Summary

Add generic support for rate limiting.

Review Request #14631 — Created Oct. 8, 2025 and updated Dec. 10, 2025, 12:13 a.m.

Information

Owner

chipx86

Repository

Djblets

Branch

release-5.x

Bugs

Depends On

Reviewers

Groups

djblets

People

Description

Djblets has long had rate limiting support for user sessions, allowing

separate rate limits for anonymous users and authenticated users for

normal sessions and API. Outside of this, though, we had no mechanism

for rate limiting other operations.
This change introduces that generic rate limiting support via a new

djblets.protect.ratelimit module. This is a modernized port of the old

rate limit code, which can be used with arbitrary keys and validity

windows to provide rate limit functionality for anything.
The main function is check_rate_limit, which takes in a parsed or

string rate limit, a partial cache key, and a flag indicating whether to

increment the count toward the rate limit in cache (defaults to True).
The existing auth rate limiting code has been reworked as a wrapper

around this, focusing on the settings and checks for rate limiting

user sessions.

Testing Done

Unit tests pass.

Commits

Summary	ID
Add generic support for rate limiting. Djblets has long had rate limiting support for user sessions, allowing separate rate limits for anonymous users and authenticated users for normal sessions and API. Outside of this, though, we had no mechanism for rate limiting other operations. This change introduces that generic rate limiting support via a new `djblets.protect.ratelimit` module. This is a modernized port of the old rate limit code, which can be used with arbitrary keys and validity windows to provide rate limit functionality for anything. The main function is `check_rate_limit`, which takes in a parsed or string rate limit, a partial cache key, and a flag indicating whether to increment the count toward the rate limit in cache (defaults to `True`). The existing auth rate limiting code has been reworked as a wrapper around this, focusing on the settings and checks for rate limiting user sessions.	7f8c2b3f4589007a21864b0e5935cb677bdf2b28

Summary

Add generic support for rate limiting.

Djblets has long had rate limiting support for user sessions, allowing separate rate limits for anonymous users and authenticated users for normal sessions and API. Outside of this, though, we had no mechanism for rate limiting other operations. This change introduces that generic rate limiting support via a new `djblets.protect.ratelimit` module. This is a modernized port of the old rate limit code, which can be used with arbitrary keys and validity windows to provide rate limit functionality for anything. The main function is `check_rate_limit`, which takes in a parsed or string rate limit, a partial cache key, and a flag indicating whether to increment the count toward the rate limit in cache (defaults to `True`). The existing auth rate limiting code has been reworked as a wrapper around this, focusing on the settings and checks for rate limiting user sessions.

7f8c2b3f4589007a21864b0e5935cb677bdf2b28

Issues

Description	From	Last Updated
djblets.http.requests doesn't currently exist. Did you forget to add this file?	david	Nov. 28, 2025, 9:38 p.m.
Can we use .format() instead of %-formatting here?	david	Nov. 28, 2025, 9:38 p.m.
This type is wrong	david	Nov. 28, 2025, 9:38 p.m.
Can we pass the timeout as a kwarg here?	david	Nov. 28, 2025, 9:38 p.m.
too many blank lines (2) Column: 9 Error code: E303	reviewbot	Oct. 8, 2025, 4:52 p.m.
Can Any be imported inside of TYPE_CHECKING?	david	Dec. 1, 2025, 3:17 p.m.
Can you add ValueError and ImproperlyConfigured to a Raises section in the docs here.	maubin	Dec. 9, 2025, 11:38 p.m.
Can you add ValueError to a Raises section in the docs here.	maubin	Dec. 9, 2025, 11:39 p.m.
This should say list of str and mention the user_id_or_ip part of the return value.	maubin	Dec. 9, 2025, 11:39 p.m.
This needs a Raises section for ValueError.	maubin	Dec. 9, 2025, 11:40 p.m.
This should say rate_limit instead of default_limit.	maubin	Dec. 9, 2025, 11:40 p.m.
We should maybe mention this in the arg description for rate_limit, that it can be set to None for no …	maubin	Dec. 9, 2025, 11:41 p.m.

flake8 failed.

JSHint passed.

flake8

djblets/protect/tests/test_ratelimit.py (Diff revision 1)
The issue has been resolved. Show all issues
```
too many blank lines (2)

Column: 9
Error code: E303
```

djblets/auth/ratelimit.py (Diff revision 1)

The issue has been resolved. Show all issues

djblets.http.requests doesn't currently exist. Did you forget to add this file?

chipx86 Nov. 28, 2025, 9:40 p.m.

The change was sitting in draft form. Published as /r/14630/

djblets/auth/ratelimit.py (Diff revision 1)
The issue has been resolved. Show all issues
```
Can we use .format() instead of %-formatting here?
```
djblets/protect/ratelimit.py (Diff revision 1)
The issue has been resolved. Show all issues
```
This type is wrong
```
djblets/protect/ratelimit.py (Diff revision 1)
The issue has been resolved. Show all issues
```
Can we pass the timeout as a kwarg here?
```
1. chipx86 Nov. 28, 2025, 9:40 p.m.
  Yeah, copy/paste from old code.

Change Summary:


Switched to .format() for a string.
Fixed a type in docs.
Fixed an old moved cache.add() call to explicitly pass the timeout as a keyword argument.

Commits:

	Summary	ID
	Add generic support for rate limiting. Djblets has long had rate limiting support for user sessions, allowing separate rate limits for anonymous users and authenticated users for normal sessions and API. Outside of this, though, we had no mechanism for rate limiting other operations. This change introduces that generic rate limiting support via a new `djblets.protect.ratelimit` module. This is a modernized port of the old rate limit code, which can be used with arbitrary keys and validity windows to provide rate limit functionality for anything. The main function is `check_rate_limit`, which takes in a parsed or string rate limit, a partial cache key, and a flag indicating whether to increment the count toward the rate limit in cache (defaults to `True`). The existing auth rate limiting code has been reworked as a wrapper around this, focusing on the settings and checks for rate limiting user sessions.	272beaa42c350a1093d5f639a49a09c0ae5b6fc0
	Add generic support for rate limiting. Djblets has long had rate limiting support for user sessions, allowing separate rate limits for anonymous users and authenticated users for normal sessions and API. Outside of this, though, we had no mechanism for rate limiting other operations. This change introduces that generic rate limiting support via a new `djblets.protect.ratelimit` module. This is a modernized port of the old rate limit code, which can be used with arbitrary keys and validity windows to provide rate limit functionality for anything. The main function is `check_rate_limit`, which takes in a parsed or string rate limit, a partial cache key, and a flag indicating whether to increment the count toward the rate limit in cache (defaults to `True`). The existing auth rate limiting code has been reworked as a wrapper around this, focusing on the settings and checks for rate limiting user sessions.	fa9944b879bf157cded9d9109277128bf483a135

Diff:

Revision 2 (+1518 -270)

Show changes

	djblets/auth/ratelimit.py
	djblets/auth/tests/test_ratelimit.py
	djblets/extensions/hooks.py
	djblets/protect/ratelimit.py
	djblets/protect/tests/test_ratelimit.py
	djblets/webapi/tests/test_api_auth_backend.py
	docs/djblets/coderef/index.rst

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

djblets/auth/ratelimit.py (Diff revision 2)
The issue has been resolved. Show all issues
```
Can Any be imported inside of TYPE_CHECKING?
```

djblets/auth/ratelimit.py (Diff revision 2)

The issue has been resolved. Show all issues

Can you add ValueError and ImproperlyConfigured to a Raises section in the docs here.

djblets/auth/ratelimit.py (Diff revision 2)
The issue has been resolved. Show all issues
```
Can you add ValueError to a Raises section in the docs here.
```

djblets/auth/ratelimit.py (Diff revision 2)

The issue has been resolved. Show all issues

This should say list of str and mention the user_id_or_ip part of the return value.

djblets/protect/ratelimit.py (Diff revision 2)
The issue has been resolved. Show all issues
```
This needs a Raises section for ValueError.
```
djblets/protect/ratelimit.py (Diff revision 2)
The issue has been resolved. Show all issues
```
This should say rate_limit instead of default_limit.
```

djblets/protect/ratelimit.py (Diff revision 2)

The issue has been resolved. Show all issues

We should maybe mention this in the arg description for rate_limit, that it can be set to None for no rate limiting.

Change Summary:


Added missing exception documentation to several functions.
Fixed the return docs for the old is_ratelimited().
Fixed an incorrect argument name in the check_rate_limit() docs and described the None case for the value.

Commits:

	Summary	ID
	Add generic support for rate limiting. Djblets has long had rate limiting support for user sessions, allowing separate rate limits for anonymous users and authenticated users for normal sessions and API. Outside of this, though, we had no mechanism for rate limiting other operations. This change introduces that generic rate limiting support via a new `djblets.protect.ratelimit` module. This is a modernized port of the old rate limit code, which can be used with arbitrary keys and validity windows to provide rate limit functionality for anything. The main function is `check_rate_limit`, which takes in a parsed or string rate limit, a partial cache key, and a flag indicating whether to increment the count toward the rate limit in cache (defaults to `True`). The existing auth rate limiting code has been reworked as a wrapper around this, focusing on the settings and checks for rate limiting user sessions.	fa9944b879bf157cded9d9109277128bf483a135
	Add generic support for rate limiting. Djblets has long had rate limiting support for user sessions, allowing separate rate limits for anonymous users and authenticated users for normal sessions and API. Outside of this, though, we had no mechanism for rate limiting other operations. This change introduces that generic rate limiting support via a new `djblets.protect.ratelimit` module. This is a modernized port of the old rate limit code, which can be used with arbitrary keys and validity windows to provide rate limit functionality for anything. The main function is `check_rate_limit`, which takes in a parsed or string rate limit, a partial cache key, and a flag indicating whether to increment the count toward the rate limit in cache (defaults to `True`). The existing auth rate limiting code has been reworked as a wrapper around this, focusing on the settings and checks for rate limiting user sessions.	7f8c2b3f4589007a21864b0e5935cb677bdf2b28

Diff:

Revision 3 (+1562 -270)

Show changes

	djblets/auth/ratelimit.py
	djblets/auth/tests/test_ratelimit.py
	djblets/extensions/hooks.py
	djblets/protect/ratelimit.py
	djblets/protect/tests/test_ratelimit.py
	djblets/webapi/tests/test_api_auth_backend.py
	docs/djblets/coderef/index.rst

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```