Rate limit Users API endpoints
There are a couple of endpoints in the Users API that need to have a rate limit added. The endpoints and suggested limits are listed below:
Based on this comment, #421905 (comment 1832435121), we'll be rate limiting based on user if authenticated and on IP if unauthenticated. We can have the same values for both limits.
Endpoint | Limit (requests per minute) |
---|---|
GET /users/:id/followers | 100 |
GET /users/:id/following | 100 |
GET /users/:user_id/status | 240 |
GET /users/:user_id/keys | 120 |
GET /users/:id/keys/:key_id | 120 |
GET /users/:id/gpg_keys | 120 |
GET /users/:id/gpg_keys/:key_id | 120 |
We should make sure that this feature is behind a feature flag, so group::authentication can roll it out and watch for any unintended consequences.
This Kibana dashboard can help to see the current usage pattern.
See also #421905 (comment 1832435121), #421905 (comment 1806884841) and #421905 (comment 1820899320).
Edited by Abdul Wadood
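
The policy proposed in this issue, as an added example that is not part of the original issue and not GitLab's implementation: a fixed-window counter keyed by user ID for authenticated requests and by IP otherwise, using the limits from the table. The class name, the `flag` and `clock` parameters and the in-memory counter store are assumptions made for illustration.

```ruby
# Added illustration; all names here are hypothetical, not GitLab code.
class UsersApiRateLimiter
  WINDOW = 60 # seconds: the table's limits are per minute

  # Route pattern => requests per minute, copied from the table in the issue.
  LIMITS = {
    'GET /users/:id/followers'        => 100,
    'GET /users/:id/following'        => 100,
    'GET /users/:user_id/status'      => 240,
    'GET /users/:user_id/keys'        => 120,
    'GET /users/:id/keys/:key_id'     => 120,
    'GET /users/:id/gpg_keys'         => 120,
    'GET /users/:id/gpg_keys/:key_id' => 120
  }.freeze

  # flag:  callable standing in for the feature flag, checked on every
  #        request so the limit can be switched off during rollout.
  # clock: callable returning epoch seconds (injectable for tests).
  def initialize(flag:, clock: -> { Time.now.to_i })
    @flag = flag
    @clock = clock
    @counters = Hash.new(0)
    @current_window = nil
  end

  # Returns true when the request should be rejected (HTTP 429).
  def throttled?(route, user_id:, ip:)
    limit = LIMITS[route]
    return false unless limit && @flag.call

    # Authenticated requests are counted per user, anonymous ones per IP,
    # so users behind one shared address do not exhaust each other's budget.
    scope = user_id ? "user:#{user_id}" : "ip:#{ip}"
    window = @clock.call / WINDOW
    prune(window)

    key = [route, scope, window]
    @counters[key] += 1
    @counters[key] > limit
  end

  private

  # Drop counters from earlier windows so memory stays bounded.
  def prune(window)
    return if window == @current_window
    @counters.delete_if { |(_route, _scope, w), _count| w < window }
    @current_window = window
  end
end
```

A fixed window can admit up to twice the limit in a burst that straddles a window boundary; a sliding window or token bucket removes that at the cost of more state per key.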