
Apply rate limit to project hook test API endpoint

What does this MR do and why?

Testing a webhook performs an HTTP request to the webhook receiver and waits for the response. With our authenticated API rate limit being 2,000/m, this makes us vulnerable to potentially tying up API node resources, especially when the external service is slow to respond.

This change applies a rate limit to the endpoint of 3 requests per minute, per project webhook.

It also adjusts the urgency to :low, which sets the target duration to 5s.

#25329 (comment 1868556805)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Choose a project, and configure two webhooks for it. You can use https://webhook.site to generate a webhook receiver URL and use it for the URL.
  2. Within the same minute:
    1. Make three curls to test the first webhook (substituting <PROJECT_ID>, <HOOK_ID> and <TOKEN>). These should all succeed.
      curl --location --request POST 'http://gdk.test:3000/api/v4/projects/<PROJECT_ID>/hooks/<HOOK_ID>/test/tag_push_events?private_token=<TOKEN>'
    2. Make a fourth curl; it should return a rate limit error.
    3. Make a curl using the second hook's ID; it should succeed.
Edited by Luke Duncalfe
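The limit described above (3 test requests per minute, scoped to one project webhook) and the local validation steps can be reproduced offline with the following added example. It is not code from this MR or from GitLab: the Redis-backed counter the real API uses is replaced by an in-memory hash with an injectable clock, and the 201/429 status pair in `handle_hook_test` is an assumption made for illustration, not the endpoint's documented response.

```ruby
# Added example, not code from the MR or from GitLab: a per-hook fixed-window
# rate limiter reproducing the documented semantics (3 test requests per
# minute, scoped to a single project webhook). An in-memory hash stands in for
# the Redis counter so the script runs offline.

class HookTestRateLimiter
  THRESHOLD = 3   # requests allowed per window, per hook
  INTERVAL  = 60  # window length in seconds

  # The clock is injectable so the window reset can be exercised without sleeping.
  def initialize(clock: -> { Time.now.to_f })
    @clock   = clock
    @buckets = {}   # "project:hook" => [window_start, count]
    @lock    = Mutex.new
  end

  # Records an attempt and returns true if it is within budget, false if the
  # hook has already used its THRESHOLD requests in the current window.
  def allow?(project_id, hook_id)
    key = bucket_key(project_id, hook_id)
    now = @clock.call
    @lock.synchronize do
      start, count = @buckets[key]
      if start.nil? || now - start >= INTERVAL
        @buckets[key] = [now, 1]   # first request of a fresh window
        true
      elsif count >= THRESHOLD
        false                      # budget spent; caller should answer 429
      else
        @buckets[key] = [start, count + 1]
        true
      end
    end
  end

  # Seconds left in the current window, suitable for a Retry-After header.
  def retry_after(project_id, hook_id)
    start, _count = @buckets[bucket_key(project_id, hook_id)]
    return 0 if start.nil?
    remaining = INTERVAL - (@clock.call - start)
    remaining.positive? ? remaining.ceil : 0
  end

  private

  # Scoping the key to the hook (not just the project or the token) is what
  # lets a second hook on the same project keep working while the first is
  # throttled.
  def bucket_key(project_id, hook_id)
    "#{project_id}:#{hook_id}"
  end
end

# Models the API's decision for one hook-test call. The 201/429 pair and the
# Retry-After header are assumptions for this example, not the endpoint's
# documented response shape.
def handle_hook_test(limiter, project_id, hook_id)
  if limiter.allow?(project_id, hook_id)
    [201, {}]
  else
    [429, { 'Retry-After' => limiter.retry_after(project_id, hook_id).to_s }]
  end
end

# Replays the "How to set up and validate locally" steps against the limiter:
# three calls to hook 1 succeed, the fourth is rejected, hook 2 is unaffected,
# and hook 1 is usable again once the minute has elapsed. Returns the status
# codes in order.
def replay_validation_steps
  t = [0.0]                                                   # fake clock
  limiter = HookTestRateLimiter.new(clock: -> { t[0] })
  statuses = []
  4.times { statuses << handle_hook_test(limiter, 1, 1).first }  # hook 1, x4
  statuses << handle_hook_test(limiter, 1, 2).first              # hook 2
  t[0] += HookTestRateLimiter::INTERVAL                           # a minute later
  statuses << handle_hook_test(limiter, 1, 1).first              # hook 1 again
  statuses
end

puts replay_validation_steps.inspect if $PROGRAM_NAME == __FILE__
```

A fixed window such as this one admits up to 2 × THRESHOLD calls across a window boundary (three at the end of one minute, three at the start of the next); for the purpose stated in the MR, keeping a slow receiver from tying up API workers, that burst is bounded and acceptable, and the key being the hook rather than the token is what keeps step 3 of the validation (the second hook still succeeds) true.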
