Add optional rate limiting for all API requests.
Review Request #9114 — Created Aug. 1, 2017 and submitted
This change generalizes the rate limiting infrastructure a bit and adds support for rate limiting API requests. I've changed it so that there are three settings keys, LOGIN_LIMIT_RATE, API_ANONYMOUS_LIMIT_RATE, and API_AUTHENTICATED_LIMIT_RATE. These can be set to None, which will disable rate limiting for that type, or to a rate limit string as before.

If an API request is rate limited, the response will have the error and include a couple special headers that show what the limit is and how long the user has to wait before retrying the request.

As part of this, I've also fixed up a couple small issues with the logic between the different cases depending on the value of increment. In the case where it's False, we expect to get results as if we were incrementing, but without actually storing the value to the cache. Once this was fixed, I was able to fix is_ratelimited to actually check if the limit was exceeded, rather than at or above.

Based on work by Raman Dhatt.
- Manually made some authenticated and anonymous API requests with this configured and saw the expected results.
- Ran unit tests.
- Commit:
-
6b20eac48063be4d64632f0062e9b4d95df2bbabd7b9100f6871903ce2d8f3f17d63925fb3bebc1f
Checks run (2 succeeded)
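
The semantics described in the request above (a `None` setting disables limiting, `increment=False` reports the count as if incrementing without storing it, and a request is limited only once the count exceeds the limit), as an added example that is not Review Board's own code. The in-memory dict standing in for the cache, the `count/period` rate string format, the function names `parse_rate`, `get_usage` and `rate_limit_headers`, and the header names are all assumptions.

```python
import re
import time

PERIODS = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}
cache = {}  # stand-in for the Django cache: key -> (count, window_end)


def parse_rate(rate):
    """Parse an assumed 'count/period' string such as '10/m'."""
    m = re.fullmatch(r'(\d+)/([smhd])', rate)
    if not m:
        raise ValueError('bad rate limit string: %r' % rate)
    return int(m.group(1)), PERIODS[m.group(2)]


def get_usage(key, rate, increment=True, now=None):
    """Return usage for key, or None when rate is None (limiting disabled)."""
    if rate is None:
        return None
    now = time.time() if now is None else now
    limit, period = parse_rate(rate)
    count, window_end = cache.get(key, (0, now + period))
    if now >= window_end:        # window expired: start a new one
        count, window_end = 0, now + period
    count += 1                   # always compute as if incrementing
    if increment:                # but only persist when asked to
        cache[key] = (count, window_end)
    return {'count': count, 'limit': limit,
            'time_left': int(window_end - now),
            'limited': count > limit}  # exceeded, not "at or above"


def rate_limit_headers(usage):
    """Headers for a limited response (header names are assumptions)."""
    return {'Retry-After': str(usage['time_left']),
            'X-RateLimit-Limit': str(usage['limit'])}
```

With a limit of `2/m`, the second stored request is still allowed; only the third is limited, and a non-incrementing check made before it already reports that outcome.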
Do we want to maybe put these into a dict or list and pull them all out at once?

e.g.

    _info = {
        0: ('LOGIN_LIMIT_RATE', DEFAULT_LOGIN_LIMIT_RATE, 'login-ratelimit'),
        # ...
    }

    try:
        settings_key, default_value, cache_key_prefix = _info[limit_type]
    except KeyError:
        raise ValueError(...)

Also do we want to extract LOGIN_LIMIT_RATE etc. into constants?