
{Token, User}-dependent rate limit control #205

Closed
brunolnetto opened this issue Jun 29, 2024 · 9 comments

Comments

@brunolnetto

Describe the bug
This is not a bug description. In fact, I would like to know if the use case for authentication-dependent rate limiting (e.g. by JWT token) is covered by this library. The use case is as follows:

  1. We provide a token as Bearer on request.
  2. The endpoint recognizes the user and saves information about user access rate;
  3. In case of rate or limit violation, we raise an exception with status code 429.
@ecly

ecly commented Aug 15, 2024

@brunolnetto this is supported with slowapi.

You can provide a key_func to the Limiter which can take the fastapi.Request as its parameter, from which you can get the User ID from the token and use this as a key.

I.e. just using the bearer token as a key for rate limiting could be done with:

from fastapi import Request
from slowapi import Limiter

def get_user_id_from_auth(auth):
    # Stand-in for the token lookup the comment leaves out: decode/verify the
    # bearer token and return the user ID. Here it only strips the scheme so the
    # snippet runs; a real implementation must verify the token before trusting it.
    if not auth:
        return "anonymous"  # every unauthenticated request shares one bucket
    return auth.removeprefix("Bearer ")

def api_key_from_request(request: Request) -> str:
    auth = request.headers.get("authorization")
    user_id = get_user_id_from_auth(auth)
    return user_id

limiter = Limiter(key_func=api_key_from_request)
...

@brunolnetto
Author

Is there some way to alternate between provided key and default key, like IP? I mean, not every route is key-protected.

@ecly

ecly commented Aug 15, 2024

Is there some way to alternate between provided key and default key, like IP? I mean, not every route is key-protected.

Sure, check out the default utility functions that support IP based rate limiting: https://slowapi.readthedocs.io/en/latest/api/#utility-functions

And you can override with per route/decorator key functions, depending on the need for each route.
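The two answers above (a key function that reads the bearer token, and an IP-based default for routes that are not token-protected) fit in one key function. The following is an added example, not code from the thread or from slowapi: it verifies an HS256 JWT with the standard library before using its `sub` claim as the key, and falls back to the peer address when there is no valid token. `JWT_SECRET`, `sign_hs256`, `verified_subject`, `rate_limit_key` and `token_or_ip_key_func` are names chosen here; the secret and the tokens built from it are constructed for the example.

```python
"""Rate-limit key derived from a verified bearer token, with an IP fallback."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Optional

# Assumption: the API issues HS256-signed JWTs under this shared secret. Load it
# from configuration in real code; the literal is only so the example runs.
JWT_SECRET = b"example-secret-do-not-use"


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes = JWT_SECRET, alg: str = "HS256") -> str:
    """Mint a compact JWT. Exists only so the example can build test tokens; the
    `alg` parameter lets a test forge a token whose header claims another algorithm."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verified_subject(auth_header: Optional[str], secret: bytes = JWT_SECRET) -> Optional[str]:
    """Return the token's `sub` claim only if its signature and expiry check out.

    Keying the limiter on an unverified claim would let a client mint a new
    `sub` per request and get a fresh bucket every time, so anything that fails
    verification yields None and falls through to the IP-based key.
    """
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    token = auth_header[len("Bearer "):]
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # rejects alg=none and algorithm confusion
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        exp = claims.get("exp")
        if exp is not None and exp < time.time():
            return None
        sub = claims.get("sub")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token, bad base64/JSON, wrong claim types
    return sub if isinstance(sub, str) and sub else None


def rate_limit_key(auth_header: Optional[str], client_host: Optional[str]) -> str:
    """Per-user key when a valid token is presented, otherwise per-client-IP.

    The prefixes keep the two key spaces apart, so a user ID that happens to
    look like an address cannot collide with an IP bucket.
    """
    sub = verified_subject(auth_header)
    if sub is not None:
        return f"user:{sub}"
    return f"ip:{client_host or '127.0.0.1'}"


def token_or_ip_key_func(request: Any) -> str:
    """Adapter with the shape slowapi's key_func expects: one Request in, str out.
    Only `request.headers` (case-insensitive in Starlette) and `request.client.host` are read."""
    host = request.client.host if request.client else None
    return rate_limit_key(request.headers.get("authorization"), host)
```

Wiring it in: `Limiter(key_func=token_or_ip_key_func)` makes this the default for every route, and a route that is not token-protected can pass its own function to the decorator, e.g. `@limiter.limit("60/minute", key_func=get_remote_address)` (the decorator's `key_func` parameter is documented in slowapi's API reference). Two points worth keeping in mind: every request without a valid token lands in a per-IP bucket, so the IP half of the key has the same proxy-header concerns as any IP-based limit, and the per-user half is only as strong as the token check, which is why the example refuses unsigned, mis-signed, expired and non-HS256 tokens rather than reading `sub` straight out of the payload.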

@brunolnetto
Author

Sorry for further requesting explanation, but what precisely is the difference between functions get_remote_address and get_ipaddr?

@ecly

ecly commented Aug 15, 2024

Sorry for further requesting explanation, but what precisely is the difference between functions get_remote_address and get_ipaddr?

Probably better served for discussions, but you can view the implementation here.

TLDR:

  • Behind a proxy/load balancer (that uses X-Forwarded-For headers) use get_remote_address.
  • If clients connect directly to our server, you use get_ipaddr.
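Whichever helper is chosen, the security question behind the two options is the same: a key read from X-Forwarded-For is only as trustworthy as the peer that set the header, so check the linked implementation for which header each helper reads before relying on it. The block below is an added example, not code from the thread or from slowapi. It shows a direct-peer key next to a forwarded-header key that only believes hops appended by proxies we operate. `TRUSTED_PROXIES`, `is_trusted_proxy`, `direct_peer_key`, `forwarded_client_key` and `forwarded_for_key_func` are names chosen here, and the proxy ranges and addresses are constructed for the example.

```python
"""Client-address keys for rate limiting: direct peer vs. trusted forwarded header."""
import ipaddress
from typing import Any, Iterable, Mapping, Optional

# Assumption: our reverse proxies / load balancers live in these ranges. The list
# must not overlap the address space real clients come from, or a client inside
# it could walk the header past its own address.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_trusted_proxy(addr: str, trusted: Iterable[Any] = TRUSTED_PROXIES) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an address at all, so certainly not one of our proxies
    return any(ip in net for net in trusted)


def direct_peer_key(client_host: Optional[str]) -> str:
    """Key on the TCP peer address. Right when clients connect straight to the
    server; behind a proxy every request carries the proxy's address and all
    clients end up sharing one bucket."""
    return client_host or "127.0.0.1"


def forwarded_client_key(headers: Mapping[str, str], client_host: Optional[str],
                         trusted: Iterable[Any] = TRUSTED_PROXIES) -> str:
    """Key on the client address a trusted proxy recorded in X-Forwarded-For.

    Proxies append the address they saw to the header, so the rightmost hop
    that is not one of our proxies is the real client; everything to its left
    was supplied by the client and may be forged. Reading the leftmost entry,
    or believing the header from an untrusted peer, lets a caller choose its
    own key with `X-Forwarded-For: <anything>` and get a fresh bucket per request.
    """
    peer = direct_peer_key(client_host)
    if not is_trusted_proxy(peer, trusted):
        return peer  # connection did not come through our proxy: ignore the header
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))  # normalises the spelling (IPv6 etc.)
            except ValueError:
                return peer  # malformed entry: share the proxy bucket rather than a chosen key
    return peer  # header absent, or it lists only our own proxies


def forwarded_for_key_func(request: Any) -> str:
    """Adapter shaped like a slowapi key_func (Starlette Request in, str out)."""
    host = request.client.host if request.client else None
    return forwarded_client_key(request.headers, host)
```

Starlette's `request.headers` is case-insensitive, so the lower-casing only matters for the plain dicts used when testing. An alternative to doing this inside the key function is to let the ASGI server rewrite `request.client` from the forwarded headers for trusted proxies only (uvicorn's `--proxy-headers` together with `--forwarded-allow-ips`) and then key on the direct peer address; either way, the header must never be believed from an arbitrary peer.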

@brunolnetto
Author

brunolnetto commented Aug 15, 2024

I added a pull request to remove repeated code. May you review and merge? :-)

#211

@ecly

ecly commented Aug 15, 2024

I added a pull request to remove repeated code. May you review and merge? :-)

#211

I'm not a maintainer of this project, so cannot help with that. Just a user.

@laurentS
Owner

@ecly thanks for taking the time to reply! @brunolnetto I've authorized CI on your PR, thanks for sending it in.
Indeed, this would have been better suited for a discussion than a bug :) Closing this one.

@brunolnetto
Author

CI is still failing because of the command poetry run mypy .
