can not limit my endpoints based on more than two partitions. As an example I need to limit first based on request IP, then current user Id and then based on the current endpoint.
Let's say I need to limit 10 requests per second per IP, no matter which endpoint. And also limit 5 requests per second per User Id.

Also I can't have different window and limit based on one partition. Again let's say I need to limit 10 requests per second per IP and also limit 40 requests per minute per IP.

Describe the solution you'd like

I'm suggesting to create PartitionedRateLimiter<HttpContext> based on policy and have a Dictionary<string, PartitionedRateLimiter<HttpContext> which policy is the key. The endpoints could have multiple IRequireRateLimitMetadata and every one of them is a policy with its own PartitionedRateLimiter. And the middleware would always call Acquire on each of these limiters whether IsAcquired is true or false and only limit the request if one of them has IsAcquired = false.

This way part of the limiter like checking based on User Id could be shared between multiple endpoints too.

Additional context

cc @wtgodbe @BrennanConroy @halter

[wtgodbe]

This should be achievable through the CreateChained API in runtime - it allows you to pass in multiple PartitionedRateLimiters which it will combine into 1 PartitionedRateLimiter that runs all of your input limiters in sequence. Then you could apply that single chained limiter to the endpoint.

[wtgodbe]

Going to close this as I believe it's covered by the above comment - feel free to re-open if there's additional functionality in this request that I'm missing.

[Kahbazi]

@wtgodbe I believe the issue should be re-opened. It seems ChainedPartitionedRateLimiter is the answer on how to implement my requirements (with a small change that I need to call Acquire on every limiter whether IsAcquired is true or false), but I don't see any way to achieve that using the current implementation of the middleware. Is there any sample on how to do that? And also I can't use the global limiter because I would need different ChainedPartitionedRateLimiter per endpoint.

[wtgodbe]

I see, I think you're right that we don't currently support that (endpoint policies are RateLimitPartition based, not PartitionedRateLimiter based). We'll consider this for future passes

[adityamandaleeka]

Triage: we're open to this but we'd like to see more use cases for this sort of pattern.

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

[adityamandaleeka]

We have another request for this: #44907