I need to give clients publishing capabilities in my application, but that creates an opportunity for malicious users to cause disruption. I see that Ably has revocable tokens (https://ably.com/docs/auth/revocation) and some imposed limits (https://ably.com/docs/general/limits), but I'm not seeing any way to explicitly limit a given client. What are the recommended ways to approach this, in particular for a serverless application?
As I see it, there are two cases to consider:
Case 1 - Many messages to one channel
A possible solution here is to include client-side code so that other clients connected to the channel monitor it and automatically send a request to my server when too many messages are detected. The server can then look at the history of the channel and revoke the token. The downside to this approach is that the malicious client would be able to see the exact conditions that trigger a revocation.
Case 2 - One message to many channels
A solution for this case is to issue a token per channel rather than for a namespace, and track the number of token requests made by the user in a given period of time, probably using a cache. Unfortunately this would involve more infrastructure and cause a substantial increase in the number of token requests for my use case and probably a noticeable difference in user experience.
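The two server-side checks sketched in the question share one piece of logic: a per-key count of events inside a sliding time window. The added example below (not code from the question's author or from Ably) shows that counter used both ways: for case 1, over a channel history dump to pick out clientIds that exceeded a message budget and should have their token revoked; for case 2, in front of per-channel token issuance so a user who requests too many tokens in a window is refused. The history format, the `SlidingWindowCounter`/`TokenIssuer` names, the HS256 signing and the `x-capability` claim are all assumptions made for the example; the real auth server would emit whatever claims the messaging service actually requires.

```python
"""Sliding-window rate checks for the two abuse cases in the question.

Added example, not Ably's or the question author's code. The JWT claim
names and the history tuple format are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Allow at most `limit` events per key within the last `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of accepted events

    def allow(self, key, now):
        """Return True and record the event if `key` is still under its limit."""
        q = self._events[key]
        # Evict timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget; the event is not recorded
        q.append(now)
        return True


# Case 1: server inspects channel history after a client-side alert.
# `history` is a constructed list of (timestamp_seconds, clientId) tuples.
def clients_to_revoke(history, limit, window_seconds):
    """Return the clientIds that sent more than `limit` messages in any window."""
    counter = SlidingWindowCounter(limit, window_seconds)
    offenders = set()
    for ts, client_id in sorted(history):
        if not counter.allow(client_id, ts):
            offenders.add(client_id)
    return offenders


# Case 2: issue one token per channel and throttle token requests per user.
class TokenIssuer:
    def __init__(self, secret, max_requests, window_seconds):
        self.secret = secret
        self.limiter = SlidingWindowCounter(max_requests, window_seconds)

    def issue_channel_token(self, user_id, channel, now=None, ttl=3600):
        """Return a signed JWT scoped to `channel`, or None if the user is throttled."""
        now = time.time() if now is None else now
        if not self.limiter.allow(user_id, now):
            return None  # caller should answer HTTP 429
        claims = {
            "iat": int(now),
            "exp": int(now) + ttl,
            "sub": user_id,
            # Placeholder claim: capability restricted to this single channel.
            "x-capability": json.dumps({channel: ["publish", "subscribe"]}),
        }
        return self._sign(claims)

    def _sign(self, claims):
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = _b64url(_compact(header)) + b"." + _b64url(_compact(claims))
        sig = hmac.new(self.secret, signing_input, hashlib.sha256).digest()
        return (signing_input + b"." + _b64url(sig)).decode()


def _compact(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def decode_claims(token):
    """Decode the payload of a compact JWT (no signature check; for inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed sample: "bad" sends six messages in six seconds, "good" sends two.
SAMPLE_HISTORY = [(t, "bad") for t in range(100, 106)] + [(100, "good"), (103, "good")]

if __name__ == "__main__":
    print(clients_to_revoke(SAMPLE_HISTORY, limit=5, window_seconds=10))
    issuer = TokenIssuer(b"constructed-secret", max_requests=3, window_seconds=60)
    for t in (1000, 1001, 1002, 1003, 1100):
        tok = issuer.issue_channel_token("user-1", "room:42", now=t)
        print(t, "throttled" if tok is None else decode_claims(tok)["x-capability"])
```

Rejected requests are not recorded, so a throttled user regains capacity as soon as the oldest accepted request ages out of the window; if you would rather penalise a client that keeps retrying, record the timestamp before the limit check instead.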
If you want to limit the number of messages a client can send within a period of time, you can do that with Ably if you use a JWT. If using a JWT, you can limit the number of messages sent per second.