Add generic support for rate limiting.

Review Request #14631 — Created Oct. 8, 2025 and updated

Information

Djblets
release-5.x

Djblets has long had rate limiting support for user sessions, allowing
separate rate limits for anonymous users and authenticated users for
normal sessions and API. Outside of this, though, we had no mechanism
for rate limiting other operations.

This change introduces that generic rate limiting support via a new
djblets.protect.ratelimit module. This is a modernized port of the old
rate limit code, which can be used with arbitrary keys and validity
windows to provide rate limit functionality for anything.

The main function is check_rate_limit, which takes in a parsed or
string rate limit, a partial cache key, and a flag indicating whether to
increment the count toward the rate limit in cache (defaults to True).

The existing auth rate limiting code has been reworked as a wrapper
around this, focusing on the settings and checks for rate limiting
user sessions.

Unit tests pass.

Summary: Add generic support for rate limiting.
ID: 272beaa42c350a1093d5f639a49a09c0ae5b6fc0
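
The kind of generic check the description outlines (a parsed or string rate, a partial cache key, an increment flag), written as a fixed-window counter. This is an added example, not code from this change or from Djblets; `Rate`, `parse_rate`, `FixedWindowLimiter`, the `N/unit` rate syntax and the dict standing in for the cache are all assumptions.

```python
import re
import threading
import time
from typing import NamedTuple

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_RATE_RE = re.compile(r"^(\d+)/(\d*)([smhd])$")


class Rate(NamedTuple):
    count: int    # attempts allowed per window
    seconds: int  # window length in seconds


def parse_rate(rate):
    """Accept a Rate or a string such as '5/m' or '100/2h' (assumed syntax)."""
    if isinstance(rate, Rate):
        return rate
    m = _RATE_RE.match(rate.strip().lower())
    count = int(m.group(1)) if m else 0
    seconds = int(m.group(2) or 1) * _UNITS[m.group(3)] if m else 0
    if count <= 0 or seconds <= 0:
        raise ValueError(f"invalid rate limit: {rate!r}")
    return Rate(count, seconds)


class FixedWindowLimiter:
    """Hypothetical limiter; a dict and a lock stand in for a shared cache."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._counts = {}
        self._lock = threading.Lock()

    def check(self, rate, key, increment=True):
        """Return (allowed, remaining, seconds_until_reset) for a partial key."""
        rate = parse_rate(rate)
        now = self._clock()
        window = int(now // rate.seconds)
        # A real cache entry would expire after rate.seconds; this dict does not.
        full_key = f"ratelimit:{key}:{rate.count}/{rate.seconds}:{window}"
        with self._lock:  # get-then-set without atomicity undercounts bursts
            used = self._counts.get(full_key, 0)
            if increment:
                used += 1
                self._counts[full_key] = used
        # A peek (increment=False) asks whether one more attempt would fit.
        allowed = used <= rate.count if increment else used < rate.count
        return allowed, max(rate.count - used, 0), (window + 1) * rate.seconds - now
```

Passing `increment=False` lets a caller show a "try again later" page without spending one of the client's remaining attempts.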
| Description | From |
| --- | --- |
| djblets.http.requests doesn't currently exist. Did you forget to add this file? | david |
| Can we use .format() instead of %-formatting here? | david |
| This type is wrong | david |
| Can we pass the timeout as a kwarg here? | david |
| too many blank lines (2) Column: 9 Error code: E303 | reviewbot |

Checks run (1 failed, 1 succeeded)
flake8 failed.
JSHint passed.

flake8

david

  1. djblets/auth/ratelimit.py (Diff revision 1)

     djblets.http.requests doesn't currently exist. Did you forget to add this file?

  2. djblets/auth/ratelimit.py (Diff revision 1)

     Can we use .format() instead of %-formatting here?

  3. djblets/protect/ratelimit.py (Diff revision 1)

     This type is wrong

  4. djblets/protect/ratelimit.py (Diff revision 1)

     Can we pass the timeout as a kwarg here?