Add Rate Limiting for Authentication and User Routes #63

Closed
wants to merge 4 commits into from

Conversation

LEVIII007

Rate Limiting Implementation

About

This PR adds rate limiting to protect critical API endpoints from abuse and ensure service stability. The implementation uses slowapi to enforce IP-based rate limits.

Features

  • IP-based rate limiting for authentication and user endpoints
  • Customized limits for different route types
  • Automatic logging of rate limit violations
  • Configurable enable/disable toggle

Rate Limits

Endpoint      Limit        Purpose
Auth Routes   100/minute   Prevent brute force attacks
User Routes   100/minute   Control API usage
Index         100/minute   Basic protection

Implementation Details

# Rate limiting configuration. Imports and the app/limiter wiring slowapi needs
# are added here so the snippet runs; RATE_LIMITING_ENABLED, auth_rate_limit,
# user_rate_limit and the auth/user router modules are defined elsewhere in the branch.
from fastapi import Depends, FastAPI, Request
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address

limiter = Limiter(
    key_func=get_remote_address,  # keys on the TCP peer address (request.client.host)
    strategy="fixed-window",
    storage_uri="memory://",      # per-process counters, not shared between workers
    enabled=RATE_LIMITING_ENABLED
)

app = FastAPI()
app.state.limiter = limiter  # limiter.limit() looks the limiter up on app.state
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

# Applied to auth routes
auth.router.dependencies.append(Depends(auth_rate_limit()))

# Applied to user routes
user.router.dependencies.append(Depends(user_rate_limit()))

# Protected index endpoint
@app.get("/")
@limiter.limit("10 per minute")
async def index(request: Request):
    return "Welcome to Portal!"

Benefits

  • Prevents abuse of authentication endpoints
  • Protects against DDoS attempts
  • Ensures fair API usage
  • Enhanced security logging
  • Maintainable codebase

Testing Done

  • Verified rate limits on auth endpoints
  • Tested user route restrictions
  • Confirmed rate limit exceeded responses
  • Validated logging functionality

Dependencies

slowapi==0.1.8

Configuration

Enable/disable rate limiting via environment variable:

RATE_LIMITING_ENABLED=True

Logging

Rate limit violations are logged with:

  • Client IP
  • Endpoint path
  • HTTP method
  • Timestamp

Response Format

When rate limit exceeded:

{
    "detail": "Rate limit exceeded",
    "retry_after": "time in seconds" 
}

Status code: 429

Future Improvements

  • Add Redis backend support
  • Dynamic rate limiting based on user roles
  • More granular endpoint controls

DEMO

Rate limiting Screenshot

Related Issues

Closes #62
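The PR's Implementation Details, Logging and Response Format sections describe an IP-keyed, fixed-window, in-memory limiter that answers with a 429 and a retry_after value and logs IP, path, method and timestamp. The block below is an added example, not code from this PR or from slowapi: it implements that behaviour in plain Python so the two caveats a reviewer would raise can be exercised offline. First, keying on the TCP peer (what slowapi's get_remote_address does) means that behind a reverse proxy every client shares one bucket, while blindly trusting X-Forwarded-For lets a client choose its own key; second, a fixed window lets a client send twice the limit in about a second across a window boundary. TRUSTED_PROXIES, client_key, the route names and all addresses are assumptions constructed for the demo.

```python
"""Minimal in-memory, IP-keyed fixed-window rate limiter in the style of slowapi.

Added example, not code from the PR or from slowapi. TRUSTED_PROXIES, client_key,
the routes and the sample addresses are assumptions constructed for the demo.
"""
import ipaddress
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: the only hop allowed to set X-Forwarded-For is this reverse proxy.
TRUSTED_PROXIES = {"10.0.0.1"}


def client_key(peer_ip: str, forwarded_for: Optional[str]) -> str:
    """Rate-limit key for a request.

    Keying on the TCP peer alone (slowapi's get_remote_address) makes every client
    behind a reverse proxy share the proxy's bucket. Honour X-Forwarded-For only
    when the peer is a trusted proxy, and take the right-most entry (the one that
    proxy appended); earlier entries are client-controlled.
    """
    if peer_ip in TRUSTED_PROXIES and forwarded_for:
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            try:
                return str(ipaddress.ip_address(hops[-1]))
            except ValueError:
                pass  # malformed header: fall back to the peer address
    return peer_ip


@dataclass
class FixedWindowLimiter:
    limit: int
    window_seconds: int
    enabled: bool = True  # mirrors the PR's RATE_LIMITING_ENABLED toggle
    _counters: Dict[Tuple[str, str, int], int] = field(default_factory=dict)

    def check(self, key: str, route: str, now: float) -> Tuple[bool, int]:
        """Return (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        if not self.enabled:
            return True, 0
        window = int(now // self.window_seconds)
        bucket = (key, route, window)
        if self._counters.get(bucket, 0) >= self.limit:
            window_end = (window + 1) * self.window_seconds
            return False, max(1, math.ceil(window_end - now))
        self._counters[bucket] = self._counters.get(bucket, 0) + 1
        return True, 0


def handle_request(limiter, route, method, peer_ip, forwarded_for, now, log):
    """Dispatch one request: 200 when allowed, else the PR's 429 body plus a log line."""
    key = client_key(peer_ip, forwarded_for)
    allowed, retry_after = limiter.check(key, route, now)
    if allowed:
        return 200, {"detail": "ok"}
    log.append(f"{now:.0f} rate_limit_exceeded ip={key} path={route} method={method}")
    return 429, {"detail": "Rate limit exceeded", "retry_after": retry_after}


def demo() -> dict:
    """Drive the limiter with constructed requests and return the observable results."""
    limiter = FixedWindowLimiter(limit=5, window_seconds=60)
    log: List[str] = []
    route, attacker, victim = "/auth/login", "203.0.113.7", "198.51.100.9"

    # Five attempts pass; the sixth in the same window is refused with retry_after.
    statuses = [handle_request(limiter, route, "POST", attacker, None, 10.0 + i, log)[0]
                for i in range(6)]
    blocked = handle_request(limiter, route, "POST", attacker, None, 30.0, log)

    # Fixed-window caveat: 5 requests at 59.x s and 5 at 60.x s are all allowed,
    # so twice the per-minute limit fits in about one second across the boundary.
    burst = sum(handle_request(limiter, route, "POST", victim, None, t, log)[0] == 200
                for t in [59.1, 59.2, 59.3, 59.4, 59.5, 60.1, 60.2, 60.3, 60.4, 60.5])

    return {
        "statuses": statuses,
        "blocked": blocked,
        "burst_allowed": burst,
        "log_lines": log,
        # Direct client sends X-Forwarded-For itself: peer is not a trusted proxy, header ignored.
        "spoof_ignored": client_key(attacker, victim),
        # Trusted proxy appended the real client after a forged first entry.
        "behind_proxy": client_key("10.0.0.1", f"{victim}, {attacker}"),
        "disabled": FixedWindowLimiter(1, 60, enabled=False).check("x", route, 0.0),
    }
```

Because the counters live in one process (the PR's `memory://` storage), each uvicorn/gunicorn worker keeps its own buckets and the effective limit is multiplied by the worker count; the Redis backend listed under Future Improvements is what fixes that.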

refresh_token = ""
data = auth_user.data
data = auth_user.data if auth_user.data is not None else {}
Contributor

shouldn't be part of this PR

Contributor

I think these changes are related to PR 61

@suryabulusu suryabulusu left a comment


Left comments. Looks good otherwise!

@LEVIII007 LEVIII007 closed this by deleting the head repository Dec 23, 2024
Linked issue: Apply Rate Limiting to Critical Routes Using SlowAPI