Add rate limits to groups and projects APIs

Abdul Wadood requested to merge 421909-rate-limit-endpoints into master

What does this MR do and why?

We have rate-limited the following endpoints to prevent abuse:

  1. GET /api/v4/users/:user_id/projects
  2. GET /api/v4/users/:user_id/contributed_projects
  3. GET /api/v4/users/:user_id/starred_projects
  4. GET /api/v4/projects
  5. GET /api/v4/groups/:id/projects
  6. GET /api/v4/projects/:id
  7. GET /api/v4/groups
  8. GET /api/v4/groups/:id

The changes here have been announced in this blog post.

But we can merge this since all the changes here are behind the rate_limit_groups_and_projects_api feature flag.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshot

From https://gdk.test:3000/admin/application_settings/network


How to set up and validate locally

  1. Go to https://gdk.test:3000/admin/application_settings/network and adjust the limit of any one of the endpoints, for instance GET /groups.
  2. Then, using curl, exceed that rate limit: curl https://gdk.test:3000/api/v4/groups
  3. You'll get this message after the rate limit is exceeded: {"message":{"error":"This endpoint has been requested too many times. Try again later."}}
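To check from a shell that a configured limit is actually enforced, here is an added probe (example code, not part of this MR); it assumes a local GDK instance at GITLAB_URL and that a limited request returns HTTP 429 carrying the error body quoted in step 3.

```shell
# Added example, not part of this MR: confirm that a configured limit is
# enforced on one of the endpoints listed above. Assumed: a local GDK at
# GITLAB_URL, and that a limited request answers HTTP 429 with the JSON
# error body quoted in the validation steps.
GITLAB_URL="${GITLAB_URL:-https://gdk.test:3000}"  # assumed local instance
ENDPOINT="${ENDPOINT:-/api/v4/groups}"             # any endpoint from the list
MAX_REQUESTS="${MAX_REQUESTS:-300}"                # safety cap for the probe

# rate_limited BODY: succeed when BODY is the rate-limit error added by the MR.
rate_limited() {
    case "$1" in
        *"This endpoint has been requested too many times"*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_rate_limit: request ENDPOINT repeatedly, print how many requests went
# through before the limiter answered, and return 0 if the limit was hit,
# 1 if MAX_REQUESTS requests passed unlimited, 2 if curl itself failed.
probe_rate_limit() {
    body=$(mktemp) || return 2
    n=0
    while [ "$n" -lt "$MAX_REQUESTS" ]; do
        # -k only because the GDK certificate is self-signed; drop it elsewhere.
        code=$(curl -sk -o "$body" -w '%{http_code}' "$GITLAB_URL$ENDPOINT") \
            || { rm -f "$body"; return 2; }
        if [ "$code" = "429" ] && rate_limited "$(cat "$body")"; then
            echo "rate limit hit after $n successful requests"
            rm -f "$body"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no rate limit after $n requests"
    rm -f "$body"
    return 1
}

# Run the probe only when asked, so sourcing this file has no side effects.
if [ "${PROBE:-0}" = "1" ]; then
    probe_rate_limit
fi
```

Run it with PROBE=1 after lowering a limit in the admin network settings; the printed count should not exceed the limit you configured for the period.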

Related to #421909 (closed)

Edited by Abdul Wadood