Rate limit assets list endpoint for logged out users
mvandenburgh committed Mar 21, 2024
1 parent f043363 commit 7051d15
Showing 2 changed files with 18 additions and 0 deletions.
7 changes: 7 additions & 0 deletions dandiapi/api/views/asset.py
Expand Up @@ -36,6 +36,7 @@
from rest_framework.exceptions import NotAuthenticated, NotFound, PermissionDenied
from rest_framework.generics import get_object_or_404
from rest_framework.response import Response
from rest_framework.throttling import AnonRateThrottle, BaseThrottle
from rest_framework.viewsets import GenericViewSet, ReadOnlyModelViewSet
from rest_framework_extensions.mixins import DetailSerializerMixin, NestedViewSetMixin

Expand Down Expand Up @@ -82,6 +83,12 @@ class AssetViewSet(DetailSerializerMixin, GenericViewSet):
filter_backends = [filters.DjangoFilterBackend]
filterset_class = AssetFilter

def get_throttles(self) -> list[BaseThrottle]:
if self.action == 'list':
throttles = [*self.throttle_classes, AnonRateThrottle]
return [throttle() for throttle in throttles]
return super().get_throttles()

def raise_if_unauthorized(self):
# We need to check the dandiset to see if it's embargoed, and if so whether or not the
# user has ownership
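Review bot: `AnonRateThrottle` buckets requests by the identity `BaseThrottle.get_ident` derives from `X-Forwarded-For` (falling back to `REMOTE_ADDR`), and unless `REST_FRAMEWORK['NUM_PROXIES']` is set DRF takes that header as-is, so the new limit on the `list` action is only as reliable as the proxy layer that writes the header; the settings touched by this commit do not set `NUM_PROXIES`, so confirm it matches the number of proxies in front of the app. The throttle also keeps its request history in the default Django cache, so a per-process cache backend would give every worker its own 60/minute budget — worth a comment next to the new method. `get_throttles` has no docstring; I would add `"""Apply the anonymous-user rate limit (``DEFAULT_THROTTLE_RATES['anon']``) to the ``list`` action only."""`. The enclosing `AssetViewSet` class starts and ends outside the hunk.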
11 changes: 11 additions & 0 deletions dandiapi/settings.py
Expand Up @@ -2,6 +2,7 @@

import os
from pathlib import Path
import sys

from composed_configuration import (
ComposedConfiguration,
Expand Down Expand Up @@ -79,6 +80,11 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
'dandiapi.drf_utils.rewrap_django_core_exceptions'
)

# By default, set request rate limit to a very high number, effectively disabling it.
configuration.REST_FRAMEWORK['DEFAULT_THROTTLE_RATES'] = {
'anon': f'{sys.maxsize}/minute',
}

# If this environment variable is set, the pydantic model will allow URLs with localhost
# in them. This is important for development and testing environments, where URLs will
# frequently point to localhost.
Expand Down Expand Up @@ -181,6 +187,11 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
# We're configuring sentry by hand since we need to pass custom options (traces_sampler).
configuration.INSTALLED_APPS.remove('composed_configuration.sentry.apps.SentryConfig')

# In production, enable rate limiting for unauthenticated users
configuration.REST_FRAMEWORK['DEFAULT_THROTTLE_RATES'] = {
'anon': '60/minute',
}

ENABLE_GITHUB_OAUTH = True

# All login attempts in production should go straight to GitHub
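Review bot: Both new assignments replace `REST_FRAMEWORK['DEFAULT_THROTTLE_RATES']` wholesale instead of setting the `anon` key, so any other throttle scope supplied by `composed_configuration` or added later would be silently dropped in production; `configuration.REST_FRAMEWORK.setdefault('DEFAULT_THROTTLE_RATES', {})['anon'] = '60/minute'` keeps the intent, and the same form fits the development default in the first hunk of this file. The `sys.maxsize` default is a requirement rather than a convenience: `AssetViewSet.get_throttles` now instantiates `AnonRateThrottle` unconditionally and DRF raises `ImproperlyConfigured` when no rate exists for the `anon` scope, so the comment should say so, e.g. `# AnonRateThrottle requires an 'anon' rate to exist; outside production make it effectively unlimited`. The production value is hard-coded; reading it from an environment variable would let operators tune it without a deploy. Both `mutate_configuration` bodies start and end outside their hunks, so I cannot see which configuration classes they belong to.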
