
Make Users API rate limits configurable

Related to #458978 (closed)

What does this MR do and why?

  • It makes the Users API rate limits configurable on GitLab Self-Managed. Requests are counted per:

    • user, if the request is authenticated
    • IP address, if the request is unauthenticated
  • It lets customers change or disable the new default rate limits in GitLab 17.10, before they are enabled by default in 18.0

Endpoint                            Requests per minute limit
GET /users/:id/followers            100
GET /users/:id/following            100
GET /users/:user_id/status          240
GET /users/:user_id/keys            120
GET /users/:id/keys/:key_id         120
GET /users/:id/gpg_keys             120
GET /users/:id/gpg_keys/:key_id     120

Screenshots or screen recordings

After: [screenshot 458978-after]

How to set up and validate locally

  1. Check out this MR's branch.
  2. Follow these steps to configure the Users API rate limits.
  3. Turn on the feature flag to apply the configured rate limits. Run these commands in your terminal:

     gdk rails console
     Feature.enable(:rate_limiting_user_endpoints)

  4. Test the rate limits. Example: change the GET /users/:id/status limit to 3, run the following curl request repeatedly, and verify that it returns a 429 response code after 3 requests:

     curl --request GET "https://gdk.test:3443/api/v4/users/2/status"
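To make the behaviour described in this MR concrete (per-endpoint limits, bucketed by user when authenticated and by IP otherwise, each limit changeable or disabled by the operator), here is an added example of a minimal fixed-window limiter that models that policy and reproduces the manual check in step 4 above. This is illustrative code written for this page, not GitLab's implementation; the endpoint keys such as `users_status`, the `Request` record, the fake clock and the sample addresses are all assumptions, while the default limit values are the ones listed in the table above.

```python
"""Added example (not GitLab's own code): a fixed-window rate limiter that
models the policy this MR describes. Each Users API endpoint has its own
per-minute limit; requests are bucketed by user id when authenticated and by
client IP when not. Limits are configurable, and None disables a limit."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 60

# Default values copied from the MR table; the endpoint keys are assumed names.
DEFAULT_LIMITS = {
    "users_followers": 100,
    "users_following": 100,
    "users_status": 240,
    "users_keys": 120,
    "users_key": 120,
    "users_gpg_keys": 120,
    "users_gpg_key": 120,
}


@dataclass
class Request:
    endpoint: str
    ip: str
    user_id: Optional[int] = None  # None means the request is unauthenticated


class UserApiRateLimiter:
    def __init__(self, overrides=None):
        # Operator overrides replace defaults; a value of None disables the limit.
        self.limits = dict(DEFAULT_LIMITS, **(overrides or {}))
        # (endpoint, throttle key) -> [window_start, count_in_window]
        self._buckets = defaultdict(lambda: [0.0, 0])

    @staticmethod
    def throttle_key(req):
        # Authenticated callers are counted per user, anonymous callers per IP.
        return f"user:{req.user_id}" if req.user_id is not None else f"ip:{req.ip}"

    def check(self, req, now):
        """Return 200 if the request is allowed, 429 if the limit is exceeded."""
        limit = self.limits.get(req.endpoint)
        if limit is None:
            return 200  # limit disabled for this endpoint
        bucket = self._buckets[(req.endpoint, self.throttle_key(req))]
        if now - bucket[0] >= WINDOW_SECONDS:
            bucket[0], bucket[1] = now, 0  # new one-minute window
        bucket[1] += 1
        return 200 if bucket[1] <= limit else 429


def first_throttled_request(limiter, req, now=0.0, attempts=10):
    """1-based index of the first request that gets a 429, or None if none did.
    Mirrors the manual curl loop from the validation steps."""
    for i in range(1, attempts + 1):
        if limiter.check(req, now) == 429:
            return i
    return None


if __name__ == "__main__":
    # Step 4 of the validation: status limit set to 3, so the 4th call is throttled.
    limiter = UserApiRateLimiter({"users_status": 3})
    probe = Request("users_status", "203.0.113.5", user_id=2)  # constructed sample
    print("first 429 at request", first_throttled_request(limiter, probe))
```

An unauthenticated caller from another address gets its own bucket, so one client hitting the limit does not throttle others, and setting an endpoint's limit to None reproduces the "disable" option mentioned in the description.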

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hakeem Abdul-Razak
