Storefront rate limiting with X-Forwarded-For

Solved
Shopify Partner

We're working on a custom front-end for our client's store, integrating with Craft CMS to allow for better control of their content. This involves using PHP and Twig templates, which are rendered server-side. I noticed on the rate limiting section of the docs that the limit is based on the client IP. Do you read the `X-Forwarded-For` header for the client IP, or would all requests be rate-limited to the server's IP?

0 Likes

Shopify Staff

Hi @alexjcollins 


Is this in regards to the Storefront API? If so, the XFF header should be respected to pass the client IP. Let me know if you are having issues. By design however, the Storefront API should be used client-side. 

Vix | Developer Support @ Shopify


0 Likes
Shopify Partner

Yes, this is regarding the Storefront API, and thanks for your quick response!

I understand that the API should be used client-side, but that negates non-JavaScript apps and server-side rendered apps, which kind of sucks. But if XFF is respected then it's not really an issue!

0 Likes
Shopify Partner

@vix Do you have any more documentation on this? @alexjcollins, did you manage to make this work?

We're using the Storefront API as well, along with Next.js, which server-side renders the application, and we're concerned that we'll end up being IP address banned or rate limited, and we need this header to be respected.

Right now we have a Node-based GraphQL proxy server similar in implementation to the example here. I have configured our proxy server to pass along `X-Forwarded-For` (we're hosting on App Engine) but we're still getting rate limited from different clients when making a `customerRecover` mutation call:

```graphql
mutation CUSTOMER_RECOVER {
  payload: customerRecover(email: "testuser@example.com") {
    customerUserErrors {
      code
      field
      message
    }
  }
}
```

I have not managed to empty the Storefront API leaky bucket using load-testing tools to hit the rate limit as documented here.

0 Likes
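
The server-side setup discussed in this thread (a proxy passing `X-Forwarded-For` on to the Storefront API), as an added example that is not code from any poster or from Shopify. It picks the client address from the inbound header chain and forwards only that one value; `TRUSTED_HOPS`, the function names and the sample addresses are assumptions, and the hop count has to match what your hosting platform actually appends.

```javascript
// Added example: names and TRUSTED_HOPS are assumptions, not Shopify or App Engine values.
// TRUSTED_HOPS = number of proxies in front of this server that you trust and that
// each append the address of their TCP peer to X-Forwarded-For.
const TRUSTED_HOPS = 1;

// Strict IPv4 check; IPv6 is validated by the URL parser after a character filter.
function isIp(s) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (v4) return v4.slice(1).every((o) => Number(o) <= 255);
  if (!/^[0-9a-fA-F:.]+$/.test(s) || !s.includes(':')) return false;
  try { new URL(`http://[${s}]/`); return true; } catch { return false; }
}

// Returns the address seen by the outermost trusted proxy, or null if it
// cannot be determined. Entries to the left of that position were supplied
// by the client and are ignored.
function clientIp(xffHeader, socketAddr, trustedHops = TRUSTED_HOPS) {
  const chain = String(xffHeader || '').split(',').map((s) => s.trim()).filter(Boolean);
  chain.push(socketAddr); // the TCP peer of this server is the last hop
  const idx = chain.length - 1 - trustedHops;
  if (idx < 0) return null; // fewer hops than configured: do not guess
  return isIp(chain[idx]) ? chain[idx] : null;
}

// Headers for the upstream API call: one vetted address, never the raw inbound header.
function upstreamHeaders(inboundHeaders, socketAddr) {
  const ip = clientIp(inboundHeaders['x-forwarded-for'], socketAddr);
  return ip ? { 'X-Forwarded-For': ip } : {};
}

// Constructed sample: the browser sent its own X-Forwarded-For value
// (198.51.100.99), then one load balancer (10.0.0.5) appended the real
// peer address 203.0.113.7.
const sample = { 'x-forwarded-for': '198.51.100.99, 203.0.113.7' };
console.log(upstreamHeaders(sample, '10.0.0.5'));
```

If every outbound request carries the same address regardless of the visitor, the upstream rate limit will behave as if all traffic came from one client, so logging the value returned by `clientIp` is a quick way to check the hop count.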
New Member

How is it possible to use the Storefront API client-side? I always get CORS errors.


@vix wrote:

> Hi @alexjcollins
>
> Is this in regards to the Storefront API? If so, the XFF header should be respected to pass the client IP. Let me know if you are having issues. By design however, the Storefront API should be used client-side.

0 Likes