Merge pull request #1899 from dandi/rate-limit-asset-list

Rate limit assets list endpoint for unauthenticated users
dandi · Mar 22, 2024 · c3666bc · c3666bc
2 parents 2579afb + 55cbc02
commit c3666bc
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/dandiapi/api/views/asset.py b/dandiapi/api/views/asset.py
@@ -36,6 +36,7 @@
 from rest_framework.exceptions import NotAuthenticated, NotFound, PermissionDenied
 from rest_framework.generics import get_object_or_404
 from rest_framework.response import Response
+from rest_framework.throttling import AnonRateThrottle, BaseThrottle
 from rest_framework.viewsets import GenericViewSet, ReadOnlyModelViewSet
 from rest_framework_extensions.mixins import DetailSerializerMixin, NestedViewSetMixin
 
@@ -82,6 +83,12 @@ class AssetViewSet(DetailSerializerMixin, GenericViewSet):
     filter_backends = [filters.DjangoFilterBackend]
     filterset_class = AssetFilter
 
+    def get_throttles(self) -> list[BaseThrottle]:
+        if self.action == 'list':
+            throttles = [*self.throttle_classes, AnonRateThrottle]
+            return [throttle() for throttle in throttles]
+        return super().get_throttles()
+
     def raise_if_unauthorized(self):
         # We need to check the dandiset to see if it's embargoed, and if so whether or not the
         # user has ownership

diff --git a/dandiapi/settings.py b/dandiapi/settings.py
@@ -2,6 +2,7 @@
 
 import os
 from pathlib import Path
+import sys
 
 from composed_configuration import (
     ComposedConfiguration,
@@ -79,6 +80,11 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
             'dandiapi.drf_utils.rewrap_django_core_exceptions'
         )
 
+        # By default, set request rate limit to a very high number, effectively disabling it.
+        configuration.REST_FRAMEWORK['DEFAULT_THROTTLE_RATES'] = {
+            'anon': f'{sys.maxsize}/minute',
+        }
+
         # If this environment variable is set, the pydantic model will allow URLs with localhost
         # in them. This is important for development and testing environments, where URLs will
         # frequently point to localhost.
@@ -181,6 +187,11 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
         # We're configuring sentry by hand since we need to pass custom options (traces_sampler).
         configuration.INSTALLED_APPS.remove('composed_configuration.sentry.apps.SentryConfig')
 
+        # In production, enable rate limiting for unauthenticated users
+        configuration.REST_FRAMEWORK['DEFAULT_THROTTLE_RATES'] = {
+            'anon': '300/minute',
+        }
+
     ENABLE_GITHUB_OAUTH = True
 
     # All login attempts in production should go straight to GitHub