Add API rate limiting #460

Closed
sbs2001 opened this issue May 22, 2021 · 6 comments · Fixed by #988

@sbs2001
Collaborator

sbs2001 commented May 22, 2021

Deploying without any guards against API spam is a bad idea, especially since we need to do quite a lot of work and the API payload is big.

@Hritik14
Collaborator

Hritik14 commented Jun 8, 2021

The restframework comes with the throttling feature. If we could decide on the default limits, I'd love to open a PR for the same.

@pombredanne
Collaborator

Using the DRF AnonRateThrottle should be good enough for a start

@pombredanne
Collaborator

At this stage we do not have anything beyond basic auth.

We should enable the "classic" API key system for DRF API access.

For now we barely enabled "django.contrib.auth", and "rest_framework.authtoken" in the settings https://github.com/nexB/vulnerablecode/blob/479111359070cc09010bde343e210306c4b14e40/vulnerablecode/settings.py ...

But we should emulate what is done in ScanCode.io ... see aboutcode-org/scancode.io#368 and aboutcode-org/scancode.io#359

@pombredanne
Collaborator

For now, I think we will not need rate limiting once we implement auth... that's a refinement for later

@TG1999
Contributor

TG1999 commented Aug 17, 2022

Added authentication here #848

@pombredanne
Collaborator

As a first step when we make the public instance public I suggest this:

  • no auth for the UI access
  • auth for API access with an API key, that can be requested simply by email for a start.

We need to add link/content in the UI to explain how to request an API key.
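
How the DRF throttling suggested in this thread would interact with API keys, as an added sketch that is not part of the thread or of VulnerableCode's code: a stand-alone model (it does not import DRF) of the sliding-window check used by DRF's rate throttles, with anonymous callers keyed by IP and authenticated callers keyed by API key. The rates, the `SlidingWindowThrottle` class and its `check` method are assumptions for illustration; the thread never settles on limits.

```python
import time

# Assumed limits (the thread never decides on values); in a DRF project these
# would live in settings.py under the real setting keys shown here.
REST_FRAMEWORK = {
    "DEFAULT_THROTTLE_CLASSES": [
        "rest_framework.throttling.AnonRateThrottle",
        "rest_framework.throttling.UserRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {"anon": "3/min", "user": "10/min"},
}

PERIODS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """Turn '3/min' into (3, 60): request count and window in seconds."""
    count, period = rate.split("/")
    return int(count), PERIODS[period[0]]


class SlidingWindowThrottle:
    """Hypothetical stand-alone model: one timestamp history per identity."""

    def __init__(self, rates, clock=time.monotonic):
        self.rates = {scope: parse_rate(r) for scope, r in rates.items()}
        self.clock = clock
        self.history = {}  # (scope, ident) -> list of request timestamps

    def check(self, ip, api_key=None):
        """Return (allowed, retry_after_seconds)."""
        # Anonymous callers are keyed by IP, authenticated ones by API key, so
        # clients behind a shared address don't consume each other's budget.
        scope, ident = ("user", api_key) if api_key else ("anon", ip)
        limit, window = self.rates[scope]
        now = self.clock()
        # Keep only the requests that are still inside the window.
        hits = [t for t in self.history.get((scope, ident), []) if t > now - window]
        if len(hits) >= limit:
            self.history[(scope, ident)] = hits
            return False, hits[0] + window - now  # maps to HTTP 429 + Retry-After
        hits.append(now)
        self.history[(scope, ident)] = hits
        return True, 0.0
```

Rejected requests are not added to the history, so a client that keeps retrying while throttled does not extend its own lockout.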

@pombredanne pombredanne changed the title Add API rate limiting and auth Add API rate limiting Aug 30, 2022
@pombredanne pombredanne modified the milestones: v30.0, v31.0 Aug 30, 2022
@TG1999 TG1999 linked a pull request Oct 29, 2022 that will close this issue