Add optional rate limiting for all API requests.

Review Request #9114 — Created Aug. 1, 2017 and submitted

Information

Djblets
release-0.10.x
19c722f...

Reviewers

This change generalizes the rate limiting infrastructure a bit and adds support
for rate limiting API requests. I've changed it so that there are three
settings keys, LOGIN_LIMIT_RATE, API_ANONYMOUS_LIMIT_RATE, and
API_AUTHENTICATED_LIMIT_RATE. These can be set to None, which will disable
rate limiting for that type, or to a rate limit string as before.

If an API request is rate limited, the response will have the error and include
a couple special headers that show what the limit is and how long the user has
to wait before retrying the request.

As part of this, I've also fixed up a couple small issues with the logic
between the different cases depending on the value of increment. In the case
where it's False, we expect to get results as if we were incrementing, but
without actually storing the value to the cache. Once this was fixed, I was
able to fix is_ratelimited to actually check if the limit was exceeded,
rather than at or above.

Based on work by Raman Dhatt.

  • Manually made some authenticated and anonymous API requests with this
    configured and saw the expected results.
  • Ran unit tests.
Description From Last Updated

F401 'base64' imported but unused

reviewbotreviewbot

Do we want to maybe put these into a dict or list and pull them all out at once? e.g. …

brenniebrennie

How about 429 -- Too Many Requests?

brenniebrennie
Checks run (1 failed, 1 succeeded)
flake8 failed.
JSHint passed.

flake8

david
brennie
  1. 
      
  2. djblets/auth/ratelimit.py (Diff revision 2)
     
     

    Do we want to maybe put these into a dict or list and pull them all out at once?

    e.g.

    _info = {
        0: ('LOGIN_LIMIT_RATE', DEFAULT_LOGIN_LIMIT_RATE, 'login-ratelimit'),
        # ...
    }
    
    try:
        settings_key, default_value, cache_key_prefix = _info[limit_type]
    except KeyError:
        raise ValueError(...)
    

    Also do we want to extract LOGIN_LIMIT_RATE etc into constants?

  3. djblets/webapi/errors.py (Diff revision 2)
     
     

    How about 429 -- Too Many Requests?

  4. 
      
david
brennie
  1. Ship It!
  2. 
      
david
Review request changed

Status: Closed (submitted)

Change Summary:

Pushed to release-0.10.x (d265d9f)
Loading...