Add limits for Projects List API for unauthenticated requests
requested to merge 388435-add-limits-configurable-through-the-application-settings-to-rate-limit-projects-list-api into master
What does this MR do and why?
For #388435 (closed)
This MR:
- Adds a new column on `application_settings` with the name `projects_api_rate_limit_unauthenticated`, with a default value of `400` (per 10 minutes). The limit of 400 requests/10 minutes/IP address was decided upon based on #388435 (comment 1281516886).
- This value is used as the rate limit for unauthenticated requests to the `GET /projects` endpoint.
- This rate limit is not applicable to authenticated requests.
- The whole change is behind a feature flag, `rate_limit_for_unauthenticated_projects_api_access`.
- Allows setting the value of the `projects_api_rate_limit_unauthenticated` application setting via the API and the UI (when the above feature flag is enabled).
- Adds documentation for the change.
Frontend change
Adds this setting in the `admin/application_settings/network` page (behind the `rate_limit_for_unauthenticated_projects_api_access` feature flag).
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
- Perform `Feature.enable(:rate_limit_for_unauthenticated_projects_api_access)` in the Rails console to enable the feature.
- Go to `admin/application_settings/network` and set the value of the setting in the screenshot above to a low value, like `5`.
- Open the `/api/v4/projects` endpoint in an incognito window so that you can perform unauthenticated requests.
- Notice that you can make `5` requests to this endpoint within 10 minutes, but a 6th call within the 10-minute interval would give a response with HTTP status `too_many_requests`.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #388435 (closed)
Edited by Manoj M J
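The behaviour the MR describes, as an added stand-alone example that is not GitLab's own code: a per-IP fixed window of 10 minutes whose threshold is read from `projects_api_rate_limit_unauthenticated`, with no throttling for authenticated requests or while the feature flag is off. The `ApplicationSettings` struct, the in-memory bucket hash standing in for a shared counter store, the injectable clock, the `simulate_burst` helper, and the choice that a threshold of `0` disables the limit are all assumptions made for this example.

```ruby
# Added example (not GitLab's implementation): per-IP, 10-minute fixed-window
# rate limiting for unauthenticated requests to GET /projects.

# Assumption: stand-in for the application_settings column the MR adds.
ApplicationSettings = Struct.new(:projects_api_rate_limit_unauthenticated)

class UnauthenticatedProjectsApiLimiter
  WINDOW_SECONDS = 10 * 60 # the MR's 10-minute interval

  # clock is injectable so the window expiry can be exercised in tests.
  def initialize(settings:, feature_enabled: true, clock: -> { Time.now })
    @settings = settings
    @feature_enabled = feature_enabled
    @clock = clock
    @buckets = {} # ip => [window_expires_at, count]; assumption: in-memory stand-in for a shared counter store
  end

  # Returns [http_status, headers]: 200 when the request may proceed, 429 when throttled.
  def call(ip:, authenticated: false)
    return allow(nil) if authenticated         # limit applies to unauthenticated requests only
    return allow(nil) unless @feature_enabled  # feature flag off: no throttling at all

    limit = @settings.projects_api_rate_limit_unauthenticated.to_i
    return allow(nil) if limit <= 0            # assumption: 0 (or unset) disables the limit

    now = @clock.call.to_i
    expires_at, count = @buckets[ip]
    if expires_at.nil? || expires_at <= now    # first request, or previous window has expired
      expires_at = now + WINDOW_SECONDS
      count = 0
    end
    count += 1
    @buckets[ip] = [expires_at, count]

    if count > limit
      [429, { 'Retry-After' => (expires_at - now).to_s }]
    else
      allow(limit - count)
    end
  end

  private

  def allow(remaining)
    headers = remaining.nil? ? {} : { 'RateLimit-Remaining' => remaining.to_s }
    [200, headers]
  end
end

# Fires `requests` calls from one client and returns the status codes in order.
def simulate_burst(limiter, ip:, requests:, authenticated: false)
  Array.new(requests) { limiter.call(ip: ip, authenticated: authenticated).first }
end

if __FILE__ == $PROGRAM_NAME
  settings = ApplicationSettings.new(5) # the "low value, like 5" from the validation steps
  limiter = UnauthenticatedProjectsApiLimiter.new(settings: settings)
  p simulate_burst(limiter, ip: '203.0.113.10', requests: 6) # constructed client IP
end
```

The sixth unauthenticated call from the same IP within the window is the one that gets 429; a second IP, an authenticated session, the feature flag being off, or the window expiring each yield 200 again, which is the set of cases worth checking before relying on the limit.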